Technology risk calculation - Legacy
Summary of Technology risk calculation - Legacy
This legacy technology risk calculation module enables ServiceNow customers to assess the technology risks associated with their business applications by evaluating risks at the software product and hardware model levels, then aggregating these to the business application level. The focus is on calculating risks based on lifecycle stages and aging parameters of software and hardware components.
Note: Starting with the Xanadu release, this legacy module has been moved to the Enterprise Architecture Workspace.
Risk Calculation Parameters and Process
- Software Product Risk: Determined using four parameters—internal lifecycle stage, external lifecycle stage, internal aging, and external aging. Lifecycle stages and aging periods are assigned risk values (very high, high, moderate, low, none), which can be customized per organizational needs.
- Hardware Model Risk: Calculated using internal stage risk, publisher stage risk, internal aging risk, and publisher aging risk with similar risk value assignments.
- Risk Values by Aging: 0–90 days = high risk, 90–180 days = moderate risk, over 180 days = low risk.
- Risk Aggregation Rules:
- If any component has a High risk, the overall model risk is High.
- If any component has Moderate risk and none are High, the overall model risk is Moderate.
- Only if all components are Low does the model risk become Low.
Risk Calculation Hierarchy
- The engine first computes risks at hardware and software model levels.
- It then calculates risk at the application service level based on the highest risks of underlying hardware and software models.
- Finally, business application risk is derived from the risks of its production instances (application services).
Practical Implications for Customers
- High risk in any hardware or software model results in a High risk rating for the application service and business application.
- Medium or Moderate risks propagate similarly but at a lower risk level.
- Low risk ratings require all underlying components to be low risk.
- The risk calculation scripts are customizable, allowing adjustment of logic and parameters to fit specific organizational requirements.
- Risk data for hardware and software models are stored in dedicated tables, enabling visibility and reporting on model timelines and risk status.
Next Steps
- Customize risk calculation scripts if your organization requires tailored risk evaluation logic.
- Run scheduled jobs to generate and update risk values regularly.
Assess the technology risks of your business applications by calculating their risks at the software product (considering the model and full version) level and then at the business application level.
Starting with the Xanadu release, the legacy Technology Portfolio Management module is moved to the Enterprise Architecture Workspace. To learn more, see Manage the Technology Portfolio Management (TPM) in Enterprise Architecture Workspace.
Technology risks are calculated at the hardware model and software product (considering the model and full version) levels to determine the risk at the business application level.
Lifecycle stage - Internal and External
The range set for a risk value at each level, such as very high, high, moderate, low, and none, varies from one organization to another. You can set the risk value for each lifecycle phase based on your organizational requirements. Use the software product lifecycle form to associate the lifecycle phase for each software model with a risk. The parameter risk is determined by the selected risk.
The risk values in the lifecycle table are very high, high, moderate, low, and none. Accordingly the risk is also very high, high, moderate, low, or none.
For lifecycle stage parameters, only the risk value is considered irrespective of the lifecycle phase.
Aging - Internal and External
Similarly, the internal and external aging parameters have the following risk values:
- 0–90 days is high risk.
- 90–180 days is moderate risk.
- More than 180 days is low risk.
- If there is a single High risk, then the risk of the software model is High.
- If there is a single Moderate risk, then the risk of the software model is Moderate.
- The risk of the software model is Low only if the risk of all the underlying components is Low.
- If there is a single High risk, then the risk of the hardware model is High.
- If there is a single Moderate risk, then the risk of the hardware model is Moderate.
- The risk of the hardware model is Low only if the risk of all the underlying components is Low.
The risk calculations for aging parameters are scripted, and you can edit them as required.
Parameters to determine software product risk
Risk on a software model is calculated based on four parameters, namely internal lifecycle stage, external lifecycle stage, internal aging, and external aging.
Parameters to determine hardware model risk
Risk on a hardware model is calculated based on four parameters. The parameters are internal stage risk, publisher stage risk, internal aging risk, and publisher aging risk.
Calculating technology risk at business application level
A business application can run on many software models. The risk of a business application due to its underlying software models is derived from the risk of the individual software models.
- Risk at hardware model level
- Based on the four hardware risk parameters, the technology model suggestion engine calculates the risk of the hardware model and the highest risk value is assigned to the hardware model. If the risk of hardware is high, then the risk of the application service, which runs on the hardware, is evaluated to be high. The engine stores the risk data of the hardware model in the Hardware Model Risks [sn_apm_tpm_hardware_model_risk] table.
- Risk at software model level
- Based on the four software risk parameters, the technology model suggestion engine calculates the risk of the software model. If the risk of software is high, then the risk of the application service, which runs on the software, is evaluated to be high. The engine stores the risk data of the software model in the Software Model Risks [sn_apm_tpm_software_model_risk] table. This data is rendered on the software model timeline.
- Risk at application service level
- If any of the hardware or software models on which the application service runs is evaluated to be at high risk, then the application service is determined to be at high risk.
- Risk at business application level
- If the application service is at high risk, then the business application that runs on the application service is also at high risk.
- If one of the software models is at High risk, then the business application is at High risk.
- If one of the software models is at Medium risk, then the business application is at Medium risk.
- The risk of the business application is Low only if all the underlying software models have a Low risk.
- If one of the hardware models is at High risk, then the business application is at High risk.
- If one of the hardware models is at Medium risk, then the business application is at Medium risk.
- The risk of the business application is Low only if all the underlying hardware models have a Low risk.
You can customize the script that is executed to calculate the risks at the product model risk level (hardware and software models), application service risk level, and business application risk level. For more information, see Configure risk bubble up logic.
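The bubble-up rules described on this page, written out as an added JavaScript example that is not ServiceNow's own risk script. The field names and sample data are hypothetical, and the highest-wins rule is generalized to the full five-level scale. Assumptions: a value of exactly 90 days counts as high, and a service with no models yields none.

```javascript
// Added illustration, not ServiceNow's risk script; field names are hypothetical.
const SCALE = ["none", "low", "moderate", "high", "very high"]; // ascending severity

// Position of a label on the scale; rejects values outside the five levels.
function rank(risk) {
  const i = SCALE.indexOf(String(risk).toLowerCase());
  if (i < 0) throw new Error(`unknown risk value: ${risk}`);
  return i;
}

// Highest risk wins. Assumption: an empty list yields "none".
function highest(risks) {
  return SCALE[Math.max(0, ...risks.map(rank))];
}

// Aging bands from the page. Assumption: exactly 90 days counts as high.
function agingRisk(days) {
  if (!Number.isFinite(days) || days < 0) throw new Error(`bad aging value: ${days}`);
  if (days <= 90) return "high";
  if (days <= 180) return "moderate";
  return "low";
}

// Model risk from its four parameters. For hardware models, "external"
// stands for the publisher stage and publisher aging parameters.
function modelRisk(m) {
  return highest([m.internalStage, m.externalStage,
    agingRisk(m.internalAgingDays), agingRisk(m.externalAgingDays)]);
}

// Application service: highest risk among its hardware and software models.
function serviceRisk(svc) {
  return highest([...svc.hardware, ...svc.software].map(modelRisk));
}

// Business application: highest risk among its application services.
function businessAppRisk(app) {
  return highest(app.services.map(serviceRisk));
}

// Constructed sample data.
const dbModel = { internalStage: "low", externalStage: "low", internalAgingDays: 400, externalAgingDays: 120 };
const osModel = { internalStage: "low", externalStage: "none", internalAgingDays: 365, externalAgingDays: 200 };
const serverModel = { internalStage: "low", externalStage: "low", internalAgingDays: 30, externalAgingDays: 700 };
const app = { services: [
  { name: "billing-eu", hardware: [], software: [dbModel, osModel] },
  { name: "billing-us", hardware: [serverModel], software: [osModel] },
] };
console.log(app.services.map((s) => `${s.name}: ${serviceRisk(s)}`), businessAppRisk(app));
```

In the sample, a single hardware model with an aging value of 30 days is enough to raise one application service, and therefore the whole business application, to high.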