This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of Workflow of a risk using Advanced Risk
When you migrate to the Advanced Risk Assessment in ServiceNow (starting with version 14.0), the lifecycle of risks shifts from a simple active/inactive classification to a more detailed state-based workflow.This enhanced workflow simplifies risk management by providing clear states and actions for each risk, enabling risk owners to take appropriate steps throughout the risk management process.Once the migration property is enabled by a risk administrator, it cannot be disabled.
Show full answerShow less
Risk States and Actions
Draft: Initial state when a risk is created or identified. The focus is on mapping and identifying the risk. Users can save, initiate assessment, monitor without assessment, retire the risk, or view the risk’s 360-degree relationships.
Assess: The risk assessment is in progress. After assessment, the risk either moves to Respond (if a response strategy exists) or Monitor. Actions include saving, viewing or canceling the assessment, returning to draft, retiring, or navigating to related scopes and views.
Respond: The risk response task is active. On task closure, the risk transitions to Monitor automatically. Users can save, re-assess (canceling the response task), retire, return to draft, or navigate to assessment scopes and 360-degree views.
Monitor: Risk has been assessed and response tasks are closed. Key Risk Indicators (KRIs) execute if defined, to monitor ongoing risk levels. Risk can be moved back to Assess for reassessment, retired, or returned to draft.
Retire: The risk is no longer active but retained as a system of record for audits. It can be reactivated to Draft if needed, with access to assessment scopes and 360-degree views.
Practical Benefits for ServiceNow Customers
This structured workflow enables clear visibility into a risk’s status and appropriate next steps, improving governance and compliance.
Direct initiation of risk assessments from the risk form streamlines risk evaluation processes.
Integration with KRIs during the Monitor state supports proactive risk tracking.
Maintaining retired risks as audit records supports organizational accountability without cluttering active risk management.
When you migrate to advanced risk assessment, you can view the various states of the
risks take the necessary actions. This ability simplifies your view of the risk form.
When your risk administrator enables the Migrate to Advanced Risk
Assessments property located under Advanced Risk Assessment > Administration > Properties, the life cycle of the classic or legacy risks undergo a change. You can also
initiate a risk assessment directly from the risk form.
Note:
Once you enable this property, you
cannot disable it.
Prior to version 14.0, when the Migrate to Advanced Risk Assessments
property was enabled, the risks were only classified as either active or inactive. Starting with
version 14.0, as a risk owner, when you enable Advanced Risk,
you can view the following states of your risks.
Draft
Assess
Respond
Monitor
Retired
Figure 1. States of a risk with advanced risk assessment
All the states and the actions available for each state are explained in the following
table.
State
Description
Actions available
Draft
This is the state of a risk when a risk is created by the second line of defense or
identified by the first line of defense.
The objective in this state is to map and
identify the risk pertaining to your organization. If you modify the entity or the primary
risk assessment methodology (RAM) for a risk, the state of the risk gets updated based on
the primary RAM's latest assessment.
Save
Assess: Pushes the workflow and initiates the risk
assessment.
Monitor: If you do not want to assess the risk but want to
monitor the risk.
Retire: The risk is retired along with all underlying risk
assessment and risk response.
Navigate to assessment scope: Shortcut to risk assessment scope.
The primary risk assessment methodology is passed.
360 degree: View the complete 360-degree relationships for the
risk.
Assess
This is the state of a risk when advanced risk assessment is initiated and being
performed. If there is a response strategy, then the risk moves to the Respond state
otherwise it moves to the Monitor state once the assessment is completed.
Save
View assessment: Navigates to the actual risk assessment
form.
Cancel assessment: If you want to cancel the current assessment.
The respective risk assessor is notified about the canceled assessment.
Return to draft: Cancels the current assessments and returns the
risk to the previous state.
Retire
Navigate to assessment scope
360 degree
Respond
This is the state of the risk when the risk response task is in progress.
Once the
risk response task is closed, the risk is automatically moved into the Monitor
state
Save
Assess: Pushes the workflow back in the workflow. The
in-progress risk response task would be canceled.
Retire
Navigate to assessment scope
360 degree
Return to draft
Monitor
This is the state of the risk when the risk has been assessed and the response task is
closed.
If KRIs are defined (through Metrics), they are executed to monitor the
risk.
Save
Assess: Moves the risk back to Assess state and initiates the
risk assessment.
Retire
Navigate to assessment scope
360 degree
Return to draft
Retire
This is the state of the risk when the risk is no longer valid but the organization
wants to keep a system of record for audit purposes.
360 degree
Activate: Reactivates the risk and moves it back to Draft
state.
