teresalaw
ServiceNow Employee


In our blog “The summer is heating up with new ServiceNow Risk and ESG enhancements”, we already shared some amazing new capabilities from our GRC portfolio of products: AI-powered recommendations to map incoming regulatory changes, the CRI Accelerator, and the Cybersecurity Executive Dashboard in Integrated Risk Management (IRM). We discussed nested plans and task automation in Business Continuity Management (BCM), and the new Third-party Risk Management element sub-hierarchy and risk intelligence framework. And let’s not forget personal data rights in Privacy Management and the Scope 3 Dashboard in the ESG product. But there is so much more to talk about and see!

 

If you missed any of our What’s New community webinars – you can still catch them on-demand in the ServiceNow YouTube GRC playlist.

 

Now, let’s dive into some more of our hot enhancements in Xanadu:

 

Integrated Risk Management:

The Smart Assessment Engine offers exceptional flexibility and robust capabilities to perform a variety of assessments and keep you up to date on changes to your risk posture. In this release we have enhanced the risk response and approval processes.

 

You can now take advantage of a multi-level and dynamic approval workflow. There is a consistent workflow for all risk response strategies (Draft > Work in Progress > Awaiting Approval > Closed), with approvals that can be tailored using the approval configurator. Built-in intelligence will automatically move the risk response strategy back to Work in Progress if it is rejected.

 

Also new in Xanadu is the ability to integrate an issue and open risk response task within a risk response strategy. This added flexibility enables you to configure the creation of an issue as an outcome of the risk assessment and link existing issues or create new ones. It eliminates redundancy and saves you time by linking open risk response tasks from previous assessments with the current assessment. You can also copy risk response plans from previous assessments.

 

The final enhancement to the risk response process is the ability to manage a risk response strategy as a structured action plan with detailed tasks. Detailed action planning is now possible with the ability to create and assign tasks within each risk response plan. The owner and milestones for each action item can be defined for timely completion of the task and enhanced accountability. You can manage the complete workflow for each action item: Draft > Assigned > Work in Progress > Review > Closed. A new overview page for each risk response plan enables enhanced visibility and tracking of the action items.

 


The Smart Assessment Engine also powers the new interactive and intuitive user experience for the Risk Identification questionnaire, a contemporary experience that enhances employee engagement and the thoroughness of completing the Risk Identification questionnaire tasks. In Xanadu you can switch between the old and new assessment user experiences as desired. However, the new user experience does allow you to create your own Risk Identification questionnaires using the intuitive assessment designer. To make the change to the new experience as easy as possible, you will find a built-in migration utility.

 


Other Risk Management enhancements include:

  1. The ability to reopen closed risk events to amend existing entries or document new losses identified after the event’s closure. This enhances the precision and thoroughness of the reporting of losses.
  2. Core capabilities have been enhanced with the ability to specify a static date for currency conversion in risk event entries for greater accuracy in financial loss reporting, the ability to create metrics in an active state by default irrespective of the state of risks/controls, and out-of-the-box notifications for advanced risk assessment approvals.

The Regulatory Change Management application has been further enhanced to support automated regulatory alert triage. Reducing the manual effort to assign regulatory alerts to domain experts for review saves time and minimizes the potential for errors. Rule-based routing could include keywords, specific regulations mentioned in the alert, or types of compliance issues flagged.

 

Also new in Regulatory Change Management and Compliance Case Management is the Next Experience Chat Collaboration, which streamlines communication and enhances collaboration among distributed risk and compliance teams working on regulatory change tasks. Managers can access multiple discussions at once using the docked windows feature.

 


Compliance Case Management has a new Agency Library feature that establishes a centralized repository of regulatory authorities, including their geographical jurisdictions (countries, regions) and a classification based on regulatory focus or industry sector (e.g., banking, healthcare). It creates a point of communication and interaction between the agency and the entities it regulates, and empowers compliance teams to organize and streamline the connection with regulators to manage regulations and policies effectively.

 


Business Continuity Management:

Several new enhancements to BCM are now available to bolster your resilience and safeguard your assets during a crisis. With the introduction of nested plans, you can now engage in more advanced planning and task execution during emergencies. This feature allows you to view tasks from multiple perspectives, perform them more efficiently, and manage the recovery order of primary assets more effectively through multi-level plan nesting.

 

During the planning phase, you can also automate recovery and continuity tasks by defining the workflow to be triggered and including the necessary variables for execution. Additionally, you can designate backup owners for these automated tasks, who will manually trigger the tasks if automation fails during execution. It's also possible to specify the planned duration for both manual and automated tasks, ensuring that all aspects of your recovery and continuity plans are well-coordinated.

 


With this release, you can also more efficiently track dependencies and identify gaps in your plans using both hierarchical and list views. This feature allows you to automatically pull dependencies within the plan scope, ensuring a comprehensive overview of relationships between primary and related items. It enables you to monitor gaps in recovery objectives for these dependency items and configure additional details as needed. By integrating these tracking capabilities, you gain a clearer understanding of how dependencies impact your plans and can address any discrepancies or areas needing improvement more effectively.

 


Third-party Risk Management:

In TPRM, we’ve introduced a new third-party element sub-hierarchy to offer more detailed insights into the components that contribute to third-party risk. Initially, risk programs may evaluate vendors or third parties at the organizational level. This structure extends each engagement to a third level—known as elements—allowing for the assessment of individual components such as owners, facilities, data centers, or other user-defined elements requiring closer scrutiny.

 


The new Risk Intelligence framework and enhanced IRQ scoring logic improve usability, visibility, and transparency. The new Risk Intelligence framework increases the types of Risk Intelligence information and reports that are supported, for example sanctions screening, negative news, and other content beyond scores and ratings. This information can be associated with DD information and linked to the engagement it relates to. The enhancement also allows reports to be ordered from within the workspace (based on individual subscriptions and permissions).

 

Recent IRQ logic enhancements help to further streamline workflows by enabling combined scoring criteria or specific IRQ answers to trigger appropriate questionnaires or assessments to be sent. This can help reduce vendor fatigue as they only receive assessments related to the service they are providing or inherent risk results. Earlier this summer, we also released SIG 2024 support in TPRM.

 


Privacy Management:

In our previous blog, you read about our new Personal Data Rights capabilities that help organizations streamline the management of Data Subject Access Requests (DSARs). The new Personal Data Rights application offers greater visibility into data processing activities and more control of access request processes to expedite the completion of DSARs within the required timeframes. But there is so much more to talk about.

The new Processing Activity Hierarchy helps privacy teams visualize data lineages to quickly identify and locate all areas where personal data could reside. These lineages include relationship types between connections, what personal data is processed for each record, and what processing activities are considered critical and high-risk for increased data protection and risk management. This enhanced visibility into data lineages helps to speed data location and supports a quick DSAR time-to-resolution. 

 


We've talked about the new chat capabilities that support Compliance Case and Regulatory Change Management. They are also available for cross-functional collaboration on privacy-related matters. Users can initiate group discussions from compliance cases, subject requests, and regulatory change tasks; fill out preliminary information and context for the discussion; and add subject matter experts to help with the record. The chat also integrates with Microsoft Teams to speed response times, helping teams complete DSAR and compliance-related tasks within the regulatory timeframes.
 


There are many other enhancements that you can see for yourself on-demand in the ServiceNow YouTube GRC playlist, or you can contact your ServiceNow representative to set up a meeting.

 

Bookmark our 2024 Risk & ESG Events blog to keep up with our events each month.
