Advanced Risk Assessment

  • Release version: Australia
  • Updated March 12, 2026
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Advanced Risk Assessment

    The ServiceNow® Governance, Risk, and Compliance (GRC) Advanced Risk Assessment feature provides an integrated platform for managing various risk assessment methodologies. This tool supports your decision-making processes by digitizing the complete risk management lifecycle, including identification, analysis, evaluation, treatment, and monitoring of risks.


    Key Features

    • Customizable Processes: Tailor the risk assessment process to fit your organization's unique needs, including assessment criteria and scoring logic.
    • Qualitative and Quantitative Methods: Utilize both qualitative and quantitative approaches for risk assessment.
    • Automated Aggregation: Automatically compile bottom-up risk assessment scores for comprehensive insights.
    • Embedded Tools: Integrate risk assessment directly into user workspaces to facilitate informed decision-making.
    • Risk Assessment Steps: Follow the structured steps of risk identification, analysis, evaluation, treatment, and monitoring.
    • Delegate Assessments: Allow risk assessors to appoint delegates if they are unavailable.
    • Target Risk Assessments: Define and monitor desired future risk levels.

    Key Outcomes

    By implementing Advanced Risk Assessment, organizations can expect to effectively manage their risk posture, enabling informed decision-making that aligns with business objectives. This feature not only enhances risk visibility but also facilitates structured risk management processes across various ServiceNow records or objects, even without a complete GRC setup. Users can also define risk appetite and tolerance, ensuring that acceptable risk boundaries are established and monitored.

    Use the ServiceNow® Governance, Risk, and Compliance (GRC) Advanced Risk Assessment feature to create an integrated risk platform. This integrated platform supports various kinds of risk assessment methodologies. It enables you to integrate risk assessment as part of your overall decision-making process.

    Advanced Risk Assessment offers the following benefits:
    • Digitizes the complete risk management life cycle, including risk identification, risk analysis, risk evaluation, risk treatment, and monitoring.
    • Customizes the risk assessment process based on the unique needs of your organization. This customization includes configuring the assessment criteria, the context, and the overall risk scoring logic.
    • Supports both qualitative and quantitative risk assessment methods.
    • Automatically aggregates the bottom-up risk assessment scores across the risk.
    • Embeds the risk assessment process in the workspace for first-line users. This embedding helps users make informed decisions based on risks that are associated with actions.
    Note:
    To know if your current license entitles you to Advanced Risk Assessments, contact ServiceNow.

    Steps of risk assessment

    Before understanding Advanced Risk Assessment in detail, it is important to understand the key steps of risk management:
    1. Risk identification: Find an uncertainty or risk that might prevent your organization from achieving its objectives.
    2. Risk analysis: Understand the cause and consequence of the risk.
    3. Risk evaluation: To determine if additional action is required, compare the results of the risk analysis with the established risk criteria.
    4. Risk treatment: Define an action plan to address the risk.
    5. Risk monitoring: Track the risk posture of the organization and communicate it to relevant stakeholders.
    Figure 1. Steps of risk management
    Risk assessment consists of risk identification, risk analysis, and risk evaluation. Advanced risk assessment is performed based on factors or questions and their responses. It can be performed for an entity such as an organization.

    To use advanced risk assessment, you must enable the Migrate to Advanced Risk Assessments property located under the Administration module. The assessor and approver for the risk assessment must have the sn_grc.business_user role.

    Advanced risk assessment enables a detailed assessment in which the inherent risks, mitigating controls, and residual risks are assessed. If you don't have the complete GRC setup for entities, risk statements, controls, and so on, you can still assess the risks on any ServiceNow record or object. An example of object assessment is assessing change management.

    During risk assessment, the following risks are assessed:
    • Inherent risks: Inherent risks are risks that don't have controls. For example, driving at a high speed on a highway is inherently riskier than driving at a moderate speed. The score of this inherent risk is derived by multiplying the impact of the risk by the likelihood of the risk.
    • Control effectiveness: Controls can mitigate the impact or likelihood of a risk. For example, highways have speed limit monitors. If a risk materializes, the controls mitigate the impact. Controls can be preventive, detective, or corrective.
      • Preventive controls are designed to prevent errors, inaccuracies, or fraud before these issues occur.
      • Detective controls are intended to discover the existence of errors, inaccuracies, or fraud.
      • Corrective controls are designed to correct errors or irregularities that have been detected.
    • Residual risks: Residual risks are the leftover risks that remain after the implementation of controls. For example, despite the safety measures in place, if there’s still an accident, then the damage caused by the accident is a residual risk. A residual risk score can be calculated using any of the following methods:
      • A matrix between inherent and residual effectiveness.
      • A mathematical formula such as the inherent score minus the control score.
      • Answers to factors.
    • Target risks: Target risks are the desired risk levels that an organization wants to achieve in the future. By evaluating the desired level of likelihood and impact of identified risks, organizations can establish target risk levels for each risk. For example, when assessing a risk, you consider various aspects such as inherent risk, the effectiveness of controls, and residual risks. However, it's equally important to capture the desired risk level that will be attained after your risk response is implemented. The target risk represents the optimum level of risk that you aim to achieve after your action plan is successfully executed. It enables you to measure the benefits your organization gets in relation to the cost of implementing those actions.
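
    The following added example is not ServiceNow code. It works through the scores described above for one constructed risk: inherent score as impact multiplied by likelihood, residual risk by both the subtraction formula and a matrix, and the comparison against the target risk. The 1-5 rating scales, band cut-offs, control score, and matrix values are all assumptions chosen for illustration.

```javascript
// Added illustration. Scales, cut-offs and matrix values are assumptions,
// not ServiceNow defaults.
const BANDS = ["Low", "Moderate", "High", "Critical"];

// Inherent score = impact x likelihood (each assumed to be rated 1-5).
function inherentScore(impact, likelihood) {
  for (const v of [impact, likelihood]) {
    if (!Number.isInteger(v) || v < 1 || v > 5) throw new RangeError("rating must be 1-5");
  }
  return impact * likelihood;
}

// Map a 0-25 score to a qualitative band (assumed cut-offs).
function band(score) {
  if (score >= 20) return "Critical";
  if (score >= 12) return "High";
  if (score >= 6) return "Moderate";
  return "Low";
}

// Matrix method: inherent band crossed with a control effectiveness rating.
const RESIDUAL_MATRIX = {
  Low:      { ineffective: "Low",      partial: "Low",      effective: "Low" },
  Moderate: { ineffective: "Moderate", partial: "Low",      effective: "Low" },
  High:     { ineffective: "High",     partial: "Moderate", effective: "Low" },
  Critical: { ineffective: "Critical", partial: "High",     effective: "Moderate" },
};

function assess(risk) {
  const inherent = inherentScore(risk.impact, risk.likelihood);
  // Formula method: inherent score minus control score, floored at zero.
  const residual = Math.max(0, inherent - risk.controlScore);
  const byMatrix = RESIDUAL_MATRIX[band(inherent)][risk.controlEffectiveness];
  if (byMatrix === undefined) throw new RangeError("unknown control effectiveness");
  const target = band(inherentScore(risk.targetImpact, risk.targetLikelihood));
  return {
    inherent, inherentBand: band(inherent),
    residualByFormula: residual, residualBandByFormula: band(residual),
    residualBandByMatrix: byMatrix,
    methodsAgree: band(residual) === byMatrix,  // the two methods can diverge
    targetBand: target,
    aboveTarget: BANDS.indexOf(band(residual)) > BANDS.indexOf(target),
  };
}

// Constructed sample risk record.
const sample = { impact: 5, likelihood: 4, controlScore: 6,
  controlEffectiveness: "effective", targetImpact: 3, targetLikelihood: 2 };
console.log(assess(sample));
```

    For the sample record the two residual methods disagree (High by formula, Moderate by matrix), which shows why the scoring method should be fixed before scores are compared against a target.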