Home New York Governance, Risk, and Compliance Governance, Risk, and Compliance Risk Management Understanding Risk Management Advanced risk assessment

Advanced risk assessment

With Governance, Risk, and Compliance (GRC) Advanced Risk Assessment, create an integrated risk platform. This integrated platform supports various kinds of risk assessment methodologies and enables customers to integrate risk assessment as a part of their overall decision-making process.

Advanced risk assessment offers the following benefits:

Digitizes the complete risk management life cycle including risk identification, risk analysis, risk evaluation, risk treatment, and monitoring
Customizes the risk assessment process as per the unique needs of an organization. This customization includes configuring the assessment criteria, the context, and overall risk scoring logic in an easy method.
Supports both qualitative and quantitative risk assessment methods so that you can analyze the risks efficiently.
Aggregates the bottom-up risk assessments scores automatically across the risk.
Enables embedding the risk assessment process in the workspace for the first line users. This embedding helps users to make informed decisions based on the risks associated with the actions.

Note: To know if your current license entitles you to Advanced Risk Assessments, contact ServiceNow.

Before understanding Advanced Risk Assessment in detail, it is important to understand the five key principles of risk management:

Risk identification: Find, describe, and recognize an uncertainty that might help or prevent an organization in achieving its objectives.
Risk analysis: Understand the cause and consequence of the risk if the risk materializes.
Risk evaluation: Compare of the results of the risk analysis, with the established risk criteria, to determine if additional action is required.
Risk treatment: Define an action plan to address the risk.
Risk monitoring: Track the risk posture of the organization and communicating it to relevant stakeholders.

Risk assessment consists of risk identification, risk analysis, and risk evaluation. Advanced risk assessment is performed based on factors or questions and their responses. It can be performed for an entity such as an organization. To be able to use advanced risk assessment, users must enable the Migrate to Advanced Risk Assessments property located under the Administration module.

Advanced risk assessment enables the users to do a detailed assessment of the risks where the inherent risks, mitigating controls, and residual risks are assessed. If a user does not have the complete GRC setup for entities, risk statements, controls, and so on, they can still assess the risks on any ServiceNow® record or object. An example of object assessment is assessing change management. During risk assessment, the following risks are assessed:

Inherent risks: Inherent risk is the risk level without controls. For example, driving at a high speed on a highway is inherently more of a risk than driving at a moderate speed. The score of this inherent risk is derived by multiplying the impact of the risk and the likelihood of the risk.
Control effectiveness: Controls can either mitigate the impact or the likelihood. Examples of controls can be that the highways have speed limit monitors, speed control mechanisms within the vehicle and so on. In case a risk materializes, the controls mitigate the impact. Controls can be preventive, detective, or corrective. Preventive controls are designed to prevent errors, inaccuracies, or fraud before they occur. Detective controls are intended to discover the existence of errors, inaccuracies, or fraud that has already occurred. Corrective controls are designed to correct errors or irregularities that have been detected.
Residual risks: Residual risk is the leftover risk after the implementation of controls. For example, despite the safety measures in place, if there’s still an accident, then the damage caused by the accident is a residual risk.

The steps for setting up advanced risk assessment are:

Risk Assessment Methodology (RAM): This is a setup activity performed by a risk administrator, with the role sn_risk.admin, where the administrator defines
- What is being assessed? Is it a risk or is it an object?
- How it being assessed? This includes assessment criteria, risk scoring, and reporting preferences.
Assessment scope: After the RAM is defined, the entity owner defines and identifies the following:
- The relevant risks for the entity.
- The assessors and approvers for those assessments.
- Periodicity of those risk assessments.
Risk Assessment: During this stage, the risk assessor with the role sn_risk.user role performs the assessment tasks by:
- Assessing the inherent risks, effectiveness of mitigating controls
- Reviewing the residual risk and defining the risk treatment plan.
- Triggering the review and approval workflow.

To use advanced risk assessment, you must first define factors or questions that appear during the assessment. Factors that require human input are called Manual factors. Factors for which the responses are automatically calculated are called Automated factors. When factors are grouped logically, they are called Group factors. After you define the factors and publish them, you must create a RAM and associate the factors to the assessment types within the RAM. Publish each of the selected assessment types before the RAM is published. A risk administrator can select the assessment types for which the assessment must be performed. Depending on the assessment types and options that you select for your RAM, your risk assessment instance is created. The risk assessment instance is where the risk assessor evaluates the risks.

Previous topic

Next topic

Release version

Advanced risk assessment

Advanced risk assessment offers the following benefits:

Digitizes the complete risk management life cycle including risk identification, risk analysis, risk evaluation, risk treatment, and monitoring
Customizes the risk assessment process as per the unique needs of an organization. This customization includes configuring the assessment criteria, the context, and overall risk scoring logic in an easy method.
Supports both qualitative and quantitative risk assessment methods so that you can analyze the risks efficiently.
Aggregates the bottom-up risk assessments scores automatically across the risk.
Enables embedding the risk assessment process in the workspace for the first line users. This embedding helps users to make informed decisions based on the risks associated with the actions.

Note: To know if your current license entitles you to Advanced Risk Assessments, contact ServiceNow.

Before understanding Advanced Risk Assessment in detail, it is important to understand the five key principles of risk management:

Risk identification: Find, describe, and recognize an uncertainty that might help or prevent an organization in achieving its objectives.
Risk analysis: Understand the cause and consequence of the risk if the risk materializes.
Risk evaluation: Compare of the results of the risk analysis, with the established risk criteria, to determine if additional action is required.
Risk treatment: Define an action plan to address the risk.
Risk monitoring: Track the risk posture of the organization and communicating it to relevant stakeholders.

Inherent risks: Inherent risk is the risk level without controls. For example, driving at a high speed on a highway is inherently more of a risk than driving at a moderate speed. The score of this inherent risk is derived by multiplying the impact of the risk and the likelihood of the risk.
Control effectiveness: Controls can either mitigate the impact or the likelihood. Examples of controls can be that the highways have speed limit monitors, speed control mechanisms within the vehicle and so on. In case a risk materializes, the controls mitigate the impact. Controls can be preventive, detective, or corrective. Preventive controls are designed to prevent errors, inaccuracies, or fraud before they occur. Detective controls are intended to discover the existence of errors, inaccuracies, or fraud that has already occurred. Corrective controls are designed to correct errors or irregularities that have been detected.
Residual risks: Residual risk is the leftover risk after the implementation of controls. For example, despite the safety measures in place, if there’s still an accident, then the damage caused by the accident is a residual risk.

The steps for setting up advanced risk assessment are:

Risk Assessment Methodology (RAM): This is a setup activity performed by a risk administrator, with the role sn_risk.admin, where the administrator defines
- What is being assessed? Is it a risk or is it an object?
- How it being assessed? This includes assessment criteria, risk scoring, and reporting preferences.
Assessment scope: After the RAM is defined, the entity owner defines and identifies the following:
- The relevant risks for the entity.
- The assessors and approvers for those assessments.
- Periodicity of those risk assessments.
Risk Assessment: During this stage, the risk assessor with the role sn_risk.user role performs the assessment tasks by:
- Assessing the inherent risks, effectiveness of mitigating controls
- Reviewing the residual risk and defining the risk treatment plan.
- Triggering the review and approval workflow.

How search works:

Topics are ranked in search results by how closely they match your search terms

Advanced risk assessment

Advanced risk assessment

On this page

Advanced risk assessment

Advanced risk assessment

Log in to personalize your search results and subscribe to topics