Monday - edited yesterday
What is IRM’s CRI Profile Accelerator?
The Cyber Risk Institute (CRI), a group of 50+ financial institutions and regulators, created an industry-standard approach to cyber risk management. The framework includes: a Profile Core based on the NIST CSF 2.0 functions, 318 diagnostic statements linked to 2,500+ regulations, a tiering questionnaire for institution size, and a profile assessment with guidance and evidence recommendations.
The CRI Profile Accelerator is ServiceNow’s built-in implementation of the CRI framework for IRM. ServiceNow automates these processes via its Smart Assessment Engine (SAE). The accelerator replaces manual spreadsheets with ready-to-use content and automation.
Watch the Using Smart Assessments in IRM's CRI Profile Accelerator video tutorial in the ServiceNow Risk’s SAE Speed learning series on YouTube to explore how Smart Assessment Engine works using the accelerator. (The PDF for the YouTube presentation is attached below.)
How it Works
The CRI Profile Accelerator uses a five-step flow. Your team triggers only two of them — the ServiceNow platform handles the rest.
- Set the “Is CRI” flag on your entity to enable CRI.
- The assessment owner completes the SAE Tiering Questionnaire, which skips irrelevant sections and locks the tier after submission.
- Controls are then automatically generated based on tier.
- A compliance manager initiates the CRI Profile Assessment, generating a tier-specific questionnaire.
- Smart Assessment Engine updates compliance status, scores, and issues, synchronizing across frameworks without manual intervention.
Configure once, trigger twice—the platform handles everything else.
Why it Matters
Most CRI member institutions still use spreadsheets for compliance: manual tiering, profile assessments, and cross-framework scoring.
The CRI Accelerator automates these tasks using 318 diagnostic statements, updating scores across CRI Profile, NIST CSF 2.0, and FFIEC CAT via common control mapping and delivering true “test once, comply many” functionality. The platform’s tiering avoids over-scoping controls, automatically tracks remediation, and integrates with other SAE workflows for a consistent user experience. For teams managing overlapping frameworks, this consolidation turns compliance from a quarterly scramble into a sustainable process.
Getting Started & Licensing
- Does the CRI Profile Accelerator cost extra for IRM customers?
This depends on your current licensing package, so check with your ServiceNow account team. Available from the ServiceNow store, the accelerator ships with the CRI Profile (318 citations and control objectives), FFIEC CAT content, and pre-built SAE assessment templates per tier. NIST CSF 2.0 content is activated separately through the NIST CSF Accelerator. Once installed, it plugs into the CRI Profile as mapped citations.
- What plugins are installed when I activate the CRI Profile Accelerator?
Installing the CRI Profile Accelerator (app ID: sn_grc_cri) automatically activates several dependencies. On the Policy and Compliance side, it installs GRC: Policy and Compliance Management and the Compliance Management Workspace. On the SAE side, three plugins are installed: SAE Designer (for creating assessment templates), SAE Connected (for managing and submitting assessment instances), and SAE Migration Tools (for migrating any existing legacy assessments into the SAE format). NIST CSF 2.0 content requires a separate install of the NIST CSF Accelerator.
- Who can initiate CRI tiering and profile assessments?
Three personas can trigger assessments: entity owners (with the business user role), compliance managers (with either the corporate or IT compliance manager role), and compliance analysts. In addition, ensure you assign the necessary SAE roles: the template manager role for manager profiles and the assessment reader and actor roles for all user profiles. Refer to the product documentation for the full SAE role matrix.
Tiering & Assessment Mechanics
- How does the CRI tiering questionnaire work?
The tiering questionnaire is an SAE-powered assessment that determines your institution's CRI tier (1 through 4). When the entity owner initiates it, SAE presents prescriptive tier-level sections. As the assessor responds, SAE automation intelligently skips sections that don't apply based on previous answers. For example, if your responses indicate a Tier 1 institution, SAE will not present Tier 2 and Tier 3 questions. Once submitted, the tier value is automatically determined and locked on the entity record.
- What happens after the tier is assigned to my entity?
After the tier value is determined and assigned, SAE and Policy and Compliance workflows work together to automatically create downstream control instances from the CRI diagnostic statements — no manual intervention required. For a Tier 1 entity, this means 318 controls are generated automatically. Tier 2 generates approximately 311, Tier 3 around 282, and Tier 4 around 208 controls.
- Can I run a CRI profile assessment while tiering is still in progress?
No. SAE enforces a strict sequence to maintain data integrity. While tiering is in progress, you cannot trigger a CRI profile assessment. Conversely, if a CRI profile assessment is already open, the tiering option is locked. Complete tiering first—it determines the tier value, which drives control creation and the scope of the subsequent profile assessment.
Compliance Scoring & Frameworks
- How does "test once, comply many" work on the platform?
CRI diagnostic statements are mapped as common controls across three frameworks: CRI Profile, NIST CSF 2.0, and FFIEC CAT. When you complete a CRI Profile Assessment, the responses determine control compliance status (compliant or non-compliant). Because these controls are shared across all three frameworks, a single CRI assessment response automatically updates compliance scores for CRI, CSF 2.0, and FFIEC CAT simultaneously — without requiring separate assessments of those frameworks.
- What happens to non-compliant controls after submission?
After the CRI Profile Assessment is submitted, SAE and Policy and Compliance workflows work in tandem to update control compliance status, calculate entity-level and framework-level compliance scores, and automatically generate issues for non-compliant controls. These issues feed into your remediation tracking workflow, creating a closed-loop compliance lifecycle.
- Do compliance scores roll up across entity hierarchies?
Yes. IRM's existing hierarchical rollup capabilities are available to the CRI Accelerator. This means compliance scores can be aggregated and viewed across your entity hierarchy, giving leadership a consolidated view of the organization's CRI compliance posture.
- Can I map additional regulations beyond FFIEC CAT and NIST CSF 2.0 to the CRI Profile?
Yes. The CRI Profile Accelerator ships with FFIEC CAT and NIST CSF 2.0 mappings out of the box, but if you have content for other regulations, you can map those to the CRI Profile control objectives as well. This extends the "test once, comply many" benefit to additional regulatory frameworks relevant to your organization.
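The common-control mechanics behind "test once, comply many", the hierarchy roll-up, and the extra-framework mapping described above, as an added Python model that is not ServiceNow's code: the control, citation and entity names are constructed placeholders, and the scoring rule (percent of assessed controls that are compliant) is an assumption for illustration, not the platform's actual formula.

```python
from collections import defaultdict

# Constructed sample: common control -> {framework: citation}; ids are placeholders, not real identifiers.
CONTROL_MAP = {
    "DS-001": {"CRI Profile": "CRI-1", "NIST CSF 2.0": "CSF-1", "FFIEC CAT": "CAT-1"},
    "DS-002": {"CRI Profile": "CRI-2", "NIST CSF 2.0": "CSF-2"},
    "DS-003": {"CRI Profile": "CRI-3", "FFIEC CAT": "CAT-3"},
    "DS-004": {"CRI Profile": "CRI-4", "NIST CSF 2.0": "CSF-4", "FFIEC CAT": "CAT-4"},
}

def apply_responses(responses):
    """Assessment answers (control -> bool) become control compliance status."""
    return {cid: ("compliant" if ok else "non_compliant") for cid, ok in responses.items()}

def _counts(status, control_map):
    """Per framework: controls assessed and controls compliant. Controls with no
    response are skipped so an unfinished assessment is not scored as failing."""
    total, good = defaultdict(int), defaultdict(int)
    for cid, citations in control_map.items():
        if cid in status:
            for fw in citations:
                total[fw] += 1
                good[fw] += status[cid] == "compliant"
    return total, good

def framework_scores(status, control_map=CONTROL_MAP):
    """Percent compliant per framework; one response updates every mapped framework."""
    total, good = _counts(status, control_map)
    return {fw: round(100 * good[fw] / total[fw], 1) for fw in total}

def open_issues(status):
    """One remediation issue per non-compliant control (closed-loop tracking)."""
    return sorted(f"ISSUE-{cid}" for cid, st in status.items() if st == "non_compliant")

def map_framework(control_map, framework, citations):
    """Return a copy of the mapping extended with another regulation's citations."""
    return {cid: {**fws, **({framework: citations[cid]} if cid in citations else {})}
            for cid, fws in control_map.items()}

def rollup_scores(children, statuses, entity, control_map=CONTROL_MAP):
    """Framework scores over an entity and all descendants, pooling their controls."""
    total, good, stack = defaultdict(int), defaultdict(int), [entity]
    while stack:
        e = stack.pop()
        stack.extend(children.get(e, []))
        t, g = _counts(statuses.get(e, {}), control_map)
        for fw in t:
            total[fw] += t[fw]; good[fw] += g[fw]
    return {fw: round(100 * good[fw] / total[fw], 1) for fw in total}
```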
SAE Platform & Features
- What SAE capabilities are most relevant to the CRI workflow?
Under Design:
- Unified Template Designer hosts the pre-configured CRI tiering and profile assessment templates.
- Scoring and normalization drive compliance score calculation.
Under Assess:
- Modern Assessor UX provides auto-save, progress tracking, and inline justifications.
- Combined Assessments support multi-stakeholder collaboration.
- Granular Delegation allows scoped permissions.
Under Automate:
- Response Automation enables auto-prefill from prior assessments.
- Post Assessment Actions trigger notifications and record updates.
- Flow Action Integration connects SAE to Flow Designer for end-to-end workflow automation.
- Do I need to build the CRI assessment templates from scratch in SAE?
The CRI Profile Accelerator ships with preconfigured SAE assessment templates for each tier. These templates include CRI-prescribed questions, guidance, and evidence recommendations. Using these built-in templates is considered best practice. You install the accelerator and the templates are ready to use.
Scope, Coverage & Adoption
- How do I enable CRI on an entity?
Navigate to Policy and Compliance, then Compliance Workspace. Open the entity record and set the entity class's "Is CRI" flag to enabled. This one-time configuration at the entity class level unlocks CRI tiering and profile assessment options for all entities of that class. Once enabled, the entity owner can initiate the CRI Tiering Questionnaire from the entity's action menu.
- What prerequisites should I be familiar with before implementing CRI?
While not mandatory, familiarity with three areas will help you get the most value: (1) Policy and Compliance Management fundamentals, specifically authority documents, citations, control objectives, and entity configuration; (2) the NIST CSF 2.0 Accelerator, since CRI's profile core is built on CSF content; and (3) Smart Assessment Engine fundamentals. The CRI Accelerator product documentation is available for a deeper dive into the implementation details.
- Where can I learn more?
Visit the ServiceNow product documentation to explore the CRI Profile Accelerator, or join the discussion on the ServiceNow GRC Community.
Some useful resources
- Smart Assessment Engine YouTube playlist
- Cyber Risk Institute website
- GRC: CRI Profile Accelerator store listing
- GRC: Cyber Risk Institute (CRI) Profile Accelerator product documentation
- ServiceNow Community Blog on CRI powered by Smart Assessment Engine
- NIST CSF 2.0 Accelerator product documentation
- Smart Assessment Engine product documentation
- ServiceNow Smart Assessment Simplified: A Step-by-Step Practical Guide
- GRC: Policy and Compliance Management
- ServiceNow Community Blog on Understanding Policy & Compliance Mgmt.
- Respond to attestations from Tasks page of Compliance Workspace
- ServiceNow GRC Community
