Why do we need Risk Identification

Najmuddin Mohd · ‎06-14-2025

Hello community,

We have Risk Identification in ServiceNow GRC, where we use Risk Configuration and trigger the Risk Questionnaire whenever an Entity is created.

In Risk Identification,

with Step 1: We review the questionnaire

with Step 2: We see the Risks associated to it (Entity type mapped to Risk Statement) and add if any additional are required.
with Step 3: We associate Citation or Policies
with Step 4: We see Controls associated to it (Entity type mapped to Control objective) and add if any additional are requried.

My Question is with Step 3: Why do we need associate any Citation or Policy. Since Controls are mapped in Step 4, which rolls up to Control objective to Policy or Citation.

Thanks in Advance.

Regards,

Najmuddin.

SANDEEP DUTTA · ‎06-15-2025

Hi @Najmuddin Mohd ,

From a data model perspective we will also recommend to link citations to Risk Statements. Risks is a transactional data while risk statements and citations are master data and therefore make sense to link the 2.

Thanks,
Sandeep Dutta

Please mark the answer correct & Helpful, if i could help you.

View solution in original post

SANDEEP DUTTA · ‎06-15-2025

Hi @Najmuddin Mohd ,

From a data model perspective we will also recommend to link citations to Risk Statements. Risks is a transactional data while risk statements and citations are master data and therefore make sense to link the 2.

Thanks,
Sandeep Dutta

Please mark the answer correct & Helpful, if i could help you.

SANDEEP DUTTA · ‎06-15-2025

Hi @Najmuddin Mohd ,

Thanks,
Sandeep Dutta

Please mark the answer correct & Helpful, if i could help you.