Control Assessment form
This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of Control Assessment form
The Control Assessment form in the Advanced Risk application enables ServiceNow customers to evaluate how effectively controls mitigate risks. It supports both broad assessments of the control environment and detailed evaluations of individual controls, helping organizations align risk management activities with their methodologies and improve risk mitigation.
Key Features
- Risk Assessment Methodology: Automatically sets the methodology and state based on your configured Risk Assessment Methodology (RAM), simplifying setup.
- Assessment Contribution: Defaults to qualitative contribution, focusing on qualitative factors in control assessment.
- Calculate Based On: Offers two modes:
- Control environment assessment: Assess overall control environment effectiveness without individual control details.
- Individual assessment of controls: Enables detailed evaluation of each control’s effectiveness. This requires the Policy and Compliance Management plugin.
- Control Identification Options: Choose how controls are selected within a risk assessment—none, from a control library, ad-hoc creation, or both—when assessing individual controls.
- Factor for Overall Effectiveness: Select manual, automated, or group factors to evaluate controls, applicable only for individual control assessments with qualitative or transformable factors.
- Qualitative Scoring Logic: Multiple scoring formulas to calculate control effectiveness, including sum, minimum, maximum, average, product, weighted average, or a custom script for advanced scoring (requires developer role).
- Script Customization: When using custom formulas, users with appropriate roles can define script variables and scripts to tailor scoring calculations.
- Section Labels: Allows renaming of assessment section titles and qualitative score labels within the advanced risk assessment interface to align terminology with organizational preferences. Note that these changes do not affect reports or dashboards.
Practical Benefits
- Facilitates consistent and customizable control assessments aligned with your risk methodologies.
- Supports both high-level and granular control evaluations, depending on your organizational needs and plugin availability.
- Enables tailored scoring and reporting terminology to improve clarity and user adoption within your risk management processes.
- Integrates with existing control libraries or allows creation of new controls directly within assessments.
Use the Control Assessment form in the Advanced Risk application to assess the effectiveness of controls in mitigating risks.
See the following table for a description of the field values.
| Field | Description |
|---|---|
| Risk assessment methodology | Name of the risk assessment methodology used for control assessment. This field is automatically set based on your RAM. |
| State | State of the RAM. This field is automatically set to Draft. |
| Assessment contribution | Type of factor contribution. This field is automatically set to Qualitative contribution. |
| Calculate based on | Option to assess the types of control. Choices are the following: |
| Control identification | Option to decide how to identify the controls in the risk assessment instance. The choices are the following: This field appears only when the Calculate based on field has the value Individual assessment of controls. |
| Factor for overall effectiveness | Manual, automated, or group factors to assess controls. This field appears only when the option Individual assessment of controls is selected from the Calculate based on field. Only qualitative factors or factors with the option to transform the qualitative score will be displayed in this field. |
| Qualitative scoring logic | Formula for calculating the scoring logic. Choices are the following: |
| Qualitative script variables | Format of the script and the variables used in the script. This field is available only when Script is selected from the Qualitative scoring logic field. |
| Qualitative script | User-defined script to compute the scoring logic. This field enables you to have more control over the score computation. |
| Section Labels | This section appears only when Configure section terminology is selected in the RAM form. Note: Section label renaming applies only to the advanced risk assessment interface while leaving the terminology used in reports, dashboards, heatmaps, and other areas unchanged. |
| Title | Option to rename the section title of the assessment type. For example, if you rename Control assessment as Preventive assessment, the new title is displayed in all sections that previously referred to Control assessment. |
| Score label | Option to rename the qualitative score label in the Scoring section of the assessment form. For example, if you rename Control risk as Preventive risk, the new score label is displayed in the scoring section that previously referred to Control risk. |