What is the difference between the risk and risk statement (advance risk assessment)

Venky Kshatriy2
Tera Contributor

What is the difference between a risk and a risk statement (advanced risk assessment)? Any proper example?


PrashantLearnIT
Giga Sage

Hi @Venky Kshatriy2,

In ServiceNow GRC (Governance, Risk, and Compliance), "Risk" and "Risk Statement" are distinct but related concepts used in the management of organizational risk. Here’s a breakdown of each term and how they relate:


### Risk
In ServiceNow GRC, a **Risk** refers to any event that could potentially impact the organization's ability to achieve its objectives. Risks can come from various sources such as financial uncertainties, legal liabilities, strategic management errors, accidents, or natural disasters.

- **Attributes of Risk:**
  - **Risk ID:** A unique identifier for the risk.
  - **Title:** A brief description of the risk.
  - **Category:** The classification of the risk (e.g., financial, operational, strategic).
  - **Likelihood:** The probability of the risk occurring.
  - **Impact:** The potential effect or damage the risk could cause.
  - **Risk Owner:** The person responsible for managing the risk.
  - **Mitigation Plans:** Actions or controls put in place to reduce the risk's likelihood or impact.
  - **Assessment:** Evaluation of the risk's likelihood and impact.


### Risk Statement
A **Risk Statement** is a structured and detailed articulation of a specific risk, describing the condition that creates the risk, the consequence if it occurs, and the context in which the risk exists. A well-defined risk statement helps in understanding and communicating the nature of the risk more effectively.

- **Components of a Risk Statement:**
  - **Condition:** The cause or source of the risk (e.g., "Due to outdated IT infrastructure...").
  - **Consequence:** The potential outcome or impact of the risk if it materializes (e.g., "...there is a risk of system downtime...").
  - **Context:** The specific situation or environment in which the risk exists (e.g., "...within the financial reporting system during peak transaction periods.").


### Example
To illustrate the difference, consider a scenario in an IT department:

- **Risk:** "System Downtime"
  - **Description:** The organization's IT system may experience downtime, affecting business operations.
  - **Likelihood:** High
  - **Impact:** Severe
  - **Risk Owner:** IT Manager
  - **Mitigation Plan:** Implementing redundant systems and regular maintenance schedules.

- **Risk Statement:** "Due to outdated IT infrastructure, there is a risk of system downtime within the financial reporting system during peak transaction periods."
  - **Condition:** Outdated IT infrastructure
  - **Consequence:** System downtime
  - **Context:** Financial reporting system during peak transaction periods


### Usage in ServiceNow GRC
In ServiceNow GRC, risks are typically cataloged and managed within the Risk Management application. Risk statements are used to clearly define and articulate individual risks, providing detailed context that helps in assessing, prioritizing, and mitigating these risks. The relationship between a risk and its risk statement is essential for effective risk management, as the risk statement provides the necessary detail to understand the risk fully and to implement appropriate controls and mitigation strategies.


### Summary
- **Risk**: A potential event that could impact the organization, described with attributes like likelihood, impact, and mitigation plans.
- **Risk Statement**: A detailed articulation of the risk, including its condition, consequence, and context.

Understanding and distinguishing between these two concepts is crucial for effective risk management in ServiceNow GRC, as it allows for a structured approach to identifying, evaluating, and mitigating risks.

Cheers,
Prashant Kumar
ServiceNow Technical Architect


aperestrit
Kilo Contributor

Hello,


I believe that gurus Shafraz and Amitoj provide inaccurate explanations, actually the opposite of what is available in the ServiceNow knowledge base:


Risk Statement: a general statement about a potential risk that can occur anywhere in the organization. Risk statements serve as a template to generate risks per entity and can be arranged in parent-child hierarchical relations.


Risk: the specific occurrence of a risk statement against a single entity. Within each risk record, you can define ownership, document any details, define a response strategy, and monitor the risk. Risks link to many other objects, including controls, indicators, risk response tasks, entities, risk statements, risk frameworks, etc.


Risk statements can be organized into categorized risk frameworks. To manage numerous risk statements more efficiently, organizations can define a risk framework to group similar risk statements or a hierarchy of risk statements into manageable categories.


Please also see the structure diagrams:

[Attached: two pasted structure diagram images, not reproduced here]

Phil Swann
Tera Guru

Plenty of good answers here!

Let me add some things...


I like to think of the Risk as the object of aggregation, when scoring risk from the various perspectives (using RAM).

A risk is going to join the Entity and Risk Statement, so when you start to report on risk posture/position/picture across the organisation, it will roll up via the various layers of the Entity Hierarchy and Risk Statement Hierarchy.

So, yes, it is a template, and provides some commonality, but you CAN have more than one risk for the same entity and risk statement (wasn't always possible...). Use cases need clarity, but consider this means the risk statement is a way to provide the relevant taxonomy for reporting purposes and handle appetite with ownership as an aside from the Entity model...
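To make the template/instance relationship and the roll-up discussed in the last two answers concrete, here is an added Python model. It is not ServiceNow code or its API; the class names, the 1-5 scoring scale, the summed aggregation rule and the sample entities and statements are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, simplified model of what the thread describes: a RiskStatement
# is a reusable template that can sit in a parent/child hierarchy, an Entity
# sits in its own hierarchy, and a Risk is one occurrence of a statement
# against one entity, carrying its own score. Not ServiceNow's data model.

@dataclass
class Node:
    """A node in either the entity hierarchy or the risk statement hierarchy."""
    name: str
    parent: Optional["Node"] = None

    def ancestors_and_self(self) -> List["Node"]:
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain

@dataclass
class Risk:
    statement: Node   # the risk statement this risk instantiates
    entity: Node      # the entity it is raised against
    likelihood: int   # 1..5 (constructed scale)
    impact: int       # 1..5

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def roll_up(risks: List[Risk], by: str) -> Dict[str, int]:
    """Sum risk scores up the chosen hierarchy ('entity' or 'statement'),
    keyed by node name, so a parent sees the scores of all its children."""
    totals: Dict[str, int] = {}
    for r in risks:
        for node in getattr(r, by).ancestors_and_self():
            totals[node.name] = totals.get(node.name, 0) + r.score
    return totals

def build_sample() -> List[Risk]:
    """Constructed sample: one statement under a parent category, two
    entities under one organisation, and two risks sharing entity+statement."""
    it_risks = Node("IT Risks")
    downtime = Node("System downtime due to outdated infrastructure", it_risks)
    org = Node("ACME")
    finance, hr = Node("Finance", org), Node("HR", org)
    return [Risk(downtime, finance, 4, 5),
            Risk(downtime, finance, 2, 3),   # second risk, same entity + statement
            Risk(downtime, hr, 3, 2)]
```

Running `roll_up(build_sample(), "entity")` shows Finance carrying both of its risks and ACME carrying all three, while `roll_up(..., "statement")` shows the same total arriving at the "IT Risks" parent statement.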