Risk assessment methodologies reference
Summary of Risk assessment methodologies reference
This reference outlines the default risk assessment methodologies (RAMs) provided with the AI Risk and Compliance solution in ServiceNow. RAMs establish the frameworks, classification criteria, and contributing factors for evaluating risks related to AI assets such as AI systems, models, and datasets. These methodologies enable organizations to systematically identify and score risks, ensuring compliance with regulatory requirements and internal governance standards.
Key Features
- Default RAMs Included: The platform includes predefined RAMs that cover various aspects of AI risk evaluation, including regulatory risk classification and detailed risk scoring.
- Custom RAM Creation: Administrators can create and configure custom risk assessment methodologies to align with specific organizational needs and policies.
- Risk Scoring and Classification: RAMs use factors such as likelihood, impact, control effectiveness, data sensitivity, and intended use to derive inherent and residual risk scores as well as regulatory risk levels (e.g., High, Medium, Low, Unacceptable).
- Automation and Advanced Scoring: Automated risk classification is available during AI asset intake when enabled, speeding up initial risk determination. Advanced risk scoring features require installation of the Advanced Risk application and enabling a one-way migration property.
- Risk Score Roll-up: Individual risk scores from assessments roll up to aggregated risk scores, which are visible on AI asset records and the Risk and Compliance dashboard, supporting consolidated risk management.
- Inactive by Default: RAMs are initially inactive; implementers should carefully review and configure each methodology before activation to ensure alignment with governance requirements.
Practical Use Cases
- AI System Classification: Used during intake or early assessment to classify AI systems by regulatory risk level based on use case responses.
- Automated Classification: Automatically assigns regulatory risk classifications during intake when automated screening is enabled.
- Risk Assessment for AI Inventory: Supports asset-level and bulk risk assessments of AI systems, models, and datasets by calculating detailed risk scores.
- Model and Dataset Classification: Enables independent governance evaluations of AI models and datasets based on their characteristics and data sensitivity.
Key Outcomes
ServiceNow customers can leverage these RAMs to:
- Implement consistent and repeatable risk assessment processes for AI assets.
- Ensure regulatory and governance compliance by classifying AI systems, models, and datasets appropriately.
- Gain visibility into aggregated risk scores for informed decision-making and risk mitigation.
- Automate initial risk classification to streamline AI asset intake workflows.
- Customize risk assessment methodologies to reflect unique organizational risk frameworks and compliance mandates.
Risk assessment methodologies
The following table lists the default risk assessment methodologies (RAMs) installed with AI Risk and Compliance. RAMs define the scoring frameworks, classification criteria, and contributing factors used to evaluate risks associated with AI assets. Administrators can create custom RAMs to meet organizational requirements.
| RAM | Applies to | Purpose | When used |
|---|---|---|---|
| Risk classification for AI system | AI systems | Classifies AI systems by regulatory risk level based on factors captured during intake or assessment. | During intake screening or early assessment to determine initial regulatory risk classification. When configured and applied to the AI use case request form, this RAM evaluates responses in the Use and Purpose section and assigns a risk classification such as High, Medium, Low, or Unacceptable. If the AI Risk and Compliance admin doesn't complete the required configuration steps, the classification defaults to To Be Determined. |
| Automated risk classification for AI system | AI systems | Automatically assigns an initial regulatory risk classification based on Use and Purpose responses. | During intake when automated screening is enabled. |
| Risk assessment for AI inventory | AI systems, models, datasets | Evaluates individual risks using likelihood, impact, and control effectiveness to calculate inherent and residual risk scores. | During asset-level and bulk risk assessment projects. Individual risk scores roll up to form an aggregated risk score visible on the AI asset record and the Risk and Compliance dashboard. This RAM is the default for bulk risk assessment projects. You can specify it as the default primary RAM using the sn_grc_ai_gov.aisystem_primary_ram property. |
| Risk classification for AI model or dataset | AI models, datasets | Classifies models and datasets by risk level based on characteristics, data sensitivity, and intended use. | When models or datasets require independent governance evaluation. Unlike AI system classification RAMs, this RAM is not applied through a global property — it is selected when initiating a risk assessment on an AI model or dataset. |