How to Add a Custom Option to OOTB GRC Assessment Question and Calculate a Custom Compliance Score?

Pratiksha KC
Tera Guru

We have a new requirement in GRC (Governance, Risk, and Compliance) in ServiceNow. Currently, we are using the out-of-the-box assessment for attestation in a control named “GRC CR Attestation.” One of the questions in this assessment is:
“Is the control implemented?” — which has two choices: Yes and No (Yes/No type).

By default:

  • If the user selects Yes, it calculates the compliance score as 100%.

  • If the user selects No, it calculates the compliance score as 0%.

Now, the client wants to modify this question to include an additional choice, such as Partially Compliant (or a similar label). When the user selects this new option, the compliance score should be calculated as 50%.

I have searched online and on the ServiceNow Community, but haven’t found exact steps for achieving this. Could someone please provide the exact steps or configuration required to:

  1. Add a new choice (e.g., Partially Compliant) to this question.

  2. Ensure that selecting this option results in a 50% compliance score.

Thank you in advance for your help!

JadaP
Tera Expert

Hey Pratiksha, before jumping to configuration steps, a couple of things worth clarifying:

First, which assessment engine are you using? Classic OOTB assessment or the Smart Assessment Engine? The approach differs significantly between the two, and the GRC CR Attestation metric type behavior you’re describing is the classic engine. If you’ve enabled Smart Assessments (sn_compliance.enable_smart_assessments = true), the configuration path is different.

Second — and this is the more important conversation — I’d challenge the requirement itself before customizing.

Out of the box, ServiceNow IRM treats control attestation as a binary outcome: the control is either Compliant, Non-Compliant, or Not Applicable. That’s by design. The GRCAssessmentUtilsBase script include drives this logic, and modifying it to support a third state like “Partially Compliant” means customizing core script includes AND adding new choice values to the control status field — which creates upgrade risk and ongoing maintenance overhead.

But more importantly: in my experience, when a client asks for “partially compliant” on a single control, it almost always means the control objective is too broad. The control is trying to cover multiple requirements, and the person attesting knows some pieces are in place and others aren’t — so neither Yes nor No feels accurate.

The platform already solves this problem natively through its compliance scoring roll-up. Here’s how:

Break your broad control objective into clear, concise, individually attestable control objectives. Each one maps to a single verifiable requirement. Then when someone attests:

  • Controls that pass → Compliant

  • Controls that fail → Non-Compliant

  • The compliance score at the parent control objective, citation, or entity level automatically calculates the percentage based on the ratio of compliant control weights to total assessed control weights

So if you have 10 granular controls under a control objective and 5 pass, your compliance score is 50% — without any customization, without touching script includes, and fully upgrade-safe. Plus, you now have visibility into exactly which requirements are failing, rather than a vague “partially compliant” that doesn’t tell anyone where the gap is.

This is also how frameworks like NIST 800-53 are structured — granular controls that aggregate upward.

If after reviewing the control structure there’s still a legitimate need for a third attestation response, it IS possible but requires customizing the GRCAssessmentUtilsBase script include and adding custom choices to the control status field (there was a recent thread on this for “Effective/Partially Effective/Ineffective” outcomes). Just know that’s a customization path with real maintenance implications.

Happy to go deeper on either approach, just let me know what further questions you may have!
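The weighted roll-up described in the reply above, as an added stand-alone example that is not ServiceNow's code and not part of either post. It models the ratio the reply states (compliant control weight divided by total assessed control weight) over a constructed list of granular controls; the record shape (`name`, `status`, `weight`), the status strings, and the choice to leave Not Applicable controls out of the denominator are assumptions made for illustration. It also shows why the granular approach is more useful than a "Partially Compliant" choice: the same function that yields the score also lists exactly which controls are failing.

```javascript
// Added example (not ServiceNow's GRCAssessmentUtilsBase): a stand-alone
// model of the compliance score roll-up described in the reply.
// Record shape, status strings and N/A handling are assumptions.
const STATUS = {
  COMPLIANT: 'compliant',
  NON_COMPLIANT: 'non_compliant',
  NOT_APPLICABLE: 'not_applicable',
};

// Returns the roll-up score as a percentage rounded to two decimals,
// or null when no control has been assessed (avoids a 0/0 score).
// Assumption: Not Applicable controls are excluded from both numerator
// and denominator, so they neither help nor hurt the score.
function rollupComplianceScore(controls) {
  let compliantWeight = 0;
  let assessedWeight = 0;

  for (const control of controls) {
    // Missing or non-positive weights default to 1 so one bad record
    // cannot silently zero out or inflate the denominator.
    const weight =
      Number.isFinite(control.weight) && control.weight > 0 ? control.weight : 1;

    if (control.status === STATUS.NOT_APPLICABLE) continue;
    if (control.status !== STATUS.COMPLIANT && control.status !== STATUS.NON_COMPLIANT) {
      // A third, unmodelled state is exactly what the reply warns against;
      // fail loudly rather than guess how to score it.
      throw new Error(`unsupported status "${control.status}" on control "${control.name}"`);
    }

    assessedWeight += weight;
    if (control.status === STATUS.COMPLIANT) compliantWeight += weight;
  }

  if (assessedWeight === 0) return null;
  return Math.round((compliantWeight / assessedWeight) * 10000) / 100;
}

// The visibility benefit the reply mentions: which granular requirements failed.
function failingControls(controls) {
  return controls
    .filter((c) => c.status === STATUS.NON_COMPLIANT)
    .map((c) => c.name);
}

// Constructed sample: one broad objective split into 10 granular controls,
// of which 5 pass. Equal weights reproduce the reply's 50% figure.
const GRANULAR_CONTROLS = Array.from({ length: 10 }, (_, i) => ({
  name: `CTRL-${String(i + 1).padStart(2, '0')}`,
  status: i < 5 ? STATUS.COMPLIANT : STATUS.NON_COMPLIANT,
  weight: 1,
}));

// Constructed sample with unequal weights and one Not Applicable control:
// 3 compliant out of 3 + 1 assessed weight = 75%.
const WEIGHTED_CONTROLS = [
  { name: 'MFA enforced',        status: STATUS.COMPLIANT,      weight: 3 },
  { name: 'Quarterly review',    status: STATUS.NON_COMPLIANT,  weight: 1 },
  { name: 'Legacy VPN hardened', status: STATUS.NOT_APPLICABLE, weight: 2 },
];

console.log('granular score:', rollupComplianceScore(GRANULAR_CONTROLS), '%');
console.log('failing:', failingControls(GRANULAR_CONTROLS).join(', '));
console.log('weighted score:', rollupComplianceScore(WEIGHTED_CONTROLS), '%');
```

Run with `node` to see the 50% roll-up alongside the list of failing controls; the weighted sample shows how a heavier control moves the score and how an N/A control drops out of the ratio entirely.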