Manage risks linked to the same risk statement
Summarize
Summary of Manage risks linked to the same risk statement
This feature allows ServiceNow customers to create and associate multiple risks with the same risk statement and entity combination. Previously, only one risk could be linked per risk statement and entity, which worked well for organizations with mature, standardized risk taxonomies. However, it posed challenges for customers with less standardized risk structures, especially those with fewer hierarchical levels and more localized risks across business units or lines of business.
Show less
Key Features
- Inherit from risk statement option: When selected on the Risk form, risk creation behaves as before, allowing only one risk per risk statement and entity.
- Multiple risks association: When the inherit option is not selected, multiple risks can be linked to the same risk statement and entity, enabling use of the risk statement hierarchy as categorization and sub-categorization.
- Risk customization: If multiple risks are linked, risk names and descriptions can differ from the risk statement, allowing tailored risk definitions at different organizational levels.
Key Outcomes
- Flexibility in risk taxonomy: Risk managers can define and adapt risk taxonomies aligned with their organization's needs.
- Improved risk identification and linkage: Entity owners can identify localized risks and link them effectively to the broader enterprise risk taxonomy.
- Prevention of orphan risks: By linking multiple risks under the same statement, risks are less likely to remain unmanaged or unassigned.
- Supports hierarchical risk aggregation: New risks identified at lower levels can be associated with enterprise risk hierarchies, allowing aggregated scoring and impact analysis.
You can create and associate multiple risks to the same risk statement and entity combination. This association benefits the risk managers and the entity owners.
Before the latest release, users could only associate one risk for a single entity and risk statement combination. This ability was useful for customers who have a mature risk program with a well-defined and standardized risk taxonomy. However, it did not meet the requirements of customers who do not have a standardized risk taxonomy. Such customers usually have only two or three levels of risk statement hierarchy while their actual risks are still local for each business unit or lines of business. Also, when the first line identifies new risks, they associate those risks to an enterprise risk hierarchy. This allows the new risk scores to aggregate and impact the overall risk hierarchy. With the current release, a new option called Inherit from risk statement is introduced on the Risk form. If this option is selected, the risk creation happens in the previous manner. This means that there can be only one instance of risk statement and entity combination. However, if this option is not selected, the system allows the risk statement hierarchy to be used as categorization and sub-categorization hierarchy and associates multiple risks to the same risk statement and entity combination. This option also enables the first line to associate their newly identified risks to the risk hierarchy at a level they want to. When this new option is not selected, the system assumes that the name and description of the risk is overridden and must not be the same as the risk statement name and description.
This feature benefits the risk manager as it allows the risk managers to define the risk taxonomy according to the needs of their organization. It also benefits the entity owners to identify risks for their entity and link them to enterprise risk taxonomy.