TPRM IRQ

divyasaxena
Tera Contributor

Hi Team,

 

Currently I am working with an insurance industry client in the Australia region who needs to comply with APRA CPS 230. The major challenge I have identified is their Inherent Risk Assessment Questionnaire, where their process starts with:

1. Screening questionnaire -> the screening questionnaire responses decide the next questionnaire, based on the questions for Cyber, Privacy, Data Governance and the Strategic Sourcing team, which the client calls DDQs. These DDQs are of two types:

   1. DDQ Cyber Internal -> the business owner has to respond

   2. DDQ Cyber Vendor -> the vendor has to respond, and similarly for the other domains mentioned above.

After that, these outputs will feed into the Inherent Risk Assessment (IRA).

 

So to fit this process, I have many things to design in ServiceNow TPRM:

1. Screening Questionnaire -> IRQ template

2. Based on the response, it will trigger the next IRQ templates (DDQ Cyber, DDQ Privacy, etc.) in parallel

3. Once these are completed and approved, it should trigger the IRA, which is another IRQ template

 

So here are my questions:

1. How do we manage each IRQ review and approval process?

2. How can we feed the outputs from the vendor into the IRA (Inherent Risk Assessment), meaning at which stage? As OOB, the first IRQ has to be completed, then the vendor questionnaires.

3. Can we introduce a new field which is the outcome of the IRA, as they are not using the Inherent Risk rating?

4. Also, how can we enable the IRA to be responded to by different users if needed? As of now only one person can respond.

 

Appreciate your quick help.

 

Thanks,

Divya Saxena

#tprm #GRC 
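The three-stage flow the post describes (screening decides which DDQs are raised in parallel; each DDQ has an internal and a vendor variant; the IRA is raised only once every DDQ is completed and approved) can be sketched as a small, platform-neutral state model. This is an added example, not the poster's design and not ServiceNow TPRM code or its API; the domain names, questionnaire names, statuses and user ids are assumptions chosen for illustration. It also shows one review-gate check a practitioner would normally want in the approval step: a questionnaire cannot be approved by someone who responded to it.

```python
"""Added illustration of the screening -> parallel DDQ -> IRA gating logic.
Platform-neutral: not ServiceNow code; all names below are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Status(Enum):
    NOT_STARTED = "not_started"
    SUBMITTED = "submitted"
    APPROVED = "approved"


# Assumed domain list, taken from the domains named in the post.
DOMAINS = ("Cyber", "Privacy", "Data Governance", "Strategic Sourcing")


@dataclass
class Questionnaire:
    name: str
    audience: str                      # "internal" (business owner) or "vendor"
    status: Status = Status.NOT_STARTED
    responders: Set[str] = field(default_factory=set)
    approver: Optional[str] = None


def route_ddqs(screening: Dict[str, bool]) -> List[Questionnaire]:
    """Stage 2: screening answers decide which DDQs are raised, all at once.
    Each flagged domain raises one internal and one vendor questionnaire."""
    ddqs: List[Questionnaire] = []
    for domain in DOMAINS:
        if screening.get(domain, False):
            ddqs.append(Questionnaire(f"DDQ {domain} Internal", "internal"))
            ddqs.append(Questionnaire(f"DDQ {domain} Vendor", "vendor"))
    return ddqs


def submit(q: Questionnaire, user: str) -> None:
    """Any number of responders may contribute before the questionnaire is submitted."""
    q.responders.add(user)
    q.status = Status.SUBMITTED


def approve(q: Questionnaire, reviewer: str) -> None:
    """Review gate: only a submitted questionnaire can be approved, and never by
    one of its own responders (segregation of duties between responder and reviewer)."""
    if q.status is not Status.SUBMITTED:
        raise ValueError(f"{q.name}: cannot approve from status {q.status.value}")
    if reviewer in q.responders:
        raise ValueError(f"{q.name}: responder {reviewer} cannot self-approve")
    q.approver = reviewer
    q.status = Status.APPROVED


def ira_ready(ddqs: List[Questionnaire]) -> bool:
    """Stage 3 gate: the IRA is raised only once every routed DDQ is approved."""
    return bool(ddqs) and all(q.status is Status.APPROVED for q in ddqs)


def ira_inputs(ddqs: List[Questionnaire]) -> Dict[str, List[str]]:
    """What feeds the IRA: the approved questionnaires grouped by audience, so the
    vendor-supplied output stays visibly separate from the internal output."""
    if not ira_ready(ddqs):
        raise ValueError("IRA cannot start: DDQ approvals outstanding")
    grouped: Dict[str, List[str]] = {"internal": [], "vendor": []}
    for q in ddqs:
        grouped[q.audience].append(q.name)
    return grouped


def demo() -> Dict[str, List[str]]:
    """Constructed walk-through: screening flags Cyber and Privacy only."""
    screening = {"Cyber": True, "Privacy": True,
                 "Data Governance": False, "Strategic Sourcing": False}
    ddqs = route_ddqs(screening)
    for q in ddqs:
        submit(q, "vendor.contact" if q.audience == "vendor" else "business.owner")
        approve(q, "risk.reviewer")          # distinct reviewer passes the gate
    return ira_inputs(ddqs)


if __name__ == "__main__":
    print(demo())
```

The point of `ira_ready` is that the IRA stage reads from approved DDQ records rather than from whichever questionnaire happened to finish first, which is the ordering question raised in item 2; `submit` keeping a set of responders rather than a single user is the shape that lets several people answer one questionnaire (item 4) while still leaving an auditable list of who contributed.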
