100% found this document useful (2 votes)

4K views230 pages

ServiceNow Governance Risk Compliance (PDFDrive)

grc servicenow

Uploaded by

uday madaan

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (2 votes)

4K views230 pages

ServiceNow Governance Risk Compliance (PDFDrive)

grc servicenow

Uploaded by

uday madaan

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

08/10/2018

Jakarta ServiceNow Governance Risk Compliance

Jakarta ServiceNow Contents

Contents

Governance, Risk, and Compliance (GRC)............................................................................................... 4

Policy and Compliance Management.........................................................................................................8

Understanding Policy and Compliance Management......................................................................... 8
Activate Policy and Compliance Management....................................................................... 10
Configure Policy and Compliance Management.................................................................... 18
Establish profile scoping for policies and controls................................................................. 18
Manage policy statements and policies................................................................................. 30
Use UCF Common Controls Hub to manage compliance frameworks.................................. 44
Manage controls..................................................................................................................... 57
Manage control attestations................................................................................................... 64
Manage control indicators...................................................................................................... 68
Monitor controls using GRC Performance Analytics Indicators..............................................73
Manage compliance issues and remediation......................................................................... 76

Risk Management.......................................................................................................................................78
Understanding Risk Management..................................................................................................... 79
Activate Risk Management.....................................................................................................80
Configure Risk Management.................................................................................................. 91
Establish profile scoping for risks...........................................................................................93
Manage risks, risk statements, and risk frameworks........................................................... 105
Manage profile and risk dependencies using the GRC Workbench.....................................120
Manage risk indicators..........................................................................................................129
Manage risk issues and remediation................................................................................... 136

Audit Management................................................................................................................................... 138

Understanding Audit Management..................................................................................................139
Activate Audit Management..................................................................................................140
Create an audit report template........................................................................................... 148
Establish profile types, profile classes, and profiles.............................................................149
Manage test templates and test plans................................................................................. 157
Manage engagements.......................................................................................................... 159
Manage GRC key risk and control indicators...................................................................... 172
Manage audit issues and remediation................................................................................. 177

Vendor Risk Management....................................................................................................................... 179

Understanding Vendor Risk Management...................................................................................... 180
Vendor Risk Management workflow.....................................................................................180
Activate Vendor Risk Management...................................................................................... 180
Update vendor information................................................................................................... 191
Vendor risk ratings and scoring calculations........................................................................192
Manage vendor risk assessments........................................................................................206
Index.......................................................................................................................................................... 228

© 2018 ServiceNow. All rights reserved. iii

Jakarta ServiceNow Governance, Risk, and Compliance (GRC)

Governance, Risk, and Compliance (GRC)

Governance, Risk, and Compliance (GRC) is the methodology created to manage the strict and
complex regulatory and industry requirements across corporate environments. The ServiceNow® GRC
suite contains four main applications: Policy and Compliance Management, Risk Management, Audit
Management, and Vendor Risk Management.

Who uses GRC?

The complete GRC process involves all areas of your organization working together.
• Board of directors
• Audit committee
• IT steering committee
• Compliance officer
• Risk officers (conduct risk assessment and identify all that can go wrong in business)
• All levels of management (assist the risk officers with the identification of what can go wrong in their
processes)
• Audit committee
• Auditors (an independent body, typically reporting to the board of directors)

© 2018 ServiceNow. All rights reserved. 4

Jakarta ServiceNow Governance, Risk, and Compliance (GRC)

GRC and the Now Platform

Because the GRC application is built on the Now Platform, data and evidence is provided back to GRC
allowing you:
• full access to all asset, configuration, and IT data within the instance
• automatic evidence and data collection to see if controls are working
• access to source data from real-time reporting
• centralized access and management for all authoritative sources, policies, and controls
• full work flow integration and business process support integrating controls directly into your business
processes
• document management and knowledge base can be used to support Policy Management and control
test instructions
• secure integration to gather evidence and report on controls outside of the instance

© 2018 ServiceNow. All rights reserved. 5

Jakarta ServiceNow Governance, Risk, and Compliance (GRC)

Applications and integrations supporting GRC workflow

The following applications and integrations work together with other GRC applications or ServiceNow®
applications to maximize your GRC workflow.

Table 1: GRC integration plugins

Plugin Name Can the plugin be Is there demo data? What application is this
activated by a user with plugin used with?
the admin role?

GRC: Vendor Yes No • GRC: Policy

Risk Management and Compliance
(com.sn_vdr_risk_asmt) Management
(com.sn_compliance)
• GRC: Risk
Management

GRC: Compliance UCF Yes No • GRC: Policy

(com.sn_comp_ucf) and Compliance
Management
(com.sn_compliance)

GRC: Performance Yes No • GRC: Policy

Analytics Integration and Compliance
(com.sn_grc_pa) Management
(com.sn_compliance)
• GRC: Risk
Management

GRC: SIG Yes No • GRC: Vendor

Questionnaire Risk Management
Integration (com.sn_vdr_risk_asmt)
(com.sn_sig_asmt)

GRC terminology

The following terms are used within GRC applications.

Term Definition Additional information

Authority The regulations, certifications, Related to controls, risks, policies. IT

documents frameworks, standards that an audits typically rely on the authority
organization chooses or is required for documents downloaded from Network
compliance with regulations. Frontiers, Unified Compliance
Framework.
Citations Citations are records with the specific The citation record relates authority
requirements cited by an authority documents to its applicable control.
document.

© 2018 ServiceNow. All rights reserved. 6

Jakarta ServiceNow Governance, Risk, and Compliance (GRC)

Term Definition Additional information

Policies Policies include policies, standards, Policies are related to authoritative

and procedures. documents and control records.
Publishing and version control of
policies are managed using document
and knowledge management
capabilities from the Now Platform.
Custom workflows ensure all policy
changes are routed to the appropriate
work owners for final approval. All
approved organizational policies are
published in the knowledge base.
Risks A risk is any threat or vulnerability Risks can be related to any item,
that could adversely affect your policy, control, and remediation task.
organization’s business objectives. Risks requiring immediate or ongoing
All risks are contained in one risk attention can be mitigated, prevented,
repository. or controlled using the defined controls
and related control tests.
Controls Controls are the actual control Controls can be related to authoritative
activities performed by your source contents, policies, and risks.
organization. These control records
include the basic required information
about the control (owner, activity,
frequency, etc.)
Control framework The control framework is a single
consolidated set of controls which
perform and preserve the cross
mapping of controls that are critical for
audits.
Audit An audit is a coordinated event where Audits are related to controls and
the organization identifies all of the control tests.
controls that they want to test at one
time and assigns responsibility of the
overall audit to a single person. A
single task manages the testing of all
the controls.
Audit Activities An audit activity is one of the tasks
within an audit that is assigned to an
individual for execution of the audit.
Audit Audit observations are used by Audit observations are related to
Observations internal auditors for identifying control control gaps and risks.
gaps or identifying new risks.
Remediation Remediation tasks are automatically Remediations are related to controls,
created when a control test fails or control test failures, and control test
when audit observations are noted. instances.
Remediation tasks include information
about the control test instance and
is typically assigned to a remediation
group or to the control owner.

© 2018 ServiceNow. All rights reserved. 7

Jakarta ServiceNow Policy and Compliance Management

Policy and Compliance Management

The ServiceNow® Policy and Compliance Management product provides a centralized process for
creating and managing policies, standards, and internal control procedures that are cross-mapped to
external regulations and best practices. Additionally, the application provides structured workflows for the
identification, assessment, and continuous monitoring of control activities.
The GRC: Policy and Compliance Management (com.sn_compliance) plugin is available as a separate
subscription and requires activation.

Explore Set up Administer

• Governance, Risk, and • Activate Policy and • Configure Policy and
Compliance release notes Compliance Management on Compliance Management on
page 10 page 18
• Configure Policy and • Manage GRC key risk and
Compliance Management on control indicators on page
page 18 172

Use Develop Integrate

• What is GRC dependency • Developer training • Use UCF Common Controls
modeling and mapping? on • Developer documentation Hub to manage compliance
page 23 • Components installed with frameworks on page 44
• Attestation designer on page Policy and Compliance • Monitor controls using GRC
65 Management on page 11 Performance Analytics
• Upgrade to Jakarta Indicators on page 73

Troubleshoot and get help

• Ask or answer questions in the
GRC community
• Search the HI Knowledge
Base for known error articles
• Contact ServiceNow Support

Understanding Policy and Compliance Management

What is Policy and Compliance Management

Policy and Compliance Management centralizes the following activities:
• Establish controls and controls owners
• Define control tests and expected results
• Establish test and control frequencies
• Identify risks: impact and likelihood

© 2018 ServiceNow. All rights reserved. 8

Jakarta ServiceNow Policy and Compliance Management

• Prepare attestations
• Map authoritative sources to policies, procedures, controls, and risks

Who uses Policy and Compliance Management?

Policy and Compliance activities involve all levels of management. A key function of good governance
involves the establishment of a strong organization structure.
• Board of directors
• IT steering committee
• Audit committee
• All levels of management

© 2018 ServiceNow. All rights reserved. 9

Jakarta ServiceNow Policy and Compliance Management

Policy and Compliance Management and the Now Platform

Activate Policy and Compliance Management

The GRC: Policy and Compliance Management (com.sn_compliance) plugin is available as a separate
subscription.
Role required: admin
This plugin includes demo data and activates related plugins if they are not already active.
1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.
If the plugin depends on other plugins, these plugins are listed along with their activation status.

© 2018 ServiceNow. All rights reserved. 10

Jakarta ServiceNow Policy and Compliance Management

If the plugin has optional features that depend on other plugins, those plugins are listed under Some
files will not be loaded because these plugins are inactive. The optional features are not installed
until the listed plugins are installed (before or after the installation of the current plugin).
4. Optional: If available, select the Load demo data check box.
Some plugins include demo data—Sample records that are designed to illustrate plugin features for
common use cases. Loading demo data is a good practice when you first activate the plugin on a
development or test instance.
You can also load demo data after the plugin is activated by clicking the Load Demo Data Only
related link on the System Plugin form.
5. Click Activate.

To use the UCF import application, activate the UCF Import (com.sn_comp_ucf) plugin.

Components installed with Policy and Compliance Management

Activating the Policy and Compliance Management (com.sn_compliance) plugin adds or modifies several
tables, user roles, and other components.

Tables installed with Policy and Compliance Management

Policy and Compliance Management adds the following tables.

Table Description

Article Template Used to format the policy text contained in a

policy record when publishing the policy to the
[sn_compliance_article_template]
Knowledge Base (KB).
Authority Document Extends the Document [sn_grc_document] table
and stores all Authority Documents.
[sn_compliance_authority_document]

Citation Extends the Content [sn_grc_content] table and

stores all citations.
[sn_compliance_citation]

Control Extends the Item [sn_grc_item] table and stores

all controls.
[sn_compliance_control]

Policy Extends the Document [sn_grc_document] table

and stores all policies.
[sn_compliance_policy]

Policy Statement Extends the Content [sn_grc_content] table and

stores all policy statements.
[sn_compliance_policy_statement]

Policy Statement to Assessment Metric

[sn_comp_asmt_m2m_statement_metric]

Policy Statement to Citation Is a many-to-many relationship table that is

used to manage relationships between policy
[sn_compliance_m2m_statement_citation]
statements and their related citations.

© 2018 ServiceNow. All rights reserved. 11

Jakarta ServiceNow Policy and Compliance Management

Table Description

Policy Statement to Profile Type Extends Content to Profile Type

[sn_grc_m2m_content_profile_type] and is a
[sn_compliance_m2m_statement_profile_type]
many-to-many relationship table that is used
to manage the relationships between policy
statements and profile types.
Policy to Profile Type Extends Document to Profile Type
[sn_grc_m2m_document_profile_type] and is a
[sn_compliance_m2m_policy_profile_type]
many-to-many relationship table that is used to
manage the relationships between policies and
profile types.

Note: All additional tables installed by the dependent plugins are also needed for Risk
Management.

Properties installed with Policy and Compliance Management

Policy and Compliance Management adds the following properties.

Name Description

States for which the control is active (the first Compliance administrators can change this
state is the default active state) setting.
sn_compliance.active_states • Type: string
• Default value: draft, assess, review, monitor
• Location: Policy and Compliance >
Administration > Properties

States for which control is inactive (the first state Compliance administrators can change this
is the default inactive) setting.
sn_compliance.closed_states • Type: string
• Default value: retired
• Location: Policy and Compliance >
Administration > Properties

Name of the assessment metric type that is used System administrators can change this setting.
for attestations
• Type: string
sn_compliance.default_attestation • Default value: GRC Attestation
• Location: Policy and Compliance >
Administration > Properties

sn_compliance.glide.script.block.client.globals • Type: true or false

• Default value: false
• Location: Policy and Compliance >
Administration > Properties

© 2018 ServiceNow. All rights reserved. 12

Jakarta ServiceNow Policy and Compliance Management

Name Description

Name of the knowledge base used to publish Compliance administrators can change this
Policy articles setting.
sn_compliance.knowledge_base • Type: string
• Default value: Governance, Risk, and
Compliance
• Location: Policy and Compliance >
Administration > Properties

Roles installed with Policy and Compliance Management

GRC: Policy and Compliance Management adds the following roles.

Role title [name] Description Contains roles

Compliance Reader Contains the reader role in • sn_grc.reader

sn_grc scopes. In addition
[sn_compliance.reader]
to the inherited permissions,
the compliance reader can be
assigned profile types, profiles,
indicators templates, indicators
and issues.
Compliance User Contains the reader and user • sn_grc.reader
roles in sn_grc scopes, and • sn_grc.user
[sn_compliance.user]
the reader role in the Policy
• sn_compliance.reader
and Compliance Management
application. In addition to
the inherited permissions,
the compliance user can be
assigned controls, and has
read-only access to the Risk
Management application and
modules.
Compliance Manager Contains the reader, user, • sn_grc.reader
and manager roles in sn_grc • sn_grc.user
[sn_compliance.manager]
scopes, and the reader and
• sn_grc.manager
user roles in thePolicy and
Compliance Management • sn_compliance.reader
application. In addition to the • sn_compliance.user
inherited permissions, the
compliance manager can create
authority documents, citations,
policies, policy statements, and
controls.

© 2018 ServiceNow. All rights reserved. 13

Jakarta ServiceNow Policy and Compliance Management

Role title [name] Description Contains roles

Compliance Administrator Contains the reader, user, • sn_grc.reader

manager, and admin roles in • sn_grc.user
[sn_compliance.admin]
sn_grc scopes, and the reader,
• sn_grc.manager
user, and manager roles in
thePolicy and Compliance • sn_grc.admin
Management application. • sn_compliance.reader
In addition to the inherited • sn_compliance.user
permissions, the compliance • sn_compliance.manager
admin can delete authority
documents, citations, policies,
policy statements, and controls.
Compliance Developer Contains the reader, user, • sn_grc.reader
manager, admin, and developer • sn_grc.user
[sn_compliance.developer]
roles in sn_grc scopes, and
• sn_grc.manager
the reader, user, manager,
and admin roles in thePolicy • sn_grc.admin
and Compliance Management • sn_grc.developer
application. In addition to the • sn_compliance.reader
inherited permissions, the • sn_compliance.user
compliance developer can • sn_compliance.manager
create article templates and edit • sn_compliance.admin
scripts.

Attestation Creator Role used for creating GRC assessment_admin

attestation metric type
sn_compliance.attestation_creator

Script includes installed with Policy and Compliance Management

GRC: Policy and Compliance Management adds the following script includes.

Script include Description

AssessmentEngine Engine for generating assessments.

AssessmentEngineBase Engine for generating assessments.
AssessmentStrategy Creates controls for assessments.
AssessmentStrategyBase Shared processor utility for evaluating
assessments
ComplianceAjax AJAX utilities for compliance
ComplianceMigrationUtils Utilities for migrating authority documents,
citations, policies, controls/policy statements,
and control test definitions from previous
instances.
ComplianceUtils Utilities for Policy and Compliance Management
ComplianceUtilsBase Utilities for Policy and Compliance Management
ControlGeneratorStrategy Creates controls for profile.

© 2018 ServiceNow. All rights reserved. 14

Jakarta ServiceNow Policy and Compliance Management

Script include Description

ControlGeneratorStrategyBase Generates controls when relationships between

profiles, profile types, policies, and policy
statements are made.
GRCPolicyCompAssessment Contains the APIs for policy statement and
compliance assessments.
GRCPolicyCompAssessmentAjax AJAX utilities for policy statement and
compliance assessment
GRCPolicyCompAssessmentBase Contains the APIs for policy statement and
compliance assessments.

Client scripts installed with Policy and Compliance Management

GRC: Policy and Compliance Management adds the following client scripts.
Client script Table Description

Force positive weighting Control Enforces that the weighting field

is greater than or equal to 0.
[sn_compliance_control]

Populate fields from policy Control Populates the name,

statement description, type, category, and
[sn_compliance_control]
classification from the policy
statement.

Business rules installed with Policy and Compliance Management

GRC: Policy and Compliance Management adds the following business rules.

Business rule Tables Description

Add processing document Policy to Profile Type

[sn_compliance_m2m_policy_profile_type]

Add processing statement Policy Statement to Profile Type

[sn_compliance_m2m_statement_profile_type]

Allow only one default Article Template Ensures that only one template
record has the default check
[sn_compliance_article_template]
box checked.
Associate Metric Type to Control
Record
[sn_compliance_control]
[sn_comp_asmt_m2m_statement_metric]

Associate Metric Type to Policy Statement to

Record Assessment Metric
[sn_comp_asmt_m2m_statement_metric]

© 2018 ServiceNow. All rights reserved. 15

Jakarta ServiceNow Policy and Compliance Management

Business rule Tables Description

Auto business rule for Control Automatically creates an

Assessments Assessable Record when
[sn_compliance_control]
controls are created
Auto deletion rule for Control Automatically deletes the
Assessments associated Assessable Record
[sn_compliance_control]
when a control is deleted
Cannot Insert Duplicates Policy Statement to
Assessment Metric
[sn_comp_asmt_m2m_statement_metric]

Cascade Changes Policy Statement Copies changes made to policy

statement name, description,
[sn_compliance_policy_statement]
reference, category, type,
and classification fields to the
associated controls
Create issue for non-compliant Control If no issues exist, creates an
control issue when a control status
[sn_compliance_control]
changes to non-compilant.
Otherwise, a worknote is added
to the existing issue.
Deactivate retired policy Policy Sets the Active field to false
when a policy state changes to
[sn_compliance_policy]
Retired.
Enforce Evaluation Method Policy Statement to
Allowed Assessment Metric
[sn_comp_asmt_m2m_statement_metric]

Enforce fields Policy Ensures that the Valid to and

Article template fields are
[sn_compliance_policy]
populated before moving to
the Awaiting Approval or
Published states.
Enforce positive weighting Control Ensures that the weighting of a
control is greater than or equal
[sn_compliance_control]
to 0.
Issue close rollup response to Issue Sets a control status to
control Compliant when all issues are
[sn_grc_issue]
closed.
Mark control as non-compliant Issue Sets a control status to non-
compliantwhen a related issue
[sn_grc_issue]
is created.
No item gen while generating Policy to Profile Type
profiles
[[sn_compliance_m2m_policy_profile_type]]

No item gen while generating Policy Statement to Profile Type

profiles
[sn_compliance_m2m_statement_profile_type]

© 2018 ServiceNow. All rights reserved. 16

Jakarta ServiceNow Policy and Compliance Management

Business rule Tables Description

Prevent adding inactive policy Policy to Profile Type Prevents relating inactive
policies with profile types.
[sn_compliance_m2m_policy_profile]

Prevent adding inactive policy Policy Statement to Profile Type Prevents relating inactive policy
statement statements with profile types.
[sn_compliance_m2m_statement_profile_type]

Prevent generation during Policy Statement to Profile Type

retirement
[sn_compliance_m2m_statement_profile_type]

Prevent generation during Policy to Profile Type

retirement
[sn_compliance_m2m_policy_profile_type]

Publish to KB Policy Creates a knowledge article

and publishes it to the default
[sn_compliance_policy]
Knowledge Base once a policy
state changes to Published
Retire KB Article Policy Retires the associated
knowledge article when a policy
[sn_compliance_policy]
is retired or re-published.
Set active Policy Statement Sets a policy statement to be
active if the policy statement
[sn_compliance_policy_statement]
Policy field is populated with an
active policy.
Set Content Policy Statement to Profile Type Sets the Content field to the
same value as the Policy
[sn_compliance_m2m_statement_profile_type]
statement field.
Set Document Policy to Profile Type Sets the Document field to the
same value as the Policy field.
[sn_compliance_m2m_policy_profile]

Set popup scratchpad Policy Statement

[sn_compliance_policy_statement]

Start policy approval workflow Policy Starts the approval workflow for
a policy when it moves to the
[sn_compliance_policy]
Awaiting Approval state.
Start policy review workflow Policy Starts the review workflow for
a policy when it moves to the
[sn_compliance_policy]
Published state.
Update control status Assessment Instance Question
[asmt_assessment_instance_question]

Update controls for adhoc Assessment Instance

questionnaires
[asmt_assessment_instance]

© 2018 ServiceNow. All rights reserved. 17

Jakarta ServiceNow Policy and Compliance Management

Business rule Tables Description

Update risks control failure Control Updates the control failure

factor factor for associated risks
[sn_compliance_control]
when the controls Status field
changes.

Configure Policy and Compliance Management

System and compliance administrators in the global domain can set properties to determine how the
system defines the Policy and Compliance Management application. The Policy and Compliance
Management application provides properties associated with article templates, attestation types, and UCF
integration.
Role required: admin, sn_compliance.admin, sn_compliance.developer
Compliance Administrators can set all the same properties except the Name of the assessment metric
type that is used for attestations.
Administrators in domains lower than the global domain can view the Properties screen, but cannot modify
the settings.

Note: A message appears at the top of the form This record is in the Policy and Compliance
application, but <scope> is the current application to ensure that you are in the correct
application scope.

Article Templates Policy and Compliance managers can create

templates for policy article publishing.

Attestation Types Rather than using the default GRC attestation

type, the compliance manager can create a new set
of questions for each policy statement.

Unified Compliance Integration See Configure the UCF integration on page 51.

1. Navigate to Policy and Compliance > Administration > Properties.

2. Fill in the fields on the form, as appropriate. See Properties installed with Policy and Compliance
Management on page 12 for property descriptions.
3. Click Save.

Establish profile scoping for policies and controls

Understanding how various parts of the organization are related to each other provides a more
comprehensive risk assessment process. Stakeholders can discern how risks in different parts of the
organization and at different levels of the organization impact each other. The scoping of profiles is
permitted in each of the GRC applications, but the GRC Workbench, which provides a visual presentation
of those dependencies, is only activated for use with Risk Management.

© 2018 ServiceNow. All rights reserved. 18

Jakarta ServiceNow Policy and Compliance Management

What is Profile Scoping?

Profile scoping provides a way to allocate risks and controls at different levels. Profile scoping involves the
following elements:

Profile Classes Profile classes allow GRC managers to separate

profiles for better distinction. For example, Business
Service Profiles, Department Profiles, Business
Unit Profiles, and the like. Reports can be filtered
to define relationships between the different profile
classes. A profile class defines what a profile
actually is. Profiles can belong to many profile types
but a profile can have only one profile class (for
example, Business Service).

Profile classes can roll up to each other, leading to

the development of the dependency model. See
What is GRC dependency modeling and mapping?
on page 23

Profile Types Profiles types are dynamic categories containing

one or more profiles. Business logic automates the
process of creating and categorizing any profiles
in the system that meet the profile type conditions.
Profile types are assigned to policy statements,
which generate controls for every profile listed in the
profile type.

Profiles Profiles are the records that aggregate GRC

information related to a specific item. Each profile is
associated with a single record from any table in the
instance. Profiles cannot be created for items that
do not have a record in a table in the platform.

© 2018 ServiceNow. All rights reserved. 19

Jakarta ServiceNow Policy and Compliance Management

Who uses Profile Scoping?

• Policy and compliance managers use profile scoping to create a system of internal controls and monitor
compliance.
• Risk managers use profile scoping to monitor risk exposure and perform risk assessments.

Example of Profile Scoping

In this scoping example, the profile types contain the following profiles:
• Global Office Locations
• Los Angeles Office
• New York Office
• Berlin Office

• North American Office Locations

• Los Angeles Office
• New York City Office

© 2018 ServiceNow. All rights reserved. 20

Jakarta ServiceNow Policy and Compliance Management

• European Union Office Locations

• Berlin Office

How do profiles relate to Policy and Compliance Management?

Profile scoping provides a systematic assignment of policy statements to controls and maintains relational
and hierarchical connections between those controls. Profiles can be a many to many relationship. Profile
types are the high-level categories and profiles are the individual items that can be associated to the profile
type.

In this Policy and Compliance scoping example:

• policies and policy statements are assigned to profile types
• controls are created based on the profiles and associated policy statements

© 2018 ServiceNow. All rights reserved. 21

Jakarta ServiceNow Policy and Compliance Management

Note: Policy statements can be created without a policy, but must be assigned a profile type.
Controls can be created without an associated policy or policy statement, but must be assigned to a
profile.

© 2018 ServiceNow. All rights reserved. 22

Jakarta ServiceNow Policy and Compliance Management

What is GRC dependency modeling and mapping?

Upstream and downstream relationships can be created between profiles to develop the dependency
map. The scoping of profiles is permitted in each of the GRC applications, but the GRC Workbench, which
provides a visual presentation of those dependencies, is only activated for use with Risk Management.

Figure 1: Dependency modeling and mapping

Dependency modeling

Dependency modeling ensures that an organization establishes a uniform definition of risk across the
enterprise. The dependency model defines what relationships are allowed between different types of
areas in the organization. This enables more effective risk normalization and aggregation by allowing
stakeholders to more effectively compare and contrast risk appetite and exposure at various levels of the
enterprise.
Creating a dependency model involves creating profile classes and defining how classes are structured in
relation to each other using the Roll up to field.

© 2018 ServiceNow. All rights reserved. 23

Jakarta ServiceNow Policy and Compliance Management

Dependency mapping

Once dependency modeling is complete, you can build out a dependency map to define how different parts
of the organization are related to each other. The dependency map represents what profile relationships
actually exist. For example, you could specify that certain projects and business services could affect the
HR department, which would in turn affect the enterprise.
Defining the dependency map involves creating profiles, defining the profile class for each profile, then
relating profiles to each other by specifying the upstream/downstream relationship.

© 2018 ServiceNow. All rights reserved. 24

Jakarta ServiceNow Policy and Compliance Management

Create a profile class

GRC managers create profile classes representing the types of things that will be part of the dependency
model. Reports can be filtered to define relationships between the different profile classes.
Role required: sn_grc.manager
A profile class defines what a profile actually is. It differs from a profile type (for example, Business
Services and Critical Business Services), in that a profile can belong to many profile types but a profile can
have only one profile class (for example, Business Service).
1. Navigate to one of the following locations:
• Policy and Compliance > Scoping > Profile Classes
• Risk > Scoping > Profile Classes
• Audit > Scoping > Profile Classes

2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 2: Authority Document

Field Value

Name Name of the profile class.

Roll up to Select dependencies to other profiles.
Useful for reporting how your lower-level
operational risks impact corporate-level
risks.

© 2018 ServiceNow. All rights reserved. 25

Jakarta ServiceNow Policy and Compliance Management

Field Value

Is Root Select the check box to indicate that this is

the highest level class.

Note: Only one root class is

allowed and it cannot roll up to
another class.

4. Click Submit.

Create and edit a profile type

Administrators or managers in any of the GRC-related applications, create profiles types from which
profiles are generated. Profiles types are dynamic categories containing one or more profiles. Business
logic automates the process of creating and categorizing any profiles in the system that meet the profile
type conditions. Profile types are assigned to policy statements, which generate controls for every profile
listed in the profile type. Profile types can also be assigned to risk statements, which generate risks for
every profile listed in the profile type, as well.
Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager,
sn_audit.admin or sn_audit.manager
1. Navigate to one of the following locations:
• Policy and Compliance > Scoping > Profile Types.
• Risk > Scoping > Profile Types > .
• Audit > Scoping > Profile Types > ..

2. Do one of the following actions:

Option Description

To create a new profile type Click New.

To edit a profile type Open the profile type from the list.
3. Fill in the fields on the form, as appropriate.

Table 3: Profile type

Name Description

Name* The name of the profile type.

Description An explanation of the profile type with any
additional information about the profile type
that a user will find helpful.
Table* The table from which the profile type
conditions identify the records to create
profiles.
Condition Filter conditions to restrict which profiles
belong to a specific profile type.
Use owner field Select the check box to indicate that a
default owner field should be used when
generating new profiles.

© 2018 ServiceNow. All rights reserved. 26

Jakarta ServiceNow Policy and Compliance Management

Name Description

Default owner The field on the table specifying the person

who owns any new profiles generated from
the profile type.
Default profile class Set the default profile class.
Generated profiles copy this default profile
class under the following conditions:
• when the profile’s class is empty and it’s
associated to a profile type that has a
default profile class
• when a profile is created under a profile
type that has a default profile class

The existing profile's class is updated under

the following conditions:
• The profile type's table changes
• The profile type's condition changes
• The profile type's active field is ik;8,'
• The profile type's default profile class
changes

Note: * indicates a mandatory field.

4. Click Submit.

Generate a profile from a profile type

Profiles are generated automatically from profile types in any of the GRC-related applications.
Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager,
sn_audit.admin or sn_audit.manager
1. Navigate to one of the following locations:
• Policy and Compliance > Scoping > Profile Types.
• Risk > Scoping > Profile Types.
• Audit > Scoping > Profile Types.

2. Open a Profile Type record from the list.

3. Add or modify any conditions, as necessary.
Changing the Table, changes the number of records matching the condition.

© 2018 ServiceNow. All rights reserved. 27

Jakarta ServiceNow Policy and Compliance Management

4. Assign the Owner field.

5. Click Update.
A profile is generated for every record that matches the filter condition.

Set a profile's class

Set the profile class for a profile to relate the profile to others.
Role required: sn_grc.manager
1. Navigate using any of the following options.
• Policy and Compliance > Scoping > All Profiles.
• Risk > Scoping > All Profiles.
• Audit > Scoping > All Profiles.

2. Open the profile record from the list.

3. Set the class field to the desired class.
4. Click Update.

Assign profiles to classes

GRC managers assign profiles to classes for the filtering of reports and to define relationships between the
different classes of business services.
Role required: sn_compliance.manager
1. Navigate to one of the following locations:
• Policy and Compliance > Scoping > All Profiles.
• Risk > Scoping > All Profiles.
• Audit > Scoping > All Profiles.

2. Open the profile record from the list.

3. Assign the Class.
4. Click Update.

© 2018 ServiceNow. All rights reserved. 28

Jakarta ServiceNow Policy and Compliance Management

Relate profiles to each other

Create relationships between profiles to build out the dependency map and better understand how controls
and risks affect each other and how they affect the enterprise.
Role required: sn_grc.manager
1. Navigate using any of these options.
• Policy and Compliance > Scoping > All Profiles.
• Risk > Scoping > All Profiles.
• Audit > Scoping > All Profiles.

2. Open the profile record from the list.

3. Perform one of the following actions:
Option Description

To specify that the current profile is Click the Add button in the Upstream profiles
downstream of another profile related list.
To specify that the current profile is upstream Click the Add button in the Downstream profiles
of another profile related list.
4. Select the desired profiles to relate the current profile to and click Create Relationship.

The profiles displayed after clicking the Add button on the Upstream profiles or Downstream profiles
related lists are limited based on the current profile's class and the defined dependency model.

Note: If there are no eligible profiles which can be related to the current profile, then the Add
button is not displayed on the Upstream profiles or Downstream profiles related lists.

Deactivate a profile
When a profile is deactivated, all the controls related to that profile are retired, and the indicators and test
plans associated to those controls are marked inactive.
Role required: grc_manager
The owner of the profile can edit the profile record and deactivate it.
1. Navigate to one of the following locations:
• Policy and Compliance > Scoping > All Profiles.
• Risk > Scoping > All Profiles.
• Audit > Scoping > All Profiles.

2. Open the profile record from the list.

• If the Active check box is selected, then the profile is active.
• If the Active check box is not selected, then the profile is inactive.

3. Click Update.
• All associated controls change to Retired state.
• All the indicators and test plans associated with the retired control are marked inactive.

© 2018 ServiceNow. All rights reserved. 29

Jakarta ServiceNow Policy and Compliance Management

Reactivate a profile
When a profile is reactivated, associated controls and risks return to the draft state and the indicators and
test plans return to active.
Role required: grc_manager
The owner of the profile can edit the profile record and reactivate it.
1. Navigate to one of the following locations:
• Policy and Compliance > Scoping > All Profiles.
• Risk > Scoping > All Profiles.
• Audit > Scoping > All Profiles.

2. Open the profile record from the list.

3. In the profile, select the check box marked Active.
4. Click Update.
All associated controls, risks, indicators, and test plans are reactivated. All associated controls and
risks are also set to Draft.

Manage policy statements and policies

The Policies and Procedures module contains overview and detailed information related to policy
approvals, policies, and policy statements.

Overview
The Policies and Procedures Overview is contained in the Policies and procedures module and
provides an executive view into compliance requirements, overall compliance, and compliance breakdowns
so areas of concern can be identified quickly. Users with the Compliance Administrator and Compliance
Manager roles view the Policies and Procedures Overview.

Table 4: Policies and Procedures Overview reports in the base system

Name Visual Description

Control compliance Donut chart Displays the overall compliance

of all the controls in the system.
Control details Donut chart Displays a breakdown of
controls, grouped by owner,
category, or type.
Control Overview Column Chart Displays the total number of
controls related to each policy.
The chart is stacked to display
overall control compliance
status for each policy.
Control Issues by Policy Line Chart Displays the number of control
(Opened Date) issues opened each week,
grouped by policy.

© 2018 ServiceNow. All rights reserved. 30

Jakarta ServiceNow Policy and Compliance Management

Name Visual Description

Policy Exceptions List Displays a list of control issues

that have been closed with
a response value of accept,
meaning the issue was not
remediated.
Total Policy Statements by Bar graph Displays a count of the overall
Policy number of policy statements
in each policy. The chart
is stacked to display policy
statements by type.

My Policy Approvals

My Policy Approvals is contained in the Policy and Compliance module and contains all policies
requiring your approval. Policies go through an approval process. Compliance managers set the length
of time that policies are valid, ensuring that the team reviews the policy often to affirm its validity. Policies
have a type, such as a policy, procedure, standard, plan, checklist, framework, or template.

States of policy approval and publishing

Policies are part of a strict approval process to ensure compliance and to reduce exposure to risk.
Publishing a policy is automatically incorporated in the approval process.

Table 5: Policy approval states

State Description

Draft All policies start in Draft state. In this stage, all

compliance users can modify the policy and
policy statements.
Review The owner, owning group, and reviewers can
modify the policy and policy statements and
send it on to the next state.
Awaiting Approval The policy is read only in this state. Approved
policies move forward to the Published state.
Unapproved policies move back to Review. If
no approvers are identified on the policy form,
the state is skipped and published without an
approval.

© 2018 ServiceNow. All rights reserved. 31

Jakarta ServiceNow Policy and Compliance Management

State Description

Published Approved policies are automatically published

to a template-defined KB. Once a policy is
published, it remains in a read-only state. The
Valid to field on the policy form defines how long
the policy is valid. When a policy is no longer
valid, it is automatically sent back to Draft state.
When a policy reaches the end of the Review
state and is Approved for publishing, it
is automatically published to the GRC
knowledge base (as defined in the Policy and
Compliance > Administration > Properties.
The article template field on the policy form
defines the style of the published policy.

Retired The KB article is removed when a policy is put

into a Retired state.

Policies

Compliance managers catalog and publish internal policies that define a set of business processes,
procedures, and or standards.

Policy Statements

Compliance managers catalog the policy statements and generate controls from those policy statements.
Policy statements only reference a single policy, although they can cover multiple citations from different
authority documents. They can be organized into Classification, Category, and Type.

Note: UCF refers to policy statements as Controls. When UCF is data is imported, controls are
imported into the policy statements table.

Create a draft policy

A policy is a document which defines an internal practice that processes must follow. Policies are defined
as policies, procedures, standards, plans, checklists, frameworks, and templates.
Role required: sn_compliance_admin or sn_compliance_manager
1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 6: Policy

Field Description

Name The name of the policy.

© 2018 ServiceNow. All rights reserved. 32

Jakarta ServiceNow Policy and Compliance Management

Field Description

Type Select from a list of options:

• Policy
• Procedure
• Standard
• Plan
• Checklist
• Framework
• Template

Owning Group Group that owns the policy.

Owner User that owns the policy.
State The policy state is a read-only field. Possible
choices are:
• Draft In this state, all compliance
users can modify the policy and policy
statements. All compliance users can
click Ready for Review at the bottom of
the form, which sets the state to Review.
• Review In this state, the owner, owning
group, and reviewers can modify the
policy and policy statements. The owner,
owning group, and reviewers click
Request approval, starting the workflow
by sending approvals to the users in the
Approvers list. The owner, owning group,
and reviewers move the policy back to
Draft, by clicking Back to draft, as well.
• Awaiting approval In this state, the
policy and policy statements are read-
only for all. Approvers can approve the
policy by updating the approval state in
the Approvals Related List on the policy
form, or by viewing My Approvals. If the
policy is approved, the policy goes to the
Published state. Otherwise, it goes back
to the Review state.
• Published In this state, the policy and
policy statements are read-only for all.
Admins can click Retire which sets the
state of the policy to Retired
• Retired In this state, the policy is read-
only for all.

Valid From The date and time for which the policy
becomes valid.
Valid To The date and time for which the policy is no
longer valid.

© 2018 ServiceNow. All rights reserved. 33

Jakarta ServiceNow Policy and Compliance Management

Field Description

Approvers Select the users you want to be included in

the approval process.
Reviewers Select the users you want to be included in
the review process.
Description A general description of the policy.
Policy text A detailed description of the policy.
Article template The article template to use for the
publication of this policy.
KB article The KB article number and link where the
policy is published.

4. Continue with one of the following options.

Option Action

To save and submit the policy • Click Submit.

To mark the policy ready for review • Click Ready for review.

Approve and publish policy

When a policy is approved, it is automatically published.
Role required: sn_compliance_admin or sn_compliance_manager
1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
2. Open the policy record.
3. Review the policy details, making updates as necessary.
4. Click Approve.

Review a policy
It is important that the right people in your organization are involved in the review of policies.
Role required: sn_compliance_admin or sn_compliance_manager
1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
2. Open the Policy record.
3. Review the policy details, making updates as necessary.
4. Continue with one of the following actions:
Option Action

To move the policy back into draft • Click Back to draft.

To request approval for the policy • Click Request approval.

© 2018 ServiceNow. All rights reserved. 34

Jakarta ServiceNow Policy and Compliance Management

Retire a policy
Retiring a policy is part of the policy management process. It can be retired any time after being approved
and published to the KB.
Role required: sn_compliance_admin or sn_compliance_manager
1. Navigate to Policy and Compliance > Policies.
2. Open the Policy record.
3. In the top right corner, click Retire.
This option is available only for policies in a published state.

Create a GRC article template

Policy and Compliance managers can create templates for policy article publishing.
Role required: sn_audit.manager
1. Navigate to Policy and Compliance > Administration > Article Templates.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 7: Authority Document

Field Value

Name Name of the article template.

Type • Script
• HTML
• XML

Script The script code. This field is dependent on

the Type field.
HTML The HTML code. This field is dependent on
the Type field.
XML The XML code. This field is dependent on
the Type field.
Is default Check box to indicate that this template
is used as the default template for all KB
articles.

4. Click Submit.

Create an authority document

Authority documents manage a process and citations are created within them to manage points of the
process. For example, the process called Building Security contains a citation for Entry Control.
Role required: sn_compliance_admin or sn_compliance_manager
1. Navigate to Policy and Compliance > Compliance > Authority Documents.

© 2018 ServiceNow. All rights reserved. 35

Jakarta ServiceNow Policy and Compliance Management

2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 8: Authority Document

Field Value

Name Name of the document.

Number Read-only field that is automatically
populated with a unique identification
number.
Source A non-editable field with the source of the
policy. For example, if the statement is from
the UCF import, the source is UCF.
Source ID The unique identification number used
by the source to catalog this authority
document.
Version The unique version number used by the
source to identify this authority document.
Common name Abbreviated version of the Name field.
Category Category for this authority document.
Type The document type:
• Audit Guideline
• Best Practice Guideline
• Bill or Act
• Contractual Obligation
• International or National Standard
• Not Set
• Organizational Directive
• Regulation of Statute
• Safe Harbor
• Self-Regulatory Body Requirement
• Vendor Documentation

Valid From The date and time for which the policy
becomes valid.
Valid To The date and time for which the policy is no
longer valid.
Url The URL of the stored authority document.
Description More information about the authority
document.

4. Right-click in the header bar and select Save from the context menu.
The authority document is created and all related lists are visible.

Create a citation from the Authority document related list.

© 2018 ServiceNow. All rights reserved. 36

Jakarta ServiceNow Policy and Compliance Management

Create a policy statement

A policy statement is an objective, direction, or standard that acts as guidance for company interactions
and operations. Policy statements can be categorized, classified, and related to policies.
Role required: sn_compliance.admin or sn_compliance.manager
1. Navigate to Policy and Compliance > Policy Statements.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 9: Policy Statement

Field Description

Name* The name of the policy statement.

Source A non-editable field with the source of the
policy. For example, if the statement is from
the UCF import, the source is UCF.
Source ID The unique identification number used
by the source to catalog this authority
document.
Reference A unique numerical identifier
Policy The parent policy containing the
policy statement. If you create a policy
statement from within a policy, this field is
automatically filled.
Parent The parent policy statement.
Active A policy is marked active if it is not in the
Draft or Retired state.
Creates controls automatically Check box indicating that controls are
automatically created from the policy
statement.

Note: Select this option if the policy

statement can also serve as the
control.

© 2018 ServiceNow. All rights reserved. 37

Jakarta ServiceNow Policy and Compliance Management

Field Description

Classification Select from a list of options:

• Preventive
• Corrective
• Detective

© 2018 ServiceNow. All rights reserved. 38

Jakarta ServiceNow Policy and Compliance Management

Field Description

Type Select from a list of options:

• Acquisition/Sale of Assets or Services
• Actionable Reports or Measurements
• Audits and Risk Management
• Behavior
• Business Processes
• Communicate
• Configuration
• Data and Information Management
• Duplicate
• Establish Roles
• Establish/Maintain Documentation
• Human Resources Management
• Investigate
• IT Impact Zone
• Log Management
• Maintenance
• Monitor and Evaluate Occurrences
• Physical and Environmental Protection
• Process or Activity
• Records Management
• Systems Continuity
• Systems Design, Build, and
Implementation
• Technical Security
• Testing
• Training

Attestation Select from a list of options.

• GRC Attestation is chosen by default
•
Note: If the user changes the
control’s attestation, the related
policy statement's attestation
type is changed also.

Description Description of the policy statement.

4. Click Submit.
The policy statement is created and all related lists are visible.
• A control is created for every policy statement when a policy is associated with a profile.
• The control attributes default to the same attributes as the related policy statement.

Deactivate a policy statement

Deactivate policy statements that are no longer relevant to their citation or policy statement.

© 2018 ServiceNow. All rights reserved. 39

Jakarta ServiceNow Policy and Compliance Management

Role required: sn_compliance_admin or sn_compliance_manager

1. Navigate to Policy and Compliance > Policies and Procedures > Policy Statements.
2. Open a policy statement.
3. In the policy statement, clear the check box marked Active.
4. Click Update.

Relate a policy statement to a policy

Policy statements can be associated to a policy individually by choosing the policy in the document field on
the policy statement, or by editing the policy statements related list.
Role required: sn_compliance.admin or sn_compliance.manager
1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
2. Open the policy record.
3. Click Edit in the Policy Statements related list.
The slushbucket contains active policy statements with no associated policy selected.
4. Select the policy statements.
5. Click Save.
Those policy statements are listed in the Policy Statement related list.

Relate a policy statement to a citation

A single policy statement can be mapped to many citations from different authority documents. This
function allows you to test a policy statement once while complying with many different citations.
Role required: sn_compliance_admin or sn_compliance_manager
1. Navigate to Policy and Compliance > Compliance > Citations.
2. Open a citation.
3. In the Policy statements related list, click New.
4. Fill in the fields on the form, as appropriate.

© 2018 ServiceNow. All rights reserved. 40

Jakarta ServiceNow Policy and Compliance Management

Table 10: Policy Statement

Field Description

Name The name of the policy statement.

Source A non-editable field with the source of the
policy. For example, if the statement is from
the UCF import, the source is UCF.
Reference A unique numerical identifier.
Policy The parent policy statement supported by
this policy statement.
Parent References the parent content.
Active If the policy statement is not in the Draft or
Retired states, a policy is marked active.
Source ID The unique identification number used
by the source to catalog this authority
document.
Category Select from a list of options:
• Acquisition or sale of facilities,
technology, and services
• Audits and risk management
• Compliance and Governance Manual of
Style
• Human Resources management
• Leadership and high level objectives
• Monitoring and measurement
• Operational management
• Physical and environmental protection
• Privacy protection for information and
data
• Records management
• System hardening through configuration
management
• Systems continuity
• Systems design, build, and
implementation
• Technical security
• Third Party and supply chain oversight
• Root
• Deprecated

Classification Select from a list of options:

• Preventive
• Corrective
• Detective
• IT Impact Zone

© 2018 ServiceNow. All rights reserved. 41

Jakarta ServiceNow Policy and Compliance Management

Field Description

Type Select from a list of options:

Description Describe the policy statement and how it

supports the goals of the organization.

5. Click Submit.

Create a citation
Usually, authority documents, citations, and policy statements are downloaded from UCF. However,
citations can be created manually from an authority document.
Role required: sn_compliance_admin or sn_compliance_manager
1. Navigate to Policy and Compliance > Authority Documents.
2. Open an authority document.
3. In the Citations Related List, click New.
4. Fill in the fields on the form, as appropriate.

© 2018 ServiceNow. All rights reserved. 42

Jakarta ServiceNow Policy and Compliance Management

Table 11: Citation

Field Description

Name* User-defined name that identifies this

citation.
Source A non-editable field with the source of the
policy. For example, if the statement is from
the UCF import, the source is UCF.
Source ID The unique identification number used
by the source to catalog this authority
document.
Reference Content reference.
Type Type of citation created. Optional field not
used for any processing. Use the value in
this field in reports or to query for records of
a specific type.
• Core Topic
• Process
• Control Objective
• Control
• Supporting information

Authority document Name of the parent authority document for

this citation. When you create citations from
the authority document form, the system
completes this field automatically.
Active A policy is marked active if it is not in the
Draft or Retired state.
Parent References the parent content.
Description Description of the citation.

Deactivate a citation
The Active option in a citation indicates whether the citation has been retired.
Role required: sn_compliance.admin or sn_compliance.manager
1. Navigate to Policy and Compliance > Compliance > Citations.
2. Open a citation.
3. In the citation, clear the check box marked Active.

Deactivate an authority document

The Active option in an authority document indicates whether the authority documents has been retired.

© 2018 ServiceNow. All rights reserved. 43

Jakarta ServiceNow Policy and Compliance Management

Role required: sn_compliance.admin or sn_compliance.manager

1. Navigate to Policy and Compliance > Compliance > Authority Documents.
2. Open an authority document.
3. In the authority document, clear the check box marked Active.

Use UCF Common Controls Hub to manage compliance

frameworks
Compliance administrators can download content from Network Frontiers Unified Compliance Framework
(UCF) for use as GRC authority documents, citations, controls, and policy statements. The documents can
be updated on pre-defined intervals.
Users must have a UCF Common Controls Hub account to create shared lists and import them into the
ServiceNow® instance.
For more information on Unified Compliance Framework (UCF), see https://www.unifiedcompliance.com.

Warning: All data imported from UCF Authority Documents is read-only and must be protected.
Do not customize the authority documents, citations, or policy statements on any UCF fields
transformed into GRC tables.

Getting Started with the UCF Common Controls Hub

Network Frontiers released a new method for allowing authenticated users to download content from
the UCF Common Controls Hub (CCH) website. Users require a separate subscription to the Network
Frontiers Unified Compliance Framework Common Controls Hub (UCF-CCH) to download UCF content.
For customers whose GRC entitlement date is before December 1, 2016, you are entitled to a free UCF
CCH account for the period of December 1, 2016 through November 30, 2018.
For customers on Helsinki (Patch 7 and above), or Istanbul, and whose GRC entitlement date is December
1, 2016 or after, you must contact UCF-Common Control Hub to arrange for a subscription, if your
organization plans on using Unified Controls Compliance as the provider of your controls library. For more
information about establishing a UCF CCH account, see Unified Compliance Framework.

Note: A subscription to UCF-CCH is not required for using the GRC Policy & Compliance
application.

Table 12:

If your organization's GRC entitlement date is Tasks

BEFORE December 1, 2016 1. Activate Compliance UCF on page 46.

2. Create HI Request for GRC subscription
validation free UCF-CCH account on page
47.
3. Configure the UCF integration on page
51.
4. Download a UCF shared list on page 53.

© 2018 ServiceNow. All rights reserved. 44

Jakarta ServiceNow Policy and Compliance Management

If your organization's GRC entitlement date is Tasks

AFTER December 1, 2016 1. Sign up for a UCF CCH account and

customize your basic subscription to include
API Access.
2. Activate Compliance UCF on page 46.
3. Create HI Request for UCF-CCH account
integration information on page 49.
4. Configure the UCF integration on page
51.
5. Download a UCF shared list on page 53.

Authority document and shared list imports

Every authority document already imported into the ServiceNow® instance must be in any shared list you
wish to import from the UCF CCH. This prevents inconsistencies between what is in the UCF CCH (which
may have changed) and what you’ve already imported.

Figure 2: Shared list import successful

Figure 3: Shared list import unsuccessful

© 2018 ServiceNow. All rights reserved. 45

Jakarta ServiceNow Policy and Compliance Management

An error is rendered since SOX is not being reimported within this Shared List.

UCF and GRC terminology differences

Authority documents in the UCF content are organized and mapped to their proper citations, which in turn
are mapped to a common set of controls. The terminology between UCF and the GRC applications differ
slightly as explained in the following table.

Table 13: Terminology differences

UCF GRC application

Authority Document Authority Document

Citation Citation
Control Policy Statement

Activate Compliance UCF

The GRC: Compliance UCF (com.sn_comp_ucf) plugin is available as a separate subscription.
Role required: admin
This plugin includes demo data and activates related plugins if they are not already active.
1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.
If the plugin depends on other plugins, these plugins are listed along with their activation status.
If the plugin has optional features that depend on other plugins, those plugins are listed under Some
files will not be loaded because these plugins are inactive. The optional features are not installed
until the listed plugins are installed (before or after the installation of the current plugin).
4. Optional: If available, select the Load demo data check box.
Some plugins include demo data—Sample records that are designed to illustrate plugin features for
common use cases. Loading demo data is a good practice when you first activate the plugin on a
development or test instance.
You can also load demo data after the plugin is activated by clicking the Load Demo Data Only
related link on the System Plugin form.
5. Click Activate.

For customers whose GRC entitlement date is before December 1, 2016, a free UCF CCH account is
included for the period of December 1, 2016 through November 30, 2018. See Create HI Request for GRC
subscription validation free UCF-CCH account on page 47.
For customers on Helsinki (Patch 7 and above), or Istanbul, and whose GRC entitlement date is December
1, 2016 or after, you must contact UCF-Common Control Hub to arrange for a basic account subscription
with API access.

Note: API access is required to download UCF content from the UCF-CCH.

For more information about establishing a UCF CCH account, see Unified Compliance Framework.

© 2018 ServiceNow. All rights reserved. 46

Jakarta ServiceNow Policy and Compliance Management

Create HI Request for GRC subscription validation free UCF-CCH account

For customers whose GRC entitlement date is before December 1, 2016, a free UCF CCH accountis
included for the period of December 1, 2016 through November 30, 2018.
Role required: admin
1. After activating the Compliance UCF plugin, sign in to the Hi Service Portal.
2. Click Get Help.

3. Click Create an Incident.

4. Select Issue Type Request.

© 2018 ServiceNow. All rights reserved. 47

Jakarta ServiceNow Policy and Compliance Management

5. Select Category Hi Administration.

6. Describe the issue and provide the following information:
• Enter "I have activated the new GRC: Compliance UCF (com.sn_comp_ucf) plugin. I am requesting
that you validate my subscription and open a UCF CCH account on my behalf".
• Include your company name and company account number.
• Include the requester’s name, business email address and phone number.

Note: By providing your company and requester contact information, you authorize
ServiceNow® customer service to contact and share that information with Network Frontiers, a
third party, in order to complete your UCF CCH account enrollment.

7. Attach screen shots, logs, etc., as necessary.

8. Select affected instances. Enter your company's GRC instance.
9. What is the business impact? Select your answer.
10. How many users does this affect? Select your answer.
11. When did you experience this issue? Select today's date.
12. Click Report the issue.
ServiceNow® HI customer support initiates the UCF-CCH account creation and enrollment process
and will contact the requester when the process is complete.

Configure the UCF integration on page 51

© 2018 ServiceNow. All rights reserved. 48

Jakarta ServiceNow Policy and Compliance Management

Create HI Request for UCF-CCH account integration information

For customers on Helsinki (Patch 7 and above), or Istanbul, and whose GRC effective contract date is
December 1, 2016 or after, you must contact UCF-Common Control Hub to arrange for a subscription, if
your organization plans on using Unified Controls Compliance as the provider of your controls library. For
more information about establishing a UCF CCH account, see Unified Compliance Framework.
Sign up for a UCF CCH account and customize your basic subscription to include API Access.
Role required: admin
1. After activating the Compliance UCF plugin, sign in to the Hi Service Portal.
2. Click Get Help.

3. Click Create an Incident.

4. Select Issue Type Request.

© 2018 ServiceNow. All rights reserved. 49

Jakarta ServiceNow Policy and Compliance Management

5. Select Category Hi Administration.

6. Describe the issue and provide the following information:
• Enter "I have activated the new GRC: Compliance UCF (com.sn_comp_ucf) plugin. I have already
subscribed to the UCF CCH. I am requesting that you provide me with the necessary OAuth
information to complete the integration."
• Include your company name and company account number.
• Include the requester’s name, business email address and phone number.

7. Attach screen shots, logs, etc., as necessary.

8. Select affected instances. Enter your company's GRC instance.
9. What is the business impact? Select your answer.
10. How many users does this affect? Select your answer.
11. When did you experience this issue? Select today's date.
12. Click Report the issue.
ServiceNow® HI customer support initiates the OAuth integration process and will contact the
requester with the integration information.

Configure the UCF integration on page 51

© 2018 ServiceNow. All rights reserved. 50

Jakarta ServiceNow Policy and Compliance Management

Configure the UCF integration

UCF integrates with your ServiceNow instance through an authentication process which validates your
subscription. On the UCF Configuration form, select the type of authentication, then enter a UCF-provided
API key or a ServiceNow-provided OAuth2 client and secret.
Role required: sn_comp_ucf.admin and oauth_admin

Note: If you are using Oauth authentication, only the UCF Oauth administrator has access to
the system Oauth tables. The user must give the UCF Oauth administrator role to the GRC UCF
administrator, so the UCF administrator can set up UCF configuration page.

UCF integration requires that GRC is configured and users must be a Common Controls Hub
administrator.
The configuration page for the global domain is loaded by default. If you are using
The configuration page for the global domain is loaded by default. If you are using Domain Separation,
delete the default configuration page, and create one specific to your domain.
1. Navigate to Policy and Compliance > Administration > Unified Compliance Integration.
2. Click the UCF configuration.
3. Fill in the fields on the form, as appropriate.

Table 14: UCF Configuration

Field Description

Shared List The shared list to be imported.

Note: Shared lists appear

subscription authentication.

Authentication type API Key or Oauth.

4. Perform one of the following actions:

Authentication Method Actions

For API Key authentication 1. Enter the API key in the API Key field.
2. Select a shared list and click Save
Configuration.

© 2018 ServiceNow. All rights reserved. 51

Jakarta ServiceNow Policy and Compliance Management

Authentication Method Actions

For Oauth authentication

Note: If using Oauth authentication, only
the UCF Oauth administrator has access
to the system Oauth tables. The user
must give the UCF Oauth administrator
role to the GRC UCF administrator, so
the UCF administrator can set up UCF
configuration page.

1. Enter the Client ID, provided by ServiceNow®

HI customer support. See Create HI Request
for GRC subscription validation free UCF-
CCH account on page 47 or Create HI
Request for UCF-CCH account integration
information on page 49 for information.

Note: Configuration information is

specific to the ServiceNow® instance.
Be sure to enter accurate information
for any test, development, or
production instances you are using.
Do not include spaces in the entry.

2. Enter the UCF OAuth Client ID, provided

by ServiceNow® HI customer support. See
Create HI Request for GRC subscription
validation free UCF-CCH account on page
47 or Create HI Request for UCF-CCH
account integration information on page
49 for information.

Note: Configuration information is

specific to the ServiceNow® instance.
Be sure to enter accurate information
for any test, development, or
production instances you are using.
Do not include spaces in the entry.

3. Enter the OAuth2 profile to use for

downloading. The default is the United
Compliance Framework Default Profile that is
installed with the UCF plugin. This field does
not typically need to be changed.
4. Enter the Redirect URL, provided by
ServiceNow® HI customer support. For
example, https://mycompany.service-
now.com/oauth_redirect.do
See Create HI Request for GRC subscription
validation free UCF-CCH account on page
47 or Create HI Request for UCF-CCH
account integration information on page
49 for information.

Note: Configuration information is

specific to the ServiceNow® instance.
Be sure to enter accurate information
for any test, development, or
© 2018 ServiceNow. All rights reserved. 52
production instances you are using.
Do not include spaces in the entry.
Jakarta ServiceNow Policy and Compliance Management

If UCF introduces new fields and content, administrators can use staging tables and transform maps to
accommodate those changes to UCF data formats. This is an advanced configuration and not required.
The following import sets and tables can be configured to customize the UCF download logic.

Table 15: Staging table [extends from import set

row table: import_set_row] used for UCF integration

Staging table Description

UCF Authority Document The UCF Authority Document staging table

[sn_comp_ucf_authority_document] is used to store authority documents that are
downloaded from the UCF Common Controls
Hub
UCF Citation [sn_comp_ucf_citation] The UCF Citation staging table is used to store
citations that are downloaded from the UCF
Common Controls Hub
UCF Control [sn_comp_ucf_control] The UCF Control staging table is used to store
controls that are downloaded from the UCF
Common Controls Hub
UCF Citation to Control The UCF Citation to Control staging table
[sn_comp_ucf_m2m_control_citation] is used to store citation to controls that are
downloaded from the UCF Common Controls
Hub

Table 16: Transform maps used for UCF integration

Transform maps Description

Default Authority document transform Transforms data from the UCF Authority
document staging table into the Authority
Document table
Default Citation Transform Transforms data from the UCF Citation staging
table into the Citation table
Default Control transform Transforms data from the UCF Control staging
table into the Policy Statement table
Control to Citation transform map Transforms data from the UCF Citation to
Control table into the Policy Statement to
Citation table

Download a UCF shared list

In order for compliance managers to download UCF authority documents from the UCF CCH, the list must
be marked as Shared. When updating Authority Documents or adding new ones, you must update all your
authority documents to ensure that the common controls framework remains in sync with the authority
documents you are using.
Role required: sn_compliance_admin or sn_compliance_manager

© 2018 ServiceNow. All rights reserved. 53

Jakarta ServiceNow Policy and Compliance Management

Note: The current design of UCF supports the downloading of mandated and implied controls.
The downloading of implementation controls is not supported. See the Unified Compliance
Documentation How do I distribute an authority document list to other accounts?

1. Navigate to Policy and Compliance > Administration > Unified Compliance Integration.
2. Click the UCF configuration.
3. Configure the UCF integration on page 51, if necessary.
4. Click Import Shared List.
A progress bar shows the progress of downloading and importing the documents.

You may encounter any of the following errors:

© 2018 ServiceNow. All rights reserved. 54

Jakarta ServiceNow Policy and Compliance Management

Table 17: UCF Shared List Errors

Error Explanation Resolve

If the internet connection 1. Click Import Shared

is lost for any reason, this List to download again.
message appears.

If the selected UCF Shared 1. Return to the CCH and

List that you are downloading verify that the Shared
does not include all the List you are trying to
authority documents you download includes all
have already downloaded, the Authority Documents
this message appears. from the original import
to your instance.
2. Click Import Shared
List to download again.

5. Click Review Changed Records to review the list of changed records.

© 2018 ServiceNow. All rights reserved. 55

Jakarta ServiceNow Policy and Compliance Management

Authority documents in the UCF content are organized and mapped to their proper citations, which
in turn are mapped to a common set of controls. The terminology between UCF and the GRC
applications differ slightly as explained in the following table.

© 2018 ServiceNow. All rights reserved. 56

Jakarta ServiceNow Policy and Compliance Management

Table 18: Terminology differences

UCF ServiceNow GRC application

Authority Document Authority Document

Citation Citation
Control Policy Statement

Manage controls
Controls are specific implementations of a policy statement. Retired controls do not appear in the list.
Before defining controls, take time to rationalize, consolidate, and define the important controls in your
organization.

Rationalize your controls

If you upload all your controls in bulk, you are missing the opportunity to refine and streamline your controls
set. How does this control affect my business objective? Is this control actually preventing or detecting
risk? Is there a different control you can place that better protects your business? Is there a control you
can put in place that reduces process overhead and improves IT performance while also mitigating risk?
Can a complicated control be replaced with a simpler more effective control? As your business changes,
and your IT data, processes, and technology improve, replace outdated controls and procedures when you
implement your GRC application.
• How does this control affect my business objective?
• Is this control actually preventing or detecting risk?
• Is there a different control you can place that better protects your business?
• Is there a control you can put in place that reduces process overhead and improves IT performance
while also mitigating risk?
• Can a complicated control be replaced with a simpler more effective control?

As your business changes, and your IT data, processes, and technology improve, replace outdated
controls and procedures.

Consolidate your controls

Look for opportunities to consolidate controls. Look for common, repeated controls across multiple
regulatory authorities of frameworks (e.g., SOX and GLBA and AML). Avoid operating a single control
multiple times for each regulation, by cross-mapping controls and eliminating the redundant ones. This
process establishes a single consolidated set of controls = control framework, performing and preserving
the cross mapping of controls is critical for audits.

© 2018 ServiceNow. All rights reserved. 57

Jakarta ServiceNow Policy and Compliance Management

Figure 4: Industry regulations and requirements overlap

Define controls and business rules

The business rules you define up front, establish the GRC configuration settings later. Be prepared to:
• Identify controls and control owners
• Define control tests and expected results
• Establish test and control frequencies
• Identify risks: impact and likelihood
• Prepare attestations, assessments, questionnaires and required evidence
• Compose likely use-cases (who needs to interact with or view the contents of the GRC system and for
what purposes)
• Map authoritative sources to policies, to procedures, to controls, and to risks

Create a control
Controls are automatically generated when you associate a policy with a profile type or a profile type with
a policy statement. A control is created for each profile listed in the profile type for the policy statement.
Controls can also be manually created.
Role required: sn_compliance.admin or sn_compliance.manager
1. Navigate to Policy and Compliance > Controls > All Controls.
2. Click New.

© 2018 ServiceNow. All rights reserved. 58

Jakarta ServiceNow Policy and Compliance Management

3. Fill in the fields on the form, as appropriate.

Table 19: Control

Field Description

Name The name of the control.

Number Read-only field that is automatically
populated with a unique identification
number.
Profile The related profile.
Policy Statement The related policy statement.
Owning group Group that owns the policy.
Owner User that owns the policy.

Note: The owner is always added

as a respondent.

Key control Marks the control as a key control.

Weighting Set the weighting between 1 and 10. Used
to calculate the control failure factor of a
risk.
Status The control status is a read-only field.
Possible choices are:
• Compliant
• Non compliant
• Not applicable

© 2018 ServiceNow. All rights reserved. 59

Jakarta ServiceNow Policy and Compliance Management

Field Description

State The control state is a read-only field.

Possible choices are:
• Draft In this state, all compliance
users can modify the control. Only
available when creating a one-off control.
One-off controls are possible but not
recommended.
• Attest When the control is created from
a policy statement, controls are in this
state.

Note: When a control is set

back to draft, the attestation is
canceled.
• Review Controls are automatically
moved to review from the attestation
phase.
• Monitor In this state, all compliance
managers can move the control from
review to monitor.
• Retired Compliance managers or
administrators can move a control from
Monitor to Retired. Indicators do not run
when the control is in this state.

Note: When a control is retired,

any attestation associated with it
is canceled.

Enforcement Select from a list of options:

• Mandated
• Voluntary

© 2018 ServiceNow. All rights reserved. 60

Jakarta ServiceNow Policy and Compliance Management

Field Description

Category Select from a list of options:

© 2018 ServiceNow. All rights reserved. 61

Jakarta ServiceNow Policy and Compliance Management

Field Description

Type Select from a list of options:

Classification Select from a list of options:

• Preventive
• Corrective
• Detective
• IT Impact Zone

Frequency Select from a list of options:

• Event Driven
• Daily
• Weekly
• Monthly
• Quarterly
• Semi-Annually
• Annually

Description A description of the control.

Additional Information Additional information about the control.

© 2018 ServiceNow. All rights reserved. 62

Jakarta ServiceNow Policy and Compliance Management

Field Description

Attestation
Attestation Select from a list of options.
• Other attestation types can be
configured.
• If this field is populated, then the
Attestation Respondents field
automatically becomes mandatory, and
the owner is made the respondent.

Note: If the user changes the

attestation type in the policy
statement, all the related controls
are changed also.

Attestation respondents • Users assigned to the attestation of this

control.
• Only a user with the sn_grc.user role can
be added as a respondent.

Note: When both the Attestation

and Attestation respondents fields
are set, attestations are created
when you click Attest.

Activity Journal
Additional comments

4. Click Submit.

Follow a control
Connect integrates with Policy and Compliance Management providing an overlay to the standard
interface, allowing users to participate in conversations while they work and collaborate on the control
record.
Role required: sn_compliance.user or sn_compliance.reader
1. Navigate to Policy and Compliance > Controls > All Controls.
2. Open the control record.
3. Click the Follow tab and select one of the options.
Option Action

To add the Connect sidebar • Click Open Connect mini.

To add the Connect full-screen view • Click Open Connect Full.

© 2018 ServiceNow. All rights reserved. 63

Jakarta ServiceNow Policy and Compliance Management

Attest a control
Attestations are surveys that gather evidence to prove that a control is implemented. If the control’s
attestation field and respondents fields are set, then when a controls moves from the Draft state to the
Attest state, a notification is sent to the attestation respondents.
Role required: sn_grc.user
Users can create multiple attestation types and set their policy statements to different attestations. A
sample attestation called GRC Attestation is also provided as the default attestation which is composed of
the following simple questions:
When controls are attested, a new questionnaire is created. As a result, attestations do not appear in the
Self-Service > My assessments & surveys module. Hundreds of GRC assessment records could be
generated at once and should be separated from other assessments in a separate list view.
1. Navigate to Policy and Compliance > Controls > My Attestations.
2. Open the attestation and review the details.
Option Description

If you are unable to answer the questions 1. Reassign the attestation to another user in
the Assigned to field.
2. Click Update and close the record.

Note: Only a user with the sn_grc.user

role can be re-assigned the attestation.

The list of attestations refreshes when you

reassign an attestation to another user.

If you are able to answer the questions 1. Click Take attestation.

2. Answer the questions and attach information,
as required.
3. Click Submit.

The list of attestations refreshes when you close

the Take Assessment pop-up window.

Manage control attestations

Attestations are surveys that gather evidence to prove that a control is implemented. If the control’s
attestation field and respondents fields are set, then when a controls moves from the Draft state to the
Attest state, a notification is sent to the attestation respondents.
Users can create multiple attestation types and set their policy statements to different attestations. A
sample attestation called GRC Attestation is also provided as the default attestation which is composed of
the following simple questions:
By default, GRC Attestation is used for controls and provides the following assessment questions:
• Is this control implemented?
• Attach evidence
• Explain

© 2018 ServiceNow. All rights reserved. 64

Jakarta ServiceNow Policy and Compliance Management

My Attestations is in the Controls section of the Policy and Compliance application and contains active
attestations for which you are the respondent. The attestations appear in a list with a single attestation
record per control.
All Attestations is contained in the Controls section of the Policy and Compliance application and
contains all active attestations.
Compliance managers can create new attestation types containing different types of questions to fit their
needs. See Create a control attestation using the Attestation Designer on page 65.
Compliance managers can create a new set of questions for each policy statement. See Create an
attestation type on page 68.

Attestation designer
The attestation designer provides a single interface that users can use to create, and edit attestations, as
well as change scoring parameters.
All attestation records are stored in assessment tables and displayed in Attestation views of those tables.
The designer contains the following elements:

Table 20: Elements of the Attestation Designer

Element Description

Controls Controls for the supported question data types

are available in the Controls palette. Drag a
control onto the designer canvas to create a
question of that type.
Header bar The header bar contains tabs that display
different views and a menu of various functions.
The availability of each option depends on the
status of the attestation that is opened in the
designer.
Design canvas New attestations open in the Design view. The
attestation Name field appears above the first
category in the canvas. A blank question field
appears in the category container.

Create a control attestation using the Attestation Designer

Use the Attestation Designer to create and edit metric types, use different metric types for different
controls, select multiple respondents for an attestation, as well as change scoring parameters.
Role required: sn_compliance.attest_creator, sn_compliance.manager, sn_compliance.administrator
1. Navigate to Policy and Compliance > Administration > Attestation Types.
2. Click Attestation Designer.
The designer contains the following elements:

Element Description

Controls Controls for the supported question data

types are available in the Controls palette.
Drag a control onto the designer canvas to
create a question of that type.

© 2018 ServiceNow. All rights reserved. 65

Jakarta ServiceNow Policy and Compliance Management

Element Description

Header bar The header bar contains tabs that display

different views and a menu of various
functions. The availability of each option
depends on the status of the attestation that
is opened in the designer.
Design canvas New attestations open in the Design view.
The attestation Name field appears above
the first category in the canvas. A blank
question field appears in the category
container.

3. Enter a name in the Name field.

4. Drag a control onto the designer canvas to create a question of that type.

Table 21: Question controls

Data type Description Scored

Attachment Question with a Manage Y

Attachments icon that allows
users to attach one or more
files.
Boolean Question with a check box
or a Yes/No list for user
responses.
Choice List of predefined options. Y
For more information, see
the definition for Choices.
Date Date field. N
Date/Time Date and time field. N
Number Number field with predefined N
minimum and maximum
values. The default is 1-10.
Percentage Percentage field with a N
prescribed range.
Scale Predefined Likert scale. Y
Answer options appear as
radio buttons.
Numeric Scale Selectable number scale. Y
The default is 1-5. Answer
options appear as radio
buttons.
String Single or multi-line text field. N
Template Choice list of templates that Y
provide a predefined scale of
options.

© 2018 ServiceNow. All rights reserved. 66

Jakarta ServiceNow Policy and Compliance Management

Data type Description Scored

Reference Choice list of fields from a

specified reference table.
This data type does not
support reference qualifiers.
Image Scale
Multiple Selection
Ranking

Note: Set the correct answer for the metric that you want to be scored. Scored metrics
determine the compliance status of the controls.

5. Click one of the following tabs to change the view in the canvas:
Option Description

Design Add categories and questions, and configure the

properties of each. This is the default view of the
canvas when you open the designer.
Configuration Create introductions and end notes for
attestations, and select a signature.
Availability Select the recipients for each category in the
attestation.
6. Point to the menu icon in the upper right of the Attestation Designer to select one of the following
options:

Note: The availability of each option depends on the status of the attestation that is opened in
the designer.

Option Description

Save Save the current attestation.

Preview Display a preview to the selected recipients.
Publish Distributes the attestation to the selected
recipients.
Save and Publish Saves and distributes the attestation in one step.
New Attestation Opens a fresh canvas for a new attestation.
Load Attestation Opens a list of existing attestations that you can
select and edit.

Unlike other types of assessments, control attestations do not appear in the Self-Service > My
assessments & surveys module, because hundreds of control attestations could be generated at
once. Instead, controls attestations are shown as a list in the Policy and Compliance > Controls >
My Attestations module and All Attestation module.

© 2018 ServiceNow. All rights reserved. 67

Jakarta ServiceNow Policy and Compliance Management

Create an attestation type

Rather than using the default GRC attestation type, the compliance manager can create a new set of
questions for each policy statement.
Role required: sn_compliance.attest_creator or sn_compliance.manager or sn_compliance-admin
1. Navigate to Policy and Compliance > Administration > Attestation Types.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 22: Assessment Metric Type

Field Description

Name The name of the assessment type.

Assessment duration The days for which the assessment is
active.
Table
Scale factor
Condition
Description
State
Enforce condition
Roles

4. Click Submit.

Manage control indicators

Continuous monitoring involves activities related to identifying and creating key risk and controls indicators.
Supporting information can be collected for those indicators through automatic data collection or manual
tasks. Indicator results are then used to create issues for controls, update risk scores, and provide
supporting information for audit activities and control testing.

Indicators Indicators collect data to monitor controls and risks,

and collect audit evidence. Indicators monitor a
single control or risk.
Indicator templates Indicator templates allow the creation of multiple
indicators for similar controls or risks.

Compliance overview
The Compliance module contains compliance overview information, and lists of your authority documents
and citations.

© 2018 ServiceNow. All rights reserved. 68

Jakarta ServiceNow Policy and Compliance Management

Overview

The Compliance Overview is available to compliance administrators and compliance managers, providing
an executive view into compliance requirements, overall compliance, and compliance breakdowns.

Table 23: Compliance Overview reports in the base system

Name Visual Description

Compliance Requirements Donut chart Select a wedge to focus on a

specific compliance area.
Overall Compliance Donut chart Displays the overall compliance
of all the control requirements in
the system. Selecting a specific
wedge in the previous widget
brings that area into focus.
Profile Drop down list Select one or more profiles
to view and compare their
compliance across multiple
items.
Control State Check list Select or clear check boxes
to view filter reports by control
state.
Compliance by Authority Bar Chart Compare level of compliance
Document depending on the selected
profile and/or authority
document.
Compliance breakdown Multi-level Pivot View a breakdown of control
compliance by related authority
documents and policies.
Non Compliant Profiles Column Chart Count of non-compliant control
requirements grouped by
profile.

Authority Documents

Authority documents define policies, risks, controls, audits, and other processes to ensure adherence to
the authoritative content.
Each authority document is defined in a record and the related lists on that record contain the individual
conditions of the authority document.
The relationships of these authority document related list items are visible in the GRC Workbench in the
Policy and Compliance Management application.

Citations

Citations contain the provisions of the authority document, which can be interrelated. Citations break down
an authority document into manageable themes.

© 2018 ServiceNow. All rights reserved. 69

Jakarta ServiceNow Policy and Compliance Management

You can create citations or import them from UCF authority documents and then create any necessary
relationships between the citations.

Create a control indicator

Indicator data for controls, risk, and audit evidence are measured differently depending on the GRC
application.
Role required: compliance_admin or compliance_manager
1. Navigate to one of the following locations:
• Policy and Compliance > Indicators > Indicators.
• Risk > Indicators > Indicators.
• Audit > Indicators > Indicators.

2. Select New.
3. Fill in the fields on the form, as appropriate.

Table 24: Indicator

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.
Active Check box that determines whether the
indicator is active.
Name Name of the indicator.
Item The related control or risk.
Template The related indicator template.
Applies to The profile related to the Item.
Owner The indicator owner.
Owning group The group that owns the indicator.
Override Template Click to override the indicator template
associated to this indicator
Last result passed Read-only field indicating whether last result
passed.
Schedule
Collection frequency Select the collection frequency for indicator
results. Indicator tasks and results are
generated automatically based on the
indicator schedule.
Next run time Read-only field that is automatically
populated with the next collection time for
indicator results.
Method

© 2018 ServiceNow. All rights reserved. 70

Jakarta ServiceNow Policy and Compliance Management

Field Description

Type Results can be gathered manually using

task assignment or automatically using
basic filter conditions, Performance
Analytics, or a script.
• Manual
• Basic
• Script

Short Description If Type is Manual, this field is present. Brief

description of the issue.
Instructions If Type is Manual, this field is present.
Instructions for the collection of indicator
results.
Value Mandatory If Type is Manual, this field is present.
Passed/Failed If Type is Basic, this field is present.
Indicator passes or fails.
PA Threshold If Type is PA Indicator, this field is present.
The associated PA Threshold.
Script If Type is Script, this field is present. Script
that obtains the desired system information.
Supporting Data
Table Use supporting data to gather supporting
evidence from other applications.
Supporting data fields Supporting data fields based on the selected
table.

4. Click Submit.

Create a GRC indicator template

Compliance or risk managers create indicator templates from which many indicators can be created.
Role required: compliance_admin or compliance_manager, risk_admin or risk_manager, audit_admin or
audit_manager
1. Navigate to one of the following locations:
• Policy and Compliance > Indicators > Indicator Templates.
• Risk > Indicators > Indicator Templates.
• Audit > Indicators > Indicator Templates.

2. Select New.
3. Fill in the fields on the form, as appropriate.

© 2018 ServiceNow. All rights reserved. 71

Jakarta ServiceNow Policy and Compliance Management

Table 25: Indicator template

Field Description

Name Name of the indicator.

Active Check box that determines whether the
indicator template is active.
Content The related policy or risk statement.
Schedule
Collection frequency Select the collection frequency for indicator
results. Indicator tasks and results are
generated automatically based on the
indicator schedule.
Next run time Read-only field that is automatically
populated with the next collection time for
indicator results.
Method
Type Results can be gathered manually using
task assignment or automatically using
basic filter conditions, Performance
Analytics, or a script.
• Manual
• Basic
• PA Indicator
• Script

Short Description If Type is Manual, this field is present. Brief

description of the issue.
Instructions If Type is Manual, this field is present.
Instructions for the collection of indicator
results.
Value Mandatory If Type is Manual, this field is present.
Passed/Failed If Type is Basic, this field is present.
Indicator passes or fails.
PA Threshold If Type is PA Indicator, this field is present.
The associated PA Threshold.
Script If Type is Script, this field is present. Script
that obtains the desired system information.
Supporting Data
Collect Supporting Data Check to gather supporting evidence from
other applications.

4. Click Submit.

© 2018 ServiceNow. All rights reserved. 72

Jakarta ServiceNow Policy and Compliance Management

Monitor controls using GRC Performance Analytics Indicators

You can link Policy and Compliance Management content and items to Performance Analytics indicators,
breakdowns and thresholds. You can associate Performance Analytics indicators with policy statements
and controls to view scorecards and trends and analyze current conditions and trends.
The risks and controls associated with a PA indicator or PA indicator/breakdown/element automatically
monitor any PA threshold with the same PA indicator or PA indicator, breakdown, or element relationship.
Any PA threshold breach is reported at the risk or control and Performance Analytics indicators relationship
level within a breach counter. See Performance Analytics.

PA threshold breach impact

When a risk or control and Performance Analytics indicators relationship breach counter is different than
zero (for example, a PA threshold with the same PA indicator or PA indicator, breakdown, or element
relationship has breached), and if no opened issue already exists, then an issue is created which is
associated to the risk or control. Additionally for risks, the Indicator failure factor represents the number
of risk and Performance Analytics indicators relationships with a breach counter different than zero.

© 2018 ServiceNow. All rights reserved. 73

Jakarta ServiceNow Policy and Compliance Management

Reset all PA Indicator breach counters

Reset breach counters associated to a risk or control by clicking Reset all PA Indicator breach counters
or opening the specific relationship and clicking Reset Breach Counter.

GRC PA indicator breach reports

There are two reports for the reporting of breaches:

• Risk PA Indicator Breaches
• Control PA Indicator Breaches

Activate GRC: Performance Analytics Integration

The GRC: Performance Analytics Integration plugin provides an integration between Performance
Analytics and the Risk Management and Policy and Compliance Management applications, providing more
insight into organizational risk and compliance performance.
Role required: admin
This plugin includes demo data and activates related plugins if they are not already active.
1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.
If the plugin depends on other plugins, these plugins are listed along with their activation status.
If the plugin has optional features that depend on other plugins, those plugins are listed under Some
files will not be loaded because these plugins are inactive. The optional features are not installed
until the listed plugins are installed (before or after the installation of the current plugin).
4. Optional: If available, select the Load demo data check box.
Some plugins include demo data—Sample records that are designed to illustrate plugin features for
common use cases. Loading demo data is a good practice when you first activate the plugin on a
development or test instance.
You can also load demo data after the plugin is activated by clicking the Load Demo Data Only
related link on the System Plugin form.
5. Click Activate.

After activating the GRC: Performance Analytics Integration plugin on an instance with customized related
lists on content (risk or policy statement) or items (risk or control), you may have to manually add the PA
Indicator to content relationships and/or the PA indicator to item relationships.

Associate a PA indicator with a risk statement or policy statement

You can associate Performance Analytics indicators with risk statements and policy statements to analyze
trends related to the risk or policy.
Role required: sn_risk.manager or sn_compliance.manager
1. Navigate to one of the following locations:
• Policy and Compliance > Policies and Procedures > Policy Statements.
• Risk > Risk Library > Risk Statements.

© 2018 ServiceNow. All rights reserved. 74

Jakarta ServiceNow Policy and Compliance Management

2. Open a risk statement or policy statement.

3. In the PA Indicators related list, click New.
4. Fill in the fields on the form, as appropriate.

Table 26: PA Indicators

Field Description

PA Indicator* The performance analytics indicator to

associate the Risk Statement or Policy
Statement with.

5. Click Submit.
On the risk statement or policy statement form, in the PA Indicators related list, you see the
associated indicator. You can optionally click View Indicator on the desired indicator to see the
indicator's Performance Analytics scorecard. The PA Indicator associations are carried over to all
risks or controls associated to the original risk statement or policy statement. Additionally, if the
indicator has a breakdown that matches the risk or control's profile (for example a Business Service
breakdown), the Breakdown and Element fields for the relationship are automatically filled in.

Associate a PA indicator with risks and controls

You can associate Performance Analytics indicators with risks and controls to analyze trends related to the
profile that risk or control belongs to.
Role required: sn_risk.manager or sn_compliance.manager
1. Navigate to one of the following locations:
• Policy and Compliance > Controls > All Controls.
• Risk > Risk Register > All Risks.

2. Open a risk or control.

3. In the PA Indicators related list, click New.
4. Fill in the fields on the form, as appropriate.

Table 27: PA Indicators

Field Description

PA Indicator* The performance analytics indicator to

associate the Risk or Control with.
Breakdown Select a breakdown to view a specific trend
based on the breakdown element.
Element Select the breakdown element to view a
particular trend and scorecard.

Note: This field is dependent on

the Breakdown field is populated.
When visible, it is mandatory.

5. Click Submit.

© 2018 ServiceNow. All rights reserved. 75

Jakarta ServiceNow Policy and Compliance Management

On the Risk or Control form, in the PA Indicators related list, you see the associated indicator.
You can optionally click View Indicator on the desired indicator to see the indicator's Performance
Analytics scorecard.

Update associated GRC indicators for a set of items

You can update all of the items belonging to a GRC content record so each item is individually related to
the PA indicator.
Role required: sn_risk.manager or sn_compliance.manager
1. Navigate to one of the following locations:
• Policy and Compliance > Policies and Procedures > Policy Statements.
• Risk > Risk Library > Risk Statements.

2. Open a Risk Statement or Policy Statement that has an associated Performance Analytics Indicator.
3. Click the Update PA Relationships related link.
All of the risks or controls related to the risk statement or policy statement are automatically associated
with all of the risk statement or policy statement's indicators. Additionally, if the indicator has a
breakdown that matches the risk or control's profile (for example a Business Service breakdown), the
Breakdown and Element fields for the relationship are automatically filled in.

Manage compliance issues and remediation

Issues can be created manually to document audit observations, remediations, or to accept any problems.
They are automatically generated from indicator results, attestation results, or control test effectiveness.
Various types of issues are created under the following conditions:
Issue Created when an indicator fails

Control issue Created when a control attestation is completed

indicating that the control is Not implemented

Control test issue Created when a control test is closed complete with
the control effectiveness set to Ineffective

Other issue Created by the user manually

Remediating an issue marks an intention to fix the underlying issue causing the control failure or risk
exposure. Accepting an issue marks an intention to create an exception for a known control failure or risk.
Controls that are Accepted remain in a non-compliant state until the control is reassessed. In this way, the
issue can be used to document observations during audits.

Create a GRC issue manually

Manually create issues to document audit observations, the intention of remediations, or to accept any
problems.
Role required: (per product)
• In GRC: compliance_admin, compliance_manager, or sn_compliance.user
• In Risk Management: risk_admin, risk_manager, or sn_risk.user

© 2018 ServiceNow. All rights reserved. 76

Jakarta ServiceNow Policy and Compliance Management

• In Audit Management: audit_admin, audit_manager, or audit_admin or sn_audit.user

1. Navigate to one of the following locations:

• Policy and Compliance > Issues > Create New.
• Risk > Issues > Create New.
• Audit > Issues > Create New.

2. Fill in the fields on the form, as appropriate.

Table 28: Issue

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.
State • New
• Analyze
• Respond
• Review
• Closed

Assignment group A group assigned to the issue.

Assigned to The user assigned to the issue.
Priority Priority for this issue:
• 1 - Critical
• 2 - High
• 3 - Moderate
• 4 - Low
• 5 - Planning

Short description Brief description of the issue.

© 2018 ServiceNow. All rights reserved. 77

Jakarta ServiceNow Risk Management

Field Description

Actual start date Time when work began on this issue

Actual end date Time when work on this issue was
completed.
Actual duration Amount of work time. Calculated using the
Actual state date and Actual end date.
Activity
Work notes Information about how to resolve the issue,
or steps already taken to resolve it, if
applicable. Work notes are visible to users
who are assigned to the issue.
Additional comments (Customer visible) Public information about the issue.
Engagement
Engagement The related engagement.

3. Click Submit.

Risk Management
The ServiceNow® Risk Management application provides a centralized process to identify, assess, respond
to, and continuously monitor Enterprise and IT risks that may negatively impact business operations. The
application also provides structured workflows for the management of risk assessments, risk indicators,
and risk issues.

Explore Set up Administer

• GRC Common Release Notes • Activate Risk Management on • Risk Management
• Upgrade to Jakarta page 80 Administration on page 92
• Configure Risk Management
on page 91

Use Develop Integrate

• Manage profile and risk • Developer training • Monitor risks using GRC
dependencies using the GRC • Developer documentation Performance Analytics
Workbench on page 120 • Components installed with Indicators on page 133
• Manage risks, risk statements, Risk Management on page
and risk frameworks on page 81
105

Troubleshoot and get help

• Ask or answer questions in the
GRC community
• Search the HI Knowledge
Base for known error articles

© 2018 ServiceNow. All rights reserved. 78

Jakarta ServiceNow Risk Management

• Contact ServiceNow Support

Understanding Risk Management

The Risk Management product provides a centralized process to identify, assess, respond to, and
continuously monitor Enterprise and IT risks that may negatively impact business operations. The
application also provides structured workflows for the management of risk assessments, risk indicators,
and risk issues.

Who uses Risk Management?

The complete risk process involves all areas of your organization working together.
• Audit committee
• IT steering committee
• Risk officers (conduct risk assessment and identify all that can go wrong in business)
• All levels of management (assist the risk officers with the identification of what can go wrong in their
processes)

Key activities for Risk Management

Once key roles are identified, work together to identify the following items:
• Determine what level of risk the organization is willing to accept? Get risk data in place and then
determine what is acceptable.
• Develop a risk management policy, through risk frameworks and risk statements.
• Develop risk assessment and response procedures.
• Implement controls to reduce your organization's exposure to risk. Repeat on a regular interval.
• Measure your risk exposure and improvements.

© 2018 ServiceNow. All rights reserved. 79

Jakarta ServiceNow Risk Management

Risk Management and the NowPlatform

Because the Risk Management application is built on the Now Platform, data and evidence is provided
back to Risk Management.

Activate Risk Management

The GRC: Risk Management (com.sn_risk) plugin is available as a separate subscription.
Role required: admin
This plugin includes demo data and activates related plugins if they are not already active.
1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.

© 2018 ServiceNow. All rights reserved. 80

Jakarta ServiceNow Risk Management

If the plugin depends on other plugins, these plugins are listed along with their activation status.
If the plugin has optional features that depend on other plugins, those plugins are listed under Some
files will not be loaded because these plugins are inactive. The optional features are not installed
until the listed plugins are installed (before or after the installation of the current plugin).
4. Optional: If available, select the Load demo data check box.
Some plugins include demo data—Sample records that are designed to illustrate plugin features for
common use cases. Loading demo data is a good practice when you first activate the plugin on a
development or test instance.
You can also load demo data after the plugin is activated by clicking the Load Demo Data Only
related link on the System Plugin form.
5. Click Activate.

Components installed with Risk Management

Activating the GRC: Risk Management (com.sn_risk) plugin adds or modifies several tables, user roles,
and other components.

Tables installed with Risk Management

GRC: Risk Management adds the following tables.

Table Description

Risk Extends Item table [sn_grc_item] and stores

specific risks associated with profiles
[sn_risk_risk]

Risk Criteria Stores risk criteria used to calculate risk scores

[sn_risk_criteria]

Risk Statement Extends Content table [sn_grc_content] and

stores definitions of risks.
[sn_risk_definition]

Risk Framework Extends Document table [sn_grc_document] and

stores all risk frameworks, a collection of risk
[sn_risk_framework]
statements
Risk Framework to Profile Type Extends Document to Profile Type table
[sn_grc_m2m_document_profile_type] and
[sn_risk_m2m_framework_profile_type]
is a many-to-many relationship table that is
used to manage the relationships between risk
frameworks and profile types
Risk to Control Stores many-to-many relationships between
risks and controls
[sn_risk_m2m_risk_control]

Profile Type to Risk Statement Extends Content to Profile Type table

[sn_grc_m2m_content_profile_type] and is a
[sn_risk_m2m_risk_definition_profile_type]
many-to-many relationship table that is used to
manage the relationships between profile types
and risk statements

© 2018 ServiceNow. All rights reserved. 81

Jakarta ServiceNow Risk Management

Table Description

Risk Relationship Stores many-to-many relationships between

risks
sn_risk_m2m_risk_risk

Risk Tasks Stores many-to-many relationships between

risks and tasks
[sn_risk_m2m_risk_task]

Note: All additional tables installed by the dependent plugins are also needed for GRC: Risk
Management.

Properties installed with Risk Management

GRC: Risk Management adds the following properties.

Name Description

States for which the risk is active (the first state • Type: string
is the default active state) • Default value: draft, assess, review, monitor
sn_risk.active_states • Location: Risk > Administration >
Properties

States for which risk is inactive (the first state is • Type: string
the default inactive state) • Default value: retired
sn_risk.closed_states • Location: Risk > Administration >
Properties

Name of the assessment metric type that is used • Type: string

for risk assessment • Default value: Risk Assessment
sn_risk.default_assessment • Location: Risk > Administration >
Properties

sn_risk.glide.script.block.client.globals • Type: true or false

• Default value: False
• Location: Risk > Administration >
Properties

Use qualitative impact scores as input • Type: true | false

sn_risk.qualitative_impact • Default value: false

Note: If upgrading from Geneva (or

earlier) or Helsinki (or later) and the
value was previously set to true, this
value is set to true after upgrading.
• Location: Risk > Administration >
Properties

© 2018 ServiceNow. All rights reserved. 82

Jakarta ServiceNow Risk Management

Name Description

Use qualitative likelihood scores as input • Type: true | false

sn_risk.qualitative_likelihood • Default value: false
• Location: Risk > Administration >
Properties

sn_risk.applies_to_tables

Roles installed with Risk Management

GRC: Risk Management adds the following roles.

Role title [name] Description Contains roles

Risk Admin Contains the reader, user, • sn_grc.reader

manager, and admin roles • sn_grc.user
[sn_risk.admin]
in sn_grc scopes, and the
• sn_grc.manager
reader, user, and manager
roles in theRisk Management • sn_grc.admin
application. In addition to the • sn_risk.reader
inherited permissions, the • sn_risk.user
risk admin can delete risk • sn_risk.manager
frameworks, risk statements,
and risks, and modify admin • Inherits the following roles
properties and risk criteria. if the GRC: Policy and
Compliance Management
plugin is activated.
• grc_audit_reader
• task_editor
• certification_admin
• grc_test_definition_admin
• grc_control_test_reader
• assessment_admin
• certification
• grc_compliance_reader
• certification_filter_admin
• grc_admin
• grc_user

© 2018 ServiceNow. All rights reserved. 83

Jakarta ServiceNow Risk Management

Role title [name] Description Contains roles

Risk Assessment Creator • sn_grc.reader

[sn_risk.asmt_creator] • sn_grc.user
• sn_grc.manager
• sn_risk.reader
• sn_risk.user

• Inherits the following roles

if the GRC: Policy and
Compliance Management
plugin is activated.
• grc_audit_reader
• task_editor
• certification_admin
• grc_test_definition_admin
• grc_control_test_reader
• assessment_admin
• certification
• grc_compliance_reader
• certification_filter_admin
• grc_user

Risk Manager Contains the reader, user, • sn_grc.reader

and manager roles in sn_grc • sn_grc.user
[sn_risk.manager]
scope, and the reader and user
• sn_grc.manager
roles in theRisk Management
application. In addition to the • sn_risk.reader
inherited permissions, the • sn_risk.user
risk manager can create risk
frameworks, risk statements, • Inherits the following roles
and risks. if the GRC: Policy and
Compliance Management
plugin is activated.
• grc_audit_reader
• task_editor
• certification_admin
• grc_test_definition_admin
• grc_control_test_reader
• assessment_admin
• certification
• grc_compliance_reader
• certification_filter_admin
• grc_user

© 2018 ServiceNow. All rights reserved. 84

Jakarta ServiceNow Risk Management

Role title [name] Description Contains roles

Risk Reader Contains the reader role in • sn_grc.reader

sn_grc scope. In addition to the
[sn_risk.reader]
inherited permissions, the risk
reader has read-only access
rights to the Risk application
and modules and can be
assigned risks.
Risk User Contains the reader and user • sn_grc.reader
roles in sn_grc scope, and • sn_grc.user
[sn_risk.user]
the reader role in the Risk
• sn_risk.reader
Management application.
In addition to the inherited
permissions, the risk user can • Inherits the following roles
view profile types, profiles, if the GRC: Policy and
risks, and remediation tasks. Compliance Management
The risk user can be assigned plugin is activated.
risks and has read-only access • grc_compliance_reader
to the Policy and Compliance • grc_user
Management application and • grc_audit_reader
modules.
• grc_control_test_reader
• task_editor

Client scripts installed with Risk Management

GRC: Risk Management adds the following client scripts.

Client script Table Description

Calculate Inherent ALE when Risk Calculate the inherent

ARO changes Annualized Loss Expectancy
[sn_risk_risk]
(ALE) when the inherent Annual
Rate of Occurrence (ARO)
changes.
Calculate Inherent ALE when Risk Calculate the inherent ALE
SLE changes when the inherent Single Loss
[sn_risk_risk]
Expectancy (SLE) changes.
Calculate Residual ALE when Risk Calculate Residual ALE when
ARO changes Residual ARO changes.
[sn_risk_risk]

Calculate Residual ALE when Risk Calculate Residual ALE when

SLE changes Residual SLE changes.
[sn_risk_risk]

Calculated ALE (Inherent ALE) Risk Updates the calculated ALE

when the inherent ALE changes
[sn_risk_risk]

Calculated ALE (Residual ALE) Risk Updates the calculated ALE

when the residual ALE changes
[sn_risk_risk]

© 2018 ServiceNow. All rights reserved. 85

Jakarta ServiceNow Risk Management

Client script Table Description

Hide risk to control related list Risk Hides the Risk to Control
related list when compliance is
[sn_risk_risk]
not installed
Send close form response to Risk
workbench
[sn_risk_risk]

Send submit event to Risk

workbench
[sn_risk_risk]

Set maximum value (currency Risk Criteria Updates the maximum value
max value) when the currency max value
[sn_risk_criteria]
field changes
Set maximum value Risk Criteria Updates the maximum value
(percentage max value) when the percentage max value
[sn_risk_criteria]
field changes
Show risk generation message Profile Type Display business rule that
shows a message indicating
sn_grc_profile_type
that risks are being generated
when risks are being created for
all the profiles in a profile type
Update Fields from Definition • Risk [sn_risk_risk] Updates various fields from the
• Risk [grc_risk] risk statement whenever the
risk statement field changes

Update Inherent Score (Inher Risk Updates the inherent score

Likelihood) when the inherent likelihood
[sn_risk_risk]
changes
Update Inherent Score Risk Updates the inherent score
(Inherent impact) when the inherent impact
[sn_risk_risk]
changes
Update Inherent Score Risk Updates the inherent score
(Likelihood) when the likelihood changes
[grc_risk]

Update Inherent Score Risk Updates the inherent score

(Significance) when the significance changes
[grc_risk]

Update Residual Score Risk Updates the residual score

(Likelihood) when the residual likelihood
[grc_risk]
changes
Update Residual Score (Resid Risk Updates the residual score
Likelihood) when the residual likelihood
[sn_risk_risk]
changes
Update Residual Score Risk Updates the residual score
(Residual impact) when the residual impact
[sn_risk_risk]
changes
Update Residual Score Risk Updates the residual score
(Significance) when the residual significance
[grc_risk]
changes

© 2018 ServiceNow. All rights reserved. 86

Jakarta ServiceNow Risk Management

Client script Table Description

Use qualitative impact • Risk [sn_risk_risk] Choose to show Inherent

• Risk Statement impact or inherent SLE based
[sn_risk_definition] on the qualtiative_impact
system property.

Use qualitative likelihood • Risk [sn_risk_risk] Choose to show Inherent

• Risk Statement impact or inherent SLE based
[sn_risk_definition] on the qualtiative_impact
system property.

Validate Default Inherent SLE Risk Statement Validates that the inherent SLE
is greater than or equal to the
[sn_risk_definition]
residual SLE when inherent
SLE changes
Validate Default Residual ARO Risk Statement Validates that the inherent ARO
is greater than or equal to the
[sn_risk_definition]
residual ARO when residual
ARO changes
Validate Inherent ARO • Risk [sn_risk_risk] Validates that the inherent ARO
• Risk Statement is greater than or equal to the
[sn_risk_definition] residual ARO when inherent
ARO changes

Validate Inherent impact • Risk [sn_risk_risk] Validates that the inherent

• Risk Statement impact is greater than or equal
[sn_risk_definition] to the residual impact when
inherent impact changes

Validate Inherent likelihood • Risk [sn_risk_risk] Validates that the inherent

• Risk Statement likelihood is greater than or
[sn_risk_definition] equal to the residual likelihood
when inherent likelihood
• Risk [grc_risk]
changes

Validate Inherent Residual SLE Risk Statement Validates that the inherent SLE
is greater than or equal to the
[sn_risk_definition]
residual SLE when residual
SLE changes
Validate Inherent significance Risk Validates that the inherent
significance is greater than
[grc_risk]
or equal to the residual
significance when inherent
significance changes
Validate Inherent SLE Risk Validates that the inherent SLE
is greater than or equal to the
[sn_risk_risk]
residual SLE when inherent
SLE changes
Validate Default Residual ARO Risk Statement
[sn_risk_definition]

© 2018 ServiceNow. All rights reserved. 87

Jakarta ServiceNow Risk Management

Client script Table Description

Validate Inherent ARO • Risk Statement

[sn_risk_definition]
• Risk [sn_risk_risk]

Validate Residual ARO Risk Validates that the inherent ARO

is greater than or equal to the
[sn_risk_risk]
residual ARO when residual
ARO changes
Validate Residual impact • Risk [sn_risk_risk] Validates that the inherent
• Risk Statement impact is greater than or equal
[sn_risk_definition] to the residual impact when
residual impact changes

Validate residual likelihood • Risk [sn_risk_risk] Validates that the inherent

• Risk Statement likelihood is greater than or
[sn_risk_definition] equal to the residual likelihood
when residual likelihood
• Risk [grc_risk]
changes

Validate Residual significance Risk Validates that the inherent

significance is greater than
[grc_risk]
or equal to the residual
significance when residual
significance changes
Validate Residual SLE Risk Validates that the inherent SLE
is greater than or equal to the
[sn_risk_risk]
residual SLE when residual
SLE changes

Script includes installed with Risk Management

GRC: Risk Management adds the following script includes.

Script include Description

RiskALECalculator Calculates Risk Annualized Loss Expectancy

(ALE) based on Single Loss Expectancy
(SLE) and Annual Rate of Occurrence (ARO)
selections.
RiskGeneratorStrategy Generates risks when relationships are created
between profile types, risk definitions, and risk
statements
RiskGeneratorStrategyBase
RiskMigrationUtils Utilities for migrating risks from grc_risk to
sn_risk_risk.
RiskUtils Editable script include that allows RiskUtilsBase
to be overridden without affecting the base code.
RiskUtilsAJAX Provides client-callable risk methods.

© 2018 ServiceNow. All rights reserved. 88

Jakarta ServiceNow Risk Management

Script include Description

RiskUtilsAJAXV2 Provides client-callable risk methods.

RiskUtilsBase Provides base risk utilities. This protected script
include cannot be edited.
RiskUtilsBaseV2 Risk utility base for Risk V2.
RiskUtilsV2 Risk utilities for Risk V2.

Business rules installed with Risk Management

GRC: Risk Management adds the following business rules.

Business rule Tables Description

Add processing document Risk Framework to Profile Type

[sn_risk_m2m_framework_profile_type]

Add processing statement Risk Statement to Profile Type

[sn_risk_m2m_risk_definition_profile_type]

Assign risks to profile Profile Allows the system to assign

risks to various profiles.
[sn_grc_profile]

Calculate qualitative scores Risk Calculates the inherent and

residual scores for the risk and
[sn_risk_risk]
updates the qualitative values.
Calculate Scores Risk Calculates the inherent,
residual, and calculated risk
[grc_risk]
score from the likelihood and
significance of a risk.
Calculated ALE Risk Sets the calculated score for
the risk.
[sn_risk_risk]

Cascade Changes Risk Statement Copies changes to the name,

description, and category fields
[sn_risk_definition]
from the risk statement to its
associated risks.
Create risk scratchpad Profile Type Sets a scratchpad field to
determine if risks are currently
[sn_grc_profile_type]
being created.
No item gen while generating • Risk Framework
profiles to Profile Type
[sn_risk_m2m_framework_profile_type]
• Risk Statement
to Profile Type
[sn_risk_m2m_risk_definition_profile_type]

© 2018 ServiceNow. All rights reserved. 89

Jakarta ServiceNow Risk Management

Business rule Tables Description

Populate SLE & ARO from Risk Populates the default values
definition from the risk statement into a
[sn_risk_risk]
risk when a risk is created.
Prevent adding inactive Risk Framework to Profile TypePrevents the association of an
framework inactive risk framework with any
[sn_risk_m2m_framework_profile_type]
profile type.
Prevent adding inactive risk Risk Statement to Profile Type Prevents the association of an
statement inactive risk statement with any
[sn_risk_m2m_risk_definition_profile_type]
profile type.
Prevent generation during Risk Framework to Profile Type
retirement
[sn_risk_m2m_framework_profile_type]

Prevent invalid risk relationship ?

[sn_risk_m2m_risk_risk]

Prevent item generation during Risk Statement to Profile Type

retiring
[sn_risk_m2m_risk_definition_profile_type]

Rollup Profile Scores • Profile [sn_grc_profile] Calculates inherent, residual,

• Risk [grc_risk] and calculated risk scores from
the likelihood and significance
of all risks associated with a
profile.
Scratchpad: Risk Scoring Risk Sets scratchpad fields to
determine if qualitative scoring
[sn_risk_risk]
is used for impact and likelihood
and whether the compliance
plugin is installed.
Scratchpad: Risk Statement Risk Statement Sets scratchpad fields to
Scoring determine if qualitative
[sn_risk_definition]
scoring is used for impact and
likelihood.
Set Content Risk Statement to Profile Type Sets the content field to be
equal to the risk statement in
[sn_risk_m2m_risk_definition_profile_type]
the many-to-many relationship.
Set document Risk Framework to Profile Type
[sn_risk_m2m_framework_profile_type]

Set maximum value Risk Criteria Updates the maximum value

whenever the currency or
[sn_risk_criteria]
percentage max values change.
Sync between content and Risk Synchronizes the content and
definition risk statement fields.
[sn_risk_risk]

© 2018 ServiceNow. All rights reserved. 90

Jakarta ServiceNow Risk Management

Business rule Tables Description

Sync qualitative fields • Risk Statement Synchronizes the qualitative

[sn_risk_definition] and quantitative scores
• Risk [sn_risk_risk] whenever risk impact, residual
impact, inherent SLE, residual
SLE, likelihood, residual
likelihood, inherent ARO, or
residual ARO change.
Update impact/likelihood Risk Criteria Updates the SLE, ARO, impact,
likelihood of all risk statements
[sn_risk_criteria]
and risks that are using the risk
criteria.
Update applies to when profile Risk Updates the ‘applies to’ field on
changes the risk form when the profile is
[grc_risk]
changed on the risk form.
Update risk control factor Risk to Control Updates the risk control failure
factor whenever a many-to-
[sn_risk_m2m_risk_control]
many relationship between
risks and controls is created,
updated, or deleted.
Validate inherent and residual Risk Statement Validates that the inherent
values impact, likelihood, SLE, and
[sn_risk_definition]
ARO are greater than or equal
to the corresponding residual
values.
Validate residual fields Risk Validates that the inherent
impact, likelihood, SLE, and
[sn_risk_risk]
ARO are greater than or equal
to the corresponding residual
values.
Workbench scratchpad Risk
[sn_risk_risk]

Configure Risk Management

Administrators in the global domain can set properties to determine how the system defines the Risk
Management application.
Role required: sn_risk.admin

Note: Administrators in domains lower than the global domain can view the Properties screen, but
cannot modify the settings.

1. Navigate to Risk > Administration > Properties.

2. Fill in the fields on the Risk Management Properties form. See Properties installed with Risk
Management on page 82 for property descriptions.
3. Click Save.

© 2018 ServiceNow. All rights reserved. 91

Jakarta ServiceNow Risk Management

Risk Management Administration

Using the Risk Management application, administrators can customize risk categories, risk criteria, risk
management properties, and risk assessment types.

Risk Criteria

Risk Criteria are the scoring values attributed to the likelihood that a risk will occur, and the impact to your
organization if the risk does occur.
Risk criteria thresholds define a high/likely or low/unlikely score as shown:

Table 29: Risk Criteria Thresholds

Likelihood Significance Scores

1 = Extremely Unlikely 1 = Very Low 0-5 = Very Low

2 = Unlikely 2 = Low 6-10 = Low
3 = Neutral 3 = Moderate 11-15 = Moderate
4 = Likely 4 = High 16-20 = High
5 = Extremely Likely 5 = Very High 21-25 = Very High

Table 30: Risk properties

Name Description

Maximum value for Significance Sets the maximum value (1-10) for significance
on the risk criteria table. Decimals cannot be
used, and are rounded if input.
Maximum value for Likelihood Sets the maximum value (1-10) for likelihood on
the risk criteria table. Decimals cannot be used,
and are rounded if input.
A list of tables that are available in the Applies If this field is blank, all tables are available on
to field on forms the various forms for Profile Types, Profiles,
and Risks. Defines a comma-separated list of
tables that are available in the Applies to field
on the Profile Type, Profile, and Risk form. Add
.extended after the table name to include all
extended tables.

Assessment Types

Risk managers can create a new set of questions for each risk assessment. See Create an assessment
type on page 118.

© 2018 ServiceNow. All rights reserved. 92

Jakarta ServiceNow Risk Management

Establish profile scoping for risks

What is Profile Scoping?

Profile scoping provides a way to allocate risks and controls at different levels. Profile scoping involves the
following elements:
Profile Classes Profile classes allow GRC managers to separate
profiles for better distinction. For example, Business
Service Profiles, Department Profiles, Business
Unit Profiles, and the like. Reports can be filtered
to define relationships between the different profile
classes. A profile class defines what a profile
actually is. Profiles can belong to many profile types
but a profile can have only one profile class (for
example, Business Service).

Profile classes can roll up to each other, leading to

the development of the dependency model. See
What is GRC dependency modeling and mapping?
on page 23

Profile Types Profiles types are dynamic categories containing

© 2018 ServiceNow. All rights reserved. 93

Jakarta ServiceNow Risk Management

which generate controls for every profile listed in the

profile type.

Profiles Profiles are the records that aggregate GRC

Who uses Profile Scoping?

Example of Profile Scoping

In this scoping example, the profile types contain the following profiles:

© 2018 ServiceNow. All rights reserved. 94

Jakarta ServiceNow Risk Management

• Global Office Locations

• Los Angeles Office
• New York Office
• Berlin Office

• North American Office Locations

• Los Angeles Office
• New York City Office

• European Union Office Locations

• Berlin Office

How do profiles relate to Risk Management?

Profile scoping provides a systematic assignment of policy statements to controls and maintains relational
and hierarchical connections between those controls. Profiles and profile types can be a many to many
relationship. Profile types are the high-level categories and profiles are the individual items that can be
associated to the profile type.

In this Policy and Compliance scoping example:

• policies and policy statements are assigned to profile types

© 2018 ServiceNow. All rights reserved. 95

Jakarta ServiceNow Risk Management

• controls are created based on the profiles and associated policy statements

© 2018 ServiceNow. All rights reserved. 96

Jakarta ServiceNow Risk Management

© 2018 ServiceNow. All rights reserved. 97

Jakarta ServiceNow Risk Management

What is GRC dependency modeling and mapping?

Figure 5: Dependency modeling and mapping

Dependency modeling

© 2018 ServiceNow. All rights reserved. 98

Jakarta ServiceNow Risk Management

Dependency mapping

© 2018 ServiceNow. All rights reserved. 99

Jakarta ServiceNow Risk Management

Create a profile class

2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 31: Authority Document

Field Value

Name Name of the profile class.

Roll up to Select dependencies to other profiles.
Useful for reporting how your lower-level
operational risks impact corporate-level
risks.

© 2018 ServiceNow. All rights reserved. 100

Jakarta ServiceNow Risk Management

Field Value

Is Root Select the check box to indicate that this is

the highest level class.

Note: Only one root class is

allowed and it cannot roll up to
another class.

4. Click Submit.

Create and edit a profile type

2. Do one of the following actions:

Option Description

To create a new profile type Click New.

To edit a profile type Open the profile type from the list.
3. Fill in the fields on the form, as appropriate.

Table 32: Profile type

Name Description

Name* The name of the profile type.

© 2018 ServiceNow. All rights reserved. 101

Jakarta ServiceNow Risk Management

Name Description

Default owner The field on the table specifying the person

The existing profile's class is updated under

Note: * indicates a mandatory field.

4. Click Submit.

Generate a profile from a profile type

2. Open a Profile Type record from the list.

3. Add or modify any conditions, as necessary.
Changing the Table, changes the number of records matching the condition.

© 2018 ServiceNow. All rights reserved. 102

Jakarta ServiceNow Risk Management

4. Assign the Owner field.

5. Click Update.
A profile is generated for every record that matches the filter condition.

Set a profile's class

2. Open the profile record from the list.

3. Set the class field to the desired class.
4. Click Update.

Assign profiles to classes

2. Open the profile record from the list.

3. Assign the Class.
4. Click Update.

© 2018 ServiceNow. All rights reserved. 103

Jakarta ServiceNow Risk Management

Relate profiles to each other

2. Open the profile record from the list.

3. Perform one of the following actions:
Option Description

The profiles displayed after clicking the Add button on the Upstream profiles or Downstream profiles
related lists are limited based on the current profile's class and the defined dependency model.

Note: If there are no eligible profiles which can be related to the current profile, then the Add
button is not displayed on the Upstream profiles or Downstream profiles related lists.

2. Open the profile record from the list.

• If the Active check box is selected, then the profile is active.
• If the Active check box is not selected, then the profile is inactive.

3. Click Update.
• All associated controls change to Retired state.
• All the indicators and test plans associated with the retired control are marked inactive.

© 2018 ServiceNow. All rights reserved. 104

Jakarta ServiceNow Risk Management

2. Open the profile record from the list.

Manage risks, risk statements, and risk frameworks

The risk library contains all risk frameworks and risk statements. Risk frameworks are used to group risk
statements into manageable categories, while risk statements group the individual risks. The risk register is
the central repository for all potential risks that could occur at anytime, anywhere in the organization.

Asses risks and develop risk statements

Assessing risk means identifying and analyzing the threats and vulnerabilities that could adversely affect
your organization’s business objectives. Risk is a function of the likelihood of a given threat exercising a
particular potential vulnerability, and the resulting impact of that adverse event on the organization. By
identifying your risks and the impact and likelihood of those risks occurring, your organization can prioritize
control testing and remediation activities. It also helps you understand the true business impact when a
control fails.
A good risk statement should answer:
• What could happen?
• How could it happen?
• Why do we care?

Create a risk framework and associate risk statements to it

Risk managers create risk frameworks to group risk statements into manageable categories.
Role required: sn_risk.manager
1. Navigate to Risk > Risk Library > Frameworks.
2. Click New.
3. Fill in the fields on the form, as appropriate.

© 2018 ServiceNow. All rights reserved. 105

Jakarta ServiceNow Risk Management

Table 33: Risk Framework

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.
Active Check box that determines whether the risk
framework is active.
Name* The name of the risk framework.
Description A description of the risk framework.
Additional information Additional information for this risk
framework.

4. Click Submit.
5. Select the risk framework from the list to reopen it.
6. In the Risk Statements related list, select Edit to add the risk statements to the risk framework.
7. Click Save.

Create a risk statement

Risk managers create risk statements to group risks into manageable categories.
Role required: sn_risk.manager
1. Navigate to Risk > Risk Library > Risk Statements.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Note: When any of the following statement fields changes: Name, Description, Reference,
Category, Type, Classification, and Attestation, all the associated controls and risks are
updated, and their state is set back to Draft.

Table 34: Risk Statement

Field Description

Name* The name of the risk statement.

Framework Select the framework this risk statement is
associated with.

© 2018 ServiceNow. All rights reserved. 106

Jakarta ServiceNow Risk Management

Field Description

Description A description of the risk statement.

Additional information Additional information for this risk statement.
Inherent impact Select a number indicating how much
impact the risk poses.
• 5 - Very High
• 4 - High
• 3 - Moderate
• 2 - Low
• 1 - Very Low

Inherent likelihood Select a number indicating the likelihood of

the identified risk occurring.
• 5 - Extremely Likely
• 4 - Likely
• 3 - Neutral
• 2 - Unlikely
• 1 - Extremely Unlikely

Residual impact Select a number indicating how much

impact the risk poses with all mitigation
strategies in place
• 5 - Very High
• 4 - High
• 3 - Moderate
• 2 - Low
• 1 - Very Low

© 2018 ServiceNow. All rights reserved. 107

Jakarta ServiceNow Risk Management

Field Description

Residual likelihood Select a number indicating the likelihood

of the identified risk occurring with all
mitigation strategies in place.
• 5 - Extremely Likely
• 4 - Likely
• 3 - Neutral
• 2 - Unlikely
• 1 - Extremely Unlikely

Note: Accurate default scoring selections are important for normalizing risk across the
organization.

4. Click Submit.

Associate a risk framework or risk statement with a profile type to generate

risks
Making associations between risk frameworks or risk statements and profile types automatically generates
risks.
Role required: sn_risk.admin and sn_risk.manager
1. Navigate to Risk > Scoping > Profile types.
2. Open the profile type record.
3. In the Risk Framework or Risk Statement related list, click Edit.
4. Select the risk frameworks or risk statements to associate to the profile, and click Save.
All risk frameworks (or risk statements) are associated to the profile type and a risk is created for every
risk statement against every profile in the profile type.

Generate a risk from a risk framework

Making associations with risk frameworks automatically creates risks.
Role required: sn_risk.admin and sn_risk.manager
1. Navigate to Risk > Risk Library > Risk Framework.
2. Open the risk framework record.
3. In the Profile Type related list, click Edit.
4. Select the profile types to associate to the risk framework, and click Save.
All risk statements are associated to the profile type and a risk is created for every risk statement
against every profile in the profile type.

Generate a risk from a risk statement

Making associations with risk statements automatically creates risks.
Role required: sn_risk.admin and sn_risk.manager
1. Navigate to Risk > Risk Library > Risk Statement.

© 2018 ServiceNow. All rights reserved. 108

Jakarta ServiceNow Risk Management

2. Open the risk statement record.

3. In the Profile Type Related List, click Edit.
4. Select the profile types to associate to the risk statement, and click Save.
One risk is generated for each profile in the profile type based on the risk statement.

Relate risks to each other

Create relationships between risks to better understand how risks affect each other and how they affect the
enterprise.
Role required: sn_risk.manager or sn_risk.admin
1. Navigate to Risk > Risk Register > All Risks.
2. Open a risk.
3. Perform one of the following actions:
Option Description

To specify that the current risk is downstream Click the Add button in the Upstream Risks
of another risk related list.
To specify that the current risk is upstream of Click the Add button in the Downstream Risks
another risk related list
4. Select the desired risks to relate to the current risk and click Create Relationship.
5. In the pop-up window, check all the desired risks to relate to the current risk, and click Create
Relationship.

Create a risk manually

Risk administrators can create risk records when they see a potential for a gain or loss of value.
Role required: sn_risk.admin and sn_risk.manager
1. Navigate to Risk > Risk Register > Create New.
2. Fill in the fields on the form, as appropriate.

Table 35: Risk

Field Description

Name Enter a name for the risk. Field is auto-

© 2018 ServiceNow. All rights reserved. 109

Jakarta ServiceNow Risk Management

Field Description

State The risk state is a read-only field. Possible

choices are:
• Draft In this state, all risk users
can modify the risk. Only available
when creating a one-off control.
One-off controls are possible but not
recommended.
• Attest When the risk is created from a
risk statement, controls are in this state.

Note: When a risk is set back

to draft, the assessment is
canceled.
• Review Risks are automatically moved
to review from the assessment phase.
• Monitor In this state, all risk managers
can move the risk from review to monitor.
• Retired Risk managers or administrators
can move a risk from Monitor to Retired.
Indicators do not run when the risk is in
this state.

Note: When a risk is retired, any

assessment associated with it is
canceled.

Owning group Select an owning group for the risk.

Category Choose a category of risk which applies to
the profile.
• Legal
• Financial
• Operational
• Reputational
• Legal/Regulatory
• Credit
• Market
• IT

Field is auto-populated if risk is generated

from a risk statement.
Owner Select an owner for the risk.

Note: The owner is always added

as a respondent.

Statement Select the statement this risk is associated

with.

© 2018 ServiceNow. All rights reserved. 110

Jakarta ServiceNow Risk Management

Field Description

Profile* Relate the risk to a specific profile.

Note: Only active profiles are

shown.

Description Describe the Risk and how it is a threat to

the organization.
Additional Information Include any details which will help others
understand the risk record.

Note: * indicates a mandatory field.

3. Click the Assessment tab.

4. Fill in the fields on the form, as appropriate.

Table 36: Risk Scoring

Field Description

Assessment The assessment to attach to this risk.

Assessment respondents Users assigned to the assessment of this
risk.

Note: Only a user with the

sn_grc.user role can be added as a
respondent.

When both the Assessment and Assessment respondents fields are set, assessments are created
when you click Assess.
5. Click the Scoring tab.
6. Fill in the fields on the form, as appropriate.

Table 37: Risk Scoring

Field Description

Inherent SLE Monetary value of a risk if it occurs before

© 2018 ServiceNow. All rights reserved. 111

Jakarta ServiceNow Risk Management

Field Description

Inherent ALE Annualized loss expectancy ALE = SLE x

ARO before any mitigation strategies are in
place.
Residual ALE Annualized loss expectancy ALE = SLE
x ARO after all mitigation strategies are in
place.
Inherent score The score of the risk before any mitigation
strategies are in place.
Residual score The score of the risk after all mitigation
strategies are in place.
Calculated ALE Annualized loss expectancy based off all
calculations.
Calculated score The corresponding score for the calculated
ALE.

7. Click the Response tab.

8. Fill in the fields on the form, as appropriate.

Table 38: Risk Response

Field Description

Response • Accept
• Avoid
• Mitigate
• Transfer

Justification Enter a reasonable justification for the

selected response

9. Click the Monitoring tab.

Note: The fields on the Risk Monitoring tab are read-only.

Table 39: Risk Monitoring

Field Description

Control compliance Percentage of compliant controls

Control non-compliance Percentage of non-compliant controls
Control failure factor Sum of failed controls weighting divided by
total controls weighting
Indicator failure factor Uses the last result of each associated
indicator. Number of last results failed
divided by total number of indicators
associated.

© 2018 ServiceNow. All rights reserved. 112

Jakarta ServiceNow Risk Management

Field Description

Calculated risk factor This value is calculated from (Indicator

failure factor + Control
failure factor) / 2.

10. Click the Activity Journal tab.

11. Enter additional comments, as necessary.
12. Click Submit.

Follow a risk
Connect integrates with Risk Management providing an overlay to the standard interface, allowing users to
participate in conversations while they work and collaborate on the risk record.
Role required: sn_risk.user
1. Navigate to Risk > Risk Register > All Risks.
2. Open the risk record from the list.
3. Click the Follow tab and perform one of the following actions:
Option Action

To add the Connect sidebar • Click Open Connect mini.

To add the Connect full-screen view • Click Open Connect Full.

Retire a risk
Role required: admin
1. Navigate to Risk > Risk Register > All Risks.
2. Open the risk record from the list.
3. Click Retirein the top-right corner of the form.

Add an indicator to a risk

When adding indicators to a risk, templates must be associated to the risk statements.
Role required: sn_risk.admin and sn_risk.manager
1. Navigate to Risk > Risk Register > All Risks.
2. Open the risk record from the list.
3. Continue with one of the following options.

© 2018 ServiceNow. All rights reserved. 113

Jakarta ServiceNow Risk Management

Option Description

Select an indicator from the indicator 1. In the Indicators related list, click Add.
templates
2. Select the indicator templates to associate to
the risk.
3. Click Save.

Add a new indicator 1. In the Indicators related list, click New.

2. Fill in the fields on the form, as appropriate.
3. Click Submit.

All indicators are associated to the risk.

Add a control to a risk

Controls are added to risks for the on-going review of processes.
Role required: sn_risk.admin and sn_risk.manager
1. Navigate to Risk > Risk Register > All Risks
2. Open the risk record from the list.
3. Continue with one of the following options.
Option Description

Add an existing control 1. In the Controls related list, click Add.

2. Select the controls that are associated with
the risk profile.
3. Click Add relationship.

Note: The controls displayed after

clicking the Add relationship button are
limited to controls that have the same
profile as the current risk. If there are no
eligible controls that can be related to the
risk, the Add button is not displayed on
the Controls related list.

Add a new control 1. In the Controls related list, click New.

2. Fill in the fields on the form, as appropriate.
3. Click Submit.

Assess a risk
Risks start in a Draft state then move to Assess, during which a notification is sent to the assessment
respondents.

© 2018 ServiceNow. All rights reserved. 114

Jakarta ServiceNow Risk Management

Role required: sn_grc.user

Risk assessments do not appear in the Self-Service > My assessments & surveys module, because
hundreds of GRC assessment records could be generated at once. Instead risk assessments are shown in
a separate list view.
1. Navigate to Risk > Risk Register > My Assessments.
2. Open the assessment and review the details.
Option Description

If you are unable to answer the questions 1. Reassign the assessment to another user in
the Assigned to field.
2. Click Update and close the record.

Note: Only a user with the sn_grc.user

role can be reassigned the assessment.

The list of assessments refreshes when you

reassign an assessment to another user.

If you are able to answer the questions 1. Click Take assessment.

2. Answer the questions and attach information,
as required.
3. Click Submit.

The list of assessments refreshes when you close

the Take Assessment pop-up window.

Risk assessments
Assessments are surveys that gather evidence to determine risk. Risks start in a Draft state then move to
Assess, which sends a notification to the Assessment respondents.
By default, GRC Assessment is used for risks and provides the following assessment questions:
• Is this control implemented?
• Attach evidence
• Explain

My Assessments is contained in the Risk Register module and contains active assessments for which
you are the respondent. The assessments appear in a list with a single assessments record per risk.
All Assessments is contained in the Risk Register module and contains all active assessments. The
assessments appear in a list with a single assessments record per risk.
Compliance managers can create a new set of questions for each policy statement.

Create a risk assessment using the Risk Assessment Designer

Use the Risk Assessment Designer to create and edit metric types, use different metric types for different
risks, select multiple respondents for a risk assessment, as well as change scoring parameters.
Role required: sn_risk.attest_creator, sn_risk.manager, sn_risk.administrator
1. Navigate to Risk > Administration > Assessment Types.
2. Click Risk Assessment Designer.

© 2018 ServiceNow. All rights reserved. 115

Jakarta ServiceNow Risk Management

The designer contains the following elements:

Element Description

Controls Controls for the supported question data

types are available in the Controls palette.
Drag a control onto the designer canvas to
create a question of that type.
Header bar The header bar contains tabs that display
different views and a menu of various
functions. The availability of each option
depends on the status of the assessment
that is opened in the designer.
Design canvas New assessment open in the Design view.
The assessment Name field appears above
the first category in the canvas. A blank
question field appears in the category
container.

3. Enter a name in the Name field.

4. Drag a control onto the designer canvas to create a question of that type.

Table 40: Question controls

Data type Description Scored

Attachment Question with a Manage Y

© 2018 ServiceNow. All rights reserved. 116

Jakarta ServiceNow Risk Management

Data type Description Scored

String Single or multi-line text field. N

Template Choice list of templates that Y
provide a predefined scale of
options.
Reference Choice list of fields from a
specified reference table.
This data type does not
support reference qualifiers.
Image Scale
Multiple Selection
Ranking

Note: Set the correct answer for the metric that you want to be scored. Scored metrics
determine the compliance status of the risk.

5. Click one of the following tabs to change the view in the canvas:
Option Description

Design Add categories and questions, and configure the

Note: The availability of each option depends on the status of the assessment that is opened
in the designer.

Option Description

Save Save the current assessment.

Preview Display a preview to the selected recipients.
Publish Distributes the assessment to the selected
recipients.
Save and Publish Saves and distributes the assessment in one
step.
New Attestation Opens a fresh canvas for a new assessment.
Load Attestation Opens a list of existing assessment that you can
select and edit.

Unlike other types of assessments, risk assessments do not appear in the Self-Service > My
assessments & surveys module, because hundreds of control attestations could be generated at

© 2018 ServiceNow. All rights reserved. 117

Jakarta ServiceNow Risk Management

once. Instead,risk assessments are shown as a list in the Risk > Risk Register > My Assessments
and Risk > Risk Register > All Assessments module.

Risk assessment designer

The risk assessment designer provides a single interface that users can use to create, edit, and distribute
assessment, as well as change scoring parameters.
All assessment records are stored in assessment tables and displayed in assessment views of those
tables.
The designer contains the following elements:

Table 41: Elements of the Assessment Designer

Element Description

Controls Controls for the supported question data types

are available in the Controls palette. Drag a
control onto the designer canvas to create a
question of that type.
Header bar The header bar contains tabs that display
different views and a menu of various functions.
The availability of each option depends on the
status of the assessment that is opened in the
designer.
Design canvas New assessments open in the Design view. The
assessment Name field appears above the first
category in the canvas. A blank question field
appears in the category container.

Create an assessment type

The risk manager can create a new set of questions for each risk assessment.
Role required: sn_risk.asmt_creator or sn_risk.manager or sn_risk.administrator
1. Navigate to Risk > Administration > Assessment Types.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 42: Assessment Metric Type

Field Description

Name The name of the assessment type.

Assessment duration Amount of time assessors have to complete
their assigned questionnaires, starting from
the time the assessment is generated.

© 2018 ServiceNow. All rights reserved. 118

Jakarta ServiceNow Risk Management

Field Description

Table [Required] Table that contains the records

you want to evaluate. The system creates
assessable records for records on this table
that meet the conditions you specify, if any.
The number of matching records appears
as a link by the Condition field. The link
dynamically updates if you change the table
selection. Click the link to open the list of
matching records in a new tab or window.

Note: Additional roles are required

to view the records on certain
tables. If you select a table that you
do not have access to, a warning
message appears by the Condition
field where the number of matching
records would be. You cannot
generate assessable records for
tables you do not have sufficient
roles for.

Scale factor [Required] Number to represent the best

possible score for assessment results. All
results for assessments of this type are
scaled to this number. 10 is generally a
good scale factor.

Note: This field becomes read-

only when it contains a value and
you save the metric type. Choose
a scale factor you are satisfied with
before you save the metric type.

Condition Condition builder that defines specific

records to assess from the selected table.
If you do not specify any conditions, the
system creates assessable records for all
records on the selected table. Click the
refresh icon to update the adjacent record
count.

Note: If you change the table or

conditions, you must click Generate
Assessable Records to create new
assessable records.

Description Helpful information about this type. Enter a

clear description of the type and its purpose.
State [Read-Only] Status of the assessment: Draft
or Published.

© 2018 ServiceNow. All rights reserved. 119

Jakarta ServiceNow Risk Management

Field Description

Enforce condition Check box that determines what happens

to assessable records when you change the
selected table or conditions.
Roles Additional user roles that can view the
results and access records associated with
this type. Users with the specified roles have
read access to this type record as well as to
associated categories, metrics, assessable
records and scorecards, category users,
stakeholders, and decision matrices.

Note: Users with these roles do

not have access to Assessments
modules unless they are also
assessment administrators. Users
with these roles can navigate to the
records by other means, such as
from reference fields on assessment
instances. This field provides the
option to easily grant certain users
access to specific assessment data
in special cases. For example, the
Vendor metric type provides access
to users with the vendor_manager
role so they can view results and
compare assessable records when
they open scorecards or decision
matrices in the Vendor Performance
application.

4. Click Submit.

Manage profile and risk dependencies using the GRC Workbench

The GRC Workbench utilizes CMBD information to show the upstream and downstream relationships
across all applications. These relationships enable consistent risk mapping and modeling across the
enterprise. The GRC Workbench does not work with Legacy GRC.
The GRC Manager [sn_grc.manager] uses the GRC Workbench to:
• Create profile classes
• Define the upstream/downstream relationships between profile classes. These relationships make up
the dependency model and they help ensure that risks are defined and evaluated consistently across
the enterprise.
• Create profile types, create profiles, and classify profiles
• Create relationships between profiles, which makes up the dependency map.

Note: The GRC Manager cannot view the GRC Workbench from Risk > GRC Workbench. The
GRC Manager [sn_grc.manager] enters /$grc_workbench.do after their instance name in the url
to access the GRC Workbench.

© 2018 ServiceNow. All rights reserved. 120

Jakarta ServiceNow Risk Management

The Risk Manager [sn_risk.manager] uses the GRC Workbench to:

• perform all the same tasks as the GRC Manager
• Create Risk frameworks, risk statement,s and risks
• define risk relationships

Model Setup Tab

The Model Setup tab contains links to perform the following tasks.

Link Action

Dependency Model Create profile classes and develop the

organizational relationship model
Profile Types Create and edit profile types
Dependency Map Create and visualize profile relationships

Risk Dependencies tab

The Risk Dependencies tab contains links to perform the following tasks.

Link Action

Risk Frameworks Create and edit risk frameworks

Risk Statements Create and edit risk statements
Relationships Create and visualize risk relationships

Activate GRC Workbench

The GRC: Workbench plugin is not activated by default, it is available as a separate subscription within the
GRC Suite.
Role required: admin
To create profile classes, profile dependencies, and risk dependencies using the GRC Workbench, activate
the GRC: Risk Management plugin [com.sn_risk] and the GRC: Profiles plugin [com.sn_grc].
This plugin includes demo data and activates related plugins if they are not already active.
1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.
If the plugin depends on other plugins, these plugins are listed along with their activation status.
If the plugin has optional features that depend on other plugins, those plugins are listed under Some
files will not be loaded because these plugins are inactive. The optional features are not installed
until the listed plugins are installed (before or after the installation of the current plugin).
4. Optional: If available, select the Load demo data check box.
Some plugins include demo data—Sample records that are designed to illustrate plugin features for
common use cases. Loading demo data is a good practice when you first activate the plugin on a
development or test instance.

© 2018 ServiceNow. All rights reserved. 121

Jakarta ServiceNow Risk Management

You can also load demo data after the plugin is activated by clicking the Load Demo Data Only
related link on the System Plugin form.
5. Click Activate.

Create profile class using the GRC workbench

GRC managers create profile classes representing the types of things that will be part of the dependency
model. Reports can be filtered to define relationships between the different profile classes. A profile class
defines what a profile actually is. It differs from a profile type (for example, Business Services and Critical
Business Services), in that a profile can belong to many profile types but a profile can have only one profile
class (for example, Business Service).
Role required: sn_grc_manager
1. Navigate to https://myCompany.service-now.com/$grc_workbench.do.
2. On the left, in the Profile classes section, click Add Class.
3. Enter a profile class name and click the plus (+) icon
The newly created profile class is added to the list on the left.

Create relationships between profile classes using the GRC workbench on page 122.

Create relationships between profile classes using the GRC workbench

Managers create relationships between profile classes using the GRC workbench to build out the
dependency map and better understand how profiles relate to one another.
Role required: sn_grc.manager
Create profile class using the GRC workbench on page 122, before creating relationships between profile
classes.
Profile classes can roll up to each other, leading to the development of the dependency model.

Figure 6: Profile classes dependency model

1. Navigate to https://myCompany.service-now.com/$grc_workbench.do.

© 2018 ServiceNow. All rights reserved. 122

Jakarta ServiceNow Risk Management

2. Select the Model Setup tab at the top, and select the Dependency Model tab below.
3. If needed, create profile classes.
4. Do one of the following actions:
Option Description

If there are no relationships between profile Drag a profile class from the left to the center and
classes drop it.
If there are relationships between profile Drag additional profile classes from the list on the
classes left and drop them on the top or bottom of any
profile class in the tree.

Note: Dragging to the top of a profile

class makes the target profile class roll
up to the class that is dropped. Dragging
to the bottom of a profile class makes the
class that is being dropped roll up to the
target class.

Note: As long as you remain on the GRC workbench, click Undo after creating a relationship
between profile classes to roll back the change. Leaving the GRC Workbench causes the undo
history to be lost.

After modeling out profiles, define the risks in your organization:

• Generate a risk from a risk framework on page 108
• Generate a risk from a risk statement on page 108
• Associate a risk framework or risk statement with a profile type to generate risks on page 108

After generating risks, Relate risks to each other on page 109.

Visualize and edit profile dependencies using the GRC Workbench

The GRC Workbench gives GRC administrators a graphical interface to create profile dependencies.
These relationships enable consistent profile and risk mapping and modeling across the enterprise.
Role required: sn_grc.manager
1. Navigate to https://myCompany.service-now.com/$grc_workbench.do.
2. Select the Model Setup tab at the top, then select the Dependency tab below it.
3. Search for and select a profile from the list on the left.
Profiles are organized hierarchically by profile class, then by profile types.
4. After selecting a profile from the left, the profile is displayed in the center with its direct upstream and
downstream dependencies.
On the right, eligible profiles that can be added as upstream or downstream dependencies are listed.
5. Perform one of the following actions:
Option Description

To add an upstream profile dependency Drag an eligible upstream profile from the list of
eligible profiles on the right and drop it on the top
half of the profile in the center of the page.

© 2018 ServiceNow. All rights reserved. 123

Jakarta ServiceNow Risk Management

Option Description

To add a downstream profile dependency Drag an eligible downstream profile from the list
of eligible profiles on the right and drop it on the
bottom half of the profile in the center of the page.

The profiles are removed from the right menu when moved to the center of the page.

Delete profile dependencies using the GRC Workbench

When deleting profile dependencies, only the relationship between the profiles is deleted. The profiles
themselves remain unmodified.
Role required: admin
1. Navigate to https://myCompany.service-now.com/$grc_workbench.do.
2. Select the Model Setup tab at the top, then select the Dependency Map tab below it.
3. Search for and select the desired profile from the list on the left.
After selecting a profile from the left, the profile is displayed in the center with its direct upstream and
downstream dependencies.
4. In the center tree, point to the upstream or downstream risk that should be disassociated from the
selected center risk. As you point to the risk, a delete icon appears, click the delete icon.
5. Click Delete in the confirmation dialog to confirm the deletion of the relationship.

Note: Only the relationship between the profiles is deleted. The profiles themselves remain
unmodified.

Delete a profile class using the GRC workbench

Deleting a profile class, deletes all of the relationships below it.
Role required: admin
1. Navigate to https://myCompany.service-now.com/$grc_workbench.do.
2. Select the Model Setup tab at the top, and select the Dependency Model tab below.
3. Select the desired profile class from the list on the left.
After selecting a profile from the left, the profile is displayed in the center with its direct upstream and
downstream dependencies.
4. Click the delete icon to the right of the profile class name.
5. In the deletion confirmation popup, click Delete.
Deleting the profile class deletes all of the relationships below it.

Create a risk using the GRC Workbench

Risk managers can create risks directly from the GRC workbench.
Role required: sn._risk.admin or sn.risk.manager
1. Navigate to https://myCompany.service-now.com/$grc_workbench.do.
2. Select the Risk Dependencies tab at the top, then select the Relationships tab below it.
3. On the left, in the Risks section, click Create Risk.
4. Fill in the fields on the form, as appropriate.

© 2018 ServiceNow. All rights reserved. 124

Jakarta ServiceNow Risk Management

Table 43: Risk

Field Description

Name Enter a name for the risk. Field is auto-

populated if the risk is generated from a
risk statement, but can be changed without
affecting the relationship between the risk
and risk statement.
Number Read-only field that is automatically
populated with a unique identification
number.
State The risk state is a read-only field. Possible
choices are:
• Draft In this state, all risk users
can modify the risk. Only available
when creating a one-off control.
One-off controls are possible but not
recommended.
• Attest When the risk is created from a
risk statement, controls are in this state.

Note: When a risk is set back

Note: When a risk is retired, any

assessment associated with it is
canceled.

Owning group Select an owning group for the risk.

© 2018 ServiceNow. All rights reserved. 125

Jakarta ServiceNow Risk Management

Field Description

Field is auto-populated if risk is generated

from a risk statement.
Owner Select an owner for the risk.

Note: The owner is always added

as a respondent.

Statement Select the statement this risk is associated

with.
Profile* Relate the risk to a specific profile.

Note: Only active profiles are

shown.

Description Describe the Risk and how it is a threat to

the organization.
Additional Information Include any details which will help others
understand the risk record.

Note: * indicates a mandatory field.

5. Click the Assessment tab.

6. Fill in the fields on the form, as appropriate.

Table 44: Risk Scoring

Field Description

Assessment The assessment to attach to this risk.

Assessment respondents Users assigned to the assessment of this
risk.

Note: Only a user with the

sn_grc.user role can be added as a
respondent.

© 2018 ServiceNow. All rights reserved. 126

Jakarta ServiceNow Risk Management

When both the Assessment and Assessment respondents fields are set, assessments are created
when you click Assess.
7. Click the Scoring tab.
8. Fill in the fields on the form, as appropriate.

Table 45: Risk Scoring

Field Description

Inherent SLE Monetary value of a risk if it occurs before

any mitigation strategies are in place.
Residual SLE Monetary value of a risk if it occurs after all
mitigation strategies are in place.
Inherent ARO Probability that a risk will occur in any given
year before any mitigation strategies are in
place.
Residual ARO Probability that a risk will occur in any given
year after all mitigation strategies are in
place.
Inherent ALE Annualized loss expectancy ALE = SLE x
ARO before any mitigation strategies are in
place.
Residual ALE Annualized loss expectancy ALE = SLE
x ARO after all mitigation strategies are in
place.
Inherent score The score of the risk before any mitigation
strategies are in place.
Residual score The score of the risk after all mitigation
strategies are in place.
Calculated ALE Annualized loss expectancy based off all
calculations.
Calculated score The corresponding score for the calculated
ALE.

9. Click the Response tab.

10. Fill in the fields on the form, as appropriate.

Table 46: Risk Response

Field Description

Response • Accept
• Avoid
• Mitigate
• Transfer

© 2018 ServiceNow. All rights reserved. 127

Jakarta ServiceNow Risk Management

Field Description

Justification Enter a reasonable justification for the

selected response

11. Click the Monitoring tab.

Note: The fields on the Risk Monitoring tab are read-only.

Table 47: Risk Monitoring

Field Description

Control compliance Percentage of compliant controls

12. Click the Activity Journal tab.

13. Enter additional comments, as necessary.
14. Click Submit.
The risk is created and centered in the middle of the page. Additionally, the risk is selected on the
right.

Visualize and edit risk dependencies using the GRC Workbench

The GRC Workbench gives GRC administrators a graphical interface to create risk dependencies. These
relationships enable consistent profile and risk mapping and modeling across the enterprise.
Role required: sn_risk.manager
1. Navigate to https://myCompany.service-now.com/$grc_workbench.do.
2. Select the Risk Dependencies tab at the top, then select the Relationships tab below it.
3. Search for and select a risk from the list on the left.
Risks are organized hierarchically by profile class, then by profile.
4. After selecting a risk from the left, the risk is displayed in the center with its direct upstream and
downstream dependencies.
On the right, eligible risks that can be added as upstream or downstream dependencies are listed.
5. Perform one of the following actions:
Option Description

To add an upstream risk dependency Drag an eligible upstream risk from the list of
eligible risks on the right and drop it on the top
half of the risk in the center of the page.

© 2018 ServiceNow. All rights reserved. 128

Jakarta ServiceNow Risk Management

Option Description

To add a downstream risk dependency Drag an eligible downstream risk from the list
of eligible risks on the right and drop it on the
bottom half of the risk in the center of the page.

Delete risk dependencies using the GRC Workbench

When deleting risk dependencies, only the relationship between the risks is deleted. The risks themselves
remain unmodified.
Role required: sn_risk.manager
1. Navigate to https://myCompany.service-now.com/$grc_workbench.do.
2. Select the Risk Dependencies tab at the top, then select the Relationships tab below it.
3. Search for and select a risk from the list on the left.
Risks are organized hierarchically by profile class, then by profile.
4. In the center tree, point to the upstream or downstream risk that should be disassociated from the
selected center risk. As you point to the risk, a delete icon appears, click the delete icon.
5. Click Delete in the confirmation dialog to confirm the deletion of the relationship.

Note: Only the relationship between the risks is deleted. The risks themselves remain
unmodified.

Manage risk indicators

Continuous monitoring involves activities related to identifying and creating key risk and control indicators.
Supporting information can be collected for those indicators through automatic data collection or manual
tasks. Indicator results are then used to create issues for controls, update risk scores, and provide
supporting information for audit activities and control testings.

Indicators Indicators collect data to monitor controls and risks,

and collect audit evidence. Indicators monitor a
single control or risk.
Indicator templates Indicator templates allow the creation of multiple
indicators for similar controls or risks.

View the Risk Overview

The Risk Overview is contained in the Risk Management application and provides an executive view,
allowing risk managers to quickly identify areas of concern by pinpointing profiles with known high risk.
The Risk overview contains the following reports in the base system.

Table 48: Risk Overview

Name Visual Description

Inherent Risk
Residual Risk

© 2018 ServiceNow. All rights reserved. 129

Jakarta ServiceNow Risk Management

Name Visual Description

Inherent Annual Loss

Exposures
Residual Annual Loss
Exposures
Risk Issues by Framework
(Opened Date)
Risks by Response
Risk Expectations
Profile Drop down list Select one or many profiles to
view and compare their risks.
GRC - Risk States Check boxes Select one or many risk states
to view and compare.
Risks by Category
Very High Risk Single Score Displays the number of very
high risks.
High Risk Single Score Displays the number of high
risks.
Moderate Risk Single Score Displays the number of
moderate risks.
Low Risk Single Score Displays the number of low
risks.
Very Low Risk Single Score Displays the number of very low
risks.
Inherent Risk Heatmap
Residual Risk Heatmap

Create a risk indicator

Indicator data for controls, risk, and audit evidence are measured differently depending on the GRC-related
application.
Role required: risk_admin or risk_manager
1. Navigate to Risk > Indicators > Indicators
2. Select New.
3. Fill in the fields on the form, as appropriate.

Table 49: Indicator

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.

© 2018 ServiceNow. All rights reserved. 130

Jakarta ServiceNow Risk Management

Field Description

Active Check box that determines whether the

indicator is active.
Name Name of the indicator.
Item The related control or risk.
Template The related indicator template.
Applies to The profile related to the Item.
Owner The indicator owner.
Owning group The group that owns the indicator.
Override Template Click to override the indicator template
associated to this indicator
Last result passed Read-only field indicating whether last result
passed.
Schedule
Collection frequency Select the collection frequency for indicator
results. Indicator tasks and results are
generated automatically based on the
indicator schedule.
Next run time Read-only field that is automatically
populated with the next collection time for
indicator results.
Method
Type Results can be gathered manually using
task assignment or automatically using
basic filter conditions, Performance
Analytics, or a script.
• Manual
• Basic
• Script

Short Description If Type is Manual, this field is present. Brief

© 2018 ServiceNow. All rights reserved. 131

Jakarta ServiceNow Risk Management

Field Description

Table Use supporting data to gather supporting

evidence from other applications.
Supporting data fields Supporting data fields based on the selected
table.

4. Click Submit.

Create a GRC indicator template

2. Select New.
3. Fill in the fields on the form, as appropriate.

Table 50: Indicator template

Field Description

Name Name of the indicator.

© 2018 ServiceNow. All rights reserved. 132

Jakarta ServiceNow Risk Management

Field Description

Type Results can be gathered manually using

task assignment or automatically using
basic filter conditions, Performance
Analytics, or a script.
• Manual
• Basic
• PA Indicator
• Script

Short Description If Type is Manual, this field is present. Brief

description of the issue.
Instructions If Type is Manual, this field is present.
Instructions for the collection of indicator
results.
Value Mandatory If Type is Manual, this field is present.
Passed/Failed If Type is Basic, this field is present.
Indicator passes or fails.
PA Threshold If Type is PA Indicator, this field is present.
The associated PA Threshold.
Script If Type is Script, this field is present. Script
that obtains the desired system information.
Supporting Data
Collect Supporting Data Check to gather supporting evidence from
other applications.

4. Click Submit.

Monitor risks using GRC Performance Analytics Indicators

You can link Risk Management risk statement and risks to Performance Analytics indicators, breakdowns
and thresholds. You can associate Performance Analytics indicators with risk statements, and risks to view
scorecards and trends and analyze current conditions and trends.
The risks and controls associated with a PA indicator or PA indicator/breakdown/element automatically
monitor any PA threshold with the same PA indicator or PA indicator, breakdown, or element relationship.
Any PA threshold breach is reported at the risk or control and Performance Analytics indicators relationship
level within a breach counter. See Performance Analytics.

PA threshold breach impact

© 2018 ServiceNow. All rights reserved. 133

Jakarta ServiceNow Risk Management

Reset all PA Indicator breach counters

Reset breach counters associated to a risk or control by clicking Reset all PA Indicator breach counters
or opening the specific relationship and clicking Reset Breach Counter.

GRC PA indicator breach reports

There are two reports for the reporting of breaches:

• Risk PA Indicator Breaches
• Control PA Indicator Breaches

Activate GRC: Performance Analytics Integration

Associate a PA indicator with a risk statement or policy statement

2. Open a risk statement or policy statement.

© 2018 ServiceNow. All rights reserved. 134

Jakarta ServiceNow Risk Management

3. In the PA Indicators related list, click New.

4. Fill in the fields on the form, as appropriate.

Table 51: PA Indicators

Field Description

PA Indicator* The performance analytics indicator to

associate the Risk Statement or Policy
Statement with.

Associate a PA indicator with risks and controls

2. Open a risk or control.

3. In the PA Indicators related list, click New.
4. Fill in the fields on the form, as appropriate.

Table 52: PA Indicators

Field Description

PA Indicator* The performance analytics indicator to

Note: This field is dependent on

the Breakdown field is populated.
When visible, it is mandatory.

5. Click Submit.

© 2018 ServiceNow. All rights reserved. 135

Jakarta ServiceNow Risk Management

Update associated GRC indicators for a set of items

Manage risk issues and remediation

Control issue Created when a control attestation is completed

indicating that the control is Not implemented

Control test issue Created when a control test is closed complete with
the control effectiveness set to Ineffective

Other issue Created by the user manually

Create a GRC issue manually

1. Navigate to one of the following locations:

© 2018 ServiceNow. All rights reserved. 136

Jakarta ServiceNow Risk Management

• Policy and Compliance > Issues > Create New.

• Risk > Issues > Create New.
• Audit > Issues > Create New.

2. Fill in the fields on the form, as appropriate.

Table 53: Issue

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.
State • New
• Analyze
• Respond
• Review
• Closed

Assignment group A group assigned to the issue.

Assigned to The user assigned to the issue.
Priority Priority for this issue:
• 1 - Critical
• 2 - High
• 3 - Moderate
• 4 - Low
• 5 - Planning

Short description Brief description of the issue.

Details
Profile The related profile.
Item The related control or risk.
Description A more detailed explanation of the issue.
Recommendation The recommended action to resolve this
issue.
Dates
Planned start date Date and time that work on the issue is
expected to begin.
Planned end date Date and time that work on the issue is
expected to end.
Planned duration Estimated amount of work time. Calculated
using the Planned state date and Planned
end date.
Actual start date Time when work began on this issue

© 2018 ServiceNow. All rights reserved. 137

Jakarta ServiceNow Audit Management

Field Description

Actual end date Time when work on this issue was

completed.
Actual duration Amount of work time. Calculated using the
Actual state date and Actual end date.
Activity
Work notes Information about how to resolve the issue,
or steps already taken to resolve it, if
applicable. Work notes are visible to users
who are assigned to the issue.
Additional comments (Customer visible) Public information about the issue.
Engagement
Engagement The related engagement.

3. Click Submit.

Audit Management
The ServiceNow® Audit Management application involves a set of activities related to planning audit
engagements, executing engagements, and reporting findings to the audit committee and executive board.
Engagement reporting assures key stakeholders that the organization's risk and compliance management
strategy is effective.
The GRC: Audit Management product allows users to schedule internal audits, conduct resource planning,
scope engagements, conduct audit activities, review continuous monitoring results, and report findings.

Explore Set up Administer

• GRC Common Release notes • Activate Audit Management on • Engagement Overview on
• Upgrade to Jakarta page 140 page 173

Use Develop
• Establish profile types, profile • Developer training
classes, and profiles on page • Developer documentation
149 • Components installed with
• Use the Audit Engagement Audit Management on page
Workbench to visually manage 141
engagements on page 171
• Manage test templates and
test plans on page 157

Troubleshoot and get help

• Ask or answer questions in the
GRC community
• Search the HI Knowledge
Base for known error articles

© 2018 ServiceNow. All rights reserved. 138

Jakarta ServiceNow Audit Management

• Contact ServiceNow Support

Understanding Audit Management

The Audit Management automates the work streams of internal audit teams, optimizing resources and
productivity, and eliminating recurring audit findings. Audit Management uses compliance and risk data to
scope, plan, and prioritize audit engagements. The on-going review of policies and procedures, risks, and
control breakdowns provide an opportunity for fixing issues before they become audit failures.

Who uses Audit Management?

Auditors (an independent body, typically reporting to the board of directors)

Key activities for Audit Management

Auditors are responsible for the following:
• Review policies and procedures
• Review risks
• Review control design
• Review control test design
• Review control test results
• Test controls
• Issue observations

© 2018 ServiceNow. All rights reserved. 139

Jakarta ServiceNow Audit Management

Audit Management and the ServiceNow platform

Activate Audit Management

The GRC: Audit Management (com.sn_audit) plugin is available as a separate subscription.
Role required: admin
This plugin includes demo data and activates related plugins if they are not already active.
1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.
If the plugin depends on other plugins, these plugins are listed along with their activation status.

© 2018 ServiceNow. All rights reserved. 140

Jakarta ServiceNow Audit Management

Components installed with Audit Management

Activating the GRC: Audit Management (com.sn_audit) plugin adds or modifies several tables, user roles,
and other components.

Tables installed with Audit Management

GRC: Audit Management adds the following tables.

Table Description

Activity Extends Audit Task [sn_audit_task] and stores

audit activities
[sn_audit_activity]

Audit Task Extends Planned Task [planned_task] and is

a generic table for all tasks associated with an
[sn_audit_task]
audit
Base Audit Test Base table for Test Templates and Test Plans
[sn_audit_base_test]

Control Test Extends Audit Task [sn_audit_task] and stores

control tests
[sn_audit_control_test]

Control to Engagement Stores many-to-many relationships between

controls and engagements
[sn_audit_m2m_control_engagement]

Engagement Extends Planned Task [planned_task] and

stores engagements
[sn_audit_engagement]

Interview Extends Audit Task [sn_audit_task] and stores

interviews
[sn_audit_interview]

Profile to Engagement Stores many-to-many relationships between

profiles and engagements
[sn_audit_m2m_profile_engagement]

Risk to Engagement Stores many-to-many relationships between

risks and engagements
[sn_audit_m2m_risk_engagement]

© 2018 ServiceNow. All rights reserved. 141

Jakarta ServiceNow Audit Management

Table Description

Test Plan Extends Base Audit Test [sn_audit_base_test]

and stores test plans
[sn_audit_test_plan]

Test plan to Engagement Stores many-to-many relationships between test

plans and engagements
[sn_audit_m2m_test_plan_engagement]

Test Template Extends Base Audit Test [sn_audit_base_test]

and stores test templates
[sn_audit_test_template]

Walkthrough Extends Audit Task [sn_audit_task] and stores

walkthroughs
[sn_audit_walkthrough]

Note: All additional tables installed by the dependent plugins are also needed for GRC: Audit
Management.

Properties installed with Audit Management

GRC: Audit Management adds the following properties.

Name Description

? • Type: true or false

sn_audit.glide.script.block.client.globals • Default value: false

Name of the knowledge base used to publish • Type: string

Audit reports • Default value: Audit
sn_audit.knowledge_base

Roles installed with Audit Management

GRC: Audit Management adds the following roles.

Role title [name] Description Contains roles

Audit User In addition to the inherited • sn_grc.reader

permissions, the audit user • sn_grc.user
[sn_audit.user]
can be assigned audit tasks
and create test templates and
test plans. The audit user has
read-only access to the Risk
Management application and
modules and the Policy and
Compliance Management
application and modules.

© 2018 ServiceNow. All rights reserved. 142

Jakarta ServiceNow Audit Management

Role title [name] Description Contains roles

Audit Manager In addition to the inherited • sn_grc.reader

permissions, the audit manager • sn_grc.user
[sn_audit.manager]
can create authority documents,
• sn_grc.manager
citations, policies, policy
statements, and controls. • sn_audit.user

Audit Admin In addition to the inherited • sn_grc.reader

permissions, the audit admin • sn_grc.user
[sn_audit.admin]
can delete engagements, audit
• sn_grc.manager
tasks, test templates, and test
plans. • sn_grc.admin
• sn_audit.user
• sn_audit.manager

Audit Developer In addition to the inherited • sn_grc.reader

permissions, the audit • sn_grc.user
[sn_audit.developer]
developer can add and delete
• sn_grc.manager
audit report templates.
• sn_grc.admin
• sn_audit.user
• sn_audit.manager
• sn_audit.admin

External Auditor External auditors can be

assigned as auditors for an
[sn_audit.external_auditor]
engagement and can be
assigned to audit tasks. They
can view closed engagements,
audit tasks that are assigned to
them, and closed audit tasks.
If the Policy and Compliance
Management plugin or Risk
Management plugins are
installed, they can also view
published policies and controls
and risks in the Monitor state.

Client scripts installed with Audit Management

GRC: Audit Management adds the following client scripts.

Client script Table Description

Design effectiveness update Control Test Updates the control

effectiveness when the design
[sn_audit_control_test]
effectiveness changes.
Hide related list based on active Engagement If the Policy and Compliance
plugin Management or Risk
[sn_audit_engagement]
Management plugins are not
installed, hides certain Related
Lists.

© 2018 ServiceNow. All rights reserved. 143

Jakarta ServiceNow Audit Management

Client script Table Description

Operation effectiveness update Control Test Updates the control

effectiveness when the
[sn_audit_control_test]
operation effectiveness
changes.
Populate fields when Test Plan Control Test Updates the expectations
changes and assessment procedures
[sn_audit_control_test]
whenever the test plan field is
updated.
Populate fields from template Test Plan Certain fields on the test plan
are populated from fields on the
[sn_audit_test_plan]
test template.
Populate planned end on Engagement Populates the planned end date
duration change if the planned start is populated
[sn_audit_engagement]
and the duration changes.
Populate planned end on effort Audit Task Populates the planned end
change date when the planned duration
[sn_audit_task]
changes.
Populate planned end on start Audit Task Populates the planned end
change when the planned start date
[sn_audit_task]
changes.
Populate planned end on start Engagement Populates the planned end date
changed based on the planned start and
[sn_audit_engagement]
planned duration.
Set Control Effectiveness Control Test Sets the control effectiveness
to none when a control test is
[sn_audit_control_test]
closed as incomplete.
Show annotation message in Engagement Shows the annotation message
engagement in the workbench before
[sn_audit_engagement]
validating the engagement.
Update style and listen for Engagement
events
[sn_audit_engagement]

Update style and listen to evts Engagement

(bottom)
[sn_audit_engagement]

Validate actual end date Audit Task Validates that the actual end
date is after the actual start
[sn_audit_task]
date, and the actual end is
on or before the engagement
actual end.
Validate actual end date Engagement Validates that the actual end
date is after the actual start
[sn_audit_engagement]
date.
Validate actual start date Engagement Validates that the actual start
date is before the actual end
[sn_audit_engagement]
date.

© 2018 ServiceNow. All rights reserved. 144

Jakarta ServiceNow Audit Management

Client script Table Description

Validate actual start date Audit Task Validates that the actual start
date is before the actual end
[sn_audit_task]
date, and the actual start is
after the actual start of the
engagement.
Validate audit end date Engagement Validates that the audit end
date is after the audit start date.
[sn_audit_engagement]

Validate audit start date Engagement If the engagement is populated,

validates that the audit start
[sn_audit_engagement]
date is before the audit end
date.
Validate planned start date Audit Task Validates that the planned start
date is greater than or equal to
[sn_audit_task]
the planned start date.
Workbench event listener Engagement Refreshes the Profiles Related
List for the workbench.
[sn_audit_engagement]

Workbench onSubmit events Engagement

[sn_audit_engagement]

Script includes installed with Audit Management

GRC: Audit Management adds the following script includes.

Script include Description

AuditAjax AJAX functions for Audit Engagement and

Control Test forms.
AuditRollupUtils Utilities for rolling up data from audit tasks to
engagement.
AuditRollupUtilsBase Base utilities for rolling up data from audit tasks
to engagement
AuditUtils Utility functions in the Audit.
AuditUtiilsBase Base audit utilities
AuditWorkbenchAjaxService Ajax utility responsible for fetching data required
to draw the Audit Workbench.
AuditWorkbenchUtils Utilities for the audit workbench and timeline.
AuditWorkbenchUtilsBase Base utilities for use with the audit workbench
and timeline.
GRCI18nUtils Utilities for internationalizing GRC Workbench.

Business rules installed with Audit Management

GRC: Audit Management adds the following business rules.

© 2018 ServiceNow. All rights reserved. 145

Jakarta ServiceNow Audit Management

Business rule Tables Description

Add control to engagement Control Automatically relates a control

to all engagements that are in
[sn_compliance_control]
the validate or fieldwork states
and associate with the control
profile
Add risk to engagement Risk Automatically relates a risk to
all engagements that are in the
[sn_risk_risk]
validate or fieldwork states and
associate with the risk profile
Add test plan to engagement Test Plan Automatically relates a test plan
to all engagements that are in
[sn_audit_test_plan]
the validate or fieldwork states
and associate with the test plan
profile
Allow only one default Report Template
[sn_audit_report_template]

Associate records when Engagement Associates all risks, controls,

validated and test plans associated with
[sn_audit_engagement]
the profile when a profile is
associated with an engagement
in the Validate or Fieldwork
states
Associate to engagement after Profile to Engagement Associates all risks, controls,
scoped and test plans associated with
[sn_audit_m2m_profile_engagement]
an engagement scoped profiles
when the engagement moves
from the Scope state to the
Validate state
Audit task assignee changed Audit Task
[sn_audit_task]

Auto-approve if no approvers Engagement If the Approvers field is

empty, automatically moves
[sn_audit_engagement]
an engagement from Awaiting
Approval to Follow Up
Auto-close if no issues or tasks Engagement If there are no open issues
or tasks associated with the
[sn_audit_engagement]
engagement, automatically
moves an engagement from the
Follow Up state to the Closed
state
Cancel assignee change Audit Task
workflow
[sn_audit_task]

Check close incomplete Control Test If a control test is Closed

Incomplete, set the Control
[sn_audit_control_test]
effectiveness field to none

© 2018 ServiceNow. All rights reserved. 146

Jakarta ServiceNow Audit Management

Business rule Tables Description

Close Engagement • Audit Task [sn_audit_task] If there are no longer any

• Issue [sn_grc_issue] open audit tasks or issues,
automatically closes an
engagement in Follow up
Control Effectiveness Control Test Updates the control
effectiveness based on
[sn_audit_control_test]
changes to the design or
operation effectiveness
Copy profiles from previous Engagement
engagement
[sn_audit_engagement]

Create issue if test ineffective, Control Test If a control test is closed as

closed ineffective, create an issue
[sn_audit_control_test]

Disassociate records upon Profile to Engagement Disassociates risks, controls,

deletion and test plans when a
[sn_audit_m2m_profile_engagement]
relationship between a profile
and engagement is removed
Populate fields when Test plan Control Test Updates the expectations,
changes assessment procedures,
[sn_audit_control_test]
duration, and control whenever
a control test of a test plan
changes
Prevent duplicate association Profile to Engagement Prevents duplicate many-to-
many relationships between
[sn_audit_m2m_profile_engagement]
profiles and engagements
Populate plan from selected Test Plan
template
[sn_audit_test_plan]

Prevent duplicate association Profile to Engagement

[sn_audit_m2m_profile_engagement]

Prevent picking retired control • Control Test Prevents creating a control test
[sn_audit_control_test] or test plan against a retired
• Test Plan control
[sn_audit_test_plan]

Run approval workflow Engagement Runs the approval workflow for

engagements
[sn_audit_engagement]

Scratchpad to check active Engagement Sets scratchpad variables

plugin based on whether GRC: Risk
[sn_audit_engagement]
Management, GRC: Policy and
Compliance Management, and
GRC: Profiles are installed
Set actual end date Audit Task
[sn_audit_task]

© 2018 ServiceNow. All rights reserved. 147

Jakarta ServiceNow Audit Management

Business rule Tables Description

Set actual start date Audit Task

[sn_audit_task]

Set percent complete to 100 if Engagement If the engagement is Closed

no task Complete or Closed
[sn_audit_engagement]
Incomplete with no tasks, set
the percent complete of an
engagement to 100
Set popup scratchpad Engagement Sets scratchpad variables used
to display dialogs
[sn_audit_engagement]

Set workbench display Engagement Set scratchpad variables used

scratchpad in the Engagement view
[sn_audit_engagement]

Start Control Test approval Control Test Runs the approval workflow for
workflow control tests
[sn_audit_control_test]

Update engagement when top Audit Task

task changes
[sn_audit_task]

Update parent task percent Audit Task Updates the parent task
complete Percent complete when a child
[sn_audit_task]
task is closed
Update planned end date • Audit Task [sn_audit_task] Updates the End date of
• Engagement an engagement or audit
[sn_audit_engagement] task whenever the Duration
changes

Validate start and end dates • Audit Task [sn_audit_task] Validates that the planned
• Engagement start is before the planned
[sn_audit_engagement] end and that the actual start is
before the actual end, and that
the audit period start is before
the audit period end
Validate task date with Audit Task Validates that the planned
engagement date start and planned end date of
[sn_audit_task]
an audit task are within the time
defined by the engagement
planned start and planned
end date. Similar validation is
done for the actual work start
and actual work end

Create an audit report template

Audit developers manage the audit report templates.
Role required: sn_audit.developer
1. Navigate to Audit > Administration > Audit Report Templates.

© 2018 ServiceNow. All rights reserved. 148

Jakarta ServiceNow Audit Management

2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 54: Authority Document

Field Value

Name Name of the audit report template.

Type • Script
• HTML
• XML

Is default Check box to indicate that this template

is used as the default template for all KB
articles.
Script The script code. This field is dependent on
the Type field.
HTML The HTML code. This field is dependent on
the Type field.
XML The XML code. This field is dependent on
the Type field.

4. Click Submit.

Establish profile types, profile classes, and profiles

The Scoping module contains profiles and profile types for use in all GRC-related applications. They can
be created for any record on any table. Only one profile can exist for a record. That profile, however, can
belong to many profile types. Profile types and profiles are used differently depending on the application.
• Policy and compliance managers use profile types and profiles to create a system of internal controls
and monitor compliance.
• Risk managers use profile types and profiles to monitor risk exposure and perform risk assessments.

What is GRC dependency modeling and mapping?

© 2018 ServiceNow. All rights reserved. 149

Jakarta ServiceNow Audit Management

Figure 7: Dependency modeling and mapping

Dependency modeling

© 2018 ServiceNow. All rights reserved. 150

Jakarta ServiceNow Audit Management

Dependency mapping

© 2018 ServiceNow. All rights reserved. 151

Jakarta ServiceNow Audit Management

Create a profile class

2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 55: Authority Document

Field Value

Name Name of the profile class.

Roll up to Select dependencies to other profiles.
Useful for reporting how your lower-level
operational risks impact corporate-level
risks.

© 2018 ServiceNow. All rights reserved. 152

Jakarta ServiceNow Audit Management

Field Value

Is Root Select the check box to indicate that this is

the highest level class.

Note: Only one root class is

allowed and it cannot roll up to
another class.

4. Click Submit.

Create and edit a profile type

2. Do one of the following actions:

Option Description

To create a new profile type Click New.

To edit a profile type Open the profile type from the list.
3. Fill in the fields on the form, as appropriate.

Table 56: Profile type

Name Description

Name* The name of the profile type.

© 2018 ServiceNow. All rights reserved. 153

Jakarta ServiceNow Audit Management

Name Description

Default owner The field on the table specifying the person

The existing profile's class is updated under

Note: * indicates a mandatory field.

4. Click Submit.

Generate a profile from a profile type

2. Open a Profile Type record from the list.

3. Add or modify any conditions, as necessary.
Changing the Table, changes the number of records matching the condition.

© 2018 ServiceNow. All rights reserved. 154

Jakarta ServiceNow Audit Management

4. Assign the Owner field.

5. Click Update.
A profile is generated for every record that matches the filter condition.

Set a profile's class

2. Open the profile record from the list.

3. Set the class field to the desired class.
4. Click Update.

Assign profiles to classes

2. Open the profile record from the list.

3. Assign the Class.
4. Click Update.

© 2018 ServiceNow. All rights reserved. 155

Jakarta ServiceNow Audit Management

Relate profiles to each other

2. Open the profile record from the list.

3. Perform one of the following actions:
Option Description

The profiles displayed after clicking the Add button on the Upstream profiles or Downstream profiles
related lists are limited based on the current profile's class and the defined dependency model.

Note: If there are no eligible profiles which can be related to the current profile, then the Add
button is not displayed on the Upstream profiles or Downstream profiles related lists.

2. Open the profile record from the list.

• If the Active check box is selected, then the profile is active.
• If the Active check box is not selected, then the profile is inactive.

3. Click Update.
• All associated controls change to Retired state.
• All the indicators and test plans associated with the retired control are marked inactive.

© 2018 ServiceNow. All rights reserved. 156

Jakarta ServiceNow Audit Management

2. Open the profile record from the list.

Manage test templates and test plans

An audit engagement may include control testing activities during which controls are evaluated for design
and operational effectiveness.

Test Templates and Test Plans

To conduct control testing, before an engagement starts, audit managers create test plans for the relevant
controls. Audit managers can use test templates to create multiple test plans for similar controls at one
time.
During the Validate state of an audit engagement, the test plans that are associated with the controls in
the engagement's scope are automatically associated with the engagement. Audit managers can generate
control tests from those associated test plans and create individual control tests as needed.

Create a test template

Test templates allow audit managers to quickly create many test plans using much of the same testing
criteria.
Role required: sn_audit.admin, sn_audit.manager, or sn_audit.user
1. Navigate to Audit > Audit Testing > Test Templates.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 57: Test template form

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.

© 2018 ServiceNow. All rights reserved. 157

Jakarta ServiceNow Audit Management

Field Description

Duration Duration of the test.

Short description A brief and general description of the test
template.
Design Test*
Design expectations Expectations of how a control is designed.
Design assessment procedures Document how to assess if a control is
designed effectively.
Operation Test*
Operation expectations Expectations of how a control operates.
Operation assessment procedures Document how to assess if a control is
operating effectively

4. Click Submit.

Relate a test template to a policy statement

Audit owners can create generic control test templates for a policy statement, avoiding the creation of
individual control test plans for every control.
Role required: sn_audit.admin or sn_audit.manager
1. Navigate to Audit > Audit Testing > Test Templates.
2. Open the test template record.
3. Select a policy statement and click Update.

Create a test plan

Test plans can be created from scratch or based on test templates and describe how a feature is to be
tested.
Role required: admin
1. Navigate to Audit > Audit Testing > Test Plans.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 58: Test template form

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.

© 2018 ServiceNow. All rights reserved. 158

Jakarta ServiceNow Audit Management

Field Description

Control The control that this test plan covers.

Note: This field is only visible

when the Policy and Compliance
Management plugin is activated.

Duration The expected duration of the test.

Test Template The related test template.
Short description A brief and general description of the test
plan.
Design Test*
Design expectations Expectations of how a control is designed.
Design assessment procedures Document how to assess if a control is
designed effectively.
Operation Test*
Operation expectations Expectations of how a control operates.
Operation assessment procedures Document how to assess if a control is
operating effectively.

4. Click Submit.

Create multiple test plans from a test template

If GRC: Policy and Compliance Management is installed, a test template can be used to create test plans
for all of the controls associated with the test plan’s policy statement.
Role required: sn_audit.manager or sn_audit.admin
1. Navigate to Audit > Audit Testing > Test Templates.
2. Select the test template from which to generate test plans.
3. Click the Create Test Plans for All Controls related link.

Note: This link is only visible if there are controls associated with the test plan's policy
statement that have not yet had a test plan generated from the current test template.

Manage engagements
The audit engagement process involves creating, planning, scoping, and conducting engagements as well
as reporting on engagement findings.

Engagement process

The base system audit engagement process includes steps for scoping, validating, conducting, and
approving engagement results. It also contains steps for following up on open audit tasks and issues, and
finally closing out the audit engagement.

Jakarta ServiceNow Audit Management

Table 59: States of the engagement process

State Description

Scope During the Scope state, audit managers define

which profiles will be involved in the audit
engagement. For example, for a financial audit,
one may include all business services that the
finance department relies on and the finance
department itself.
See Add profiles to an engagement scope on
page 170.

Validate After an engagement has moved to the

Validate state, all of the risks, controls, and
test plans associated with the profiles in the
engagement's scope will be associated with
the audit. Indicator results that were collected
during the engagement's audit period will also
be associated with the audit. Audit managers
can review the risks, controls, test plans, and
indicator results, and update the engagement's
scope, if necessary. Audit managers can also
begin creating and planning audit tasks for the
engagement.
To move an engagement into the Validate state,
click Validate on any engagement currently in
the Scope state.

Fieldwork Auditors complete their assigned audit tasks

during the Fieldwork state. These tasks include
control testing, interviews, walkthroughs,
and other activities. Issues that are found
during control testing are associated with the
engagement. Auditors can also create general
issues associated with the engagement. Audit
managers can create additional audit tasks as
needed. When the audit is done, audit managers
specify the result of the engagement, whether
it's satisfactory, adequate or inadequate, and
provide details on their opinion.
To move an engagement into the Fieldwork
state, click Advance to Fieldwork on any
engagement currently in the Validate state.
See Audit task management on page 161.

Jakarta ServiceNow Audit Management

State Description

Awaiting Approval During the "Awaiting Approval" state, the

approvers specified in the engagement's
Approvers field review the results of the audit
tasks conducted and the issues that were
created. After reviewing the results of the
engagements, approvers approve or reject the
engagement.
To move an engagement into the Awaiting
Approval state, click Request approval on any
engagement currently in the Fieldwork state.
See Approve or reject an engagement on page
170.

Follow Up After an engagement has been approved,

if there are any remaining open tasks or
issues associated with the engagement, the
engagement automatically goes into the Follow
Up state. During this stage, auditors most close
out all remaining issues and tasks before the
engagement will be marked as complete.
Closed Engagements move into the "Closed" state
under one of three conditions:
• The engagement is closed as incomplete
during the Scope, Validate, or Fieldwork
states.
• There are no open audit tasks or issues after
the engagement is approved. In this case,
the engagement automatically moves from
the Awaiting Approval state to the Closed
state.
• All of the follow up issues and tasks are
closed out. In this case, the engagement
automatically moves from the Follow Up
state to the Closed state.

Audit task management

Audit tasks are completed throughout an engagement and provide documented evidence that the
organization is complying with external regulations and internal policies.
When audit tasks are created or reassigned, a notification is sent to the assigned user. A notification is also
sent when the task reaches 75% of its planned duration.

Create an engagement
Audit managers create engagements to manage audit information and collect profiles, controls, and control
tests that are relevant to the audit.

Jakarta ServiceNow Audit Management

Role required: sn_audit.admin or sn_audit.manager

1. Navigate to Audit > Engagements > Create New.
2. Fill in the fields on the form, as appropriate.

Table 60: Engagement form

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.
State • New
• Analyze
• Respond
• Review
• Closed

Name The name of the engagement.

Percent complete Read-only field that is automatically
populated with a number representing the
percentage of the engagement that has
been completed.
Assigned to The user assigned to the engagement.
Auditors The auditors assigned to the engagement.
Audit period start Date that work on the engagement is
expected to begin.
Approvers The approvers assigned to the engagement.
Audit period end Date that work on the engagement is
expected to end.
Description A general description of the engagement.
Objectives The stated objectives of the engagement.
Schedule
Planned start date The intended date the activity should begin.
Planned end date The intended date the activity should end.
Planned duration The expected duration of this activity. As
with actual duration, the planned duration
shows total activity time and takes the
activity schedule into consideration.
Actual start date The date that this activity actually began.
Actual end date The date that this activity actually ended.
Actual duration The actual duration of the project from
project start to project closure.
Results

Jakarta ServiceNow Audit Management

Field Description

Result • Satisfactory
• Adequate
• Inadequate

Opinion Justification for the selected result.

Report
Report template The template to be used to generate
the knowledge base article reporting the
engagement results.
KB article The most recently generated knowledge
base article containing the engagement
results
Activity Journal
Additional comments Customer-viewable comments.
Work notes Comments that are viewable by the admin,
audit manager.

3. Click Submit.

Create an engagement from a previous engagement

Audit managers can create engagements from previous engagements to reduce the need to redefine the
scope, auditors, and approvers for similar engagements that are conducted throughout the year.
Role required: sn_audit.admin or sn_audit.manager
1. Navigate to Audit > Engagement > All Engagements.
2. If necessary, clear the search filter criteria.
3. Open the engagement to copy from.
4. Right-click the header of the engagement and click Copy Engagement.

Create a control test from an engagement

After defining a control, audit managers create control tests that run periodically and provide documented
evidence of whether the associated control is operating correctly.
Role required: sn_audit.admin and sn_audit.manager
1. Navigate to Audit > Engagements > All Engagements.
2. Open the engagement for the audit task you want to create.
Assign audit tasks to engagement in one of the following states:
• Validate
• Fieldwork
• Awaiting approval

3. In the Audit Tasks Related List, click New.

4. In the Audit Tasks Interceptor, click Control Test.

Jakarta ServiceNow Audit Management

5. Fill in the fields on the form, as appropriate.

Table 61: Control test form

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.
State • Open
• Work in Progress
• Review
• Closed Complete
• Closed Incomplete
• Closed Skipped

Parent The parent audit task.

Control effectiveness The effectiveness of the control.
Assigned to The user assigned to this control test.
Issue The issue related to this control test.
Test plan The test plan associated with this control
test.
Short description A brief and general description of the control
test.
Schedule
Planned start date The intended date the control test should
begin.
Planned end date The intended date the control test should
end.
Planned duration The expected duration of this control test.
As with actual duration, the planned duration
shows total activity time and takes the
control test schedule into consideration.
Actual start date The date that this control test actually
began.
Actual end date The date that this control test actually
ended.
Actual duration The actual duration of the control test from
control test start to control test closure.
Design Test
Design effectiveness • Effective
• Ineffective

Design expectations

Jakarta ServiceNow Audit Management

Field Description

Design assessment procedures

Design results
Operation Test
Operation effectiveness • Effective
• Ineffective

Operation expectations
Operation assessment procedures
Operation results
Activity Journal
Work notes Comments that are viewable by the audit
manager and audit manager.
Additional comments Customer-viewable comments.

6. Click Submit.

Create an activity
After defining a control, audit managers create activities that explore and provide documented evidence of
whether the associated control is operating correctly.
Role required: sn_audit.admin and sn_audit.manager
1. Navigate to Audit > Engagements > All Engagements.
2. Open the engagement for the audit task you want to create.
Assign audit tasks to engagement in one of the following states:
• Validate
• Fieldwork
• Awaiting approval

3. In the Audit Tasks Related List, click New.

4. In the Audit Tasks Interceptor, click Activity.
5. Fill in the fields on the form, as appropriate.

Table 62: Activity form

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.

Jakarta ServiceNow Audit Management

Field Description

State • Open
• Work in Progress
• Review
• Closed Complete
• Closed Incomplete
• Closed Skipped

Parent The parent audit task.

Assigned to The user assigned to this activity.
Short description A brief and general description of the
activity.
Description A more detailed explanation of the activity.
Schedule
Planned start date The intended date the activity should begin.
Planned end date The intended date the activity should end.
Planned duration The expected duration of this activity. As
with actual duration, the planned duration
shows total activity time and takes the
activity schedule into consideration.
Actual start date The date that this activity actually began.
Actual end date The date that this activity actually ended.
Actual duration The actual duration of the project from
project start to project closure.
Activity
Additional comments Customer-viewable comments.
Work notes Comments that are viewable by the audit
manager and audit manager.

6. Click Submit.

Create an interview
After defining a control, audit managers create interviews with control owners to discuss and provide
documented evidence of whether the associated control is operating correctly.
Role required: sn_audit.admin and sn_audit.manager
1. Navigate to Audit > Engagements > All Engagements.
2. Open the engagement for the audit task you want to create.
Assign audit tasks to engagement in one of the following states:
• Validate
• Fieldwork
• Awaiting approval

Jakarta ServiceNow Audit Management

3. In the Audit Tasks Related List, click New.

4. In the Audit Tasks Interceptor, click Interview.
5. Fill in the fields on the form, as appropriate.

Table 63: Interview form

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.
State • Open
• Work in Progress
• Review
• Closed Complete
• Closed Incomplete
• Closed Skipped

Parent The parent audit task.

Assigned to The user assigned to this interview.
Short description A brief and general description of the
interview.
Description A more detailed explanation of the interview.
Schedule
Planned start date The intended date the interview should
begin.
Planned end date The intended date the interview should end.
Planned duration The expected duration of this interview. As
with actual duration, the planned duration
shows total activity time and takes the
interview schedule into consideration.
Actual start date The date that this interview actually began.
Actual end date The date that this interview actually ended.
Actual duration The actual duration of the interview from
interview start to interview end.
Assignment
Primary Contact The user to contact for this interview.
Other Contacts Other users to contact for this interview, if
the primary contact is unavailable.
Notes Additional notes about the interview
contacts.
Activity
Additional comments Customer-viewable comments.

Jakarta ServiceNow Audit Management

Field Description

Work notes Comments that are viewable by the audit

administrator and audit manager.

Create a walkthrough
After defining a control, audit managers create walk throughs that will be conducted to observe and provide
documented evidence of whether the associated control is operating correctly.
Role required: sn_audit.admin and sn_audit.manager
1. Navigate to Audit > Engagements > All Engagements.
2. Open the engagement for the audit task you want to create.
Assign audit tasks to engagement in one of the following states:
• Validate
• Fieldwork
• Awaiting approval

3. In the Audit Tasks Related List, click New.

4. In the Audit Tasks Interceptor, click Walkthrough.
5. Fill in the fields on the form, as appropriate.

Table 64: Walkthrough form

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.
State • Open
• Work in Progress
• Review
• Closed Complete
• Closed Incomplete
• Closed Skipped

Parent The parent audit task.

Assigned to The user assigned to this walkthrough.
Short description A brief and general description of the
walkthrough.
Description A more detailed explanation of the
walkthrough.
Schedule
Planned start date The intended date the walkthrough should
begin.
Planned end date The intended date the walkthrough should
end.

Jakarta ServiceNow Audit Management

Field Description

Planned duration The expected duration of this walkthrough.

As with actual duration, the planned duration
shows total activity time and takes the
walkthrough schedule into consideration.
Actual start date The date that this walkthrough actually
began.
Actual end date The date that this walkthrough actually
ended.
Actual duration The actual duration of the walkthrough from
walkthrough start to walkthrough end.
Walkthrough
Primary Contact The user to contact for this walkthrough.
Other Contacts Other users to contact for this walkthrough,
if the primary contact is unavailable.
Execution Steps Detail the activities to be performed during
the walkthrough.
Explanation Intended purpose of the walkthrough.
Additional Information Additional information the user conducting
the walkthrough needs to be aware of.
Results Details of what transpired during the
walkthrough.
Activity
Additional comments Customer-viewable comments.
Work notes Comments that are viewable by the audit
manager and audit manager.

6. Click Submit.

Generate a KB article from an engagement

Audit managers can generate a KB article that summarizes the findings of an engagement so report
findings can be communicated to executives.
Role required: sn_audit_manager
KB articles can be generated for engagements in the Awaiting approval, Follow up, and Closed
complete states.
1. Navigate to Audit > All Engagements.
2. Open the engagement record.
3. Fill in the fields on the Reports tab, as appropriate.

Jakarta ServiceNow Audit Management

Table 65: Reports tab on engagement form

Field Description

Report template Select the report template to use for this KB

article.
KB article Read-only field that is automatically
populated with a unique identification
number.

4. Click Generate report.

Approve or reject an engagement

Audit users that are assigned as approvers for an engagement can approve or reject engagements in the
Awaiting Approval state.
Role required: sn_audit.user
1. Navigate to Audit > My Audit Approvals.
2. Open the approval record associate with the engagement.
3. Click Approve or Reject
One of the following actions occurs:
• If the engagement is approved and there are remaining open tasks or issues, it automatically
moves into the Follow Up state.
• If the engagement is approved and there are no remaining open tasks or issues, it automatically
moves into the Closed state.
• If the engagement is rejected, it automatically moves back to the Fieldwork state

Add profiles to an engagement scope

Audit managers define which profiles will be involved in the audit engagement.
Role required: sn_audit.manager or sn_audit.admin
1. Navigate to Audit > Engagements > All Engagements.
2. Open an engagement in the Scope or Validate state.
3. In the Profiles related list, click Add.
4. Select the desired profiles that will be included in the audit engagement.
5. Click Add.

Jakarta ServiceNow Audit Management

Use the Audit Engagement Workbench to visually manage engagements

The Engagement Workbench provides a timeline view from which you can select an audit engagement to
view details or create a new engagement.

Figure 8: Audit Engagement

Jakarta ServiceNow Audit Management

Create an engagement from Audit Workbench

The Engagement Workbench provides a timeline view from which you can select an audit engagement
to view details or create a new engagement. Audit managers create engagements directly from the
Workbench to manage audit information and collect profiles, controls, and control tests that are relevant to
the audit.
Role required: sn_audit.admin or sn_audit.manager
1. Navigate to Audit > Engagements > Workbench.
2. Click Create Engagement.
3. Fill in the fields on the form, as appropriate.

Table 66: Engagement form

Field Description

Name The name of the engagement.

Assigned to The user assigned to the engagement.
Description A general description of the engagement.
Objectives The stated objectives of the engagement.
Planned start date The intended date the activity should begin.
Planned duration The expected duration of this activity. As
with actual duration, the planned duration
shows total activity time and takes the
activity schedule into consideration.
Audit period start Date that work on the engagement is
expected to begin.
Audit period end Date that work on the engagement is
expected to begin.
Auditors The auditors assigned to the engagement.
Approvers The approvers assigned to the engagement.

4. Click Create.

Manage GRC key risk and control indicators

Indicators collect data to monitor controls and risks, and collect audit evidence. Indicators monitor a single
control or risk.

Jakarta ServiceNow Audit Management

Indicator templates

Indicator templates allow the creation of multiple indicators for similar controls or risks.

Engagement Overview
The Engagement Overview is contained in the Audit Management application and provides an executive
view into audit results, engagement breakdowns by task, and allows areas of concern to be identified
quickly.
The Engagement Overview module displays audit information that is tailored to the role of the user.

Audit Engagement Overview

Users with the Audit Administrator, Audit User, and Audit Manager roles view the Audit Engagement
Overview. It contains the following reports in the base system.

Table 67: Audit Engagement Overview reports

Name Visual Description

Engagement Results Column Chart Displays an overall count of

audit engagements conducted
for each profile. The chart is
stacked to display the overall
audit results for each profile.
Profiles by Engagement Donut chart Displays the total number of
profiles included in the scope of
each audit engagement.
Controls by Engagement Donut chart Displays the total number of
controls included in scope of
each audit engagement.
Profile Drop down list Select one or many profiles to
view and compare their audit
findings.
Select Engagement Drop down list Select one or many
engagements to view and
compare their audit findings.
Satisfactory Engagements Single Score Displays the number of
engagements closed with a
satisfactory result.
Adequate Engagements Single Score Displays the number of
engagements closed with an
adequate result.
Inadequate Engagements Single Score Displays the number of
engagements closed with an
inadequate result.

Jakarta ServiceNow Audit Management

Name Visual Description

Control Test Results Donut chart The number of completed

control tests, broken down by
overall control effectiveness
rating.
Issue Breakdown Bar Chart Count of issues grouped
by Engagement, State, or
Response
Audit Task Breakdown Bar Chart Count of audit tasks grouped
by Task Type, Assigned to, Top
Task and State. Stacked by
Task Type, Assigned to, Top
Task, and State.
Overdue Audit Tasks List List of open audit tasks that
have exceeded the planned end
date.

Create a GRC indicator

Indicator data for controls, risk, and audit evidence are measured differently depending on the GRC-related
application.
Role required: compliance_admin or compliance_manager, risk_admin or risk_manager, audit_admin or
audit_manager
1. Navigate to one of the following locations:
• Policy and Compliance > Indicators > Indicators.
• Risk > Indicators > Indicators.
• Audit > Indicators > Indicators.

2. Select New.
3. Fill in the fields on the form, as appropriate.

Table 68: Indicator

Field Description

Number Read-only field that is automatically

Jakarta ServiceNow Audit Management

Field Description

Override Template Click to override the indicator template

associated to this indicator
Last result passed Read-only field indicating whether last result
passed.
Schedule
Collection frequency Select the collection frequency for indicator
results. Indicator tasks and results are
generated automatically based on the
indicator schedule.
Next run time Read-only field that is automatically
populated with the next collection time for
indicator results.
Method
Type Results can be gathered manually using
task assignment or automatically using
basic filter conditions, Performance
Analytics, or a script.
• Manual
• Basic
• Script

Short Description If Type is Manual, this field is present. Brief

4. Click Submit.

Jakarta ServiceNow Audit Management

Create a GRC indicator template

2. Select New.
3. Fill in the fields on the form, as appropriate.

Table 69: Indicator template

Field Description

Name Name of the indicator.

Short Description If Type is Manual, this field is present. Brief

description of the issue.
Instructions If Type is Manual, this field is present.
Instructions for the collection of indicator
results.
Value Mandatory If Type is Manual, this field is present.

Jakarta ServiceNow Audit Management

Field Description

Passed/Failed If Type is Basic, this field is present.

Indicator passes or fails.
PA Threshold If Type is PA Indicator, this field is present.
The associated PA Threshold.
Script If Type is Script, this field is present. Script
that obtains the desired system information.
Supporting Data
Collect Supporting Data Check to gather supporting evidence from
other applications.

4. Click Submit.

Manage audit issues and remediation

Issue Created when an indicator fails

Control issue Created when a control attestation is completed

indicating that the control is Not implemented

Control test issue Created when a control test is closed complete with
the control effectiveness set to Ineffective

Other issue Created by the user manually

Create a GRC issue manually

1. Navigate to one of the following locations:

• Policy and Compliance > Issues > Create New.
• Risk > Issues > Create New.
• Audit > Issues > Create New.

2. Fill in the fields on the form, as appropriate.

Jakarta ServiceNow Audit Management

Table 70: Issue

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.
State • New
• Analyze
• Respond
• Review
• Closed

Assignment group A group assigned to the issue.

Assigned to The user assigned to the issue.
Priority Priority for this issue:
• 1 - Critical
• 2 - High
• 3 - Moderate
• 4 - Low
• 5 - Planning

Short description Brief description of the issue.

Jakarta ServiceNow Vendor Risk Management

Field Description

Work notes Information about how to resolve the issue,

3. Click Submit.

Vendor Risk Management

The Vendor Risk Management application provides a centralized process for managing your organization's
vendor portfolio and completing the vendor assessment and remediation lifecycle.

Note: Activating the Vendor Risk Management plugin automatically installs the Explicit roles
plugin. Review changes to your ServiceNow® instance, including changes to catalog items, security
rules, and assigned user roles. See for more information on the platform areas that will be modified
after installing Explicit Roles.

Explore Set up Administer

• Vendor Risk Management • Activate Vendor Risk • Vendor Risk Management and
release notes Management on page 180 the Explicit Roles plugin on
• • Vendor Risk Management and page 181
the Explicit Roles plugin on • Set up different types of
page 181 vendor assessments on page
• Roles installed with Vendor 209x
Risk Management on page
183
• Components installed with
Vendor Risk Management on
page 181

Use Develop Integrate

• Open assessment in the • Developer training • Use the SIG questionnaire
Vendor Portal on page 226 • Developer documentation for risk assessment on page
• Review assessment 222
responses on the Vendor
Portal on page 226

Troubleshoot and get help

• Ask or answer questions in the
community
• Search the HI knowledge base
for known error articles

Jakarta ServiceNow Vendor Risk Management

• Contact ServiceNow Support

Understanding Vendor Risk Management

The Vendor Risk Management application provides a centralized process for managing your organization's
vendor portfolio and completing the vendor assessment and remediation lifecycle. Also, integrating with
other GRC applications, provides top-down traceability for compliance with controls and risks.

Who uses Vendor Risk Management?

• Risk analysts
• Vendor risk manager
• Functional department heads responsible for vendor compliance. For example:
• Account Executive
• Senior Corporate Counsel
• Director, Information Security
• Director, HR Operations
• Director, Information Technology

Vendor Risk Management workflow

Vendors and vendor risk managers work together to complete the vendor assessment and remediation
lifecycle workflow.
1. Most organizations import their vendor portfolio through an excel spreadsheet or an integration with
another onboarding solution. Vendor risk managers make on-going updates to the vendor information.
2. If Vendor Risk Management is integrated with other GRC applications, the vendor risk manager maps
controls to the assessment questions.
3. The vendor risk manager creates risk assessment templates, questionnaire templates, and document
request template, and prepares the risk assessments.
4. The vendor risk assessor prepares and sends risk assessment to the vendor.
5. The vendor primary contact receives the risk assessment in email and signs into the Vendor Portal.
From the portal, the primary contact can invite other collaborators to complete portions of the risk
assessments.
6. The Vendor Portal provides a listing of all risk assessments and the status of each. Once complete,
the primary contact submits the risk assessment through the Vendor Portal back to the vendor risk
analyst.
7. The vendor risk analyst uses the Vendor Portal to see the progress of all assessments, see all the
responses and see any generated observations.

Activate Vendor Risk Management

The GRC: Vendor Risk Management (com.sn_vdr_risk_asmt) plugin is available as a separate
subscription.

Jakarta ServiceNow Vendor Risk Management

Role required: admin

Activating the Vendor Risk Management plugin also installs the Explicit roles plugin. To understand the
changes that will be made to catalog items, security rules, and assigned user roles, see and Roles installed
with Vendor Risk Management on page 183.
This plugin includes demo data and activates related plugins if they are not already active.
1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.
If the plugin depends on other plugins, these plugins are listed along with their activation status.
If the plugin has optional features that depend on other plugins, those plugins are listed under Some
files will not be loaded because these plugins are inactive. The optional features are not installed
until the listed plugins are installed (before or after the installation of the current plugin).
4. Optional: If available, select the Load demo data check box.
Some plugins include demo data—Sample records that are designed to illustrate plugin features for
common use cases. Loading demo data is a good practice when you first activate the plugin on a
development or test instance.
You can also load demo data after the plugin is activated by clicking the Load Demo Data Only
related link on the System Plugin form.
5. Click Activate.

Note: Verify all changes to your catalog items, security rules, and assigned user roles. See the
Explicit roles plugin, for its impact on Vendor Risk Management.

Components installed with Vendor Risk Management

Activating the GRC: Vendor Risk Management (com.sn_vdr_risk_asmt) plugin adds or modifies several
tables, user roles, and other components, including the Explicit Roles plugin.

Note:
Activating the Vendor Risk Management plugin also installs the Explicit Roles plugin. The
snc_internal and snc_external roles are installed, enabling the administrator to give internal and
external users access to your instance. When vendor contacts are created, they are automatically
assigned the snc_external role, giving them access to resources related to the vendor portal.

Vendor Risk Management and the Explicit Roles plugin

Activating the Vendor Risk Management plugin also installs the Explicit Roles plugin. Administrators assign
the snc_internal and snc_external roles to provide internal and external users access to the instance.
When vendor contacts are created, they are automatically assigned the snc_external role, giving them
access to resources related to the vendor portal.
Various tables provide role-based access to record by setting the Roles field. If the Roles field is empty,
then all users have access to that record. For example, if the Roles field for a Service Catalog item has an
empty Roles field, then all users have access to that Service Catalog item.
However, when the Explicit Roles plugin is installed, the Roles field is updated to snc_internal.
Additionally, all users are given the snc_internal role. Continuing with the previous example:
• before installing the Explicit Roles plugin, if a Service Catalog item had an empty Roles field, it was
accessible to every user.

Jakarta ServiceNow Vendor Risk Management

• after installing the Explicit roles plugin, that Service Catalog item’s Roles field is updated to snc_internal
and all existing users are given the snc_internal role, making the catalog item is accessible to those
users.
• After that, when new users are created, they must have the snc_internal role, or they will not have
access to that Service Catalog item.

Without the Explicit Roles plugin, various tables allow record-based access to all users. For example,
all users can access Service Catalog items without role assignment. Once the Explicit Roles plugin is
installed, all users are assigned the snc_internal role. Additionally, in order to preserve the role-based
access, changes are made to the following tables:
Table Changes

Access Control For all existing and newly created ACLs without
a role requirement, the snc_internal role is
[sys_security_acl]
assigned.
Catalog item For all records where the Roles field is
empty, the snc_internal role is added. If the
[sc_cat_item]
glide.sc.use_user_criteria property is set to false,
newly created catalog items are automatically
assigned the snc_internal role. If the property
is set to true, the SNC External user criteria
is added to all newly created catalog items,
excluding external users from viewing the record.
Page For sites that have a login page, where the Read
roles field is empty, the snc_internal role is
[content_page]
added. For sites that have no login page or that
have automatically created content pages, the
public role is added.
Overview Help Panel For all records where the Roles field is empty,
[sys_ui_overview_help_panel] the snc_internal role is added. Newly created
overview panels with an empty Roles field are
also assigned the snc_internal role.
Navigation Menu [sys_app_application] For all records where the Roles field is empty,
the snc_internal role is added. Newly created
navigation menus with an empty Roles field are
also automatically assigned the snc_internal
role.
Report [sys_report] For all records where the Roles field is empty,
snc_internal is added. Newly created reports that
have an empty Roles field when sharing are also
automatically assigned the snc_internal role.

Portal Page [sys_portal_page] For all records where the Read roles field is
empty, the snc_internal role is added. Newly
created portal pages with an empty Read
roles field are also automatically assigned the
snc_internal role.

Jakarta ServiceNow Vendor Risk Management

Table Changes

Processor [sys_processor] For all records where the Roles field is empty,
the snc_internal role is added. Newly created
processors with an empty Roles field are also
automatically assigned the snc_internal role.

Roles installed with Vendor Risk Management

Activating the Vendor Risk Management plugin also installs the Explicit Roles plugin. The snc_internal and
snc_external roles are installed, enabling the administrator to give internal and external users access to
your instance. When vendor contacts are created, they are automatically assigned the snc_external role,
giving them access to resources related to the vendor portal.

GRC: Vendor Risk Management adds the following roles.

Role title [name] Description Contains roles

Vendor risk assessor Manages vendors, manages • sn_vdr_risk_asmt.vendor_assessment_rev

vendor contacts, manages • vendor_editor
[sn_vdr_risk_asmt.vendor_assessor]
vendor risk assessments and
• vendor_reader
issues, and completes vendor
risk assessment requests. • compliance reader

Vendor risk manager Manages vendors, manages • assessment_admin

vendor contacts, manages • sn_vdr_risk_asmt.vendor_assessment_rev
[sn_vdr_risk_asmt.vendor_risk_manager]
vendor assessment templates,
• sn_vdr_risk_asmt.vendor_assessor
manages questionnaire
templates, manages
documentation request
templates, and manages
scheduled assessments.
vendor_assessment_reviewer • sn_compliance.reader
[sn_vdr_risk_asmt.vendor_assessment_reviewer] • sn_risk.reader
• vendor reader
• task editor

Vendor contact Answers questionnaires • snc_external

regarding risk. Primary contacts
[vendor_contact]
can also manage other contacts
for the vendor.

Tables Installed with Vendor Risk Management

GRC: Vendor Risk Management adds the following tables.

Table Description

Assessment Template to Document Request

Template
[sn_vdr_risk_asmt_m2m_asmt_template_doc_req_template]

Jakarta ServiceNow Vendor Risk Management

Table Description

Assessment Template
[sn_vdr_risk_asmt_template]

Assessment Template to Questionnaire

Template
[sn_vdr_risk_asmt_m2m_asmt_template_questionnaire_template]

Associated Questionnaire
[sn_vdr_risk_asmt_doc_assessment]

Business Service Rating Scale

[sn_vdr_risk_asmt_bs_weight_config]

Business Service to Vendor

[sn_vdr_risk_asmt_m2m_vendor_service]

Document Request
[sn_audit_interview]

Questionnaire
[sn_vdr_risk_asmt_m2m_asmt_questionnaire_template]

Repeating Assessment
[sn_vdr_risk_asmt_repeating_assessment]

Risk Rating Scale

[sn_vdr_risk_asmt_score_mapping]

Take Assessment Link

[sn_vdr_risk_asmt_take_link]

Vendor Assessment to Questionnaire

[sn_vdr_risk_asmt_m2m_assessment_instance]

Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Vendor Risk Issue

[sn_vdr_risk_asmt_issue]

Vendor Risk Task

[sn_vdr_risk_asmt_task]

Note: All additional tables installed by the dependent plugins are also needed for GRC: Vendor
Risk Management.

Jakarta ServiceNow Vendor Risk Management

Properties installed with Vendor Risk Management

GRC: Vendor Risk Management adds the following properties.

Name Description

sn_vdr_risk_asmt.company.name • Type: string

• Default value: ServiceNow

sn_vdr_risk_asmt.glide.script.block.client.globals • Type: true | false

• Default value: false

Client scripts installed with Vendor Risk Management

GRC: Vendor Risk Management adds the following client scripts.

Client script Table Description

Check if assessment varies Vendor Risk Assessment

from template
[sn_vdr_risk_asmt_assessment]

Check questionnare duration Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Check questionnare duration on Vendor Risk Assessment

duration
[sn_vdr_risk_asmt_assessment]

Clear fields on vendor change Vendor Risk Task

[sn_vdr_risk_asmt_task]

Configure state choice list Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Copy information from template Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Hide View Response link if no Vendor Risk Assessment

responses
[sn_vdr_risk_asmt_assessment]

Populate default metric types Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Remove assessment when Vendor Risk Issue

vendor is changed
[sn_vdr_risk_asmt_issue]

Reset contacts on vendor Vendor Risk Issue

update
[sn_vdr_risk_asmt_issue]

Jakarta ServiceNow Vendor Risk Management

Client script Table Description

Set assigned to on load Vendor Risk Task

[sn_vdr_risk_asmt_task]

Set assignee to be current login Vendor Risk Issue

user
[sn_vdr_risk_asmt_issue]

Set fields when assessment Vendor Risk Task

changes
[sn_vdr_risk_asmt_task]

Set fields when issue changes Vendor Risk Task

[sn_vdr_risk_asmt_task]

Set name when vendor is set Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Set vendor when assessment Vendor Risk Issue

changes
[sn_vdr_risk_asmt_issue]

State read only for new Vendor Risk Assessment

assessments
[sn_vdr_risk_asmt_assessment]

Validate questionnare due date Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Script includes installed with Vendor Risk Management

GRC: Vendor Risk Management adds the following script includes.

Script include Description

VendorResponse
VendorResponseBase
VendorRiskAsmtAjax
VendorRiskAssessment
VendorRiskAssessmentBase
VendorRiskAssessmentStrategy
VendorRiskAssessmentStrategyBase
VendorRiskFilters
VendorRiskFiltersBase
VendorRiskOwnerUtils
VendorRiskOwnerUtilsBase
VendorRiskRepeatingAsmt
VendorRiskRepeatingAsmtBase

Jakarta ServiceNow Vendor Risk Management

Script include Description

VendorRiskScoring
VendorRiskScoringBase

Business rules installed with Vendor Risk Management

GRC: Vendor Risk Management adds the following business rules.

Business rule Tables Description

Add additional assignee for Assessment Instance

VRM
[asmt_assessment_instance]

Add owner to vendor Business Service to Vendor

[sn_vdr_risk_asmt_m2m_vendor_service]

Calculate assessment risk Assessment Instance

score
[asmt_assessment_instance]

Calculate document request Assessment Instance

risk rating
[asmt_assessment_instance]

Calculate risk quantitative store Assessment Category Result

[asmt_category_result]

Calculate risk rating Assessment Category Result

[asmt_category_result]

Cancel assessment Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Cancel document request Document request

[sn_vdr_risk_asmt_m2m_asmt_doc_request]

Cancel questionnaires Questionnaire

[sn_vdr_risk_asmt_m2m_asmt_questionnaire_template]

Cancel questionnaires if Vendor Risk Assessment

assessment dele
[sn_vdr_risk_asmt_assessment]

Check contact exists when set • Vendor Risk Issue

visible [sn_vdr_risk_asmt_issue]
• Vendor Risk Task
[sn_vdr_risk_asmt_task]

Configure state scratchpad Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Jakarta ServiceNow Vendor Risk Management

Business rule Tables Description

Copy template and doc Vendor Risk Assessment

requests
[sn_vdr_risk_asmt_assessment]

Create an assessent on prior Vendor Risk Assessment

closure
[sn_vdr_risk_asmt_assessment]

Create default metrics Assessment Metric Type

[asmt_metric_type]

Create missing category results Assessment Instance

[asmt_assessment_instance]

Create or delete score mapping • Assessment Instance

[asmt_assessment_instance]
• Assessment Metric Type
[asmt_metric_type]

Create vendor risk assessment Repeating Assessment

[sn_vdr_risk_asmt_repeating_assessment]

Delete take links on delete Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Delete take links on update Vendor Risk Assessment l

[sn_vdr_risk_asmt_assessment]

Enforce valid state changes Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Enforce vendor when Vendor Risk Issue

submitting issue
[sn_vdr_risk_asmt_issue]

Enforce vendor when Vendor Risk Task

submitting task
[sn_vdr_risk_asmt_task]

Evaluate controls Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

File role for Vendor Risk Assessment Metric Type

Assessments
[asmt_metric_type]

Issue assignee changed Vendor Risk Issue

[sn_vdr_risk_asmt_issue]

Issue contract changed Vendor Risk Issue

[sn_vdr_risk_asmt_issue]

Jakarta ServiceNow Vendor Risk Management

Business rule Tables Description

Issue task changed Vendor Risk Issue

[sn_vdr_risk_asmt_issue]

Prevent adding both SIG types • Questionnaire

[sn_vdr_risk_asmt_m2m_asmt_questionnaire_template]
• Assessment template to
Questionnaire template
[sn_vdr_risk_asmt_m2m_asmt_template_questionnaire_template]

Prevent closure if has open Vendor Risk Issue

tasks
[sn_vdr_risk_asmt_issue]

Prevent duplicate Business Business Service Rating Scale

critiality
[sn_vdr_risk_asmt_bs_weight_config]

Questionnaire due date Vendor Risk Assessment

changed
[sn_vdr_risk_asmt_assessment]

Remove business owner on Business Service

vendor
[cmdb_ci_service]

Remove owner from vendor Business Service to Vendor

[sn_vdr_risk_asmt_m2m_vendor_service]

Remove user from vendor User

business owners
[sys_user]

Restart workflow for due date Vendor Risk Assessment

change
[sn_vdr_risk_asmt_assessment]

Review duration changes Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Send single document request Document request

[sn_vdr_risk_asmt_m2m_asmt_doc_request]

Send single questionnaire Questionnaire

[sn_vdr_risk_asmt_m2m_asmt_questionnaire_template]

Set 'Visible in vendor portal" Vendor Risk Issue

flag
[sn_vdr_risk_asmt_issue]

Set actual duration Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Set actual end date Vendor Risk Task

[sn_vdr_risk_asmt_task]

Jakarta ServiceNow Vendor Risk Management

Business rule Tables Description

Set actual start date Vendor Risk Issue

[sn_vdr_risk_asmt_issue]

Set default risk quantitative Assessment Category Result

score
[asmt_category_result]

Set questionnaire due date Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Set the 'visible in vp' flag Vendor Risk Task

[sn_vdr_risk_asmt_task]

Set vendor contact if it is empty • Vendor Risk Task

[sn_vdr_risk_asmt_task]
• Vendor Risk Issue
[sn_vdr_risk_asmt_issue]

Set vendor if parent is empty Vendor Risk Issue

(display)
[sn_vdr_risk_asmt_issue]

Set vendor values from related Vendor Risk Task

record
[sn_vdr_risk_asmt_task]

Submit to vendor Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Sync planned duration field Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Task assignee changed Vendor Risk Task

[sn_vdr_risk_asmt_task]

Update business owner on Business Service

vendor
[cmdb_ci_service]

Update instance and category Risk Rating Scale

risk rating
[sn_vdr_risk_asmt_score_mapping]

Update percent complete Vendor Assessment to

Questionnaire
[sn_vdr_risk_asmt_m2m_assessment_instance]

Update scale range Risk Rating Scale

[sn_vdr_risk_asmt_score_mapping]

Validate durations Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Jakarta ServiceNow Vendor Risk Management

Business rule Tables Description

Validate questionnaire due date Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]

Vendor finished assessment Assessment Instance

[asmt_assessment_instance]

Vendor Risk Assessment Vendor Risk Assessment

Assigned
[sn_vdr_risk_asmt_assessment]

Update vendor information

Most organizations import their vendor portfolio through an excel spreadsheet or an integration with
another onboarding solution. Vendor risk managers make on-going updates to the vendor information,
including risk security scores and vendor tiering scores.
Role required: vendor risk manager
Contact your sys admin for the creation of your vendor portfolio, before making any updates.
1. Navigate to Vendor Risk > All Vendors.
2. Select the vendor record.
3.
4. Fill in the fields on the form, as appropriate.

Table 71: Vendor

Field Value

Name Vendor name.

Website URL for the vendor.
Industry Type of industry.
Vendor type Type of vendor.
Security Score The third-party provided secuity score.
Score provider The company providing the normalized
security score.
Status Status of the vendor.
Risk rating Risk rating calculated by the vendor risk
assessment responses.
Rank tier Type of supplier.
Vendor tier Vendor tier calculated by mapping the
tiering score against the vendor tiering
scale.

Note: Assigned when the tiering

assessment is closed.

Jakarta ServiceNow Vendor Risk Management

Field Value

Vendor manager The employee assigned as the manager to

this vendor.
Business owner The employees using this vendor in the
course of daily business.
Notes Additional information.
Contact
Street Street address of vendor.
City City of vendor.
State / Providence State or Providence of the vendor.
Zip / Postal code Zip code of postal code of the vendor.
Country Country of the vendor.
Phone Phone number for the vendor.
Fax phone Fax number for the vendor.
Profile
Publicly traded Is the vendor publically traded?
Stock symbol Stock symbol of the vendor.
Revenue per year Revenue per year of the vendor.
Number of employees Number of employees employed by the
vendor.
Banner image Banner image for the vendor.
Banner text Banner text for the vendor.

5. If Vendor Risk Management is integrated with other GRC applications, the related lists on the Vendor
form can include:
• Vendor Contacts
• Business Services
• Tiering Assessments
• Repeating Assessments
• Assessments
• Issues
• Tasks
• Profile Types
• Risks
• Controls
• Security Scores

Vendor risk ratings and scoring calculations

Within a vendor risk assessment, multiple ratings and scored are calculated.

Jakarta ServiceNow Vendor Risk Management

Risk Rating Scale

Every time a questionnaire is created, a default risk rating is applied. The risk rating scale (categories,
minimum, and maximum values) is configurable and can vary per assessment.

Note: The default scale factor of a questionnaire is 100.

Jakarta ServiceNow Vendor Risk Management

Score Calculation Mechanism

The score calculation mechanism for each vendor risk assessment uses the platform assessment score
calculation engine. The calculations are performed using a series of related equations that are dynamically
recalculated. Multiple user-defined parameters affect the calculated assessment rating:
• Questions (metrics)
• Metric Scale Definition
• Categories
• Weights
• Risk Rating Scale
• Business Service Rating Scale

For more information, see View a metric result

Jakarta ServiceNow Vendor Risk Management

Equation 1 questionRating

The questionRating calculation defines the relative degree of significance of the individual assessment
metric, especially when compared to other metrics. This variable is one of the key variables in calculating
the normalized value later in the process.
The Scale definition is stated within an individual Assessment Metric.

• High means that large numerical values indicate a positive result. If the rating is high, the following
formula is used:

• Low means that small numerical values indicate a positive result. If the rating is low, the following
equation is used:

The value used in the formula is taken from the vendor’s response to the question. The configuration of the
metric defines the correct answer (value) and the values that are associated with other (incorrect or less
desirable) answers.

Jakarta ServiceNow Vendor Risk Management

Equation 2 questionPercentContribution

The questionPercentContribution defines the degree of significance of the assessment metric,

within the category where it is included. This variable is one of the key variables in calculating the
normalized value later in the process.

The Category represents a theme for evaluating assessable records in a given metric type. The category
is user-defined with examples being ROI, risk, performance, security, personal data, and so on.
The Weight is a numerical value that represents the metric importance relative to other metrics. A higher
weight in proportion to the overall weight of the category has a stronger bearing on the final score.

Jakarta ServiceNow Vendor Risk Management

Equation 3 questionNormalizedValue

The questionNormalizedValue calculates a value so questions with different weights and ratings can
be compared equally on the same scale.

Each answer to every question (assessment metric) has a normalized value. This normalized value
conducts a more meaningful comparison which is later rolled up to the category and the overall
assessment results.

Jakarta ServiceNow Vendor Risk Management

Equation 4 categoryRating

Now that there are normalized values for each metric within the category, the categoryRating
calculates a value for the entire category which can then be normalized using Equation 5
categoryNormalizedValue to facilitate inter-category comparisons.

The category Rating is the sum of all normalized values for the metrics within the category.

Jakarta ServiceNow Vendor Risk Management

The stated Risk Rating for each category is derived from the associated Risk Rating Scale.

Equation 5 categoryNormalizedValue

With the Category Ratings established, the categoryNormalizedValue formula uses this rating and the
Category Weight to normalize the result across all categories.

This calculated Normalized value conducts a more meaningful comparison which is later rolled up to the
overall assessment results. A higher category Weight has a stronger influence on the normalized value the
category.

Jakarta ServiceNow Vendor Risk Management

Equation 6 questionnaireQuantitativeScore

With all of the categories normalized, the overall quantitative score for the assessment is calculated.

The output from the questionnaireQuantitativeScore formula is the sum of the normalized
category scores. It is presented as the Risk Score on the record for the questionnaire.

Jakarta ServiceNow Vendor Risk Management

Qualitative Score for Documents

Document Requests have a risk rating that is a qualitative score. The preliminary risk rating is based on the
answer to the default question “Do you have document ‘document name’?”

Jakarta ServiceNow Vendor Risk Management

The document risk rating uses the following scale:

Response Risk Rating

Yes Low
No or unanswered High
N/A Moderate

Once the document is reviewed, it may be found to be deficient, so the analyst can override the default
rating. The assessment retains the current Risk Rating and the Original Risk Rating. As always, the
stated Risk Rating for each category is derived from the associated Risk Rating Scale.

Jakarta ServiceNow Vendor Risk Management

Equation 7 assessmentRating

The risk rating from all questionnaires and document requests is rolled up to the parent vendor risk
assessment providing an overall assessmentRating

Finally, the assessment rating with the risk rating scale determines the risk rating for the assessment.

Jakarta ServiceNow Vendor Risk Management

getBusinessServiceCriticality finds the most critical business service and finds a record in the
business service rating scale table that best matches that critical business service. The weight from that
rating scale record is used.

Jakarta ServiceNow Vendor Risk Management

Manage vendor risk assessments

The vendor primary contact uses the Vendor Portal to view all assessments. Before the vendor risk
manager closes the assessment, issues and tasks are created on-demand, usually during the Generating
Observations state. The vendor risk analyst assigns vendors as needed and communicates using
comment streams to achieve closure on non-compliance.

Vendor Risk Assessment workflow

1. Most organizations import their vendor portfolio through an excel spreadsheet or an integration with
another onboarding solution. Vendor risk managers make on-going updates to the vendor information,
including risk security scores and vendor tiering scores.
2. If Vendor Risk Management is integrated with other GRC applications, the vendor risk manager maps
controls to the assessment questions.
3. The vendor risk manager creates internal and external assessment templates, questionnaire
templates, document request templates, and creates the notifications associated with the workflow.
4. The vendor risk manager prepares and sends the vendor risk tiering assessment to internal
stakeholders.
5. Internal stakeholders navigate to Self-service > My Assessments and Surveys > to complete and
submit the assessment.
6. After receiving the completed vendor tiering assessments, the vendor risk assessor updates and
closes the tiering assessment.
7. Next, the vendor risk manager sends out vendor risk assessments to the primary contact assigned to
that vendor. Vendor risk assessments can be sent automatically based on changes to a risk score or
vendor tier.
8. The vendor signs into the Vendor Portal to complete the risk assessment.
• The Vendor Portal provides a list of assessments and the status of each. From the Vendor Portal,
the primary contact can invite other collaborators to complete portions of the assessments. Once
complete, the primary contact submits the assessment.

Jakarta ServiceNow Vendor Risk Management

9. The Vendor Risk analyst reviews the results of the vendor risk assessments and closes each vendor
assessment, creating issues for remediation, as necessary.

Remediating an issue means the underlying issue causing the control failure or risk exposure will be fixed.
Accepting an issue means you will create an exception for a known control failure or risk. Controls that are
Accepted remain in a non-compliant state until the control is reassessed. In this way, the issue can be
used to document observations during audits.

Vendor Assessment Portal

The vendor assessment portal is a web interface providing a primary point of interaction for vendors and
risk assessors, with a centralized workflow for those involved in the assessment. All remediations that
result from those assessments are also coordinated through the Vendor Portal.
To customize this portal, navigate to Service Portal > Portals, and click Vendor Portal. See Service
Portalfor more information.

Change the sn_vdr_risk_asmt.company.name property to display your company name in the portal.

Jakarta ServiceNow Vendor Risk Management

Role Purpose

Vendors Uses the Vendor Assessment Portal to:

• View and respond to current assessments.
• Delegate responses to other contacts.
• View or update contact information.
• Update notification preferences.
• Change a password or request a new
password.

Vendor risk assessor Uses the Vendor Risk Management instance to:
• Create a login for a new contact.
• Enable or disable a contact login.
• Reset a password for a contact.
• Assign a user role to a contact.
• Assign a contact to an assessment.
• View and update customer contact
information.
• Access completed assessments.

Set up different types of vendor assessments

Internal stakeholders complete the tiering assessment to determine the vendor tier. External vendor
contacts complete the risk assessment to determine the risk rating. Both types of assessments, risk
assessments and risk tiering assessments, are created from templates which define the regular
questionnaire, document request questionnaire, and tiering assessment questionnaire.

Define vendor assessment templates

When defining an assessment template, the vendor risk manager provides scheduling information for the
vendor risk assessment.
Role required: [sn_vdr_risk_admin]
1. Navigate to Vendor Risk > Assessment Setup > Assessment Templates.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 72: Vendor Assessment Template

Field Description

Name The name of the assessment template.

Assessment duration (days) The time provided for the entire vendor risk
assessment to be completed.
Questionnaire duration (days) The time allocated for the assessor to
complete the questionnaire portion of the
assessment.

Jakarta ServiceNow Vendor Risk Management

Field Description

Questionnaire review duration (days) The time allocated for the vendor risk
admin to review the responses provided to
questionnaire.
Created by Read-only. User who created the template.
Created Read-only. Time when the template was
created.
Updated Read-only. Time when the template was last
updated.
Description A more detailed description of the
assessment.

4. Click Submit.

Create vendor questionnaire templates

Vendor risk managers use the Questionnaire Template Designer to create and edit questionnaire
templates which can be used as a basis for other templates.
Role required: vendor risk manager

Note: A questionnaire template must have at least one category and that category must contain at
least one question.

1. Navigate to Vendor Risk > Assessment Setup > Assessment Templates.

2. Click New or New (Designer).
The designer contains the following elements:

Element Description

Controls Controls for the supported question data

types are available in the Controls palette.
Drag a control onto the designer canvas to
create a question of that type.
Header bar The header bar contains a menu of various
functions. The availability of each option
depends on the status of the assessment
that is opened in the designer.
Design canvas New assessment open in the Design view.
The questionnaire Name field appears
above the first category in the canvas.

3. Enter a name in the Name field.

4. Drag a control onto the designer canvas to create a question of that type.

Jakarta ServiceNow Vendor Risk Management

Table 73: Question controls

Data type Description Scored

Attachment Question with a Manage Y

Attachments icon for users
to attach one or more files.
Boolean Question with a check box
or a Yes/No list for user
responses.
Choice List of predefined options. Y
For more information, see
the definition for Choices.
Date Date field. N
Date/Time Date and time field. N
Number Number field with predefined N
minimum and maximum
values. The default is 1–10.
Percentage Percentage field with a N
prescribed range.
Scale Predefined Likert scale. Y
Answer options appear as
radio buttons.
Numeric Scale Selectable number scale. Y
The default is 1–5. Answer
options appear as radio
buttons.
String Single or multi-line text field. N
Template Choice list of templates that Y
provide a predefined scale of
options.
Reference Choice list of fields from a
specified reference table.
This data type does not
support reference qualifiers.
Image Scale
Multiple Selection
Ranking

Note: Set the correct answer for the metric that you want to be scored. Scored metrics
determine the compliance status of the risk.

5. Point to the menu icon in the upper right of the designer to select one of the following options:

Jakarta ServiceNow Vendor Risk Management

Note: The availability of each option depends on the status of the questionnaire that is opened
in the designer.

Option Description

Save Save the current questionnaire.

Preview Display a preview of the questionnaire.
New Questionnaire Open a fresh canvas for a new questionnaire.
Open Questionnaire Open a list of existing questionnaire that you can
select and edit.
Copy Questionnaire Create a copy of the questionnaire that you can
edit.

Create vendor document request templates

Risk managers use the Document Request Template Designer to create and edit questionnaire templates
which can be used as a basis for other templates.
Role required: vendor risk manager

Note: Three default questions are created automatically for each new document request
templates.

1. Navigate to Vendor Risk > Assessment Setup > Assessment Templates.

2. Click New or New (Designer).
The designer contains the following elements:

Element Description

Controls Controls for the supported question data

types are available in the Controls palette.
Drag a control onto the designer canvas to
create a question of that type.
Header bar The header bar contains a menu of various
functions. The availability of each option
depends on the status of the assessment
that is opened in the designer.
Design canvas New assessments open in the Design view.
The questionnaire Name field appears
above the first category in the canvas. A
blank question field appears in the category
container.

3. Enter a name in the Name field.

4. Drag a control onto the designer canvas to create a question of that type.

Jakarta ServiceNow Vendor Risk Management

Table 74: Question controls

Data type Description Scored

Attachment Question with a Manage Y

Note: Set the correct answer for the metric that you want to be scored. Scored metrics
determine the compliance status of the risk.

5. Point to the menu icon in the upper right of the designer to select one of the following options:

Jakarta ServiceNow Vendor Risk Management

Note: The availability of each option depends on the status of the questionnaire that is opened
in the designer.

Option Description

Save Save the current questionnaire.

Preview Display a preview of the questionnaire.
New Questionnaire Open a fresh canvas for a new questionnaire.
Open Questionnaire Open a list of existing questionnaire that you can
select and edit.
Copy document request Copy the document request and edit.

Configure vendor risk assessment notifications

Email notifications communicate the status of items within the vendor risk management product. Email
notifications are useful when assessment records are created or updated, so analysts and assessors are
informed throughout the assessment process. Creating an email notification involves specifying when to
send it, who receives it, and what it contains.
Role required: vendor risk manager
1. Navigate to System Notifications > Notifications.
2. Go to Category, Vendor Risk Assessment.
3. Select the notification record to open details associated with that notification or click New, to create a
new notification.

Note: Click Preview Notificationto preview the notification while configuring the details.

Notification Applied to

Vendor Risk Issue Assigned (External) • Table: defaults to Vendor Risk Issue
[sn_vdr_risk_asmt_issue]
• Category: Vendor Risk Assessment

Vendor Tiering Assessment to Assessor • Table: defaults to Tiering Assessment

[sn_vdr_risk_asmt_vdr_tiering_assessment]
• Category: Vendor Risk Assessment

Vendor Risk Task Assigned (Internal) • Table: defaults to Vendor Risk Task
[sn_vdr_risk_asmt_task]
• Category: Vendor Risk Assessment

Vendor Risk Assessment Assigned • Table: defaults to

Vendor Risk Assessment
[sn_vdr_risk_asmt_assessment]
• Category: Vendor Risk Assessment

Jakarta ServiceNow Vendor Risk Management

Notification Applied to

Vendor Risk Request Assigned • Table: defaults to Assessment Instance

[asmt_assessment_instance]
• Category: Vendor Risk Assessment

Vendor Risk Issue Assigned (Internal) • Table: defaults to Vendor Risk Issue
[sn_vdr_risk_asmt_issue]
• Category: Vendor Risk Assessment

Vendor Assessment Submitted to Vendor • Table: defaults to

Vendor Risk Assessment
[sn_vdr_risk_asmt_assessment]
• Category: Vendor Risk Assessment

Vendor Assessment Responses Overdue • Table: defaults to

Vendor Risk Assessment
[sn_vdr_risk_asmt_assessment]
• Category: Vendor Risk Assessment

Vendor Risk Task Assigned (External) • Table: defaults to Vendor Risk Task
[sn_vdr_risk_asmt_task]
• Category: Vendor Risk Assessment

Vendor Assessment Responses Received • Table: defaults to

Vendor Risk Assessment
[sn_vdr_risk_asmt_assessment]
• Category: Vendor Risk Assessment

Vendor Assessment Responses Due 1 • Table: defaults to

Week Vendor Risk Assessment
[sn_vdr_risk_asmt_assessment]
• Category: Vendor Risk Assessment

Vendor Assessment New Request to • Table: defaults to

Vendor Vendor Risk Assessment
[sn_vdr_risk_asmt_assessment]
• Category:

Vendor Contact Invited • Table: defaults to Vendor Contact

[vm_vdr_contact}
• Category:

Email Vendor Manager (based on risk tier • Table: Vendor Risk Assessment
rule) [sn_vdr_risk_asmt_assessment]
• Category:

Jakarta ServiceNow Vendor Risk Management

Notification Applied to

Vendor Assessment Responses Due 3 Days • Table: Vendor Risk Assessment

[sn_vdr_risk_asmt_assessment]
• Category:

Email Vendor Manager (based on change in • Table: Vendor Risk Assessment

third-party score) [sn_vdr_risk_asmt_assessment]
• Category:

For detailed instructions, see Create an email notification.

Create a vendor risk assessment and initiate the lifecycle

The vendor risk assessor creates an assessment, initiating the vendor risk assessment life cycle. Vendor
risk assessments can be created on-demand or from a repeating assessment. When creating an on-
demand vendor risk assessment, select the vendor, questionnaire template, and document request
template. Additionally, vendor risk managers can select multiple vendors at a time and trigger vendor risk
assessments.
Role required: vendor risk assessor
1. Navigate to Vendor Risk > Assessments > All Assessments.
2. Do any of the following actions:
Option Description

To associate any existing document requests Click Edit.

or questionnaires.
To create on-demand document requests or Click New.
questionnaires for the assessments.
To associate any existing document requests 1. Click New.
or questionnaires from the assessment
template. 2. In the Assessment template field, select the
document requests or questionnaires.

3. Fill in the fields on the form, as appropriate.

Table 75: Vendor Risk Assessment

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.
State • Draft
• Submitted to vendor
• Closed
• Cancelled

Vendor The vendor that is being assessed.

Jakarta ServiceNow Vendor Risk Management

Field Description

Risk rating The overall risk rating for this vendor.

• Critical
• High
• Moderate
• Low
• Minor

Note: The Risk rating is

determined by finding a risk rating
scale range in which the risk score
falls. It defines how a minimum and
maximum range of assessment
scores maps to a qualitative risk
score.

Repeating assessment The assessment that is used to create the

current assessment.
Created by The person who created this assessment.
Assessment template The template used to create the current
assessment.
Assigned to The vendor contact assigned to this vendor
risk assessment.

Note: Primary contacts can

reassign requests, issues, and tasks
to other vendor contacts.

Updated The date the VRA record was last updated.

Watch list The names of users who are notified when
the record is modified.
Name The name of the vendor risk assessment.
Description A more detailed explanation of the issue.
Notes and Comments
Work notes Information about the vendor risk
assessment. Work notes are visible to users
who are assigned to the issue.
Additional comments (Customer visible) Public information about the vendor risk
assessment.
Assessment Schedule
Planned duration (days) Estimated duration period of the
assessment
Actual duration The amount time it took to complete the
vendor risk assessment. This field is
calculated using the Actual state date and
Actual end date.

Jakarta ServiceNow Vendor Risk Management

Field Description

Planned start date Date and time that work on the vendor risk
assessment is expected to begin.
Actual start date Date and time that work on the vendor risk
assessment began.
Planned end date Date and time that work on the vendor risk
assessment is expected to end.
Actual end date Date and time that work on the vendor risk
assessment was completed.
Questionnaire Schedule
Planned duration (days) The amount of time given to the vendor for
completing the vendor risk assessment. This
field is calculated using the Planned state
date and Planned end date.
Submitted to vendor The date that questionnaires are sent to
vendor
Due date deadline for vendor to answer all the
questionnaires
Review duration (days) The review duration given to customer to
review all the questionnaires
Completion date The actual date when vendor completed all
the questionnaires
Responses expected by The date the vendor is expecting the
responses

4. Click Submit to vendor.

The primary vendor contact is notified, and the state of assessment changes to Submitted to
vendor. The vendor responds to the notification through the Vendor Risk Portal, changing the state of
assessment to Response received. All the risk scores are calculated automatically.
5. The vendor assessor moves the state of the assessment to Generating Observations. During this
time, the vendor assessor can click the View Response link in the document requests/questionnaires
related list to view the response and provide comments or change responses, as necessary.
For any problems that rise, the vendor assessor creates an issue to track the remediation process
(Finalizing with vendor).
6. The vendor assessor moves the assessment to Closed state.
The vendor risk assessor works with the vendor through the vendor portal to close the assessment.

Jakarta ServiceNow Vendor Risk Management

Review the vendor's assessment responses

The vendor assessor can view assessment responses after the vendor has submitted an assessment. The
status of all controls are updated when the vendor completes the assessment.
Role required: sn_vdr_risk_asmt.vendor_assessor
1. Navigate to Vendor Risk > Assessments > My Open Assessments.
2. Click the assessment in the Response received state.
3. In the Questionnaires/Document Requests related list, click View Response.

Jakarta ServiceNow Vendor Risk Management

4. Add comments or change responses, as necessary.

Note: Changing a response, may affect the risk rating of the vendor.

Jakarta ServiceNow Vendor Risk Management

Use the SIG questionnaire for risk assessment

Survey Analytics's Standardized Information Gathering Questionnaire (SIG) is used to obtain required
assessment documentation from a vendor. The vendor contact can upload the pre-filled SIG spreadsheet
or take a form-based questionnaire which gets imported to the instance.
Role required: vendor contact
SIG version 2017 or later, is considered to be the latest version. If a vendor uploads a version prior to the
2017 SIG, all responses for matching questions are imported and any unmatching questions are imported
with blank responses for the vendor to answer later.

Note: Only 2014 and later versions of the SIG are supported.

1. Log into the vendor assessment portal through https://myCompany.service-now.com/vdp.

Jakarta ServiceNow Vendor Risk Management

2. Click Import.

Jakarta ServiceNow Vendor Risk Management

Create a vendor risk issue

Issues are created to document audit observations and remediations, or to accept any problems. Issues
and tasks can be assigned directly to vendor contacts without the need for a vendor risk assessment.
Role required: vendor risk assessor
1. Navigate to Vendor Risk > Issues > Create New .
2. Fill in the fields on the form, as appropriate.

Table 76: Vendor Risk Issue

Field Description

Number Read-only field that is automatically

populated with a unique identification
number.
State • New
• Analyze
• Respond
• Review
• Closed

Vendor The vendor with the issue.

Priority Priority for this issue:
• 1 - Critical
• 2 - High
• 3 - Moderate
• 4 - Low
• 5 - Planning

Assessment
Assessment group A group assigned to the issue.
Visible in portal Indicates if issues is visible to the vendor in
the Vendor Portal.
Assigned to The user assigned to the issue.
Vendor Contact The vendor contact associated with this
issue.
Created by
Created
Updated
Watch list
Short description Brief description of the issue.
Description
Notes and Comments

Jakarta ServiceNow Vendor Risk Management

Field Description

Work notes Information about how to resolve the issue,

or steps already taken to resolve it, if
applicable. Work notes are visible to users
who are assigned to the issue.
Additional comments (Customer visible) Public information about the issue.
Recommendations
Recommendation The recommended action to resolve this
issue.
Explanation An explanation of the recommended action.
Issue Schedule
Duration Estimated amount of work time. Calculated
using the Planned state date and Planned
end date.
Actual duration Estimated amount of work time. Calculated
using the Actual state date and Actual end
date.
Planned start date Date and time that work on the issue is
expected to begin.
Actual start date Time when work began on this issue
Planned end date Date and time that work on the issue is
expected to end.
Actual end date Time when work ended on this issue.

3. Click Submit.

Open assessment in the Vendor Portal

The vendor primary contact logs into the Vendor Portal to view all assessments.
Role required: vendor contact
1. Log into the vendor assessment portal through https://myCompany.service-now.com/vdp.
2. Click through each questionnaire and provide a response to each question.

Review assessment responses on the Vendor Portal

After submitting an assessment, the vendor contact can view all responses in read-only mode on the
Vendor Portal.
Role required: vendor contact
1. Log into the vendor assessment portal through https://myCompany.service-now.com/vdp.
2. Click through each questionnaire and view the responses.

Jakarta ServiceNow Vendor Risk Management

Note: All responses are read-only since the assessment has already been sent back to the
customer.

Create repeating vendor risk assessments

Vendor risk assessors can create repeating vendor assessments to monitor the vendor risk continuously.
Role required: vendor risk assessor
1. Navigate to Vendor Risk > Assessments > Repeating Assessments.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 77: Repeating Assessment

Field Description

Number
Created by
Vendor The vendor that is being assessed.
Created
Assessment template The template used to create the current
assessment.
Updated
Next assessment creation (months) Next assessment will be created in specific
number of months after the previous
assessment is closed
Next assessment end date (months) The end date for the new assessment after
the previous assessment is closed
Active Indicates if the current repeating
assessment is active.
Name The name of the repeating assessment.
Description A more detailed description of the repeating
assessment.

4. Click Submit.
5. The Assessment Occurrences related list displays the status of all assessments and its associated
risk rating.

Jakarta ServiceNow Index

Index
A deactivate 43

activate
Audit Management 140
C
Policy and Compliance Management 10 citation deactivation
Risk Management 80 compliance 43
activity, create an citations
Audit Tasks 165 creating 42
assessment designer 118 Compliance module
attestation designer 65 Policy and Compliance Management 68
attestations configure
Controls 64, 115 Policy and Compliance Management 18
Audit Risk Management 91
installed components control test, create a 163
tables 141 control, add a
Audit Management to a risk 114
activate 140 control, create a
Audit Tasks module 161 Controls 58
Audit Testing module 157 Controls
description 138 attestations 64, 115
Engagement Overview 173 control, create a 58
Engagement Workbench 171 create
Engagements module 159 authority documents 35
installed components create a
tables 141 risk 109
installed with 141 risk framework 105
Issues module 206 risk statement 106
Scoping module 149 create an
Audit Managementbusiness rules engagement 161
installed components 141, 142, 142, 143, 145, 145
Audit Managementclient scripts
installed components 141, 142, 142, 143, 145, 145 D
Audit Managementproperties
deactivate
installed components 141, 142, 142, 143, 145, 145
authority documents 43
Audit Managementroles
description
installed components 141, 142, 142, 143, 145, 145
Audit Management 138
Audit Managementscript includes
Policy and Compliance Management 8
installed components 141, 142, 142, 143, 145, 145
Risk Management 79
Audit Tasks
activity, create an 165
control test, create a 163 E
from an engagement 163
interview, create an 166 engagement
walkthrough, create a 168 create an 161
Audit Tasks module Engagement Overview
Audit Management 161 Audit Management 173
Audit Testing Engagement Workbench
test plan, create a 158 Audit Management 171
test template, create a 157 Engagements module
test template, relate a 158 Audit Management 159
to a policy 158
Audit Testing module F
Audit Management 157
authority documents from a profile 27, 102, 154
create 35 from an engagement 163

Jakarta ServiceNow Index

G Compliance module 68
configure 18
governance, risk, and compliance Controls module 57
citations description 8
creating 42 installed with 11
UCF Policies and Procedures module 30
authority documents 44 Scoping module 149
Governance, risk, and compliance Policy and Compliance Managementbusiness rules
GRC 4 installed components 11, 12, 13, 14, 15, 15
Policy and Compliance Managementclient scripts
installed components 11, 12, 13, 14, 15, 15
I Policy and Compliance Managementproperties
indicator template, create an installed components 11, 12, 13, 14, 15, 15
Indicators 71, 132, 176 Policy and Compliance Managementroles
indicator, add an installed components 11, 12, 13, 14, 15, 15
to a risk 113 Policy and Compliance Managementscript includes
indicator, create an installed components 11, 12, 13, 14, 15, 15
Indicators 174 Policy and Compliance Managementtables
Indicators installed components 11, 12, 13, 14, 15, 15
indicator template, create an 71, 132, 176 policy statement, create a
indicator, create an 174 Policies and Procedures 37
installed components 183 policy statement, deactivate
installed with Policies and Procedures 39
Audit Management 141 policy statement, relate a 40, 40
Policy and Compliance Management 11 policy, approve a
Risk Management 81 Policies and Procedures 34
Vendor Risk Management 181 policy, create a
interview, create an Policies and Procedures 32
Audit Tasks 166 policy, retire a
issue, create an Policies and Procedures 35
Issues 76, 136, 177 policy, review a
Issues Policies and Procedures 34
issue, create an 76, 136, 177 profile type, create a
Issues module Scoping 26, 101, 153
Audit Management 206 profile, generate a 27, 102, 154
Policy and Compliance Management 206 profile, reactivate
Risk Management 206 Scoping 30, 105, 157

O R
Overview risk
Risk Management 129 create a 109
risk framework
create a 105
P Risk Management
activate 80
Policies and Procedures
configure 91
approve, create a 34
description 79
approve, retire a 35
installed with 81
policy statement, create a 37
Issues module 206
policy statement, deactivate 39
Overview 129
policy statement, relate a 40, 40
Risk Register module 105
policy, create a 32
Scoping module 149
policy, review a 34
Risk Managementbusiness rules
to a citation 40
installed components 81, 82, 83, 85, 88, 89
to a policy 40
Risk Managementclient scripts
Policies and Procedures module
installed components 81, 82, 83, 85, 88, 89
Policy and Compliance Management 30
Risk Managementproperties
policy and compliance
installed components 81, 82, 83, 85, 88, 89
citation
Risk Managementroles
deactivate 43
installed components 81, 82, 83, 85, 88, 89
Policy and Compliance Management
activate 10

Jakarta ServiceNow Index

Risk Managementscript includes Vendor Risk Managementproperties

installed components 81, 82, 83, 85, 88, 89 installed components 185, 185, 186, 187
Risk Managementtables Vendor Risk Managementscript includes
installed components 81, 82, 83, 85, 88, 89 installed components 185, 185, 186, 187
Risk Register
risk, generate a
from a profile type 108
W
from a risk 108 walkthrough, create a
from a risk statement 108 Audit Tasks 168
Risk Register module
Risk Management 105
risk statement
create a 106
risk, generate a
from a profile type 108
from a risk 108
from a risk statement 108

S
Scoping
from a profile 27, 102, 154
profile type, create a 26, 101, 153
profile, generate a 27, 102, 154
profile, reactivate 30, 105, 157
Scoping module
Audit Management 149
Policy and Compliance Management 149
Risk Management 149

T
tables 183
test plan, create a
Audit Testing 158
test template, create a
Audit Testing 157
test template, relate a 158
to a citation 40
to a policy 40, 158
to a risk
control, add a 114
indicator, add an 113

U
UCF
download files 53
Unified Compliance Framework (UCF)
authority documents 44
download 53

V
Vendor Risk Management
installed with 181
Vendor Risk Managementbusiness rules
installed components 185, 185, 186, 187
Vendor Risk Managementclient scripts
installed components 185, 185, 186, 187

IT Governance, Risk and Compliance
No ratings yet
IT Governance, Risk and Compliance
24 pages
GRC Implementation Checklist - N
67% (3)
GRC Implementation Checklist - N
7 pages
Essential ServiceNow Resources List
100% (1)
Essential ServiceNow Resources List
3 pages
CMDB Documentation
No ratings yet
CMDB Documentation
1,796 pages
Servicenow It Asset MGT PDF
No ratings yet
Servicenow It Asset MGT PDF
12 pages
Servıcenow Learning Paths
No ratings yet
Servıcenow Learning Paths
30 pages
ServiceNow Knowledge Sources 2022-11-01
100% (1)
ServiceNow Knowledge Sources 2022-11-01
250 pages
ServiceNow Basics, Studio, Applications
No ratings yet
ServiceNow Basics, Studio, Applications
84 pages
Knowledge Management - Servicenow
100% (2)
Knowledge Management - Servicenow
64 pages
Servicenow Automationpdf Compress
100% (1)
Servicenow Automationpdf Compress
272 pages
ServiceNow Data Model v3.4
100% (3)
ServiceNow Data Model v3.4
66 pages
ServiceNow Case Studies - Abhra Inc
100% (3)
ServiceNow Case Studies - Abhra Inc
13 pages
ServiceNow GRC Training Course
No ratings yet
ServiceNow GRC Training Course
2 pages
SMF M010 GilmoreBook PDF
No ratings yet
SMF M010 GilmoreBook PDF
443 pages
ServiceNow Administration Fundamentals - BONUS Materials
100% (3)
ServiceNow Administration Fundamentals - BONUS Materials
134 pages
Participant Guide Servicenow Module
No ratings yet
Participant Guide Servicenow Module
80 pages
ServiceNow Data Model v2.7
100% (8)
ServiceNow Data Model v2.7
41 pages
Core Topics For ServiceNow System Administration
50% (2)
Core Topics For ServiceNow System Administration
4 pages
ServiceNow System Administrator From 0 To Hero PDF
100% (4)
ServiceNow System Administrator From 0 To Hero PDF
41 pages
Snow Admin FAQ
100% (4)
Snow Admin FAQ
50 pages
Change Management: Servicenow User Guide
100% (2)
Change Management: Servicenow User Guide
35 pages
Service Now Preparation Part2
67% (3)
Service Now Preparation Part2
25 pages
Servicenow Cookbook 2nd PDF
91% (11)
Servicenow Cookbook 2nd PDF
583 pages
Webinar ITIL4 and ServiceNow
No ratings yet
Webinar ITIL4 and ServiceNow
24 pages
Now On Now: How Servicenow Has Transformed Its Own GRC Processes
No ratings yet
Now On Now: How Servicenow Has Transformed Its Own GRC Processes
13 pages
ITSM Solutions for ServiceNow Users
No ratings yet
ITSM Solutions for ServiceNow Users
107 pages
ServiceNow Interview Questions
100% (4)
ServiceNow Interview Questions
13 pages
IT Asset Management
100% (1)
IT Asset Management
237 pages
ServiceNow Admin Exam Practice 2019
No ratings yet
ServiceNow Admin Exam Practice 2019
49 pages
Service-Now Implementations Exam Questions
80% (15)
Service-Now Implementations Exam Questions
22 pages
Servicenow Interview Questions From Interviewbit
No ratings yet
Servicenow Interview Questions From Interviewbit
20 pages
ServiceNow Integrations With Microsoft Teams Installation Guide
100% (1)
ServiceNow Integrations With Microsoft Teams Installation Guide
17 pages
ServiceNow ITIL Incident Implementation
100% (2)
ServiceNow ITIL Incident Implementation
42 pages
ServiceNow CSA - Study Items Checklist (Answers)
No ratings yet
ServiceNow CSA - Study Items Checklist (Answers)
32 pages
Introduction To ServiceNow
No ratings yet
Introduction To ServiceNow
112 pages
ServiceNow Integration Manual for Geneos
No ratings yet
ServiceNow Integration Manual for Geneos
11 pages
9.scheduled Script Executions and Events Objectives
No ratings yet
9.scheduled Script Executions and Events Objectives
34 pages
ServiceNow Certified System Administrator Practice Exam 2019 Set 5
No ratings yet
ServiceNow Certified System Administrator Practice Exam 2019 Set 5
48 pages
ServiceNow Scripting Guide
100% (1)
ServiceNow Scripting Guide
141 pages
Sciencelogic Integration Service Servicenow 1-8-0
No ratings yet
Sciencelogic Integration Service Servicenow 1-8-0
119 pages
Servicenow Tutorial
100% (1)
Servicenow Tutorial
413 pages
ServiceNow Roadmap: Quick Value Guide
No ratings yet
ServiceNow Roadmap: Quick Value Guide
5 pages
The Lightspeed Enterprise: © 2017 Servicenow All Rights Reserved 1 © 2017 Servicenow All Rights Reserved
No ratings yet
The Lightspeed Enterprise: © 2017 Servicenow All Rights Reserved 1 © 2017 Servicenow All Rights Reserved
81 pages
Servicenow Newyork Release Notes
100% (2)
Servicenow Newyork Release Notes
580 pages
SAM Process Guide
No ratings yet
SAM Process Guide
115 pages
Servicenow Training Course Content
0% (1)
Servicenow Training Course Content
18 pages
Service Management With CSDM
100% (2)
Service Management With CSDM
3 pages
CMDB - Process Guide - 09 - 20 - 23
No ratings yet
CMDB - Process Guide - 09 - 20 - 23
34 pages
ServiceNow-FlexNet Manager Integration Guide
No ratings yet
ServiceNow-FlexNet Manager Integration Guide
24 pages
Aptris ServiceNow Ebook
100% (1)
Aptris ServiceNow Ebook
14 pages
ServiceNow System Administration Course
0% (1)
ServiceNow System Administration Course
4 pages
Scripting Guide ServiceNow
63% (8)
Scripting Guide ServiceNow
140 pages
H.Governance, Risk, and Compliance (GRC) (PDFDrive)
100% (2)
H.Governance, Risk, and Compliance (GRC) (PDFDrive)
261 pages
I.governance, Risk, and Compliance (GRC) (PDFDrive)
No ratings yet
I.governance, Risk, and Compliance (GRC) (PDFDrive)
291 pages
Servicenow Governance, Risk, and Compliance
No ratings yet
Servicenow Governance, Risk, and Compliance
2 pages
SN-GRCF-M010 Course Syllabus
No ratings yet
SN-GRCF-M010 Course Syllabus
5 pages
BRE1619 Law ServiceNow Knowledge 19 Final Presentation
No ratings yet
BRE1619 Law ServiceNow Knowledge 19 Final Presentation
25 pages
GRC Projects - 6c5c-Af29-F834d5cdc05c
No ratings yet
GRC Projects - 6c5c-Af29-F834d5cdc05c
2 pages
Orlando Governance Risk and Compliance 7-1-2020
No ratings yet
Orlando Governance Risk and Compliance 7-1-2020
4 pages
IT Compliance - Anushree Randad
No ratings yet
IT Compliance - Anushree Randad
21 pages
Blueprint MC Configure The CMDB Simulator
No ratings yet
Blueprint MC Configure The CMDB Simulator
4 pages
ServiceNow Admin Essentials
No ratings yet
ServiceNow Admin Essentials
11 pages
Certified System Administrator Exam Questions
No ratings yet
Certified System Administrator Exam Questions
4 pages
You'Re Using ChatGPT Wrong! Here's How To Be Ahead of 99% of ChatGPT Users - by The PyCoach - Mar, 2023 - Artificial Corner
No ratings yet
You'Re Using ChatGPT Wrong! Here's How To Be Ahead of 99% of ChatGPT Users - by The PyCoach - Mar, 2023 - Artificial Corner
1 page
Lessons from Makato's Journey
No ratings yet
Lessons from Makato's Journey
29 pages
Program Coordinator - ICT Position Overview
No ratings yet
Program Coordinator - ICT Position Overview
4 pages
Hardware
100% (1)
Hardware
2 pages
RP9 Standard Table Views PDF
100% (1)
RP9 Standard Table Views PDF
291 pages
Catalogue
No ratings yet
Catalogue
13 pages
Harrison
No ratings yet
Harrison
5 pages
Clinton's Presentation
No ratings yet
Clinton's Presentation
80 pages
Recertification Guide
No ratings yet
Recertification Guide
32 pages
Executive Order
No ratings yet
Executive Order
5 pages
Bank Reconciliation Statement-Theory
No ratings yet
Bank Reconciliation Statement-Theory
29 pages
MOURI Tech Aptitude Test Instructions
No ratings yet
MOURI Tech Aptitude Test Instructions
3 pages
KWIA2082
No ratings yet
KWIA2082
4 pages
Chapter 2
No ratings yet
Chapter 2
6 pages
Gopala Tapani Upanishad Overview
100% (1)
Gopala Tapani Upanishad Overview
2 pages
Money
No ratings yet
Money
3 pages
Speech On Science and Technology
No ratings yet
Speech On Science and Technology
4 pages
Amara - RETHINKING THE BEDOUIN IN OTTOMAN SOUTHERN PALESTINE PDF
No ratings yet
Amara - RETHINKING THE BEDOUIN IN OTTOMAN SOUTHERN PALESTINE PDF
19 pages
SS Grade 1 - Environmental Activities
No ratings yet
SS Grade 1 - Environmental Activities
22 pages
Tamil Brahmins: A Cultural Journey
No ratings yet
Tamil Brahmins: A Cultural Journey
5 pages
Mejia-Espinoza Ejectment Case Ruling
No ratings yet
Mejia-Espinoza Ejectment Case Ruling
1 page
Talk To Me Like The Rain and Let Me Listen by Tennessee Williams
67% (3)
Talk To Me Like The Rain and Let Me Listen by Tennessee Williams
11 pages
MSW Assignment 3 23261 NC 019
No ratings yet
MSW Assignment 3 23261 NC 019
9 pages
Chartered Engineer Profile: Doug Scott
No ratings yet
Chartered Engineer Profile: Doug Scott
6 pages
Understanding Family Legacies
No ratings yet
Understanding Family Legacies
32 pages
Muhammad Suleman CV
No ratings yet
Muhammad Suleman CV
2 pages
Iraq Visa Application Requirements Guide
No ratings yet
Iraq Visa Application Requirements Guide
3 pages
BY, K.Naveen Kumar 121563
No ratings yet
BY, K.Naveen Kumar 121563
20 pages
Xii Arts Result 2025
No ratings yet
Xii Arts Result 2025
2 pages
Sustainable Agriculture Conference 2026
No ratings yet
Sustainable Agriculture Conference 2026
41 pages