1. ServiceNow IRM Overview
Definition:
ServiceNow IRM helps organizations identify, assess, and monitor risks and compliance across IT and business processes. It integrates risk, audit, and compliance management into a single platform.
Key Modules in IRM:
Policy and Compliance Management (PCM) – Track policies, standards, and compliance controls.
Risk Management – Identify, assess, and mitigate risks.
Third-Party Risk Management (TPRM; ServiceNow sells this module as Vendor Risk Management) – Manage vendor and supplier risks.
Audit Management – Plan and manage audits.
Issue Management – Track issues arising from risks or audits.
Continuous Monitoring – Monitor controls continuously.
2. IRM Lifecycle
The IRM lifecycle represents how risks and compliance are managed from identification to closure:
Identify
Identify business assets, processes, and risks.
Tools: Risk register, TPRM assessments.
Assess
Evaluate risks based on impact and likelihood.
Methods: Inherent vs residual risk, scoring, control effectiveness.
Respond / Mitigate
Implement controls or action plans to reduce risk.
Use workflows, task assignments, and remediation plans.
Monitor / Review
Continuously track risk status, control effectiveness, and compliance.
Automated dashboards, notifications, and reports.
Report / Close
Generate reports for stakeholders.
Close risks or issues when resolved.
3. IRM Configuration Steps (Implementation)
Below are steps typically performed by a ServiceNow IRM developer/admin:
| Step | Description | Table Names (backend) |
|---|---|---|
| 1. Activate Plugins | Enable IRM, PCM, Risk, TPRM, Audit modules | sys_plugins |
| 2. Configure Risk Categories & Subcategories | Define categories to classify risks | sn_risk_category, sn_risk_sub_category |
| 3. Configure Risk Assessments | Setup assessment templates for risks | sn_risk_assessment_template, sn_risk_assessment |
| 4. Configure Controls | Define controls and map to risks | sn_compliance_control |
| 5. Configure Policies & Compliance | Create policies, standards, and assign controls | sn_compliance_policy, sn_compliance_standard |
| 6. Configure Third Party/Vendor Risk | Setup vendor records, questionnaires, and assessments | sn_tprm_vendor, sn_tprm_assessment |
| 7. Configure Risk Scoring | Setup risk scoring criteria (impact, likelihood, risk score formula) | sn_risk_score |
| 8. Configure Workflows & Tasks | Automate risk mitigation, issue management | wf_workflow, sn_risk_task |
| 9. Configure Dashboards & Reports | Create IRM dashboards for risk/compliance reporting | pa_dashboards, pa_indicators |
| 10. Configure Notifications | Alerts for risk changes, issue assignments | sysevent_email_action |

The backend column gives indicative names only. Several IRM tables are named differently in the product (for example the Risk table is sn_risk_risk, issues are stored in sn_grc_issue, and controls in sn_compliance_control), and names change between releases. Before quoting a table in an interview or a script, confirm it in your instance through sys_db_object or by opening the table's list view (`<table>_list.do`).
4. Common IRM Interview Q&A (2-Year Experience Level)
Q1: What is the difference between Risk and Issue in ServiceNow IRM?
A: Risk is a potential event that can affect business objectives. Issue is an actual event that has occurred and requires remediation.
Q2: What is a Control in IRM?
A: Control is a measure implemented to reduce risk likelihood or impact. Controls are linked to policies and risks.
Q3: How do you configure a Risk Assessment?
Navigate to Risk > Assessments.
Select a Risk Assessment Template.
Define assessment questions.
Assign to risk owners.
Automate notifications and scoring.
Q4: Explain Residual vs Inherent Risk.
Inherent Risk: Risk level without controls.
Residual Risk: Risk level after implementing controls.
Q5: How do you link a Policy to a Control?
Open the policy record → Related Controls → Add existing control(s) from sn_compliance_control.
Q6: How is TPRM different from standard Risk Management?
TPRM focuses on third-party/vendor risks.
Includes vendor assessments, questionnaires, and mitigation plans.
Risk Management can include internal and operational risks.
Q7: What tables are most used in IRM?
sn_risk, sn_risk_category, sn_compliance_control, sn_compliance_policy, sn_tprm_vendor, sn_audit_task, sn_risk_assessment.
Q8: How do you automate risk mitigation tasks?
Create a workflow → Assign task to risk owner → Configure SLA/notifications → Update risk upon completion.
Q9: How do you measure whether risk mitigation is effective?
Track risk scores (likelihood × impact)
Monitor control effectiveness (effective, partially effective, ineffective)
Continuous monitoring dashboards.
Q10: What are Key Dashboards in IRM?
Risk Heatmap
Control Compliance Status
Audit Findings
Vendor Risk Status
Risk Aging/Trends
IRM Workflow Automation & Dashboard – Key Points
1. IRM Workflow Automation
Key Concepts
Automates repetitive risk management tasks: risk creation, risk scoring, risk acceptance, notifications, and remediation assignments.
Tools in ServiceNow:
Flow Designer: Automates risk workflows across IRM modules (Risk, Control, Policy, Issue).
Business Rules: Server-side automation for scoring or status updates.
Scheduled Jobs: Periodic risk assessments, control testing, or risk review reminders.
Notifications & Alerts: Automatic emails for overdue actions or high-risk alerts.
Common Automated Tasks
Risk Scoring: Auto-calculate inherent and residual risk when a risk record is created.
Issue/Control Reminders: Notify owners of overdue issues or control tests.
High-Risk Escalation: Automatically escalate high-risk items to risk manager.
Policy Compliance Checks: Automatically flag risks whose mapped controls are missing, untested, or not tied to an active policy.
Workflow for Risk Acceptance: Route risks for approval and document acceptance in IRM.
Tables & Fields
| Task | Table | Key Fields |
|---|---|---|
| Risk Scoring Automation | sn_risk | risk_score, inherent_risk, residual_risk, risk_status |
| Issue / Control Reminders | sn_risk_issue, sn_risk_control | status, owner, due_date |
| Risk Acceptance Workflow | sn_risk_acceptance | risk, approver, status |
| Risk Lifecycle Updates | sn_risk | risk_status, risk_owner, last_reviewed |
Tricky Workflow Interview Q&A
Q1: How do you automate risk scoring in IRM?
A:
Use a Business Rule or a Flow Designer flow triggered when a risk is created or updated.
Formula example: residual_risk = inherent_risk × (1 − control_effectiveness), where control_effectiveness is expressed as a fraction between 0 (ineffective) and 1 (fully effective).
Update risk_level automatically from the residual score using agreed thresholds.
Tip: mention scheduled re-assessment for ongoing monitoring, since a control's effectiveness rating changes after each test.
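The scoring step in Q1 as an added worked example (this is not code from the page or from ServiceNow): the body of a before-insert/update Business Rule on the risk table, factored into plain functions so it can be run and tested outside an instance. The field names (impact, likelihood, control_effectiveness, inherent_risk, residual_risk, risk_score, risk_level), the effectiveness weights and the level thresholds are all assumptions to be aligned with your dictionary and risk methodology; `current` is stood in for by a plain object exposing GlideRecord's getValue/setValue.

```javascript
// Added example, not from the page or from ServiceNow: scoring logic of a
// "before insert/update" Business Rule on the risk table, factored into plain
// functions so it runs outside an instance. ASSUMED names: the fields impact,
// likelihood, control_effectiveness, inherent_risk, residual_risk, risk_score,
// risk_level; the weights and thresholds below. Verify them against your dictionary.

// Fraction of inherent risk removed by a control at each rating the page lists
// (effective / partially effective / ineffective). Assumed weights.
var EFFECTIVENESS_WEIGHT = {
  effective: 0.75,
  partially_effective: 0.4,
  ineffective: 0.0
};

// Level thresholds on a 1-25 scale (impact 1-5 x likelihood 1-5). Assumed values,
// ordered highest first so the first match wins.
var LEVEL_THRESHOLDS = [
  { min: 15, level: 'high' },
  { min: 6, level: 'medium' },
  { min: 1, level: 'low' }
];

// Clamp a raw field value onto the 1-5 scale; GlideRecord.getValue returns strings,
// and a bad import ("abc", 9) must not produce an out-of-range score.
function onScale(value) {
  var n = Math.round(Number(value));
  if (isNaN(n)) return 1;
  return Math.min(5, Math.max(1, n));
}

function inherentScore(impact, likelihood) {
  return onScale(impact) * onScale(likelihood);
}

// residual = inherent x (1 - control_effectiveness); an unknown rating counts as
// no mitigation, and residual is floored at 1 and can never exceed inherent.
function residualScore(inherent, effectiveness) {
  var weight = EFFECTIVENESS_WEIGHT.hasOwnProperty(effectiveness)
    ? EFFECTIVENESS_WEIGHT[effectiveness] : 0;
  return Math.max(1, Math.round(inherent * (1 - weight)));
}

function riskLevel(score) {
  for (var i = 0; i < LEVEL_THRESHOLDS.length; i++) {
    if (score >= LEVEL_THRESHOLDS[i].min) return LEVEL_THRESHOLDS[i].level;
  }
  return 'low';
}

// Business Rule body. `current` is the record being saved; only getValue/setValue
// are used so a plain object can stand in for GlideRecord when testing.
function scoreRisk(current) {
  var inherent = inherentScore(current.getValue('impact'), current.getValue('likelihood'));
  // No control mapped yet => treat as ineffective, never as "no risk".
  var rating = current.getValue('control_effectiveness') || 'ineffective';
  var residual = residualScore(inherent, rating);
  var level = riskLevel(residual);
  current.setValue('inherent_risk', inherent);
  current.setValue('residual_risk', residual);
  current.setValue('risk_score', residual);  // dashboards on the page key off risk_score
  current.setValue('risk_level', level);
  return { inherent: inherent, residual: residual, level: level };
}

// Minimal GlideRecord stand-in for running this outside ServiceNow.
function fakeRecord(fields) {
  return {
    getValue: function (name) { return fields.hasOwnProperty(name) ? String(fields[name]) : ''; },
    setValue: function (name, value) { fields[name] = value; },
    fields: fields
  };
}
```

In the instance the Business Rule's Advanced script would simply call `scoreRisk(current)`; keeping the arithmetic in standalone functions is what makes it unit-testable. Clamping the inputs means a bad import (impact 9, likelihood "abc") lands on the scale instead of producing an out-of-range score, and treating an unset effectiveness as ineffective ensures a risk with no mapped control never receives a discounted residual.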
Q2: How do you manage overdue risk remediation tasks?
A:
A Flow Designer flow (or a scheduled job) checks due_date on open records in sn_risk_issue.
Send email alerts to the risk owner and their manager, and escalate to the risk manager once the SLA is breached.
Add an audit note (work note) on the sn_risk_issue record so the escalation is evidenced for compliance tracking.
Q3: Can workflows in IRM integrate with TPRM or CMDB?
A:
Yes. High-risk vendors in TPRM feed the IRM risk register (sn_risk).
Risks associated with critical CIs (cmdb_ci) trigger workflows to the asset owners.
This shows enterprise-level risk aggregation across systems.
2. Dashboard, KPI & KRI
Key Concepts
KPIs (Key Performance Indicators): Track effectiveness of IRM processes.
KRIs (Key Risk Indicators): Track risk exposure and threat trends.
Widgets: Visualize metrics, trends, and alerts in dashboards.
Common KPIs & KRIs in IRM
| Type | Metric | Table/Fields | Purpose |
|---|---|---|---|
| KPI | % Risks Reviewed On Time | sn_risk → last_reviewed, review_due_date | Ensures timely risk management |
| KPI | % Issues Resolved On Time | sn_risk_issue → due_date, status | Tracks risk mitigation efficiency |
| KRI | # High-Risk Items | sn_risk → risk_level | Tracks enterprise risk exposure |
| KRI | Overdue Control Tests | sn_risk_control → status, due_date | Measures compliance & control effectiveness |
| KRI | Pending Risk Acceptances | sn_risk_acceptance → status | Tracks unapproved risks |
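The overdue check described in workflow Q2 and two of the metrics in the table above, as an added worked example (not code from the page or from ServiceNow): the logic a Flow Designer flow or scheduled job would run over issue and control-test records to find overdue items, choose the escalation tier from the SLA, and compute "% Issues Resolved On Time" and "Overdue Control Tests". The records are constructed inline; in an instance they would come from GlideRecord queries on the issue and control tables (the page's sn_risk_issue and sn_risk_control, names to be confirmed in your instance). The SLA rungs and field names are assumptions.

```javascript
// Added example, not from the page or from ServiceNow: the check a Flow Designer
// flow or scheduled job would run over remediation issues and control tests to
// find overdue items, pick the escalation tier from the SLA, and compute the
// KPI/KRI figures. Records are CONSTRUCTED here; in an instance they come from
// GlideRecord queries on the issue and control tables (the page's sn_risk_issue /
// sn_risk_control; confirm the names). Field names and SLA values are assumed.

var DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample issues (fields follow the page's table: status, owner, due_date).
var ISSUES = [
  { number: 'ISS0001', owner: 'alice', manager: 'bob',  due_date: '2024-05-01', status: 'open' },
  { number: 'ISS0002', owner: 'carol', manager: 'bob',  due_date: '2024-05-10', status: 'open' },
  { number: 'ISS0003', owner: 'alice', manager: 'bob',  due_date: '2024-04-01', status: 'closed', closed_at: '2024-03-28' },
  { number: 'ISS0004', owner: 'dave',  manager: 'erin', due_date: '2024-04-10', status: 'closed', closed_at: '2024-04-15' },
  { number: 'ISS0005', owner: 'dave',  manager: 'erin', due_date: '2024-05-06', status: 'open' },
  { number: 'ISS0006', owner: 'carol', manager: 'erin', due_date: '2024-06-30', status: 'open' }
];

// Constructed sample control tests.
var CONTROL_TESTS = [
  { number: 'CTL0001', status: 'scheduled', due_date: '2024-04-30' },
  { number: 'CTL0002', status: 'complete',  due_date: '2024-04-30' },
  { number: 'CTL0003', status: 'scheduled', due_date: '2024-07-01' }
];

// Escalation ladder: who is notified at how many days past due. Assumed SLA,
// ordered longest first so the first matching rung wins.
var ESCALATION = [
  { afterDays: 14, tier: 'risk_manager' },
  { afterDays: 7,  tier: 'manager' },
  { afterDays: 0,  tier: 'owner' }
];

// Statuses that mean "nothing left to chase".
var DONE = { closed: true, complete: true };

// Whole days between the due date (taken as UTC midnight) and the as-of instant.
function daysOverdue(record, asOf) {
  var due = new Date(record.due_date + 'T00:00:00Z').getTime();
  return Math.floor((asOf.getTime() - due) / DAY_MS);
}

// Open records past due, each tagged with the escalation tier to notify now.
// Returning the list (rather than sending mail here) keeps the decision testable;
// the flow's notification step consumes it.
function overdueItems(records, asOf) {
  var out = [];
  records.forEach(function (r) {
    if (DONE[r.status]) return;
    var days = daysOverdue(r, asOf);
    if (days <= 0) return;
    var tier = 'owner';
    for (var i = 0; i < ESCALATION.length; i++) {
      if (days >= ESCALATION[i].afterDays) { tier = ESCALATION[i].tier; break; }
    }
    out.push({ number: r.number, daysOverdue: days, escalateTo: tier });
  });
  return out;
}

// KPI "% Issues Resolved On Time": share of closed issues closed on or before
// due_date. ISO yyyy-mm-dd strings compare correctly as plain strings.
function pctIssuesResolvedOnTime(issues) {
  var closed = issues.filter(function (i) { return i.status === 'closed'; });
  if (closed.length === 0) return 0;  // no closures in the period: avoid divide-by-zero
  var onTime = closed.filter(function (i) { return i.closed_at <= i.due_date; }).length;
  return Math.round(100 * onTime / closed.length);
}

// KRI "Overdue Control Tests": scheduled tests past their due date.
function overdueControlTests(tests, asOf) {
  return overdueItems(tests, asOf).length;
}
```

The same `overdueItems` function drives both the reminder/escalation step and the KRI count, which is the point of the page's "automation → dashboards → KRIs" chain: the dashboard number and the notification are computed from one definition of "overdue", so they cannot disagree. Run as of 2024-05-15 the constructed data yields three overdue issues at three different escalation tiers, a 50% on-time resolution KPI, and one overdue control test.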
Widgets for IRM Dashboards
Pie Chart: Risk distribution by level (High, Medium, Low)
Bar Chart: Overdue issues or control tests per department
List/Grid Widget: Pending risk acceptance or remediation tasks
KPI Indicator: % risks reviewed on time
Trend Chart / Heatmap: Track risk exposure over time or by business unit
Tricky Dashboard / KPI Q&A
Q4: What is the difference between KPI and KRI in IRM?
A:
KPI: Measures process efficiency (e.g., % risk reviews on time).
KRI: Measures actual risk exposure (e.g., # high-risk risks overdue).
Trick: Always link KRI to business impact or regulatory compliance.
Q5: How do you prioritize risk remediation if multiple high-risk issues exist?
A:
Sort by risk_level × criticality (sn_risk + sn_risk_issue).
Assign remediation tasks to responsible owners.
Escalate overdue items via workflow.
Monitor completion via dashboard KRI widgets.
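The ranking step in Q5 as an added worked example (not code from the page or from ServiceNow): open remediation issues are scored by risk level × asset criticality, with ties broken by regulatory relevance and then earliest due date, so the order is deterministic and defensible. The issue records are constructed inline; in an instance they would be read with a GlideRecord query joining each issue to its parent risk (risk_level) and CI (criticality). The weights, the field names and the tie-break order are assumptions.

```javascript
// Added example, not from the page or from ServiceNow: prioritisation of open
// remediation issues by risk level x asset criticality, with deterministic
// tie-breakers. Records are CONSTRUCTED; weights and field names are assumed.

var LEVEL_WEIGHT = { high: 3, medium: 2, low: 1 };

// CMDB-style business criticality, where 1 is the most critical. Assumed mapping;
// an unknown or missing criticality is ranked lowest rather than guessed.
var CRITICALITY_WEIGHT = { '1': 4, '2': 3, '3': 2, '4': 1 };

function priorityScore(issue) {
  var lw = LEVEL_WEIGHT[issue.risk_level] || 1;
  var cw = CRITICALITY_WEIGHT[String(issue.criticality)] || 1;
  return lw * cw;
}

// Returns issue numbers from most to least urgent. Ties on score go to regulatory
// issues first, then the earliest due_date, then original order (stable sort).
function prioritise(issues) {
  var tagged = issues.map(function (i, idx) {
    return { issue: i, score: priorityScore(i), idx: idx };
  });
  tagged.sort(function (a, b) {
    if (b.score !== a.score) return b.score - a.score;
    if (a.issue.regulatory !== b.issue.regulatory) return a.issue.regulatory ? -1 : 1;
    if (a.issue.due_date !== b.issue.due_date) return a.issue.due_date < b.issue.due_date ? -1 : 1;
    return a.idx - b.idx;
  });
  return tagged.map(function (t) { return t.issue.number; });
}

// Constructed sample: four high/medium issues that a naive "sort by level" would
// misorder, plus one with no CI criticality recorded.
var OPEN_ISSUES = [
  { number: 'ISS0101', risk_level: 'high',   criticality: 3, regulatory: false, due_date: '2024-06-01' },
  { number: 'ISS0102', risk_level: 'medium', criticality: 1, regulatory: true,  due_date: '2024-06-10' },
  { number: 'ISS0103', risk_level: 'high',   criticality: 1, regulatory: false, due_date: '2024-06-15' },
  { number: 'ISS0104', risk_level: 'high',   criticality: 3, regulatory: true,  due_date: '2024-06-20' },
  { number: 'ISS0105', risk_level: 'low',    criticality: undefined, regulatory: false, due_date: '2024-05-01' }
];
```

Note what the weighting does on the constructed data: the medium risk on a criticality-1 asset (ISS0102, score 8) outranks a high risk on a criticality-3 asset (ISS0101, score 6), which is exactly the trade-off the Q5 answer is asking you to make explicit rather than sort on risk_level alone. The two score-6 issues are separated by the regulatory flag, not by whoever created the record first.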
Q6: Scenario: “Several high-risk risks are not reviewed, and dashboards show overdue. What steps would you take?”
A:
Identify the risk owners → check sn_risk.last_reviewed.
Trigger automated reminder notifications.
Escalate to risk manager if overdue beyond SLA.
Document audit note for compliance.
Update dashboard once action taken.
Q7: How do you ensure dashboards reflect current data?
Distinguish the two widget sources: Performance Analytics indicators are populated by scheduled data-collection jobs, so they show trends as of the last collection, not live state; report-based widgets query the risk and issue tables when the dashboard loads, so use them for live counts and lists.
Schedule PA collection frequently enough for the audience (daily is typical) and show the last collection date on the dashboard.
Customize dashboards for roles: Risk Officer, Audit, Compliance, and Management.
Quick Daily-Life Tricks for IRM Interviews
Always link automation → dashboards → KRIs/KPIs → risk mitigation.
Use table and field examples: sn_risk, sn_risk_issue, sn_risk_control, sn_risk_acceptance.
Scenario-based questions test how you prioritize high-risk risks, handle overdue issues, or automate alerts.
Know common dashboard widgets and how KPIs/KRIs differ.
Show understanding of TPRM integration, CMDB integration, and IRM lifecycle flow.
Category 1: Risk Identification & Categorization
Q1: A business process has multiple dependencies across departments. How do you ensure all risks are identified?
A: Map the process end-to-end, identify assets, stakeholders, and dependencies, and use workshops/questionnaires to capture hidden risks.
Q2: You find a risk that could impact multiple business units. How do you categorize it?
A: Assign primary category based on the most affected unit but link to all impacted units using risk relationships.
Q3: A risk is detected but has no control assigned. What’s your approach?
A: Document the risk, assess its inherent impact and likelihood, and escalate to assign a mitigation control.
Q4: A new regulation affects multiple policies. How do you identify risks due to this?
A: Conduct a regulatory impact assessment linking policies, controls, and affected processes.
Q5: A risk shows low likelihood but high impact. How is it prioritized?
A: Prioritize using risk scoring (Impact × Likelihood). Even low probability/high impact risks require attention.
Category 2: Risk Assessment & Scoring
Q6: How do you handle a risk where multiple people provide conflicting impact scores?
A: Use a consensus approach, weighted scoring, or involve a risk committee for final assessment.
Q7: Residual risk score remains high even after control implementation. What would you do?
A: Reassess control effectiveness, implement additional controls, or escalate to management for acceptance.
Q8: A risk is detected mid-audit. How do you assess it quickly?
A: Use rapid assessment templates, assign to risk owner, and document preliminary impact/likelihood.
Q9: You notice risk scores vary between departments. What could be the reason?
A: Differences in perception, scoring methodology, or incomplete risk data. Standardize scoring criteria.
Q10: When is it acceptable to accept a risk without mitigation?
A: When residual risk is within risk appetite/tolerance or mitigation cost outweighs benefit.
Category 3: Control Mapping & Effectiveness
Q11: A control is partially effective against a risk. How do you reflect this?
A: Mark control effectiveness as “Partial” and consider additional mitigation or alternative controls.
Q12: One control maps to multiple risks. How do you monitor effectiveness?
A: Track control performance for all linked risks; update scores if the control fails any risk.
Q13: How do you handle obsolete controls?
A: Retire obsolete controls and update linked risks; document reason for audit trail.
Q14: A control fails testing. What’s your next step?
A: Trigger remediation tasks, update risk residual score, notify control owner.
Q15: Control testing is scheduled but evidence is missing. How do you proceed?
A: Escalate to control owner, document missing evidence, and update compliance dashboard.
Category 4: Advanced Risk Assessment Methodology
Q16: A risk is hard to quantify financially. How do you assess it?
A: Use qualitative scoring (High/Medium/Low) or scenario analysis with estimated impact ranges.
Q17: How do you perform risk aggregation across business units?
A: Aggregate risk scores using weighted average or cumulative scoring; present in risk heatmaps.
Q18: A risk has multiple potential causes. How do you document this?
A: Use root cause analysis and link multiple causes to the same risk record.
Q19: How do you deal with interdependent risks?
A: Use risk relationships in ServiceNow; assess cascading effects and combined impact.
Q20: How do you track emerging risks?
A: Monitor trend indicators, regulatory updates, and stakeholder inputs; add them as new risk records.
Category 5: Risk Treatment & Mitigation
Q21: A high residual risk cannot be fully mitigated. What is your approach?
A: Document mitigation plan, escalate for risk acceptance, and continuously monitor.
Q22: How do you prioritize multiple risks with similar scores?
A: Use additional criteria like risk velocity, regulatory requirement, or business impact.
Q23: A mitigation plan is delayed. What is your action?
A: Notify risk owner, update risk status, and escalate if necessary.
Q24: How do you ensure mitigation tasks are completed on time?
A: Use workflow automation, SLAs, reminders, and dashboards to track task completion.
Q25: How do you handle a risk when multiple mitigation options exist?
A: Evaluate cost-benefit, feasibility, and control effectiveness; select the best option.
Category 6: Risk Monitoring & Reporting
Q26: A risk has multiple owners. Who receives monitoring alerts?
A: All owners linked in the risk record; workflow ensures alerts are sent to all.
Q27: How do you detect if residual risk is increasing?
A: Monitor control failures, incidents, audit findings, and risk trends.
Q28: A report shows outdated risk data. How do you fix it?
A: Validate risk records, update scores, and refresh dashboards.
Q29: How do you measure risk appetite compliance?
A: Compare residual risk scores to predefined risk thresholds.
Q30: How do you communicate risk to executives?
A: Use heatmaps, trend charts, dashboards, and executive summary reports.
Category 7: TPRM / Third-Party Risk Scenarios
Q31: A vendor risk assessment is overdue. What action do you take?
A: Notify vendor manager, escalate to procurement, and update TPRM dashboard.
Q32: Vendor provides incomplete evidence for control testing.
A: Mark assessment as incomplete, escalate to vendor, and document gap.
Q33: A high-risk vendor is critical to operations. What’s the approach?
A: Implement risk mitigation plan, continuous monitoring, and business continuity review.
Q34: How do you handle duplicate vendor risk records?
A: Merge duplicates, update linked risks and assessments.
Q35: Vendor risk assessment shows conflicting risk scores from departments.
A: Align scoring methodology, reconcile differences, document final assessment.
Category 8: Scenario-Based Problem Solving
Q36: You receive a sudden regulatory audit with gaps in risk controls.
A: Prioritize high-impact gaps, assign mitigation tasks, document action plan, and escalate.
Q37: A risk owner disputes your scoring.
A: Review scoring criteria, present data, reach consensus, and update record.
Q38: Residual risk suddenly spikes due to a new incident.
A: Update risk score, trigger mitigation workflow, notify stakeholders.
Q39: A control is effective but not documented in the system.
A: Document control, link to associated risks, and schedule testing.
Q40: Multiple risks are interrelated and affect a project timeline.
A: Map dependencies, assess combined impact, update risk treatment plan.
Category 9: Process & Workflow Challenges
Q41: Automated workflow for risk mitigation fails.
A: Debug workflow, verify task assignment, re-run, and document issue.
Q42: Notifications are not sent to risk owners.
A: Check email actions, workflow triggers, user records, and SLA setup.
Q43: A risk record has inconsistent data across modules.
A: Identify data source, reconcile fields, update risk and related modules.
Q44: Multiple users update the same risk simultaneously.
A: Use an optimistic-concurrency check rather than a hard lock: compare the record's sys_mod_count at load time with its value at save time and reject the stale write, and adjust the workflow so a single assigned owner makes the update.
Q45: How do you ensure risk data integrity?
A: Validate input, enforce mandatory fields, automate audits, and use reports.
Category 10: Advanced Methodology & Best Practices
Q46: How do you handle unknown or “emerging” risks?
A: Document as potential risks, monitor triggers, and periodically reassess.
Q47: How do you combine quantitative and qualitative risk scoring?
A: Use a hybrid scoring model with impact value + qualitative assessment.
Q48: How do you justify risk acceptance to management?
A: Provide risk score, mitigation costs, business impact, and risk appetite alignment.
Q49: How do you maintain audit readiness for risk records?
A: Ensure documentation, evidence, control linkage, timestamps, and approvals.
Q50: How do you improve risk assessment efficiency across departments?
A: Use templates, automated workflows, dashboards, training, and a standardized scoring methodology.