Risk Management overview - Legacy
Risk management enables an organization to quickly identify and quantify the impact that
loss events affecting various business processes and items (such as facilities, business services,
and vendors) pose to the organization. A risk is a definition of the possible consequence of
failing to comply with a policy.
Risks are rated on criteria that can be used to calculate a risk approach. The risk approach
calculation is based on risk approach rules that typically use the values contained in the
Significance and Likelihood fields in the Risk Criteria [grc_risk_criteria] table. This table
contains a Display value field to allow for text values and a weighting, which can be used to
define the risk approach rules. After the risks are defined, they can be associated with controls
to identify how they are being mitigated.
By using risks and profiles, organizations can coordinate the risk assessment process to
prioritize the order and frequency of risk assessments, control testing, and periodic audits
against each entity.
- Ensure that the settings for Risk Criteria, Risk Criteria Thresholds, and Properties are
correct based on the needs of your organization. Modify if necessary.
- Create Profile Types to group common Profiles with similar risks together for easier
- Generate profiles from Profile Types, or create Profiles manually.
- Create Risk Definitions to define a set of baseline risks that should be assessed across the
- Assign Risk Definitions to Profile Types, and Generate Risks from Definitions, or generate
- Determine the appropriate risk response (for example, Accept, Avoid, Mitigate, or Transfer),
and document the justification for the response.
- Assign and complete Remediation Tasks to ensure that risk mitigation efforts are
- Utilize the Governance, Risk, and Compliance (GRC) application to track risk mitigation
efforts by relating a risk to controls or policies which mitigate the risk.
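The risk approach calculation described above rests on three configured pieces: Risk Criteria rows (a display value plus a weighting), Risk Criteria Thresholds that decide what counts as high/likely or low/unlikely, and risk approach rules that map the two ratings to a response such as Accept, Avoid, Mitigate, or Transfer. The following is an added example, not ServiceNow code and not the platform's actual rule engine; it models those three pieces in plain JavaScript so the effect of a threshold or rule change can be checked before it is made on the instance. All criteria values, weightings, thresholds, and rules in it are constructed assumptions.

```javascript
// Added example (not ServiceNow's code). Models Legacy Risk criteria,
// thresholds and approach rules; every value below is constructed.

// Constructed stand-ins for grc_risk_criteria rows: display value + weighting.
const LIKELIHOOD_CRITERIA = [
  { display: 'Rare',     weighting: 1 },
  { display: 'Unlikely', weighting: 2 },
  { display: 'Possible', weighting: 3 },
  { display: 'Likely',   weighting: 4 },
  { display: 'Certain',  weighting: 5 },
];
const SIGNIFICANCE_CRITERIA = [
  { display: 'Negligible', weighting: 1 },
  { display: 'Minor',      weighting: 2 },
  { display: 'Moderate',   weighting: 3 },
  { display: 'Major',      weighting: 4 },
  { display: 'Severe',     weighting: 5 },
];

// Constructed thresholds: a weighting at or above `high` rates as high/likely,
// at or below `low` rates as low/unlikely, anything in between as medium.
const THRESHOLDS = {
  likelihood:   { low: 2, high: 4 },
  significance: { low: 2, high: 4 },
};

// Assumed approach rules, evaluated in order; the first match wins.
// The response names are the ones the page lists.
const APPROACH_RULES = [
  { approach: 'Avoid',    when: (l, s) => l === 'high' && s === 'high' },
  { approach: 'Mitigate', when: (l, s) => s === 'high' },
  { approach: 'Transfer', when: (l, s) => l === 'high' && s === 'medium' },
  { approach: 'Accept',   when: (l, s) => l === 'low' && s === 'low' },
  { approach: 'Mitigate', when: () => true }, // default when nothing else matches
];

// Look up the weighting behind a display value; unknown values are an error
// rather than a silent zero, so a misspelled criteria name cannot lower a score.
function weightingFor(criteria, display) {
  const row = criteria.find((r) => r.display === display);
  if (!row) throw new Error('unknown criteria value: ' + display);
  return row.weighting;
}

// Apply a threshold to a weighting and return 'low', 'medium' or 'high'.
function rate(weighting, { low, high }) {
  if (weighting >= high) return 'high';
  if (weighting <= low) return 'low';
  return 'medium';
}

// Compute the rating pair, a combined score (assumed here to be the product
// of the two weightings) and the approach chosen by the first matching rule.
function riskApproach(likelihoodDisplay, significanceDisplay) {
  const l = weightingFor(LIKELIHOOD_CRITERIA, likelihoodDisplay);
  const s = weightingFor(SIGNIFICANCE_CRITERIA, significanceDisplay);
  const likelihood = rate(l, THRESHOLDS.likelihood);
  const significance = rate(s, THRESHOLDS.significance);
  const rule = APPROACH_RULES.find((r) => r.when(likelihood, significance));
  return { score: l * s, likelihood, significance, approach: rule.approach };
}

// Usage: rate one risk as it would be scored from its two criteria fields.
console.log(riskApproach('Likely', 'Severe'));   // Avoid, score 20
console.log(riskApproach('Rare', 'Negligible')); // Accept, score 1
```

Because the rules are an ordered list, their order is part of the configuration: moving the catch-all Mitigate rule above the Accept rule would silently stop any risk from ever being accepted, which is the kind of change worth testing against known criteria pairs before it reaches the instance.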
- Parent Topic
- Governance, Risk, and Compliance (GRC)
The ServiceNow® Governance, Risk, and Compliance (GRC) application enables an organization to
document authority documents, policies, and risks and then design controls to enforce those
documents and mitigate risk. Organizations can schedule and run control tests and/or conduct
audits to gather compliance evidence and identify failures that require remediation.
- Child Topics
- Migrate from Legacy Risk
A migration tool is provided to migrate Legacy Risk risks, risk definitions,
risk/task relationships, and/or control/risk relationships to the new GRC applications.
- Create a profile type - Legacy
Profile types are similar to a category in that they group like profiles together.
However, profile types are more powerful than categories, because business logic automates
the identification of all potential profiles in the system that meet the profile type
- Generate a profile from a profile type - Legacy
Profiles are not automatically generated by creating the Profile Type; they must be
- Create a profile - Legacy
Profiles are the records that aggregate GRC information related to a specific item.
Profiles can exist for any particular item such as a business service, vendor, demand,
software, contract, or any other record in the system. An item can only have one profile,
but it can belong to many profile types. Profiles cannot be created for items that do not
have a record in a table.
- Create a risk definition - Legacy
Risk definitions act as a template for creating risks, but also allow you to group
like risks together. They automate the process of creating and assigning risks to items that
the risk relates to.
- Relate a risk definition to a profile type - Legacy
After a risk definition is created, it can be related to a profile type to generate a
- Create a risk - Legacy
Risks are the specific records used to document and assess the likelihood and
significance of a risk.
- Create or modify a risk criteria threshold - Legacy
Risk Criteria are the scoring values attributed to the likelihood that a risk will
occur, and the significance to your organization if the risk does occur. Risk Criteria
Thresholds allow you to define what is deemed a high/likely or low/unlikely score. You can
create or modify risk criteria thresholds, as necessary.
- Risk homepage - Legacy
The risk homepage provides an executive view into risk management, allowing risk
managers to quickly identify areas of concern by pinpointing profiles with known high risk.
- Risk properties - Legacy
The Administration module contains Properties. The Risk application provides properties
associated with significance, likelihood, and application.
Products > Business Management > Governance, Risk and Compliance; Versions > Istanbul