Risk rating in Service Now

Pragati Sharma · ‎08-29-2022

Can someone clarify below 2 points in risk rating:

1. The risk criteria in Service now has 3 elements - likelihood, impact and score. I understand the impact of score, when we enter SLE and ARO for risk it picks up calculated score basis risk criteria.

Likewise what is the use of likelihood and impact? where do these 2 factors affect my risk rating?

2. There is option to include default score while defining risk statement and also while doing scoring for risk. Why are we defining Inherent SLE & ARO and Residual SLE & ARO at both risk statement and risk level?

Community Alums · ‎08-29-2022

Hi @Pragati Sharma ,

likelihood Is more of like a probability of the Risk occurrence and due to this risk what would be the underlying Impact .

The inherent and residual scores for a risk are calculated using the risk criteria, likelihood, and impact

For example, driving at a high speed on a highway is inherently more of a risk than driving at a moderate speed. The score of this inherent risk is derived by multiplying the impact of the risk and the likelihood of the risk.

Controls can mitigate the impact or likelihood of a risk. For example, highways have speed limit monitors. If a risk materializes, the controls mitigate the impact. Controls can be preventive, detective, or corrective.

Example :- Qualitative Inherent Score = Inherent Likelihood x Inherent impact

While Creating the Risk Statements, you can Define the Default Scores:

Mark my answer correct & Helpful, if Applicable.

Thanks,

Sandeep

Community Alums · ‎08-30-2022

Hi @Pragati Sharma ,

Any update to this ?Any follow-up required? if not

Kindly mark the answer as Correct & Helpful both such that others can get help.

Thanks,
Sandeep

Rakesh Chigari · ‎08-31-2022

Hi @Pragati Sharma

I hope you are clear with 1st point with detailed explanation by Sandeep, i would like to touch base on 2nd point .

You can create orphan risk or create risk from risk statement or even risk from risk framework.

Creating risk from risk statement help you to group similar risk together and follow standard content something like a template.

You can define the default risk score, risk assessment type in the risk statement so that when you create risk using risk statements these value will be auto copied into risk.

Default scores can always be over ridden via risk assessment submitted by risk assessment respondent

If your requirement is to use default score from risk statement should be used in risk than you can leave risk assessment blank in risk statement. create risk from risk statement. there will be no assessment in risk lifecycle. from draft state, if you click on "Assess" tab, risk will move to respond state.

There are multiple use case based on requirements. risk assessment can be done with default score at risk statement level or individual assessment at risk level