Advanced Risk Assessment

  • Release version: Zurich
  • Updated July 31, 2025

    Use the ServiceNow® Governance, Risk, and Compliance (GRC) Advanced Risk Assessment feature to create an integrated risk platform. This integrated platform supports various kinds of risk assessment methodologies. It enables you to integrate risk assessment as part of your overall decision-making process.

    Advanced Risk Assessment offers the following benefits:
    • Digitizes the complete risk management life cycle, including risk identification, risk analysis, risk evaluation, risk treatment, and monitoring.
    • Customizes the risk assessment process based on the unique needs of your organization. This customization includes configuring the assessment criteria, the context, and the overall risk scoring logic.
    • Supports both qualitative and quantitative risk assessment methods.
    • Automatically rolls up risk assessment scores from the bottom up across the risk.
    • Embeds the risk assessment process in the workspace for first-line users. This embedding helps users make informed decisions based on risks that are associated with actions.
    Note: To know if your current license entitles you to Advanced Risk Assessments, contact ServiceNow.

    Steps of risk assessment

    Before understanding Advanced Risk Assessment in detail, it is important to understand the key steps of risk management:
    1. Risk identification: Find an uncertainty or risk that might prevent your organization from achieving its objectives.
    2. Risk analysis: Understand the cause and consequence of the risk.
    3. Risk evaluation: To determine if additional action is required, compare the results of the risk analysis with the established risk criteria.
    4. Risk treatment: Define an action plan to address the risk.
    5. Risk monitoring: Track the risk posture of the organization and communicate it to relevant stakeholders.
    Figure 1. Steps of risk management
    Risk assessment consists of risk identification, risk analysis, and risk evaluation. Advanced risk assessment is performed based on factors (questions) and their responses, and it can be performed for an entity such as an organization.

    To use advanced risk assessment, you must enable the Migrate to Advanced Risk Assessments property, located under the Administration module. The assessor and approver for the risk assessment must have the sn_grc.business_user role.

    Advanced risk assessment enables you to assess a risk in detail: the inherent risk, the mitigating controls, and the residual risk are each assessed. If you don't have the complete GRC setup (entities, risk statements, controls, and so on), you can still assess risks on any ServiceNow record or object; assessing change management is an example of object assessment. During risk assessment, the following risks are assessed.
    • Inherent risks: Inherent risks are risks considered before any controls are applied. For example, driving at a high speed on a highway is inherently more of a risk than driving at a moderate speed. The score of an inherent risk is derived by multiplying the impact of the risk by its likelihood.
    • Control effectiveness: Controls can mitigate the impact or likelihood of a risk. For example, highways have speed limit monitors. If a risk materializes, the controls mitigate the impact. Controls can be preventive, detective, or corrective.
      • Preventive controls are designed to prevent errors, inaccuracies, or fraud before these issues occur.
      • Detective controls are intended to discover the existence of errors, inaccuracies, or fraud.
      • Corrective controls are designed to correct errors or irregularities that have been detected.
    • Residual risks: Residual risks are the leftover risks that remain after the implementation of controls. For example, despite the safety measures in place, if there’s still an accident, then the damage caused by the accident is a residual risk. A residual risk score can be calculated using any of the following methods:
      • A matrix between inherent and residual effectiveness.
      • A mathematical formula such as the inherent score minus the control score.
      • Answers to factors.
    • Target risks: Target risks are the desired risk levels an organization wants to achieve in the future. By evaluating the desired level of likelihood and impact of identified risks, organizations can establish target risk levels for each risk. For example, when assessing a risk, you consider various aspects such as inherent risk, the effectiveness of controls, and residual risks. However, it's equally important to capture the desired risk level that will be attained after your risk response is implemented. The target risk represents the optimum level of risk that you aim to achieve after your action plan is successfully executed. It enables you to measure the benefits your organization gets in relation to the cost of implementing those actions.
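As an added illustration (not ServiceNow code, and not the platform's own scoring logic, which is configurable), the following Python models the scores described in this list: the inherent score as impact times likelihood, the three residual-score methods, and a bottom-up roll-up compared against a target. The 1..5 scales, the rating bands, the matrix values and the max-of-subtree roll-up rule are constructed assumptions.

```python
from dataclasses import dataclass, field
SCALE = range(1, 6)  # constructed 1..5 scales for impact, likelihood, control effectiveness

def inherent_score(impact: int, likelihood: int) -> int:
    """Inherent score = impact x likelihood, as the page states (range 1..25)."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must be on the 1..5 scale")
    return impact * likelihood

def rating(score: int) -> str:
    """Constructed banding of a 1..25 score into a qualitative rating."""
    for limit, label in ((6, "Low"), (12, "Medium"), (19, "High")):
        if score <= limit:
            return label
    return "Critical"

# Residual method 1: matrix lookup. Rows are inherent ratings, columns are
# control effectiveness 1 (ineffective) .. 5 (fully effective). Constructed values.
RESIDUAL_MATRIX = {
    "Low":      ["Low", "Low", "Low", "Low", "Low"],
    "Medium":   ["Medium", "Medium", "Low", "Low", "Low"],
    "High":     ["High", "High", "Medium", "Medium", "Low"],
    "Critical": ["Critical", "High", "High", "Medium", "Medium"],
}
def residual_by_matrix(inherent: int, control_eff: int) -> str:
    return RESIDUAL_MATRIX[rating(inherent)][control_eff - 1]

def residual_by_formula(inherent: int, control_score: int) -> int:
    """Residual method 2: inherent score minus control score, floored at zero."""
    return max(inherent - control_score, 0)

def residual_by_factors(answers: dict, weights: dict) -> float:
    """Residual method 3: weighted average of 1..5 answers to assessment factors."""
    total = sum(weights[f] * a for f, a in answers.items())
    return round(total / sum(weights[f] for f in answers), 2)

@dataclass
class Risk:
    name: str
    residual: int
    target: int
    children: list = field(default_factory=list)

def rollup(risk: Risk) -> int:
    """Bottom-up roll-up: parent residual = max over its subtree (assumed rule)."""
    return max([risk.residual] + [rollup(c) for c in risk.children])

def meets_target(risk: Risk) -> bool:
    """Target check: rolled-up residual at or below the desired future level."""
    return rollup(risk) <= risk.target
```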