Risk score rollup in Advanced Risk Assessment

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Risk score rollup in Advanced Risk Assessment

    In Advanced Risk Assessment, risk scores are aggregated across both risk statement hierarchies and entity hierarchies, or a combination, to provide stakeholders with a clear view of overall risk posture. This rollup functionality helps risk managers and entity owners monitor inherent risk, residual risk, control effectiveness, and Annual Loss Expectancy (ALE) based on selected risk assessment methodologies.

    Show full answer Show less

    Key Features

    • Multiple Risk Scores per Entity: Each entity may have several scores depending on different risk assessment methodologies. Only assessments in the Monitor state contribute to score calculations.
    • Custom Rollup Formulas: Rollup qualitative and quantitative scores use formulas defined in the Rollup configurations section of each risk assessment methodology.
    • Automatic Rollup: Upon activation of the Advanced Risk plugin, risk scores roll up automatically across the risk statement and entity hierarchies.
    • Rollup Methods: Scores can be aggregated using sum, average, maximum, or minimum formulas.
    • Additional Reporting Dimensions: The Manage Aggregated Risk report allows customization of reporting dimensions for detailed risk posture monitoring, such as focusing on specific risk types within an entity.

    Migration Considerations

    • To apply the new rollup score calculations, a risk administrator with the snrisk.admin role must enable the Migrate to Advanced Risk Assessments property in the administration settings. This property is disabled by default.
    • Enabling migration hides customizations on the Risk Overview dashboard, and some legacy reports and tabs become inaccessible, including Aggregated Risk Report, Exposure by Entity, and certain dashboard tabs. ServiceNow support can assist with this transition.
    • After migration, individual risk scores no longer roll up directly. Instead, aggregated values from Advanced Risk Assessment are shown in a related list called Aggregated Risk on entity and risk statement forms.

    What to Expect

    • Enhanced visibility into enterprise and entity-specific risk postures through consolidated risk scores and ALE values.
    • Streamlined monitoring of risk across multiple hierarchies and dimensions, enabling targeted risk management actions.
    • Updated reporting and dashboard views aligned with the advanced rollup methodology, requiring administrative configuration during migration.
    • The Aggregated Risk related list displays key aggregated metrics including residual and inherent ratings, control effectiveness, ALE values, contributing risk assessments, and rollup status, improving risk assessment transparency.

    In Advanced Risk Assessment, risk scores are calculated across risk statement hierarchy, entity hierarchy, or a combination of both. These methods enable stakeholders to monitor their risk posture and provide visibility of the overall aggregated risk score.

    Before you understand the rollup feature, consider the following points:
    • Each entity might have multiple scores based on the different risk assessment methodologies.
    • Only the risk assessments in the Monitor state contribute to the risk score.
    • Each risk assessment methodology might have a different formula to calculate the rollup qualitative score and the rollup quantitative score. The formula is specified in the Rollup configurationssection in the risk assessment methodology form.
    • Whenever the Advanced Risk plugin is activated the risk scores get rolled up.

    Risk statement hierarchy

    Based on the assessments, the system automatically rolls up the inherent risk scores, the Annual Loss Expectancy (ALE), control effectiveness score, residual risk score, and ALE across the risk statement hierarchy for the selected methodology​. This rollup allows the risk managers to monitor their enterprise risk posture​.

    Entity hierarchy

    Like risk statement hierarchy, the system also automatically rolls up the risk scores and ALE values across the entity hierarchy for a risk assessment methodology​. This rollup allows the entity owner to monitor the entity's risk posture. The rollups are done using the following formulae:
    • Sum
    • Average
    • Maximum
    • Minimum

    Entity hierarchy and risk statement

    Using the Manage Aggregated Risk report, customers can define additional reporting dimensions on which they want to monitor the risk posture for an entity. For example, if you want to understand an internal fraud related risk for Retail Banking, you can define that reporting dimension and monitor the risk.

    Changes in reports and risk rollup method after migrating to Advanced Risk Assessment

    To utilize the new rollup score calculation, the risk administrator, with the role sn_risk.admin, must first enable the Migrate to Advanced Risk Assessments property by navigating to Advanced Risk Assessment > Administration > Properties. This property is not enabled by default.
    Note:
    It is crucial to note that when you enable the mentioned property, any customizations in the risk overview dashboard will be hidden. Contact ServiceNow for assistance. Also, the following properties in risk are not hidden when you migrate to advanced risk rollup:
    • Compare risk tolerance based on
    • Compare calculated risk score with
    When customers migrate to Advanced Risk, the following reports are hidden from the user's view:
    • Aggregated Risk Report
    • Exposure by Entity
    • Exposure by Risk Statement
    In the Risk Overview dashboard, the following tabs are hidden:
    • Entity Tolerance Status
    • Risk Tolerance Status
    • Aggregated Entity Information
    • Aggregated Risk Information
    Under the Aggregated Risk Report, the following modules are visible that show the rolled up risk scores:
    • Aggregation by Risk Statements
    • Aggregation by Entities
    • Entity by Risk Statements
    When you migrate to advanced risk assessment, individual risk score values do not roll up to give you the risk score. Instead, the values from advanced risk assessment are considered. For example, for an entity, in the Entity form, the Risk Rollup and Tolerance section is not displayed. The same applies to any risk statement. Instead, a related list called Aggregated Risk is displayed. The Aggregated Risk related list contains the following values derived from various risk assessments:
    • Risk assessment methodology
    • Residual rating
    • Inherent rating
    • Control effectiveness
    • Residual ALE
    • Inherent ALE
    • Contributing risk assessments
    • Risk rollup status