    Understanding Risk Management

    The Risk Management product provides a centralized process to identify, assess, respond to, and continuously monitor Enterprise and IT risks that may negatively impact business operations. The application also provides structured workflows for the management of risk assessments, risk indicators, and risk issues.

    Who uses Risk Management?

    The complete risk process involves all areas of your organization working together.

    • Audit committee
    • IT steering committee
    • Risk officers (conduct risk assessment and identify all that can go wrong in business)
    • All levels of management (assist the risk officers with the identification of what can go wrong in their processes)

    Key activities for Risk Management

    Once key roles are identified, work together to identify the following items:
    • Determine what level of risk the organization is willing to accept. Get risk data in place and then determine what is acceptable.
    • Develop a risk management policy, through risk frameworks and risk statements.
    • Develop risk assessment and response procedures.
    • Implement controls to reduce your organization's exposure to risk. Repeat on a regular interval.
    • Measure your risk exposure and improvements.

    Risk Management and the Now Platform

    Because the Risk Management application is built on the Now Platform, data and evidence are provided back to Risk Management.

    Set up and run Risk Management and Advanced Risk components in this order:

    1. Download Risk Management: Before you run GRC: Risk Management (com.sn_risk) in your instance, you must download it from the ServiceNow Store.
    2. Download Advanced Risk: Before you run Advanced Risk in your instance, you must download it from the ServiceNow Store.
    3. Mobile experience for GRC Risk Management: As a risk manager, use your Android or iOS mobile device to manage your work.
    4. Quick start tests for Risk Management: Validate that Risk Management still works after you make any configuration change, such as applying an upgrade or developing an application. Copy and customize these quick start tests to pass when using your instance-specific data.
    5. Manage risks, risk statements, and risk frameworks: The risk library contains all risk frameworks and risk statements. Risk frameworks are used to group risk statements into manageable categories, while risk statements group the individual risks. The risk register is the central repository for all potential risks that could occur at any time, anywhere in the organization.
    6. Manage risk events: Risk events are potential or actual financial and non-financial losses, near-misses, and gains that occur within an organization.
    7. Risk hierarchy and scoring: Starting with New York, risk managers can create hierarchies that include different types of risk (operational risk, IT risk, or strategic risk). Once the underlying risks are assessed, the risk scores are automatically rolled up across the risk statement hierarchy, providing better tactical and strategic decision-making.
    8. Manage risk assessments: Risk assessments are surveys that gather evidence to determine risk. The Risk Assessment Designer provides a single interface that users can use to create and edit attestations, as well as change scoring parameters. The question bank offers a library of questions for various categories, so you do not have to build each questionnaire from scratch. Risks start in a Draft state, then move to Assess, which sends a notification to the Assessment respondents.
    9. Manage policy exceptions and extensions: Policy exceptions and extensions provide temporary relief for a non-compliant control. The policy exception captures the rationale, comments, and evidence to support the acceptance or rejection of a policy exception request. Also, you can request an extension to an approved policy exception before the policy exception validity period. The control owner, the compliance manager, and the risk manager may be involved in the policy exception and extension workflow.
    10. Manage entity and risk dependencies using the GRC: Workbench: The GRC: Workbench utilizes CMDB information to show the upstream and downstream relationships across all applications. These relationships enable consistent risk mapping and modeling across the enterprise.
    11. Manage risk indicators: Continuous monitoring involves activities related to identifying and creating key risk and control indicators. Supporting information can be collected for those indicators through automatic data collection or manual tasks. Indicator results are then used to create issues for controls, update risk scores, and provide supporting information for audit activities and control testing.
    12. Manage risk issues and remediation: Issues can be created manually to document audit observations, remediations, or to accept any problems. They are automatically generated from indicator results, attestation results, or control test effectiveness.
    13. Manage continuous monitoring for risks between Risk Management and Vulnerability Response: Continuous monitoring for risks is a feature integration between the GRC: Risk Management and the Security Operations Vulnerability Response products, which uses indicators to quickly identify high-impact vulnerabilities based on business impact.
    14. Out-of-the-box GRC: Risk Management Performance Analytics Solution: Performance Analytics Solutions contain preconfigured dashboards. These dashboards contain actionable data visualizations that help you improve your business processes and practices.
    • Advanced risk assessment

      With Governance, Risk, and Compliance (GRC) Advanced Risk Assessment, create an integrated risk platform. This integrated platform supports various kinds of risk assessment methodologies and enables customers to integrate risk assessment as a part of their overall decision-making process.

    • Relationship between risks, risk events, and risk statement

      Relating risk events to risks and relating a risk statement to a risk is important for all organizations that use the Risk Management application.

    • Basel dashboard

      Use the Basel dashboard to share Basel reports with external regulators for Basel regulations. This dashboard is useful for banking and financial domains, where it is compulsory to share the Basel reports.

    • Performance Analytics dashboards for risk events and risk hierarchy

      Use the Performance Analytics (PA) dashboards to view the comprehensive data for risk events and risk hierarchy. Use the Analytics Hub to view data for any time period.

    • Operational Risk Management dashboard

      The Operational Risk Management dashboard enables an entity owner, with the role sn_risk.user, to view the complete risk posture for the enterprise in a single consolidated report. This dashboard makes it easy to analyze the risk posture efficiently and take necessary corrective actions to ensure that there are no losses.

    • © ServiceNow. All rights reserved.
