Risk Assessment Questionnaire

David347
Tera Contributor

We are partly into configuring our GRC instance and I will be completely honest, not 100% up to speed at the moment. But we currently use a risk questionnaire to help us understand the risk that they are raising.

Are there any good guides or videos on a step by step?

Thanks in advance

1 ACCEPTED SOLUTION

Roy Verrips
Tera Expert

Hi David 

When you say "... the risks they are raising" it makes me want to verify if your team is raising risks or issues.  

A simple difference is issues are current (something that is happening now, like Log4Shell, etc.) while Risks are more forward-looking (i.e. Risk of Unauthorized access) - Risk Statements are generally defined at an enterprise level while Issues are created by end-users.

I'm hoping it's not the case, but we sadly often see teams struggle with that difference which then impacts implementing other aspects of GRC and the complexity just increases from there. 

The quick answer to your actual question would be to create your assessments using the Risk Assessment Designer: https://docs.servicenow.com/bundle/sandiego-governance-risk-compliance/page/product/grc-risk/task/create-assessment-using-assessment-designer.html

However, you may want to reach out to an implementation partner to verify if your roadmap of implementing Risk, Controls (with Issues) and Entities is sustainable.

Hoping you find that helpful.

Roy  

3 REPLIES

Thanks, that is helpful.

It is the former. The users will be people like Project Managers or Service owners who are looking to make changes in their environment, so we need a certain amount of information to make these assessments. 

Is that what you would use these questionnaires/Assessments for?

I understand how to use these but how are they triggered? When a new risk is identified, I want the questionnaire going out to them.