Risk score rollup in Advanced Risk Assessment

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Risk score rollup in Advanced Risk Assessment

    In ServiceNow's Advanced Risk Assessment, risk scores are aggregated across risk statement hierarchies, entity hierarchies, or both, providing stakeholders with a comprehensive view of their overall risk posture. This functionality enables risk managers and entity owners to monitor inherent and residual risks, control effectiveness, and Annual Loss Expectancy (ALE) using risk assessments that are specifically in the Monitor state.

    Show full answer Show less

    Each entity can have multiple risk scores based on different assessment methodologies, with each methodology potentially using distinct formulas for calculating qualitative and quantitative rollup scores. These formulas are configurable within the risk assessment methodology settings.

    Key Features

    • Risk Statement Hierarchy Rollup: Automatically aggregates inherent risk scores, ALE, control effectiveness, and residual risk scores across risk statements for selected methodologies, aiding enterprise-wide risk monitoring.
    • Entity Hierarchy Rollup: Automatically aggregates risk scores and ALE values across organizational entities, allowing entity owners to track their entity-specific risk posture. Rollups can use sum, average, maximum, or minimum calculations.
    • Combined Hierarchy Rollup: Using the Manage Aggregated Risk report, customers can define custom reporting dimensions (e.g., risk type within a business unit) to monitor specific risk areas more precisely.
    • Migration to Advanced Risk Assessment: To adopt the new rollup calculation methods, risk administrators must enable the "Migrate to Advanced Risk Assessments" property. This change hides certain legacy reports and dashboard tabs, while new aggregated risk-related modules become available.

    Practical Impact for Customers

    • By enabling Advanced Risk Assessment rollups, customers gain centralized and granular visibility into risk across both risk statements and organizational entities, facilitating better-informed risk management decisions.
    • Migration to the advanced rollup method requires administrative action and impacts existing dashboards and reports; customers should coordinate with ServiceNow support for assistance with customizations.
    • Post-migration, legacy individual risk rollup fields on entity and risk statement forms are replaced by an Aggregated Risk related list that consolidates data such as residual and inherent ratings, control effectiveness, ALE values, contributing assessments, and rollup status.

    In Advanced Risk Assessment, risk scores are calculated across risk statement hierarchy, entity hierarchy, or a combination of both. These methods enable stakeholders to monitor their risk posture and provide visibility of the overall aggregated risk score.

    Before you understand the rollup feature, consider the following points:
    • Each entity might have multiple scores based on the different risk assessment methodologies.
    • Only the risk assessments in the Monitor state contribute to the risk score.
    • Each risk assessment methodology might have a different formula to calculate the rollup qualitative score and the rollup quantitative score. The formula is specified in the Rollup configurationssection in the risk assessment methodology form.
    • Whenever the Advanced Risk plugin is activated the risk scores get rolled up.

    Risk statement hierarchy

    Based on the assessments, the system automatically rolls up the inherent risk scores, the Annual Loss Expectancy (ALE), control effectiveness score, residual risk score, and ALE across the risk statement hierarchy for the selected methodology​. This rollup allows the risk managers to monitor their enterprise risk posture​.

    Entity hierarchy

    Like risk statement hierarchy, the system also automatically rolls up the risk scores and ALE values across the entity hierarchy for a risk assessment methodology​. This rollup allows the entity owner to monitor the entity's risk posture. The rollups are done using the following formulae:
    • Sum
    • Average
    • Maximum
    • Minimum

    Entity hierarchy and risk statement

    Using the Manage Aggregated Risk report, customers can define additional reporting dimensions on which they want to monitor the risk posture for an entity. For example, if you want to understand an internal fraud related risk for Retail Banking, you can define that reporting dimension and monitor the risk.

    Changes in reports and risk rollup method after migrating to Advanced Risk Assessment

    To utilize the new rollup score calculation, the risk administrator, with the role sn_risk.admin, must first enable the Migrate to Advanced Risk Assessments property by navigating to Advanced Risk Assessment > Administration > Properties. This property is not enabled by default.
    Note:
    It is crucial to note that when you enable the mentioned property, any customizations in the risk overview dashboard will be hidden. Contact ServiceNow for assistance. Also, the following properties in risk are not hidden when you migrate to advanced risk rollup:
    • Compare risk tolerance based on
    • Compare calculated risk score with
    When customers migrate to Advanced Risk, the following reports are hidden from the user's view:
    • Aggregated Risk Report
    • Exposure by Entity
    • Exposure by Risk Statement
    In the Risk Overview dashboard, the following tabs are hidden:
    • Entity Tolerance Status
    • Risk Tolerance Status
    • Aggregated Entity Information
    • Aggregated Risk Information
    Under the Aggregated Risk Report, the following modules are visible that show the rolled up risk scores:
    • Aggregation by Risk Statements
    • Aggregation by Entities
    • Entity by Risk Statements
    When you migrate to advanced risk assessment, individual risk score values do not roll up to give you the risk score. Instead, the values from advanced risk assessment are considered. For example, for an entity, in the Entity form, the Risk Rollup and Tolerance section is not displayed. The same applies to any risk statement. Instead, a related list called Aggregated Risk is displayed. The Aggregated Risk related list contains the following values derived from various risk assessments:
    • Risk assessment methodology
    • Residual rating
    • Inherent rating
    • Control effectiveness
    • Residual ALE
    • Inherent ALE
    • Contributing risk assessments
    • Risk rollup status