Risk assessments in Privacy Management
You can perform risk assessments on your processing activities to determine their risk scores and find out the privacy risk posture of your organization.
The following assessments are performed to understand the risk posture.
Criticality assessments
A criticality assessment determines the initial risk level of a processing activity. Using the resulting criticality score, the privacy team can prioritize or deprioritize the activity accordingly. For example, the assessment questions might identify whether personal data is being processed in a way that influences key decisions or enables impactful autonomous decision making; that is a criticality factor.
- Manual criticality assessment
- In the manual method, a privacy manager initiates the criticality assessment from a processing activity. If you're already working on a processing activity and want to assess its criticality, you can trigger this assessment using the Assess criticality action in the user interface. When you trigger the criticality assessment, the system calculates the criticality score from the information already available in the fields of the processing activity form. On the Regulatory details tab of a processing activity, you can provide the risk-related details; after you enter this information, triggering the criticality assessment uses these values to calculate the risk score. The criticality score can be calculated multiple times if triggered manually. Each time, the calculation uses the most recent data entered in the processing activity fields and regulatory details.
- Automated criticality assessment
- In the automated method, the privacy manager uses the Automated criticality factors risk assessment methodology (RAM) that is provided by default to calculate the criticality score of a processing activity. The RAM is provided in the Draft state, so the privacy manager must publish it before it can be used. When a user performs a screening assessment, they are prompted to respond to several questions, including those related to criticality and risk assessment. If the user answers these criticality-related questions during the screening assessment, the system automatically calculates the criticality risk score. The calculated score is then displayed on the Overview page when the user proceeds to the processing activity. Because only two RAMs are supported at a time, the privacy manager must deactivate any other existing criticality factors RAM. Note that when an existing criticality factors RAM is deactivated, all in-progress risk assessments associated with that RAM are canceled.
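The RAM lifecycle rules above (Draft until published, at most two RAMs active at a time, deactivation cancelling in-progress assessments) are easy to get wrong when an administrator scripts RAM changes, because a deactivation silently discards work. The following toy model is an added example, not ServiceNow code; the class and RAM names (RamRegistry, "Criticality-default" and so on) are constructed for the illustration, and the state names beyond Draft are assumptions.

```python
"""Toy model of the RAM lifecycle rules described above. This is a constructed
illustration, not ServiceNow code: names such as RamRegistry are hypothetical.
Rules modelled: a RAM starts in Draft and must be published before use; only two
RAMs may be active at a time; deactivating a RAM cancels its in-progress assessments."""
from dataclasses import dataclass

MAX_ACTIVE_RAMS = 2  # the page states that only two RAMs are supported at a time


@dataclass
class Assessment:
    activity: str        # processing activity being assessed
    ram_name: str        # RAM the assessment was started with
    state: str = "in_progress"


@dataclass
class RiskAssessmentMethodology:
    name: str
    state: str = "Draft"  # Draft -> Published -> Active (deactivation returns to Published)


class RamRegistry:
    def __init__(self) -> None:
        self.rams: dict[str, RiskAssessmentMethodology] = {}
        self.assessments: list[Assessment] = []

    def add(self, name: str) -> None:
        self.rams[name] = RiskAssessmentMethodology(name)

    def publish(self, name: str) -> None:
        ram = self.rams[name]
        if ram.state != "Draft":
            raise ValueError(f"{name} is already {ram.state}")
        ram.state = "Published"

    def active_rams(self) -> list[str]:
        return [r.name for r in self.rams.values() if r.state == "Active"]

    def activate(self, name: str) -> None:
        ram = self.rams[name]
        if ram.state != "Published":
            raise ValueError(f"{name} must be published before it can be activated")
        if len(self.active_rams()) >= MAX_ACTIVE_RAMS:
            raise ValueError("two RAMs are already active; deactivate one first")
        ram.state = "Active"

    def start_assessment(self, activity: str, ram_name: str) -> Assessment:
        if self.rams[ram_name].state != "Active":
            raise ValueError(f"{ram_name} is not active")
        assessment = Assessment(activity, ram_name)
        self.assessments.append(assessment)
        return assessment

    def deactivate(self, name: str) -> int:
        """Deactivate a RAM and cancel every in-progress assessment that uses it.
        Returns the number of assessments cancelled, so a caller can warn before
        committing to the change."""
        self.rams[name].state = "Published"
        cancelled = 0
        for a in self.assessments:
            if a.ram_name == name and a.state == "in_progress":
                a.state = "cancelled"
                cancelled += 1
        return cancelled


def demo() -> dict:
    """Walk through the rules with constructed RAM names; returns facts for checking."""
    reg = RamRegistry()
    for name in ("Criticality-default", "PrivacyRisk-default", "Criticality-custom"):
        reg.add(name)
        reg.publish(name)
    reg.activate("Criticality-default")
    reg.activate("PrivacyRisk-default")
    try:
        reg.activate("Criticality-custom")   # a third active RAM must be refused
        third_refused = False
    except ValueError:
        third_refused = True
    reg.start_assessment("HR payroll", "Criticality-default")
    reg.start_assessment("Marketing CRM", "Criticality-default")
    reg.start_assessment("Vendor DPIA", "PrivacyRisk-default")
    cancelled = reg.deactivate("Criticality-default")  # cancels the two in-progress ones
    reg.activate("Criticality-custom")                 # now there is room for it
    return {
        "third_refused": third_refused,
        "cancelled": cancelled,
        "active": sorted(reg.active_rams()),
    }


if __name__ == "__main__":
    print(demo())
```

The point of returning the cancellation count from deactivate is operational: before swapping in a custom criticality RAM, an administrator can see how many screening assessments would be lost and let them finish first.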
Privacy risk assessments
Privacy risk assessments are detailed assessments that are conducted if the criticality score is high. You assess each risk that is associated with the processing activity and see the aggregated risk score on the processing activity. After you assess the privacy risks, you can view the privacy risk posture on the risk heatmap in the overview section. The heatmaps provide detailed information about your inherent and residual risks. See the following image to understand how you can initiate the detailed risk assessment.
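The flow described above (criticality score gates the detailed assessment; each risk is scored; scores are aggregated and shown as inherent versus residual on a heatmap) is illustrated by the following added example. It is not ServiceNow code and does not reproduce the product's scoring: the factor weights, the likelihood-times-impact scale, the max aggregation and the heatmap bands are all assumptions chosen for the illustration, and the sample answers and risks are constructed.

```python
"""Constructed illustration of the flow described above; it is not ServiceNow
code and not the product's scoring formula. A criticality score gates the
detailed privacy risk assessment, each risk then receives an inherent and a
residual score, and the aggregated scores are placed in heatmap bands. The
weights, thresholds and likelihood x impact scoring are all assumptions."""
from dataclasses import dataclass

# Assumed criticality factors and weights. The page names two factors
# (influence on key decisions, autonomous decision making); the rest are made up.
CRITICALITY_WEIGHTS = {
    "influences_key_decisions": 3,
    "autonomous_decision_making": 3,
    "special_category_data": 2,
    "large_scale_processing": 1,
}
HIGH_CRITICALITY = 4  # assumed threshold that triggers the detailed assessment

# Assumed heatmap bands over a likelihood x impact score in the range 1..25.
HEATMAP_BANDS = [(6, "Low"), (12, "Medium"), (20, "High"), (25, "Critical")]


@dataclass
class PrivacyRisk:
    name: str
    likelihood: int                      # 1..5
    impact: int                          # 1..5
    control_effectiveness: float = 0.0   # 0.0 = no mitigation, 1.0 = fully mitigated

    def inherent(self) -> int:
        """Risk before any controls are applied."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk after controls; here controls reduce likelihood only (assumption)."""
        reduced = max(1, round(self.likelihood * (1 - self.control_effectiveness)))
        return reduced * self.impact


def criticality_score(answers: dict[str, bool]) -> int:
    """Sum the weights of the criticality factors the screening answers confirm."""
    return sum(w for factor, w in CRITICALITY_WEIGHTS.items() if answers.get(factor))


def heatmap_band(score: int) -> str:
    """Map an aggregated score to the band a heatmap cell would show."""
    for upper, label in HEATMAP_BANDS:
        if score <= upper:
            return label
    return HEATMAP_BANDS[-1][1]


def assess_activity(answers: dict[str, bool], risks: list[PrivacyRisk]) -> dict:
    """Run the criticality gate and, if criticality is high, aggregate the per-risk
    scores. Aggregation uses max, i.e. the activity is as risky as its worst risk
    (assumption)."""
    crit = criticality_score(answers)
    result = {"criticality": crit, "detailed_assessment": crit >= HIGH_CRITICALITY}
    if not result["detailed_assessment"]:
        return result
    inherent = max(r.inherent() for r in risks)
    residual = max(r.residual() for r in risks)
    result.update({
        "inherent": inherent, "inherent_band": heatmap_band(inherent),
        "residual": residual, "residual_band": heatmap_band(residual),
    })
    return result


# Constructed sample input: one processing activity and its two privacy risks.
SAMPLE_ANSWERS = {
    "influences_key_decisions": True,
    "autonomous_decision_making": True,
    "large_scale_processing": True,
}
SAMPLE_RISKS = [
    PrivacyRisk("Unlawful profiling", likelihood=5, impact=5, control_effectiveness=0.6),
    PrivacyRisk("Excessive retention", likelihood=4, impact=3, control_effectiveness=0.25),
]

if __name__ == "__main__":
    print(assess_activity(SAMPLE_ANSWERS, SAMPLE_RISKS))
    print(assess_activity({"large_scale_processing": True}, SAMPLE_RISKS))
```

With the sample data the activity sits in the Critical band on inherent risk and in the Medium band on residual risk, which is exactly the gap the two heatmap views are meant to make visible: a large gap means the posture depends heavily on the controls actually working, so those controls deserve evidence and monitoring rather than a self-attested effectiveness value.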
Risk heatmap scores
The risk assessment results and the risk heatmaps appear on the processing activity home page, as shown in the following image.
To understand the details about how to perform the risk assessments, see Privacy assessment configurations.