Control Assessment form

  • Release version: Yokohama
  • Updated January 30, 2025

    Use the Control Assessment form in the Advanced Risk application to assess the effectiveness of controls in mitigating risks.

    See the following table for a description of the field values.
    Table 1. Control Assessment form
    Field | Description
    Risk assessment methodology | Name of the risk assessment methodology used for control assessment. This field is automatically set based on your RAM.
    State | State of the RAM. This field is automatically set to Draft.
    Assessment contribution | Type of factor contribution. This field is automatically set to Qualitative contribution.
    Calculate based on | Option to assess the types of control. Choices are the following:
      • Control environment assessment: Select this option if you don’t want to assess individual controls, but instead want to assess the overall effectiveness of the control environment.
      • Individual assessment of controls: Select this option if you want to perform assessment for individual controls. For example, you can select the risk of employees accepting bribes and then assess each existing control to mitigate the risk of bribery. This option is available only when the Policy and Compliance Management (com.sn_compliance) plugin is activated.
    Control identification | Option to decide how to identify the controls in the risk assessment instance. The choices are the following:
      • None
      • From Library: Use this option when you want to identify controls from the library on the risk assessment instance.
      • Ad-hoc: Use this option when you want to identify new controls on the risk assessment instance.
      • From Library and Ad-hoc: Use this option when you want to identify controls from the library as well as identify new controls.

      This field appears only when the Calculate based on field has the value Individual assessment of controls.

    Factor for overall effectiveness | Manual, automated, or group factors to assess controls. This field appears only when the option Individual assessment of controls is selected from the Calculate based on field. Only qualitative factors or factors with the option to transform the qualitative score will be displayed in this field.
    Qualitative scoring logic | Formula for calculating the scoring logic. Choices are the following:
      • Sum: Sum of the factor responses.
      • Minimum: Minimum value of the factor responses.
      • Maximum: Maximum value of the factor responses.
      • Average: Average value of the factor responses.
      • Product: Value derived by multiplying the factor responses.
      • Weighted average: Average value of the weighting of factors. This value is then classified as low, medium, or high. When this option is selected, the control weight is fetched from the control form.
      • Script: User-defined formula to calculate the score. This option is available only to users with the sn_grc.developer role.
    Qualitative script variables | Format of the script and the variables used in the script. This field is available only when Script is selected from the Qualitative scoring logic field.
    Qualitative script | User-defined script to compute the scoring logic. This field enables you to have more control over the score computation.

    Section Labels

    This section appears only when Configure section terminology is selected in the RAM form.

    Note: Section label renaming applies only to the advanced risk assessment interface; the terminology used in reports, dashboards, heatmaps, and other areas is unchanged.

    Title | Option to rename the section title of the assessment type. For example, if you rename Control assessment as Preventive assessment, the new title will be displayed in all sections where Control assessment was previously referred to.
    Score label | Option to rename the qualitative score label in the Scoring section of the assessment form. For example, if you rename Control risk as Preventive risk, the new score label will be displayed in the scoring section where Control risk was previously referred to.