Create a Risk Evaluation for IT Compliance
Assess the severity of a registered risk by creating a risk evaluation. Gather structured feedback from stakeholders on a threat's potential impact and likelihood to automatically calculate your inherent and residual risk scores.
Required Editions

| Required Editions | |
|---|---|
| Available in: | Lightning Experience |
| Available in: | Enterprise, Performance, and Unlimited Editions with Agentforce IT Service. |

| User Permissions Needed | |
|---|---|
| To create risk evaluations: | Compliance Admin permission set |
A risk evaluation anchors a structured review of a single risk. It captures who's responsible for the review, when input is needed, and the impact and likelihood scores once stakeholders weigh in. The active scoring expression set uses those scores to calculate the inherent risk score, and recalculates the residual score as you map mitigating controls to the risk.
Create evaluations manually for initial baseline reviews, periodic re-assessments, or ad-hoc reviews triggered by a business event. When Continuous Evaluation is turned on, the background agent also creates evaluations autonomously when it detects changes to mapped policy clauses, controls, or scopes.
- From App Launcher, go to the IT Compliance app and select Risks. Open the risk record you want to evaluate and go to the Evaluations tab.
- Click New and fill in the evaluation details:
  - Name: a short, descriptive label, such as Q1 Initial Posture Analysis or Q2 Re-Assessment after Policy Update.
  - Subject: what's being evaluated and why, especially if the evaluation was triggered by a specific event.
  - Assigned To: the user responsible for running the evaluation, usually the risk owner or a security lead.
  - Due Date: the date by which the assessment must be completed.
  - Status: new evaluations typically start in In Progress.
- Save your changes.
The evaluation appears on the Evaluations tab of the risk record. From here, your team sends Risk Assessment surveys to gather impact and likelihood input from stakeholders. Once those scores are entered, the active scoring expression set calculates the inherent risk score on the evaluation, and the residual score updates as mitigating controls get mapped to the risk.
Suppose your compliance team has just registered a Phishing Attack risk for the North America Sales business unit and wants to establish a baseline posture. They kick off the first evaluation:
- Name: Q1 Initial Posture Analysis — Phishing NA Sales
- Subject: First evaluation of phishing posture for the North America Sales tenant.
- Assigned To: Jordan Kim, CISO for North America
- Due Date: Mar 31, 2026
- Status: In Progress
After you save, the evaluation appears under the Evaluations tab on the risk record. Your team then sends Risk Assessment surveys to the relevant stakeholders to gather Likelihood and Impact input. Once those scores come in, the active scoring expression set calculates the inherent risk score on the evaluation.
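To make the scoring flow described above concrete, here is a small Python model added for this page. It is not Salesforce code and does not use the IT Compliance object model or its field names. The page does not show the scoring expression set itself, so the model assumes: stakeholder survey answers on 1-5 scales are averaged and rounded into the evaluation's impact and likelihood, the inherent score is impact times likelihood, each mapped mitigating control reduces the remaining exposure by an assumed effectiveness fraction, and the rating bands are illustrative thresholds. The survey responses and controls are constructed sample data, and the `baseline_phishing_evaluation` helper mirrors the Phishing NA Sales scenario.

```python
from dataclasses import dataclass, field
from math import prod
from statistics import mean


@dataclass
class SurveyResponse:
    """One stakeholder's Risk Assessment survey answer (1-5 scales assumed)."""
    stakeholder: str
    impact: int       # 1 = negligible ... 5 = severe
    likelihood: int   # 1 = rare ... 5 = almost certain


@dataclass
class MitigatingControl:
    """A control mapped to the risk; effectiveness is the assumed fraction of exposure it removes."""
    name: str
    effectiveness: float  # 0.0 .. 1.0


@dataclass
class RiskEvaluation:
    """Illustrative model of an evaluation record (field names are not Salesforce API names)."""
    name: str
    risk: str
    assigned_to: str
    due_date: str
    status: str = "In Progress"
    responses: list = field(default_factory=list)
    controls: list = field(default_factory=list)

    def record_response(self, response: SurveyResponse) -> None:
        """Accept a survey answer, rejecting scores outside the assumed 1-5 scale."""
        for value in (response.impact, response.likelihood):
            if not 1 <= value <= 5:
                raise ValueError(f"score {value} from {response.stakeholder} is outside 1-5")
        self.responses.append(response)

    def _aggregate(self, attr: str) -> int:
        # No score exists until stakeholders have answered the survey.
        if not self.responses:
            raise ValueError("no stakeholder input yet: send the Risk Assessment survey first")
        # Assumed aggregation: mean of stakeholder scores, rounded to a whole point.
        return int(round(mean(getattr(r, attr) for r in self.responses)))

    def impact(self) -> int:
        return self._aggregate("impact")

    def likelihood(self) -> int:
        return self._aggregate("likelihood")

    def inherent_score(self) -> int:
        # Assumed scoring expression: impact x likelihood, giving a 1-25 score.
        return self.impact() * self.likelihood()

    def map_control(self, control: MitigatingControl) -> float:
        """Map a mitigating control to the risk and return the recalculated residual score."""
        if not 0.0 <= control.effectiveness <= 1.0:
            raise ValueError(f"effectiveness of {control.name} must be between 0 and 1")
        self.controls.append(control)
        return self.residual_score()

    def residual_score(self) -> float:
        # Assumed residual expression: controls reduce exposure multiplicatively,
        # so two 50% controls leave 25% of the inherent score, not 0%.
        remaining = prod(1.0 - c.effectiveness for c in self.controls)
        return round(self.inherent_score() * remaining, 2)


def rating(score: float) -> str:
    """Map a score to a band; the thresholds are assumed for this example."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 15:
        return "High"
    return "Critical"


def baseline_phishing_evaluation() -> RiskEvaluation:
    """Walk the page's scenario with constructed survey responses from three stakeholders."""
    ev = RiskEvaluation(
        name="Q1 Initial Posture Analysis - Phishing NA Sales",
        risk="Phishing Attack (North America Sales)",
        assigned_to="Jordan Kim",
        due_date="2026-03-31",
    )
    for r in (SurveyResponse("security lead", 4, 4),      # constructed sample input
              SurveyResponse("sales operations", 5, 3),
              SurveyResponse("IT helpdesk", 4, 5)):
        ev.record_response(r)
    return ev


if __name__ == "__main__":
    ev = baseline_phishing_evaluation()
    print(f"{ev.name}: inherent {ev.inherent_score()} ({rating(ev.inherent_score())})")
    for c in (MitigatingControl("Inbound email filtering", 0.5),
              MitigatingControl("Security awareness training", 0.25)):
        print(f"  mapped {c.name}: residual {ev.map_control(c)} ({rating(ev.residual_score())})")
```

Running the script shows the same sequence the page describes: the inherent score exists only after survey input arrives (16, Critical, under the assumed expression), and the residual score is recalculated each time a control is mapped (8.0 after the email filtering control, 6.0 after awareness training), while the inherent score stays fixed.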