Combined Advanced Risk release notes for upgrades from Vancouver to Yokohama

How to use this page

To help you prepare for your upgrade, we have combined the cross-family Advanced Risk release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Vancouver to Yokohama.

Tip:

If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."

Important information for upgrading Advanced Risk to Yokohama

Before you upgrade to Yokohama, review these pre- and post-upgrade tasks and complete the tasks as needed.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.
Yokohama	No updates for this release.

New features

Between your current release family and Yokohama, new features were introduced for Advanced Risk.


Release	Release notes
Vancouver	Target risk assessment in Advanced Risk Do a target risk assessment to determine the desired risk level that you want to achieve. By evaluating the desired level of likelihood and impact of the identified risks, you can allocate a target risk level for each risk and assess your target risk posture and monitor its progress. For example, when assessing a risk, you consider the inherent risk, the effectiveness of controls, and the residual risks. However, you can also capture the desired risk level that you want to attain after your risk response is implemented. The target risk is the optimum risk level that you want to achieve after your action plan is successfully executed. By determining the target risk level, you can measure the benefits that your organization gets in relation to the cost of implementing those actions. Enhanced configurability of the Advanced risk assessment form Modify the Advanced risk assessment forms based on the unique organizational requirements without requiring customization of the interface in the ServiceNow Next Experience. The latest enhancements enable you to do the following tasks: Assess the control environment without adding controls, and override the computed scores on the assessment form. This enhanced workflow provides your assessors with greater flexibility when assessing the overall control environment. For more information, see Perform advanced risk assessment in the Risk Workspace. Rename the section title, score label, and annual loss expectancy label for each assessment type in the Risk assessment methodology (RAM) form. This customization improves clarity, consistency, and understanding during risk assessments by aligning with familiar terminology that reflects the risk management practices of an organization. For more information, see Configure a risk assessment methodology. Note: Section label renaming applies only to the Advanced Risk Assessment interface while the terminology in the reports, dashboards, heatmaps, and other areas are unchanged. Modify the messages and text that are displayed on the Risk assessment form. For more information, see Modify Advanced Risk messages. Configure the RAM form to restrict assessors from selecting multiple risk responses while performing an assessment, so that only a single risk response is allowed. For more information, see Configure a risk assessment methodology. Note: This option can be enabled only when there are no ongoing assessments. Write scripts to calculate the residual score that is based on the inherent risk and control effectiveness. You can create a customized calculation method that aligns with the unique requirements of your organization. For more information, see Configure a residual assessment. Note: You can write or modify scripts only for assessment types that aren’t published. Define the conditions to make the risk response as required on the assessment form by using a conditional builder and scripts. For more information, see Configure a risk assessment methodology. Playbook integration with risk assessment scope and risk assessment scheduler Create a risk assessment scope and schedule risk assessments with a guided experience by the playbook integration. Each stage within the playbook includes one or more activities that must be completed, providing a structured approach to the risk assessment scope and risk assessment scheduler. The playbook guides you through each stage, recommending the necessary activities, and ensuring comprehensive coverage of the workflow. Stages can also include automated activities, such as auto-sending an email to the assessor when you initiate an assessment. By using a playbook, you can visualize the entire life cycle of the Risk assessment scope and Risk assessment scheduler workflow. For more information, see Create a risk assessment scope in the Risk Workspace and Schedule risk assessments in the Risk Workspace. Risk heatmap enhancements The latest risk heatmap enhancements enable an operational risk manager to visualize the risk details and gain a better understanding of the entity risk posture. The following enhancements have been made: The heatmap includes the display of color names or risk severity information for individual heatmap cells. The color names or risk severity information is derived from the Risk color style field. This field is configured in the assessment type for the selected methodology. The heatmap automatically adjusts its size to fit in the available space, which reduces the need for additional scrolling. Bulk response and approval of metric data tasks Use the grid interface to respond to the multiple metric data tasks that are assigned to you from the Risk Workspace and Employee Center. Approvers can use this interface to review and approve the metric data tasks in bulk. By using the grid interface, you not only save time but also elevate the overall satisfaction of users when responding to and approving the metric data tasks.
Washington DC	Parallel Review and Feedback in Advanced Risk Enable your second and third-line managers to become active participants in first-line activities by digitizing the review and feedback workflows. They can provide feedback on a record or fields in a record to recommend improvements that are related to data integrity, compliance, operational procedures, and other areas such as disposition and accountability. For example, a risk manager can provide feedback by requesting a root cause analysis task from the first-line risk user and also ask them to capture additional loss entries for the same risk event. With parallel review and feedback, your managers can perform the following actions: Provide feedback at any stage of the workflow. Update the feedback responses directly from the source record by using the side-panel feature. View and manage the feedback workflows that are raised against the records from a centralized dashboard. View the change history, which enables a quick comparison of the pre-feedback and post-feedback. Reopen the feedback if the responses are deemed unsatisfactory. Monitor the feedback and follow up with the record owners through an intuitive dashboard. Collaborate effectively with the reviewer, respondent, and other stakeholders through a sidebar discussion chat. Initiate and link further actions as outcomes of the feedback, such as creating an issue or linking to an existing one. Configure a feedback integration setup for any record type, including the custom tables where you can define the table or record type to create feedback from. Important: The Parallel review and feedback feature is only available in Next Experience. Generating a report in Microsoft Word Use the Management Reporting of Risk application to create reports in Microsoft Word that are based on the information that is available in the ServiceNow AI Platform. Risk managers can create reports independently, using real-time data, without relying on administrators. Also, report generation is enabled by one-click updates of the report data directly from the ServiceNow AI Platform. Exporting risk heatmap information Download or copy the risk heatmap information to include in reports or share with relevant stakeholders as needed. Important: The copy and download of heatmap information is only available in Next Experience. Enhanced object-based assessment Configure a risk assessment methodology (RAM) for multiple objects without having to select only one assessment object. You can reduce the additional effort to manage multiple methodologies for different objects. You can compare and report the data to promote enhanced data accessibility and coherence. Risk administrators can also add multiple RAMs for a single object. For example, a compliance case table can be assessed using separate criteria for IT and corporate compliance, which enables a comprehensive understanding of risks across different domains. Auto save feature in the risk and control assessment form Improve the experience of performing advanced risk assessment with auto-save. When assessors respond, the application saves their responses and calculates the overall risk score. It significantly reduces the number of clicks required, which improves efficiency and the overall employee engagement. Important: The auto-save feature is only available in Next Experience. Bulk approval and reassignment of risk assessments Approve multiple risk assessments simultaneously, which significantly reduces the time that your team spends on individual approvals. Workflow efficiency is enhanced, especially when you're dealing with a high volume of assessments. An approver or an assessor can easily reassign multiple risk assessments to different stakeholders or team members. Adding risks and controls from the library Create and manage the risks and controls within the designated workflows by eliminating unnecessary navigation. Your team can do the following tasks: Add controls from a control taxonomy by using the Create from control objective option during control assessment. Identify and create ad-hoc controls by using the Create control option when responding to risk mitigation tasks. Add the controls from control taxonomy by using the Create from control objective option when responding to risk mitigation tasks. Identify and map the risks from risk taxonomy by using the Create from risk statement option while defining the risk assessment scope. Enhanced user experience in Advanced Risk Streamline your processes with the following enhancements: Use the Comments field to provide a brief response for the group factors in Risk Workspace. You can configure the comments from the group factors in the RAM form. Eliminate the need for assessors to navigate manually through the entire page to locate the areas that require attention. When moving to the next assessment stage on the risk assessment form, the application automatically scrolls to the unresponded factors. Reassign the in-progress assessments in bulk to new assessors in the absence of the current assessor. This feature helps to redistribute assignments, especially in cases of restructuring or emergency medical leave, and enables bulk reassignment as needed. Initiate a sidebar discussion for the risk event and issue record types. Your team gets a dedicated space to discuss events or issues. This space enhances the clarity and efficiency in the risk management processes. Use the Reviewer field on the risk response task page to inform the assessor about the reviewer's details. Use drop-down options for factor choices on the risk assessment form to enhance readability. Enable a horizontal layout for factor choices on the risk assessment form to minimize scrolling. Use a simplified navigation with a single breadcrumb trail from the advanced risk assessment homepage to the main page. Your team doesn't need to open multiple tabs. Use a vertical list view that is grouped by the related list for a manual, automated, and calculated metrics definition record. Collapse section headers within the advanced risk assessment to reduce scrolling on the advanced risk assessment page and optimize the screen space for accommodating more content.
Xanadu	Create multidimensional entities Create multidimensional entities by combining two or more entities from different entity classes using the Composite Entity Management application. You can create multidimensional entity classes with a composite entity structure, such as Company \| Department \| Business Process. After defining the composite entity class, you can create composite entity that operates as a standalone entity. This feature enables you to manage risk and compliance workflows at the composite entity level, providing visibility into the combined risk and compliance posture. Note: Composite entity classes can be created in both the classic UI and the Risk Workspace. The creation of composite entities is supported only in Risk Workspace. Assess multiple risks and controls simultaneously Create a risk assessment project to perform bulk assessments on multiple risks and controls, enabling assessors to evaluate them in a single project. This approach reduces time and effort, confirms consistency across multiple assessments, and provides a more comprehensive view of risks and controls within the same project. You can scope multiple risks related to the assessable entity within the project and perform assessments. Note: Assessment of multiple risks and controls is supported only in Risk Workspace. Addition of new roles The following roles related to risk assessment project were added: Risk assessment project reader [sn_risk_advanced.risk_asmt_project_reader]: Provides read only access to the risk assessment projects. Risk assessment project user [sn_risk_advanced.risk_asmt_project_user]: Provides the ability to create risk assessment projects and update or delete only the projects created by the user. Risk assessment project manager [sn_risk_advanced.risk_asmt_project_manager]: Provides the ability to create, update, and delete any risk assessment projects. Enhanced risk response workflow Streamline your risk response workflow with the following enhancements: Use a uniform workflow for all types of risk response tasks. A standardized workflow for risk response tasks enhances the management of all types of risk response tasks, promotes consistency, and reduces the need for customization. Configure multiple levels of approvals for the risk response tasks using the approval configurator. By default, a single level of approval is enabled for all types of risk response tasks, where the risk owner can approve the tasks. These approvals can be configured based on requirements. Reject a risk response task and move it to the work in progress state without closing it. This feature helps the risk response task owner to modify the response strategy if the approver is unsatisfied with the response. Create action items with an independent workflow and link them to the risk response tasks when they are in the Draft or Work in progress state. Note: You can create risk response action items for all types of risk responses except for Risk acceptance tasks. Copy risk response plans from the previous risk assessment to the current risk assessment while reassessing. Link an open risk response task from the previous assessment to the current risk assessment while reassessing. You can also edit or remove an existing risk response task. Issue linking with risk assessments Streamline your risk assessments with the following enhancements: Enable the issue linking option on the Risk Assessment Methodology (RAM) form to create an issue or link an existing open issue with the risk assessment. View issue details from the configurable issue card available on the risk assessment. Identify newly created issues from existing linked issues with a visual differentiator on the issue card. Edit or remove issues. Enhanced risk event task workflow Streamline your risk event workflow with the following enhancements: Use a uniform and enhanced workflow for the risk event tasks. A standardized workflow enhances the management of risk event tasks. Configure multiple levels of approvals for the risk event tasks using the approval configurator. Reject a risk event task and move it to the work in progress state without closing it. This feature helps the risk event task owner to modify the risk event if the approver is unsatisfied. Improved user experience for risk identification questionnaire using Smart Assessment Engine Respond to the risk identification questionnaires from the Assessment Workspace with an interactive and intuitive user experience. Risk admin can select between classic and smart assessment questionnaire in the risk identification configuration without making it a forced behavior. You can migrate an existing risk identification template to the Smart Assessment Engine application. You can also create risk identification templates in the Assessment Workspace. Note: Only published assessment templates with a Risk Identification category are available for selection on the Risk Identification Configuration form. Configuring currency conversion dates Define currency conversion dates for the risk event entries in the system properties. This feature enhances the accuracy of net loss calculations by enabling you to select specific dates for currency conversion rather than relying solely on the date of impact. You can select a currency conversion date at the system property level from the following options: Risk event entry date First loss entry date Last loss entry date First recovery entry date Last recovery entry date Custom date Note: You can also override the defined currency conversion dates in the risk response template configuration. These changes apply to both new and ongoing risk event workflows. Reopen closed risk events Reopen closed risk events to update existing risk events with new discoveries, losses, or relevant information without creating new risk events. This feature saves time and effort, offering flexibility and boosting efficiency in managing risk events. You can reopen a risk event individually or in bulk. Miscellaneous enhancements and improvements Streamline your processes with the following enhancements: Notify the risk assessor with a notification email when a risk assessment is approved or rejected. Define a specific group as the respondent type in the Feedback Integration Configuration form when the target record doesn't have a user or group. For more information, see Configure a feedback integration. Configure a single currency mode for advanced risk assessments. This feature displays all financial values in the selected single currency, confirming consistency and clarity in all fields. For more information, see Single-currency mode. View the completion date of the most recent risk identification in the new field Last completed date, added to the Risk Identification form. For more information, see Set up risk identification integration.
Yokohama	Generative AI risk assessment summarization Generate a risk assessment summary from your inherent, residual, target risks, and control effectiveness data using the Now Assist for IRM application. The summary highlights key insights to help your approvers quickly understand the context before approving the risk assessments. You can also analyze details such as open issues, risk response tasks, action items, and calculated risk scores to support your approval decision. Check your entitlements to confirm whether you have access to risk assessment summarization. Reassess a risk assessment project Review completed risk assessment projects to reflect new insights or changing conditions. All previously assessed risks in this project are automatically carried over and reassigned to the designated assessor. Confirm continuity, minimize manual effort, and enhance efficiency in your risk management process. Copy risk responses from the previous assessment Copy responses from a previous risk assessment during the reassessment of a risk assessment project to streamline the assessment process. All prior responses are automatically copied, saving time and maintaining consistency. Remove risks from assessment As a risk assessor, you can remove risks from the risk assessment project while performing the assessment, which also removes all responses associated with that risk. Removed scoped risks remain part of the project but are marked as not applicable for reporting purposes. However, removed ad hoc risks are completely deleted. Manage risk response task workflow Manage and enable the risk response task workflow from the RAM form to enable users to create, delete, remove, edit, and link risk response tasks within an assessment. Reassign assessor for a risk assessment project Reassign assessors for multiple in-progress risk assessment projects simultaneously to minimize disruptions during stakeholder transitions. Configure risk color styles for the Next Experience Define and preview colors for the risk and advanced risk components in the Next Experience through a configurable system rather than having to use hex codes. The transition has been made from a hex code color management system to a configurable system that supports the highlighted value component colors. This feature addresses theming and accessibility issues. You can define the color and variant, and preview them using the Next Experience color styles tab on the Risk color style form. Note: The default color for the customized risk color style is set to Critical, with the variant set to Primary. You can manually change the color and variant based on the requirement.

Changes

Between your current release family and Yokohama, some changes were made to existing Advanced Risk features.


Release	Release notes
Vancouver	RAM form changes The Mandate risk response field has been removed from the Business Validations tab and made available on the Risk Response Configurations tab on the RAM form. Integrated Risk Management Lite Operator changes In response to customer feedback and to align with customer expectations, significant improvements were made to the Integrated Risk Management Lite Operator entitlement. Lite Operators have the following expanded capabilities, enabling them to perform additional risk and compliance operations: Approve advanced risk assessments Note: To enable lite operators to approve advanced risk assessments, the administrator must manually add the sn_risk_advanced.ara_approver role to GRC: Business User Lite. Create and respond to risk response tasks Approve risk response tasks Review, approve, or reject a risk event Respond to a risk identification questionnaire Update any assigned risk event task Review and respond to the metrics data tasks Workspace record page template upgrade Streamline page creation, simplify maintenance, and minimize the cost of page ownership using the new record page template. If you’re upgrading and have customizations to workspace record pages, see Revert the record page templates to the pre-17.x version.
Washington DC	Risk identification configuration enhancement In the Risk identification configuration, risk administrators can add multiple tables and map them to the respective RAMs. Migration of content from GRC Workspace to the ARA Workspace All risk assessment workspace content has been re-created in the new ARA Workspace. With this change, the risk assessment content can be referenced from the ARA workspace instead of the GRC Workspace. All customizations that were made in the GRC Workspace aren’t carried forward to the ARA Workspace. You must reapply those customizations to the available default pages in the ARA Workspace to see them during the risk assessment. Migrating classic dashboards to the Next Experience Starting with version 18.1.0 of the Advanced Risk and Risk Management applications, the following dashboards are available in the Next Experience: Risk Overview Note: Risk Overview PA Premium dashboard is migrated from classic to the Next Experience and renamed as Risk Overview dashboard. Operational Risk Management Basel Dashboard Continuous Risk Monitoring Overview My Assessment Overview Risk Event Overview Risk Identification Overview Risk Event Overview by Risk Class Risk Event Overview by Entity Domain separation in Risk Management The following changes have been made to the domain assignment process to manage data segregation by the Managed Service Providers related to entities, and other related objects, such as risks, controls, and control objectives: Profile generation job uses a domain iterator to generate entities and other related objects into the correct domains. Revised domain inheritance and assignment logic by adding new business rules to assign the correct domain when creating entities, risks, controls, and related objects.
Xanadu	No updates for this release.
Yokohama	Yokohama Patch 11 Changes to Now Assist usage measurement

Removed

Between your current release family and Yokohama, some Advanced Risk features or functionality were removed.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	The Save button on the risk assessment form has been removed. The risk assessment form is automatically saved. The stepper component was removed from the Approvals tab in the risk assessment form when there’s no approval configured within the assessment scope. This removal simplifies the user experience and declutters the interface, making it more intuitive.
Xanadu	No updates for this release.
Yokohama	No updates for this release.

Deprecations

Between your current release family and Yokohama, some Advanced Risk features or functionality were deprecated.


Release	Release notes
Vancouver	The options to mandate a risk response for a breach of appetite or a breach of tolerance were removed from the RAM form. Users on legacy releases can continue to use these options, but they're no longer supported in the Vancouver release. Note: By using condition builder or scripts, you have the flexibility to configure the risk response as required if there's a breach of appetite or tolerance.
Washington DC	Starting with version 18.1.0 of the Advanced Risk and Risk Management applications, the following dashboards are deprecated: Advanced Risk Assessment Overview Exposure by Entity Exposure by Risk Statement Risk Overview Risk Register Project Risk Overview Dashboard If you're on a legacy release or already using these dashboards, you can continue to use them.
Xanadu	The Risk portal has been deprecated, and a navigation link has been added to access the new Risk portal.
Yokohama	No updates for this release.

Activation information

Review information on how to activate Advanced Risk.


Release	Release notes
Vancouver	Install Advanced Risk by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Washington DC	Install Advanced Risk by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Xanadu	Install Advanced Risk by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Yokohama	Install Advanced Risk by requesting it from the ServiceNow Store.

Additional requirements

If any additional requirements were introduced or changed for Advanced Risk we have noted them here.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.
Yokohama	No updates for this release.

Browser requirements

If any specific browser requirements were introduced or changed for Advanced Risk we have noted them here.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.
Yokohama	No updates for this release.

Accessibility information

Review details on accessibility information for Advanced Risk, such as specific requirements or compliance levels.


Release	Release notes
Vancouver	Forced colors The Advanced risk assessment and heatmap component was updated to support the use of Forced Colors, a mechanism that is most commonly activated through an operating system setting for Forced Colors/High Contrast Themes. This enhancement enables users to customize the colors of their user interface and web content to meet their individual visual needs. For example, users with low vision might enable Forced Colors to help them successfully view the user interface.
Washington DC	No updates for this release.
Xanadu	No updates for this release.
Yokohama	No updates for this release.

Localization information

If there are specific localization considerations for Advanced Risk we have noted them here.


Release	Release notes
Vancouver	No updates for this release.
Washington DC	No updates for this release.
Xanadu	No updates for this release.
Yokohama	No updates for this release.

Highlight information

If there are specific highlight considerations for Advanced Risk we have noted them here.


Release	Release notes
Vancouver	Conduct a target risk assessment to define your desired future risk level. Create risk assessment scopes and schedule assessments with a guided experience by the playbook integration. Provide more flexibility to the risk administrators to configure the advanced risk assessment forms. Use the grid interface to initiate bulk responses and approvals for metric data tasks effortlessly. Empower Integrated Risk Management Lite Operators with enhanced capabilities to perform additional risk and compliance operations. See Advanced Risk Assessment for more information.
Washington DC	Implement a parallel review and feedback workflow where second and third-line risk users can review records, provide feedback, and monitor closures. Create management reports directly in Microsoft Word by using the information that is available in the records through the Management reporting of Risk application. Use auto-save to reduce the number of clicks that a user has to make. Improve the maintenance and flexibility for object-based risk assessment methodologies. You can enable one methodology to assess multiple record types or multiple methodologies to assess the same record type. Approve and reassign multiple risk assessments in bulk. See Advanced Risk Assessment for more information.
Xanadu	Create multidimensional entities by combining two or more entities from different entity classes and manage risks and controls for such composite entities. Perform assessment on multiple risks and controls by creating a risk assessment project. Use a uniform workflow for all types of risk response strategies, enable dynamic approvals using GRC: Approver Configurator, and create multiple strategies with various action items for each risk response plan. Link the open risk response tasks or copy the tasks along with the risk response strategy from the previous assessment when reassessing the risk. Create an issue or link an existing open issue as an outcome of the risk assessment. Respond to risk identification questionnaires with an improved user experience using Smart Assessment Engine. Reopen closed risk events to identify and address overlooked or underestimated risks, updating existing risk events instead of creating new risk events. See Advanced Risk Assessment for more information.
Yokohama	Some Now Assist skills, agents, and agentic workflows are now turned on by default The skills are automatically available to appropriate role users for the application, such as ITIL roles on incident forms or change forms. This change simply activates the skill and does not touch the roles that may be needed to use the skill. The new default behavior works as follows: New customers: When you install a Now Assist product, designated skills and agentic workflows are turned on automatically. Existing customers who are upgrading (starting with Yokohama Patch 11): Any previously unconfigured skill, agent, or agentic workflow is turned on automatically (the AI asset was never configured and turned on, then turned off again). Previously configured skills and agentic workflows that were turned on, then off, remain inactive. Use generative AI to generate risk assessment summaries and highlight key insights for better context. Reassess completed risk assessment projects to evaluate risks based on new insights or changing conditions. Copy risk responses from a previous risk assessment during reassessment of a risk assessment project. Reassign assessors for multiple risk assessment projects to optimize resource allocation. Remove risks from a risk assessment project during the assessment to streamline focus on relevant risks. Enable and manage the risk response task workflow from the Risk Assessment Methodology (RAM) form. See Advanced Risk Assessment for more information.