What is the difference between the risk and risk statement (advanced risk assessment)
06-03-2024 02:12 AM
What is the difference between the risk and the risk statement (advanced risk assessment)? Any proper example?
06-03-2024 04:35 AM
Hi @Venky Kshatriy2,
Risk vs. Risk Statement in ServiceNow GRC
**Risk**:
- A broad, high-level potential problem that could affect the organization.
- Example: "Data Breach Risk" - The possibility that sensitive data might be accessed or stolen.

**Risk Statement**:
- A specific, detailed part of the broader risk.
- Example: For "Data Breach Risk," you might have:
  1. **Risk Statement 1**: "Insufficient Encryption of Sensitive Data" - Data isn't encrypted well enough, making it vulnerable.
  2. **Risk Statement 2**: "Unpatched Security Vulnerabilities in Web Applications" - Software isn't updated, creating security holes.
  3. **Risk Statement 3**: "Employee Lack of Awareness on Phishing Attacks" - Employees aren't trained to spot phishing emails, increasing risk.

### Real-Life Example
- **Risk**: "Data Breach Risk"
  - Big picture: Sensitive data could be stolen.
  - Solutions: Better security, staff training, regular audits.
- **Risk Statements**:
  1. "Insufficient Encryption of Sensitive Data"
     - Detail: Data isn't well-protected.
     - Action: Improve encryption standards.
  2. "Unpatched Security Vulnerabilities in Web Applications"
     - Detail: Software has unpatched security holes.
     - Action: Regularly update and patch software.
  3. "Employee Lack of Awareness on Phishing Attacks"
     - Detail: Employees might fall for phishing emails.
     - Action: Train employees to recognize phishing.
By breaking down a big risk into smaller, specific statements, it's easier to tackle each part effectively.
If you find my response helpful, please consider marking it as the 'Accepted Solution' and giving it a 'Helpful' rating. Your feedback not only supports the community but also encourages me to continue providing valuable assistance.
Thanks,
Amitoj Wadhera
06-12-2024 01:00 AM
Hi Venky
I'm relatively new to IRM however here is my take on risk vs risk statement. Risk Statements in IRM are like templates for common risks across your organisation. e.g. unauthorised access. You use a Risk Statement to create a risk. A Risk is a specific occurrence of a Risk Statement relating to an Entity. E.g. the entity might be a core system. The combination of Risk Statement and Entity creates a unique risk.
06-12-2024 05:35 PM
Further to @carlosgaspa's reply, the combination of the two (Risk Statement and Entity) provides the specific risk, and within this risk you are able to elaborate on how this risk statement is relevant to your entity in the Risk Relevance field.
So even though you applied this generic risk statement that could be broadly applicable to just about anything in your organisation, you still have the flexibility to guide your audience about your interpretation of the risk statement and its applicability to your entity.
Unauthorised Access may have different interpretations when linked to an Entity: Finance Department compared to Entity: Business Application - SAP.
06-12-2024 10:03 PM
In the context of ServiceNow GRC, a Risk is a potential event that could negatively impact an organization’s ability to achieve its objectives. It involves systematically identifying, assessing, and mitigating potential risks. For example, a risk could be “Potential data breach due to inadequate security measures”.
On the other hand, a Risk Statement (also known as Advanced Risk Assessment) is a more detailed and specific articulation of the risk, often including the cause, the risk event, and its potential impact. It’s a part of the Advanced Risk Assessment functionality in ServiceNow, which allows for a more granular and comprehensive assessment of risks. For instance, a risk statement for the above risk could be “Due to inadequate security measures (cause), there is a risk of a data breach (risk event), which could result in financial loss and reputational damage (impact)”.
So, while both “Risk” and “Risk Statement” pertain to potential issues that could affect an organization, the risk statement provides a more detailed description of the risk, its causes, and potential impacts.
This distinction helps organizations better understand and manage their risks. I hope this helps!