Why do we need Risk Identification

Najmuddin Mohd
Mega Sage

Hello community,

We have Risk Identification in ServiceNow GRC, where we use Risk Configuration and trigger the Risk Questionnaire whenever an Entity is created. 

In Risk Identification,

with Step 1: We review the questionnaire
with Step 2: We see the Risks associated to it (Entity type mapped to Risk Statement) and add if any additional are required.
with Step 3: We associate Citation or Policies
with Step 4: We see Controls associated to it (Entity type mapped to Control objective) and add if any additional are required.

 


 


My question is about Step 3: Why do we need to associate any Citation or Policy, since Controls are mapped in Step 4, which rolls up to Control objective to Policy or Citation?


Thanks in Advance.

Regards,

Najmuddin.

1 ACCEPTED SOLUTION

SANDEEP DUTTA
Tera Patron

Hi @Najmuddin Mohd ,

From a data model perspective, we would also recommend linking citations to Risk Statements. Risks are transactional data, while risk statements and citations are master data, and therefore it makes sense to link the two.

 

Thanks,
Sandeep Dutta

Please mark the answer correct & Helpful, if I could help you.
