Advanced Risk Assessment
Use the ServiceNow® Governance, Risk, and Compliance (GRC) Advanced Risk Assessment feature to create an integrated risk platform. The platform supports several risk assessment methodologies and lets you make risk assessment part of your overall decision-making process.
- Digitizes the complete risk management life cycle, including risk identification, risk analysis, risk evaluation, risk treatment, and monitoring.
- Customizes the risk assessment process based on the unique needs of your organization. This customization includes configuring the assessment criteria, the context, and the overall risk scoring logic.
- Supports both qualitative and quantitative risk assessment methods.
- Automatically aggregates risk assessment scores bottom-up across the risk hierarchy, so that a parent risk reflects the scores of the risks beneath it.
- Embeds the risk assessment process in the workspace for first-line users. This embedding helps users make informed decisions based on risks that are associated with actions.
Steps of risk assessment
- Risk identification: Find an uncertainty or risk that might prevent your organization from achieving its objectives.
- Risk analysis: Understand the cause and consequence of the risk.
- Risk evaluation: To determine if additional action is required, compare the results of the risk analysis with the established risk criteria.
- Risk treatment: Define an action plan to address the risk.
- Risk monitoring: Track the risk posture of the organization and communicate it to relevant stakeholders.
- Inherent risks: Inherent risk is the level of risk before any controls are applied. For example, driving at a high speed on a highway is inherently riskier than driving at a moderate speed. The inherent risk score is derived by multiplying the impact of the risk by the likelihood of the risk.
- Control effectiveness: Controls reduce the likelihood or the impact of a risk. For example, highways have speed limit monitors. If a risk materializes, the controls mitigate the impact. Controls can be preventive, detective, or corrective.
  - Preventive controls are designed to prevent errors, inaccuracies, or fraud before these issues occur.
  - Detective controls are intended to discover the existence of errors, inaccuracies, or fraud.
  - Corrective controls are designed to correct errors or irregularities that have been detected.
- Residual risks: Residual risk is the risk that remains after controls are implemented. For example, if an accident still happens despite the safety measures in place, the damage caused by the accident is residual risk. A residual risk score can be calculated using any of the following methods:
  - A matrix between the inherent risk score and the control effectiveness.
  - A mathematical formula, such as the inherent score minus the control score.
  - Answers to factors.
- Target risks: Target risk is the level of risk an organization wants to reach in the future. By evaluating the desired likelihood and impact of each identified risk, the organization establishes a target risk level for that risk. When you assess a risk, you consider inherent risk, control effectiveness, and residual risk; it is equally important to capture the risk level that should remain after your risk response is implemented. The target risk is the level of risk you aim to reach once your action plan is executed, and it lets you measure the benefit your organization gains relative to the cost of implementing those actions.
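The following is an added example, not ServiceNow code, that models the scoring logic described above in plain JavaScript: an inherent score from impact and likelihood, a control effectiveness value, the three residual methods (matrix, formula, answers to factors), the gap to a target risk, and the bottom-up aggregation mentioned in the feature list. The 1-to-5 rating scale, the control-type weights, the bands and contents of the residual matrix, the factor set, the "maximum of the children" aggregation rule, and the sample risk are all assumptions chosen for illustration; in a real deployment these are the assessment criteria and scoring logic you configure.

```javascript
// Added example (not ServiceNow code). All scales, weights, bands and sample
// data below are assumptions for illustration only.

const SCALE_MAX = 5; // likelihood and impact are rated 1..5 (assumption)

// Inherent risk: impact x likelihood, before any control is considered.
function inherentScore(likelihood, impact) {
  for (const v of [likelihood, impact]) {
    if (!Number.isInteger(v) || v < 1 || v > SCALE_MAX) {
      throw new RangeError(`rating out of range: ${v}`);
    }
  }
  return likelihood * impact; // 1..25
}

// Control effectiveness in [0, 1]: weighted share of controls whose last test
// passed. Weights per control type are an assumption.
const CONTROL_WEIGHT = { preventive: 1.0, detective: 0.7, corrective: 0.5 };
function controlEffectiveness(controls) {
  let weight = 0, passed = 0;
  for (const c of controls) {
    const w = CONTROL_WEIGHT[c.type];
    if (w === undefined) throw new Error(`unknown control type: ${c.type}`);
    weight += w;
    if (c.passed) passed += w;
  }
  return weight === 0 ? 0 : passed / weight; // no controls: nothing is mitigated
}

// Residual method 1: matrix between the inherent rating band and the control
// effectiveness band (rows: inherent; columns: effectiveness). Assumed contents.
const RESIDUAL_MATRIX = {
  Low:    { Ineffective: 'Low',    Partial: 'Low',    Effective: 'Low' },
  Medium: { Ineffective: 'Medium', Partial: 'Medium', Effective: 'Low' },
  High:   { Ineffective: 'High',   Partial: 'Medium', Effective: 'Medium' },
};
function inherentBand(score) { return score <= 6 ? 'Low' : score <= 14 ? 'Medium' : 'High'; }
function effectivenessBand(e) { return e < 0.34 ? 'Ineffective' : e < 0.67 ? 'Partial' : 'Effective'; }
function residualByMatrix(inherent, effectiveness) {
  return RESIDUAL_MATRIX[inherentBand(inherent)][effectivenessBand(effectiveness)];
}

// Residual method 2: formula, inherent score minus control score. The control
// score is the effectiveness applied to the inherent score; the result is
// floored at 1 so an over-controlled risk never scores below the minimum rating.
function residualByFormula(inherent, effectiveness) {
  const controlScore = inherent * effectiveness;
  return Math.max(1, Math.round(inherent - controlScore));
}

// Residual method 3: answers to factors. Every factor must be answered; each
// "yes" reduces the inherent score by that factor's weight.
function residualByFactors(inherent, answers, factors) {
  let reduction = 0;
  for (const f of factors) {
    if (answers[f.id] === undefined) throw new Error(`unanswered factor: ${f.id}`);
    if (answers[f.id]) reduction += f.weight;
  }
  return Math.max(1, inherent - reduction);
}

// Target risk: desired likelihood x impact, the reduction the action plan must
// deliver, and that reduction per unit of plan cost (benefit versus cost).
function targetGap(residual, targetLikelihood, targetImpact, planCost) {
  const target = inherentScore(targetLikelihood, targetImpact);
  const reduction = residual - target;
  return { target, reduction, reductionPerUnitCost: planCost > 0 ? reduction / planCost : null };
}

// Bottom-up aggregation: a parent risk's score is derived from its children
// (here the maximum; an average is the other common rule). A leaf keeps its own
// residual score.
function aggregate(risk) {
  if (!risk.children || risk.children.length === 0) return risk.residual;
  return Math.max(...risk.children.map(aggregate));
}

// Constructed sample: one risk with two controls, scored with every method.
function sampleAssessment() {
  const inherent = inherentScore(4, 5);                       // 20
  const controls = [
    { type: 'preventive', passed: true },
    { type: 'detective', passed: false },
  ];
  const eff = controlEffectiveness(controls);                 // 1.0 / 1.7
  const factors = [
    { id: 'tested_last_12m', weight: 5 },
    { id: 'owner_assigned', weight: 3 },
  ];
  const answers = { tested_last_12m: true, owner_assigned: false };
  const residual = residualByFormula(inherent, eff);
  return {
    inherent,
    effectiveness: eff,
    residualMatrix: residualByMatrix(inherent, eff),
    residualFormula: residual,
    residualFactors: residualByFactors(inherent, answers, factors),
    target: targetGap(residual, 2, 3, 4),
  };
}
```

The three residual methods intentionally give different answers for the same inputs (a band, a rounded number, and a factor-driven number), which is why the method is part of the assessment criteria you configure rather than a fixed rule; whichever you choose, the target and aggregation logic consume the resulting residual score unchanged.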