Risk score rollup in Advanced Risk Assessment

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Risk score rollup in Advanced Risk Assessment

    In Advanced Risk Assessment, risk scores are aggregated across risk statement hierarchies, entity hierarchies, or both, enabling stakeholders such as risk managers and entity owners to effectively monitor their overall risk posture. This rollup functionality provides a consolidated view of inherent risk scores, residual risk scores, Annual Loss Expectancy (ALE), and control effectiveness scores based on selected risk assessment methodologies.

    Show full answer Show less

    Only risk assessments in the Monitor state contribute to the rollup scores. Different risk assessment methodologies may use distinct formulas for calculating qualitative and quantitative rollup scores, which are configured within each methodology’s Rollup configurations.

    Key Features

    • Risk Statement Hierarchy Rollup: Automatically aggregates scores such as inherent risk, ALE, control effectiveness, and residual risk across the risk statement hierarchy, helping risk managers assess enterprise-wide risk posture.
    • Entity Hierarchy Rollup: Aggregates risk scores and ALE values across entity hierarchies for each risk assessment methodology, enabling entity owners to monitor their entity’s risk posture using formulas like Sum, Average, Maximum, or Minimum.
    • Combined Reporting Dimensions: Using the Manage Aggregated Risk report, customers can define additional dimensions for monitoring risks, such as internal fraud risks within specific business units.
    • Automatic Rollup Activation: Rollup scores are calculated automatically upon activation of the Advanced Risk plugin.

    Migration and Reporting Changes

    When migrating to Advanced Risk Assessment, risk administrators with the snrisk.admin role must enable the Migrate to Advanced Risk Assessments property via the administration properties. This property is disabled by default and enabling it changes how rollup scores are calculated and displayed.

    Important considerations during migration:

    • Customizations on the risk overview dashboard will be hidden; customers should contact ServiceNow for support.
    • Certain legacy reports and dashboard tabs (e.g., Aggregated Risk Report, Exposure by Entity, Entity Tolerance Status) become hidden.
    • New modules under Aggregated Risk Report become visible, showing rolled-up scores by risk statements, entities, and combined views.
    • Individual risk score values no longer roll up directly; instead, aggregated values from advanced risk assessments are used.
    • Risk Rollup and Tolerance sections are replaced with an Aggregated Risk related list on entity and risk statement forms, displaying key metrics such as residual rating, inherent rating, control effectiveness, ALE values, contributing risk assessments, and rollup status.

    Practical Benefits for ServiceNow Customers

    This rollup feature enables ServiceNow customers to gain a unified, accurate, and hierarchical view of risk across their organization. It simplifies monitoring and reporting of risk posture at multiple levels, supports customized risk dimension reporting, and aligns risk data with advanced methodologies. Migration to this approach requires administrative setup but results in enhanced visibility and consolidated risk management capabilities.

    In Advanced Risk Assessment, risk scores are calculated across risk statement hierarchy, entity hierarchy, or a combination of both. These methods enable stakeholders to monitor their risk posture and provide visibility of the overall aggregated risk score.

    Before you understand the rollup feature, consider the following points:
    • Each entity might have multiple scores based on the different risk assessment methodologies.
    • Only the risk assessments in the Monitor state contribute to the risk score.
    • Each risk assessment methodology might have a different formula to calculate the rollup qualitative score and the rollup quantitative score. The formula is specified in the Rollup configurationssection in the risk assessment methodology form.
    • Whenever the Advanced Risk plugin is activated the risk scores get rolled up.

    Risk statement hierarchy

    Based on the assessments, the system automatically rolls up the inherent risk scores, the Annual Loss Expectancy (ALE), control effectiveness score, residual risk score, and ALE across the risk statement hierarchy for the selected methodology​. This rollup allows the risk managers to monitor their enterprise risk posture​.

    Entity hierarchy

    Like risk statement hierarchy, the system also automatically rolls up the risk scores and ALE values across the entity hierarchy for a risk assessment methodology​. This rollup allows the entity owner to monitor the entity's risk posture. The rollups are done using the following formulae:
    • Sum
    • Average
    • Maximum
    • Minimum

    Entity hierarchy and risk statement

    Using the Manage Aggregated Risk report, customers can define additional reporting dimensions on which they want to monitor the risk posture for an entity. For example, if you want to understand an internal fraud related risk for Retail Banking, you can define that reporting dimension and monitor the risk.

    Changes in reports and risk rollup method after migrating to Advanced Risk Assessment

    To utilize the new rollup score calculation, the risk administrator, with the role sn_risk.admin, must first enable the Migrate to Advanced Risk Assessments property by navigating to Advanced Risk Assessment > Administration > Properties. This property is not enabled by default.
    Note:
    It is crucial to note that when you enable the mentioned property, any customizations in the risk overview dashboard will be hidden. Contact ServiceNow for assistance. Also, the following properties in risk are not hidden when you migrate to advanced risk rollup:
    • Compare risk tolerance based on
    • Compare calculated risk score with
    When customers migrate to Advanced Risk, the following reports are hidden from the user's view:
    • Aggregated Risk Report
    • Exposure by Entity
    • Exposure by Risk Statement
    In the Risk Overview dashboard, the following tabs are hidden:
    • Entity Tolerance Status
    • Risk Tolerance Status
    • Aggregated Entity Information
    • Aggregated Risk Information
    Under the Aggregated Risk Report, the following modules are visible that show the rolled up risk scores:
    • Aggregation by Risk Statements
    • Aggregation by Entities
    • Entity by Risk Statements
    When you migrate to advanced risk assessment, individual risk score values do not roll up to give you the risk score. Instead, the values from advanced risk assessment are considered. For example, for an entity, in the Entity form, the Risk Rollup and Tolerance section is not displayed. The same applies to any risk statement. Instead, a related list called Aggregated Risk is displayed. The Aggregated Risk related list contains the following values derived from various risk assessments:
    • Risk assessment methodology
    • Residual rating
    • Inherent rating
    • Control effectiveness
    • Residual ALE
    • Inherent ALE
    • Contributing risk assessments
    • Risk rollup status