Configure a Risk Assessment Methodology (RAM) for assessing either the risks or objects in your organization. A RAM is configured to specify the types of risk assessments and the entities on which risk assessment is performed. A configured RAM is an object with associated assessment types that have associated factors.

1. Navigate to Advanced Risk Assessment > Administration > Risk Assessment Methodologies.
2. On the form, fill in the fields.

   Table 1. Risk Assessment Methodology form

   Field	Description
   Name	Name of the RAM such as Organizational risk assessment.
   State	Default value is Draft for a new RAM.
   Assessment Context
   Assess	Context on which the assessment must be performed. Choices are: Risk: Option to perform the assessment for an entity and a risk statement associated with it. Object: Option to perform an assessment on any ServiceNow record. For example, users can perform Exception Risk Assessment or Change Risk Assessment directly on any table.
   First entity class	Entity class to which the RAM applies. For example, Business Service.
   Table	Record or table on which the risk assessment must be performed. This field appears when the Assess field has Object. The relationship between the table and the risk assessment methodology must be unique. This means users cannot perform two direct assessments on the same table.
   Assess
   Inherent risk	Option to assess inherent risk.
   Control effectiveness	Option to assess control effectiveness.
   Residual risk	Option to assess residual risk.
   Reference Information
   This section appears if the Assess field has Risk. Enabling these options shows the reference information in the risk assessment instance.
   Show related risk events	Option to show the related risk events on the risk assessment instance.
   Show related risk indicators	Option to show the related risk indicators on the risk assessment instance.
   Show open issues	Option to show the open issues on the risk assessment instance.
   Show previous assessments	Option to show the previous assessment on the risk assessment instance. This option helps analyze and understand the risk trends efficiently and provide necessary justification, if required.
   Rollup Configurations
   This section appears if the Assess field has Risk.
   Calculate ALE based on	Formula used for calculating the ALE. Choices are: Sum Average Maximum Minimum
   Calculate score based on	Formula used for calculating the score. Choices are: Average Maximum Minimum
   Other Configurations
   Allow override of results	Option to enable the users to override the computed scores and ALE during risk assessment.
   Show previous assessments	Option to show the previous assessments on the risk assessment instance. This option helps to analyze and understand the risk trends efficiently and provide necessary justification, if required.
   Advanced reminder (days)	Number of days before the due date of the risk assessment for the assessor to get a notification. For example, if you enter 3 in this field, then three days before the due date the assessor receives a reminder notification.
   Risk identification	Method to identify risks in the risk assessment scope. The choices are: None From Library: Use this option when you want to identify risks from the library on the risk assessment instance. Ad-hoc: Use this option when you want to create new risks on the risk assessment instance. From Library and Ad-hoc: Use this option when you want to create new risks as well as create risks from the library.
   Copy previous responses	Option to copy the factor responses and comments whenever a reassessment is performed. By default, this option is not selected.
   Update assessment results to source record	Option to copy the assessment results to the source record on which the assessment is performed. This field appears when the Assess field has Object.
   Enable risk response	Option to enable the Risk Response tab on the risk assessment instance.
   Overdue reminder (days)	Number of days after the due date till when the reminder emails will be sent. For example, if you enter 5 in this field, then for 5 days after the due date is over the assessor will keep receiving reminder emails that the due date is over. On the sixth day, an email notification will be sent to the assessor and the assessor's manager.
   Schedule
   Reassessment frequency	Choice of how frequently the reassessment must be performed. The choices are: None Weekly Monthly Quarterly Semi-annually Annually This field appears when the Assess field has Object.
   Days to overdue	Number of days after which an assessment is considered overdue from the date of assessment initiation. This field appears when the Assess field has Object.

3. Save the form.
4. To configure inherent assessment, see Configure inherent assessment.
5. To configure control effectiveness, see Configure control effectiveness assessment.
6. To configure residual assessment, see Configure residual assessment.
7. Click Publish.
8. To make a copy of this RAM, click Copy.
   Note: Assessments automatically move to completed state when a new assessment on that same risk is created in the Monitor state. When an assessment instance is in Monitor state, you cannot move the RAM back to draft state. A RAM can only be moved back to draft if there are no assessment instances.
9. To set a risk assessment methodology as primary, click Set as primary.
   The first assessment methodology that is published for a given entity class, is by default marked as primary. The entity and the corresponding risks by default carry the risk scores for the assessment methodology marked as primary.