The Advanced Risk application manages risks effectively and efficiently on both the proactive and reactive sides of risk management. On the proactive side, use Advanced Risk Assessment to assess the organizational risk posture. On the reactive side, use Risk Events to capture operational losses, near-misses, and events with non-financial impacts, so that the organization can learn from them and prevent similar future losses.
Advanced Risk Assessments
Use Advanced Risk Assessments to manage your organizational risk assessment needs in an integrated platform. This application helps you to do the following:
- Configure multiple types of risk assessments in a single application. Perform top-down or bottom-up risk assessments by defining assessment template criteria such as risk factors, scoring logic, rating criteria, and reporting preferences to create a truly integrated risk platform.
- Perform comprehensive risk and control assessments, including inherent assessment, assessment of mitigating controls, residual risk, and target risk rating for risks in a guided workflow.
- Connect risk silos and make risk assessments in near real-time by automating risk assessment responses.
- Reduce the barriers to risk management and make risk-driven decisions by integrating risk assessments into any record type in ServiceNow using object-based risk assessments.
- Tailor for different levels of risk maturity within the organization by determining whether a risk must be analyzed qualitatively (using a numerical scale), quantitatively, or both.
- Reduce the need to follow the software development life cycle for risk assessment template deployments.
- Configure multi-level and dynamic risk approval workflows to seamlessly digitize the risk review process and ensure that required stakeholders have provided their consent.
- Manage and schedule risk assessments at scale by scoping the entities and defining the interval of assessments using the Risk Assessment Scheduler.
- Manage a risk assessment program for a specific entity efficiently by initiating periodic assessments of risks.
- Automate reporting by aggregating risks across multi-level risk statement hierarchies or entity hierarchies, or pivot between both. You can also compare rolled-up risk scores based on various functions, such as worst case, best case, average, or overall sum.
- Use integrated reports and dashboards to analyze risk trends and monitor risk effectively.
Risk Assessment Project
- Empower assessors to perform bulk assessments on multiple risks and controls simultaneously with an intuitive and seamless user experience.
- Allow assessors to set up the context of the assessment project with a name, RAM (Risk Assessment Methodology), and other relevant information.
- Allow assessors to scope multiple risks that need to be evaluated as a part of the assessment project.
- A focused UI with the ability to seamlessly move between different stages of risk assessment without the need to switch between multiple screens.
- A clear & concise overview of assessment results with an assessment summary for quick review and effective decision-making.
- Ensure accuracy and reliability of the assessment project with error handling and validation framework.
- Dynamic approval of the risk assessment project using the approval configurator.
Risk Assessment Project in Grid Mode
- A flexible, spreadsheet-style RCSA (Risk and Control Self-Assessment) built for power users to rapidly compare, edit, and prioritize risks and controls.
- The traditional RCSA suits users who prefer a focused, methodical approach, assessing one risk at a time.
- Grid mode provides fast, intuitive risk assessment with bulk editing, side-by-side comparison, and improved risk prioritization.
Risk Appetite
Establish the amount of risk that an organization is willing to take to achieve its strategic objectives. This capability allows you to define acceptable boundaries in a digitized workflow. Key features include:
- Tailor the risk appetite framework and configure it based on unique organizational needs and maturity.
- Manage the complete risk-appetite lifecycle—including documentation of qualitative risk appetite statements, Amber and Red thresholds for qualitative rating, and loss expectancy—and link it to the risk taxonomy to ensure easy monitoring and compliance.
- Digitize the risk appetite breach management workflow to ensure subsequent actions are taken once the appetite is breached until the risk is brought back within the defined levels.
- Focus on risks that are outside appetite and require management attention with a risk appetite visual status.
Risk Identification
Collaborate and collect information from the front lines using a simple, easy-to-respond-to questionnaire to identify, map, and manage your risks, policies, and regulations. Key features include:
- Configure workflow stages to meet your unique organizational needs.
- Ask relevant questions for each entity in your organization by creating unique questionnaires for each.
Risk Events
Risk events are financial or non-financial losses, gains, or near-misses that occur during regular operations and have a material impact on organizational risk. This feature helps you to:
- Capture all types of risk events, such as near-misses and actual losses, with financial and non-financial impacts.
- Create risk events from any ServiceNow application, such as Incident or Case Management, or through a simplified user interface so that any employee can report risk events.
- Manage the complete risk event lifecycle, configure the approval rule threshold, perform a root-cause analysis, and identify remediation plans to prevent future losses.
- Associate risk events with citations, risks, and controls and use them to drive quantitative risk assessments and identify control deficiencies.
- View pre-packaged dashboards and reports that aggregate and analyze loss trends by different departments, loss types, and sources.
- View pre-packaged Basel dashboards with standard regulatory reports (for financial organizations).
- Manage external risk events with the Operational Risk data eXchange (ORX) integration support (for financial organizations).
[New]
- Introduced Reporting Views for Advanced Risk Assessment to simplify report and dashboard creation. This feature consolidates risk factors, controls, issues, and responses into a single view, making reporting easier for non-technical users.
- Reporting Views are automatically generated when a Risk Assessment Methodology is published and these views can be used to create custom reports.
- Automatic creation of Reporting Views is not supported on Xanadu. For instructions on creating them manually, refer to KB2547071.
- Introduced a feature in Entity-Based Access (EBA) that allows lifecycle users to access records. You can now configure any user or user group field on the record to provide additional access beyond what is defined in the EBA configuration.
- Introduced an 'Active' flag in the GRC Choice table; updates to this flag are now reflected in the Advanced Risk application.
[Fixed]
- Resolved a security vulnerability that allowed unauthorized edits to read-only fields.
- Replaced hard-coded administrator role dependencies with granular roles to improve security and align with least privilege principles.
- Resolved an issue where the message "The residual score cannot be greater than the inherent score" was not displayed when using the 'Request for Approval' action in the Classic UI.
- Resolved an issue where sending final reminders for assessments linked to Risk Assessment Methodologies (RAMs) in Draft or Retire state could fail if the due date had passed.
- Resolved a problem where updates to risk color styles reverted to default values after an upgrade. Your customizations are now preserved.
- Resolved an issue where Risk Identification records remained in the Information Gathering state after completing the initial risk assessment. The state now correctly moves to Review as expected.
- The 'View Responses' action in the Risk Identification flow now works for users with the sn_risk.reader role. Previously, this action was not functioning for these users.
- The 'Perform Inherent Assessment' button is now displayed only in the Review state of the Risk Identification workflow when using Smart Assessment integration. Previously, it was incorrectly visible in the Information Gathering state.
- Fixed role-based access issues for reopening risk events: only users with the sn_risk_advanced.risk_event_admin role can reopen closed events, and users with the sn_risk.manager role can now reopen rejected events as intended.
- The Group Factor Comment field in Risk Assessment now retains comment text when navigating between pages. Previously, comments were lost when moving forward and then returning to a previous page.
- Currency values in the Risk Assessment workspace now display with proper delimiters. Previously, currency factors appeared without separators, making values harder to read.
- Deleting a risk associated with a risk assessment no longer creates an empty record in the sn_risk_risk table. Previously, removing a linked risk would generate a new entry with blank values.
- The 'Cancel Assessment' action in the Risk record now works as intended. Previously, users with the sn_risk.user role could see the option, but clicking it had no effect. The action is now restricted as designed: users with the sn_risk.manager role can cancel a risk assessment, and users with the sn_risk.user role can cancel it only if they are the entity owner.
- Non-admin assessors can now view updates to the qualitative score label in the Risk Assessment component. Previously, changes to the label were not visible to users without admin privileges.
- The Next Scheduled Date for Risk Assessments is now calculated accurately. Previously, it could inherit a future date from the previous assessment, depending on when the scheduled job ran.
The following applications are installed automatically when you activate the Advanced Risk application:
- GRC: Risk Management (com.sn_risk)
- GRC: Advanced Risk Assessment (com.sn_risk_assessment)
Permissions and roles:
Role required to install the app: System Admin (admin)
To upgrade the Advanced Risk application to a newer version, make sure to upgrade the Risk Management Workspace and any other installed GRC applications to the equivalent major release version. For example, Advanced Risk version 14.x is certified to work with Risk Management Workspace version 14.x and other GRC applications with version 14.x.