Manage issues
Summary of Manage Issues
Managing issues effectively is crucial for measuring and improving your company’s risk management program. Issues can be reported either by employees and business users through the ServiceNow® Service Portal or directly by GRC users within their instance. This allows for timely identification and response to risk and compliance issues, helping maintain control and mitigate risk.
Issue Submission and Types
- Employee and Business User Submission: Users can self-identify and submit issues via the Service Portal, which automatically creates a triage issue to initiate the triage process.
- GRC User Submission: GRC users manually create issues to document audit observations, remediations, and compliance or risk concerns.
- Automatically Generated Issues: Control issues are created when control attestations indicate non-implementation or failure, and control test issues are generated when control tests are closed as ineffective.
Goals of Issue Management
- Eliminate noise by reducing duplicate issues.
- Focus on issues that pose the greatest risk exposure.
- Identify and prioritize remediation actions effectively.
- Detect new issues across business operations.
- Analyze weaknesses in policies, processes, and controls.
Issue Management Workflow and Life Cycle
Remediation of issues ensures that controls remain compliant and risks are mitigated through a structured workflow:
- Issue Intake: Issues are submitted via the Service Portal or directly by GRC users. Triage issues are automatically created when submitted through the portal.
- Investigation: The triage team analyzes the issue, may request additional information, and decides if further action is required. Issues can be escalated to compliance or risk managers as needed.
- Remediation: Confirmed issues are remediated. Triage issues may be converted into formal issues or risk events, tracked as recommendations, or closed if deemed non-issues.
- Review and Monitoring: Before closure, issues require review and approval by the policy owner. This step helps track overdue tasks, benchmark timelines, identify potential loss mitigation points, and reduce future gaps.
Managing Issues in the Workspace
Issues can be tracked individually or collectively within the ServiceNow Workspace, providing a centralized list view for efficient management. Grouping related issues within the workspace helps organize workflows, streamline processes, and save time by handling similar issues together.
You can measure the effectiveness of your company's risk management program by how quickly and completely it identifies and reacts to risk and compliance issues.
- Employees and business users within your company can self-identify an issue and submit it via the ServiceNow® Service Portal. Following submission, a triage issue is automatically created and the issue triage process begins.
- GRC users can manually create an issue from within their instance to document audit observations and remediations, and compliance and risk issues.
- Control issue: Created when a control attestation is completed, indicating that the control is not implemented, or when an indicator fails.
- Control test issue: Created when a control test is closed complete with the control effectiveness set to Ineffective.
Goals of issue management
The goals of issue management include:
- Eliminating noise.
- Consolidating duplicate issues.
- Focusing on issues that expose the organization to the greatest risk.
- Identifying and prioritizing remediation actions.
- Identifying new issues across the business operations.
- Analyzing operational weakness in policies, processes, and controls.
Issue management workflow and life cycle
By remediating issues, controls can be kept compliant, and risk can be mitigated. The Issue Management workflow and life cycle are illustrated and described here.

| Stage | Description |
|---|---|
| Issue intake | As described earlier, issues can be submitted using two methods, depending on the type of user involved: |
| Investigate the issue | During the investigation phase, it is determined whether the issue requires additional study. If a triage is being performed, the triage issue is assigned to a triage team for analysis. The triage team may request more information from the issue creator. The team can also optionally send the issue to the compliance manager, risk manager, or triage manager with a triage result. |
| Remediate the issue | After the team has confirmed the issue, the necessary steps to remediate it are performed. If a triage was performed, the triage issue is converted into an actual issue or risk event. The team may also decide to track the issue as a recommendation or close it as a non-issue. |
| Review and monitor the issue | Prior to closing the issue, the policy owner reviews and approves it. The review also allows the organization to: |