Rosalind Morvil
ServiceNow Employee

There are many new and exciting enhancements in the latest release for risk, compliance, and operational resilience.  I’d like to take you through the highlights:

 

Operational Resilience Management

Starting with our Operational Resilience Workspace, we are bringing you the Next Experience, which uses a modern, new UI design and enhancements to global navigation. This enhancement improves visibility, drives efficiencies, and simplifies navigation to strengthen the overall risk or compliance posture of the organization. A new 360-degree view allows you to better visualize upstream and downstream interdependencies of your parent and child services, processes, technology, people, suppliers, and facilities.

 


 

We’ve also added persona-driven, configurable workspaces to drive productivity and simplify navigation.

 

Paired with other enhancements in this release, you can more easily analyze importance and impact tolerance with survey-based assessments; run scenario analysis to simulate event impact before activities happen; and generate PDF reports based on pre-defined document templates for self-attestations.

 

Common Controls

Control testing to prove compliance or identify risks is one of the most time-consuming aspects of the job for a risk or compliance analyst, or control owner. In the Utah release, the Policy and Compliance, Risk, and Audit applications now support common controls, including sharing the results of the control test.

 

Let’s take an example. My company uses Okta, so when the control for “managing access through single sign-on” is tested, the Okta application owner can attest that single sign-on is in place. Miro, Teams, Workday, and Zoom use Okta for single sign-on. The IRM admin has set it up so the single sign-on control is a common control that the other 4 applications can inherit. Therefore, there is one control to test that can be used to help prove compliance, identify risk, or inform audit for 5 applications (instead of having 5 application owners attest to the same control). This is just 1 common control; these applications might have multiple common controls associated with them. Testing once and complying with many, across several controls, saves significant time and effort, freeing GRC teams and application owners to focus on more strategic tasks or future planning.

 


 

Core Capabilities: Issues Management and Confidentiality

There are two primary core enhancements in Utah. The first is the ability to link a single issue to multiple sources. Managing issues can be one of the most time-consuming tasks. Risk and compliance teams and control owners can struggle not just with the number of issues but with the task of addressing duplicate issues. This release enhances the issue management capabilities to reduce the number and potential for duplication of issues, which could result in significant efficiency gains. For example, users can now create a single issue that links to a risk, control, and related entity (or more than 1 entity); or an issue that links to an audit engagement and the control that failed, prompting the issue – instead of 2 or 3 separate but related issues. You can also tag an issue for multiple sources of failure, for example risk events or controls, to improve risk tracking or analysis – seeing all the related controls that failed or risk events that were reported together can make identifying the root cause easier. Additionally, audits can be simplified when there are fewer issues and when they provide a holistic view of control failures, engagement problems, risks, etc. The issue record itself has been updated with a related list, which you can see in the screenshot below, to make filtering on all the objects linked to the issue easier. Simplifying issue management improves the efficiency and productivity of all stakeholders.

 

RosalindMorvil_2-1675376454984.png

 

The second enhancement is confidentiality inheritance for related records. When a record is marked as confidential, related records will automatically inherit confidentiality. This relieves users of having to go through the tedious process of marking all related records as confidential. All inherited confidential records will have the allowed user and groups auto-populated from the parent record, increasing accuracy. And much like the issue management enhancements, IRM admins can now configure and manage inheritance of confidentiality via the new framework.

 

Risk Management Enhancements

We continue to add valuable features to the Risk Management applications. The first enhancement is part of Advanced Risk Management and will help mature risk organizations enable risk-based decision making across the organization. Risk managers will now be able to tailor the risk appetite framework and configure it to their unique organizational needs and maturity level. They can define the risk appetite, including documentation of qualitative risk appetite statements, amber and red thresholds for qualitative rating, and loss expectancy – linking it to the risk taxonomy. The risk appetite breach management workflow can be digitized to ensure subsequent actions are taken and risk is managed within the appetite – with alerts for non-adherence.

 


 

The second enhancement uses the Now AI engine to automatically suggest risk statements that should be linked to the risk. Doing so reduces the effort required by the first line to identify and search for risk statements that should be linked to this local risk. This enables higher accuracy in risk aggregation and reporting and gives leadership true visibility into their organizational risk posture.

 

Learn more

If you’d like to see these new features in action, please join us for our Live on ServiceNow What’s New webinars, at our Knowledge 2023 event, or connect with us on the GRC/IRM community.
