Risk methodologies & Gross Risk
3 weeks ago
Hi Everyone,
Could I ask for some guidance? We are a consumer of IRM, and are looking at ways to utilise it in the context of our organisation's existing risk management practices. The preference, to minimise business change and accelerate scaled use/leverage, is to adopt an IRM risk methodology to 'fit' our practices, rather than the other way around.
To that end, we follow the common approach in these phases:
Assessment
- Gross Risk (the risk without any risk treatment applied)
- Target Risk (the risk remaining after the risk treatment has been applied)
- Control Objective assignment (risk treatments/requirements to reduce the likelihood and/or impact of a risk)
Attestation
- Planned/required control objective implementation, including attributes associated with state (in place/partially in place/not in place) and other attributes, including ownership (enterprise/system specific)
Assurance
- Control effectiveness (effective/partially effective/not effective)
- Current Risk (measured actual risk, given the control states and effectiveness determined through Audit)
The SNOW question is:
Is it viable to configure the 'risk methodology' (or methodologies) and workflows to reflect this business process?
or
Is the language (workflows) of Inherent Risk, Residual Risk, and Target Risk 'baked in' to SNOW, making that a more foundational change for us?
Would be grateful for insights/pointers and viewpoints on our thinking here.
Tuesday
Sounds like your business process does not deviate too far from OOTB.
In general you could set up your RAM such that:
For your first assessment of the risk, you would conduct an Inherent assessment (which you could rename Gross Risk):
- Control effectiveness = N/A (because you have none)
- Residual (can be labelled Current) is calculated based on inherent and control effectiveness (at this stage inherent = residual)
- Target -> where would I like this Risk to be in the future
- Clearly it is outside of appetite and possibly target
- Response task to create control(s)
After instructing risk owners to chat to control owners and establishing the controls:
- Control owners conduct an attestation to confirm controls are in place
The second assessment of the risk:
- Inherent / Gross is the same
- Control effectiveness - evaluate how effective these controls are in mitigating the risk
- Residual / Current risk is calculated
- Still outside appetite / target
- Response task
Rinse, repeat.
When assurance arrives on the scene, they will evaluate how effectively you have designed the controls and how well they are operating (Control Test).
In ServiceNow the assurance (Audit application) does not determine the current risk; it merely confirms that the process and artefacts used in stating these risks are appropriate.
Does not sound like the chasm is too wide to overcome with an OOTB implementation, slight terminology differences and approach to Target and Current.
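The assess / attest / re-assess loop in the reply above, as an added worked model (not ServiceNow RAM code and not from either poster). Everything numeric is an assumption: likelihood and impact on 1-5 scales multiplied into a 1-25 inherent (gross) score, control effectiveness ratings mapped to fixed reduction factors, and residual (current) risk computed as inherent times what survives the attested, evaluated controls. Only a control attested as "in place" with an effectiveness rating contributes, so the first pass with no controls yields residual = inherent, exactly as the reply describes.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed mapping from an effectiveness rating to the share of risk it removes (assumption).
EFFECTIVENESS_FACTOR = {
    "effective": 0.8,
    "partially effective": 0.4,
    "not effective": 0.0,
}


@dataclass
class Control:
    name: str
    state: str = "not in place"          # attestation: in place / partially in place / not in place
    effectiveness: Optional[str] = None  # evaluated rating, None until someone has assessed it


@dataclass
class Risk:
    name: str
    likelihood: int   # 1-5 (assumed scale)
    impact: int       # 1-5 (assumed scale)
    appetite: float   # highest score the business will tolerate
    target: float     # score the risk owner wants to reach
    controls: list = field(default_factory=list)


def inherent_score(risk: Risk) -> float:
    """Gross risk: likelihood x impact, before any treatment."""
    return float(risk.likelihood * risk.impact)


def mitigation_factor(risk: Risk) -> float:
    """Fraction of the inherent score that survives the controls.

    A control counts only once attested as 'in place' and given an
    effectiveness rating; anything else is N/A and leaves the risk untouched.
    Multiple controls reduce the remainder multiplicatively (assumption).
    """
    remaining = 1.0
    for control in risk.controls:
        if control.state != "in place" or control.effectiveness is None:
            continue
        remaining *= 1.0 - EFFECTIVENESS_FACTOR[control.effectiveness]
    return remaining


def assess(risk: Risk) -> dict:
    """One assessment pass: inherent, residual/current, and whether a response task is due."""
    inherent = inherent_score(risk)
    residual = round(inherent * mitigation_factor(risk), 1)
    within_appetite = residual <= risk.appetite
    at_target = residual <= risk.target
    return {
        "inherent": inherent,
        "residual": residual,
        "within_appetite": within_appetite,
        "at_target": at_target,
        "response_task": not (within_appetite and at_target),
    }


def run_cycle() -> tuple:
    """Constructed walk-through of the loop: gross assessment, attest, evaluate, re-assess."""
    risk = Risk("Unpatched internet-facing servers (constructed)",
                likelihood=5, impact=4, appetite=8, target=6)

    first = assess(risk)                       # no controls: residual == inherent, response task raised

    patching = Control("Monthly patch cycle")  # response task produced this control
    risk.controls.append(patching)
    patching.state = "in place"                # control owner attests it
    patching.effectiveness = "partially effective"
    second = assess(risk)                      # reduced, but still outside appetite: another response task

    scanning = Control("Weekly vulnerability scanning",
                       state="in place", effectiveness="effective")
    risk.controls.append(scanning)
    third = assess(risk)                       # now within appetite and target

    return first, second, third


if __name__ == "__main__":
    for label, result in zip(("gross", "after first control", "after second control"), run_cycle()):
        print(f"{label}: {result}")
```

The separation mirrors the reply's point that attestation ("in place") and evaluation ("effective") are distinct gates: a control that is attested but not yet rated, or rated but only partially in place, changes nothing in the residual score, so the current risk cannot quietly improve before someone has actually judged the control.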