This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of Risk Workspace for the operational risk manager
The Risk Workspace for the operational risk manager in ServiceNow Zurich release helps operational risk managers effectively manage operational risks caused by people, processes, systems, or external events.These risks can range from minor human errors to severe incidents such as fraud leading to bankruptcy.Operational risk managers oversee the organization's risk posture by defining frameworks, assessing risks, monitoring events, and communicating risk status.
Show full answerShow less
Key Responsibilities and Tasks
Define the operational risk framework: Establish a robust risk management framework comprising risk identification, measurement, mitigation, reporting, and monitoring to manage operational risks effectively.
Set up libraries: Create clear risk statements to ensure common understanding of risks, define control objectives for risk mitigation, and organize entity classes and relationships to support risk assessment.
Conduct periodic risk assessments: Perform annual risk assessments, update risk registers, create assessment scopes, and schedule assessments to maintain an accurate risk profile.
Record and monitor risk events: Capture potential or actual losses, near misses, and gains in a loss event register, perform root-cause analysis, and track remedial actions to improve risk control.
Define and monitor key risk indicators (KRIs): Continuously monitor risk posture through KRIs and control indicators, collect supporting data automatically or manually, and escalate threshold breaches to stakeholders.
Manage issues and incidents: Identify and act on issues before they result in incidents, track and remediate issues and incidents to minimize impact.
Communicate the operational risk posture: Create dashboards and reports that aggregate assessment results, highlight top risks, and provide actionable insights for executives and risk teams.
Practical Benefits for ServiceNow Customers
Using the Risk Workspace, operational risk managers can:
Establish a structured and transparent risk framework tailored to their organization.
Create standardized risk statements and control objectives to unify risk understanding across teams.
Maintain up-to-date risk registers and perform consistent risk assessments to comply with organizational policies.
Proactively identify and investigate risk events to reduce future losses.
Monitor risk indicators continuously and respond promptly to changing risk conditions.
Manage issues and incidents systematically to prevent or mitigate negative outcomes.
Deliver clear, comprehensive reports and dashboards that support informed decision-making by leadership.
Key Tools and Features
Risk statements and hierarchies for clear risk definitions and aggregated scoring.
Control objectives linked to risk mitigation efforts.
Risk registers and assessment scopes for tracking and scheduling risk evaluations.
Loss event registers for detailed recording and analysis of risk events.
Key risk and control indicators with threshold monitoring and escalation capabilities.
Issue and incident management features to track remediation workflows.
Dashboards and heatmaps for visualizing risk posture and assessment outcomes.
Operational risk managers manage operational risks such as losses due to errors,
breaches, or damages that are caused by people, internal processes, systems, or external events.
Operational risks range from the small, such as the risk of loss due to minor human errors, to the
large, such as the risk of bankruptcy due to serious fraud.
Operational risk manager
Operational risk managers are a part of the operational risk team that manages the risk
posture of the organization. Risk posture is the current risk profile for a company. As an
operational risk manager, you must perform the following tasks.
Define the operational risk framework
Effectively manage the operational risks of an organization by defining a robust risk
management framework. This framework helps to identify risks and to define the control
framework to mitigate those risks. A risk management framework consists of the following
components:
Risk identification
Risk measurement or scoring
Risk mitigation
Risk reporting and monitoring
Set up libraries
Set up comprehensive libraries by doing the following:
Creating risk statements: A risk statement is used to record a risk in a way that
everyone can reach a common agreement on its severity or relative priority.
Creating control objectives: A control objective defines the aim or purpose of
risk-mitigating controls. These controls need continuous monitoring.
Defining entity classes, entity types, and entities: For more information on entities,
see Understanding entities.
Defining the upstream and downstream entities.
The first step is to set up risk statements so that your team has a specific idea of the
risk. For example, simply calling a risk as a cybersecurity risk is not specific.
Cybersecurity risks could mean different things to different people. Therefore, a common
statement to define cybersecurity is created as a risk statement. To create risk statements
and their hierarchy, clearly define the risk impact, the assets at risk, and the source of
risk. By defining the risk statements and creating their hierarchy, you can ensure that the
risk scores are aggregated thus giving the complete risk status.
Conduct risk assessments on a periodic basis
Perform the annual risk assessments according to your organization's policies. Also,
ensure that the risk register is updated and accurate. Create risk assessment scopes and
schedule assessments. To learn more about risk registers, see Risk register in the Risk Workspace.
Record and monitor risk events
Risk events are potential or actual financial and non-financial losses, near misses, and
gains that occur within an organization. To effectively manage risks, it is essential to
monitor risk events, perform a root-cause analysis, and track the remedial tasks.
Organizations use risk events to understand their losses and analyze areas of improvement to
reduce further losses. You must maintain the loss event register to capture complete event
information and to suggest additional controls to mitigate risks in the future.
Define key risk indicators
Monitor the risk posture of your enterprise on a continuous basis. Continuous monitoring
of risks and controls involves identifying and creating key risk and control indicators.
Supporting information can be collected for those indicators through automatic data
collection or manual tasks. Indicator results are then used to create issues for controls,
signal a change in the risk posture, and to provide supporting information for audit
activities and control testing. If the indicator thresholds are breached, you must escalate
to the respective stakeholders.
Manage issues and incidents
An issue is created when there is a change in the environment, process, or system that
poses a threat. An issue requires action to prevent an incident or loss. An incident is a
successful outcome or event with a negative impact. As the operational risk manager, you can
view, create, and manage issues and incidents. Ensure tracking, proper closure, remediation,
and monitoring of issues and incidents.
Communicate the operational risk posture
Define dashboards to report data effectively and accurately. You must create the required
reports which can be shared with the executives and the head of the operational risk team.
The reports and dashboards ensure that the aggregated assessment results across the
organization help to identify the top operational risks for the enterprise.
The following table lists the key tasks that you perform in your role as an operational risk
manager.
