This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of Risk Workspace for the operational risk manager
Operational risk managers oversee risks arising from people, processes, systems, or external events that may cause financial or reputational losses.These risks range from minor errors to severe threats like fraud-induced bankruptcy.The role focuses on managing an organization's risk posture by establishing a structured risk management framework and continuously monitoring risks and controls.
Show full answerShow less
Key Responsibilities
Define the Operational Risk Framework: Develop a comprehensive framework encompassing risk identification, measurement/scoring, mitigation, and ongoing reporting and monitoring.
Set Up Libraries: Create standardized risk statements to ensure consistent understanding of risks, define control objectives for mitigating risks, and organize entities and their relationships within the risk structure.
Conduct Periodic Risk Assessments: Schedule and perform annual risk assessments, maintain an accurate risk register, and scope assessments to align with organizational policies.
Record and Monitor Risk Events: Capture and analyze risk events—including losses, near misses, and gains—to identify improvement areas and recommend additional controls.
Define and Monitor Key Risk Indicators (KRIs): Establish KRIs and control indicators to enable continuous risk posture monitoring, trigger alerts when thresholds are breached, and support audit and control testing activities.
Manage Issues and Incidents: Track environmental or process changes posing threats (issues) and negative-impact events (incidents), ensuring their remediation, closure, and monitoring.
Communicate Risk Posture: Create dashboards and reports for executives and risk teams to visualize aggregated risk data and highlight top operational risks.
Practical Use and Benefits for ServiceNow Customers
Using the Risk Workspace, operational risk managers can systematically identify and mitigate operational risks through a centralized platform that supports:
Standardized risk documentation and control mapping.
Automated risk assessments aligned with organizational frameworks.
Comprehensive tracking and analysis of risk events and incidents.
Real-time monitoring of risk indicators to proactively manage emerging risks.
Effective communication of risk posture via customizable dashboards and reports.
This structured approach helps ServiceNow customers maintain an accurate and actionable understanding of their operational risks, enabling timely interventions to reduce losses and improve organizational resilience.
Operational risk managers manage operational risks such as losses due to errors,
breaches, or damages that are caused by people, internal processes, systems, or external events.
Operational risks range from the small, such as the risk of loss due to minor human errors, to the
large, such as the risk of bankruptcy due to serious fraud.
Operational risk manager
Operational risk managers are a part of the operational risk team that manages the risk
posture of the organization. Risk posture is the current risk profile for a company. As an
operational risk manager, you must perform the following tasks.
Define the operational risk framework
Effectively manage the operational risks of an organization by defining a robust risk
management framework. This framework helps to identify risks and to define the control
framework to mitigate those risks. A risk management framework consists of the following
components:
Risk identification
Risk measurement or scoring
Risk mitigation
Risk reporting and monitoring
Set up libraries
Set up comprehensive libraries by doing the following:
Creating risk statements: A risk statement is used to record a risk in a way that
everyone can reach a common agreement on its severity or relative priority.
Creating control objectives: A control objective defines the aim or purpose of
risk-mitigating controls. These controls need continuous monitoring.
Defining entity classes, entity types, and entities: For more information on entities,
see Understanding entities.
Defining the upstream and downstream entities.
The first step is to set up risk statements so that your team has a specific idea of the
risk. For example, simply calling a risk as a cybersecurity risk is not specific.
Cybersecurity risks could mean different things to different people. Therefore, a common
statement to define cybersecurity is created as a risk statement. To create risk statements
and their hierarchy, clearly define the risk impact, the assets at risk, and the source of
risk. By defining the risk statements and creating their hierarchy, you can ensure that the
risk scores are aggregated thus giving the complete risk status.
Conduct risk assessments on a periodic basis
Perform the annual risk assessments according to your organization's policies. Also,
ensure that the risk register is updated and accurate. Create risk assessment scopes and
schedule assessments. To learn more about risk registers, see Risk register in the Risk Workspace.
Record and monitor risk events
Risk events are potential or actual financial and non-financial losses, near misses, and
gains that occur within an organization. To effectively manage risks, it is essential to
monitor risk events, perform a root-cause analysis, and track the remedial tasks.
Organizations use risk events to understand their losses and analyze areas of improvement to
reduce further losses. You must maintain the loss event register to capture complete event
information and to suggest additional controls to mitigate risks in the future.
Define key risk indicators
Monitor the risk posture of your enterprise on a continuous basis. Continuous monitoring
of risks and controls involves identifying and creating key risk and control indicators.
Supporting information can be collected for those indicators through automatic data
collection or manual tasks. Indicator results are then used to create issues for controls,
signal a change in the risk posture, and to provide supporting information for audit
activities and control testing. If the indicator thresholds are breached, you must escalate
to the respective stakeholders.
Manage issues and incidents
An issue is created when there is a change in the environment, process, or system that
poses a threat. An issue requires action to prevent an incident or loss. An incident is a
successful outcome or event with a negative impact. As the operational risk manager, you can
view, create, and manage issues and incidents. Ensure tracking, proper closure, remediation,
and monitoring of issues and incidents.
Communicate the operational risk posture
Define dashboards to report data effectively and accurately. You must create the required
reports which can be shared with the executives and the head of the operational risk team.
The reports and dashboards ensure that the aggregated assessment results across the
organization help to identify the top operational risks for the enterprise.
The following table lists the key tasks that you perform in your role as an operational risk
manager.
