Risk appetite fields on the Risk Statement form
Learn about the risk appetite fields on the Risk Statement form. Use these fields to define the risk appetite, evaluate all the possible risks, and set the boundaries for the acceptable and unacceptable risks in the Risk Management application.
See the following table for a description of the field values.
| Field | Description |
|---|---|
| Override qualitative risk appetite | Option to override the qualitative risk appetite of the parent risk statement. By default, all risk statements inherit the risk appetite of the parent risk statement. When you select this option, you can define the risk appetite values for the current risk statement separately. Note: This field appears only when a parent risk statement is available for the current risk statement. |
| Qualitative appetite | Risk appetite in numerical scale and rating terms. The qualitative appetite is compared with the qualitative risk rating to compute the qualitative appetite status. You define the qualitative appetite based on the appetite scale set by the risk administrator. The default options are as follows: A risk administrator can change or create the risk appetite scales based on the organization's requirements. For more information, see Set up a risk appetite scale. After you define the qualitative appetite, you can copy it to the downstream risks and risk statements. Note: A risk manager with the sn_risk_advanced.qualitative_risk_appetite_reader role can only view the qualitative appetite and qualitative tolerance values on the form and in other places. |
| Quantitative appetite | Risk appetite in quantitative terms. The quantitative risk appetite can be measured and expressed in monetary values. The quantitative appetite is the amount of loss that an organization is willing to risk. For example, an organization decides to have $10,000 (US dollars) as a target non-performing asset (NPA) for this year, which means that the organization defines $10,000 (US dollars) as the quantitative risk appetite. The quantitative appetite is compared with the annual loss expectancy (ALE) to compute the quantitative appetite status. Note: A risk manager with the sn_risk_advanced.quantitative_risk_appetite_reader role can only view the quantitative appetite and quantitative tolerance values on the form and in other places. |
| Qualitative tolerance | Risk tolerance in numerical scale and rating terms. The risk tolerance is the accepted deviation from the defined risk appetite. The qualitative tolerance is compared with the qualitative risk rating to compute the qualitative appetite status. The qualitative tolerance must be greater than the defined qualitative appetite. You define the qualitative tolerance based on the appetite scale set by the risk administrator. The default options are as follows: A risk administrator can change or create the risk appetite scales based on the organization's requirements. For more information, see Set up a risk appetite scale. |
| Quantitative tolerance | Risk tolerance in quantitative terms. The risk tolerance is the accepted deviation from the defined risk appetite. The quantitative risk tolerance can be measured and expressed in monetary values. For example, an organization decides to have $15,000 (US dollars) as the target non-performing assets (NPAs) for this year, which means that the organization defines $15,000 (US dollars) as the quantitative risk tolerance. The quantitative tolerance is compared with the annual loss expectancy (ALE) to compute the quantitative appetite status. Note: The quantitative tolerance must be greater than the defined quantitative appetite. |
| Risk appetite statement | Risk appetite statement that defines the amount and types of risk that an organization is willing to accept to achieve its objectives. It documents what the organization considers threats and its response strategies. These statements give additional context for understanding the risk appetite and help the business make risk-informed decisions. For example, "ACME Inc. has no appetite for unauthorized access to systems and confidential data and will maintain strong controls to mitigate external threats against its technology infrastructure. ACME Inc. has a low appetite for losing the continuity of business operations stemming from unreliable telecommunications or system availability. Business resiliency planning and execution must be aligned with strategic objectives. ACME Inc. has a moderate appetite for innovative technology solutions to meet user demands in a rapidly changing environment. The agency will exercise appropriate governance and discipline when considering and adopting new technology." |
| Next review date | Date to update the risk appetite fields and review the risk appetite statement. An email notification is sent to the risk statement owner before the next review date. A risk administrator can schedule the email notification in the advanced risk assessment properties. For more information, see Configure a risk appetite and tolerance in Advanced Risk. |
| Risk appetite status | |
| Methodology for status calculation | Risk assessment methodology (RAM) whose aggregated results are used to calculate the risk appetite status of the risk statement. |
| Qualitative appetite status | Qualitative appetite status of the risk statement. The qualitative appetite status is calculated by comparing the defined qualitative appetite with the qualitative appetite that is mapped to the final risk rating. A risk administrator can map the appetite scales to the risk rating criteria for the final assessment type in RAM. Note: The RAM selected in the Methodology for status calculation field is used for the status calculation. For example, if you define the qualitative appetite as 2-Minimalist and the qualitative tolerance as 4-Open, then the following statuses appear: |
| Quantitative appetite status | Quantitative appetite status of the risk statement. The annual loss expectancy (ALE) values are compared with the defined quantitative appetite to calculate this appetite status. Note: The aggregated ALE value from the RAM selected in the Methodology for status calculation field is used for the status calculation. For example, if you define the quantitative appetite as $1,000 (US dollars) and the quantitative tolerance as $1,500 (US dollars), then the following statuses appear: |
| Appetite status | Overall appetite status. The overall appetite status considers the worst-case scenario between the qualitative and quantitative statuses. For example, if the qualitative appetite status is within the appetite and the quantitative appetite status is outside the appetite, then the overall appetite status is outside the appetite. |
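The status logic described in the table (compare a measured value with appetite and tolerance, require tolerance to exceed appetite, inherit the qualitative appetite from the parent unless overridden, and take the worst case of the two component statuses) is small enough to model end to end. The following is an added example written for this page; it is not ServiceNow's implementation and uses no Glide APIs. The three status labels, the ordering used to pick the worst case, the property names on the statement objects, and the sample values are assumptions; the appetite and tolerance figures (2-Minimalist / 4-Open, $1,000 / $1,500) are the ones used in the table's examples.

```javascript
// Stand-alone model of the risk appetite status calculation described on this page.
// Not ServiceNow's code: status labels, ordering and object shapes are assumptions.

// Ordered from best to worst so the worst-case rule can pick the highest index.
// "within tolerance" (above appetite, at or below tolerance) is an assumed label
// for the intermediate state; the page itself only names "within the appetite"
// and "outside the appetite".
const STATUS_ORDER = ["within appetite", "within tolerance", "outside tolerance"];

// Both field pairs on the form require tolerance to be greater than appetite.
function validateAppetitePair(appetite, tolerance, fieldName) {
  if (!(tolerance > appetite)) {
    throw new RangeError(
      `${fieldName} tolerance (${tolerance}) must be greater than appetite (${appetite})`
    );
  }
}

// Compare a measured value (the appetite value mapped to the final qualitative
// rating, or the aggregated ALE) with the defined appetite and tolerance.
function appetiteStatus(measured, appetite, tolerance, fieldName) {
  validateAppetitePair(appetite, tolerance, fieldName);
  if (measured <= appetite) return "within appetite";
  if (measured <= tolerance) return "within tolerance";
  return "outside tolerance";
}

// Overall status is the worst case of the qualitative and quantitative statuses.
function overallAppetiteStatus(qualitativeStatus, quantitativeStatus) {
  const worst = Math.max(
    STATUS_ORDER.indexOf(qualitativeStatus),
    STATUS_ORDER.indexOf(quantitativeStatus)
  );
  return STATUS_ORDER[worst];
}

// The qualitative appetite is inherited from the parent statement unless the
// override option is selected; the option only applies when a parent exists.
function effectiveQualitativeAppetite(statement, parent) {
  const ownValues = {
    appetite: statement.qualitativeAppetite,
    tolerance: statement.qualitativeTolerance,
  };
  if (!parent || statement.overrideQualitativeAppetite) return ownValues;
  return { appetite: parent.qualitativeAppetite, tolerance: parent.qualitativeTolerance };
}

// Evaluate one risk statement against the aggregated results of its selected RAM.
function evaluateRiskStatement(statement, parent, ramResults) {
  const q = effectiveQualitativeAppetite(statement, parent);
  const qualitative = appetiteStatus(
    ramResults.finalRatingAppetiteValue, q.appetite, q.tolerance, "Qualitative");
  const quantitative = appetiteStatus(
    ramResults.aggregatedAle, statement.quantitativeAppetite,
    statement.quantitativeTolerance, "Quantitative");
  return { qualitative, quantitative, overall: overallAppetiteStatus(qualitative, quantitative) };
}

// Constructed sample data. The child overrides its parent's qualitative appetite
// with 2 (Minimalist) / 4 (Open) and sets a quantitative appetite of $1,000 with
// a $1,500 tolerance, as in the table's examples.
const parentStatement = { qualitativeAppetite: 3, qualitativeTolerance: 5 };
const childStatement = {
  overrideQualitativeAppetite: true,
  qualitativeAppetite: 2,
  qualitativeTolerance: 4,
  quantitativeAppetite: 1000,
  quantitativeTolerance: 1500,
};
// Constructed RAM results: final rating maps to 2 on the appetite scale, ALE is $1,800.
const sampleRam = { finalRatingAppetiteValue: 2, aggregatedAle: 1800 };

console.log(evaluateRiskStatement(childStatement, parentStatement, sampleRam));
```

With the sample data the qualitative status is within appetite and the quantitative status is outside tolerance, so the overall status is outside tolerance, which is the worst-case behaviour the Appetite status row describes. Changing `overrideQualitativeAppetite` to `false` makes the evaluation use the parent's 3 / 5 pair instead.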