Implementing a 3-class, 2-tier risk taxonomy in ServiceNow - How?

RuneMJ · ‎03-27-2025

In our risk management framework we have defined, and are using a non-financial risk taxonomy which helps in categorising risk and casual factors. We have based this on the ORX Risk Reference Taxonomy which also aligns well with our risiko ontology and how we formulate risk statements.

The taxonomy is made up of three classes; event, cause and impact, and provides 2-tier structure for various categories in each class. However, how do we implement this in a feasible way in the Risk Management or Advanced Risk application?

I have understood that by deselecting "Inherit from risk statement" one can use the Risk Framework and Risk Statement structure to emulate at least our event class(?), but not without caveats.

Thoughts and tips, anyone?

Connor Levien · ‎04-01-2025

Hey there,

Hard to provide specifics without an example but one way this has been tacked is by doing the following.

What you call events should be loaded into the Risk statement table to then be used to create risk instances from for assessments.

Causes should be stored in the sn_risk_advanced_cause table. Consequences (or impacts) should be stored in sn_risk_advanced_consequence

You will have to do some additional configuration as part of this but you would create a many-2-many relationship between sn_risk_advanced_cause and the Risk statement and risk table, and the same for the sn_risk_advanced_consequence and the Risk statement and risk table. Ideally you would also set up a flow to copy the causes and consequences you link to a Risk statement to a risk as well to help with maintances