What does the term 'overridden' mean in ServicNow GRC

Nick T
Tera Contributor

I have developed a number of RAMs using Qualitative scoring and making use of Qualitative Transformation Criteria and each time I do so I try to figure out what OVERRIDDEN means in the context of Qualitative criteria. I have had it explained to me by out SME but still do not understand what it does and why it is a mandatory field. Does it mean that a risk manager can override the risk score given by the assessor or does it mean that the system overrides the user score and inserts a different one? Nick 

3 REPLIES 3

Connor Levien
ServiceNow Employee
ServiceNow Employee

Hey @Nick T,

 

OOTB the Override score gives a user the ability to override the system-generated score. For example, as part of an Advanced risk assessment you might build your own calculation to calculate the final Qualitative score based on a number of factors. If you user, either a risk manager or an assessor, doesn't agree with the calculated answer they can choose to override and pick another risk rate. OOTB the overridden field isn't mandatory.

 

Community Alums
Not applicable

Hi @Nick T ,

"Overridden score" is the Score that is used when the assessor overrides the risk rating.

Now what is about is if in my RAM i had said that the assessor could override the score, the when the assessor overrides it, they might select very Low and they're not going to enter a 1,2,3,4,5,6, Score (As this is Qualitative). They are just going to override it by selecting a rating , if they do that , what do i want teh score to be, so that's score is store in this "Overridden score"

Sandeep, many thanks for your response and that is my understanding of the term.

However... My RAM has been configured without allowing a score to be overwritten, so it should not be necessary for a score to be entered into the 'overridden score' field when creating the transformation criteria. A score must be entered as it's a mandatory field, in this case I entered 11 when the lowest score for the rating was 10. My feeling is that the overridden score has a connection to the way qualitative risk ratings are used and displayed in the tool.

Whilst I'm on the subject - why are there, in a number of lists, two columns named the same (Computed residual risk) that display different scores - one provides the risk rating lowest level and the other presents the actual scored residual risk. The example below shows:

  • First column -Risk rating with score of 11 being the mandatory overridden score (although overriding is not permitted in the RAM)
  • Second column - Actual residual risk score derived from Impact x Likelihood calculation
  • Third column - Residual risk, presumably risk rating with 11 being the mandatory overridden score.

 

RAM - showing override disallowedRAM - showing override disallowed

 

Risk Assessments View: risk_approvalRisk Assessments View: risk_approval