03-18-2025 12:06 PM - edited 03-18-2025 12:07 PM
Gen AI
Is Now Assist only accessible in the Workspace?
All of our new capabilities, including Now Assist, are offered through the Workspace.
Can individual clients disable some or all of the Now Assist features?
Customers can define which Now Assist features they want to enable or disable in their instance using the platform’s standard configurations. They can also control which users have access to these capabilities and determine which skills to activate or deactivate in their environment.
Is the Now Assist summarization feature limited to issues only?
In our Yokohama release, Now Assist includes a use case specifically for Issue Summarization within IRM.
Can we narrow the scope and enable field-level AI summarization for a specific field in Loss Events?
You can configure specific fields for Issue Summarization, but currently, this capability is available only for Issue fields.
Is "Not enough context" an error or the summary?
That is the summary. It indicates that the relevant context may be missing to generate a summary for the specified field.
Is the ServiceNow AI model based on OpenAI?
ServiceNow has its own large language model (LLM). We also support other major LLMs, such as OpenAI and Llama. Customers can choose the most suitable LLM for their needs. The issue summarization prompt is specifically tested with Now Assist to ensure optimal performance.
For Incidents, there is a limitation where this feature only works if the incident contains more than 200 words. Is the same true for issue summarization?
Yes, the same limitation applies. This is a constraint of Gen AI technology.
Am I entitled to use Now Assist – Issue Summarization if I already have an IRM enterprise license, or do I need to subscribe to it separately?
Now Assist is an add-on capability and requires a separate license. Please reach out to your sales representative for more information on licensing.
Can the risk team edit and modify the Issue Summarization AI feature to suit business needs?
The out-of-the-box (OOTB) prompts that support issue summarization can be modified to add or remove fields during implementation. For more information, refer to this Community article: Modifying Prompts for OOTB Shipped Gen AI Skills.
Will the Issue Summarization feature work when users identify issues via the portal as well?
Any issue can be summarized using this feature, regardless of how it is identified, including through the portal.
Does the new AI capability allow for the configuration of certain data elements to be excluded from its AI engine?
It is possible to configure specific fields for the model. For example, you can configure the fields for Issue Summarization. This feature is available only for issue-related fields.
How will Risk Identification play a role in AI-generated control recommendations based on regulatory changes?
The Risk Identification workflow detects risks for each entity as they are created. The recommendation for regulatory changes occurs when an alert is triggered, indicating which controls need to be mapped and updated. The system will not automatically amend the control/entity mapping. That process will still require manual input to assess the impact of the alert.
Risk Management
What does "bulk assessment" in risk mean? Does it address the challenge of bulk importing legacy data for risk assessments in IRM and Third-Party Risk Management (TPRM)?
Bulk assessment allows you to send risk assessments for multiple entities or composite entities at once, enabling large-scale review rather than assessing each one individually. This functionality significantly enhances the scalability of risk assessments. A similar feature is available in TPRM, where you can send assessments to bulk assess third parties based on specific events, streamlining the risk management process and reducing the need for manual handling of each individual assessment.
Do bulk risk assessments cover assessments with the same Risk Assessment Matrix (RAM), or do they apply regardless of RAMs?
Bulk risk assessments are created for a specific RAM and entity combination. This feature is not a utility for random bulk actions but rather a workflow designed to help customers manage their RCSA workshops efficiently. It allows assessments to be sent to multiple entities within the same RAM framework.
Regulatory Change Management
Do I need a separate subscription for the third-party content providers?
Currently, access to third-party content providers requires separate subscriptions.
To access external content, an end-user license is required to authorize the credentials granted by the technology partner. For more details, please reach out to your account executive.
Where can I find more on the RSS feed publications?
For detailed guidelines on RSS feeds in Regulatory Change Management, refer to the Product Documentation article.
Policy and Compliance Change Management
Can you elaborate on state-specific citations? For more clarity, each of the 50 states can have very similar laws and regulations. Currently, we go through a manual process of harmonizing these laws and aligning the appropriate controls to these harmonized citations.
The control harmonization model can be configured to learn from the citation table, allowing it to create a unified citation across state laws that can be linked to your controls. This will involve some configuration, but is upgrade safe.
Can the redlining and review process be added for control objectives, similar to policies? We require an annual review of all our control objectives, in addition to standards and policies.
Currently, this capability is available for policies only.
Will minor or major changes to control objectives trigger a return to the draft state?
Minor changes will not move controls back to the Draft stage. Controls will only revert to Draft for major changes.
Will the newly de-duplicated control objectives be linked to the citations from the original control objectives?
The rationalization process involves steps to de-duplicate control objectives, ensuring that citations and other associated objects are mapped to the retained control objectives. A thorough review process is in place to ensure these associations are accurately maintained.
Is the Risk and Control Matrix available only in the Workspace?
The Risk and Control Matrix framework is available in any Workspace or record.
Can we map existing citations to a policy?
Yes, citations can be linked to a policy through control objectives.
Is the Compliance Score roll-up for Tech and Cyber Risk on the entity hierarchy feature also available for other applications that use entities, such as Audit and Risk?
Yes, this feature is applicable across all entity hierarchies.
What is DORM?
The Digital Operational Resilience Management (DORM) app is integrated into Integrated Risk Management and requires an IRM Pro or Enterprise license. It enables organizations to capture and manage data to comply with digital operational resilience regulations such as the Digital Operational Resilience Act in the EU. Certain components, like the Third-Party information register, are available within TPRM.
ESG
What is ESG?
ESG stands for Environmental, Social, and Governance, which is a key module within the Risk Business Unit. These three factors are central in evaluating a company’s sustainability, ethical practices, and social impact. While ESG factors aren’t always financial, they significantly influence a company's long-term risk and potential return on investment.
Is the ESGM product included with the IRM license, or is it an add-on?
The ESG module requires a separate subscription.
Third-Party Risk Management
Have we built an integration with Dun & Bradstreet content for TPRM?
The D&B integration is now available. You can use it to build out your integration with Third-Party Risk Management.
Do we need a separate content subscription for the Dun & Bradstreet integration in Third-Party Risk Management?
Yes, a separate content subscription for D&B is required.
Where can I find the Implementation Guide for TPRM?
You can find the TPRM Implementation Guide here.
Smart Assessment Engine
What are the main benefits of Smart Assessments? Also, can assessments now be assigned to multiple respondents?
Smart Assessment Engine (SAE) puts assessment development in the hands of the responsible risk teams, thus giving them complete control over the assessment’s questions and scope. This eliminates the need for developers to handle any assessment changes, thus reducing technical debt. Multiple respondents are available in this capability.
We have a one-hour webinar on Smart Assessments and its capabilities, complete with a demo to give you a thorough understanding of the feature.
Is there documentation and examples of how to use Smart Assessments in the Yokohama release?
Yes, the Product Documentation site has been updated with the latest capabilities for Smart Assessment Engine.
Who has access to the Smart Assessment Engine?
SAE was released in Xanadu as part of the Risk Common Core. It is available to users of any of the Risk products that use the capability.
Are we able to add a button to create a feedback record outside of the attestation component itself? What will the implications be for upgrades?
SAE natively allows comments to be added. Adding a button to create a record is an upgrade-safe configuration, so this feature should not break during upgrades.
Is there a feature in SAE to allow grouping and answering assessments in bulk from different templates (attestation types)?
This functionality is part of the Yokohama release. Please check Product Documentation for more details. As of Yokohama, the combined assessment and response copy features only support combining assessments from the same template.
Where can I currently view the results of the assessment scoring in SAE?
The scoring data for sections, subsections, and assessment levels is stored in the sn_smart_scoring_metric_instance table. Each section or assessment level has an associated metric record linked through a metric_mapping record. Each of these metrics has a corresponding metric_instance that stores the scores. You’ll need to use these in combination to access the full scoring information.
Can you clarify if SAE requires a Pro license?
The Smart Assessment Engine is available for all SKU levels: Standard, Pro, and Enterprise.
General Questions
Can you please define the term "indicator" (like KPI)?
Indicators are useful when you want to know if your organization is compliant before you do an audit. If certain controls are non-compliant, indicators help you identify them and enable you to correct them.
There are three different types of indicators:
- KPI (Key Performance Indicator): Measures how well risk exposure is managed against objectives. This option allows you to add entities and additional entities to the metric definition.
- KRI (Key Risk Indicator): Indicates the level of exposure to a specific risk or set of risks. This option allows you to add risks and risk statements to the metric definition. It’s available if the Advanced Risk plugin is activated.
- KCI (Key Control Indicator): Measures the effectiveness of controls implemented to reduce or mitigate a given risk exposure. This option allows you to add controls and control objectives to the metric definition. It’s available if the Policy and Compliance Management plugin is activated.
These indicators are associated with metrics, as described in the docs: https://www.servicenow.com/docs/bundle/yokohama-governance-risk-compliance/page/product/grc-metrics-...
While the technical capability of each indicator is the same, their intended use and the type of data they collect are different. Here is a list of those included with GRC: Risk Management applications.
What does NIST stand for?
NIST stands for the National Institute of Standards and Technology, a federal agency within the U.S. Department of Commerce. NIST’s primary mission is to develop and promote measurement standards, guidelines, and best practices to ensure consistency, reliability, and quality across various industries. It plays a critical role in advancing technology, improving the U.S. economy, and supporting innovation.
Our risk product portfolio supports the NIST Cybersecurity (CSF) and Risk Management (RMF) frameworks. Visit Product Documentation for more information.
Is the Risk Domain Guidance a concept or does it involve significant changes to the entity structure?
The Risk Domain Guidance is a framework designed to help customers maximize the value of ServiceNow's risk products through a maturity model. It serves as a guide for planning implementation and maturing risk practices.
A Cyber Risk Domain Guidance kit is now available on the Community, with more to follow.
Additionally, if you need assistance with entity modeling, we’ve released prescriptive guidance that’s also available in the Community.
What is the Innovation Lab and what does it mean for customers awaiting the release of those modules?
The Innovation Lab is a space where we release and test new capabilities with our customers before they are fully launched. Access to these features depends on your SKU entitlement and applies to sub-production environments only.
Will all upcoming features be available in the Workspaces?
Yes, all future enhancements to the Risk portfolio will be compatible with the Next Experience, which includes Workspaces.