Mary Hain
Administrator

ServiceNow Operational Resilience gives you a structured way to measure, test, certify, and remediate the resilience of your business services — and the Smart Assessment Engine quietly powers most of it. If you've ever been handed a request for "evidence that you've assessed and tested service criticality," this is the workflow built for that question.

 

What is Operational Resilience on ServiceNow?

 

Operational Resilience is the ability to anticipate, prevent, respond to, and adapt to disruptions—such as pandemics, cyber events, or supplier failures. The ServiceNow GRC: Operational Resilience application enables this through four integrated features:

  • IIA Assessments: Measure importance and impact tolerance across four dimensions.
  • Scenario Analysis: Test service resilience against simulated disruptions.
  • Self-Attestation: Certify compliance with resilience standards, producing regulator-ready documentation.
  • OVM: Track and remediate vulnerabilities identified across all assessments.

 

The Smart Assessment Engine (SAE) underpins these processes, providing a unified framework for assessments. SAE powers IIA, Self-Attestation, and OVM; Scenario Analysis feeds its findings into SAE-driven vulnerability records.

 

Key takeaway: IIA, Scenario Analysis, Self-Attestation, and OVM are the what; SAE is the how.

Watch the tutorial in ServiceNow Risk’s SAE Speed learning series on YouTube to explore how the Smart Assessment Engine powers the Operational Resilience process on the ServiceNow platform.

 

 

How It Works

The four capabilities operate in a continuous cycle:

  1. Assess: Owners create IIA assessments using SAE templates, add services, and assign roles. Responses generate scores for importance and four tolerance dimensions. Approvers validate or reject; rejected records return for retake.
  2. Test: Scenario Analysis owners define scope and dependencies, assign approvers, and select events. Participants add observations; the system calculates disruption duration and flags breaches against IIA tolerance.
  3. Certify: Owners run self-attestation using SAE-powered templates, referencing IIA and scenario analyses. Submission generates a signed PDF for regulators.
  4. Remediate: Gaps identified anywhere are tracked as operational vulnerabilities. Analysts assess impact, select treatment, and assign action tasks. All actions must close before approval.
  5. Reassess: Updated IIA scores refresh dashboards; resilience improves as gaps close.

The cycle relies on a CSDM-aware data model:

  • Service hierarchy: Business Services, Service Offerings, Business Processes, Application Services
  • Dependency pillars: Technology, People, Suppliers, Facilities, Data, and user-defined
  • Key tables track CSDM objects and entity hierarchies
  • Property switches dashboard views by service type
  • Scheduled jobs update hierarchy, dependencies, and recalculate red flags for dashboards

Operational Resilience enriches its own tables but never alters CMDB. CMDB remains the source of truth, with OR as an added resilience layer.

 

Why it Matters

 

Most resilience programmes begin in spreadsheets, with critical information scattered across Excel files, PDFs, Jira, ServiceNow, and inboxes. This leads to three issues:

 

  1. Assessments don’t connect. Criticality ratings aren’t visible for scenario analysis or breach detection, requiring manual checks.
  2. No audit trail. Regulators require documented decisions, not informal discussions.
  3. Gaps get lost. Resilience weaknesses found in exercises often remain unresolved.

This workflow addresses all three, offering a platform with IIA scoring based on UK PRA guidance, automated scenario analysis, signed PDF attestations, and OVM to track and resolve gaps.

SAE consolidation brings further benefits: all assessors use the same engine, scoring, collaboration, and delegation framework, simplifying training and use.

 

FAQ

 

1. Setup & Foundation

Do I need CSDM v4 or v5 to use Operational Resilience? Recommended for new deployments. Legacy cmdb_ci_service installations are still supported via the Service (CMDB) Main Node Configuration, but modern CSDM (v4 or v5) unlocks the resilience views and red flag roll-ups.

 

Does Operational Resilience require BCM? No. BCM is optional but complementary. OR measures and tests resilience; BCM plans for recovery. They're different disciplines, not interchangeable products. The recommended plugins list includes Business Continuity Planning, Business Impact Analysis, and Crisis Management as optional companions, but none are hard dependencies.

 

What's the minimum plugin set? 

Hard dependencies are com.sn_grc_oper_res, com.sn_grc_workspace, com.sn_grc, com.sn_grc_case_mgmt, com.sn_app_grc_relationship_config, com.sn_app_grc_data_registry, com.irm-shared-common-components, and com.snc.app-document-templates. For full SAE collaboration (Contributors on IIA and self-attestation), you also want Smart Assessment Collaboration (sn_smart_collab) — it's not formally listed as a hard dependency, but you'll feel its absence the moment you try to add Contributors.

 

2. IIA & Smart Assessment

What are the four tolerance dimensions, and why four? Duration, Customer Impact, Financial Impact, and Transaction Volume. Each is scored independently within a single assessment. The rationale: duration alone misses the question. A payment service might survive 48 hours of downtime, but not a $10M loss in 4 hours. Four dimensions give you a fuller picture of who's hurt, how much, and how fast.

 

Can I customize the rating scale? Yes — but customize it before creating IIA assessment templates. When a new IIA questionnaire template is created, the application clones the default rating scale to it. Changes made after template creation don't propagate backward. Rating scales live at Admin > Importance and Impact Tolerance Rating Scale, configurable via the GRC Choice table (choice_category = Assessment Rating, set = Operational Resilience).

 

What happens when an IIA gets rejected at approval? SAE reverts the assessment to Pending Response for retake. Legacy (non-SAE) assessments don't support retake — they have to be cancelled and recreated. This is a meaningful SAE advantage.

 

Can I assign multiple SAE templates to one IIA? Yes. You can pick any combination of Importance / Impact Tolerance / Combined templates on a single IIA record. Useful when different service tiers warrant different assessment depths.

 

3. Scenario Analysis

Why doesn't Scenario Analysis use SAE? Scenario Analysis has a different shape: it's event-driven, multi-participant, with response tasks per participant and a dual-approval workflow (plan approver before testing, analysis approver before close). That model doesn't fit SAE's questionnaire-and-scoring pattern. The integration point is downstream — breach findings and gaps from scenario analysis feed into SAE-powered operational vulnerability assessments.

 

How does breach detection actually calculate? Per service, the system compares total disruption duration (from scenario events) against the IIA tolerance threshold. When multiple events overlap, it calculates both "duration with overlaps" (additive — 3+3+2 = 8 days) and "duration without overlaps" (merged windows — 4+2 = 6 days). When disruption exceeds tolerance, the service is flagged breached, and a deviation % shows the overshoot magnitude.
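
The overlap arithmetic above, worked through as an added example (an illustration, not ServiceNow's code). The event windows are constructed sample data chosen to reproduce the 8-day and 6-day figures; the function names and the deviation formula (overshoot as a percentage of tolerance) are assumptions.

```javascript
// Added illustration of the two duration calculations; not ServiceNow code.
// Event windows are constructed sample data, in days, as [start, end).

// "Duration with overlaps": every event counted in full (additive).
function additiveDuration(events) {
  return events.reduce((sum, e) => sum + (e.end - e.start), 0);
}

// "Duration without overlaps": overlapping windows merged before summing.
function mergedDuration(events) {
  const sorted = [...events].sort((a, b) => a.start - b.start);
  let total = 0;
  let cur = null;
  for (const e of sorted) {
    if (cur && e.start <= cur.end) {
      cur.end = Math.max(cur.end, e.end); // extend the open window
    } else {
      if (cur) total += cur.end - cur.start; // close the previous window
      cur = { start: e.start, end: e.end };
    }
  }
  if (cur) total += cur.end - cur.start;
  return total;
}

// Compare both durations against the IIA duration tolerance for one service.
function assessBreach(events, toleranceDays) {
  // Assumption: deviation % = overshoot relative to tolerance, 0 if within it.
  const deviation = (d) =>
    d > toleranceDays ? ((d - toleranceDays) * 100) / toleranceDays : 0;
  const withOverlaps = additiveDuration(events);
  const withoutOverlaps = mergedDuration(events);
  return {
    withOverlaps,
    withoutOverlaps,
    breachedWithOverlaps: withOverlaps > toleranceDays,
    breachedWithoutOverlaps: withoutOverlaps > toleranceDays,
    deviationPctWithOverlaps: deviation(withOverlaps),
    deviationPctWithoutOverlaps: deviation(withoutOverlaps),
  };
}

const sampleEvents = [
  { name: "Event A", start: 0, end: 3 },   // 3 days
  { name: "Event B", start: 1, end: 4 },   // 3 days, overlaps A (merged: 4)
  { name: "Event C", start: 10, end: 12 }, // 2 days, separate window
];
console.log(assessBreach(sampleEvents, 5));
```

With a 7-day tolerance the same events breach on the additive figure but not on the merged one, which is why it matters which duration a report is quoting.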

 

Who configures the scenario library? Admin (sn_oper_res.admin). Four building blocks: Scenarios (the risks — Flooding, Cyber Attack, linked to pillars), Event Groups (categories like Weather, Energy Issues, configured as GRC Choices), Events (the specific occurrences linked to scenarios and event groups), and Participant Roles (HR, Legal, Finance, Technology, Security, Supplier Tier1/2/3, Data, People).

 

4. Self-Attestation & Operational Vulnerability

Can Contributors submit a self-attestation? No (22.0.x and later). Contributors can answer questions, but only the assessor can submit. Plan accordingly when assigning collaboration roles on attestation records.

 

Where can operational vulnerabilities be raised from? Six sources: the Operational Vulnerabilities related list on the IIA record, the same related list on a scenario analysis record, the same on a self-attestation record, directly from a service / service offering / business process / application record, from the Employee Center (Self-Service > Risk & Compliance — open to any employee), or manually by an Ops Res Manager in the workspace.

 

Why can't I add operational vulnerabilities to an assessment that's already in flight? You can — but only before the record reaches a terminal assessment state. Specifically: not in Assessment Received (IIA), Pending Analysis Approval (scenario), or Attestation Received (self-attestation). Create vulnerabilities earlier in the workflow if you expect to capture findings.

 

Does the workflow ship with an OVM impact assessment template? No. You configure a SAE template per vulnerability type in Assessment Workspace. Build one early — without it, the vulnerability can't move out of the Assessment state.

 

5. Data & Architecture

 

Does Operational Resilience write back to CMDB? No. All OR data lives in its own tables (sn_oper_res_profile, sn_grc_m2m_profile_profile, and the rest). CMDB is the source; OR is the lens. Communicate this clearly during implementation — it's the single biggest source of customer confusion.

 

What's the difference between the weekly and daily scheduled jobs? Weekly — Update CSDM and other dependencies: rebuilds the entity hierarchy, updates CSDM objects, refreshes class assignments and parent nodes. Daily — Calculate red flags for CSDM and dependencies: aggregates issues, risks, failed controls, operational vulnerabilities, outages, incidents, and change requests into the rollup metrics that drive dashboards and the resilience workspace. Both must run successfully before dashboard data appears. Use Execute Now to test changes without waiting for the next cycle.

 

What does the sn_oper_res.top_class_name property do? It tells the dashboard which CSDM level to visualize as the "top" — Business Service, Service Offering, Business Process, or Application Service. Use the Main Node Configurations (one per CSDM class, five OOB) to wire dependency roll-ups into whichever top class you've picked.

 

Where can I learn more?

Visit the ServiceNow product documentation to explore Operational Resilience, or join the discussion on the ServiceNow GRC Community.

 

Some useful resources

Product Documentation

Operational Resilience: docs.servicenow.com → Governance, Risk, and Compliance → Operational Resilience

Operational Resilience product page: servicenow.com/products/operational-resilience.html

Common Service Data Model: servicenow.com/platform/common-services-data-model.html

Practical Guides (Community)

Smart Assessment Simplified Guide, ServiceNow MVP

Smart Assessment Engine Blog Series — GRC Community articles

SAE Webinar Recording — GRC Community blog

 

Stay connected

ServiceNow GRC Community: community.servicenow.com/governance-risk-and-compliance

ServiceNow Store — Operational Resilience: store.servicenow.com (App ID: com.sn_grc_oper_res)

Latest GRC release notes: ServiceNow Docs → Store release notes → Operational Resilience

 
