Contents Governance, Risk, and Compliance (GRC) Previous Topic Next Topic Understanding Risk Management Subscribe Log in to subscribe to topics and get notified when content changes. ... SAVE AS PDF Selected Topic Topic & Subtopics All Topics in Contents Share Understanding Risk Management The Risk Management product provides a centralized process to identify, assess, respond to, and continuously monitor Enterprise and IT risks that may negatively impact business operations. The application also provides structured workflows for the management of risk assessments, risk indicators, and risk issues. Who uses Risk Management? The complete risk process involves all areas of your organization working together. Audit committee IT steering committee Risk officers (conduct risk assessment and identify all that can go wrong in business) All levels of management (assist the risk officers with the identification of what can go wrong in their processes) Key activities for Risk Management Once key roles are identified, work together to identify the following items: Determine what level of risk the organization is willing to accept? Get risk data in place and then determine what is acceptable. Develop a risk management policy, through risk frameworks and risk statements. Develop risk assessment and response procedures. Implement controls to reduce your organization's exposure to risk. Repeat on a regular interval. Measure your risk exposure and improvements. Risk Management and the NowPlatform Because the Risk Management application is built on the Now Platform, data and evidence is provided back to Risk Management. Install Risk ManagementBefore you run Risk Management in your instance, you must download it from the ServiceNow Store.Configure Risk ManagementAdministrators in the global domain can set properties to determine how the system defines the Risk Management application.Quick start tests for GRC: Risk ManagementValidate that Risk Management still works after you make any configuration change, such as apply an upgrade or develop an application. Copy and customize these quick start tests to pass when using your instance-specific data. Establish profile scoping for risksProfile scoping is permitted in each of the GRC applications. Policy and compliance managers use profile scoping to create a system of internal controls and monitor compliance. Risk managers use profile scoping to monitor risk exposure and perform risk assessments. Dependencies are created using the dependency map and model or by creating tiers.Manage risks, risk statements, and risk frameworksThe risk library contains all risk frameworks and risk statements. Risk frameworks are used to group risk statements into manageable categories, while risk statements group the individual risks. The risk register is the central repository for all potential risks that could occur at anytime, anywhere in the organization.Manage risk assessmentsRisk assessments are surveys that gather evidence to determine risk. The assessment designer provides a single interface that users can use to create, and edit attestations, as well as change scoring parameters. The question bank offers a library of questions for various categories, so you do not have to build each questionnaire from scratch. Risks start in a Draft state then move to Assess, which sends a notification to the Assessment respondents. Manage policy exceptionsPolicy exceptions provide temporary relief for a non-compliant control. The policy exception captures the rationale, comments, and evidence to support the acceptance or rejection of a policy exception request. The control owner, the compliance manager, and the risk manager may be involved in the policy exception worklow.Manage profile and risk dependencies using the GRC WorkbenchThe GRC Workbench utilizes CMBD information to show the upstream and downstream relationships across all applications. These relationships enable consistent risk mapping and modeling across the enterprise. The GRC Workbench does not work with Legacy GRC.Manage risk indicatorsContinuous monitoring involves activities related to identifying and creating key risk and control indicators. Supporting information can be collected for those indicators through automatic data collection or manual tasks. Indicator results are then used to create issues for controls, update risk scores, and provide supporting information for audit activities and control testings.Manage risk issues and remediationIssues can be created manually to document audit observations, remediations, or to accept any problems. They are automatically generated from indicator results, attestation results, or control test effectiveness. Manage continuous monitoring for risks between Risk Management and Vulnerability ResponseContinuous monitoring for risks is a feature integration between the GRC: Risk Management and the Security Operations Vulnerability Response products, which uses indicators to quickly identify high impact vulnerabilities based on business impact. Out-of-the-box GRC: Risk Management Performance Analytics SolutionPerformance Analytics Solutions contain preconfigured dashboards. These dashboards contain actionable data visualizations that help you improve your business processes and practices. On this page Send Feedback Previous Topic Next Topic
Understanding Risk Management The Risk Management product provides a centralized process to identify, assess, respond to, and continuously monitor Enterprise and IT risks that may negatively impact business operations. The application also provides structured workflows for the management of risk assessments, risk indicators, and risk issues. Who uses Risk Management? The complete risk process involves all areas of your organization working together. Audit committee IT steering committee Risk officers (conduct risk assessment and identify all that can go wrong in business) All levels of management (assist the risk officers with the identification of what can go wrong in their processes) Key activities for Risk Management Once key roles are identified, work together to identify the following items: Determine what level of risk the organization is willing to accept? Get risk data in place and then determine what is acceptable. Develop a risk management policy, through risk frameworks and risk statements. Develop risk assessment and response procedures. Implement controls to reduce your organization's exposure to risk. Repeat on a regular interval. Measure your risk exposure and improvements. Risk Management and the NowPlatform Because the Risk Management application is built on the Now Platform, data and evidence is provided back to Risk Management. Install Risk ManagementBefore you run Risk Management in your instance, you must download it from the ServiceNow Store.Configure Risk ManagementAdministrators in the global domain can set properties to determine how the system defines the Risk Management application.Quick start tests for GRC: Risk ManagementValidate that Risk Management still works after you make any configuration change, such as apply an upgrade or develop an application. Copy and customize these quick start tests to pass when using your instance-specific data. Establish profile scoping for risksProfile scoping is permitted in each of the GRC applications. Policy and compliance managers use profile scoping to create a system of internal controls and monitor compliance. Risk managers use profile scoping to monitor risk exposure and perform risk assessments. Dependencies are created using the dependency map and model or by creating tiers.Manage risks, risk statements, and risk frameworksThe risk library contains all risk frameworks and risk statements. Risk frameworks are used to group risk statements into manageable categories, while risk statements group the individual risks. The risk register is the central repository for all potential risks that could occur at anytime, anywhere in the organization.Manage risk assessmentsRisk assessments are surveys that gather evidence to determine risk. The assessment designer provides a single interface that users can use to create, and edit attestations, as well as change scoring parameters. The question bank offers a library of questions for various categories, so you do not have to build each questionnaire from scratch. Risks start in a Draft state then move to Assess, which sends a notification to the Assessment respondents. Manage policy exceptionsPolicy exceptions provide temporary relief for a non-compliant control. The policy exception captures the rationale, comments, and evidence to support the acceptance or rejection of a policy exception request. The control owner, the compliance manager, and the risk manager may be involved in the policy exception worklow.Manage profile and risk dependencies using the GRC WorkbenchThe GRC Workbench utilizes CMBD information to show the upstream and downstream relationships across all applications. These relationships enable consistent risk mapping and modeling across the enterprise. The GRC Workbench does not work with Legacy GRC.Manage risk indicatorsContinuous monitoring involves activities related to identifying and creating key risk and control indicators. Supporting information can be collected for those indicators through automatic data collection or manual tasks. Indicator results are then used to create issues for controls, update risk scores, and provide supporting information for audit activities and control testings.Manage risk issues and remediationIssues can be created manually to document audit observations, remediations, or to accept any problems. They are automatically generated from indicator results, attestation results, or control test effectiveness. Manage continuous monitoring for risks between Risk Management and Vulnerability ResponseContinuous monitoring for risks is a feature integration between the GRC: Risk Management and the Security Operations Vulnerability Response products, which uses indicators to quickly identify high impact vulnerabilities based on business impact. Out-of-the-box GRC: Risk Management Performance Analytics SolutionPerformance Analytics Solutions contain preconfigured dashboards. These dashboards contain actionable data visualizations that help you improve your business processes and practices.
Understanding Risk Management The Risk Management product provides a centralized process to identify, assess, respond to, and continuously monitor Enterprise and IT risks that may negatively impact business operations. The application also provides structured workflows for the management of risk assessments, risk indicators, and risk issues. Who uses Risk Management? The complete risk process involves all areas of your organization working together. Audit committee IT steering committee Risk officers (conduct risk assessment and identify all that can go wrong in business) All levels of management (assist the risk officers with the identification of what can go wrong in their processes) Key activities for Risk Management Once key roles are identified, work together to identify the following items: Determine what level of risk the organization is willing to accept? Get risk data in place and then determine what is acceptable. Develop a risk management policy, through risk frameworks and risk statements. Develop risk assessment and response procedures. Implement controls to reduce your organization's exposure to risk. Repeat on a regular interval. Measure your risk exposure and improvements. Risk Management and the NowPlatform Because the Risk Management application is built on the Now Platform, data and evidence is provided back to Risk Management. Install Risk ManagementBefore you run Risk Management in your instance, you must download it from the ServiceNow Store.Configure Risk ManagementAdministrators in the global domain can set properties to determine how the system defines the Risk Management application.Quick start tests for GRC: Risk ManagementValidate that Risk Management still works after you make any configuration change, such as apply an upgrade or develop an application. Copy and customize these quick start tests to pass when using your instance-specific data. Establish profile scoping for risksProfile scoping is permitted in each of the GRC applications. Policy and compliance managers use profile scoping to create a system of internal controls and monitor compliance. Risk managers use profile scoping to monitor risk exposure and perform risk assessments. Dependencies are created using the dependency map and model or by creating tiers.Manage risks, risk statements, and risk frameworksThe risk library contains all risk frameworks and risk statements. Risk frameworks are used to group risk statements into manageable categories, while risk statements group the individual risks. The risk register is the central repository for all potential risks that could occur at anytime, anywhere in the organization.Manage risk assessmentsRisk assessments are surveys that gather evidence to determine risk. The assessment designer provides a single interface that users can use to create, and edit attestations, as well as change scoring parameters. The question bank offers a library of questions for various categories, so you do not have to build each questionnaire from scratch. Risks start in a Draft state then move to Assess, which sends a notification to the Assessment respondents. Manage policy exceptionsPolicy exceptions provide temporary relief for a non-compliant control. The policy exception captures the rationale, comments, and evidence to support the acceptance or rejection of a policy exception request. The control owner, the compliance manager, and the risk manager may be involved in the policy exception worklow.Manage profile and risk dependencies using the GRC WorkbenchThe GRC Workbench utilizes CMBD information to show the upstream and downstream relationships across all applications. These relationships enable consistent risk mapping and modeling across the enterprise. The GRC Workbench does not work with Legacy GRC.Manage risk indicatorsContinuous monitoring involves activities related to identifying and creating key risk and control indicators. Supporting information can be collected for those indicators through automatic data collection or manual tasks. Indicator results are then used to create issues for controls, update risk scores, and provide supporting information for audit activities and control testings.Manage risk issues and remediationIssues can be created manually to document audit observations, remediations, or to accept any problems. They are automatically generated from indicator results, attestation results, or control test effectiveness. Manage continuous monitoring for risks between Risk Management and Vulnerability ResponseContinuous monitoring for risks is a feature integration between the GRC: Risk Management and the Security Operations Vulnerability Response products, which uses indicators to quickly identify high impact vulnerabilities based on business impact. Out-of-the-box GRC: Risk Management Performance Analytics SolutionPerformance Analytics Solutions contain preconfigured dashboards. These dashboards contain actionable data visualizations that help you improve your business processes and practices.
