Advanced Risk Assessment
Summary of Advanced Risk Assessment
The ServiceNow Governance, Risk, and Compliance (GRC) Advanced Risk Assessment feature enables organizations to create an integrated risk platform that supports diverse risk assessment methodologies. It digitizes the entire risk management lifecycle—from risk identification to monitoring—allowing you to customize assessment criteria, context, and scoring logic based on your organization's specific needs. This feature supports both qualitative and quantitative risk assessments and integrates risk evaluation within user workspaces to promote informed decision-making.
Key Features
- Complete Risk Lifecycle Digitization: Supports all risk management steps: identification, analysis, evaluation, treatment, and monitoring.
- Customization: Tailor assessment criteria, context, and scoring logic to fit your organization's requirements.
- Methodology Support: Enables qualitative, semi-quantitative, and quantitative risk rating methods.
- Risk Types Assessed: Includes inherent risk (risk without controls), control effectiveness (preventive, detective, corrective), residual risk (leftover risk after controls), and target risk (desired future risk level).
- Flexible Usage: Allows assessment of risks on any ServiceNow record or object, even without a full GRC setup.
- Role-Based Access: Requires users to have the sn_grc.business_user role for assessment and approval.
- Delegation: Risk assessors can appoint delegates to perform assessments using the ServiceNow AI Platform.
- Risk Score Aggregation: Automatically rolls up risk scores across risk statement and entity hierarchies for comprehensive monitoring.
- Integration: Migrates legacy risk lifecycle to Advanced Risk Assessment, adding an Assessment Summary section for consolidated visibility.
- Scheduler: Enables bulk initiation of risk assessments via schedulers assigned to risk managers.
- Privacy Risk Management: Allows limited advanced risk assessments for Privacy Management users without full Integrated Risk Management licensing.
Practical Application for ServiceNow Customers
By enabling Advanced Risk Assessment, your organization can embed risk evaluation into daily workflows, enhancing decision-making with clear visibility into inherent, residual, and target risks. The system’s flexibility means you can assess risks for various entities or records, including non-traditional GRC objects like change management. Delegation features ensure continuity of assessments, and automated score rollups provide executives and risk managers with an aggregated risk posture overview.
Next Steps
- Enable the Migrate to Advanced Risk Assessments property under the Administration module to start using this feature.
- Ensure risk assessors and approvers have the necessary sn_grc.business_user role.
- Define your risk assessment methodology and scope to align with organizational needs.
- Leverage the risk assessment scheduler for efficient bulk assessments.
- Use the Assessment Summary on risk forms to monitor and report on risk evaluation results.
- Consider defining risk appetite and tolerance thresholds within the Advanced Risk application to establish clear boundaries for acceptable risks.
- Perform target risk assessments to set and track your desired future risk levels.
Use the ServiceNow® Governance, Risk, and Compliance (GRC) Advanced Risk Assessment feature to create an integrated risk platform. This integrated platform supports various kinds of risk assessment methodologies. It enables you to integrate risk assessment as part of your overall decision-making process.
- Digitizes the complete risk management life cycle, including risk identification, risk analysis, risk evaluation, risk treatment, and monitoring.
- Customizes the risk assessment process based on the unique needs of your organization. This customization includes configuring the assessment criteria, the context, and the overall risk scoring logic.
- Supports both qualitative and quantitative risk assessment methods.
- Automatically aggregates the bottom-up risk assessment scores across the risk statement and entity hierarchies.
- Embeds the risk assessment process in the workspace for first-line users. This embedding helps users make informed decisions based on risks that are associated with actions.
Steps of risk assessment
- Risk identification: Find an uncertainty or risk that might prevent your organization from achieving its objectives.
- Risk analysis: Understand the cause and consequence of the risk.
- Risk evaluation: To determine if additional action is required, compare the results of the risk analysis with the established risk criteria.
- Risk treatment: Define an action plan to address the risk.
- Risk monitoring: Track the risk posture of the organization and communicate it to relevant stakeholders.
- Inherent risks: Inherent risks are risks that don't have controls. For example, driving at a high speed on a highway is inherently more of a risk than driving at a moderate speed. The score of this inherent risk is derived by multiplying the impact of the risk and the likelihood of the risk.
- Control effectiveness: Controls can mitigate the impact or likelihood of a risk. For example, highways have speed limit monitors. If a risk materializes, the controls mitigate the impact. Controls can be preventive, detective, or corrective.
- Preventive controls are designed to prevent errors, inaccuracies, or fraud before these issues occur.
- Detective controls are intended to discover the existence of errors, inaccuracies, or fraud.
- Corrective controls are designed to correct errors or irregularities that have been detected.
- Residual risks: Residual risks are the leftover risks that remain after the implementation of controls. For example, despite the safety measures in place, if there’s still an accident, then the damage caused by the accident is a residual risk. A residual risk score can be calculated using any of the following methods:
- A matrix between inherent and residual effectiveness.
- A mathematical formula such as the inherent score minus the control score.
- Answers to factors.
- Target risks: Target risks are the desired risk levels an organization wants to achieve in the future. By evaluating the desired level of likelihood and impact of identified risks, organizations can establish target risk levels for each risk. For example, when assessing a risk, you consider various aspects such as inherent risk, the effectiveness of controls, and residual risks. However, it's equally important to capture the desired risk level that will be attained after your risk response is implemented. The target risk represents the optimum level of risk that you aim to achieve after your action plan is successfully executed. It enables you to measure the benefits your organization gets in relation to the cost of implementing those actions.
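The following is an added worked illustration of the scoring logic described above (inherent score as impact × likelihood, and residual score by matrix, by formula, or by factor answers, then compared with the target); it is not ServiceNow code, and the 1–5 rating scale, the band thresholds, and the residual matrix are constructed assumptions, not product defaults.

```javascript
// Constructed example of the page's risk scoring steps; not ServiceNow's own implementation.
const SCALE = { min: 1, max: 5 }; // assumed 1..5 rating scale for impact and likelihood

function checkRating(v) {
  if (!Number.isInteger(v) || v < SCALE.min || v > SCALE.max) {
    throw new RangeError("rating out of scale: " + v);
  }
  return v;
}

// Inherent score: the page defines it as impact multiplied by likelihood.
function inherentScore(impact, likelihood) {
  return checkRating(impact) * checkRating(likelihood);
}

// Method 1: a matrix between the inherent band and control effectiveness.
// Bands and matrix cells are assumptions for illustration.
function inherentBand(score) {
  return score >= 15 ? "high" : score >= 6 ? "medium" : "low";
}
const RESIDUAL_MATRIX = {
  low:    { ineffective: "low",    partial: "low",    effective: "low" },
  medium: { ineffective: "medium", partial: "medium", effective: "low" },
  high:   { ineffective: "high",   partial: "medium", effective: "medium" },
};
function residualByMatrix(inherent, effectiveness) {
  const row = RESIDUAL_MATRIX[inherentBand(inherent)];
  if (!(effectiveness in row)) throw new RangeError("unknown effectiveness: " + effectiveness);
  return row[effectiveness];
}

// Method 2: formula, inherent score minus control score, never below zero.
function residualByFormula(inherent, controlScore) {
  return Math.max(0, inherent - controlScore);
}

// Method 3: answers to factors, here a weighted average of questionnaire ratings.
function residualByFactors(answers) {
  const weight = answers.reduce((s, a) => s + a.weight, 0);
  if (weight <= 0) throw new RangeError("factor weights must sum to a positive value");
  return answers.reduce((s, a) => s + checkRating(a.rating) * a.weight, 0) / weight;
}

// Risk evaluation: treatment is required while the residual score still exceeds the target.
function needsTreatment(residual, target) {
  return residual > target;
}
```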