Manage risks linked to the same risk statement

  • Release version: Yokohama
  • Updated January 30, 2025

    You can create multiple risks and associate them with the same risk statement and entity combination. This association benefits both risk managers and entity owners.

    Before the latest release, users could associate only one risk with a single entity and risk statement combination. This ability was useful for customers who have a mature risk program with a well-defined and standardized risk taxonomy. However, it did not meet the requirements of customers who do not have a standardized risk taxonomy. Such customers usually have only two or three levels of risk statement hierarchy, while their actual risks are still local to each business unit or line of business. Also, when the first line identifies new risks, it associates those risks with an enterprise risk hierarchy. This allows the new risk scores to aggregate and impact the overall risk hierarchy.

    With the current release, a new option called Inherit from risk statement is introduced on the Risk form. If this option is selected, risk creation happens in the previous manner. This means that there can be only one instance of a risk statement and entity combination.

    However, if this option is not selected, the system allows the risk statement hierarchy to be used as a categorization and sub-categorization hierarchy and associates multiple risks with the same risk statement and entity combination. This option also enables the first line to associate its newly identified risks with the risk hierarchy at whatever level it wants. When this new option is not selected, the system assumes that the name and description of the risk are overridden and must not be the same as the risk statement name and description.

    This feature benefits risk managers because it allows them to define the risk taxonomy according to the needs of their organization. It also benefits entity owners, who can identify risks for their entity and link them to the enterprise risk taxonomy.

    To understand this feature, see the following image and consider the example. Most customers have risk statements defined down to Corruption. Anything lower than Corruption, such as accepting a bribe, is defined as a risk because it is difficult to harmonize these risks across the organization. Linking multiple risks to the same risk statement and entity enables customers to prevent the creation of orphan risks with no one acting on them.
    Figure 1. New risk statement hierarchy
    Risk statement and risk creation hierarchy