Risk appetite fields on the Entity form

  • Release version: Yokohama
  • Updated January 30, 2025

    Learn about the risk appetite fields on the Entity form. Use these fields to define the risk appetite, evaluate all the possible risks, and set the boundaries for the acceptable and unacceptable risks in the Risk Management application.

    See the following table for a description of the field values.

    Note:
    The risk appetite fields that appear on the Entity form depend on the advanced risk assessment properties set by the risk administrator.
    Table 1. Risk appetite fields on the Entity form
    Field Description
    Override qualitative risk appetite: Option to override the qualitative risk appetite of the parent entity. By default, all entities inherit the risk appetite of the upstream entity in the Entity form. When you select this option, you can define the risk appetite values for the current entity separately.
    Note:
    This field appears only when there’s an upstream entity available for the current entity.
    Qualitative appetite: Risk appetite in numerical scale and rating terms. The qualitative appetite is compared with the qualitative risk rating to compute the qualitative appetite status. You can define the qualitative appetite based on the appetite scale set by the risk administrator. The default options are as follows:
    • 1 - Averse
    • 2 - Minimalist
    • 3 - Cautious
    • 4 - Open
    • 5 - Hungry

    A risk administrator can change or create the risk appetite scales based on the organization's requirement. For more information, see Set up a risk appetite scale.

    After you define the qualitative appetite, you can copy it to the downstream entities.

    Note:
    A risk user and risk reader with the sn_risk_advanced.qualitative_risk_appetite_reader role can only view the qualitative appetite and qualitative tolerance values on the form and in other places.
    Quantitative appetite: Risk appetite in quantitative terms. The quantitative risk appetite can be measured and expressed in monetary values. The quantitative appetite is the amount of loss that an organization is willing to risk. For example, an organization decides to have $10,000 (US dollars) as a target non-performing asset (NPA) for this year, which means that the organization defines $10,000 (US dollars) as the quantitative risk appetite.

    The quantitative appetite is compared with the annual loss expectancy (ALE) to compute the quantitative appetite status.

    Note:
    A risk user and risk reader with the sn_risk_advanced.quantitative_risk_appetite_reader role can only view the quantitative appetite and the quantitative tolerance values on the form and in other places.
    Qualitative tolerance: Risk tolerance in numerical scale and rating terms. The risk tolerance is the standard deviation from the defined risk appetite. The qualitative tolerance is compared with the qualitative risk rating to compute the qualitative appetite status. The qualitative tolerance should be greater than the defined qualitative appetite. You can define the qualitative tolerance based on the appetite scale that is set by the risk administrator. The default options are as follows:
    • 1 - Averse
    • 2 - Minimalist
    • 3 - Cautious
    • 4 - Open
    • 5 - Hungry

    A risk administrator can modify or create the risk appetite scales based on the organization's requirement. For more information, see Set up a risk appetite scale.

    Quantitative tolerance: Risk tolerance in quantitative terms. The risk tolerance is the standard deviation from the defined risk appetite. The quantitative risk tolerance can be measured and expressed in monetary values. For example, an organization decides to have $15,000 (US dollars) as a target non-performing asset (NPA) for this year, which means that the organization defines $15,000 as the quantitative risk tolerance.

    The quantitative tolerance is compared with the annual loss expectancy (ALE) to compute the quantitative appetite status.

    Note:
    The quantitative tolerance should be greater than the defined quantitative appetite.
    Risk appetite status
    Qualitative appetite status: Qualitative appetite status of the entity. The qualitative appetite status is calculated by comparing the defined qualitative appetite with the qualitative appetite that is mapped to the final risk rating. A risk administrator can map the appetite scales to the risk rating criteria for the final assessment type in the risk assessment methodology (RAM).
    Note:
    The primary RAM that is associated with the entity class is considered for status calculation.
    For example, if you define the qualitative appetite as 2-Minimalist and the qualitative tolerance as 4-Open, then the following statuses appear:
    • For a qualitative risk rating of 1-Averse or 2-Minimalist, the appetite status is within the appetite.
    • For a qualitative risk rating of 3-Cautious or 4-Open, the appetite status is outside the appetite.
    • For a qualitative risk rating of 5-Hungry, the appetite status is outside the tolerance.
    Quantitative appetite status: Quantitative appetite status of the entity. The annual loss expectancy (ALE) values are compared with the defined quantitative appetite to calculate this appetite status.
    Note:
    The aggregated ALE value from the primary RAM that is associated with the entity class is considered for the status calculation.
    For example, if you define the quantitative appetite as $1000 (US dollars) and the quantitative tolerance as $1500, then the following statuses appear:
    • For ALE equal to or less than $1000, the appetite status is within the appetite.
    • For ALE ranging from $1001 to $1500, the appetite status is outside the appetite.
    • For ALE more than $1500, the appetite status is outside the tolerance.
    Appetite status: Overall appetite status. The overall appetite status considers the worst-case scenario between the qualitative and quantitative status. For example, if the qualitative appetite status is within the appetite and the quantitative appetite status is outside the appetite, then the overall appetite status is outside the appetite.