Workflow of a risk using Advanced Risk

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Workflow of a Risk Using Advanced Risk

    The Advanced Risk Workflow in ServiceNow introduces a refined lifecycle for managing risks, enhancing visibility and control compared to the classic risk assessment. When enabled by a risk administrator through theMigrate to Advanced Risk Assessmentsproperty, risks progress through defined states that help risk owners systematically assess, respond, monitor, and retire risks. This updated workflow simplifies risk management by allowing direct initiation of risk assessments from the risk form and provides a more granular view of risk statuses.

    Show full answer Show less

    Risk States and Actions

    With Advanced Risk enabled (starting from version 14.0), risks move through the following states, each with specific actions to facilitate risk management:

    • Draft: Initial state when a risk is created or identified. Focus is on mapping and identifying the risk. Available actions include saving, initiating assessment, monitoring without assessment, retiring the risk, navigating to assessment scope, and viewing a 360-degree relationship overview.
    • Assess: The state during active risk assessment. After assessment, the risk moves either to Respond (if a response strategy exists) or Monitor. Actions include saving, viewing or canceling the assessment, returning to draft, retiring, navigating to assessment scope, and 360-degree views.
    • Respond: When a risk response task is underway. Once the response task is closed, the risk moves automatically to Monitor. Actions include saving, reassessing, canceling the response task, retiring, navigating to assessment scope, returning to draft, and 360-degree views.
    • Monitor: Post-assessment and response completion state where Key Risk Indicators (KRIs) may be executed for ongoing risk monitoring. Actions include saving, reassessing, retiring, navigating to assessment scope, returning to draft, and 360-degree views.
    • Retire: Indicates the risk is no longer active but retained for audit and historical purposes. Actions include viewing 360-degree relationships and reactivating the risk back to Draft.

    Practical Considerations for ServiceNow Customers

    • Once the Advanced Risk Assessment property is enabled, it cannot be disabled, so careful planning is advised before migration.
    • The enhanced workflow provides a clearer and more actionable view of risk status, enabling risk owners to efficiently manage risk assessments, responses, and monitoring activities.
    • Direct initiation of risk assessments from the risk form streamlines user experience and ensures timely risk evaluation.
    • The system supports audit requirements by retaining retired risks as records.

    When you migrate to advanced risk assessment, you can view the various states of the risks take the necessary actions. This ability simplifies your view of the risk form.

    When your risk administrator enables the Migrate to Advanced Risk Assessments property located under Advanced Risk Assessment > Administration > Properties, the life cycle of the classic or legacy risks undergo a change. You can also initiate a risk assessment directly from the risk form.
    Note:
    Once you enable this property, you cannot disable it.
    Prior to version 14.0, when the Migrate to Advanced Risk Assessments property was enabled, the risks were only classified as either active or inactive. Starting with version 14.0, as a risk owner, when you enable Advanced Risk, you can view the following states of your risks.
    1. Draft
    2. Assess
    3. Respond
    4. Monitor
    5. Retired
    Figure 1. States of a risk with advanced risk assessment
    States of a risk with advanced risk assessments enabled.
    All the states and the actions available for each state are explained in the following table.
    State Description Actions available
    Draft This is the state of a risk when a risk is created by the second line of defense or identified by the first line of defense.

    The objective in this state is to map and identify the risk pertaining to your organization. If you modify the entity or the primary risk assessment methodology (RAM) for a risk, the state of the risk gets updated based on the primary RAM's latest assessment.
    • Save
    • Assess: Pushes the workflow and initiates the risk assessment.
    • Monitor: If you do not want to assess the risk but want to monitor the risk.
    • Retire: The risk is retired along with all underlying risk assessment and risk response.
    • Navigate to assessment scope: Shortcut to risk assessment scope. The primary risk assessment methodology is passed.
    • 360 degree: View the complete 360-degree relationships for the risk.
    Assess This is the state of a risk when advanced risk assessment is initiated and being performed. If there is a response strategy, then the risk moves to the Respond state otherwise it moves to the Monitor state once the assessment is completed.
    • Save
    • View assessment: Navigates to the actual risk assessment form.
    • Cancel assessment: If you want to cancel the current assessment. The respective risk assessor is notified about the canceled assessment.
    • Return to draft: Cancels the current assessments and returns the risk to the previous state.
    • Retire
    • Navigate to assessment scope
    • 360 degree
    Respond This is the state of the risk when the risk response task is in progress.

    Once the risk response task is closed, the risk is automatically moved into the Monitor state
    • Save
    • Assess: Pushes the workflow back in the workflow. The in-progress risk response task would be canceled.
    • Retire
    • Navigate to assessment scope
    • 360 degree
    • Return to draft
    Monitor This is the state of the risk when the risk has been assessed and the response task is closed.

    If KRIs are defined (through Metrics), they are executed to monitor the risk.
    • Save
    • Assess: Moves the risk back to Assess state and initiates the risk assessment.
    • Retire
    • Navigate to assessment scope
    • 360 degree
    • Return to draft
    Retire This is the state of the risk when the risk is no longer valid but the organization wants to keep a system of record for audit purposes.
    • 360 degree
    • Activate: Reactivates the risk and moves it back to Draft state.
    • Navigate to assessment scope.