Technology risk calculation

  • Release version: Xanadu
  • Updated August 1, 2024

    Summary of Technology risk calculation

    This documentation explains how ServiceNow calculates technology risks for business applications by assessing risks at the software product and hardware model levels, then aggregating these to the business application level. Starting with the Xanadu release, the legacy Technology Portfolio Management (TPM) module is integrated into the Enterprise Architecture Workspace.

    Technology risk assessments consider lifecycle phases and aging both internally and externally, with risk categories ranging from none to very high. These risk values are configurable based on organizational requirements.

    Risk Calculation Parameters and Process

    • Software Model Risk: Calculated from four parameters—internal lifecycle stage, external lifecycle stage, internal aging, and external aging. Aging is categorized as high risk (0–90 days), moderate risk (90–180 days), or low risk (over 180 days).
    • Hardware Model Risk: Calculated similarly using internal stage risk, publisher stage risk, internal aging risk, and publisher aging risk.
    • Risk Evaluation Rules:
      • If any component is high risk, the overall model risk is high.
      • If any component is moderate risk and none are high, the model risk is moderate.
      • Only if all components are low risk is the model risk considered low.

    Risk Aggregation to Business Application Level

    The risk engine first calculates risks at the hardware and software model levels, then determines the application service risk based on these models. Finally, it calculates the business application risk from the risks of its production application services.

    • If any hardware or software model has high risk, the associated application service and business application are also considered high risk.
    • Medium risk on any software or hardware model results in a medium risk evaluation for the business application, unless a higher risk exists.
    • Low risk at the business application level requires all underlying hardware and software models to be low risk.

    Practical Implications for ServiceNow Customers

    • You can customize the risk calculation scripts to tailor risk assessment logic specific to your organization's needs.
    • Risk data is stored in dedicated tables for hardware and software models, enabling visibility and tracking through timelines and reports.
    • Understanding and managing these technology risks helps in proactive portfolio management, ensuring business applications are supported by reliable and secure technology components.
    • Running scheduled jobs regularly generates updated risk values to keep assessments current.

    Assess the technology risks of your business applications by calculating their risks at the software product (considering the model and full version) level and then at the business application level.

    Important:

    Starting with the Xanadu release, the legacy Technology Portfolio Management module is moved to the Enterprise Architecture Workspace. To learn more, see Managing the Technology Portfolio Management (TPM) in Enterprise Architecture Workspace.

    Technology risks are calculated at the hardware model and software product (considering the model and full version) levels to determine the risk at the business application level.

    Lifecycle stage - Internal and External

    The range set for a risk value at each level, such as very high, high, moderate, low, and none, varies from one organization to another. You can set the risk value for each lifecycle phase based on your organizational requirements. Use the software product lifecycle form to associate the lifecycle phase for each software model with a risk. The parameter risk is determined by the risk that you select.

    The risk values in the lifecycle table are very high, high, moderate, low, and none. Accordingly the risk is also very high, high, moderate, low, or none.

    For lifecycle stage parameters, only the risk value is considered irrespective of the lifecycle phase.

    Aging - Internal and External

    Similarly, internal and external aging have the following risk values:

    • 0–90 days is high risk.
    • 90–180 days is moderate risk.
    • More than 180 days is low risk.

    Based on the internal and publisher lifecycle stages and the internal and publisher aging stages, the risk of the hardware and software models is calculated as follows:

    • If there is a single High risk, then the risk of the software model is High.
    • If there is a single Moderate risk, then the risk of the software model is Moderate.
    • The risk of the software model is Low only if the risk of all the underlying components is Low.
    • If there is a single High risk, then the risk of the hardware model is High.
    • If there is a single Moderate risk, then the risk of the hardware model is Moderate.
    • The risk of the hardware model is Low only if the risk of all the underlying components is Low.

    Note:
    The engine first calculates the risk at the hardware and software model level. It then calculates the risk at the application service level, based on the risks of all the underlying hardware and software models. Finally, it calculates the risk at the business application level based on the risk of the production instances, that is, the production application services.

    The risk calculation for aging parameters is scripted, and you can edit it as required.

    Parameters to determine software product risk

    Figure 1. Parameters to determine risk at software model level
    An example showing how parameters are used in calculating risk at the software model level

    Risk on a software model is calculated based on four parameters, namely internal lifecycle stage, external lifecycle stage, internal aging, and external aging.

    Parameters to determine hardware model risk

    Figure 2. Parameters to determine risk at hardware model level
    Illustration showing how parameters are used in calculating risk at hardware model level

    Risk on a hardware model is calculated based on four parameters. The parameters are internal stage risk, publisher stage risk, internal aging risk, and publisher aging risk.

    Calculating technology risk at business application level

    A business application can run on many software models. The risk of a business application due to its underlying software models is derived from the risk of the individual software models.

    Figure 3. Calculating risk at the business application level
    Calculating technology risk at the business application level

    Risk at hardware model level
    Based on the four hardware risk parameters, the technology model suggestion engine calculates the risk of the hardware model and the highest risk value is assigned to the hardware model. If the risk of hardware is high, then the risk of the application service, which runs on the hardware, is evaluated to be high. The engine stores the risk data of the hardware model in the Hardware Model Risks [sn_apm_tpm_hardware_model_risk] table.

    Risk at software model level
    Based on the four software risk parameters, the technology model suggestion engine calculates the risk of the software model. If the risk of software is high, then the risk of the application service, which runs on the software, is evaluated to be high. The engine stores the risk data of the software model in the Software Model Risks [sn_apm_tpm_software_model_risk] table. This data is rendered on the software model timeline.

    Risk at application service level
    If any of the hardware or software models on which the application service runs is evaluated to be at high risk, then the application service is determined to be at high risk.

    Risk at business application level
    If the application service is at high risk, then the business application that runs on the application service is also at high risk.

    • If one of the software models is at High risk, then the business application is at High risk.
    • If one of the software models is at Medium risk, then the business application is at Medium risk.
    • The risk of the business application is Low only if all the underlying software models have a Low risk.
    • If one of the hardware models is at High risk, then the business application is at High risk.
    • If one of the hardware models is at Medium risk, then the business application is at Medium risk.
    • The risk of the business application is Low only if all the underlying hardware models have a Low risk.

    You can customize the script that is executed to calculate the risks at the product model risk level (hardware and software models), application service risk level, and business application risk level. For more information, see Configure risk bubble up logic.
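
The roll-up described on this page, from the four model parameters up to the business application, written out as an added JavaScript example. It is not the script that ships with the product. The field names (`internalStageRisk`, `internalAgingDays`, `environment` and so on), the `very_high` token, the treatment of day 90 as high risk, and returning `none` when there is nothing to evaluate are assumptions made for the illustration.

```javascript
// Added illustration of the roll-up on this page; not ServiceNow's own script.
const RISK_ORDER = ["none", "low", "moderate", "high", "very_high"];

function rank(risk) {
  const i = RISK_ORDER.indexOf(risk);
  if (i < 0) throw new RangeError(`unknown risk value: ${risk}`);
  return i;
}

// The highest risk wins; an empty list yields "none" (assumption).
function highestRisk(risks) {
  return risks.reduce((worst, r) => (rank(r) > rank(worst) ? r : worst), "none");
}

// Aging bands from the page. Day 90 appears in both the high and the
// moderate band there; treating it as high is an assumption.
function agingRisk(days) {
  if (!Number.isFinite(days) || days < 0) throw new RangeError("invalid aging days");
  if (days <= 90) return "high";
  return days <= 180 ? "moderate" : "low";
}

// Four parameters per model: two lifecycle stage risks, two aging values.
function modelRisk(m) {
  return highestRisk([m.internalStageRisk, m.externalStageRisk,
    agingRisk(m.internalAgingDays), agingRisk(m.externalAgingDays)]);
}

const serviceRisk = (svc) => highestRisk(svc.models.map(modelRisk));

// Only production application services count toward the business application.
function businessAppRisk(app) {
  const prod = app.services.filter((s) => s.environment === "production");
  return highestRisk(prod.map(serviceRisk));
}

// Constructed sample data (hypothetical names and values).
const sampleApp = { name: "Payroll", services: [
  { name: "payroll-prod", environment: "production", models: [
    { name: "db-engine", internalStageRisk: "low", externalStageRisk: "low",
      internalAgingDays: 400, externalAgingDays: 120 },
    { name: "rack-server", internalStageRisk: "none", externalStageRisk: "low",
      internalAgingDays: 365, externalAgingDays: 700 } ] },
  { name: "payroll-test", environment: "test", models: [
    { name: "legacy-runtime", internalStageRisk: "very_high", externalStageRisk: "high",
      internalAgingDays: 30, externalAgingDays: 10 } ] },
] };

console.log(businessAppRisk(sampleApp));
```

In the sample, the test service evaluates to a very high risk but does not raise the business application above moderate, because only production application services feed the final step; components that run only outside production need their own review.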