As an administrator, you can embed risk assessments within other workflows and define rules for when risk assessments must be initiated. The key benefit of embedding risk assessments is the digitization of the workflow so that assessments are initiated automatically without manual effort.

Prior to the San Diego release, you could perform risk assessments in a cyclic manner. This means that earlier risk assessments were performed only few times in a year and thus your risk posture reporting might not be accurate. To address this issue, you can now perform event-driven risk assessments. Event-driven risk assessments mean that when an event occurs, you can perform a risk assessment. Performing event-driven risk assessments help you to get a quick view of the actual risk posture and take the necessary corrective actions. You can integrate advanced risk assessment with any application and perform risk-based assessments in your workspaces. By default, ServiceNow® provides the integration of advanced risk assessment with risk events in the Risk Workspace.

To integrate risk assessment in an application in your workspace, you must perform the configuration steps given in the Risk assessment integration in workspace [KB0999135] article in the Now Support Knowledge Base. After you perform the configuration steps, you can see the Initiate risk assessment button on the user interface. The following image shows the new button.

Although you can integrate the Initiate risk assessment feature on any application in your workspace, this article uses risk events as an example. When you analyze a risk event and identify the relevant risks, you can easily initiate risk assessments for those risks by integrating the advanced risk assessment workflow in your risk events. This integration enables you to perform risk assessments without going through the entire process of creating risk assessment scopes. Prior to the San Diego release, for a risk assessor to perform a risk assessment, the risk user was required to create a risk assessment scope defining the entity, the assessor, and the approver.

When you initiate an assessment for a risk that is created for a risk event, although the risk assessment methodology (RAM) is set to the primary RAM of the entity class, you can select a different relevant risk assessment methodology. Only those risk assessment methodologies that are associated with the entity class of the selected risk are available for selection. You can then specify the assessor and approver for the risk assessment. Only users with the sn_risk_advanced.ara_assessor role can be the assessors and users with the sn_risk_advanced.ara_approver role can be the approvers. For more information on these roles, see Roles for performing advanced risk assessment. Earlier, the approvers were defined when the risk administrators created the risk assessment scopes. However, when you initiate a risk assessment from an application, you can specify the approvers at the time creating the assessment. You cannot change the approvers once you have specified them. If the approver is set as Same as assessor's manager, then the approver is automatically set depending on the assessor. You can also define the number of days after which the assessment will be considered overdue.

Even when you initiate a risk assessment from an application using the API, you can add those risks to the risk assessment scope at any time. After the risk is added to the risk assessment scope, the frequency of the assessment is based on the frequency defined in the risk assessment scope.