Governance, Risk, and Compliance (GRC) Advanced Risk Assessment provides an integrated
risk platform. The platform supports several risk assessment methodologies and lets
customers make risk assessment part of their overall decision-making process.
Advanced risk assessment offers the following benefits:
Digitizes the complete risk management life cycle: risk identification, risk
analysis, risk evaluation, risk treatment, and risk monitoring.
Customizes the risk assessment process to the needs of an organization. The
assessment criteria, the context, and the overall risk scoring logic are all
configurable.
Supports both qualitative and quantitative risk assessment methods, so risks can be
analyzed with whichever method fits the data available.
Automatically aggregates bottom-up risk assessment scores.
Embeds the risk assessment process in the workspace used by first-line users, so
that they can make informed decisions based on the risks associated with the
actions they take.
Note: To find out whether your current license entitles you to Advanced Risk Assessment,
contact ServiceNow.
Before looking at Advanced Risk Assessment in detail, it helps to understand the five key
principles of risk management:
Figure 1. Principles of risk management
Risk identification: Find, describe, and recognize an uncertainty that might prevent an
organization from achieving its objectives.
Risk analysis: Understand the cause and the consequence of the risk if it materializes.
Risk evaluation: Compare the results of the risk analysis with the established risk
criteria to determine whether additional action is required.
Risk treatment: Define an action plan to address the risk.
Risk monitoring: Track the risk posture of the organization and communicate it to the
relevant stakeholders.
Risk assessment is the combination of the first three: risk identification, risk analysis,
and risk evaluation.
An advanced risk assessment is driven by factors (questions) and the responses to them. It
can be performed for an entity such as an organization. Before advanced risk assessment
can be used, an administrator must enable the Migrate to Advanced Risk Assessments
property under the Administration module. The assessor and the approver for a risk
assessment must both hold the sn_grc.business_user role.
Advanced risk assessment lets users assess a risk in detail: its inherent risk, the
mitigating controls, and the residual risk. A user who does not yet have the complete GRC
setup (entities, risk statements, controls, and so on) can still assess risk on any
ServiceNow record or object; assessing a change management record is one example of such
an object assessment. A risk assessment covers the following:
Inherent risks: The inherent risk is the risk level with no controls in place. For
example, driving at high speed on a highway is inherently riskier than driving at a
moderate speed. The inherent risk score is the product of the impact of the risk and its
likelihood.
Control effectiveness: A control mitigates either the impact or the likelihood of a risk.
In the highway example, speed limit monitoring on the road and speed control mechanisms in
the vehicle are controls. Controls can be preventive, detective, or corrective. Preventive
controls are designed to stop errors, inaccuracies, or fraud before they occur. Detective
controls are intended to discover errors, inaccuracies, or fraud that have already
occurred. Corrective controls are designed to correct errors or irregularities that have
been detected.
Residual risks: The residual risk is the risk that remains after the controls are in
place. In the highway example, if an accident still happens despite the safety measures,
the damage it causes is the residual risk.
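The scoring described above, inherent score as impact times likelihood and a residual score after controls, can be made concrete. The following Python model is an added example and is not ServiceNow's scoring logic (which the page says is configurable per organization); it assumes 1..5 scales for impact and likelihood, a multiplicative mitigation model in which each control removes its effectiveness share of whatever the earlier controls on that factor left, a floor of 1 on each factor, and two assumed bottom-up roll-up options (worst child or sum). The control names and their effectiveness values are constructed for the highway example.

```python
from dataclasses import dataclass
from math import prod

FACTORS = ("likelihood", "impact")
CONTROL_KINDS = ("preventive", "detective", "corrective")
SCALE = range(1, 6)  # assumed 1..5 scale for impact and likelihood


@dataclass(frozen=True)
class Control:
    name: str
    kind: str             # preventive, detective or corrective
    reduces: str          # the factor this control mitigates: "likelihood" or "impact"
    effectiveness: float  # assumed: share removed from that factor, 0.0 (useless) .. 1.0 (perfect)

    def __post_init__(self) -> None:
        if self.kind not in CONTROL_KINDS:
            raise ValueError(f"unknown control kind {self.kind!r}")
        if self.reduces not in FACTORS:
            raise ValueError(f"a control must reduce one of {FACTORS}")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must be between 0 and 1")


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int       # 1 (negligible) .. 5 (severe)
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    controls: tuple = ()

    def __post_init__(self) -> None:
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError("impact and likelihood must be on the 1..5 scale")


def inherent_score(risk: Risk) -> int:
    """Inherent risk = impact x likelihood, with no controls applied."""
    return risk.impact * risk.likelihood


def residual_factor(risk: Risk, factor: str) -> float:
    """Assumed model: controls on a factor multiply it by (1 - effectiveness) each,
    and a factor never drops below 1 on the scale."""
    raw = getattr(risk, factor)
    remaining = prod(1.0 - c.effectiveness for c in risk.controls if c.reduces == factor)
    return max(1.0, raw * remaining)


def residual_score(risk: Risk) -> float:
    """Residual risk = mitigated impact x mitigated likelihood."""
    return residual_factor(risk, "impact") * residual_factor(risk, "likelihood")


def aggregate(risks, how: str = "max") -> float:
    """Assumed bottom-up roll-up of residual scores: worst child ("max") or "sum"."""
    scores = [residual_score(r) for r in risks]
    if how == "max":
        return max(scores)
    if how == "sum":
        return float(sum(scores))
    raise ValueError("how must be 'max' or 'sum'")


# Constructed sample data for the highway example on the page.
SPEEDING = Risk(
    "Speeding on the highway", impact=5, likelihood=4,
    controls=(
        Control("Speed limit monitors", "detective", "likelihood", 0.5),
        Control("In-vehicle speed control", "preventive", "likelihood", 0.25),
        Control("Airbags and crumple zones", "corrective", "impact", 0.4),
    ),
)
DROWSY = Risk("Drowsy driving", impact=4, likelihood=2)  # no controls yet


if __name__ == "__main__":
    for r in (SPEEDING, DROWSY):
        print(f"{r.name}: inherent={inherent_score(r)} residual={residual_score(r):.2f}")
    print(f"roll-up (max)={aggregate([SPEEDING, DROWSY]):.2f} "
          f"roll-up (sum)={aggregate([SPEEDING, DROWSY], 'sum'):.2f}")
```

Two things the numbers make visible: controls that only reduce likelihood leave the impact term untouched, so a risk with a severe impact keeps a material residual score however many preventive controls are stacked on it, and the choice of roll-up rule (worst child versus sum) changes what a parent entity reports even though none of the underlying assessments change.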
The workflow for setting up advanced risk assessment is:
Risk Assessment Methodology (RAM): A setup activity performed by a risk administrator
(role sn_risk.admin), who defines the following:
What is being assessed: a risk or an object?
How is it being assessed? This covers the assessment criteria, the risk scoring, and
the reporting preferences.
Assessment scope: After the RAM is defined, the entity owner identifies and defines the
following:
The relevant risks for the entity.
The assessors and approvers for those assessments.
The periodicity of the risk assessments.
Risk assessment: During this stage, the risk assessor (role sn_grc.business_user)
performs the assessment tasks:
Assessing the inherent risks and the effectiveness of the mitigating controls.
Reviewing the residual risk and defining the risk treatment plan.
Triggering the review and approval workflow.
To use advanced risk assessment, first define the factors (questions) that appear during
the assessment. Factors that require human input are Manual factors. Factors whose
responses are calculated automatically are Automated factors. Factors grouped logically
are Group factors.
After you define and publish the factors, create a RAM and associate the factors with the
assessment types in the RAM. Each selected assessment type must be published before the
RAM itself is published. The risk administrator (sn_risk.admin, as above) selects the
assessment types for which the assessment must be performed. The risk assessment instance
is created according to the assessment types and options selected in the RAM; it is in
this instance that the risk assessor evaluates the risks.