Exploring Risk Management

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read

    The Risk Management product provides a centralized process to identify, assess, respond to, and continuously monitor Enterprise and IT risks that may negatively impact business operations. The application also provides structured workflows for the management of risk assessments, risk indicators, and risk issues.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Who uses Risk Management

    The complete risk process involves all areas of your organization working together.

    • Audit committee
    • IT steering committee
    • Risk officers (conduct risk assessment and identify all that can go wrong in business)
    • All levels of management (assist the risk officers with the identification of what can go wrong in their processes)

    Key activities for Risk Management

    Once the key roles are identified, work through the following items:
    • Determine what level of risk the organization is willing to accept. Get risk data in place first, then decide what is acceptable.
    • Develop a risk management policy, expressed through risk frameworks and risk statements.
    • Develop risk assessment and response procedures.
    • Implement controls to reduce your organization's exposure to risk, and repeat this at a regular interval.
    • Measure your risk exposure and the improvements achieved.

    Risk Management and the ServiceNow AI Platform

    The Risk Management and Advanced Risk applications enable you to do the following:
    • Manage risks, risk statements, and risk frameworks: The risk library contains all risk frameworks and risk statements. Risk frameworks are used to group risk statements into manageable categories, while risk statements group the individual risks. The risk register is the central repository for all potential risks that could occur at any time, anywhere in the organization.
    • Manage risk events: Risk events are potential or actual financial and non-financial losses, near-misses, and gains that occur within an organization.
    • Risk hierarchy and scoring: Starting with New York, risk managers can create hierarchies that include different types of risk (operational risk, IT risk, or strategic risk). Once the underlying risks are assessed, the risk scores are automatically rolled up across the risk statement hierarchy, providing better tactical and strategic decision-making.
    • Manage classic risk assessments: Risk assessments are surveys that gather evidence to determine risk. The Risk Assessment Designer provides a single interface for creating and editing attestations and for changing scoring parameters. The question bank offers a library of questions for various categories, so you do not have to build each questionnaire from scratch. Risks start in a Draft state, then move to Assess, which sends a notification to the assessment respondents.
    • Manage Advanced Risk Assessments: With Advanced Risk Assessment, create an integrated risk platform. This integrated platform supports various kinds of risk assessment methodologies and enables you to integrate risk assessment as a part of your overall decision-making process.
    • Manage policy exceptions and extensions: Policy exceptions and extensions provide temporary relief for a non-compliant control. The policy exception captures the rationale, comments, and evidence that support the acceptance or rejection of a policy exception request. An extension to an approved policy exception can also be requested before the policy exception's validity period expires. The control owner, the compliance manager, and the risk manager may be involved in the policy exception and extension workflow.
    • Use entity and risk dependencies with the GRC: Workbench: The GRC: Workbench uses CMDB information to show the upstream and downstream relationships across all applications. These relationships enable consistent risk mapping and modeling across the enterprise.
    • Risk indicators, control indicators, and indicator templates: Continuous monitoring involves identifying and creating key risk and control indicators. Supporting information for those indicators can be collected through automatic data collection or manual tasks. Indicator results are then used to create issues for controls, update risk scores, and provide supporting information for audit activities and control testing.
    • Manage risk issues and remediation: Issues can be created manually to document audit observations or remediation, or to accept a problem. They are also generated automatically from indicator results, attestation results, or control test effectiveness.
    • Manage continuous monitoring for risks between Risk Management and Vulnerability Response: Continuous monitoring for risks is a feature integration between the GRC: Risk Management and Security Operations Vulnerability Response products. It uses indicators to quickly identify high-impact vulnerabilities based on business impact.
    • Analytics and reporting solutions for Risk Management: Performance Analytics Solutions contain preconfigured dashboards. These dashboards contain actionable data visualizations that help you improve your business processes and practices.