Risk Assessment Methodology form

  • Release version: Australia
  • Updated March 12, 2026
  • 5 minutes to read

    • Use the Risk Assessment Methodology form in the Advanced Risk application to specify the types of risk assessments and the entities on which the risk assessment is performed.

    See the following table for a description of the field values.

    Table 1. Risk Assessment Methodology form
    Field Description
    Name Name of the risk assessment methodology (RAM). For example, Organizational risk assessment.
    Domain area Domain area of the RAM. This field is automatically set to IRM.
    State State of the RAM. This field is automatically set to Draft.
    Assessment Context
    Assess Assessment context that you can select:
    • Risk: Performs the assessment for an entity and the risk statement that is related to it.
    • Object: Performs an assessment on any ServiceNow record. For example, users can perform an Exception Risk Assessment or a Change Risk Assessment directly on those respective tables.
    Applicable entity classes All entity classes that the RAM applies to, such as the business services, assets, or business applications. This field appears only when Risk is selected from Assess.
    Applicable Record Types Tables on which you want to perform the assessment. You can select multiple tables and associate them to the RAM. This field appears only when Object is selected from Assess.
    Note:
    You can add multiple objects or tables to a published RAM, but can’t remove them after the RAM is published.
    Workflows
    Inherent risk Option for assessing an inherent risk.
    Control effectiveness Option for assessing the control effectiveness.
    Enable risk response Option to enable the Risk Response tab on the risk assessment. This option appears only when Risk is selected from Assess.
    Residual risk Option for assessing a residual risk.
    Target risk Option for assessing a target risk.
    Rollup Configurations
    This section appears only when Risk is selected from Assess.
    Calculate ALE based on Formula that you can select for calculating the annual loss expectancy (ALE):
    • Sum
    • Average
    • Maximum
    • Minimum
    Calculate score based on Formula that you can select for calculating the score:
    • Average
    • Maximum
    • Minimum
    Risk Response Configurations
    This section appears only when Risk is selected from Assess.
    Enable risk response task workflow Option to enable users to create, delete, remove, edit, and link risk response tasks within an assessment.
    Allow single risk response Option to make the risk response selection a single select in the risk assessment form. For example, the options could be "Accept," "Avoid," "Mitigate," or "Transfer." With a single select, assessors can choose only one of these options to indicate the risk response strategy.
    Note:
    This option can only be enabled when there are no ongoing assessments.
    Allow issue linking with risk assessment Option to create an issue or link an existing open issue with the risk assessment.
    Risk response is required Option to make a risk response as required:
    • None: No risk response is required.
    • Always: Mandate a risk response always.
    • On specific conditions: Mandate a risk response based on specific conditions using the condition builder.
    • On specific conditions defined using script: Mandate a risk response under specific conditions using a predefined script or set of instructions.
    Business Rules and Validations
    Final comment is required Option to make the final comments as required. Final comments provide better transparency and enable risk owners to communicate the action plan if there’s a breach of appetite or tolerance. The options are as follows:
    • None: No final comment is required.
    • Always: Mandate final comments always.
    • On breach of appetite: Mandate final comments on the breach of appetite.
    • On breach of tolerance: Mandate final comments on the breach of tolerance.
    This field appears only when Risk is selected from Assess.
    Automatically create issue Option to create issues automatically. This field appears only when Risk is selected from Assess.
    • None: Enables you not to create issues automatically.
    • On breach of appetite: Creates issues automatically on the breach of appetite.
    • On breach of tolerance: Creates issues automatically on the breach of tolerance.
    Note:
    The issues are created only after the risk assessment is approved and moved to the published state.
    Residual score is lower than inherent Option to validate that the qualitative residual score is lower than the inherent score.
    Note:
    This option appears only when the residual risk assessment is enabled.
    Reference Information
    This section appears only when Risk is selected from Assess. Enabling these options shows the reference information in the risk assessment instance.
    Show related risk events Option for showing the related risk events on the risk assessment.
    Show related risk indicators Option for showing the related risk indicators on the risk assessment.
    Show open issues Option for showing the open issues on the risk assessment.
    Show previous assessment Option for showing the previous assessment on the risk assessment. This option helps the risk assessor to refer to the previous assessment and analyze the details of that assessment before taking another assessment.
    Other Configurations
    Advanced reminder (days) Based on the due date of the risk assessment, this field is the number of days before a notification is sent to the assessor. For example, if you enter 3 in this field, then the assessor gets a reminder notification three days before the due date.
    Overdue reminder (days) Based on the due date of the risk assessment, this field is the number of days after this date that reminder emails are sent. For example, assume you enter 5 in this field. Then for five days after the due date is over, the assessor keeps receiving reminder emails that the due date is over. On the sixth day, an email notification is sent to the assessor and to the assessor's manager.
    Risk identification Method to identify risks in the risk assessment scope:
    • None
    • From Library: Identifies risks from the library on the risk assessment.
    • Ad-hoc: Identifies a risk that is not in the library.
    • From Library and Ad-hoc: Creates risks as well as adds risks from the library.
    Group factor comments Option to enable group factor comments in the risk assessment form.
    Copy previous responses Option to copy the factor responses and comments whenever a reassessment is performed.
    Allow override of results Option to override the computed scores and the ALE during risk assessment.
    Configure section terminology Option to configure section labels for inherent, control, residual, and target assessments. After you select this option, you can configure the title, score label, and annual loss expectancy label for each assessment type.
    Note:
    Section label renaming applies only to the advanced risk assessment interface while leaving the terminology used in reports, dashboards, heatmaps, and other areas unchanged.
    Update assessment results to source record Option to copy the assessment results to the source record on which the assessment is performed. You can define the assessment result mapping for the applicable record types in the individual assessment types. This field appears only when Object is selected from Assess.
    Schedule
    This section appears only when Object is selected from Assess.
    Reassessment frequency Option of how often the reassessment is performed:
    • None
    • Weekly
    • Monthly
    • Quarterly
    • Semi-annually
    • Annually
    Days to overdue Based on the due date of the risk assessment, this field is the number of days after which an assessment is considered overdue.