
Can a Single RAM Be Designed to Handle Inherent, Control, and Residual Risk Across Different Entities?

Harsh Chitroda
Tera Contributor

Current situation (offline in Excel), where the client does risk assessment as follows:

  • Risks are assessed by evaluating controls at the lowest level (Risk Instance).

  • Inherent Risk is calculated at the Business Process level.

  • The overall Residual Risk score is derived from these evaluations.

In the past, I used two separate RAMs - one for Inherent Risk (at the Business Process level) and another for Control Assessments (at the Risk Instance level). While this approach worked technically (I used scripts to pass the Inherent score down to lower levels), it required users to manage multiple RAMs, which added a lot of complexity and isn’t ideal given this client’s maturity.

 

I am aiming to design a simpler configuration using a single RAM, where:

  • Inherent Risk is assessed once at the Business Process level (to represent overall exposure).

  • Control Assessments are done at the Sub-Process (Risk Instance) level.

  • The Residual Risk score is automatically calculated based on both the Inherent and Control assessments.

Is this even possible within ServiceNow? How will the roll-ups even work in this situation?

1 REPLY

WillieW
Tera Contributor

What is a "RAM"?