The Advanced Risk application manages risks effectively and efficiently on both the proactive and reactive sides of risk management. On the proactive side, use Advanced Risk Assessment to assess the organizational risk posture. On the reactive side, use Risk Events to capture operational losses, near-misses, and events with non-financial impacts so that you can learn from them and prevent similar future losses.
Advanced Risk Assessments
Use Advanced Risk Assessments to manage your organizational risk assessment needs in an integrated platform. This application helps you to do the following:
- Configure multiple types of risk assessments in a single application. Perform top-down or bottom-up risk assessments by defining assessment template criteria such as risk factors, scoring logic, rating criteria, and reporting preferences to create a truly integrated risk platform.
- Perform comprehensive risk and control assessments, including inherent assessment, assessment of mitigating controls, residual risk, and target risk rating for risks in a guided workflow.
- Connect risk silos and make risk assessments in near real-time by automating risk assessment responses.
- Reduce the barriers to risk management and make risk-driven decisions by integrating risk assessments into any record type in ServiceNow using object-based risk assessments.
- Tailor for different levels of risk maturity within the organization by determining whether a risk must be analyzed qualitatively (using a numerical scale), quantitatively, or both.
- Reduce the need to follow the software development life cycle for risk assessment template deployments.
- Configure multi-level and dynamic risk approval workflows to seamlessly digitize the risk review process and ensure that required stakeholders have provided their consent.
- Manage and schedule risk assessments at scale by scoping the entities and defining the interval of assessments using the Risk Assessment Scheduler.
- Manage a risk assessment program for a specific entity efficiently by initiating periodic assessments of risks.
- Automate reporting by aggregating risks across multi-level risk statement hierarchies or entity hierarchies, or pivot between both. You can also compare rolled-up risk scores based on various functions, such as worst case, best case, average, or overall sum.
- Use integrated reports and dashboards to analyze risk trends and monitor risk effectively.
Risk Assessment Project
- Empower assessors to perform bulk assessments on multiple risks and controls simultaneously with an intuitive and seamless user experience.
- Allow assessors to set up the context of the assessment project with a name, RAM, and other relevant information.
- Allow assessors to scope multiple risks that need to be evaluated as a part of the assessment project.
- A focused UI with the ability to seamlessly move between different stages of risk assessment without the need to switch between multiple screens.
- A clear and concise overview of assessment results with an assessment summary for quick review and effective decision-making.
- Ensure accuracy and reliability of the assessment project with an error handling and validation framework.
- Dynamic approval of the Risk Assessment Project using the approval configurator.
Risk Assessment Project in Grid Mode
- A flexible, spreadsheet-style RCSA built for power users to rapidly compare, edit, and prioritize risks and controls.
- Traditional RCSA suits users who prefer a focused, methodical approach, assessing one risk at a time.
- Provides fast, intuitive risk assessment with bulk editing, side-by-side comparison and improved risk prioritization.
Risk Appetite
Establish the amount of risk that an organization is willing to take to achieve its strategic objectives. This capability allows you to define acceptable boundaries in a digitized workflow. Key features include:
- Tailor the risk appetite framework and configure it based on unique organizational needs and maturity.
- Manage the complete risk-appetite lifecycle—including documentation of qualitative risk appetite statements, Amber and Red thresholds for qualitative rating, and loss expectancy—and link it to the risk taxonomy to ensure easy monitoring and compliance.
- Digitize the risk appetite breach management workflow to ensure subsequent actions are taken once the appetite is breached until the risk is brought back within the defined levels.
- Focus on risks that are outside appetite and require management attention with a risk appetite visual status.
Risk Identification
Collaborate and collect information from the front lines using a simple questionnaire that is easy to respond to, so that you can identify, map, and manage your risks, policies, and regulations. Key features include:
- Configure workflow stages to meet your unique organizational needs.
- Ask relevant questions for each entity in your organization by creating unique questionnaires for each.
Risk Events
Risk events are financial or non-financial losses, gains, or near-misses that occur during regular operations and have a material impact on organizational risk. This feature helps you to:
- Capture all types of risk events, such as near-misses and actual losses, with financial and non-financial impacts.
- Inject risk events from any ServiceNow application, such as Incidents, Case Management, or through a simplified user interface so that any employee can report risk events.
- Manage the complete risk event lifecycle, configure the approval rule threshold, perform a root-cause analysis, and identify remediation plans to prevent future losses.
- Associate risk events with citations, risks, and controls and use them to drive quantitative risk assessments and identify control deficiencies.
- View pre-packaged dashboards and reports that aggregate and analyze loss trends by different departments, loss types, and sources.
- View pre-packaged Basel dashboards with standard regulatory reports (for financial organizations).
- Manage external risk events with the Operational Risk data eXchange (ORX) integration support (for financial organizations).
[New]
- Standardized Query Range ACLs: All tables now include standardized query range ACLs, ensuring authenticated users with read permissions can reliably query records. New ACL rules install automatically during upgrade. Automated scripts handle detection and processing of any previously customized ACLs. Review customized query range ACLs after upgrade to confirm alignment with your access policy.
- Not Applicable Flag Configuration: A configuration option in Risk Assessment Methodology allows hiding the "Not Applicable" flag in Risk Assessments.
- Smart Assessment Template Versioning: Risk Identification now supports template versioning — modify existing templates by creating new versions instead of building from scratch. The latest published version is always used when creating assessments.
- Audit Entries for Risk Assessment Projects: Risk Assessment Projects now support audit entries for tracking changes and activity history.
- Worst Case Aggregation: A new rollup method in Risk Assessment Methodology that derives all aggregated scores from the single risk with the highest residual, ensuring rollup results reflect a real risk scenario rather than a composite across multiple risks.
[Changed]
- Email notification links for Advanced Risk records now redirect users to the appropriate workspace based on their access permissions.
- Risk Event administrators now have expanded control over the entire risk event workflow, beyond reopening risk events.
[Fixed]
- Currency locale is now respected when Risk scores roll up to Risk Statements.
- Non-breaking spaces in Guidance Text HTML no longer cause rendering issues in non-English languages.
- Risk Assessment Projects can no longer be submitted multiple times on slow networks.
- Initiation date can no longer be set to a past date in the Risk Assessment scheduler workflow.
- Smart assessment creation now works correctly for templates with a large number of questions.
- The Next button now saves values correctly in the Risk Assessment Project stakeholder section.
- Scheduler frequency no longer resets to default after request initiation.
- Notifications are now triggered for assessors when assessments are generated outside the Risk Assessment scope.
- Profile class is no longer overwritten when you customize the record.
- Original Assessor field now populates correctly after reassignment.
- Assessment ratings display accurately for scores with three decimal places.
- Duplicate numbering on out-of-box Risk Assessment Methodology records has been resolved.
- When multiple methodologies are available, the selection popup now displays all options instead of defaulting to one.
- Last Assessment Date now shows the assessment end date instead of the system updated date.
- Approval and rejection comments are now copied to the approval record for improved traceability.
The following applications are installed automatically when you activate the Advanced Risk application:
- GRC: Risk Management (com.sn_risk)
- GRC: Advanced Risk Assessment (com.sn_risk_assessment)
Permissions and roles:
Role required to install the app: System Admin (admin)
To upgrade the Advanced Risk application to a newer version, make sure to upgrade the Risk Management Workspace and any other installed GRC applications to the equivalent major release version. For example, Advanced Risk version 14.x is certified to work with Risk Management Workspace version 14.x and other GRC applications with version 14.x.