Workflow of project risk assessment

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Workflow of Project Risk Assessment

    This workflow outlines the integration of Project Portfolio Management (PPM) with Governance, Risk, and Compliance (GRC) risk management capabilities in ServiceNow. It details how project risks are identified, assessed, and potentially escalated to enterprise risks, enabling project managers and risk specialists to manage risk systematically and maintain organizational resilience.

    Show full answer Show less

    Risk Identification and Assessment Process

    • Risk Identification: Project managers with the itprojectmanager and sngrc.businessuser roles identify risks and add them to a project, either by creating new risks or selecting from a risk library.
    • Initiating Assessment: The project manager initiates risk assessment. Assessors and approvers are defined in the Project Integration Configuration form and notified via email to perform assessments.
    • Assessment Conditions: Only risks in Pending, Open, or Work in Progress states can be assessed. If stakeholders are assessors, the project manager must assign risks manually.
    • Risk Assessment: Risk assessors receive notifications and can assess risks via email links or through Advanced Risk Assessment tasks in the platform.
    • Review and Elevation: Project managers review assessment scores in the Risk Assessment Summary section. If a risk impacts the enterprise, it can be elevated to an enterprise risk, which copies the risk to the enterprise risk register and triggers assessment by an enterprise risk manager.

    Risk Escalation and Management

    • Enterprise Risk Assessment: When elevated, enterprise risk scores (inherent and residual) are visible to the project manager, and reassessments notify the enterprise risk assessor.
    • Materialized Risks: If a risk materializes, the project manager can convert it into an issue for resolution using the RIDAC (Risk, Issue, Decision, Action, and Request Changes) framework.

    Risk Monitoring and Reporting

    • Risk Posture Visualization: The project risk heatmap highlights risks with high impact and likelihood, helping prioritize attention and resources.
    • Aggregated Risk Score: Assessed risks contribute to a composite risk score that can be reported to stakeholders for transparency and decision-making.
    • Dashboards: The Project Risk Overview dashboard provides a consolidated view of project and enterprise risk postures.

    Roles and Notifications

    • Assessors and approvers must have the sngrc.businessuser role to perform risk assessments and approvals.
    • Email notifications support timely assessments and reassessments, ensuring prompt risk management actions.

    This workflow empowers ServiceNow customers to systematically identify, assess, escalate, and monitor project risks within the broader enterprise risk framework, enhancing risk visibility and enabling proactive mitigation strategies.

    To understand the integration of Project Portfolio Management and Governance, Risk, and Compliance risk management capabilities, it is important to understand the workflow of project risk assessment.

    Project risk assessment follows a sequence of steps. Sometimes, a risk is elevated to an enterprise risk after the risk is assessed. An enterprise risk is a risk that can cause monetary or reputational losses. It can jeopardize your ability to stay in business.

    The workflow of project risk assessment is as follows:
    1. A project manager identifies risks and adds those risks to a project. The manager can either create risks or add them from a library. The project manager has the it_project_manager and sn_grc.business_user roles. For more information, see Add risks for a project.
    2. The project manager then initiates risk assessment for the newly added risks. In the Project Integration Configuration form, the assessors and approvers are defined for the assessment. They get an email notification to assess the risks.
      Note:
      You can only assess the risks that are in the Pending, Open, or Work in Progress state.
    3. If the Project Integration Configuration form has stakeholders selected as assessors, then the project manager must manually assign the risks to the relevant stakeholder.
    4. As a risk specialist, the risk assessor is notified about the new risks for assessment.

      The risk assessor can use the link in the email notification to start the assessment. Alternatively, the risk assessor can navigate to Advanced Risk Assessment > Risk Assessment Tasks > My Tasks to perform advanced risk assessment. See Advanced Risk Assessment.

    5. In the project risk form, the project manager reviews the Risk Assessment Summary section to view the risk assessment scores.
    6. If the project manager determines that the project risk has an impact on the enterprise, then the project manager can elevate the risk to an enterprise risk.
      Note:
      When a project risk is elevated to an enterprise risk, the project risk is copied from the project risk register to the enterprise risk register.
    7. If a risk is elevated to an enterprise risk, the enterprise risk manager is requested to assess the risk.
    8. The project manager views the enterprise inherent risk score and the enterprise residual risk score in the Risk Assessment Summary.
    9. As part of the Project Portfolio Management workflow, if a risk materializes and an action must be taken for this risk, then the project manager can convert the risk into an issue. For more information, see RIDAC (Risk, Issue, Decision, Action, and Request Changes) record entries for a project.
    10. The project manager can also view the project risk posture through the heatmap in the Risk Overview section on the project form. The heatmap displays high impact risks and high likelihood risks. With the heatmap, you can prioritize the risks that need immediate attention. The risks that are assessed contribute to the aggregated risk score. The aggregated risk score is a single score that can be reported to all the stakeholders. For more information, see Create a project.
    11. View the Project Risk Overview dashboard to understand the overall risk posture of project risks and of enterprise risks. For more information, see Project Risk Overview dashboard.
    Note:
    The assessor and the approver must have risk business user role (sn_grc.business_user) to perform the required tasks. If the project risks are reassessed for any reason and the scores change, then the enterprise risk assessor gets an email notification with the option to reassess the enterprise risk.
    The key users and the user journey are shown in the following figures.
    Figure 1. Key users of Project Portfolio Management and Risk Integration
    Key personas who use the PPM and Risk integration feature
    Figure 2. User journey of Project Portfolio Management and risk integration
    PPM and Advanced Risk Assessment integration user journey