🔍 Introduction
In ServiceNow IRM, risks are not a one-size-fits-all concept. Depending on the context, risk can be tied directly to business assets, or it can be assessed at a broader operational level. This leads us to two distinct approaches: Entity-Based Risk Management and Operational Risk Management.
Both are crucial, but they serve different purposes. In this article, we’ll explore their differences, how they’re applied, and when to use one over the other.
🧱 What Is Entity-Based Risk?
Entity-Based Risk Management links risks directly to specific items or entities in the CMDB — such as:
-
Business Services
-
Applications
-
Servers or Network Devices
-
Organizational Units
These risks are contextual — they impact a specific configuration item or business capability. For example:
-
“Risk of unpatched vulnerabilities on critical application XYZ.”
-
“Database outage risk for Customer Billing CI.”
Benefits of Entity-Based Risk:
-
Deep CMDB integration
-
Impact analysis via dependency maps
-
Prioritized remediation based on asset criticality
-
Useful for incident correlation and automation
⚙️ What Is Operational Risk?
Operational Risk Management, on the other hand, is broader and process-focused. It captures risks that span departments, processes, or organizational behaviors. These are not necessarily tied to one asset, but rather to how business is done.
Examples:
-
“Risk of policy violation due to lack of employee training.”
-
“Risk of fraud in vendor procurement process.”
Operational risks are typically derived from:
-
Control failures
-
Policy exceptions
-
Internal audits
-
Self-assessments and questionnaires
Benefits of Operational Risk:
-
Suitable for compliance and regulatory tracking
-
Strong integration with Policy and Compliance Management
-
Flexible scoring based on control health and assessments
🔄 When to Use Each Type
| Scenario | Use This Type |
|---|---|
| You need to assess risk to a specific business-critical app | Entity-Based Risk |
| You're tracking SOX compliance for financial reporting | Operational Risk |
| The risk is tied to IT infrastructure or CI availability | Entity-Based Risk |
| The risk is behavioral or procedural | Operational Risk |
| Risk ties into CMDB or impact maps | Entity-Based Risk |
| Risk is discovered during audits or control testing | Operational Risk |
🧩 How ServiceNow Supports Both
ServiceNow IRM allows you to:
-
Create risks that reference a Configuration Item (via CMDB)
-
Or risks that are purely process-oriented without CI linkage
-
Use different Risk Scoring Methods depending on the context
-
Leverage different Workflows and Owners (e.g., Service Owner vs. Compliance Manager)
You can even link both types of risk to the same control environment. For example, an operational risk of “weak access controls” could surface an entity-based risk to “Payroll Application.”
✅ Real-World Example
Scenario: A major financial company has an audit finding around data access control.
-
An operational risk is logged for “Improper access management processes.”
-
The same control failure exposes sensitive data on a cloud-hosted HR system, triggering an entity-based risk tied to that CI.
This dual-layer approach helps:
-
Identify systemic (operational) weaknesses
-
Trace direct (entity) impact on IT assets
🧭 Conclusion
Understanding the distinction between entity-based and operational risks is key to building a mature, scalable IRM implementation. By using both effectively, organizations can monitor risks at both a strategic and tactical level — and prioritize response based on real-world business impact.
0 comments:
Post a Comment