RAM (Risk Assessment Methodology) A Simplified Practical Guide!

Hemanth M1 · yesterday

Hello Community,

Have you worked with Advanced Risk in ServiceNow IRM?

If yes, you may have come across a configuration/feature called Risk Assessment Methodology (RAM) and wondered what exactly is this, and why do I need it, when I already have risk assessments set up? Here is a simple, practical guide to help you understand and set it up end to end!

*** This article is intended to help you understand RAM in simple terms, not to explain every field or every configuration. I’ll include references for more in-depth capabilities and features ***

1) Why Do We Need RAM When We already have Risk Assessments ?

That’s a fair question! Let’s compare.
In Classic Risk, assessments are basic mostly Impact × Likelihood. Smart Assessments can provide more context, however, there’s no structured, factor-based scoring, no way to run different methodologies for different domains and no dynamic heatmaps driven by actual responses.

2) What is a Risk Assessment Methodology (RAM)?

A RAM is a configurable blueprint that defines how risks are assessed in your organization.
Think of it this way - if Risk is the “what,” then RAM is the “how.”
It is part of the Advanced Risk application in ServiceNow IRM. At a high level, a RAM includes:

∙ Assessment Context - what are you assessing and in what scope
∙ Assessment Types - Inherent, Control Effectiveness, Residual, Target
∙ Factors - the actual questions/data points used to score a risk (Manual, Automated)
∙ Scoring & Rating Criteria - how factor scores map to risk ratings (Low → Critical)
∙ Roll-up Preferences - how scores bubble up through entity, risk hierarchies

Published RAM can drive assessments across hundreds of risks. It keeps everything structured, repeatable and consistent.

3) When Should You Use RAM?
Not every organization needs RAM on Day 1. Here are some key factors to consider!

You need structured, repeatable risk assessments across business units or processes
You need different methodologies for different domains - ex: Operational Risk vs IT Risk vs Third-Party Risk etc..
You need automated factors and heatmaps

4) How to Set It Up - Step-by-Step guide

Will approach this in 4 steps

1. Define/use existing factors to use in the assessments set up.

2. Create RAM record with context.

3. Build Assessment Types.

4. Simulate RAM, Publish it.

Before we dive in, lets understand the prerequisites:

A)Enable Advance Risk Plugins (this will install all the dependency plugins like - Classic Risk.

B)Install Risk Workspace if not already done.

C) Enable "Migrate to Advanced Risk Assessment" (sn_risk_advanced.hide_risk_legacy_lifecycle) property to true - Keep it mind if you enable this you will not able to revert and will not able to migrate inflight Risk Assessments.

Let’s take an example to build a RAM: we want to assess operational risks across business processes. Each risk will be scored on an inherent (before controls) and residual (after controls) basis, using factors such as financial impact and likelihood.

A)Factors:

Let’s use existing factors: copy them, adjust as needed and publish (you can also create them from scratch).
i) Financial impact
ii) Likelihood
iii) Control effectiveness
Example: Financial impact as below - repeat the same steps for the other two factors. We’ll use these factors during the assessment setup.

B) Lets create a RAM record.

Navigate to Advanced Risk Assessment > Administration > Risk Assessment Methodology.

Important tabs to set up on the RAM record.

C)Lets set up Assessments which are tagged to RAM based on the assessments types opted above.

1)Inherit Assessment - set up and Publish.

Control Assessments - Set up and Publish.

Residual Assessments - Set up and Publish

Now all the assessments are published and good with RAM settings, Simulate to verify how it works before you publish.

Select a Risk for the Simulation.

A risk assessment will be created (as per the RAM settings). Complete the assessment.

Complete the assessment- this is how the results look.😍
An approval is created. Once it’s approved, the assessment moves to the Monitor state.

If you verify the assessment status after approval, it will be in the Monitor state, and the risk will move to the Respond state. Once the risk response tasks are addressed, the risk will move to the Monitor state

Once it looks good, publish the RAM.

Once a RAM is published, it becomes the primary RAM for that entity type (in this case, Business Process).

You can add multiple RAMs to a risk

E)Risk Assessment Scoping and Risk Assessment Scheduler
Now that the RAM is published, you need to run assessments using it. This happens through two mechanisms: risk assessment scopes and the risk assessment scheduler.

A risk assessment scope defines the who, what, and when for a specific assessment run.

F)Risk Assessment Scheduler

F) Risk Assessment Scheduler

Running assessments manually every quarter is manageable, but what if you have hundreds of entities and need monthly assessments? That’s where the Risk Assessment Scheduler comes in.

You can also trigger the RAM from the risk record if the entity is tagged to the risk with a published RAM, by moving it to Assess.

Happy learning!!!😍

Thank you,
Hemanth
Certified Technical Architect (CTA), ServiceNow MVP 2024, 2025, 2026

My other articles :

Webhooks in Action: Understanding Adobe Sign - ServiceNow Integration.

ServiceNow Smart Assessment Simplified: A Step-by-Step Practical Guide!

Take Control of Your flow Designer Flow Variables- Practical Example #1 Reference Type

Script Action: A Practical Example!

A Quick Guide to Adding a Wizard Section to a Catalog Item in Catalog Builder!

Set different “From” and “Reply To” emails for the Native and Flow designer Emails/Notifications.

Read .CSV formatted files in ServiceNow

Automate Assessment/Survey Testing with ATF(Including Multiple Option,Attachments &Reference fields)