Factors in Advanced Risk Assessment

  • Release version: Zurich
  • Updated July 31, 2025
  • 6 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Factors in Advanced Risk Assessment

    Factors in Advanced Risk Assessment are questions used to analyze risks within a risk assessment instance in ServiceNow. To utilize Advanced Risk Assessment, you must define these factors and configure a Risk Assessment Methodology (RAM), which forms the basis for evaluating risks. Factors can be reused across multiple assessment types within the same RAM, but not across different RAMs. Risk assessors respond to these factors during assessments, enabling structured and consistent risk evaluation.

    Show full answer Show less

    Types of Factors

    • Manual Factors: Require human input with subjective responses such as text, choices, numbers, currency, or percentages. These are useful for qualitative assessments like reputational impact or expected speed of onset.
    • Group Factors: Logical collections of manual factors whose scores aggregate the responses of their constituent factors. For example, combining financial and non-financial risk factors into an overall impact score.
    • Automated Factors: Automatically fetch current data from internal or external sources without manual input, reducing subjectivity. Examples include data such as number of employees, business revenue, or political conditions.
    • Scripted Automated Factors: Use scripts to retrieve data from ServiceNow records or external sources and automatically calculate responses. These are ideal for automating complex assessments like control effectiveness based on compliance data.

    Factor Contributions

    Responses to factors contribute to risk assessments in three ways:

    • Qualitative: Subjective ratings such as high, medium, or low, or numeric scores converted into qualitative ratings.
    • Quantitative: Numeric values such as monetary losses, contributing to metrics like Annual Loss Expectancy (ALE).
    • Both (Semi-Quantitative): Combine qualitative ratings with quantitative dollar values for a nuanced view.

    Practical Application for ServiceNow Customers

    By defining and publishing factors within a RAM, users with the snrisk.user role can select relevant assessment types and create risk assessment instances tailored to their organizational needs. Manual factors enable capturing expert judgment, while automated and scripted factors enhance accuracy and efficiency by leveraging real-time data and scripted logic.

    For example, scripted automated factors can streamline the assessment of control effectiveness by automatically calculating failure rates of controls and translating these into effectiveness ratings, eliminating the need for manual calculations and improving assessment consistency.

    Factors are questions that you can use to analyze risks. Factors appear on a risk assessment instance.

    Factors are questions that appear during the risk assessment. To use Advanced Risk Assessment, you must first define these factors and configure a risk assessment methodology (RAM). For more information on RAMs, see Configure a risk assessment methodology. Each factor or question has a response. There are different types of factors:
    • Manual factor: A factor that requires human input. The response is a manual response. An example is your name.
    • Automated factor: A factor whose response is automatically calculated. An example is the temperature in your city today. The information is fetched from external sources.
    • Scripted automated factors: A factor that is used to write scripts.
    • Group factor: A set of factors that are grouped logically.

    These factor types are explained more in the following sections. After you define the factors and publish them, you can configure a RAM and associate the factors to the assessment types within the RAM. The RAM forms the basis of the risk assessment. Publish each of the selected assessment types, and then publish the RAM. Users with the sn_risk.user role can select the assessment types for which the assessment must be performed.

    Your risk assessment instance is then created. Its properties depend on the assessment types and options that you selected for your RAM. The risk assessment instance is where the risk assessor evaluates the risks. As a question, a factor can be used in multiple assessment types. For example, a question such as "What is the probability of a building getting flooded?" can be a part of either an inherent assessment or a residual assessment after the control effectiveness assessment.

    Note:
    A factor can be used in multiple assessment types, but it can be used in only one RAM. A factor that is created and used in one RAM cannot be reused in other RAMs.

    Types of factor contributions

    An assessor provides responses to factors. Risk assessors can contribute to factors in the following ways:
    • Qualitative: Losses are in the form of subjective terms such as high, medium, and low. The losses can also be in the form of a numerical score that is converted into a rating.
    • Quantitative: Losses are in a numerical form. They can be incurred from a risk in monetary terms. They contribute to the inherent Annual Loss Expectancy (ALE).
    • Both: Losses have both a qualitative risk rating and a quantitative dollar value. These ratings are also called semi-quantitative.
    For more information on understanding qualitative, quantitative, and semi-quantitative ratings, see Types of risk rating methodologies

    Manual factors

    In a risk assessment, questions that need human responses from the respondents are called manual factors. In manual factors, the response is subjective and difficult to classify. Some questions require human intelligence and assessment. Therefore, a manual factor is a subjective assessment of a person's view. Examples of manual factors are reputational impact, expected speed of onset, and so on. In manual factors, users can provide the following types of responses:
    • Text: A descriptive answer. For example, feedback. This choice does not contribute toward the risk score calculation​.
    • Choice: User-defined choices to the questions in the assessment. For example, users can select risk ratings from low, medium, or high.
    • Number: A numeric value. For example, the number of open issues.
    • Currency: An amount in the local currency of the user. For example, the financial impact of a certain risk.
    • Percentage: A percentage value for the questions in the assessment. For example, the percentage of employees satisfied with the organization strategies.

    Group factors

    When factors are grouped logically, they are called group factors. A group factor's score depends on the responses of the corresponding manual factors​. For example, organizations are affected from financial risks and non-financial risks. You can create some factors for financial risks, and other factors for non-financial risks. You can combine these two sets of factors into a single group factor called Overall Impact. Like manual factors, group factors can contribute either to a numerical risk score that is converted to a qualitative contribution, or to the ALE values as a quantitative contribution.

    Automated factors

    Automated factors automatically fetch the latest data, during an assessment, from any of the data sources such as tables or database views. Automated factors help to automate the risk assessment process. They do not rely on manual inputs, and thus reduce subjectivity. For example, a risk assessor wants to perform an assessment for different locations. One of the automated factors is the political condition of a country, and this information is publicly available on a website. Because this data does not reside within ServiceNow, the assessor can use automated factors to fetch the data. Some other examples of automated factors are the following:
    • The number of employees on a project.
    • The revenue of a business unit.
    • The business criticality of a process.

    Scripted automated factors

    Automated scripted factors are used to write scripts. The scripts fetch the data from either ServiceNow records or from external sources. Scripted automated factors automatically provide the responses for factors during risk assessment.

    The following use cases demonstrate an example of how you can model scripted factors. For example, if you want to use the results from the compliance function to assess the mitigation effectiveness of the controls, there are two ways for assessing the controls:
    • Individual assessment of controls
    • Control environment assessment.
    In the individual assessment of controls, each control is separately assessed. To understand control assessment in the context of scripted factors, consider the example of money laundering as a risk. In this example, the control effectiveness is assessed based on the percentage of the failed controls. The values of the failed controls are then transformed into a rating to calculate the control effectiveness of that control. For example, the risk of money laundering has three mitigating controls:
    • Employee training
    • Internal audit on employees
    • Customer due diligence
    Assume that you have defined the control effectiveness criteria in the following manner:
    Control Design Effectiveness Failure Control Effectiveness
    0%-30% Effective
    30%-60% Needs improvement
    > 60% Ineffective

    Now, assume that out of the three controls, one control passed and two controls failed. The failure of two controls translates into a 66.67% failure rate. Based on the transformation and based on the previous table, the control effectiveness rating is ineffective. You can use this defined script to automate the response to the factor to assess the risk of money laundering.

    As for control environment assessment, you can assess the complete control environment instead of assessing each control individually. To understand control environment assessment, consider the following example. Assume that you want to assess the control environment based on two aspects: design effectiveness and operating effectiveness. To calculate the design effectiveness, you can fetch the related controls that are related to the risk of money laundering. You can then look at the test results to understand how many of the controls had failed. Assume that you have defined the control effectiveness criteria in the following manner:
    Control Design Effectiveness Failure Control Effectiveness
    0%-30% Effective
    30%-60% Needs improvement
    > 60% Ineffective

    Now, assume that two controls failed and one control passed. Thus, the control design effectiveness failure rate is 33.33%. Based on the previous table, this low value of 33.33% means that the control design needs improvement. This response can be automatically scripted in the automated scripted factor because it does not need any human calculation or intervention.