Common controls in Risk Management

  • Release version: Zurich
  • Updated April 28, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Common controls in Risk Management

    Common controls in Risk Management allow ServiceNow customers to centrally manage controls that multiple business units (BUs) or shared functions—such as IT, HR, and finance—can use to mitigate risks and meet regulatory requirements. By linking risks to these common controls, risk owners can reduce the effort required for testing and attestation across reliant entities, enabling efficient and consistent risk management across the organization.

    Show full answer Show less

    Key Features

    • Centralized Control Management: Common controls are owned and managed by specific departments but can be applied across multiple BUs, promoting standardized control processes.
    • Automatic Risk-Control Associations: When a control objective and risk statement are linked and the entities match, the system automatically establishes risk-control associations.
    • Inheritance Capabilities: Common controls can be inherited in risk assessments, risk-mitigation tasks (when in Draft or Work In Progress states), and risk events when the entity is marked as a reliant entity.
    • Active Relationship Maintenance: Only active relationships between risks and controls are maintained, with historic relationships automatically removed to ensure current and relevant control data.
    • Real-Time Risk Event Linking: Common controls are automatically linked to risk events when underlying risks materialize, helping control owners quickly identify failures and take corrective actions.

    Benefits

    • Efficiency: Reduces time and effort by applying and testing a single control across multiple reliant entities.
    • Improved Reporting: Focuses management on active controls, enhancing the accuracy and relevance of control reporting.
    • Enhanced Risk Mitigation: Enables immediate action when common controls fail, improving organizational risk response.

    By linking the risks to a common control in the Risk Management application, you can reduce the time and effort that is needed to manage and apply these centralized controls to your reliant entities. For example, a fire sprinkler system can be a common control for multiple business units (BUs), such as finance, security, and human resources (HR).

    Overview of common controls

    Every organization has multiple (BUs) and shared functions, such as information technology (IT), HR, and finance. These shared functions define the policies and controls that the BUs can use to meet the regulatory requirements or to manage the risks in their BUs. Multiple BUs can use common controls that are owned and managed by a different department or team. This process enables an organization to maintain centralized control over certain processes while each BU can take advantage of these common controls. For more information on common controls, see Common Controls.

    To mitigate the risks in the reliant entities, a risk owner can link their risks to the common controls. By linking the risk, a risk owner can reduce the effort that is required to attest and test these common controls for the reliant entities.

    Benefits of common controls

    A common control has the following benefits:
    • You spend less time and effort to manage a common control because you can test and apply a common control to all your reliant entities.
    • You only need to manage the active controls, so the overall reporting of the controls is improved.

    Common controls in a risk

    If a control objective and risk statement are associated and the reliant entity of the control matches the risk entity, the risk-control association is established automatically. You can also inherit common controls to a risk when the risk entity is marked as a reliant entity in a common control. Any changes to the risk statement and the control's objective relationship can impact the risk-control association as well.

    Note:
    Only active relationships between risks and controls are maintained and any historic relationships are automatically deleted.

    Common controls in a risk assessment

    You can inherit common controls in the risk assessment when the entity is marked as a reliant entity in the common control.

    Common controls in a risk-mitigation task

    You can inherit the common controls to a risk-mitigating task when the entity is marked as a reliant entity in the common control. You can inherit the common controls to a risk-mitigating task when it is in the Draft or Work In Progress state.

    Common controls in a risk event

    A common control is automatically linked to a risk event when the underlying risk has materialized for the risk event. It enables the control owner to identify when the common control fails and to take immediate action if a common control does fail.