Risk assessments in Privacy Management

  • Release version: Australia
  • Updated March 12, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Risk assessments in Privacy Management

    ServiceNow Privacy Management enables you to perform risk assessments on data processing activities to evaluate their risk scores and understand your organization's privacy risk posture. These assessments help prioritize actions based on risk levels and ensure informed decision-making regarding privacy risks.


    Key Features

    • Criticality Assessments: Determine the initial risk level of a processing activity to prioritize or deprioritize it. Criticality factors include whether personal data processing influences key decisions or autonomous decision making.
    • Manual Criticality Assessment: Privacy managers can manually trigger criticality assessments from the processing activity interface. The system calculates scores based on current form data and regulatory details, allowing recalculations whenever updated data is entered.
    • Automated Criticality Assessment: Utilizes a pre-defined Risk Assessment Methodology (RAM) that privacy managers must publish before use. During screening assessments, users answer criticality-related questions, and the system automatically calculates risk scores displayed on the processing activity overview. Only two RAMs are supported simultaneously, and deactivating a RAM cancels in-progress assessments linked to it.
    • Privacy Risk Assessments: Conducted when the criticality score is high, these detailed assessments evaluate each associated risk and provide an aggregated risk score. Results are visualized on a risk heatmap showing inherent and residual risks.
    • Risk Heatmap Scores: Display risk assessment outcomes on the processing activity homepage, offering a clear view of privacy risk postures.
    • Risk Assessment Methodology (RAM): Provides a systematic, repeatable approach for identifying, evaluating, and mitigating privacy risks linked to data processing activities.
    • Privacy Assessment Configurations: Two default RAMs are provided for criticality and privacy risk assessments to streamline evaluation processes.

    Key Outcomes

    • Enables prioritization of processing activities based on privacy risk levels.
    • Supports both manual and automated risk scoring methods for flexible assessment workflows.
    • Provides visual risk heatmaps for clear understanding of privacy risk posture.
    • Helps privacy teams systematically identify, evaluate, and mitigate risks associated with data processing.

    You can perform risk assessments on your processing activities to determine their risk scores and find out the privacy risk posture of your organization.

    To understand the risk posture, the following assessments are performed.

    Criticality assessments

    A criticality assessment uses risk assessment to determine the initial risk level of a processing activity. Using the resulting criticality score, the privacy team can prioritize or deprioritize the activity accordingly. For example, a criticality factor can be whether personal data is being processed in a way that influences key decisions or enables impactful autonomous decision making, which the assessment questions help identify.

    Criticality assessments can be performed using one of the following two methods.
    Manual criticality assessment
    Using the manual method, a privacy manager initiates the criticality assessment from a processing activity. If you're already working on a processing activity and want to assess its criticality, you can manually trigger this assessment using the Assess criticality action in the user interface. When you trigger the criticality assessment, the system automatically calculates the criticality score based on the information already available in the fields of the processing activity form. On the Regulatory details tab of a processing activity, you can provide the risk-related details. After you enter this information, triggering the criticality assessment uses these values to calculate the risk score. The system can calculate the criticality score multiple times if triggered manually. Each time, it uses the most recent data entered in the processing activity fields and regulatory details.
    Automated criticality assessment
    Using the automated method, the privacy manager uses the Automated criticality factors risk assessment methodology (RAM) that is provided by default to calculate the criticality score of a processing activity. Privacy managers must publish this RAM before it can be used. By default, the RAM is provided in the Draft state. When a user performs a screening assessment, they are prompted to respond to several questions, including those related to criticality and risk assessment. If the user provides answers to these criticality-related questions during the screening assessment, the system automatically calculates the criticality risk score. The calculated score is then displayed on the Overview page when the user proceeds to the processing activity. Because only two RAMs are supported at a time, privacy managers must deactivate any other existing criticality factors RAM. When an existing criticality factors RAM is deactivated, all the in-progress risk assessments associated with that RAM are canceled.
    Manually initiate criticality assessment.

    Privacy risk assessments

    Privacy risk assessments are detailed assessments that are conducted if the criticality score is high. Assess each risk that is associated with the processing activity to see the aggregated risk score on the processing activity. After you assess the privacy risks, you can view the privacy risk posture on the risk heatmap in the overview section. The heatmaps provide detailed information about your inherent and residual risks. See the following image to understand how you can initiate the detailed risk assessment.
    Perform advanced risk assessments.

    Risk heatmap scores

    The risk assessment results and the risk heatmaps appear on the processing activity home page as shown in the following image.

    Figure 1. Risk scores on a processing activity
    Risk criticality score and risk heatmap view.

    To understand the details about how to perform the risk assessments, see Privacy assessment configurations.