‎05-31-2022 08:06 AM
We are partly into configuring our GRC instance and I will be completely honest, not 100% up to speed at the moment. But we currently use a risk questionnaire to help us understand the risk that they are raising.
Are there any good guides or videos on a step by step?
Thanks in advance

‎05-31-2022 11:48 AM
Hi David
When you say "... the risks they are raising" it makes me want to verify if your team is raising risks or issues.
A simple difference is that Issues are current (something that is happening now, like Log4Shell, etc.) while Risks are more forward-looking (i.e. Risk of Unauthorized access). Risk Statements are generally defined at an enterprise level while Issues are created by end-users.
I'm hoping it's not the case, but we sadly often see teams struggle with that difference which then impacts implementing other aspects of GRC and the complexity just increases from there.
The quick answer to your actual question would be to create your assessments using the Risk Assessment Designer. https://docs.servicenow.com/bundle/sandiego-governance-risk-compliance/page/product/grc-risk/task/create-assessment-using-assessment-designer.html
However, you may want to reach out to an implementation partner to verify if your roadmap of implementing Risk, Controls (with Issues) and Entities is sustainable.
Hoping you find that helpful.
Roy

‎06-01-2022 01:07 AM
Thanks, that is helpful.
It is the former. The users will be people like Project Managers or Service owners who are looking to make changes in their environment, so we need a certain amount of information to make these assessments.
Is that what you would use these questionnaires/Assessments for?
‎04-25-2023 08:24 AM
I understand how to use these but how are they triggered? When a new risk is identified, I want the questionnaire going out to them.