What is the difference between classic risk and advanced risk in GRC?

Priyanka_77 · ‎11-04-2025

Please do not give me generic answer.
I really want to understand it in a simpler way1

Anand Kumar P · ‎11-04-2025

Classic Risk

You assess risks using fixed factors like Impact and Likelihood.
Example: You identify a risk that “Server might crash.” You rate it as High Impact and Medium Likelihood, and the system calculates the Inherent and Residual scores.
It follows a top-down approach — management identifies high-level risks (like “Data Breach”) and then breaks them into smaller, specific risks (like “Unauthorized access to customer data”).
It’s simple and quick, but not very flexible — you can’t easily change the way assessments are done.

Advanced Risk Management

Advanced Risk is like the “customizable version” with more power and flexibility.

You can create your own Risk Assessment Methodologies (RAMs) — choose what factors to include (e.g., “Financial Impact,” “Reputation Impact,” “Detectability,” etc.) and how scoring should work.
Example: You might design one methodology for IT Risks and another for Project Risks, each with different scoring criteria.
Supports a bottom-up approach — employees or systems can report risks directly using Risk Events.
Example: If an Incident or Change in ServiceNow could cause a risk, it can automatically generate a Risk Event that goes into the risk workflow for review and approval.
When a new entity (like an Application, Project, or Department) is onboarded, you can run a Risk Identification Process to map multiple relevant risks automatically.
Offers advanced controls, automation, and reporting to fit your organization’s unique needs.

Refer below link for more info:

If my response helped, please mark it as the accepted solution ✅ and give a thumbs up👍.
Thanks,
Anand

Hemanth M1 · ‎11-04-2025

Can you go through - Simple explanation here, if you still an explanation let us know!.

Accept and hit Helpful if it helps.

Thank you,
Hemanth
Certified Technical Architect (CTA), ServiceNow MVP 2024, 2025

Anand Kumar P · ‎11-04-2025

Classic Risk

You assess risks using fixed factors like Impact and Likelihood.
Example: You identify a risk that “Server might crash.” You rate it as High Impact and Medium Likelihood, and the system calculates the Inherent and Residual scores.
It follows a top-down approach — management identifies high-level risks (like “Data Breach”) and then breaks them into smaller, specific risks (like “Unauthorized access to customer data”).
It’s simple and quick, but not very flexible — you can’t easily change the way assessments are done.

Advanced Risk Management

Advanced Risk is like the “customizable version” with more power and flexibility.

You can create your own Risk Assessment Methodologies (RAMs) — choose what factors to include (e.g., “Financial Impact,” “Reputation Impact,” “Detectability,” etc.) and how scoring should work.
Example: You might design one methodology for IT Risks and another for Project Risks, each with different scoring criteria.
Supports a bottom-up approach — employees or systems can report risks directly using Risk Events.
Example: If an Incident or Change in ServiceNow could cause a risk, it can automatically generate a Risk Event that goes into the risk workflow for review and approval.
When a new entity (like an Application, Project, or Department) is onboarded, you can run a Risk Identification Process to map multiple relevant risks automatically.
Offers advanced controls, automation, and reporting to fit your organization’s unique needs.

Refer below link for more info:

If my response helped, please mark it as the accepted solution ✅ and give a thumbs up👍.
Thanks,
Anand