Risk and Compliance Dashboard reports and solutions

Release version: Xanadu

Updated August 1, 2024

5 minutes to read

Summarize

Summarized using AI

Summary of Risk and Compliance Dashboard reports and solutions

The Risk and Compliance Dashboard in ServiceNow offers a centralized platform for analyzing compliance and risk data from various GRC applications. It is designed for Chief Information Security Officers (CISOs) to assess the organization’s risk posture and compliance status effectively. Access to reports is contingent upon the installation of corresponding workspaces.

Show full answer Show less

Key Features

Unified Dashboard: Consolidates data from the ServiceNow GRC suite to provide comprehensive insights.
Role-Based Access: Specific roles are required for different types of reports:
- Compliance: sngrcdashboards.grccisouser, snbod.ciso
- Risk: sngrcdashboards.grccisouser, snbod.ciso
- Business Continuity: snbcm.viewer, snbod.ciso
- Third-party Risk: snvdrriskasmt.vendorassessmentreviewer, snbod.ciso
- Privacy: snprivacy.analyst, snbod.ciso
- Audit: snauditws.auditor, snbod.ciso
Indicators: Key indicators include compliance percentage, compliant controls, and privacy compliance posture to track performance effectively.
Detailed Reports: Various tabs such as Overview, Compliance, Risk, Privacy, Entity, and Audit provide insights into compliance posture, risk ratings, authority documents, and audit engagements.

Key Outcomes

Using the Risk and Compliance Dashboard, organizations can:

Quickly assess compliance and risk status through visual indicators and detailed reports.
Identify and prioritize high-risk issues and overdue tasks to enhance compliance management.
Gain insights into third-party risks, privacy compliance, and audit engagements to ensure thorough oversight of risk management processes.

The Risk and Compliance dashboard is a unified dashboard that provides a comprehensive analytical data of reports available from the major GRC applications for the chief information security officer to understand the compliance and risk posture of the organization. The dashboard consolidates data from various products within the ServiceNow GRC suite of applications.

Note:

All reports are available only when the corresponding workspaces are installed.

Video showing the reports available in the different tabs of the Risk and compliance dashboard. — Figure 1. Risk and compliance dashboard

Required ServiceNow AI Platform roles

For Compliance related reports: User must have sn_grc_dashboards.grc_ciso_user role and sn_bod.ciso role.
For Risk related reports: User must have sn_grc_dashboards.grc_ciso_user role and sn_bod.ciso role.
For Business Continuity Management related reports: User must have sn_bcm.viewer role and sn_bod.ciso role.
For Third-party risk related reports: User must have sn_vdr_risk_asmt.vendor_assessment_reviewer role and sn_bod.ciso role.
For Privacy related reports: User must have sn_privacy.analyst role and sn_bod.ciso role.
For Audit related reports: User must have sn_audit_ws.auditor role and sn_bod.ciso role.

Access the Risk and Compliance Dashboard

To open the dashboard, navigate to All > Cybersecurity Executive Dashboard > Cybersecurity Executive Dashboard.

Indicators

Compliance posture

Compliance percentage: Formula indicator that depicts compliance posture.
All Controls: Automated indicator that supports the formula indicator.
Compliant Controls: Automated indicator that supports the formula indicator.

Privacy compliance posture

PA indicator: Processing activity compliance score percentage.

Breakdowns

Functional Domain.

Reports

Note:

All reports are available only when the corresponding workspaces are installed.

Table 1. Overview tab
Title	Type	Source table	Description
Compliance posture	Line chart	Control [sn_compliance_control]	Provides cybersecurity and risk, and IT risk and compliance posture based on data analysis to the compliance managers.
Risk posture	Donut chart	The source tables are as follows: Risk [sn_risk_risk] Detailed aggregated risk [sn_risk_advanced_risk_assessment_result] (When the Advanced Risk application is installed and Advanced Risk Assessment is enabled	Provides the risk count based on the risk ratings.
Ongoing crisis events	Single Score	Recovery event [sn_recovery_event] where event type is actual	Displays the total number of ongoing crisis events that are neither approved nor closed.
Assets by recovery status	Donut chart	Assets [sn_recovery_event_asset]	Provides the total number of assets for ongoing crisis events grouped by their recovery status, including assets that have been recovered and those that have not.
Recovery tasks by status	Donut chart	Recovery tasks [sn_recovery_event_task]	Provides the status of recovery tasks in various states for ongoing crisis events.

Table 2. Compliance overview tab
Title	Type	Source table	Description
Authority documents	Donut chart	Authority Document [sn_compliance_authority_document]	Provides data of compliant and non-compliant authority documents in the chart. The list provides details of the authority documents, their individual compliance score in percentage, count of high priority issues and high risk exceptions on the authority documents, and the count of compliant cases.
Policies	Donut chart	Policy [sn_compliance_policy]	Provides the count of compliant and non-compliant policies in the chart. The list provides details of the policies, their individual compliance score in percentage, count of high priority issues and risk exceptions raised on each policy, and the count of compliant cases.

Table 3. Risk overview tab
Title	Type	Source table	Description
Risk posture	Donut chart	The source tables are as follows: Risk [sn_risk_risk] Detailed aggregated risk [sn_risk_advanced_risk_assessment_result] (When the Advanced Risk application is installed and Advanced Risk Assessment is enabled)	Provides the risk count based on the risk ratings.
Risk posture	List	GRC Content Status [sn_grc_content_reports]	Provides the risk rating for each organizational risk to understand the overall risk assessment results. These ratings help organizations understand the potential impact and likelihood of various risks, enabling them to prioritize and manage these risks. The Risk posture card also highlights the following information for each risk: Risk appetite: Risk appetite value defined. High priority issues: The number of issues with priority is defined as High. Overdue risk response tasks: Number of overdue risk response tasks. KRI Breach %: Percentage of Key Risk Indicators (KRIs) that have exceeded their predefined thresholds or limits.
Third-party risk posture	Donut chart	Third-party risks [sn_grc_dashboards_third_party_risk]	Provides the risk rating for each third party. The risk rating is the overall assessment rating that considers the scores and ratings from all assessments conducted for a third party or vendor. The Third-party risk posture card also highlights the following information for each third party or vendor: Risk criteria: Group of risk domains (sometimes called risk areas in other platform features) that applies to a particular type of third party. Risk tier: Value determined based on the responses collected after an inherent risk assessment (IRQ) is completed. Risk intelligence rating: Aggregate of all the scores collected from Risk intelligence providers. Overdue risk response tasks: Number of overdue risk response tasks.

Table 4. Privacy overview tab
Title	Type	Source table	Description
Privacy compliance posture	Line	PA indicator: Processing activity compliance score percentage [pa_indicators]	Provides the compliance posture by month and is plotted by referring to the overall compliance score across all the processing activities.
Overdue high priority issues	Single score	Issues [sn_grc_issue]	Provides a focused overview of all overdue high-priority privacy-related issues, enabling quick identification and resolution of critical tasks to ensure compliance and data protection.
Privacy risk heatmap	Heatmap	Risk assessment methodology [sn_risk_advanced_risk_assessment_methodology]	Provides the privacy risk assessment data in the form of a heatmap. Privacy risk assessments are detailed assessments that are conducted if the criticality score is high. Assess each risk that is associated with the processing activity and know the aggregated risk score on the processing activity. After you assess the privacy risks, you can view the privacy risk posture on the risk heatmap.

Table 5. Entity overview tab
Title	Type	Source table	Description
Entities	List	Entity compliance status [sn_compliance_entities_reports]	Provides the summary of risks directly associated with the entity that contribute to the overall risk rating of the entity. The list also displays the compliance score of entities, and high priority issues and risk exceptions that are raised as a result of the non-compliant controls associated with the entity.

Table 6. Audit overview tab
Title	Type	Source table	Description
Open and upcoming audit engagements	List	Engagement [sn_audit_engagement]	Provides a list of open and upcoming audit engagements. The list also provides details of the engagement lead for each authority document, each engagement's planned start and end dates, high-priority issues, percentage of fieldwork that is completed, and the milestones in progress.

Filters


Name	Type	Description
Risk criteria	Report	Depending on which risk criterias you select, the donut chart and list shows the third parties or vendors that are in those risk areas.