With Governance, Risk, and Compliance (GRC) Advanced Risk Assessment, create an integrated risk
platform. This integrated platform supports various kinds of risk assessment methodologies and
enables customers to integrate risk assessment as a part of their overall decision-making
process.
Advanced risk assessment offers the following benefits:
Digitizes the complete risk management life cycle including risk identification, risk
analysis, risk evaluation, risk treatment, and monitoring
Customizes the risk assessment process as per the unique needs of an organization. This
customization includes configuring the assessment criteria, the context, and overall risk
scoring logic in an easy method.
Supports both qualitative and quantitative risk assessment methods so that you can analyze
the risks efficiently.
Aggregates the bottom-up risk assessments scores automatically across the risk.
Enables embedding the risk assessment process in the workspace for the first line users.
This embedding helps users to make informed decisions based on the risks associated with the
actions.
Note: To know if your current license entitles you to Advanced Risk Assessments, contact ServiceNow .
Before understanding Advanced Risk Assessment in detail, it is important to understand the five
key principles of risk management:
Figure 1. Principles of risk management
Risk identification: Find, describe, and recognize an uncertainty that might help or prevent
an organization in achieving its objectives.
Risk analysis: Understand the cause and consequence of the risk if the risk
materializes.
Risk evaluation: Compare of the results of the risk analysis, with the established risk
criteria, to determine if additional action is required.
Risk treatment: Define an action plan to address the risk.
Risk monitoring: Track the risk posture of the organization and communicating it to relevant
stakeholders.
Risk assessment consists of risk identification, risk analysis, and risk evaluation. Advanced
risk assessment is performed based on factors or questions and their responses. It can be
performed for an entity such as an organization. To be able to use advanced risk assessment,
users must enable the Migrate to Advanced Risk Assessments property located
under the Administration module.
Advanced risk assessment enables the users to do a detailed assessment of the risks where the
inherent risks, mitigating controls, and residual risks are assessed. If a user does not have the
complete GRC setup for entities, risk statements, controls, and so on, they
can still assess the risks on any ServiceNow® record or object. An example of
object assessment is assessing change management. During risk assessment, the following risks are
assessed:
Inherent risks: Inherent risk is the risk level without controls. For example, driving at a
high speed on a highway is inherently more of a risk than driving at a moderate speed. The score
of this inherent risk is derived by multiplying the impact of the risk and the likelihood of the
risk.
Control effectiveness: Controls can either mitigate the impact or the likelihood. Examples of
controls can be that the highways have speed limit monitors, speed control mechanisms within the
vehicle and so on. In case a risk materializes, the controls mitigate the impact. Controls can
be preventive, detective, or corrective. Preventive controls are designed to prevent errors,
inaccuracies, or fraud before they occur. Detective controls are intended to discover the
existence of errors, inaccuracies, or fraud that has already occurred. Corrective controls are
designed to correct errors or irregularities that have been detected.
Residual risks: Residual risk is the leftover risk after the implementation of controls. For
example, despite the safety measures in place, if there’s still an accident, then the damage
caused by the accident is a residual risk.
The steps for setting up advanced risk assessment are:
Risk Assessment Methodology (RAM): This is a setup activity performed by a risk
administrator, with the role sn_risk.admin, where the administrator defines
What is being assessed? Is it a risk or is it an object?
How it being assessed? This includes assessment criteria, risk scoring, and reporting
preferences.
Assessment scope: After the RAM is defined, the entity owner defines and identifies the
following:
The relevant risks for the entity.
The assessors and approvers for those assessments.
Periodicity of those risk assessments.
Risk Assessment: During this stage, the risk assessor with the role sn_risk.user role
performs the assessment tasks by:
Assessing the inherent risks, effectiveness of mitigating controls
Reviewing the residual risk and defining the risk treatment plan.
Triggering the review and approval workflow.
To use advanced risk assessment, you must first define factors or questions that appear
during the assessment. Factors that require human input are called Manual factors. Factors for
which the responses are automatically calculated are called Automated factors. When factors are
grouped logically, they are called Group factors. After you define the factors and publish them,
you must create a RAM and associate the factors to the assessment types within the RAM. Publish
each of the selected assessment types before the RAM is published. A risk administrator can
select the assessment types for which the assessment must be performed. Depending on the
assessment types and options that you select for your RAM, your risk assessment instance is
created. The risk assessment instance is where the risk assessor evaluates the risks.
