Risk assessments in Privacy Management
Summary of Risk assessments in Privacy Management
ServiceNow Privacy Management enables organizations to perform risk assessments on data processing activities to determine risk scores and understand their overall privacy risk posture. These assessments help privacy teams prioritize activities based on their risk levels and manage privacy risks effectively.
Key Features
- Criticality Assessments: These identify the initial risk level of a processing activity, helping prioritize or deprioritize it. Criticality factors assess whether personal data processing affects key decisions or autonomous decision-making.
- Manual Criticality Assessment: Privacy managers can manually trigger criticality assessments from a processing activity, with the system calculating the score using current form data and regulatory details. Scores can be recalculated anytime based on updated information.
- Automated Criticality Assessment: Utilizes a predefined Risk Assessment Methodology (RAM) to automatically calculate criticality scores during screening assessments. Privacy managers must publish this RAM before use, and only two RAMs are supported simultaneously. Deactivating a RAM cancels all in-progress assessments linked to it.
- Privacy Risk Assessments: Conducted when a processing activity has a high criticality score. These detailed assessments evaluate individual risks and provide an aggregated risk score visible on the processing activity’s overview.
- Risk Heatmaps: Visual tools on the processing activity homepage display inherent and residual risk scores, helping privacy teams visualize and monitor risk postures effectively.
- Risk Assessment Methodology (RAM): A systematic approach provided by default to identify, evaluate, and mitigate privacy risks consistently across processing activities.
Practical Application
ServiceNow customers can leverage these assessments to continuously evaluate and prioritize privacy risks associated with their data processing activities. By using manual or automated criticality assessments, privacy teams get an initial risk level, and when needed, perform in-depth privacy risk assessments for high-risk activities. The risk heatmaps provide clear risk visualization, aiding in proactive risk management and compliance efforts.
You can perform risk assessments on your processing activities to determine their risk scores and find out the privacy risk posture of your organization.
To understand the risk posture, the following assessments are performed.
Criticality assessments
A criticality assessment uses a risk assessment to determine the initial risk level of a processing activity. Using the resulting criticality score, the privacy team can prioritize or deprioritize the activity accordingly. One example of a criticality factor is whether the assessment answers show that personal data is being processed in a way that influences key decisions or enables impactful autonomous decision making.
- Manual criticality assessment: As a privacy manager, you initiate the criticality assessment from a processing activity. If you're already working on a processing activity and want to assess its criticality, trigger the assessment with the Assess criticality action in the user interface. The system then calculates the criticality score from the information already available in the fields of the processing activity form. On the Regulatory details tab of the processing activity you can provide the risk-related details; after you enter them, triggering the criticality assessment uses these values to calculate the risk score. You can trigger the calculation as many times as needed, and each run uses the most recent data entered in the processing activity fields and regulatory details.
- Automated criticality assessment: The privacy manager uses the Automated criticality factors risk assessment methodology (RAM), which is provided by default in the Draft state, to calculate the criticality score of a processing activity. The RAM must be published before it can be used. When a user performs a screening assessment, they are prompted to answer several questions, including questions related to criticality and risk assessment. If the user answers the criticality-related questions during the screening assessment, the system automatically calculates the criticality risk score and displays it on the Overview page when the user proceeds to the processing activity. Because only two RAMs are supported at a time, the privacy manager must deactivate any other existing criticality factors RAM. Note that deactivating an existing criticality factors RAM cancels all in-progress risk assessments associated with that RAM.
Privacy risk assessments
Privacy risk assessments are detailed assessments that are conducted if the criticality score is high. Assess each risk that is associated with the processing activity to obtain the aggregated risk score on the processing activity. After you assess the privacy risks, you can view the privacy risk posture on the risk heatmap in the overview section. The heatmaps provide detailed information about your inherent and residual risks. See the following image to understand how you can initiate the detailed risk assessment.
Risk heatmap scores
The risk assessment results and the risk heatmaps appear on the processing activity home page, as shown in the following image.
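As an added illustration that is not ServiceNow code, the following model captures the rules described in the criticality assessment and privacy risk assessment sections above: a RAM starts in Draft and must be published before use, only two RAMs are active at a time, deactivating one cancels its in-progress assessments, the criticality score is recomputed from the current screening answers on each trigger, and a high score leads to a privacy risk assessment whose inherent and residual posture lands on the heatmap. The question weights, the "high" threshold, the heatmap band boundaries and the aggregation rule are assumptions of this example, not the product's actual methodology.

```python
from dataclasses import dataclass, field

# Assumed question weights; the page names only the key-decision / autonomous-decision factor.
CRITICALITY_FACTORS = {"influences_key_decisions": 3, "autonomous_decisions": 3,
                       "special_category_data": 2, "cross_border_transfer": 1}
HIGH_CRITICALITY = 5   # assumed threshold that triggers a privacy risk assessment
MAX_ACTIVE_RAMS = 2    # from the page: only two RAMs are supported at a time

@dataclass
class RAM:                                  # provided in Draft; publish before use
    name: str
    state: str = "draft"                    # draft | published | inactive
    in_progress: list = field(default_factory=list)   # assessment ids using this RAM

class PrivacyProgram:
    def __init__(self):
        self.rams: dict = {}

    def publish(self, ram: RAM) -> None:
        if sum(r.state == "published" for r in self.rams.values()) >= MAX_ACTIVE_RAMS:
            raise RuntimeError("two RAMs already active; deactivate one first")
        ram.state = "published"
        self.rams[ram.name] = ram

    def deactivate(self, name: str) -> list:
        """Deactivating a RAM cancels every in-progress assessment linked to it."""
        ram = self.rams[name]
        ram.state = "inactive"
        cancelled, ram.in_progress = ram.in_progress, []
        return cancelled

    def criticality_score(self, ram: RAM, answers: dict) -> int:
        """Recalculated from the current screening answers on every call."""
        if ram.state != "published":
            raise RuntimeError(f"RAM {ram.name!r} is {ram.state}; publish it first")
        return sum(w for q, w in CRITICALITY_FACTORS.items() if answers.get(q))

def needs_privacy_risk_assessment(score: int) -> bool:
    return score >= HIGH_CRITICALITY

def heatmap_band(likelihood: int, impact: int) -> str:
    """Map a 1-5 likelihood x impact pair to a heatmap band (assumed boundaries)."""
    return "High" if likelihood * impact >= 15 else "Medium" if likelihood * impact >= 8 else "Low"

def risk_posture(risks: list) -> dict:
    """Worst inherent and worst residual cell over (inh_l, inh_i, res_l, res_i) risks (assumed rule)."""
    worst = lambda pairs: max(pairs, key=lambda p: p[0] * p[1])
    return {"inherent": heatmap_band(*worst([r[:2] for r in risks])),
            "residual": heatmap_band(*worst([r[2:] for r in risks]))}
```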
To understand the details about how to perform the risk assessments, see Privacy assessment configurations.