Target risk assessment in Advanced Risk

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Target Risk Assessment in Advanced Risk

    The target risk assessment in the Advanced Risk application allows ServiceNow customers to define and monitor their organization's desired future risk levels. This assessment type focuses on establishing the optimum risk level that an organization aims to achieve after implementing risk response actions. It helps measure the benefits of these actions relative to their costs by evaluating the desired likelihood and impact of identified risks.

    Show full answer Show less

    Setting Up a Target Risk Assessment

    Risk administrators can enable target risk assessments within the Advanced Risk application by configuring the Risk Assessment Methodology (RAM) form. This feature can be enabled for existing published RAMs but cannot be turned off once activated. Target risk assessments are only applicable for new assessments and cannot be performed on assessments already in progress.

    Assessing a Target Risk

    Assessors evaluate the future state of risks using predefined factors, scoring logic, and rating criteria from the RAM form. This process aligns with other assessment types such as inherent, control, and residual risk assessments. The system computes a future risk appetite status to indicate whether the target risk aligns with organizational risk appetite. Risk approvers review and approve the target risk ratings and appetite status.

    Target risk assessments can be applied to both risk-based and object-based assessments; however, the future appetite status is only computed for risk-based assessments. When enabled, assessments must be conducted using the updated (next) experience interface.

    Reporting on Target Risk

    Customers can visualize the target risk profile on the heatmap, which shows inherent, residual, and target risk states. This comprehensive view supports analysis of risk progression from current states to desired targets. Additionally, the risk trend feature allows monitoring of risk changes over the past five periods to evaluate if risk levels are moving toward the target.

    You can perform a target risk assessment to define your desired future risk level using the Advanced Risk application. The target risk assessment enables you to assess your target risk posture and monitor progress toward its achievement.

    Overview of a target risk assessment

    A target risk assessment is an assessment type to define the desired risk level the organization want to achieve in the future. By evaluating the desired level of likelihood and impact of identified risks, organizations can establish target risk levels for each risk.

    For example, when assessing a risk, organizations consider various aspects such as inherent risk, the effectiveness of controls, and residual risks. However, it's equally important to capture the desired risk level that will be attained after the risk response is implemented. The target risk represents the optimum level of risk that you aim to achieve after your action plan is successfully executed. It enables you to measure the benefits your organization gets in relation to the cost of implementing those actions.

    Setting up a target assessment

    A risk administrator can configure and set up a target risk assessment for your organization in the Advanced Risk application. Risk administrator can enable the option for assessing a target risk on the Risk assessment methodology (RAM) form. For more information, see Configure a target assessment.

    Important:
    You can enable target risk assessment for existing published RAMs. However, after you enabled, it can’t be turned off. Additionally, target risk assessment can only be conducted for new assessments and not for assessments that are already in progress.

    Assessing a target risk

    Assessors can analyze the future state of the risk based on the defined factors, scoring logic, and rating criteria in the RAM form. Assessing the future state of risk is a structured process that shares similarities with inherent, control, and residual assessment types. Based on the target risk profile, the system also computes the future risk appetite status. It enables assessors to analyze if the target risk profile is in line with the risk appetite or not. Risk approvers can review the target risk rating and the future appetite status and approve them. Target risk assessment can be performed for both risk and object-based assessments. However, if it’s object-based, the future appetite status isn’t computed and displayed. For more information, see Perform advanced risk assessment in the Risk Workspace.

    Important:
    If target risk assessment is enabled for a methodology, the risk or object can only be assessed in the next experience.

    Reporting a target risk

    On the heatmap, you can view the target risk profile, which provides a comprehensive understanding of the inherent, residual, and target states of the risk. When the risk assessment criteria are shared, you can analyze the risk movement from inherent state to residual state and then to its target state. By using the risk trend capability, you can assess risk changes over the past five periods to determine if it’s moving in the desired direction. For more information, see Risk heatmap workbench.