Risk Assessment in Change Management

When managing change requests in ServiceNow, assessing risk is a critical step to ensure changes are implemented safely and effectively. ServiceNow provides two primary methods for calculating the risk of a change:

 1. Change Risk Calculator (Recommended Best Practice)

This is enabled by default in the system and uses predefined properties and conditions to automatically calculate the risk of a change.

2. Change Management - Risk Assessment

This method uses user input through configurable questionnaires to determine the risk score. It offers a flexible and tailored approach to risk evaluation based on your organization’s needs.

How to Configure Change Risk Using Risk Assessment

The Change Management - Risk Assessment plugin allows administrators to design custom risk assessment questionnaires. Based on the users’ responses, the system calculates the overall risk of the associated change request.

Prerequisite: Plugin Activation

Activate the plugin:

Plugin Name: Change Management - Risk Assessment

Plugin ID: com.snc.change_management.risk_assessment

Steps to Configure Risk Assessment

1. Create a Risk Assessment

• Navigate to All > Change > Administration > Risk Assessments

• Click New

• Fill in the required form fields

• Use the form context menu to Save the record

🔄After saving, two related lists appear at the bottom:

• Assessment Categories

• Assessment Thresholds

2. Design Assessment Questionnaire

• Click the Edit in Assessment Designer related link

  

• Use the designer to create your assessment questions

  

• Click Save or Save and Publish

3. Configure Assessment Categories

• Return to the Change Risk Assessment (change_risk_asmt) form

• Open a record from Assessment Categories (auto-created by the designer)

• Define filter conditions if not already set

📌Tip: Review the Assessment Metrics (question list). These contain:

Weight

Min and Max scale values

The Min and Max scale values are derived from the values defined in the metric choices (Assessment Metric Definitions).
For example, when we open the metric “Affect critical CI or Business Service”, the Min and Max values are automatically determined based on the lowest and highest values configured in its answer choices.

4. Define Risk Thresholds

• Go back to the Change Risk Assessment form

• Use the Assessment Thresholds related list to set risk level boundaries

  

🧮 How Risk Score is Calculated

This is how the risk assessment score is calculated and set.

• asmt_metric_result stores the score set.

For better understanding, let’s update the weight of the ‘Complexity of Change’ metric to 3.

In the assessment, we selected the value Easy, which has a score value of 1 (see screenshots below).

• The weight is calculated as sum(asmt_metric_result.normalized_value) where asmt_metric_result.normalized_value = actual_value * weight.

Actual Value = 1

Weight=3

Weighted value = Actual Value * Weight = 1*3 = 3

Because the weight has been changed to 3, the Weighted value is reflected as 3.

• The risk calculated as sum(actual_value * weight) > threshold. For example, If the result is 7 and moderate threshold is 6 risk is moderate.

📚Reference:
For more detailed documentation, refer to ServiceNow Docs – Define a Risk Assessment