Risk creation from Entity type: reason

ANKITA_CHARAYA
Tera Contributor

Hi ServiceNow Community ,


In layman's terms, a question popped up in my mind: if we are starting with a top-down approach from Entity Scoping to Policy & Compliance and then to the Risk module, and we have an entity type, let's say Business Applications in your organization, and we are applying a policy and control objective and then controls to that, so ideally, if the control is pass/fail and compliant/non-compliant as per the results, then a risk will be created, right, if the control is not compliant? Why is there an option to associate risks with different entities already, without even getting the results from our controls implementation? I don't understand this idea. A risk for that entity should be generated automatically, right, if the entity (or we can say the Business Application) is not following a certain standard?


Karin4
ServiceNow Employee

Although a control is compliant, that does not mean that it is effective. It is important to evaluate the control effectiveness in the form of a risk assessment. A risk does not simply go away because there is a control implemented. By generating all of the risks from the entities and building the right relationships, you will see that the maturity of your risk posture will be elevated because of the control attestation results and those meaningful relationships.

Thanks for your response, Karin. I also wanted to check: in my business case, we have risks at the top, and to mitigate those risks we have controls in place, and if a control fails / is not compliant, issues are created. Could you give me an idea, as per best practice, of how I should map this to the ServiceNow IRM process? We have policies at the top, I think, then control objectives, controls, and then risk statements, and risks are generated for those entities. I need to get an idea of how I should make the best use of this using the recommended practice of ServiceNow.


Thanks

Ankita Charaya