Why does Inherent impact reference the risk criteria?

Sanel
Tera Expert

I have found out that the inherent likelihood and inherent impact are referencing the risk criteria table. I want to know why it is this way.

I want to know the entire functionality behind this, and if possible the entire risk management.

Is there any document related to this? If possible, can anyone share it here?

Thank you for any kind of help :)

ACCEPTED SOLUTION

Phil Swann
Tera Guru

Just to add a bit of detail which may not be immediately available:


Risk in ServiceNow is really based on the questions 'what will this cost me if it actually happens?' in monetary terms, and 'how likely is it to occur this year?' as a percentage.

Termed Impact and Likelihood respectively, these are presented in qualitative terms ('High, Medium, Low' and 'Likely, Unlikely, etc.') and result in a 'Score' which is equivalent to the impact.

Organisations will often refer to some scoring mechanism they have chosen, such as a 4x4 or 5x5 matrix, and moving that into ServiceNow can be the crux of the Risk Management implementation.

Assuming you choose to use qualitative, then behind the scenes the quantitative values are still being maintained. These are Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO) and Annual Loss Expectancy (ALE). The calculation is simple: ALE = SLE x ARO. So a Risk score tells you how much this thing is likely to cost your organisation in any given year.


Risk Criteria takes care of a lot of the magic here. You define your scoring matrix, but what does High mean? To one company it might be 10k or 100k, 1m or 100m - depending on their business and risk appetite. Let's say for Impact: Low is 100k, Medium is 1m and High is 10m.

For Likelihood: Unlikely is 25% (once every 4 years), Neutral is 50% (once every two years) and Likely is 100% (once a year). Percentage is stored as a decimal (0.25, 0.5, 1).

The lookup is relatively simple. When you enter High, the system grabs the max threshold for impact (10,000,000). When you say Likely it grabs the max percentage (1).

Your score will be determined by 10,000,000 * 1 = 10,000,000; this ALE result will then look up the max threshold which matches, or the next one in the list, or the last one (e.g. if you had 1,000,000 * 0.25 = 250,000... 250k is still greater than 100k, so the score would be Medium).

Be careful, as these are stored as currency and that does bring some challenges - but if you look at the risk in the list view and show all the scoring fields, you will see they are always all populated regardless of whether you score qualitatively or quantitatively.


The way this is implemented, in order to deliver the simplicity, is actually complex. The fact that the scores change dynamically in the form as you change your selections is all based on client script > UI script > Ajax > server API, and I would not recommend changing how this works. Additionally, the scoring factor based on compliance and based on indicator creates a calculated score, to mark the risk somewhere between Inherent and Residual.


Instead you can often find a way to work with the Risk Criteria settings. For instance, if you have a simple 5x5 matrix with a linear scale, so that 1x1 = 1 and 5x5 = 25, then you need to set up each Impact as 01, 02, 03, 04, 05 with the currency as 1, 2, 3, 4, 5 (whatever the system currency is). Then set your likelihood the same, 01, 02, 03, 04, 05 = 1, 2, 3, 4, 5 (as these are percentages they will show as 100% - 500%, but ignore that).

You then need to set the Scores as every possible value: 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20, 25 (as currency) and with leading zeroes in the values - and you will see that the scores "just work".

Note the leading zeros in the label are for reporting, and to ensure that ordering by string is sensible, especially in reporting.

Be aware some of the Risk dashboard reports might look strange, reporting very small values - but if you read them correctly they will make sense, based on the data!


Additionally, when you change any Risk Criteria, this will automatically sync the risk qualitative values and maintain them - should, for instance, your business divest or acquire some component, which means High is no longer 100m but 200m, it will scale with you.

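The lookup Phil describes, as an added example in plain JavaScript that is not ServiceNow's own code: the criteria rows are constructed sample data using the figures from the answer, the 5x5 set-up is built from the values given above, and `thresholdFor`, `labelFor`, `scoreRisk` and `build5x5Criteria` are assumed names, not ServiceNow APIs.

```javascript
// Added example (not ServiceNow code): a plain-JavaScript model of the Risk
// Criteria lookup described above. All rows are constructed sample data.

// Each criteria row pairs a qualitative label with the max value it covers.
// Impact max = SLE (currency), likelihood max = ARO (decimal), score max = ALE.
const MONETARY_CRITERIA = {
  impact: [{ label: "Low", max: 100000 }, { label: "Medium", max: 1000000 }, { label: "High", max: 10000000 }],
  likelihood: [{ label: "Unlikely", max: 0.25 }, { label: "Neutral", max: 0.5 }, { label: "Likely", max: 1 }],
  score: [{ label: "Low", max: 100000 }, { label: "Medium", max: 1000000 }, { label: "High", max: 10000000 }],
};

// The 5x5 linear-matrix trick: labels 01..05 carry the currency values 1..5,
// and every distinct product gets its own score row. Zero-padded labels keep
// string ordering sensible in reports.
function build5x5Criteria() {
  const pad = (n) => String(n).padStart(2, "0");
  const scale = [1, 2, 3, 4, 5].map((n) => ({ label: pad(n), max: n }));
  const products = [...new Set(scale.flatMap((i) => scale.map((l) => i.max * l.max)))];
  return {
    impact: scale,
    likelihood: scale, // stored as percentages, so these display as 100%..500%
    score: products.sort((a, b) => a - b).map((p) => ({ label: pad(p), max: p })),
  };
}

// Picking a qualitative value grabs that row's max threshold.
function thresholdFor(rows, label) {
  const row = rows.find((r) => r.label === label);
  if (!row) throw new Error(`Unknown criteria label: ${label}`);
  return row.max;
}

// Match the value to the first score row whose threshold covers it, or fall
// back to the last row when it exceeds every threshold.
function labelFor(rows, value) {
  const sorted = [...rows].sort((a, b) => a.max - b.max);
  const hit = sorted.find((r) => value <= r.max);
  return (hit || sorted[sorted.length - 1]).label;
}

// Qualitative inputs -> SLE, ARO, ALE = SLE x ARO -> qualitative score.
function scoreRisk(criteria, impactLabel, likelihoodLabel) {
  const sle = thresholdFor(criteria.impact, impactLabel);
  const aro = thresholdFor(criteria.likelihood, likelihoodLabel);
  const ale = sle * aro;
  return { sle, aro, ale, score: labelFor(criteria.score, ale) };
}
```

Running `scoreRisk(MONETARY_CRITERIA, "Medium", "Unlikely")` reproduces the 250,000 / Medium case from the answer, and `build5x5Criteria()` yields exactly the 14 score rows listed above.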


Ct111
Giga Sage

Hello,

The documentation below will be useful to you for understanding Risk Mgmt:

https://docs.servicenow.com/bundle/orlando-governance-risk-compliance/page/product/grc-risk/concept/...


Mark my ANSWER as CORRECT and HELPFUL if it helps

Hello,

You can also watch a short video just to get an idea:

https://www.youtube.com/watch?v=NTO5np9oyAc


Can you mark my ANSWER as CORRECT and HELPFUL if it helped your case?

Eric Le Martre4
Kilo Guru

The Risk Criteria table contains all the Risk scoring qualitative values and their relationships with the Financial score (Impact, Likelihood, Score). You can change them, add new ones, etc.

It is accessible from the Risk / Administration menu.

Best Regards

Eric

UTKARSH JAIN
ServiceNow Employee

Hi Sanel,

Since the impact and likelihood scales can change from customer to customer, the product makes it configurable for customers to change the values in the risk criteria table. This way, depending on the use case a customer has, they can change the values easily.

For learning about Risk Management and GRC in general, I would highly suggest using the Now Learning platform:

https://nowlearning.service-now.com/

Regards,

Utkarsh