Risk assessment methodologies

  • Release version: Australia
  • Updated June 9, 2026

    The AI Risk and Compliance application uses risk assessment methodologies (RAMs) to define the scoring frameworks and classification criteria used during risk assessments.

    Risk assessment methodologies overview

    RAMs define the scoring frameworks and classification criteria used during risk assessments.

    Risk assessment methodologies

    Risk assessment methodologies (RAMs) define the scoring frameworks, classification criteria, and contributing factors used to evaluate risks associated with AI assets.

    RAMs are used during intake, asset-level risk assessments, and bulk risk assessment projects. The content pack provides default RAMs, and administrators can create custom RAMs to meet organizational requirements.

    Table 1. Default risk assessment methodologies

    RAM: Risk classification for AI system
    Applies to: AI systems
    Purpose: Classifies AI systems by regulatory risk level based on factors captured during intake or assessment.
    When used: During intake screening or early assessment to determine initial regulatory risk classification.
    Notes: When configured and applied to the AI use case request form, this RAM evaluates responses in the Use and Purpose section and assigns a risk classification such as High, Medium, Low, or Unacceptable. If the AI Risk and Compliance admin doesn't complete the required configuration steps, the classification defaults to To Be Determined.

    RAM: Automated risk classification for AI system
    Applies to: AI systems
    Purpose: Automatically assigns an initial regulatory risk classification based on Use and Purpose responses.
    When used: During intake when automated screening is enabled.

    RAM: Risk assessment for AI inventory
    Applies to: AI systems, models, datasets
    Purpose: Evaluates individual risks using likelihood, impact, and control effectiveness to calculate inherent and residual risk scores.
    When used: During asset-level and bulk risk assessment projects.
    Notes: Individual risk scores roll up to form an aggregated risk score visible on the AI asset record and the Risk and Compliance dashboard. This RAM is the default for bulk risk assessment projects. You can also specify it as the default primary RAM for all risk assessments using the sn_grc_ai_gov.aisystem_primary_ram property.

    RAM: Risk classification for AI model or dataset
    Applies to: AI models, datasets
    Purpose: Classifies models and datasets by risk level based on characteristics, data sensitivity, and intended use.
    When used: When models or datasets require independent governance evaluation.
    Notes: Unlike AI system classification RAMs, this RAM isn't applied through a global property. It's selected when initiating a risk assessment on an AI model or dataset and evaluates characteristics such as data sensitivity, intended use, and associated risk factors.

    For information about coordinating multiple risk assessments together, see Risk assessment project in AI Risk and Compliance.

    Important:
    Automated and advanced risk scoring behavior depends on RAM configuration. To enable risk score roll-up across AI assets, install the Advanced Risk application and migrate to Advanced Risk Assessments. This is a one-way configuration change.

    Risk assessment methodology configuration

    Administrators can configure which risk assessment methodologies (RAMs) are applied during intake, assessment, and risk evaluation workflows.

    Configuration options include specifying default RAMs for AI systems, models, and datasets, and enabling automated or advanced risk calculation behavior.

    To configure the default RAM for AI system risk classification at intake, set the sn_grc_ai_gov.ai_system_risk_classification_ram property.

    To configure automated risk classification during intake, specify the sn_grc_ai_gov.ai_system_automated_risk_classification_asmt_ram property.

    To define the default RAM used for risk assessments across AI systems, set the sn_grc_ai_gov.aisystem_primary_ram property.

    For more information, see Set up AI Risk and Compliance properties.

    Important:
    To enable risk score roll-up across AI assets, install the Advanced Risk application and set the Migrate to Advanced Risk Assessments property to Yes. This is a one-way configuration change that permanently transitions risk calculation and roll-up behavior to the Advanced Risk framework. See Set up Advanced Risk assessments properties.

    Automated risk classification workflow

    Automated Risk Classification connects intake screening, assessments, and risk evaluation into a single governance flow. Information captured during the intake request, specifically responses provided by the Product Owner in the Use and Purpose section, is reused across subsequent assessments and contributes directly to how AI systems are classified as High, Medium, or Low risk.

    Assessment templates, RAMs, and Post Assessment Actions work together to help ensure that qualitative context, regulatory impact, and quantitative risk scoring are consistently applied throughout the AI governance life cycle.

    A typical assessment sequence for an AI system demonstrates how these components are interconnected:

    1. During intake, the Automated risk classification for AI system RAM evaluates responses captured in the Use and Purpose section of the AI use case request and assigns an initial regulatory risk classification.
    2. During the Assess phase, the risk assessment captures information about the system's potential impact on privacy, fairness, and other fundamental rights. Responses from the Use and Purpose section are carried forward to provide continuity and reduce duplicate data entry.
    3. Post Assessment Actions evaluate the risk assessment responses and automatically associate applicable risk statements and control objectives with the assessment record based on configured automation rules.
    4. An AI Risk and Compliance analyst reviews the prescribed list of generated risks and control objectives to validate accuracy, relevance, and applicability before governance records are finalized.
    5. After the assessment is marked as closed complete, the system generates risk and control records and maps them to the AI asset. The Risk assessment for AI inventory RAM then evaluates each identified risk using quantitative scoring to calculate inherent and residual risk scores.
    6. For AI systems subject to the EU AI Act, additional assessments such as the EU AI Act Conformity Assessment and the Fundamental Rights Impact Assessment (FRIA) provide specialized regulatory evaluation.
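    The following is an added illustrative example, not ServiceNow code and not the logic of any shipped RAM. It models the two scoring stages in the sequence above: the intake classification derived from Use and Purpose responses (step 1, with the To Be Determined fallback from Table 1) and the per-risk inherent/residual scoring that rolls up onto the AI asset (step 5). The response field names, the classification rules, the 1 to 5 scales, the inherent and residual formulas, and the worst-case (max) roll-up are all assumptions chosen for illustration; the real criteria are whatever the configured RAM defines.

```javascript
// Added illustrative example, not ServiceNow code. Models (1) an intake
// classification from "Use and Purpose" responses and (2) per-risk
// inherent/residual scoring rolled up onto the AI asset. Field names, the
// rule set, the 1-5 scales, the formulas and the max-based roll-up are
// assumptions for illustration only.

// Stage 1: initial regulatory risk classification from intake responses.
// Without usable inputs the result is "To Be Determined", mirroring the
// documented fallback. The boolean response keys are hypothetical.
function classifyAiSystem(useAndPurpose) {
  if (!useAndPurpose) return 'To Be Determined';
  const r = useAndPurpose;
  if (r.prohibitedPractice) return 'Unacceptable';
  if (r.affectsFundamentalRights || r.safetyCritical) return 'High';
  if (r.processesPersonalData) return 'Medium';
  return 'Low';
}

// Stage 2: quantitative scoring of one identified risk.
// likelihood and impact are integers on an assumed 1-5 scale;
// controlEffectiveness is a fraction 0-1 describing how much of the
// inherent exposure the mapped controls remove.
function scoreRisk(risk) {
  const { id, likelihood, impact, controlEffectiveness } = risk;
  for (const [name, v] of [['likelihood', likelihood], ['impact', impact]]) {
    if (!Number.isInteger(v) || v < 1 || v > 5) {
      throw new RangeError(`${name} for risk ${id} must be an integer 1..5`);
    }
  }
  if (typeof controlEffectiveness !== 'number' ||
      controlEffectiveness < 0 || controlEffectiveness > 1) {
    throw new RangeError(`controlEffectiveness for risk ${id} must be 0..1`);
  }
  const inherent = likelihood * impact;                                   // 1..25
  const residual = Math.round(inherent * (1 - controlEffectiveness) * 100) / 100;
  return { id, inherent, residual };
}

// Roll-up onto the asset: worst case (max) across all mapped risks, so a
// single unmitigated risk stays visible on the asset record and dashboard.
function rollUpAssetRisk(asset) {
  const scored = asset.risks.map(scoreRisk);
  const maxOf = (key) => scored.reduce((m, s) => Math.max(m, s[key]), 0);
  return {
    assetId: asset.id,
    classification: classifyAiSystem(asset.useAndPurpose),
    risks: scored,
    aggregateInherent: maxOf('inherent'),
    aggregateResidual: maxOf('residual'),
  };
}

// Constructed sample: a hypothetical AI system with intake answers and three
// risks generated after the assessment was closed complete.
const sampleAsset = {
  id: 'ai-system-0001',
  useAndPurpose: {
    prohibitedPractice: false,
    affectsFundamentalRights: true,
    safetyCritical: false,
    processesPersonalData: true,
  },
  risks: [
    { id: 'R1', likelihood: 4, impact: 5, controlEffectiveness: 0.6 },
    { id: 'R2', likelihood: 2, impact: 3, controlEffectiveness: 0.25 },
    { id: 'R3', likelihood: 5, impact: 2, controlEffectiveness: 0 },
  ],
};

console.log(JSON.stringify(rollUpAssetRisk(sampleAsset), null, 2));
```

    The design point worth noticing is the separation of the two stages: the classification is qualitative context attached to the asset and never changes a risk score, while the scores are computed only from the risks that exist after the assessment closes. Using max rather than sum for the roll-up is one defensible choice; a RAM that sums or weights risks would surface different aggregate values from the same inputs, which is why the roll-up behaviour is part of the methodology configuration rather than a fixed rule.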

    Throughout this progression, assessment outcomes and risk scores inform governance decisions about whether an AI system can advance to the next life-cycle phase. For an overview of how these activities align with life-cycle stages, see AI governance life cycle.

    Note:
    Automated risk classification provides early risk context only. It doesn't approve deployment, initiate life-cycle workflows, or replace downstream impact or risk assessments.