Risk appetite fields on the Risk Statement form

  • Release version: Xanadu
  • Updated August 1, 2024
    Summary of Risk appetite fields on the Risk Statement form

    The risk appetite fields on the Risk Statement form within the ServiceNow Risk Management application allow organizations to define, evaluate, and manage their risk appetite and tolerance levels. These fields help set boundaries for acceptable and unacceptable risks, supporting risk-informed decision-making aligned with organizational objectives.


    Visibility and availability of these fields depend on advanced risk assessment properties set by the risk administrator.

    Key Fields and Their Practical Use

    • Override qualitative risk appetite: Lets you define qualitative appetite values for the current risk statement instead of inheriting them from the parent statement. This option appears only when a parent risk statement exists.
    • Qualitative appetite: Defines risk appetite as a position on a numeric rating scale (default 1-5, Averse to Hungry) configured by the risk administrator. It is compared with the qualitative risk rating to compute the qualitative appetite status.
    • Quantitative appetite: Expresses risk appetite in monetary terms (for example, the maximum acceptable loss in dollars). It is compared with the annual loss expectancy (ALE) to compute the quantitative appetite status.
    • Qualitative tolerance: The maximum deviation above the qualitative appetite that the organization accepts, on the same scale. It must be greater than the qualitative appetite.
    • Quantitative tolerance: The maximum monetary deviation above the quantitative appetite that the organization accepts. It must be greater than the quantitative appetite.
    • Risk appetite statement: A narrative that describes the organization's risk acceptance levels and response strategies, giving context for the numeric appetite values.
    • Next review date: The date by which the risk appetite fields and statement should be reviewed and updated. An email notification to the risk statement owner can be scheduled ahead of this date.
    • Methodology for status calculation: The Risk Assessment Methodology (RAM) whose aggregated qualitative and quantitative results are used to determine the statuses.
    • Qualitative appetite status: Computed by comparing the qualitative risk rating with the defined qualitative appetite and tolerance; the result is within appetite, outside appetite, or outside tolerance.
    • Quantitative appetite status: Computed by comparing the ALE with the quantitative appetite and tolerance, with the same three possible results.
    • Overall appetite status: The worse of the qualitative and quantitative statuses, so the combined result is always the conservative one.

    Why It Matters for ServiceNow Customers

    Using these fields, ServiceNow customers can:

    • Precisely define organizational risk appetite and tolerance both qualitatively and quantitatively.
    • Customize risk appetite scales and statements to align with their unique risk management policies.
    • Automatically calculate risk appetite status based on aggregated risk ratings and loss expectancy, enabling dynamic monitoring.
    • Ensure timely reviews through configurable notifications, maintaining up-to-date risk appetite frameworks.
    • Make informed risk decisions with clear visibility into whether risks fall within acceptable boundaries.

    Practical Application

    Risk managers and administrators can use these fields to tailor risk appetite settings per risk statement and parent relationships, monitor risk exposure against defined limits, and document organizational risk preferences. Role-based access controls ensure appropriate visibility and editing permissions based on user roles, supporting governance and compliance.

    Learn about the risk appetite fields on the Risk Statement form. Use these fields to define the risk appetite, evaluate all the possible risks, and set the boundaries for the acceptable and unacceptable risks in the Risk Management application.

    See the following table for a description of the field values.

    Note:
    The risk appetite fields that appear on the Risk Statement form depend on the advanced risk assessment properties that are set by the risk administrator.

    Table 1. Risk appetite fields on the Risk Statement form

    Override qualitative risk appetite
      Option to override the qualitative risk appetite of the parent risk statement. By default, a risk statement inherits the risk appetite of its parent risk statement. When you select this option, you define the qualitative appetite and tolerance for the current risk statement separately.
      Note: This field appears only when the current risk statement has a parent risk statement.

    Qualitative appetite
      Risk appetite expressed as a position on the appetite scale (a number and a rating). The qualitative appetite is compared with the qualitative risk rating to compute the qualitative appetite status. You choose the value from the appetite scale that the risk administrator has set up. The default scale is:
      • 1 - Averse
      • 2 - Minimalist
      • 3 - Cautious
      • 4 - Open
      • 5 - Hungry

      A risk administrator can change the default scale or create new appetite scales to match the organization's requirements. For more information, see Set up a risk appetite scale.

      After you define the qualitative appetite, you can copy it to the downstream risks and risk statements.

      Note: A risk manager who has only the sn_risk_advanced.qualitative_risk_appetite_reader role can view, but not edit, the qualitative appetite and qualitative tolerance values on the form and elsewhere.

    Quantitative appetite
      Risk appetite expressed in monetary terms: the amount of loss that the organization is willing to accept. For example, if an organization sets $10,000 (US dollars) as its target non-performing assets (NPA) for the year, it defines $10,000 as its quantitative risk appetite.

      The quantitative appetite is compared with the annual loss expectancy (ALE) to compute the quantitative appetite status.

      Note: A risk manager who has only the sn_risk_advanced.quantitative_risk_appetite_reader role can view, but not edit, the quantitative appetite and quantitative tolerance values on the form and elsewhere.

    Qualitative tolerance
      Risk tolerance expressed as a position on the appetite scale. The tolerance is the maximum deviation above the defined appetite that the organization accepts before a risk is considered outside tolerance. The qualitative tolerance is compared with the qualitative risk rating to compute the qualitative appetite status, and it must be greater than the defined qualitative appetite. You choose the value from the same appetite scale as the qualitative appetite. The default scale is:
      • 1 - Averse
      • 2 - Minimalist
      • 3 - Cautious
      • 4 - Open
      • 5 - Hungry

      A risk administrator can change the default scale or create new appetite scales to match the organization's requirements. For more information, see Set up a risk appetite scale.

    Quantitative tolerance
      Risk tolerance expressed in monetary terms: the maximum loss above the quantitative appetite that the organization accepts. For example, if the organization with the $10,000 appetite above sets $15,000 (US dollars) as the most it will tolerate in non-performing assets for the year, it defines $15,000 as its quantitative risk tolerance.

      The quantitative tolerance is compared with the annual loss expectancy (ALE) to compute the quantitative appetite status.

      Note: The quantitative tolerance must be greater than the defined quantitative appetite.

    Risk appetite statement
      Narrative statement that defines the amount and types of risk that the organization is willing to accept to achieve its objectives. It documents what the organization considers threats and how it intends to respond to them, and it gives the context needed to interpret the numeric appetite and tolerance values and to make risk-informed decisions. For example: "ACME Inc. has no appetite for unauthorized access to systems and confidential data and will maintain strong controls to mitigate external threats against its technology infrastructure. ACME Inc. has a low appetite for losing the continuity of business operations stemming from unreliable telecommunications or system availability. Business resiliency planning and execution must be aligned with strategic objectives. ACME Inc. has a moderate appetite for innovative technology solutions to meet user demands in a rapidly changing environment. The agency will exercise appropriate governance and discipline when considering and adopting new technology."

    Next review date
      Date by which the risk appetite fields and the risk appetite statement are to be reviewed and updated. An email notification is sent to the risk statement owner before this date; a risk administrator schedules the notification in the advanced risk assessment properties. For more information, see Configure a risk appetite and tolerance in Advanced Risk.

    Risk appetite status (section containing the following fields)

    Methodology for status calculation
      Risk assessment methodology (RAM) whose aggregated results are used to calculate the risk appetite status of the risk statement. Only the RAM selected here is used for the qualitative and quantitative status calculations described below.

    Qualitative appetite status
      Qualitative appetite status of the risk statement. It is calculated by comparing the final risk rating from the selected RAM, translated to the appetite scale, with the defined qualitative appetite and tolerance. A risk administrator maps the appetite scale values to the risk rating criteria of the final assessment type in the RAM. The comparison works as follows:
      • rating at or below the qualitative appetite: within appetite
      • rating above the appetite but at or below the tolerance: outside appetite
      • rating above the tolerance: outside tolerance

      For example, with a qualitative appetite of 2 - Minimalist and a qualitative tolerance of 4 - Open:
      • a qualitative risk rating of 1 - Averse or 2 - Minimalist gives the status within appetite
      • a rating of 3 - Cautious or 4 - Open gives outside appetite
      • a rating of 5 - Hungry gives outside tolerance

    Quantitative appetite status
      Quantitative appetite status of the risk statement. It is calculated by comparing the aggregated annual loss expectancy (ALE) from the selected RAM with the defined quantitative appetite and tolerance, using the same comparison: ALE at or below the appetite is within appetite, ALE above the appetite but at or below the tolerance is outside appetite, and ALE above the tolerance is outside tolerance.

      For example, with a quantitative appetite of $1,000 (US dollars) and a quantitative tolerance of $1,500:
      • ALE of $1,000 or less: within appetite
      • ALE above $1,000 and up to $1,500: outside appetite
      • ALE above $1,500: outside tolerance

    Appetite status
      Overall appetite status of the risk statement: the worse of the qualitative and quantitative appetite statuses, where outside tolerance is worse than outside appetite, which is worse than within appetite. For example, if the qualitative appetite status is within appetite and the quantitative appetite status is outside appetite, the overall appetite status is outside appetite.
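The three status rules above (qualitative, quantitative, and overall worst case), together with the tolerance-greater-than-appetite rule and parent inheritance with override, as an added worked example. This is not ServiceNow code and not part of the Risk Management application; it is plain JavaScript that models the comparison using the page's default 1-5 scale and example thresholds. The status names, the object shape of a risk statement, and the shape of the aggregated RAM results (`finalRating`, `ale`) are assumptions made for the example.

```javascript
// Added example, not ServiceNow code. Models the appetite status rules on this page.
// Object shapes, status names and function names are assumptions for illustration.

// Default appetite scale from the page (1 = Averse ... 5 = Hungry).
const APPETITE_SCALE = { 1: 'Averse', 2: 'Minimalist', 3: 'Cautious', 4: 'Open', 5: 'Hungry' };

// Status values ordered from best to worst, so "worst case" is the highest index.
const STATUS = ['within_appetite', 'outside_appetite', 'outside_tolerance'];

// Page rule: tolerance must be greater than appetite (both qualitative and quantitative).
function validateLimits(appetite, tolerance, label) {
  if (typeof appetite !== 'number' || typeof tolerance !== 'number' || !(tolerance > appetite)) {
    throw new RangeError(label + ' tolerance (' + tolerance + ') must be greater than appetite (' + appetite + ')');
  }
}

// Shared comparison, as inferred from the page's examples:
//   value <= appetite              -> within appetite
//   appetite < value <= tolerance  -> outside appetite
//   value > tolerance              -> outside tolerance
function classify(value, appetite, tolerance) {
  if (value <= appetite) return STATUS[0];
  if (value <= tolerance) return STATUS[1];
  return STATUS[2];
}

// Qualitative status: final risk rating (already mapped to the appetite scale) vs. limits.
function qualitativeStatus(riskRating, appetite, tolerance) {
  validateLimits(appetite, tolerance, 'Qualitative');
  if (!(riskRating in APPETITE_SCALE)) throw new RangeError('rating not on scale: ' + riskRating);
  return classify(riskRating, appetite, tolerance);
}

// Quantitative status: aggregated annual loss expectancy (ALE) vs. monetary limits.
function quantitativeStatus(ale, appetite, tolerance) {
  validateLimits(appetite, tolerance, 'Quantitative');
  return classify(ale, appetite, tolerance);
}

// Overall status: the worse of the two component statuses (page rule).
function overallStatus(qualStatus, quantStatus) {
  return STATUS.indexOf(qualStatus) >= STATUS.indexOf(quantStatus) ? qualStatus : quantStatus;
}

// Effective qualitative limits: inherit from the parent statement unless the
// "Override qualitative risk appetite" option is selected (page rule). Shape is assumed.
function effectiveQualitativeLimits(statement, parent) {
  if (parent && !statement.overrideQualitativeAppetite) {
    return { appetite: parent.qualitativeAppetite, tolerance: parent.qualitativeTolerance };
  }
  return { appetite: statement.qualitativeAppetite, tolerance: statement.qualitativeTolerance };
}

// Computes all three statuses for a risk statement from the aggregated results of the
// selected RAM. `aggregated` = { finalRating: 1-5, ale: number } (assumed shape).
function appetiteStatuses(statement, parent, aggregated) {
  const limits = effectiveQualitativeLimits(statement, parent);
  const qual = qualitativeStatus(aggregated.finalRating, limits.appetite, limits.tolerance);
  const quant = quantitativeStatus(aggregated.ale, statement.quantitativeAppetite, statement.quantitativeTolerance);
  return { qualitative: qual, quantitative: quant, overall: overallStatus(qual, quant) };
}

// Worked example with the page's numbers (constructed input): appetite 2 - Minimalist,
// tolerance 4 - Open, quantitative appetite $1,000, tolerance $1,500; rating 2, ALE $1,200.
const example = appetiteStatuses(
  { overrideQualitativeAppetite: true, qualitativeAppetite: 2, qualitativeTolerance: 4,
    quantitativeAppetite: 1000, quantitativeTolerance: 1500 },
  null,
  { finalRating: 2, ale: 1200 }
);
// example.qualitative is within_appetite, example.quantitative is outside_appetite,
// so example.overall is outside_appetite
```

The boundary cases are the ones worth checking when validating a configuration: a value exactly equal to the appetite is still within appetite, a value exactly equal to the tolerance is outside appetite rather than outside tolerance, and a tolerance that is not strictly greater than the appetite is rejected rather than silently producing a status.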