Import/Create records in [sn_risk_risk] or [sn_grc_issue] table?

Valqe · ‎03-14-2024

Hi all,

I'm relatively new to the GRC space and would greatly appreciate your advice on the following matter:

Is there a scenario where records are created directly (or imported) into the [sn_risk_risk] table without following the 'per book' process, wherein you create an 'Entity Type' and associate it with an 'Entity' and 'Risk Statement'?

I'm asking because (new implementation) customer has provided us with an Excel list they refer to as the 'Existing risk ticket queue,' and they want to import it into ServiceNow. Personally, I feel it might be more appropriate to import these records into [sn_grc_isse] instead of considering them as risks and importing them into [sn_risk_risk]. I welcome your comments and further elaboration on this matter.

Sharing best pactices to importing existing records in [Risk] module when fresh IRM implementation is greatly appreciated 🙂

Many thanks,

Valqe.

Community Alums · ‎03-16-2024

Hi @Valqe ,

Intresting Question!!

It's not advised to import directly to "sn_risk_risk" table as it's meant to be created automatically when you add the entity type to Risk Statements.

Now, as per your customer's requirement, i belive it's the risk's excel sheet which they want to track and remidiate. so import 'Existing risk ticket queue', to the "sn_grc_isse" table and follow the issue management lifecycle.

Issue lifecycle involves the below stages and it should be the right approach to track your requirement provided by your customer:

New: Default state of issue. So as soon as issue is created, it will be in New state and assigned to the control owner.

Analyze: In this state, the owner needs to analyze the issue and identify the root cause.

Respond: In this state, owner decides if he/she can remediate the issue or needs to accept the issue and create an exception. If owner select response as Remediate, the owner/his team responds/fixes the issue in this state and move it to review. If they select response as Accept, we provide user to create an exception. And until the exception is closed, we keep the issue in respond state. Once closed, owner should remediate the issue.

Review: In this state, as per my understanding, the compliance/Risk/Audit Manager reviews the response from the owner and decides if issue is fixed.

Closed: Compliance/Audit/Risk manager closes the issue, if he/she thinks issue has been resolved.

View solution in original post

Community Alums · ‎03-18-2024

Hi @Valqe ,

As per OOTB , the indicator failure will also create an issue which will be available in [sn_grc_issue] table.

No need for creating a Record Producer as You can create issues manually on adhoc basis and it will be going to [sn_grc_issue] table.

If you can later attach the issue to a risk, control , entity or control objectives:

Valqe · ‎03-19-2024

Thank you for your comments and contribution @Community Alums and @Rakesh Chigari I appreciate it.

Community Alums · ‎03-19-2024

Hi @Valqe ,

Glad to see i could contribute in your learning journey 😊