Risk appetite fields on the Risk form
Summary of Risk appetite fields on the Risk form
The risk appetite fields on the Risk form in the Risk Management application allow organizations to define, evaluate, and set boundaries for acceptable and unacceptable risks. These fields help risk managers understand and manage risk appetite both qualitatively and quantitatively, aligning risk tolerance with organizational objectives. The availability of specific fields depends on advanced risk assessment settings configured by the risk administrator.
Key fields and their purposes
- Override qualitative risk appetite: Enables defining risk appetite values specific to the current risk, overriding the inherited values from the associated risk statement.
- Justification for override: Documents the business reason for overriding the qualitative risk appetite, aiding transparency and decision-making.
- Qualitative appetite: Represents risk appetite on a numerical scale (default 1 to 5 ranging from Averse to Hungry), used to compare against qualitative risk ratings for status calculation.
- Quantitative appetite: Defines risk appetite in monetary terms, such as acceptable financial loss, compared with annual loss expectancy (ALE) to determine quantitative appetite status.
- Qualitative tolerance: Indicates the acceptable deviation from the qualitative appetite, which must be greater than the appetite itself. It helps assess how far risk ratings can deviate before being considered outside tolerance.
- Quantitative tolerance: Specifies the allowable monetary deviation from the quantitative appetite, used to evaluate if risks exceed acceptable financial thresholds.
- Risk appetite statement: A narrative describing the types and levels of risk the organization is willing to accept, providing context to guide risk-informed decisions.
- Appetite statuses (Qualitative and Quantitative): Calculated by comparing risk ratings and ALE values to defined appetites and tolerances, indicating whether risks fall within acceptable boundaries.
- Overall appetite status: Reflects the worst-case status between qualitative and quantitative assessments, providing a consolidated risk appetite evaluation.
Practical implications for ServiceNow customers
These risk appetite fields enable organizations to:
- Customize risk appetite values per risk when necessary, supporting nuanced risk management.
- Maintain clear documentation and justification for risk appetite decisions.
- Use both qualitative scales and quantitative monetary values to assess risk appetite comprehensively.
- Evaluate risk exposures against defined appetite and tolerance levels, supporting informed decision-making and risk mitigation strategies.
- Leverage risk appetite statements to align risk management practices with organizational goals and risk culture.
By effectively using these fields, ServiceNow customers can establish clear boundaries for risk acceptance, monitor risk status accurately, and ensure that risk management efforts align with strategic objectives.
Learn about the risk appetite fields on the Risk form. Use these fields to define the risk appetite, evaluate all the possible risks, and set the boundaries for acceptable and unacceptable risks in the Risk Management application.
See the following table for a description of the field values.
| Field | Description |
|---|---|
| Override qualitative risk appetite | Option to override the qualitative risk appetite of the risk statement. By default, all risks inherit the risk appetite of the risk statement in the risk form. When you select this option, you can define the risk appetite values for the current risk separately. Note: This field appears only when there is an associated risk statement available for the current risk. |
| Justification for override | Reason to override the qualitative risk appetite values of the risk statement in the current risk. This information helps the risk manager understand the business need for the override. Note: This field appears only when the Override qualitative risk appetite option is selected. |
| Qualitative appetite | Risk appetite in numerical scale and rating terms. The qualitative appetite is compared with the qualitative risk rating to compute the qualitative appetite status. You can define the qualitative appetite based on the appetite scale set by the risk administrator. The default options are as follows: A risk administrator can change or create the risk appetite scales based on the organization's requirements. For more information, see Set up a risk appetite scale. Note: A risk user and risk reader with the sn_risk_advanced.qualitative_risk_appetite_reader role can only view the qualitative appetite and qualitative tolerance values on the form and in other places. |
| Quantitative appetite | Risk appetite in quantitative terms. The quantitative risk appetite can be measured and expressed in monetary values. The quantitative appetite is the amount of loss that an organization is willing to risk. For example, an organization decides to have $10,000 (US dollars) as the target non-performing asset (NPA) for this year, which means that the organization defines $10,000 (US dollars) as the quantitative risk appetite. The quantitative appetite is compared with the annual loss expectancy (ALE) to compute the quantitative appetite status. Note: A risk user and risk reader with the sn_risk_advanced.quantitative_risk_appetite_reader role can only view the quantitative appetite and quantitative tolerance values on the form and in other places. |
| Qualitative tolerance | Risk tolerance in numerical scale and rating terms. The risk tolerance is the standard deviation from the defined risk appetite. The qualitative tolerance is compared with the qualitative risk rating to compute the qualitative appetite status. The qualitative tolerance should be greater than the defined qualitative appetite. You can define the qualitative tolerance based on the appetite scale set by the risk administrator. The default options are as follows: A risk administrator can change or create the risk appetite scales based on the organization's requirements. For more information, see Set up a risk appetite scale. |
| Quantitative tolerance | Risk tolerance in quantitative terms. The risk tolerance is the standard deviation from the defined risk appetite. The quantitative risk tolerance can be measured and expressed in monetary values. For example, an organization decides to have $15,000 (US dollars) as the target non-performing asset (NPA) for this year, which means that the organization defines $15,000 (US dollars) as the quantitative risk tolerance. The quantitative tolerance is compared with the annual loss expectancy (ALE) to compute the quantitative appetite status. Note: The quantitative tolerance should be greater than the defined quantitative appetite. |
| Risk appetite statement | Risk appetite statement that defines the amount and types of risk an organization is willing to accept to achieve its objectives. It documents what the organization considers as threats and its response strategies. These statements give additional context to understand the risk appetite and help the business to make risk-informed decisions. For example, "ACME Inc. has no appetite for unauthorized access to systems and confidential data and will maintain strong controls to mitigate external threats against its technology infrastructure. ACME Inc. has a low appetite for losing the continuity of business operations stemming from unreliable telecommunications or system availability. Business resiliency planning and execution must be aligned with strategic objectives. ACME Inc. has a moderate appetite for innovative technology solutions to meet user demands in a rapidly changing environment. The agency will exercise appropriate governance and discipline when considering and adopting new technology." |
| Risk appetite status | |
| Qualitative appetite status | Qualitative appetite status of the risk. The qualitative appetite status is calculated by comparing the defined qualitative appetite with the qualitative appetite that is mapped to the final risk rating. A risk administrator can map the appetite scales to the risk rating criteria for the final assessment type in the Risk assessment methodology (RAM). Note: The primary RAM that is defined in the associated entity is considered for status calculation. For example, if you define the qualitative appetite as 2-Minimalist and the qualitative tolerance as 4-Open, then the following statuses appear: |
| Quantitative appetite status | Quantitative appetite status of the risk. The annual loss expectancy (ALE) values are compared with the defined quantitative appetite to calculate this appetite status. Note: The risk assessment ALE value from the primary RAM that is defined in the associated entity is considered for status calculation. For example, if you define the quantitative appetite as $1000 (US dollars) and the quantitative tolerance as $1500 (US dollars), then the following statuses appear: |
| Appetite status | Overall appetite status. The overall appetite status considers the worst-case scenario between the qualitative and quantitative status. For example, if the qualitative appetite status is within the appetite and the quantitative appetite status is outside the appetite, then the overall appetite status is outside the appetite. |
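The status logic the table describes (inherit-or-override for the qualitative appetite, tolerance strictly greater than appetite, appetite and tolerance compared against the rating or ALE, worst case rolled up into the overall status), as an added example written for this page rather than ServiceNow product code. The status labels, the `<=` comparisons and the field names on the risk object are assumptions; the sample values (2-Minimalist / 4-Open, $1000 / $1500) are the ones the table uses.

```javascript
// Added example (not ServiceNow product code): models the appetite status
// calculation described in the table. Status labels, the ordering used for
// "worst case" and the <= comparisons are assumptions for illustration.
const STATUSES = ["Within appetite", "Within tolerance", "Outside tolerance"];

// Both the qualitative and the quantitative tolerance must exceed the appetite.
function checkBounds(appetite, tolerance) {
  if (!(tolerance > appetite)) {
    throw new Error("tolerance " + tolerance + " must be greater than appetite " + appetite);
  }
}

// Band test shared by both dimensions: the compared value is the final risk
// rating mapped onto the appetite scale (1..5 by default) or the ALE in dollars.
function bandStatus(value, appetite, tolerance) {
  checkBounds(appetite, tolerance);
  if (value <= appetite) return STATUSES[0];
  if (value <= tolerance) return STATUSES[1];
  return STATUSES[2];
}

// Overall status is the worst case of the qualitative and quantitative status.
function overallStatus(qualitative, quantitative) {
  const worst = Math.max(STATUSES.indexOf(qualitative), STATUSES.indexOf(quantitative));
  return STATUSES[worst];
}

// Qualitative appetite is inherited from the risk statement unless the
// override option is selected, in which case a justification is expected.
function resolveQualitativeAppetite(risk, statement) {
  if (risk.overrideQualitativeRiskAppetite) {
    if (!risk.justificationForOverride) throw new Error("justification for override is required");
    return { appetite: risk.qualitativeAppetite, tolerance: risk.qualitativeTolerance };
  }
  return { appetite: statement.qualitativeAppetite, tolerance: statement.qualitativeTolerance };
}

// Evaluate one risk record (field names are constructed for this example).
function evaluateRisk(risk, statement) {
  const q = resolveQualitativeAppetite(risk, statement);
  const qualitative = bandStatus(risk.finalRatingOnScale, q.appetite, q.tolerance);
  const quantitative = bandStatus(risk.ale, risk.quantitativeAppetite, risk.quantitativeTolerance);
  return { qualitative: qualitative, quantitative: quantitative, overall: overallStatus(qualitative, quantitative) };
}

// Worked values from the table (appetite 2-Minimalist / tolerance 4-Open,
// $1000 / $1500) with a constructed final rating of 5 and ALE of $900.
const sample = evaluateRisk({ overrideQualitativeRiskAppetite: false, finalRatingOnScale: 5,
  ale: 900, quantitativeAppetite: 1000, quantitativeTolerance: 1500 },
  { qualitativeAppetite: 2, qualitativeTolerance: 4 }); // overall: "Outside tolerance"
```

The sample lands outside tolerance overall even though the ALE is within the quantitative appetite, which is exactly the worst-case rule the Appetite status row describes.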