Risk score rollup in Advanced Risk Assessment

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Risk Score Rollup in Advanced Risk Assessment

    In Advanced Risk Assessment, risk scores are calculated across risk statement and entity hierarchies, enabling stakeholders to monitor their risk posture through aggregated risk scores. Only assessments in the Monitor state contribute to these scores, with different methodologies applying unique formulas for qualitative and quantitative rollup scores.

    Show full answer Show less

    Key Features

    • Risk Statement Hierarchy: Automatically rolls up inherent risk scores, Annual Loss Expectancy (ALE), control effectiveness, and residual risk scores based on selected methodologies.
    • Entity Hierarchy: Similar to risk statement hierarchy, this feature rolls up risk scores and ALE values across entities, aiding entity owners in monitoring their risk posture.
    • Manage Aggregated Risk Report: Allows customers to define additional reporting dimensions to monitor specific risks, such as internal fraud in Retail Banking.
    • Migrate to Advanced Risk Assessments: Requires enabling a specific property by the risk administrator, which affects visibility of certain reports and dashboard elements.

    Key Outcomes

    Upon migrating to Advanced Risk Assessment, users will notice changes in report visibility and the way risk scores are rolled up. Individual risk scores will not aggregate as before; instead, an Aggregated Risk related list will display values derived from various assessments. Significant properties and modules will either remain visible or be hidden, requiring users to adapt to the new reporting structure.

    In Advanced Risk Assessment, risk scores are calculated across risk statement hierarchy, entity hierarchy, or a combination of both. These methods enable stakeholders to monitor their risk posture and provide visibility of the overall aggregated risk score.

    Before you understand the rollup feature, consider the following points:
    • Each entity might have multiple scores based on the different risk assessment methodologies.
    • Only the risk assessments in the Monitor state contribute to the risk score.
    • Each risk assessment methodology might have a different formula to calculate the rollup qualitative score and the rollup quantitative score. The formula is specified in the Rollup configurationssection in the risk assessment methodology form.
    • Whenever the Advanced Risk plugin is activated the risk scores get rolled up.

    Risk statement hierarchy

    Based on the assessments, the system automatically rolls up the inherent risk scores, the Annual Loss Expectancy (ALE), control effectiveness score, residual risk score, and ALE across the risk statement hierarchy for the selected methodology​. This rollup allows the risk managers to monitor their enterprise risk posture​.

    Entity hierarchy

    Like risk statement hierarchy, the system also automatically rolls up the risk scores and ALE values across the entity hierarchy for a risk assessment methodology​. This rollup allows the entity owner to monitor the entity's risk posture. The rollups are done using the following formulae:
    • Sum
    • Average
    • Maximum
    • Minimum

    Entity hierarchy and risk statement

    Using the Manage Aggregated Risk report, customers can define additional reporting dimensions on which they want to monitor the risk posture for an entity. For example, if you want to understand an internal fraud related risk for Retail Banking, you can define that reporting dimension and monitor the risk.

    Changes in reports and risk rollup method after migrating to Advanced Risk Assessment

    To utilize the new rollup score calculation, the risk administrator, with the role sn_risk.admin, must first enable the Migrate to Advanced Risk Assessments property by navigating to Advanced Risk Assessment > Administration > Properties. This property is not enabled by default.
    Note:
    It is crucial to note that when you enable the mentioned property, any customizations in the risk overview dashboard will be hidden. Contact ServiceNow for assistance. Also, the following properties in risk are not hidden when you migrate to advanced risk rollup:
    • Compare risk tolerance based on
    • Compare calculated risk score with
    When customers migrate to Advanced Risk, the following reports are hidden from the user's view:
    • Aggregated Risk Report
    • Exposure by Entity
    • Exposure by Risk Statement
    In the Risk Overview dashboard, the following tabs are hidden:
    • Entity Tolerance Status
    • Risk Tolerance Status
    • Aggregated Entity Information
    • Aggregated Risk Information
    Under the Aggregated Risk Report, the following modules are visible that show the rolled up risk scores:
    • Aggregation by Risk Statements
    • Aggregation by Entities
    • Entity by Risk Statements
    When you migrate to advanced risk assessment, individual risk score values do not roll up to give you the risk score. Instead, the values from advanced risk assessment are considered. For example, for an entity, in the Entity form, the Risk Rollup and Tolerance section is not displayed. The same applies to any risk statement. Instead, a related list called Aggregated Risk is displayed. The Aggregated Risk related list contains the following values derived from various risk assessments:
    • Risk assessment methodology
    • Residual rating
    • Inherent rating
    • Control effectiveness
    • Residual ALE
    • Inherent ALE
    • Contributing risk assessments
    • Risk rollup status