This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of Risk Workspace for the operational risk manager
The Risk Workspace for the operational risk manager in ServiceNow Yokohama release enables operational risk managers to effectively manage risks arising from people, processes, systems, or external events.These risks can range from minor errors to major incidents like fraud that threaten organizational stability.Operational risk managers are responsible for defining risk management frameworks, conducting assessments, monitoring risk events, and communicating the organization's risk posture.
Show full answerShow less
Key Responsibilities and Capabilities
Define the Operational Risk Framework: Establish a comprehensive framework including risk identification, measurement, mitigation, and reporting to manage operational risks systematically.
Set up Libraries: Create standardized risk statements to clarify risk severity and priority, define control objectives for risk mitigation, and organize entities and their relationships for accurate risk aggregation.
Conduct Risk Assessments: Schedule and perform annual and periodic risk assessments to keep risk registers up to date and aligned with organizational policies.
Record and Monitor Risk Events: Maintain a loss event register to capture financial and non-financial losses or near misses, perform root cause analyses, and track remediation efforts to reduce future risks.
Define Key Risk Indicators (KRIs): Continuously monitor the risk posture using KRIs and control indicators, automate data collection where possible, and escalate threshold breaches to stakeholders.
Manage Issues and Incidents: Track and manage changes or threats (issues) and actual negative events (incidents) ensuring proper closure and remediation.
Communicate Risk Posture: Use dashboards and reports to provide executives and risk teams with aggregated risk data, highlighting top operational risks and facilitating informed decision-making.
Practical Benefits for ServiceNow Customers
By leveraging the Risk Workspace, operational risk managers can maintain a clear, structured approach to identifying, assessing, and mitigating operational risks. The platform supports standardized risk documentation, continuous monitoring through KRIs, and comprehensive reporting. This ensures proactive risk management, regulatory compliance, and enhanced organizational resilience.
Key Features Summary
Risk framework creation and association of risk statements with control objectives.
Comprehensive libraries for risk statements, control objectives, and entity definitions.
Scheduling and executing advanced risk assessments.
Risk event capture and analysis with loss event registers.
Automated and manual monitoring of risk and control indicators.
Issue and incident management capabilities.
Customizable dashboards and reports to communicate risk posture effectively.
Operational risk managers manage operational risks such as losses due to errors,
breaches, or damages that are caused by people, internal processes, systems, or external events.
Operational risks range from the small, such as the risk of loss due to minor human errors, to the
large, such as the risk of bankruptcy due to serious fraud.
Operational risk manager
Operational risk managers are a part of the operational risk team that manages the risk
posture of the organization. Risk posture is the current risk profile for a company. As an
operational risk manager, you must perform the following tasks.
Define the operational risk framework
Effectively manage the operational risks of an organization by defining a robust risk
management framework. This framework helps to identify risks and to define the control
framework to mitigate those risks. A risk management framework consists of the following
components:
Risk identification
Risk measurement or scoring
Risk mitigation
Risk reporting and monitoring
Set up libraries
Set up comprehensive libraries by doing the following:
Creating risk statements: A risk statement is used to record a risk in a way that
everyone can reach a common agreement on its severity or relative priority.
Creating control objectives: A control objective defines the aim or purpose of
risk-mitigating controls. These controls need continuous monitoring.
Defining entity classes, entity types, and entities: For more information on entities,
see Understanding entities.
Defining the upstream and downstream entities.
The first step is to set up risk statements so that your team has a specific idea of the
risk. For example, simply calling a risk as a cybersecurity risk is not specific.
Cybersecurity risks could mean different things to different people. Therefore, a common
statement to define cybersecurity is created as a risk statement. To create risk statements
and their hierarchy, clearly define the risk impact, the assets at risk, and the source of
risk. By defining the risk statements and creating their hierarchy, you can ensure that the
risk scores are aggregated thus giving the complete risk status.
Conduct risk assessments on a periodic basis
Perform the annual risk assessments according to your organization's policies. Also,
ensure that the risk register is updated and accurate. Create risk assessment scopes and
schedule assessments. To learn more about risk registers, see Risk register in the Risk Workspace.
Record and monitor risk events
Risk events are potential or actual financial and non-financial losses, near misses, and
gains that occur within an organization. To effectively manage risks, it is essential to
monitor risk events, perform a root-cause analysis, and track the remedial tasks.
Organizations use risk events to understand their losses and analyze areas of improvement to
reduce further losses. You must maintain the loss event register to capture complete event
information and to suggest additional controls to mitigate risks in the future.
Define key risk indicators
Monitor the risk posture of your enterprise on a continuous basis. Continuous monitoring
of risks and controls involves identifying and creating key risk and control indicators.
Supporting information can be collected for those indicators through automatic data
collection or manual tasks. Indicator results are then used to create issues for controls,
signal a change in the risk posture, and to provide supporting information for audit
activities and control testing. If the indicator thresholds are breached, you must escalate
to the respective stakeholders.
Manage issues and incidents
An issue is created when there is a change in the environment, process, or system that
poses a threat. An issue requires action to prevent an incident or loss. An incident is a
successful outcome or event with a negative impact. As the operational risk manager, you can
view, create, and manage issues and incidents. Ensure tracking, proper closure, remediation,
and monitoring of issues and incidents.
Communicate the operational risk posture
Define dashboards to report data effectively and accurately. You must create the required
reports which can be shared with the executives and the head of the operational risk team.
The reports and dashboards ensure that the aggregated assessment results across the
organization help to identify the top operational risks for the enterprise.
The following table lists the key tasks that you perform in your role as an operational risk
manager.
