Mary Hain
Administrator

To learn more about implementing IRM Risk Management, including the different types of assessments, visit our IRM Risk Management Speed Learning Series on YouTube. 

ServiceNow provides two approaches to risk assessments that support organizations at different maturity levels.

Classic Risk Management

This is ServiceNow’s foundational assessment engine that enables teams to identify, assess, mitigate, and continuously monitor enterprise, operational, and IT risks. It supports basic assessments and a range of response strategies while keeping risk data current and actionable.

Review the Speed Learning content on Classic Risk Assessments, Setup, and Navigation.

Advanced Risk Management

This builds on Classic Risk Management by embedding structured, repeatable assessments based on a Risk Assessment Methodology (RAM).

The RAM provides a configurable blueprint for how risks are assessed. The framework is domain-agnostic, and its configurable nature makes it an ideal tool for Enterprise, Operational, or IT risk domains, individually or collectively.

At a high level, a RAM record captures four critical configurations:

  • Assessment context
  • Assessment types
  • Assessment preferences
  • Roll-up and reporting preferences

These configurations form the backbone of how risks—or even risk-related objects—are assessed, scored, and reported. Review the essentials of RAM here.

Whether assessing organizational entities, processes, applications, projects, or standalone risks, Advanced Risk Management is the configurable engine that lets you scale risk management up or down across the enterprise.

To learn more, review the following Speed Learning video resources for Advanced Risk:

Both Classic and Advanced Risk Management integrate into your broader Integrated Risk Management (IRM) ecosystem. They draw on the same risk and control libraries, entity management, and related shared data, so assessments stay aligned with organizational assets and frameworks.

Risk Scoring in Advanced Risk Assessment

Assessments collect information. Scoring turns that information into decisions.

Risk Scoring in Advanced Risk Assessment (ARA) defines how your organization calculates inherent risk, residual risk, and target risk. Instead of relying on gut feel or inconsistent spreadsheets, you configure the scoring logic once and apply it consistently across all assessments.

Scoring uses factors — the inputs that feed your calculations:

  • Manual factors – Assessors provide judgment-based input (likelihood, impact, control effectiveness)
  • Automated factors – The platform pulls data from other ServiceNow records automatically

You define how factors combine to produce scores. For example:

  • Inherent risk = Impact × Likelihood (before controls)
  • Residual risk = Inherent risk adjusted by control effectiveness
  • Target risk = Where leadership wants the risk to land

Scores map to rating criteria — the labels your organization uses to communicate risk levels (Critical, High, Medium, Low). These ratings drive what shows up in heatmaps, dashboards, and reports.
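To make the scoring model above concrete, here is an added worked example (not ServiceNow platform code and not the page's own material): a small scoring engine that combines manual and automated factors with the rules the FAQ names (weighted average, maximum, sum), derives inherent, residual, and target scores, and maps them to rating labels. The 1-to-5 scale, the factor weights, the incident-count banding, the rating bands, and the formula "residual = inherent discounted by the best control's effectiveness" are all assumptions chosen for illustration; the incident records are constructed sample data standing in for what an automated factor would query. It also reproduces the edge case from the FAQ: with no mapped controls, residual defaults to inherent.

```javascript
// Illustrative RAM-style risk scoring (added example; not ServiceNow platform code).
// Scale, weights, bands and the residual formula below are assumptions for the example.

// --- Combination rules (the FAQ names weighted average, maximum, sum) ---
const COMBINE = {
  weighted_average: (fs) => {
    const w = (f) => (f.weight === undefined ? 1 : f.weight);
    const total = fs.reduce((a, f) => a + w(f), 0);
    return fs.reduce((a, f) => a + f.value * w(f), 0) / total;
  },
  maximum: (fs) => Math.max(...fs.map((f) => f.value)),
  sum: (fs) => fs.reduce((a, f) => a + f.value, 0),
};

// --- Automated factor: turn incident history into a 1..5 likelihood input ---
// Constructed sample records; on the platform this would be a query, not a literal.
const INCIDENTS = [
  { entity: 'payments-api', priority: 1 },
  { entity: 'payments-api', priority: 2 },
  { entity: 'payments-api', priority: 2 },
  { entity: 'hr-portal', priority: 4 },
];

function incidentHistoryFactor(entity, records = INCIDENTS) {
  // Count high-priority (P1/P2) incidents for the entity being assessed.
  const n = records.filter((r) => r.entity === entity && r.priority <= 2).length;
  // Assumed banding: 0 -> 1, 1 -> 2, 2-3 -> 3, 4-5 -> 4, 6+ -> 5
  const value = n === 0 ? 1 : n === 1 ? 2 : n <= 3 ? 3 : n <= 5 ? 4 : 5;
  return { name: 'incident_history', value, automated: true };
}

// --- Rating criteria: score bands -> the labels shown on heatmaps (assumed bands) ---
const RATING_CRITERIA = [
  { label: 'Low', max: 5 },
  { label: 'Medium', max: 10 },
  { label: 'High', max: 16 },
  { label: 'Critical', max: 25 },
];

function rate(score, criteria = RATING_CRITERIA) {
  const band = criteria.find((c) => score <= c.max);
  return band ? band.label : criteria[criteria.length - 1].label;
}

// --- The methodology: how factor groups become inherent / residual / target ---
function assess(input, ram) {
  const likelihood = COMBINE[ram.likelihoodRule](input.likelihoodFactors);
  const impact = COMBINE[ram.impactRule](input.impactFactors);
  const inherent = impact * likelihood; // "before controls"

  // Residual comes from the control assessment. With no mapped controls, or no
  // effectiveness recorded, residual defaults to inherent (the FAQ's edge case).
  const controls = input.controls || [];
  const rated = controls.filter((c) => typeof c.effectiveness === 'number');
  let residual = inherent;
  if (rated.length > 0) {
    // Assumed formula: the strongest control's effectiveness (0..1) discounts inherent.
    const eff = Math.max(...rated.map((c) => c.effectiveness));
    residual = inherent * (1 - eff);
  }
  const target = ram.targetScore; // where leadership wants the risk to land
  return {
    inherent, residual, target,
    inherentRating: rate(inherent, ram.rating),
    residualRating: rate(residual, ram.rating),
    targetRating: rate(target, ram.rating),
    withinTarget: residual <= target,
  };
}

// A constructed methodology record: one RAM, reused by every assessment that cites it.
const OPERATIONAL_RAM = {
  likelihoodRule: 'weighted_average',
  impactRule: 'maximum',
  rating: RATING_CRITERIA,
  targetScore: 6,
};

// Worked assessment: two manual factors plus the automated incident factor.
function examplePayments() {
  return assess({
    likelihoodFactors: [
      { name: 'assessor_likelihood', value: 3, weight: 2 }, // manual, judgment-based
      incidentHistoryFactor('payments-api'),               // automated, value 3
    ],
    impactFactors: [
      { name: 'financial', value: 4 },
      { name: 'regulatory', value: 5 },
    ],
    controls: [{ name: 'dual authorisation', effectiveness: 0.5 }],
  }, OPERATIONAL_RAM);
}
```

For the payments example the weighted likelihood is 3, the maximum impact is 5, so inherent is 15 (High); the one rated control halves it to a residual of 7.5 (Medium), which still sits above the target of 6, so the risk is flagged as outside target. Running the same assessment with `controls: []` returns residual equal to inherent, which is exactly the symptom the FAQ describes when no controls are mapped.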


Why does this matter?

Without configured scoring:

  • Assessors guess how to rate risks
  • Scores aren't comparable across teams or entities
  • Leadership can't trust the heatmap

With configured scoring:

  • Every assessment follows the same logic
  • Automated factors reduce manual effort and bias
  • Ratings are consistent and auditable

Risk Scoring is configured within your RAM. Once set, it applies to all assessments using that methodology. Review this Speed Learning video on ARA Risk Scoring to see how to configure factors, scoring logic, and rating criteria step-by-step.

Risk and Controls Self Assessment (RCSA)

RCSA in ServiceNow is a structured way for teams to evaluate risks and controls within their business context in a consistent and repeatable manner. RCSAs may be organized for any entity in the organization, but the most common use cases for self-assessments are within functions, business units, or processes, to provide a top-down view of risk exposure. They support assessment of inherent risk, review of control design and effectiveness, evaluation of residual risk and, optionally, target risk. RCSAs also inform risk appetite decisions, enabling management to decide which actions to take based on the organization's risk tolerance and capacity.


RCSAs in ServiceNow are executed using the Advanced Risk Assessment framework. Assessments can be conducted individually or in a workshop format using ServiceNow Risk Assessment Projects. This approach enables the assessment of multiple risks and process owners in a single session. Outcomes such as control gaps, issues, and remediation actions are captured in the platform and feed into risk registers, reporting, and roll-ups for ongoing risk management.

Review this Speed Learning on RCSA video to gain further insights. (The overview presentation is attached below.) 

By selecting the most suitable assessment approach, risk teams can streamline workflows, enhance consistency, and gain a comprehensive understanding of risk exposure across the business.

FAQs

A. Classic vs Advanced Risk

1. Are the heatmaps in Classic Risk dynamic?

No. In Classic Risk, heatmaps pull from the initial values on the Risk Statement — they don't update based on assessment responses. If you need heatmaps that reflect actual assessed risk scores, you need Advanced Risk.


2. Can I run both Classic and Advanced Risk in the same instance?

Yes, but with limits. Once you enable Advanced Risk, you can use both, but you cannot migrate in-flight assessments. Complete active assessments before migrating. Also note: once migrated, you cannot roll back to Classic Risk only.


3. What should I complete before migrating to Advanced Risk?

Finish all active risk assessments — there's no in-flight migration. Plan for this, especially in mature instances with many assessments running.


4. When should I use Classic Risk vs Advanced Risk?

Use Classic Risk if you're starting out or need basic risk tracking without complex scoring. Move to Advanced Risk when you need configurable assessment methodologies, automated factors, or dynamic heatmaps that reflect actual assessment results.


5. Can I upgrade from Classic to Advanced Risk later?

Yes. Advanced Risk builds on Classic Risk; it doesn't replace it. You can enable Advanced Risk when your program matures and needs more structure. Review your entitlements with your Account Team before deciding to move to Advanced Risk.

B. Advanced Risk

6. What is a Risk Assessment Methodology (RAM)?

A RAM is a reusable template that defines how risks are assessed. It captures your assessment types (inherent, control, residual, target), scoring logic, factors, and reporting preferences. One RAM can apply to many assessments.

7. Can I have different methodologies for different risk types?

Yes. You can create multiple RAMs. Operational risk can use one methodology while IT risk or project risk uses another.


C. Risk Scoring

8. How are inherent and residual scores calculated?

In Classic Risk, it's simply Impact × Likelihood using values from the Risk Statement. In Advanced Risk, you define the calculation in your RAM using factors. Factors can be manual (assessor input) or automated (pulling data from other ServiceNow records).


9. Can I customize the scoring logic?

Yes — in Advanced Risk. You create factors, group them, and define calculation rules (weighted average, maximum, sum, etc.). You can even use scripted automated factors to pull data from incidents, indicators, or other records.


10. Why is my residual score the same as my inherent score?

If no controls are mapped to the risk, or if residual values aren't set, the platform defaults residual = inherent. In Advanced Risk, residual scores come from the control assessment — if you skip that step or have no mitigating controls, the scores stay the same.


11. What's the difference between qualitative and quantitative scoring?

Qualitative uses labels (High, Medium, Low) based on assessor judgment. Quantitative uses numeric values like ALE (Annual Loss Expectancy). You can configure your RAM to support either or both.

D. Risk and Controls Self Assessment

12. How do I run an RCSA in ServiceNow?

RCSAs use the Advanced Risk Assessment framework. Create a RAM configured for self-assessment, assign it to your entity class (business units, processes, functions), and either run individual assessments or use Risk Assessment Projects for workshop-style sessions.


13. Can I assess multiple risks and controls in one session?

Yes. Use Risk Assessment Projects. This lets assessors evaluate multiple risks and process owners in a single workshop. Grid Mode is also available for bulk assessment with a spreadsheet-style interface.


14. Can I bulk approve RCSA assessments?

Yes. As an approver, you can bulk approve assessments from the task page. Enable dynamic and bulk approvals using the Approval Configurator.


15. What happens when an RCSA identifies a control gap?

The platform captures it as an Issue. You assign remediation tasks, track progress, and the issue links back to the risk and control for reporting. This feeds into your risk register and roll-ups.

