Risk Assessment evaluation

Don Dom
Tera Contributor

Imagine a scenario where your organization tracks user endpoints—like ThinkPads—under a specific entity class and type. Each time a new endpoint is added, the system automatically creates both a Risk record and a corresponding Control. The usual workflow is that the Control goes through an attestation step, followed by a Risk assessment. If there are 10,000 ThinkPads, this means you end up with 10,000 unique Controls and 10,000 matching Risks. Let’s say the initial assessment was completed for all of them with the same outcome: each Control was deemed ineffective.

Now, suppose at a later point the Control is updated and marked as effective. This revision should logically affect every Risk assessment and change the overall risk score for each of those 10,000 items. But how exactly is that handled?

Key question: When the Control’s status shifts from ineffective to effective, do you need to reevaluate every single Risk individually, or is there a way to make a single update that applies across all instances?

Additional Thoughts:

  1. If the same Control applies to all endpoints, would it be more efficient to use a Common Control approach instead of creating thousands of separate controls?
  2. If risk evaluations are driven by an automated or scripted factor on a schedule (e.g., monthly), and previously the score was based on the Control being ineffective, would the new effective status automatically recalculate the residual risk in the Risk Assessment Methodology (RAM) record? If so, would that updated residual risk then appear in the Risk report without requiring the creation of new assessment records?

Connor Levien
ServiceNow Employee

@Don Dom, if all the controls fail or pass together, that is when you should use a single common control. You should only make individual controls when each can pass and fail individually, and for something of this scale it should only be done if you have automated control indicators to monitor compliance automatically. Automated factors in RAMs will auto-recalculate at your defined interval. So if you have an automated factor looking at connected control health, it can recalculate residual risk automatically and update reports.


I would also suggest not creating hundreds of risks in this scenario. Normally you would make a single risk for each department or business area and then have that reflect the overall risk.
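The propagation the reply describes (one common control shared by all endpoint risks, an automated factor that recalculates on a schedule, no new assessment records), as an added Python sketch; it is not ServiceNow code and not part of either post. The scoring rule residual = inherent x (1 - share of effective controls), the 0-100 scale and the record names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Control:
    """A control record; `effective` is the outcome of its attestation."""
    name: str
    effective: bool = False


@dataclass
class Risk:
    """A risk record with an inherent score (constructed 0-100 scale) and the
    controls it relies on; `residual` is filled in by the RAM recalculation."""
    entity: str
    inherent: float
    controls: List[Control]
    residual: Optional[float] = None


def control_health(risk: Risk) -> float:
    """Automated factor: fraction of the linked controls currently effective."""
    if not risk.controls:
        return 0.0
    return sum(1 for c in risk.controls if c.effective) / len(risk.controls)


def scheduled_recalculation(risks: List[Risk]) -> List[Risk]:
    """Runs at the defined interval; residual = inherent * (1 - factor).
    The existing risk record is updated in place, nothing new is created."""
    for r in risks:
        r.residual = round(r.inherent * (1 - control_health(r)), 2)
    return risks


def individual_controls(n: int, inherent: float = 80.0) -> List[Risk]:
    """One control and one risk per endpoint (the scenario in the question)."""
    return [Risk(f"ThinkPad-{i}", inherent, [Control(f"ctl-{i}")]) for i in range(n)]


def common_control(n: int, inherent: float = 80.0) -> Tuple[Control, List[Risk]]:
    """One shared control referenced by every endpoint risk (the reply's advice)."""
    shared = Control("endpoint-common-control")
    return shared, [Risk(f"ThinkPad-{i}", inherent, [shared]) for i in range(n)]


def mark_effective(risks: List[Risk]) -> int:
    """Flip every distinct control to effective; returns records that had to be touched."""
    distinct = {id(c): c for r in risks for c in r.controls}
    for c in distinct.values():
        c.effective = True
    return len(distinct)
```

With the common control, `mark_effective` touches one record and the next scheduled run moves all 10,000 residual scores; with individual controls it touches 10,000.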