Mary Hain
Administrator

To learn more about implementing IRM Risk Management, including the different types of assessments, visit our IRM Risk Management Speed Learning Series on YouTube. 

 

ServiceNow provides two approaches to risk assessments that support organizations at different maturity levels.

 

Classic Risk Management

This is ServiceNow’s foundational assessment engine that enables teams to identify, assess, mitigate, and continuously monitor enterprise, operational, and IT risks. It supports basic assessments and a range of response strategies while keeping risk data current and actionable.

 

Review the Speed Learning content on Classic Risk Assessments, Setup, and Navigation.

Advanced Risk Management
This builds on Classic Risk Management by embedding structured, repeatable assessments based on a Risk Assessment Methodology (RAM).

 

The RAM provides a configurable blueprint for how risks are assessed. The framework is domain-agnostic, and its configurable nature makes it an ideal tool for Enterprise, Operational, or IT risk domains, individually or collectively.

 

At a high level, a RAM record captures four critical configurations:

  • Assessment context
  • Assessment types
  • Assessment preferences
  • Roll-up and reporting preferences

These configurations form the backbone of how risks—or even risk-related objects—are assessed, scored, and reported. Review the essentials of RAM here.

 

Whether assessing organizational entities, processes, applications, projects, or standalone risks, Advanced Risk Management is the configurable engine that supports scaling risk management up or down across the enterprise.

 

To learn more, review the following Speed Learning video resources for Advanced Risk:

Both Classic and Advanced Risk Management integrate into your broader Integrated Risk Management (IRM) ecosystem. They leverage risk and control libraries, entity management, etc., to ensure assessments are aligned with organizational assets and frameworks.

 

Risk and Controls Self Assessment (RCSA) 

RCSA in ServiceNow is a structured way for teams to evaluate risks and controls within their business context in a consistent and repeatable manner. RCSAs may be organized for any entity in the organization, but the most common use cases of self-assessments are within functions, business units, or processes to provide a top-down view of risk exposure. They support assessments of inherent risk, review of control design and effectiveness, and evaluation of residual risk and, optionally, target risk. RCSAs also influence risk appetite, enabling management to make informed decisions about actions to take based on the organization's risk tolerance and capacity.


RCSAs in ServiceNow are executed using the Advanced Risk Assessment framework. Assessments can be conducted individually or in a workshop format using ServiceNow Risk Assessment Projects. This approach enables the assessment of multiple risks and process owners in a single session. Outcomes such as control gaps, issues, and remediation actions are captured in the platform and feed into risk registers, reporting, and roll-ups for ongoing risk management.

Review this Speed Learning video on RCSA to gain further insights. (The overview presentation is attached below.)

 

By selecting the most suitable assessment approach, risk teams can streamline workflows, enhance consistency, and gain a comprehensive understanding of risk exposure across the business.

Version history
Last update:
3 weeks ago