What is the difference between the compliance score and the risk rating?

Venky Kshatriy2
Tera Contributor

What is the difference between the compliance score (Policy and Compliance) and the risk rating (Advanced Risk Assessment)? Are both the same or different? If they are different, could you please give me one proper example?


Jan Spurlin
ServiceNow Employee

The compliance score provides a percentage of the controls that your organization is compliant with for a few different records: the policy, the authority document (aka the regulation), and also at the control objective and citation level. When an individual control is determined to be compliant or not compliant, this rolls up to its parent, the control objective. If I have 4 controls under a control objective and 2 are compliant and 2 are not, then the compliance score of its parent control objective will be 50%. This assumes that the weight of the 4 controls is equal. Customers often need to report how compliant they are with a certain regulation.


You will frequently hear that the reason a customer performs compliance management is to reduce risk.

For any specific risk, there may be multiple controls that mitigate the risk.

During the risk assessment process it is possible to assess how effectively these controls are mitigating a risk. A control could be compliant but still not have a big impact on reducing the risk.


The risk assessment risk score is about identifying how much risk an organization can handle. It is often not cost effective to reduce all risks, but how much risk is OK? The risk ratings help the risk management team answer that question.
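The roll-up described in the reply, as an added example that is not part of the original answer and not ServiceNow's own code: the compliance score is the (weighted) percentage of compliant controls rolled up to the control objective and then to the policy, while the residual-risk figure uses an assumed, purely illustrative model in which each compliant control removes a `risk_reduction` share of the remaining risk. The control names and numbers are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    compliant: bool
    weight: float = 1.0          # relative weight in the roll-up; equal weights by default
    risk_reduction: float = 0.0  # assumed: share of a risk this control removes when compliant

@dataclass
class ControlObjective:
    name: str
    controls: list = field(default_factory=list)

def compliance_score(controls):
    """Weighted percentage of compliant controls; with equal weights this is the
    plain compliant/total percentage from the reply (2 of 4 compliant -> 50.0)."""
    total = sum(c.weight for c in controls)
    return 100.0 * sum(c.weight for c in controls if c.compliant) / total if total else 0.0

def objective_scores(objectives):
    """Each control's status rolls up to its parent control objective."""
    return {o.name: compliance_score(o.controls) for o in objectives}

def policy_score(objectives):
    """One level higher: every control under the policy counts toward its score."""
    return compliance_score([c for o in objectives for c in o.controls])

def residual_risk(inherent, controls):
    """Illustrative risk rating (assumed model): each compliant control removes its
    risk_reduction share of what remains; a weak compliant control barely moves it."""
    remaining = float(inherent)
    for c in controls:
        if c.compliant:
            remaining *= 1.0 - c.risk_reduction
    return round(remaining, 2)

# Constructed data: the 2-of-4 case from the reply, plus a second objective with
# the same compliance score whose compliant controls do little to reduce risk.
ACCESS = ControlObjective("Access control", [
    Control("MFA enforced", True, risk_reduction=0.6),
    Control("Quarterly access review", True, risk_reduction=0.3),
    Control("Privileged session recording", False, risk_reduction=0.4),
    Control("Shared account ban", False, risk_reduction=0.2),
])
LOGGING = ControlObjective("Logging", [
    Control("Log retention policy documented", True, risk_reduction=0.05),
    Control("Log format standard", True, risk_reduction=0.05),
    Control("Central SIEM ingestion", False, risk_reduction=0.5),
    Control("Alerting on log loss", False, risk_reduction=0.4),
])
```

Both objectives report the same 50% compliance score, yet an inherent risk of 100 drops to 28.0 under the access controls and only to 90.25 under the logging controls, which is the gap between "compliant" and "risk reduced" that the reply points at.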