
Activate Risk Management

The GRC: Risk Management (com.sn_risk) plugin is available as a separate subscription.

Before you begin

Role required: admin

This plugin includes demo data and activates related plugins if they are not already active.

Procedure

  1. Navigate to System Definition > Plugins.
  2. Find and click the plugin name.
  3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.

    If the plugin depends on other plugins, these plugins are listed along with their activation status.

    If the plugin has optional features that depend on other plugins, those plugins are listed under "Some files will not be loaded because these plugins are inactive". The optional features are not installed until the listed plugins are installed, whether before or after the installation of the current plugin.

  4. (Optional) If available, select the Load demo data check box.

    Some plugins include demo data: sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance; avoid loading it on a production instance.

    You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.

  5. Click Activate.

Components installed with Risk Management

Activating the GRC: Risk Management (com.sn_risk) plugin adds or modifies several tables, user roles, and other components.

Tables installed with Risk Management

GRC: Risk Management adds the following tables.

Table Description
Risk [sn_risk_risk]: Extends the Item table [sn_grc_item] and stores specific risks associated with profiles.
Risk Criteria [sn_risk_criteria]: Stores the risk criteria used to calculate risk scores.
Risk Statement [sn_risk_definition]: Extends the Content table [sn_grc_content] and stores definitions of risks.
Risk Framework [sn_risk_framework]: Extends the Document table [sn_grc_document] and stores all risk frameworks, each a collection of risk statements.
Risk Framework to Profile Type [sn_risk_m2m_framework_profile_type]: Extends the Document to Profile Type table [sn_grc_m2m_document_profile_type]; a many-to-many relationship table that manages the relationships between risk frameworks and profile types.
Risk to Control [sn_risk_m2m_risk_control]: Stores many-to-many relationships between risks and controls.
Profile Type to Risk Statement [sn_risk_m2m_risk_definition_profile_type]: Extends the Content to Profile Type table [sn_grc_m2m_content_profile_type]; a many-to-many relationship table that manages the relationships between profile types and risk statements.
Risk Relationship [sn_risk_m2m_risk_risk]: Stores many-to-many relationships between risks.
Risk Tasks [sn_risk_m2m_risk_task]: Stores many-to-many relationships between risks and tasks.

Note: All additional tables installed by the dependent plugins are also required by GRC: Risk Management.

Properties installed with Risk Management

GRC: Risk Management adds the following properties.

Name Description
sn_risk.active_states: States for which the risk is active (the first state is the default active state)
  • Type: string
  • Default value: draft, assess, review, monitor
  • Location: Risk > Administration > Properties
sn_risk.closed_states: States for which the risk is inactive (the first state is the default inactive state)
  • Type: string
  • Default value: retired
  • Location: Risk > Administration > Properties
sn_risk.default_assessment: Name of the assessment metric type that is used for risk assessment
  • Type: string
  • Default value: Risk Assessment
  • Location: Risk > Administration > Properties
sn_risk.glide.script.block.client.globals
  • Type: true | false
  • Default value: false
  • Location: Risk > Administration > Properties
sn_risk.qualitative_impact: Use qualitative impact scores as input
  • Type: true | false
  • Default value: false
    Note: If upgrading from Geneva (or earlier) to Helsinki (or later) and the value was previously set to true, the value is set to true after upgrading.
  • Location: Risk > Administration > Properties
sn_risk.qualitative_likelihood: Use qualitative likelihood scores as input
  • Type: true | false
  • Default value: false
  • Location: Risk > Administration > Properties

Roles installed with Risk Management

GRC: Risk Management adds the following roles.

Role title [name] Description Contains roles
Risk User [sn_risk.user]: Contains the reader and user roles in the sn_grc scope, and the reader role in the Risk Management application. In addition to the inherited permissions, the risk user can view profile types, profiles, risks, and remediation tasks. The risk user can be assigned risks and has read-only access to the Policy and Compliance Management application and modules.
  • sn_grc.reader
  • sn_grc.user
  • sn_risk.reader
  • Inherits the following roles if the GRC: Policy and Compliance Management plugin is activated.
    • grc_compliance_reader
    • grc_user
    • grc_audit_reader
    • grc_control_test_reader
    • task_editor
Risk Reader [sn_risk.reader]: Contains the reader role in the sn_grc scope. In addition to the inherited permissions, the risk reader has read-only access to the Risk application and modules and can be assigned risks.
  • sn_grc.reader
Assessment Creator [sn_risk.asmt_creator]
  • sn_grc.reader
  • sn_grc.user
  • sn_grc.manager
  • sn_risk.reader
  • sn_risk.user
  • Inherits the following roles if the GRC: Policy and Compliance Management plugin is activated.
    • grc_audit_reader
    • task_editor
    • certification_admin
    • grc_test_definition_admin
    • grc_control_test_reader
    • assessment_admin
    • certification
    • grc_compliance_reader
    • certification_filter_admin
    • grc_user
Risk Manager [sn_risk.manager]: Contains the reader, user, and manager roles in the sn_grc scope, and the reader and user roles in the Risk Management application. In addition to the inherited permissions, the risk manager can create risk frameworks, risk statements, and risks.
  • sn_grc.reader
  • sn_grc.user
  • sn_grc.manager
  • sn_risk.reader
  • sn_risk.user
  • Inherits the following roles if the GRC: Policy and Compliance Management plugin is activated.
    • grc_audit_reader
    • task_editor
    • certification_admin
    • grc_test_definition_admin
    • grc_control_test_reader
    • assessment_admin
    • certification
    • grc_compliance_reader
    • certification_filter_admin
    • grc_user
Risk Admin [sn_risk.admin]: Contains the reader, user, manager, and admin roles in the sn_grc scope, and the reader, user, and manager roles in the Risk Management application. In addition to the inherited permissions, the risk admin can delete risk frameworks, risk statements, and risks, and modify admin properties and risk criteria.
  • sn_grc.reader
  • sn_grc.user
  • sn_grc.manager
  • sn_grc.admin
  • sn_risk.reader
  • sn_risk.user
  • sn_risk.manager
  • Inherits the following roles if the GRC: Policy and Compliance Management plugin is activated.
    • grc_audit_reader
    • task_editor
    • certification_admin
    • grc_test_definition_admin
    • grc_control_test_reader
    • assessment_admin
    • certification
    • grc_compliance_reader
    • certification_filter_admin
    • grc_admin
    • grc_user

Client scripts installed with Risk Management

GRC: Risk Management adds the following client scripts.
Client script Table Description
Calculate Inherent ALE when ARO changes (Risk [sn_risk_risk]): Calculates the inherent Annualized Loss Expectancy (ALE) when the inherent Annual Rate of Occurrence (ARO) changes.
Calculate Inherent ALE when SLE changes (Risk [sn_risk_risk]): Calculates the inherent ALE when the inherent Single Loss Expectancy (SLE) changes.
Calculate Residual ALE when ARO changes (Risk [sn_risk_risk]): Calculates the residual ALE when the residual ARO changes.
Calculate Residual ALE when SLE changes (Risk [sn_risk_risk]): Calculates the residual ALE when the residual SLE changes.
Calculated ALE (Inherent ALE) (Risk [sn_risk_risk]): Updates the calculated ALE when the inherent ALE changes.
Calculated ALE (Residual ALE) (Risk [sn_risk_risk]): Updates the calculated ALE when the residual ALE changes.
Hide risk to control related list (Risk [sn_risk_risk]): Hides the Risk to Control related list when the compliance plugin is not installed.
Set maximum value (currency max value) (Risk Criteria [sn_risk_criteria]): Updates the maximum value when the currency max value field changes.
Set maximum value (percentage max value) (Risk Criteria [sn_risk_criteria]): Updates the maximum value when the percentage max value field changes.
Show risk generation message (Profile Type [sn_grc_profile_type]): Display business rule that shows a message indicating that risks are being generated while risks are being created for all the profiles in a profile type.
Update Fields from Definition (Risk [sn_risk_risk]; Risk [grc_risk]): Updates various fields from the risk statement whenever the risk statement field changes.
Update Inherent Score (Inher Likelihood) (Risk [sn_risk_risk]): Updates the inherent score when the inherent likelihood changes.
Update Inherent Score (Inherent impact) (Risk [sn_risk_risk]): Updates the inherent score when the inherent impact changes.
Update Inherent Score (Likelihood) (Risk [grc_risk]): Updates the inherent score when the likelihood changes.
Update Inherent Score (Significance) (Risk [grc_risk]): Updates the inherent score when the significance changes.
Update Residual Score (Likelihood) (Risk [grc_risk]): Updates the residual score when the residual likelihood changes.
Update Residual Score (Resid Likelihood) (Risk [sn_risk_risk]): Updates the residual score when the residual likelihood changes.
Update Residual Score (Residual impact) (Risk [sn_risk_risk]): Updates the residual score when the residual impact changes.
Update Residual Score (Significance) (Risk [grc_risk]): Updates the residual score when the residual significance changes.
Use qualitative impact (Risk [sn_risk_risk]; Risk Statement [sn_risk_definition]): Chooses whether to show the inherent impact or the inherent SLE, based on the sn_risk.qualitative_impact system property.
Use qualitative likelihood (Risk [sn_risk_risk]; Risk Statement [sn_risk_definition]): Chooses whether to show the inherent likelihood or the inherent ARO, based on the sn_risk.qualitative_likelihood system property.
Validate Default Inherent SLE (Risk Statement [sn_risk_definition]): Validates that the inherent SLE is greater than or equal to the residual SLE when the inherent SLE changes.
Validate Default Residual ARO (Risk Statement [sn_risk_definition]): Validates that the inherent ARO is greater than or equal to the residual ARO when the residual ARO changes.
Validate Inherent ARO (Risk [sn_risk_risk]): Validates that the inherent ARO is greater than or equal to the residual ARO when the inherent ARO changes.
Validate Inherent impact (Risk [sn_risk_risk]; Risk Statement [sn_risk_definition]): Validates that the inherent impact is greater than or equal to the residual impact when the inherent impact changes.
Validate Inherent likelihood (Risk [sn_risk_risk]; Risk Statement [sn_risk_definition]; Risk [grc_risk]): Validates that the inherent likelihood is greater than or equal to the residual likelihood when the inherent likelihood changes.
Validate Inherent Residual SLE (Risk Statement [sn_risk_definition]): Validates that the inherent SLE is greater than or equal to the residual SLE when the residual SLE changes.
Validate Inherent significance (Risk [grc_risk]): Validates that the inherent significance is greater than or equal to the residual significance when the inherent significance changes.
Validate Inherent SLE (Risk [sn_risk_risk]): Validates that the inherent SLE is greater than or equal to the residual SLE when the inherent SLE changes.
Validate Residual ARO (Risk [sn_risk_risk]): Validates that the inherent ARO is greater than or equal to the residual ARO when the residual ARO changes.
Validate Residual impact (Risk [sn_risk_risk]; Risk Statement [sn_risk_definition]): Validates that the inherent impact is greater than or equal to the residual impact when the residual impact changes.
Validate residual likelihood (Risk [sn_risk_risk]; Risk Statement [sn_risk_definition]; Risk [grc_risk]): Validates that the inherent likelihood is greater than or equal to the residual likelihood when the residual likelihood changes.
Validate Residual significance (Risk [grc_risk]): Validates that the inherent significance is greater than or equal to the residual significance when the residual significance changes.
Validate Residual SLE (Risk [sn_risk_risk]): Validates that the inherent SLE is greater than or equal to the residual SLE when the residual SLE changes.

Note: Client scripts run only in the browser when a record is edited through a form. They improve the form experience but do not enforce anything for records written through other channels; the matching business rules listed under Business rules installed with Risk Management are what enforce the inherent-versus-residual constraints on every write.

Script includes installed with Risk Management

GRC: Risk Management adds the following script includes.

Script include Description
RiskALECalculator Calculates Risk Annualized Loss Expectancy (ALE) based on Single Loss Expectancy (SLE) and Annual Rate of Occurrence (ARO) selections.
RiskGeneratorStrategy Generates risks when relationships are created between profile types and risk frameworks or risk statements.
RiskMigrationUtils Utilities for migrating risks from grc_risk to sn_risk_risk.
RiskUtils Editable script include that allows RiskUtilsBase to be overridden without affecting the base code.
RiskUtilsAJAX Provides client-callable risk methods.
RiskUtilsAJAX2 Provides client-callable risk methods.
RiskUtilsBase Provides base risk utilities. This protected script include cannot be edited.
RiskUtilsBaseV2 Risk utility base for Risk V2.
RiskUtilsV2 Risk utilities for Risk V2.

Business rules installed with Risk Management

GRC: Risk Management adds the following business rules.

Business rule Tables Description
Assign risks to profiles (Profile [sn_grc_profile]): Allows the system to assign risks to various profiles.
Calculate qualitative scores (Risk [sn_risk_risk]): Calculates the inherent and residual scores for the risk and updates the qualitative values.
Calculate Scores (Risk [grc_risk]): Calculates the inherent, residual, and calculated risk scores from the likelihood and significance of a risk.
Calculated ALE (Risk [sn_risk_risk]): Sets the calculated score for the risk.
Cascade Changes (Risk Statement [sn_risk_definition]): Copies changes to the name, description, and category fields from the risk statement to its associated risks.
Create risk scratchpad (Profile Type [sn_grc_profile_type]): Sets a scratchpad field to determine whether risks are currently being created.
Populate SLE & ARO from definition (Risk [sn_risk_risk]): Populates the default values from the risk statement into a risk when the risk is created.
Prevent adding inactive framework (Risk Framework to Profile Type [sn_risk_m2m_framework_profile_type]): Prevents the association of an inactive risk framework with any profile type.
Prevent adding inactive risk statement (Risk Statement to Profile Type [sn_risk_m2m_definition_profile_type]): Prevents the association of an inactive risk statement with any profile type.
Rollup Profile Scores (Profile [sn_grc_profile]; Risk [grc_risk]): Calculates the inherent, residual, and calculated risk scores from the likelihood and significance of all risks associated with a profile.
Scratchpad: Risk Scoring (Risk [sn_risk_risk]): Sets scratchpad fields to determine whether qualitative scoring is used for impact and likelihood and whether the compliance plugin is installed.
Scratchpad: Risk Statement Scoring (Risk Statement [sn_risk_definition]): Sets scratchpad fields to determine whether qualitative scoring is used for impact and likelihood.
Set Content (Risk Statement to Profile Type [sn_risk_m2m_definition_profile_type]): Sets the content field equal to the risk statement in the many-to-many relationship.
Set maximum value (Risk Criteria [sn_risk_criteria]): Updates the maximum value whenever the currency or percentage max values change.
Sync between content and definition (Risk [sn_risk_risk]): Synchronizes the content and risk statement fields.
Sync qualitative fields (Risk Statement [sn_risk_definition]; Risk [sn_risk_risk]): Synchronizes the qualitative and quantitative scores whenever the risk impact, residual impact, inherent SLE, residual SLE, likelihood, residual likelihood, inherent ARO, or residual ARO changes.
Update impact/likelihood (Risk Criteria [sn_risk_criteria]): Updates the SLE, ARO, impact, and likelihood of all risk statements and risks that use the risk criteria.
Update applies to when profile changes (Risk [grc_risk]): Updates the 'Applies to' field on the risk form when the profile is changed on the risk form.
Update risk control factor (Risk to Control [sn_risk_m2m_risk_control]): Updates the risk control failure factor whenever a many-to-many relationship between risks and controls is created, updated, or deleted.
Validate inherent and residual values (Risk Statement [sn_risk_definition]): Validates that the inherent impact, likelihood, SLE, and ARO are greater than or equal to the corresponding residual values.
Validate residual fields (Risk [sn_risk_risk]): Validates that the inherent impact, likelihood, SLE, and ARO are greater than or equal to the corresponding residual values.
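The scoring and validation rules spread across the client scripts and business rules tables above (ALE from SLE and ARO, the active/closed state properties, and the rule that every inherent value must be at least its residual counterpart) are short enough to state in one place. The following is an added example written for this page, not code from ServiceNow or from the plugin: it is plain Node.js with no Glide API, and the record field names (inherent_sle, residual_aro, and so on), the function names, and the two sample records are assumptions constructed for the illustration. It applies the server-side check to a consistent record and to a tampered copy that bypassed the form.

```javascript
// Added illustration for this page; not ServiceNow code and no Glide API.
// Field names, function names and sample records are hypothetical.
'use strict';

// sn_risk.active_states / sn_risk.closed_states are comma-separated strings whose
// first entry is the default state for that group. The page's default values are
// used as fallbacks when a property is empty.
function parseStateList(value, fallback) {
  const list = String(value || '').split(',').map(s => s.trim()).filter(Boolean);
  return list.length ? list : fallback;
}

function classifyState(state, activeProp, closedProp) {
  const active = parseStateList(activeProp, ['draft', 'assess', 'review', 'monitor']);
  const closed = parseStateList(closedProp, ['retired']);
  if (active.includes(state)) return { active: true, defaultState: active[0] };
  if (closed.includes(state)) return { active: false, defaultState: closed[0] };
  // A state in neither list is a configuration error, not a silently active risk.
  throw new Error(`state "${state}" is in neither active_states nor closed_states`);
}

// ALE = SLE x ARO. Negative or non-numeric input returns null rather than NaN so a
// caller cannot store a value that later scoring would treat as a valid number.
function calculateAle(sle, aro) {
  const s = Number(sle), a = Number(aro);
  if (!Number.isFinite(s) || !Number.isFinite(a) || s < 0 || a < 0) return null;
  return s * a;
}

// The four inherent/residual pairs compared by the "Validate residual fields" rule.
const RESIDUAL_PAIRS = [
  ['inherent_impact', 'residual_impact'],
  ['inherent_likelihood', 'residual_likelihood'],
  ['inherent_sle', 'residual_sle'],
  ['inherent_aro', 'residual_aro'],
];

// Server-side check: every inherent value must be >= its residual counterpart.
// Returns the list of violations; an empty list means the record is consistent.
function validateResidualFields(risk) {
  const errors = [];
  for (const [inh, res] of RESIDUAL_PAIRS) {
    const a = Number(risk[inh]), b = Number(risk[res]);
    if (!Number.isFinite(a) || !Number.isFinite(b)) {
      errors.push(`${inh}/${res}: missing or non-numeric`);
    } else if (a < b) {
      errors.push(`${res} (${b}) exceeds ${inh} (${a})`);
    }
  }
  return errors;
}

// What a before-insert/update rule would do: reject an inconsistent record, and
// otherwise derive both ALE values from the submitted SLE and ARO instead of
// trusting any ALE the client sent along with the record.
function scoreRisk(risk) {
  const errors = validateResidualFields(risk);
  if (errors.length) return { ok: false, errors };
  return {
    ok: true,
    inherentAle: calculateAle(risk.inherent_sle, risk.inherent_aro),
    residualAle: calculateAle(risk.residual_sle, risk.residual_aro),
  };
}

// Constructed sample records, not real data. TAMPERED_RISK is what a caller could
// submit by skipping the form (REST API, import set, list edit), where the
// "Validate ..." client scripts never run; it also carries a client-chosen ALE.
const GOOD_RISK = {
  inherent_impact: 4, residual_impact: 2,
  inherent_likelihood: 3, residual_likelihood: 1,
  inherent_sle: 100000, inherent_aro: 0.5,
  residual_sle: 40000, residual_aro: 0.25,
};
const TAMPERED_RISK = { ...GOOD_RISK, residual_sle: 250000, inherent_ale: 1 };

console.log(scoreRisk(GOOD_RISK));      // ok: true, inherentAle 50000, residualAle 10000
console.log(scoreRisk(TAMPERED_RISK));  // ok: false, residual_sle exceeds inherent_sle
console.log(classifyState('monitor', 'draft, assess, review, monitor', 'retired'));
```

The design point is the one the two tables make between them: the client scripts are form assistance, while the Validate residual fields and Validate inherent and residual values business rules run on every database write regardless of channel, so they are the control. Keep the comparison and the ALE arithmetic on the server, ignore any client-supplied ALE, and treat a state that appears in neither state property as a misconfiguration to surface rather than a risk to score.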