Risk Assessment plugin within ServiceNow

sam352120
Kilo Guru

Dear Experts,

Please provide the activities required to implement the Risk Assessment plugin within ServiceNow and also the level of effort required from the support team, if any, in general.

Expecting a quick reply.

Thanks,

Sambit


MaxMixali
Mega Guru

ServiceNow – Risk Assessment Plugin Implementation Guide

1. Overview
The Risk Assessment plugin (com.sn_risk_assessment) extends Integrated Risk Management (IRM) capabilities, enabling risk evaluation, questionnaires, and scoring tied to business entities, controls, or policies.

2. Prerequisites
- Required Plugins: Governance, Risk, and Compliance (com.sn_grc), Risk Management (com.sn_risk)
- Required Roles: admin or risk_admin for setup; risk_manager, risk_user, and risk_assessor for daily operations
- Prepare baseline data: risk statements, frameworks, business entities, and scoring methodology

3. Implementation Activities
------------------------------------------------------------
Phase 1: Activation & Setup
- Activate the plugin via Plugin Manager or HI Request.
- Validate dependent plugins and roles.

Phase 2: Access & Roles
- Assign roles to risk managers and assessors.

Phase 3: Data Model Configuration
- Align risk frameworks, categories, and scoring logic (qualitative or quantitative).

Phase 4: Questionnaire Templates
- Create templates with assessment questions, response options, and scoring logic.

Phase 5: Assessment Configuration
- Configure triggers: manual, scheduled, or tied to control/risk updates.

Phase 6: Workflow Setup
- Customize the approval/review workflow using Flow Designer.

Phase 7: Notifications & Reporting
- Configure notifications for assignment, completion, and reminders.
- Create dashboards and reports for assessment progress and results.

Phase 8: Testing
- Validate questionnaire scoring, user permissions, and data integrity.

Phase 9: Training & Documentation
- Provide training and quick reference materials for users.

Phase 10: Go-Live
- Deploy to production, monitor usage, and ensure proper access and performance.

4. Support Team Level of Effort (General Estimate)
------------------------------------------------------------
| Role | Effort Estimate | Activities |
|---------------------------|----------------|-------------|
| Platform Administrator | 4–8 hours | Plugin activation, dependency validation, access setup |
| Risk Manager / Analyst | 16–24 hours | Template design, workflow configuration, testing |
| Support Team (Post-Go-Live)| 4–6 hours/month| Monitor assessments, update templates, fix access issues |
| PA/Reporting Specialist | 4–8 hours | Build dashboards, define KPIs |

Total initial setup effort: approx. 2–4 working days.

5. Best Practices
------------------------------------------------------------
- Use out-of-box templates before customizing.
- Prefer Flow Designer over legacy workflows.
- Integrate with Policy and Compliance and Vendor Risk for unified risk visibility.
- Implement audit tracking for changes in templates and scoring.
- Pilot with a limited group before full rollout.

6. Summary
------------------------------------------------------------
- Risk Assessment plugin setup includes activation, configuration, and workflow tuning.
- Overall effort: ~3 days initial, minimal recurring effort.
- Main ongoing tasks: maintaining templates, dashboards, and user access.
- Technical maintenance is minimal; focus on governance and continuous improvement.

Sarthak Kashyap
Tera Guru

Hi @sam352120,

Please check the link below:

https://www.servicenow.com/docs/bundle/zurich-it-service-management/page/product/change-management/t...

Please mark my answer correct and helpful if this works for you.

Thanks and Regards,

Sarthak

MaxMixali
Mega Guru

ServiceNow – Implementation of the Risk Assessment Plugin

1. Overview
--------------------------------------------------
The Risk Assessment plugin enables structured evaluation of organizational, IT, and operational risks using questionnaires, scoring models, and workflows. It integrates with the Integrated Risk Management (IRM) suite, helping organizations assess control effectiveness and risk exposure.

--------------------------------------------------
2. Activities Required for Implementation
--------------------------------------------------

A. Preparation Phase
--------------------
1. **Confirm Licensing**
- Verify that the organization has the appropriate IRM / GRC license tier that includes Risk Assessment.
- Coordinate with ServiceNow account representative to confirm entitlement.

2. **Define Objectives**
- Clarify whether the assessments will target Enterprise Risk, IT Risk, Vendor Risk, or Audit Risk.
- Identify stakeholders (Risk Managers, Compliance Officers, Control Owners).

3. **Instance Review**
- Check if IRM foundation data (Risk Framework, Risk Statements, Risk Scoring Profiles) is already present.
- Review if the required tables (sn_risk_asmt, sn_risk_asmt_template, sn_risk_condition, etc.) exist.

B. Plugin Activation Phase
--------------------------
1. Navigate to **System Definition → Plugins**.
2. Search for **“Risk Assessment” (ID: com.snc.risk_asmt)**.
3. Click **Activate / Upgrade**.
- Optionally activate dependent plugins (e.g., Risk Management, Risk Scoring, Risk Framework).

4. Verify Activation
- Confirm that the following modules appear under **Risk Management → Assessments**:
• Risk Assessments
• Assessment Templates
• Assessment Questions
• Assessment Results
• Risk Scoring Profiles

C. Configuration Phase
----------------------
1. **Create Assessment Templates**
- Define templates linked to specific risk types or entities.
- Configure question categories, response types, weights, and scoring logic.

2. **Build Questionnaires**
- Use single-choice, multiple-choice, or scaled questions.
- Align questions with key control objectives or risk indicators.

3. **Define Risk Scoring Models**
- Create risk scoring profiles to normalize results (e.g., High, Medium, Low).
- Map question weights and thresholds to business impact and likelihood.

4. **Set Triggers / Workflows**
- Configure flows to automatically launch risk assessments based on triggers (e.g., new risk, policy change, vendor onboarding).
- Use Flow Designer or GRC workflows.

5. **Assign Assessments**
- Assign assessments to stakeholders for completion and review.
- Configure notifications for due dates and results submission.

6. **Testing & Validation**
- Test sample assessments for scoring accuracy.
- Validate workflows, email notifications, and role-based access.

7. **Reporting & Dashboards**
- Configure Performance Analytics indicators for assessment status, overdue items, and average risk scores.
- Use OOB dashboards under “Risk Overview.”

--------------------------------------------------
3. Roles and Access Setup
--------------------------------------------------
- sn_risk_manager – manage risk assessments and templates.
- sn_risk_reader – read-only access to results.
- sn_risk_editor – modify risk data.
- sn_assessment_admin – manage assessment templates and configuration.
- sn_assessment_user – perform assigned assessments.

--------------------------------------------------
4. Post-Implementation Activities
--------------------------------------------------
- Train users on completing assessments and reviewing results.
- Define a governance process for question library updates.
- Establish recurring schedules for reassessment cycles.
- Integrate assessment results with Risk Register or Policy Exception workflows.

--------------------------------------------------
5. Level of Effort (LOE) from Support Team
--------------------------------------------------
| Phase | Activities | Estimated Effort |
|--------|-------------|-----------------|
| Preparation | License validation, stakeholder alignment | 4–6 hours |
| Activation | Plugin activation, dependency validation | 2–3 hours |
| Configuration | Templates, questions, scoring setup | 16–24 hours |
| Workflow Integration | Triggers, Flow Designer automation | 8–12 hours |
| Testing & UAT | Validation with sample users | 8 hours |
| Reporting & Dashboard Setup | PA widgets and dashboard alignment | 6–8 hours |
| Training & Documentation | User guide and training session | 4–6 hours |

**Total Estimated LOE:** ~48–60 hours (5–7 business days).

--------------------------------------------------
6. Support Team Responsibilities (Post Go-Live)
--------------------------------------------------
- Maintain assessment templates and question library.
- Manage role access and permissions.
- Monitor failed assessment flows or overdue tasks.
- Periodically archive completed assessments to optimize performance.
- Apply updates after each major ServiceNow release to ensure IRM alignment.

--------------------------------------------------
7. Summary
--------------------------------------------------
Implementing the Risk Assessment plugin involves:
- Activating the plugin and dependencies.
- Creating templates, questionnaires, and scoring models.
- Integrating workflows for automation.
- Configuring dashboards for insights.

Level of effort is moderate (~1 week). Once configured, ongoing support mainly involves governance and monitoring rather than heavy maintenance.

Thanks for your quick reply. So are the efforts mentioned above for the ServiceNow support team only, not the ServiceNow vendor? Also, is it a paid or a free plugin for ServiceNow?