There are several exciting enhancements being released on the ServiceNow Store for November within Risk/GRC. Below are some of the new enhancements, such as those for DORA and bulk assessment, that are now available.
Check out these new demos of two of the latest features:
Risk Assessment demo
https://players.brightcove.net/6062814548001/sMZGNTYmG_default/index.html?videoId=6364960614112
Audit Report Template demo (Document Designer)
https://players.brightcove.net/6062814548001/sMZGNTYmG_default/index.html?videoId=6364960615112
Risk Assessment Project
Risk assessments are an important part of a robust risk management program, but managing them can be time-consuming. Risk managers continue to look for ways to improve efficiency without sacrificing accuracy, and the ability to perform bulk assessments with an intuitive and seamless user experience will help teams considerably.
To meet this need, we are releasing our Risk Assessment Project enhancement for Integrated Risk Management (IRM) which introduces a new workflow and object – a guided, interactive, seamless user experience which allows assessors to perform bulk assessments on multiple risks and controls simultaneously.
This risk assessment project workflow enhancement lets assessors:
- Define
  - the context of the assessment project with name, risk assessment methodology, and other relevant information
  - relevant stakeholders
  - reassessment justification
- Scope risks (from upstream entities, risk statements or on an ad-hoc basis) that need to be evaluated as part of the project;
- Assess the scoped risks based on selected risk assessment methodology; and
- Review & approve or reject the assessment summary based on response satisfaction.
This feature will help drive accuracy and reliability of assessment projects by incorporating a clear error handling and validation framework. Dynamic approvals and bulk approvals can be enabled by leveraging the approval configurator.
Composite Entity Management
Also, within Integrated Risk Management (IRM), we are introducing Composite Entity Management which allows customers to model entities with multiple dimensions – such as function, business process or location – for multi-faceted risk assessments.
Composite entity enhancement allows:
- organizations to manage risk and compliance workflows across a combination of entity dimensions and automates aggregation of risk and compliance posture across entity hierarchies.
- GRC managers to create multi-dimensional entity classes with composite entity configurations (for example: company, department, or business process) and/or select additional entity classes (such as ServiceNow, HR, KYC) via an enhanced user experience.
- the roll-up of risk scores to validate the composite entity hierarchy structure.
- relevant stakeholders with configurable personas to be added to these entities.
- risk users to map relevant risks and controls for these single or composite entities for further use within an assessment project.
Author policies and create reports:
- Added the ability to author or create policies on Google Drive (Word or Google Doc) within the IRM Policy & Compliance Management application.
- Local files can be uploaded to Google Drive (in either format), then edited, redlined, reviewed, collaborated on, and approved – all within the policy workflow.
- Policies can be authored, uploaded and collaborated on in OneDrive, Google Drive and SharePoint using O365 capabilities.
Document Designer
We also introduced a new add-in for Word templates (the first use case being for Audit) called Document Designer. While many audit report templates are traditionally XML and HTML based and not business user friendly, with Document Designer users without much technical knowledge can now use a Word-based template.
Document Designer allows variables such as the number of high priority issues (or other related content, lists or variables from a table) to be added to a template to reduce the manual effort associated with creating an audit report. This information can be reused as content blocks, and the template can be applied to multiple audit engagements to generate audit reports in Word. These documents can be converted into a PDF for version control, and the reports can be uploaded to a pre-defined folder on SharePoint for collaboration or review. These features will save employees time by eliminating time-consuming or repetitive work. Audit Managers and Auditors alike will save time, increase collaboration, and drive more accurate results with Document Designer.
Digital Operational Resilience Management
Our next set of enhancements is aimed primarily at our financial services customers or those that need to comply with the EU Digital Operational Resilience Act (DORA) or UK PRA Operational Resilience. We have released Digital Operational Resilience Management, which encompasses a set of new features to help customers meet these regulatory requirements.
Digital Resilience information registry
The first component of this application is the Digital Resilience information registry. This registry helps customers better maintain up-to-date information on all third-party information and communication technology (ICT) products and services for DORA compliance.
With the addition of the third-party information registry, customers can more easily comply with this regulation as they account for legal entities and branch information, identify and maintain critical functions, enrich third-party profiles, engagement records and contracts with DORA-specific information, and maintain their supply chains. They can also upload or download this data easily via MS Excel.
This feature set will be available for download to both IRM and Third-party Risk Management (TPRM) customers.
Operational vulnerability management
A second component is Operational vulnerability management which is now available within Operational Resilience Management. Many regulations provide clear rules around a company’s ability to identify, track and resolve both IT and non-IT vulnerabilities internally and across their network. This enhancement will enable customers to meet these regulatory demands by introducing a new operational vulnerabilities workflow.
Employees can now identify and report vulnerabilities via the employee center. Vulnerabilities can then be triaged, assigned, analyzed, and actioned appropriately. Assessments, monitoring or treatment for the vulnerabilities are captured in the system and can be elevated or related to issues as needed.
Finally for DORA, we have added a new reporting model with DORA specific fields that will help customers to synchronize existing data to meet these regulatory requirements.
Cyber Risk Institute (CRI) Accelerator
The final enhancement we wanted to call out in this release is that the Cyber Risk Institute (CRI) Accelerator, powered by the Smart Assessment Engine, has been expanded to allow compliance analysts, managers, and business users to trigger assessments and respond to CRI assessments. The CRI Accelerator was first released in Vancouver.
Because there is a TON of value in this release, we are excited to share this news with you. If you have feedback, we’d love to hear it here. Or if you are interested in what’s coming next, take a look at our GRC Events Blog Post, sign up for a Quarterly Risk Roadmap Session with our team, or connect with others like you in our relaunched GRC Community Product Hub.