Workflow of project risk assessment
Summary of Workflow of project risk assessment
This workflow explains how Project Portfolio Management (PPM) integrates with Governance, Risk, and Compliance (GRC) to facilitate project risk assessment. It outlines the sequential steps involved in identifying, assessing, and managing risks within projects and how certain risks may escalate to enterprise-level risks. Understanding this workflow helps ServiceNow customers effectively manage project risks, prioritize them, and align risk assessments with enterprise risk management processes.
Key Features
- Risk Identification and Addition: Project managers with the it_project_manager and sn_grc.business_user roles identify risks and add them to projects either by creating new risks or selecting from a risk library.
- Risk Assessment Initiation: Assessors and approvers are configured in the Project Integration Configuration form and receive email notifications to assess the risks. Only risks in Pending, Open, or Work in Progress states can be assessed.
- Risk Assignment: If stakeholders are assessors, project managers manually assign risks to relevant stakeholders.
- Risk Assessment Execution: Risk assessors, notified by email, can perform assessments via provided links or by navigating to Advanced Risk Assessment tasks within ServiceNow.
- Risk Review and Elevation: Project managers review assessment scores in the Risk Assessment Summary. If a project risk impacts the enterprise, they can elevate it, copying it to the enterprise risk register for further evaluation by enterprise risk managers.
- Risk Materialization and Issue Conversion: When a risk materializes, project managers can convert it into an issue to track actions, following the RIDAC (Risk, Issue, Decision, Action, and Request Changes) process.
- Risk Visualization and Prioritization: The project form includes a heatmap that highlights high-impact and high-likelihood risks, enabling priority management and focused attention.
- Aggregated Risk Scoring and Reporting: Assessed risks contribute to an aggregated risk score that is reported to stakeholders, providing a consolidated view of risk posture.
- Risk Reassessment Notifications: If reassessment changes risk scores, enterprise risk assessors receive notifications with options to reassess enterprise risks.
Key Outcomes
- Project managers can systematically identify, assess, and escalate risks, ensuring alignment between project-level and enterprise-level risk management.
- Risk assessors and approvers are clearly defined and notified, streamlining the risk assessment process and accountability.
- Visibility into risk posture through heatmaps and dashboards enables proactive risk prioritization and management.
- Integration with issue management (RIDAC) supports timely action on materialized risks within projects.
- Aggregated scoring and dashboards provide stakeholders with comprehensive insights into project and enterprise risk exposure.
To understand the integration of Project Portfolio Management and Governance, Risk, and Compliance risk management capabilities, it is important to understand the workflow of project risk assessment.
Project risk assessment follows a sequence of steps. Sometimes, a risk is elevated to an enterprise risk after the risk is assessed. An enterprise risk is a risk that can cause monetary or reputational losses. It can jeopardize your ability to stay in business.
- A project manager identifies risks and adds those risks to a project. The manager can either create risks or add them from a library. The project manager has the it_project_manager and sn_grc.business_user roles. For more information, see Add risks for a project.
- The project manager then initiates risk assessment for the newly added risks. In the Project Integration Configuration form, the assessors and approvers are defined for the assessment. They get an email notification to assess the risks.
Note: You can only assess the risks that are in the Pending, Open, or Work in Progress state.
- If the Project Integration Configuration form has stakeholders selected as assessors, then the project manager must manually assign the risks to the relevant stakeholder.
- As a risk specialist, the risk assessor is notified about the new risks for assessment.
The risk assessor can use the link in the email notification to start the assessment. Alternatively, the risk assessor can navigate to to perform advanced risk assessment. See Advanced Risk Assessment.
- In the project risk form, the project manager reviews the Risk Assessment Summary section to view the risk assessment scores.
- If the project manager determines that the project risk has an impact on the enterprise, then the project manager can elevate the risk to an enterprise risk.
Note: When a project risk is elevated to an enterprise risk, the project risk is copied from the project risk register to the enterprise risk register.
- If a risk is elevated to an enterprise risk, the enterprise risk manager is requested to assess the risk.
- The project manager views the enterprise inherent risk score and the enterprise residual risk score in the Risk Assessment Summary.
- As part of the Project Portfolio Management workflow, if a risk materializes and an action must be taken for this risk, then the project manager can convert the risk into an issue. For more information, see RIDAC (Risk, Issue, Decision, Action, and Request Changes) record entries for a project.
- The project manager can also view the project risk posture through the heatmap in the Risk Overview section on the project form. The heatmap displays high impact risks and high likelihood risks. With the heatmap, you can prioritize the risks that need immediate attention. The risks that are assessed contribute to the aggregated risk score. The aggregated risk score is a single score that can be reported to all the stakeholders. For more information, see Create a project.
- View the Project Risk Overview dashboard to understand the overall risk posture of project risks and of enterprise risks. For more information, see Project Risk Overview dashboard.