06-14-2025 09:18 AM - edited 06-14-2025 09:20 AM
Hello community,
We have Risk Identification in ServiceNow GRC, where we use Risk Configuration and trigger the Risk Questionnaire whenever an Entity is created.
In Risk Identification,
with Step 1: We review the questionnaire
with Step 2: We see the Risks associated to it (Entity type mapped to Risk Statement) and add if any additional are required.
with Step 3: We associate Citation or Policies
with Step 4: We see Controls associated to it (Entity type mapped to Control objective) and add if any additional are required.
My question is about Step 3: Why do we need to associate any Citation or Policy, since Controls are mapped in Step 4, which rolls up to Control objective to Policy or Citation?
Thanks in advance.
Regards,
Najmuddin.
06-15-2025 05:29 AM
Hi @Najmuddin Mohd ,
From a data model perspective, we will also recommend linking citations to Risk Statements. Risks are transactional data, while risk statements and citations are master data, and therefore it makes sense to link the two.
Sandeep Dutta
Please mark the answer correct & Helpful, if I could help you.
06-15-2025 07:00 PM
Hi @Najmuddin Mohd ,
Sandeep Dutta
Please mark the answer correct & Helpful, if I could help you.