Approach for risk response task approvals and risk lifecycle in general
‎01-20-2022 08:37 AM
Hi all,
I was wondering what your experiences are, in practice, when it comes to managing the risk lifecycle in ServiceNow and getting approvals for risk mitigation tasks etc. For example, the Risk Manager role is the one that reviews e.g. risk mitigation tasks and closes them, but have you used other approaches for this? Do you, for example, see it as necessary that a risk manager reviews all mitigation tasks before they can be closed? In some cases there might not be risk managers available to allocate time to continuously review response tasks.
The way the lifecycle goes OOB, as far as I understand, using mitigation as an example of a response option:
- Document risk
- Assess risk
- Use risk assessment(s) as input to determine inherent and residual risk (if using qualitative method). Risk owner responsibility
- Select response option (mitigation in this example)
- Risk owner by default marked as responsible for the mitigation task (can be allocated to someone else)
- Risk mitigation plan created and implemented
- Sent for review --> Risk Managers get notification and one of them approves the task
- Risk moves automatically to review state (where risk owner can take a final look that everything is ok?)
- Risk moved to monitor state
So, to summarize my flow of thoughts: what kind of practical application experiences do you have in managing the risk lifecycle with ServiceNow? 🙂 Do you use the OOB process?
Best,
Iiro
‎01-26-2022 12:18 PM