The Advanced Risk application manages risks effectively and efficiently on both the proactive and reactive sides of risk management. On the proactive side, use Advanced Risk Assessment to assess the organizational risk posture. On the reactive side, use Risk Events to capture operational losses, near-misses, and events with non-financial impacts so that you can learn from them and prevent similar future losses.
Advanced Risk Assessments
Use Advanced Risk Assessments to manage your organizational risk assessment needs in an integrated platform. This application helps you to do the following:
- Configure multiple types of risk assessments in a single application. Perform risk assessments top-down or bottom-up by defining assessment template criteria such as risk factors, scoring logic, rating criteria, and reporting preferences to create a truly integrated risk platform.
- Perform comprehensive risk and control assessments, including inherent assessment, assessment of mitigating controls, residual risk, and target risk rating for risks in a guided workflow.
- Connect risk silos and make risk assessments in near real-time by automating risk assessment responses.
- Reduce the barriers to risk management and make risk-driven decisions by integrating risk assessments into any record type in ServiceNow using object-based risk assessments.
- Tailor for different levels of risk maturity within the organization by determining whether a risk must be analyzed qualitatively (using a numerical scale), quantitatively, or both.
- Reduce the need to follow the software development life cycle for risk assessment template deployments.
- Configure multi-level and dynamic risk approval workflows to seamlessly digitize the risk review process and ensure that required stakeholders have provided their consent.
- Manage and schedule risk assessments at scale by scoping the entities and defining the interval of assessments using the Risk Assessment Scheduler.
- Manage a risk assessment program for a specific entity efficiently by initiating periodic assessments of risks.
- Automate reporting by aggregating risks across multi-level risk statement hierarchies or entity hierarchies, or pivot between both. You can also compare rolled-up risk scores based on various functions, such as worst case, best case, average, or overall sum.
- Use integrated reports and dashboards to analyze risk trends and monitor risk effectively.
Risk Assessment Project
- Empower assessors to perform bulk assessments on multiple risks and controls simultaneously with an intuitive and seamless user experience.
- Allow assessors to set up the context of the assessment project with a name, RAM, and other relevant information.
- Allow assessors to scope multiple risks that need to be evaluated as a part of the assessment project.
- A focused UI with the ability to seamlessly move between different stages of risk assessment without the need to switch between multiple screens.
- A clear and concise overview of assessment results with an assessment summary for quick review and effective decision-making.
- Ensure accuracy and reliability of the assessment project with an error handling and validation framework.
- Dynamic approval of the risk assessment project using the approval configurator.
Risk Appetite
Establish the amount of risk that an organization is willing to take to achieve its strategic objectives. This capability allows you to define acceptable boundaries in a digitized workflow. Key features include:
- Tailor the risk appetite framework and configure it based on unique organizational needs and maturity.
- Manage the complete risk-appetite lifecycle—including documentation of qualitative risk appetite statements, Amber and Red thresholds for qualitative rating, and loss expectancy—and link it to the risk taxonomy to ensure easy monitoring and compliance.
- Digitize the risk appetite breach management workflow to ensure subsequent actions are taken once the appetite is breached until the risk is brought back within the defined levels.
- Focus on risks that are outside appetite and require management attention with a risk appetite visual status.
Risk Identification
Collaborate and collect information from the front lines using a simple questionnaire that is easy to respond to, so that you can identify, map, and manage your risks, policies, and regulations. Key features include:
- Configure workflow stages to meet your unique organizational needs.
- Ask relevant questions for each entity in your organization by creating unique questionnaires for each.
Risk Events
Risk events are financial or non-financial losses, gains, or near-misses that occur during regular operations and have a material impact on organizational risk. This feature helps you to:
- Capture all types of risk events, such as near-misses and actual losses, with financial and non-financial impacts.
- Inject risk events from any ServiceNow application, such as Incidents or Case Management, or through a simplified user interface so that any employee can report risk events.
- Manage the complete risk event lifecycle, configure the approval rule threshold, perform a root-cause analysis, and identify remediation plans to prevent future losses.
- Associate risk events with citations, risks, and controls and use them to drive quantitative risk assessments and identify control deficiencies.
- View pre-packaged dashboards and reports that aggregate and analyze loss trends by different departments, loss types, and sources.
- View pre-packaged Basel dashboards with standard regulatory reports (for financial organizations).
- Manage external risk events with the Operational Risk data eXchange (ORX) integration support (for financial organizations).
[New]
- Implemented Entity-Based Access Control to strengthen security across key Advanced Risk Management tables: Risk Assessment, Risk Identification, Risk Assessment Project, and Risk Event.
- Delegated users can approve Risk Events, adding flexibility to the approval process.
[Changed]
- Changed the Description field type in the Factor table from plain text to translatable text to support localization and multi-language capabilities.
- Replaced scripted ACLs with the Security Attributes feature to streamline and modernize access control.
- The Date of Impact field in the Risk Event entry is now compared with the Date of Occurrence instead of the Date of Discovery for improved data accuracy.
[Fixed]
- Improved performance on Risk Workspace home pages by adding indexes to the Qualitative Rating Criteria table.
- Enhanced security by reviewing and updating ACLs across multiple tables.
- Resolved an issue where some modules were being deactivated when customized, due to a licensing bug.
- Fixed an issue with the creation of a Risk Event Entry for Non-Financial Risk Events.
- Corrected a display issue where the Due Date on Risk Response task cards showed one day earlier than the selected date.
- Addressed a mismatch in rollup values between list and form views when single currency mode is enabled.
- Fixed an issue where the Reject button was missing on Risk Events in the Awaiting Approval state.
The following applications get installed automatically when the Advanced Risk application is activated:
- GRC: Risk Management (com.sn_risk)
- GRC: Advanced Risk Assessment (com.sn_risk_assessment)
Permissions and roles:
Role required to install the app: System Admin (admin)
To upgrade the Advanced Risk application to a newer version, make sure to upgrade the Risk Management Workspace and any other installed GRC applications to the equivalent major release version. For example, Advanced Risk version 14.x is certified to work with Risk Management Workspace version 14.x and other GRC applications with version 14.x.