Create a Risk Assessment Methodology

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Configure a risk assessment methodology (RAM) in the Privacy Management application so that you can assess the risks in your organization.

    Before you begin

    Role required: sn_privacy.manager or sn_privacy.admin

    About this task

    Create a standardized method to support risk-based decision-making across departments, projects, and systems. By using a RAM, your organization can have different methodologies for assessing risks.

    After you move a RAM to the Retired state, you can also move it back to the Draft state if you want to make some changes later. You can only move a RAM to the Draft state if it doesn’t have any assessments in the Monitor state or the Closed state. When you move a RAM back to the Draft, the on-going assessments and the associated scopes are deleted.

    Procedure

    1. Navigate to All > Privacy Management > Risk Assessments > Risk assessment methodologies.
    2. On the Risk Assessment Methodology page, select New.
    3. On the form, fill the details.
      For a description of the field values on the risk assessment methodology form, see Risk Assessment Methodology form.
    4. Right-click and save the form.
    5. To configure the various assessments, select one of the following options.
      ChoiceRelated link
      Configure inherent assessment See Configure an inherent assessment.
      Configure control effectiveness See Configure a control effectiveness assessment
      Configure residual assessment See Configure a residual assessment
      Configure target assessment See Configure a target assessment
    6. Select Publish.
      Note:
      After a new assessment is created on the same risk and the assessment is in the Monitor state, the other assessments automatically move to the Completed state. When an assessment instance is in the Monitor state, you can’t move the RAM back to the Draft state. A RAM can only be moved back to the Draft state if there are no assessment instances.

    Result

    A new Risk Assessment Methodology is created and is available for use.