Just to add a bit of detail which may not be immediately available:

Risk in ServiceNow is really based on the question 'what will this cost me if it actually happens?' in monetary terms, and 'how likely is it to occur this year?' in percentage

Termed Impact and Likelihood respectively, these are presented in qualitative terms 'High, Medium, Low' and 'Likely, Unlikely, etc' and will result in a 'Score' which is equivalent to the impact.

Organisations will often refer to some scoring mechanism they have chosen such as a 4x4 or 5x5 matrix and moving that into ServiceNow can be the crux of the Risk Management implementation. 

Assuming you choose to use qualitative, then behind the scenes the quantitative values are still being maintained. These are Single Loss Expectancy (SLE), Annual Rate of Occurence (ARO) and Annual Loss Expectancy (ALE). The calculation is simple: ALE = SLE x ARO. So a Risk score tells you how much this thing is likely to cost your organisation in any given year.

Risk Criteria takes care of a lot of the magic here. You define your scoring matrix, but what does High mean? To one company it might be 10k or 100k, 1m or 100m - depending on their business and risk appetite.  Lets say for Impact: Low is 100k, Medium is 1m and High is 10m 

For Likelihood: Unlikely is 25% (once every 4 years), Neutral is 50% (once every two years) and Likely is 100% (Once a year). Percentage is stored as a decimal (0.25, 0.5, 1)

The lookup is relatively simple. When you enter High, the system grabs the max threshold for impact (10,000,000). When you say Likely it grabs the max percentage (1)

Your score will be determined by 10,000,000 * 1 = 10,000,000 , this ALE result will then lookup for the max threshold which matches, or the next one in the list, or the last one (e.g. if you had 1,000,000 * 0.25 = 250,000... 250k is still greater than 100k, so the score would be Medium). 

Be careful as these are stored as currency and that does bring some challenges - but if you look at the risk in the list view and show all the scoring fields you will see they are always all populated regardless of if you score qualitative or quantitative. 

The way this is implemented, in order to deliver the simplicity, is actually complex. The fact the scores change dynamically in the form as you change your selections - is all based on client script > ui script > Ajax > server API - and I would not recommend changing how this works. Additionally, the scoring factor based on compliance and based on indicator creates a calculated score - to mark the risk somewhere between Inherent and Residual. 

Instead you can often find a way to work with the Risk Criteria settings. For instance, if you have a simple 5x5 matrix, linear scale, that 1x1 = 1 and 5x5 = 25, then you need to set up each Impact as 01,02,03,04,05 and the currency is 1,2,3,4,5 (whatever is system currency). Then set your likelihood the same, 01,02,03,04,05 = 1,2,3,4,5 (as these are percentage they will show 100% - 500% - but ignore that).

You then need to set the Scores as every possible value: 1,2,3,4,5,6,8,9,10,12,15,16,20,25 (as currency) and with leading zeroes in the values - and you will see that the scores "just work". 

Not the leading zeros in the label is for reporting, and to ensure that ordering by string is sensible especially in reporting. 

Be aware some of the Risk dashboard reports might look strange reporting very small values - but if you read it correctly it will make sense, based on the data!

Additionally, when you change any Risk Criteria - this will automatically sync the risk qualitative values and maintain them - should, for instance, your business divest or acquire some component - which means High is no longer 100m but 200m - it will scale with you.