Manage issues

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Manage issues Governance, Risk, and Compliance

    Effectively managing issues within your organization is crucial for a successful risk management program. This process involves swiftly identifying and responding to risk and compliance challenges. Employees can report issues through the ServiceNow® Service Portal, while Governance, Risk, and Compliance (GRC) users can manually create issues to document audit findings and compliance concerns.

    Show full answer Show less

    Key Features

    • Issue Submission: Employees self-identify issues via the Service Portal; GRC users can create issues manually.
    • Automatic Issue Generation: Control and control test issues are automatically created under specific conditions, enhancing efficiency.
    • Issue Management Workflow: The workflow includes stages such as issue intake, investigation, remediation, and review, ensuring a structured approach to managing issues.
    • Workspace Tracking: Users can monitor all issues or specific ones within the Workspace, allowing for organized management.
    • Grouping Issues: Grouping similar issues in the Workspace helps streamline workflows and saves time.

    Key Outcomes

    Implementing effective issue management enables your organization to:

    • Eliminate noise and consolidate duplicate issues.
    • Focus on high-risk issues and prioritize remediation actions.
    • Identify and analyze operational weaknesses in policies and controls.
    • Enhance compliance and mitigate risks through structured remediation efforts.
    • Review and monitor issues to improve future risk management practices.

    You can measure the effectiveness of your company's risk management program by how quickly and completely it identifies and reacts to risk and compliance issues.

    Issues can be submitted using two methods, depending on the type of user involved:
    Note:
    Various types of issues can also be automatically generated under the following conditions (these types of issues are not triaged):
    • Control issue: Created when a control attestation is completed, indicating that the control is not implemented, or when an indicator fails.
    • Control test issue: Created when a control test is closed complete with the control effectiveness set to Ineffective.

    The goals of issue management

    The goals of issue management include:

    • Eliminating noise​.

    • Consolidating duplicate issues​.

    • Focusing on issues that expose the organization to the greatest risk.

    • Identifying and prioritizing remediation actions​.

    • Identifying new issues across the business operations​.

    • Analyzing operational weakness in policies, processes, and controls​.

    Issue management workflow and life cycle

    By remediating issues, controls can be kept compliant, and risk can be mitigated​. The Issue Management workflow and life cycle are illustrated and described here.
    Figure 1. Issue Management workflow
    Issue Management Workflow
    Table 1. Issue Management life cycle
    Stage Description
    Issue intake As described earlier, issues can be submitted using two methods, depending on the type of user involved:
    • Employees and business users within your company can self-identify an issue and submit it via the ServiceNow® Service Portal. Following submission, a triage issue is automatically created and the issue triage process begins.
    • GRC users can manually create an issue from within their instance. These types of issues are not triaged.
    Investigate the issue During the investigation phase, it is determined whether the issue requires additional study. If a triage is being performed, the triage issue is assigned to a triage team for analysis. The triage team may request more information from the issue creator. The team can also optionally send the issue to the compliance manager, risk manager, or triage manager with a triage result.
    Remediate the issue After the team has confirmed the issue, the necessary steps to remediate it are performed. If a triage was performed, the triage issue is converted into an actual issue or risk event. The team may also decide to track the issue as a recommendation or close it as a non-issue.
    Review and monitor the issue Prior to closing the issue, the policy owner reviews and approves it. The review also allows the organization to:
    • track past due tasks
    • benchmark issue timelines
    • identify where losses could have been mitigated
    • reduce gaps in the future