Control Assessment form
Summary of Control Assessment form
The Control Assessment form in the Advanced Risk application is designed to help ServiceNow customers evaluate how effectively controls mitigate risks. It integrates with risk assessment methodologies and offers flexible options to assess either the overall control environment or individual controls, supporting compliance and risk management efforts.
Key Features
- Risk assessment methodology: Automatically sets the methodology based on the associated Risk Assessment Methodology (RAM).
- State and Assessment contribution: Automatically set to “Draft” state and “Qualitative contribution” type.
- Calculate based on: Choose between assessing the entire control environment or individual controls. The individual controls option is available when the Policy and Compliance Management plugin is activated, enabling detailed control-level risk mitigation assessments.
- Control identification: Options to identify controls from a library, ad-hoc creation, or both. This field appears only when assessing individual controls.
- Factor for overall effectiveness: Allows selection of manual, automated, or group factors to assess controls. This field is shown only for individual control assessments and lists only qualitative factors or those convertible to qualitative scores.
- Qualitative scoring logic: Multiple formula options for calculating scores, including sum, minimum, maximum, average, product, weighted average (which uses control weight from the control form), and custom user-defined scripts (available to users with the sngrc.developer role).
- Qualitative script variables and script: Enables advanced users to define custom scoring logic using scripts, providing greater control over assessment calculations.
- Section Labels: Allows renaming of section titles and qualitative score labels in the assessment interface for customization, without affecting reports, dashboards, or other displays.
Practical Use for ServiceNow Customers
This form enables customers to systematically assess control effectiveness within risk assessments, tailor scoring methodologies to their organizational needs, and customize terminology to align with internal language. By leveraging options to assess individual controls or the whole control environment, customers can deepen risk insight and compliance tracking. Integration with policy and compliance management enhances the granularity of risk mitigation efforts.
Use the Control Assessment form in the Advanced Risk application to assess the effectiveness of controls in mitigating risks.
| Field | Description |
|---|---|
| Risk assessment methodology | Name of the risk assessment methodology used for control assessment. This field is automatically set based on your RAM. |
| State | State of the RAM. This field is automatically set to Draft. |
| Assessment contribution | Type of factor contribution. This field is automatically set to Qualitative contribution. |
| Calculate based on | Option to assess the types of control. Choices are the following: |
| Control identification | Option to decide how to identify the controls in the risk assessment instance. The choices are the following:<br>This field appears only when the Calculate based on field has the value Individual assessment of controls. |
| Factor for overall effectiveness | Manual, automated, or group factors to assess controls. This field appears only when the option Individual assessment of controls is selected from the Calculate based on field. Only qualitative factors or factors with the option to transform the qualitative score will be displayed in this field. |
| Qualitative scoring logic | Formula for calculating the scoring logic. Choices are the following: |
| Qualitative script variables | Format of the script and the variables used in the script. This field is available only when Script is selected from the Qualitative scoring logic field. |
| Qualitative script | User-defined script to compute the scoring logic. This field enables you to have more control over the score computation. |
| Section Labels | This section appears only when Configure section terminology is selected in the RAM form. Note: Section label renaming applies only to the advanced risk assessment interface while leaving the terminology used in reports, dashboards, heatmaps, and other areas unchanged. |
| Title | Option to rename the section title of the assessment type. For example, if you rename Control assessment as Preventive assessment, the new title will be displayed in all sections where Control assessment was previously referred to. |
| Score label | Option to rename the qualitative score label in the Scoring section of the assessment form. For example, if you rename Control risk as Preventive risk, the new score label will be displayed in the scoring section where Control risk was previously referred to. |