Understanding the risk assessment instance

  • Release version: Xanadu
  • Updated August 1, 2024

    A risk assessment instance is where a risk assessor can assess risks and objects by responding to questions or factors.

    After the risk assessment methodology (RAM) is created and the risk assessment scope is defined, the risk administrator initiates the assessments. The assessor receives a notification to assess the risks. To perform the risk assessment, an assessor must have the sn_grc.business_user role. The assessment is used to arrive at a risk score for an entity.
    Note:
    You must manually assign the advanced risk assessment roles to the sn_grc.business_user role. To understand how you can adjust the granting of roles and groups, see the How to adjust granting of roles and groups to use background jobs [KB0963693] article in the Now Support Knowledge Base.

    The questions that a risk assessor answers are configured in the RAM. An assessment can contain manual factors and automated factors. Manual factors need human input as responses. For automated factors, the responses are automatically calculated. Automated factors are automatically executed based on the schedule that is defined in their configuration.

    After an assessment is completed, a reassessment is automatically triggered according to the defined reassessment frequency. A reassessment is triggered only if the existing risk assessment instance is in the Monitor state. While an assessment is in the Monitor state, each scheduled run of the automated factors changes the assessment scores, and the factors contribute their new scores to the rollup.

    If the risk assessor determines that an assessment must be reassigned to another relevant assessor, then the assessor can reassign the assessment. The assessor can also modify the responses after responding to the factors.

    If an assessment is taken more than once, and if the option to copy the previous assessment responses is enabled in the RAM, then the responses from the previous assessments get automatically copied to the current assessment.
    Note:
    Automated factor responses and overridden scores aren’t copied from previous assessments.

    Components of a risk assessment instance

    Based on the configurations in the RAM, the risk assessment instance form also displays the following related lists:
    • Previous Assessments: The previous five assessments for the risk that is currently being assessed.
    • Risk Events: The number of risk events that are associated with the risk.
    • Risk Indicators: The number of risk indicators that passed and failed for this risk.
    • Open Issues: The number of open issues for the risk and their state and owners.
    • Risk Response Tasks: The number of risk response tasks that are created for the assessment.
    • Related controls: The controls that are related to the risk. This related list appears only when the control environment is being assessed.
      Note:
      Customers on previous releases might not be able to see the updated count for passed and failed indicators. To resolve this issue, run the Update indicator and Controls Count fix script.

    An assessor has the option to not assess the mitigating controls. The option to opt out of controls is useful in cases where there is a risk but there are no controls to mitigate it. For example, consider a scenario where a pandemic is a risk but there are no vaccines to control it. In such a case, the risk is assessed but the controls can be left out of the assessment. When an assessor decides to opt out of assessing mitigating controls and residual risks, the score is set to Not applicable.

    If the control assessment is configured to assess individual controls, and controls are associated with the risk being assessed, then the option to opt out of controls does not appear, because the associated controls are included in the assessment by default.

    If the residual assessment is for inherent risks and controls, and if the risk assessor opts out of control assessment, then the residual risks are not applicable. This condition is created because if there are no controls, that automatically means there are only inherent risks and no residual risks.

    Stages of risk assessment

    The risk assessment life cycle goes through the following states:
    1. Ready to assess: A new assessment instance is created.
    2. Inherent assessment: The inherent risk assessment is performed.
    3. Control assessment: The control assessment is performed.
    4. Residual assessment: The residual risk assessment is performed.
    5. Target assessment: The target risk assessment is performed.
    6. Respond: You respond to the risks.
    7. Awaiting approval: The risk assessment is awaiting approval from the approvers if they have been identified.
    8. Monitor: The risk assessment is complete and is being monitored.
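    The rules above (the state sequence, the reassessment condition, the control opt-out and its effect on residual scores, and the copy-previous-responses exclusions) can be modelled as a small state machine. The following is an added illustrative model in plain JavaScript; it is not ServiceNow code and uses no ServiceNow API, and all function and field names are assumptions.

```javascript
// Added illustrative model (plain JavaScript, not ServiceNow API code) of the
// risk assessment instance rules described on this page. All names are assumptions.
const STATES = ['Ready to assess', 'Inherent assessment', 'Control assessment',
  'Residual assessment', 'Target assessment', 'Respond', 'Awaiting approval', 'Monitor'];

function createInstance({ hasLinkedControls, approversDefined }) {
  return { state: STATES[0], hasLinkedControls, approversDefined, optedOutOfControls: false };
}

// Move to the next state; "Awaiting approval" is skipped when no approvers are identified.
function advance(inst) {
  let i = STATES.indexOf(inst.state) + 1;
  if (STATES[i] === 'Awaiting approval' && !inst.approversDefined) i += 1;
  if (i < STATES.length) inst.state = STATES[i];
  return inst.state;
}

// Opting out of control assessment is offered only when no controls are linked to
// the risk (linked controls are included in the assessment by default).
function optOutOfControls(inst) {
  if (inst.hasLinkedControls || inst.state !== 'Control assessment') return false;
  inst.optedOutOfControls = true;
  return true;
}

// Once controls are opted out, the control and residual scores are "Not applicable":
// with no controls there is only inherent risk.
function stageScore(inst, stage, computedScore) {
  const dependsOnControls = stage === 'Control assessment' || stage === 'Residual assessment';
  return inst.optedOutOfControls && dependsOnControls ? 'Not applicable' : computedScore;
}

// A scheduled reassessment fires only while the existing instance is in Monitor.
function shouldTriggerReassessment(inst, reassessmentDue) {
  return reassessmentDue && inst.state === 'Monitor';
}

// Copy previous responses when the RAM enables it; automated factor responses and
// overridden scores are never copied. `factors` describes each factor from the RAM.
function copyPreviousResponses(previous, factors, copyEnabled) {
  const copied = {};
  if (!copyEnabled) return copied;
  for (const [name, f] of Object.entries(factors)) {
    if (!f.automated && !f.overridden && name in previous) copied[name] = previous[name];
  }
  return copied;
}
```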