Several exciting enhancements were released today in the ServiceNow Store for our ESG product and GRC product portfolio: Integrated Risk Management, Business Continuity Management, Third-party Risk Management, and Privacy Management.
Register for What’s New webinars to see live demos of all the new enhancements on Live on ServiceNow.
Below are some hot highlights of what you’ll see in this new release:
Integrated Risk Management:
AI-powered recommendations to map incoming regulatory changes help organizations keep pace with regulatory change and reduce compliance risk. With potentially hundreds of alerts daily, compliance teams struggle to efficiently map incoming regulatory alerts with citations, leading to delays and potential compliance risks.
To keep up, teams need an automated way to streamline the mapping process, ensuring timely identification and alignment of relevant regulations with the internal business environment. AI-driven regulatory compliance mapping provides the ability to smartly identify the closest match between citations and incoming alerts. This enables you to make informed decisions by acting on AI/ML-powered recommendations that increase user engagement, improve discoverability, and save time. This functionality is available in IRM Professional and Enterprise.
The Cyber Risk Institute Accelerator powered by the Smart Assessment Engine drives efficiency and compliance: test once and comply with many! Manual compliance management processes can be a herculean effort and result in devastating financial and reputational outcomes if there are errors or omissions - especially for heavily regulated financial institutions. Financial institutions need to improve efficiency of their compliance management processes, without sacrificing accuracy and accountability. The Cyber Risk Institute (CRI) Accelerator was developed to address this challenge.
The Cyber Risk Institute is focused on streamlining and standardizing risk management practices by collaborating with the financial sector and regulators. Through financial sector consensus, CRI provides a CRI Profile that aligns with the NIST CSF v2.0 and includes detailed diagnostic statements (control objectives) and maps to financial services regulatory references (FS Citations). The Profile also offers 4 tiers of applicability for different sizes of institutions. CRI assessments are automatically identified for you based on the results of the tiering assessment.
Both the tiering and CRI assessments are performed using the smart assessment engine. Controls are automatically created based on tiering. The compliance score is automatically calculated based on the responses to the CRI assessment (questions are mapped in the CRI assessment to controls) - the compliance score will roll up to the entity level. The CRI Accelerator enables financial service institutions to more easily implement the necessary controls, tailored for type and size of the institution, to drive standardization that improves efficiency and compliance, and reduces risk. This functionality is available in IRM Professional and Enterprise.
The Cybersecurity Executive Dashboard provides greater risk and security visibility to enable better decision making. To make the strategic decisions that affect the stability and success of a company, the chief information security officer (CISO) or cybersecurity executive needs the appropriate level of visibility and necessary detail. Distilling and consolidating the information for security and risk professionals is a challenge due to the number of teams and disparate systems required to gather the data.
The cybersecurity executive dashboard aims to improve visibility and enable proactive decision making by providing access to critical risk, compliance and security metrics in a single pane of glass. The cybersecurity and risk metrics are gathered from a variety of products within the Security Operations and Risk portfolios and include IT risks, compliance scores, privacy risks, crisis events and recovery plans, third party risk, upcoming and ongoing audit reports, vulnerabilities, operational technology (OT) vulnerabilities, security incidents, and major security incidents. Gain real-time risk and security visibility to enable better decision making with the cybersecurity executive dashboard.
Business Continuity Management:
There are several new enhancements to BCM that will help you strengthen your resilience and protect your assets during a crisis. By enabling nested plans, we are allowing for more sophisticated planning and execution of tasks during a crisis event. Tasks associated with an event can be viewed multiple ways, performed more efficiently, and the recovery order of primary assets can be controlled more effectively via this multi-level plan nesting. You can now set planned start and end date times for tasks and include an expected duration as well as validate any circular dependencies within tasks. We are also adding recovery task automation to improve how recovery tasks are executed within your IT DR plans. By creating and maintaining automated tasks in your recovery plans, you can execute the automated tasks in a pre-defined sequence during exercises and actual events. Additional BIA and plan enhancements allow you to view dependencies and their RTOs during BIA and planning and more easily configure the dependency fields in a BIA.
Third-party Risk Management:
Within TPRM, we added a new third-party element sub-hierarchy to provide deeper insight into the individual components comprising third-party risk. Early or immature risk programs will often assess vendors or third parties at the organizational level. As they mature their program or deepen their assessment strategy, they focus on individual engagements often aligned to an individual contract or service provided. As many of these engagements have multiple components or elements, it becomes increasingly necessary to embrace a multi-level or more granular approach – to assess individuals (owners/executives/board), facilities, data centers, products or some other user-determined element that needs more scrutiny. ServiceNow is introducing a new third-party sub-hierarchy to support “Elements.” This sub-hierarchy structure extends each engagement to a third level (called elements) enabling you to assess individual components or elements of an engagement. You can now assess each element individually and generate scores – at the element level, the engagement level or an aggregate element score. By plotting these elements on a map, your third-party geographic footprint becomes clearer. These enhancements increase flexibility, use, and visibility.
In this release, we also introduced a new Risk Intelligence framework and enhanced IRQ scoring logic for TPRM to improve usability, visibility, and transparency. The new Risk Intelligence framework increases the types of Risk Intelligence information and reports that are supported – for example sanctions screening, negative news and other content beyond scores and ratings. This information can be associated with DD information and linked to the engagement it relates to. The framework gives administrators the ability to set up varied types of reports (based on their individual subscription or contract with the content provider) to be ordered from within the workspace, manage other aspects of these provider profiles and also normalize scores across their provider base.
Recent IRQ logic enhancements help to further streamline workflows by enabling combined scoring criteria or specific IRQ answers to trigger appropriate questionnaires or assessments to be sent. This can help reduce vendor fatigue as they only receive assessments related to the service they are providing or inherent risk results. Earlier this summer, we also released SIG 2024 support in TPRM.
Privacy Management:
Personal Data Rights helps organizations streamline the management of Data Subject Access Requests (DSARs). Roughly 70% of the world’s population falls under a patchwork of data privacy regulations that grant data subjects different rights based on where they reside. Businesses have roughly one calendar month, or 28 days, to respond, address, and complete the data request or risk heavy fines for non-compliance. Data lives in disparate sources across the enterprise, and manually searching through vast amounts of data to locate and extract the requestor’s data can take an insurmountable effort in the short amount of time dictated by each regulation.
The new Personal Data Rights application offers greater visibility into data processing activities and more control of access request processes to expedite the completion of DSARs within the required timeframes. Pre-defined, configurable workflows collect and correlate requests and automatically generate action tasks and notifications based on the request type. The dedicated personal data rights workspace serves as a centralized location to manage requests with operational reports and dashboards to track progress and monitor time-to-resolution. The result is a more efficient and effective personal data rights management program to preserve customer trust and ensure compliance.
ESG Management:
There are several enhancements to our ESG product such as metrics enhancements, content, and integrations - but what I would like to talk about today is the new Scope 3 dashboard.
The Scope 3 dashboard provides a robust solution for tracking your organization’s GHG emissions across Scope 1, 2, and 3. It offers customizable data categories and automated metric definitions to ensure efficient and accurate management. This tool effectively addresses the challenge of quantifying Scope 3 emissions, which are common but notoriously difficult to measure. By facilitating comprehensive and adaptable tracking, the dashboard aids in meeting ESG compliance requirements. Designed for ESG Program Managers, Directors of ESG, and Chief Sustainability Officers, it is included with the ESGM standard package, making it an asset for managing and reporting on emissions.
These are just some of the highlights - there is so much more to talk about including new user experience enhancements, SharePoint support for policy authoring, audit report templates, and OSCAL support just to name a few of the other updates.
We are committed to the continued development of our risk and ESG products and would love the opportunity to show you them in action through live demos. Register here for our What’s New webinars.
Bookmark our 2024 Risk & ESG Events blog to keep up with our events each month.