DORA CSDM Implementation Guide - DRAFT version

KristineNaess · ‎11-14-2024

Hi all,

The introduction of the DORA regulation is approaching, and we have launched the DORA Accelerator on Store. But many have asked us if we have more instructions on how to make use of the CSDM for better and more automated reporting. In this draft version of a DORA ITS Reporting Framework implementation guide, we try do just that: provide tips and tricks that will make your reporting so much better.

The Digital Resilience Third-party Information Register app is now available in the ServiceNow store.

It takes time to get this finalised and approved internally, and we could not let you wait any longer. So please report back to me if you find anything that doesn't make sense, is very hard to understand or is wrong in the guide.

Have a good time reading through the material!

Cheers,

Kristine

ivangulta · ‎11-20-2024

Thank you Kristine for the detailed response 😍

This helped me better understand the use case for Business Function.

With this in mind, would it be possible to apply the Regulatory Policy and GRC Profile Entity to Value Streams (green arrow):

This would enable designing (and governing) resilience at component (Process, Capability, People, etc) and Rolled up (Function, Value stream) levels.

View solution in original post

Stuart Tucker · ‎01-31-2025

This is a great document and I keep referring to it for all the insight it provides. One thing I am a little confused about is the use of Business Capabilities and Business Processes. In one diagram Business Capability is linked to the Business Application and in another diagram the Business Process is linked to the Business Application. What is the perceived difference between Business Capability and Business Process and how should they be applied?

KristineNaess · ‎02-03-2025

Hi Stuart,

Thank you for your feedback. And a good question, this is an important, yet somewhat difficult distinction.

The business capabilities are strictly outcome oriented. They care about what you are able to achieve, not how or by whom. That's why they work well when you need to summarize all people, tools, processes and responsibilities that are involved in achieving them.
The business processes are all about how you step by step do things. They are normative, which means that you often have to follow internal and/or regulatory requirements on how you do certain activities within these. That’s why they’re very usefull for measuring compliance.

Since what you want to achieve, your business capabilities, often are regardless of the geography you want your achievements in, you would usually not need to add a geographical context to them. Of course, some companies don’t provide all outcomes everywhere, but this can be described in you service offerings. So you can have one single, overarching list of business capabilities.

With business processes it’s often different. You may have one set of regulations in one country/region, and different or additional set in another. These are usually industry specific. That’s why you would sometimes need to have a set of business process records that answer to these regulations. An good example is the IT Change process. Though it’s a best practise standard that all companies should have in place, it’s mandatory according to many industry regulations, such as ICT and DORA for social critical banking services. The good thing about our platform is that it’s easy to set up control objectives and controls to measure compliance to these, and have them measure on records that are related to each process. By relating the business processes to service offerings (or business services) you can measure and report on compliance within a set of activities (normally tasks, but can also be statuses and other indicators) for each region your offerings are within.

The interesting thing about DORA is that it demands that you have a list of critical and important "business functions", which by some have been interpreted as a) business services, others as b) business processes and others again as c) business capabilities. This depends on what you are have decided to “encapsulate” within those terms I guess, hence what you are able to report back on. The business functions are described in such a way that in my opinion, they are an aggregation of services (in plural), organisations, processes, facilities and tools. Which is eaxctly what the business capabilities in CSDM are as well. For those who have already interpreted them as either a) or b), we allow reporting on this in the DORA Digital resilience third-party registers plugin. For those in favour of c), you can ensure you have activated to Digital Portfolio plugin and done dependency mapping to show back all related records in your Business Continuity Management workspace to really be able to act on the statuses you see on your business capabilities there. It’s an amazingly powerful tool to work with, and great fun to harvest the fruits of you mapping efforts.

I hope this clarifies it, but please let me know if it doesn’t, as I will add a part on this in the next version of the guide.

Have a great day!

Kristine

KristineNaess · ‎07-31-2025

Make sure you read the updated CSDM 5 DORA ITS Implementation Guide: https://www.servicenow.com/community/common-service-data-model-forum/csdm-5-opsres-and-dora-its-impl...