IRM integrations with other ServiceNow products
11-01-2022 11:45 AM
Hello
Is there a list of ServiceNow products that IRM integrates with? We would like to know all the integration points between IRM products like P&C, Risk, and Audit BCM with other products like ITSM, ITOM, HR, etc.
Thanks
11-03-2023 07:06 AM
Hi, I am looking for this answer as well! Did you find the answer you were looking for? I would appreciate your help!
11-04-2023 11:31 AM
Think of ServiceNow IRM as the umbrella with all of the other applications underneath it. Use IRM to establish governance for your entire company. To do this, (1) identify the regulations & frameworks that your company has to abide by, (2) figure out what applies specifically to your company & (3) publish documents that tie into those regulations/frameworks. The published documents [policy, process, procedure, standard, work instruction, template, etc.] need to contain (4) control objectives with matching (5) risk statements that you then apply to your ‘environment’ [aka (6) ‘entities’], which creates (7) tasks that go out and collect evidence.
This evidence is what you use to show your adherence to your published documents, which line up to those regulations and frameworks, and what you allow auditors to look at (if the scope fits) so disruptions to your team are minimized during an audit cycle and no one is frantically running around gathering evidence in prep for an audit cycle. Evidence can be gathered systemically or by sending a task to a competency owner.
The evidence can come from any other application in your ServiceNow ecosystem. Literally, any… ITSM incidents or change tickets. SecOps finding a vulnerability or a threat. TPRM assessments that satisfy your vendor management policy. HR & any triggered onboarding or termination requirements. ESG and the air quality measurements. BCM and the tabletop exercises that were conducted or the BIA that was done. This list can go on forever because any data element that you have in the platform can be associated up to a requirement in a published document that satisfies a regulation or framework.
A risk management program is the next evolutionary step that happens with maturity, which is pretty awesome because at that point decisioning and focus is targeted based on risk.
11-04-2023 11:37 AM
ServiceNow IRM, or Integrated Risk Management, is a suite of applications designed to help organizations manage risk, compliance, policy, and audit processes in a unified and integrated manner. [from the ServiceNow site 3/27/23]
It is driven by your company policies and control objectives. In your IT operations, you have a control objective that says, “Everyone will have a password that is hard to guess.” Your company decides the details that are good for your environment and creates a policy that says, “All passwords will be this big and this long and use letters, numbers, and special characters and it has to be changed every 90 days.” ServiceNow IRM allows this process and compliance to be automated in your IT management applications by verifying that employees are meeting these requirements, prompting them to change their password when it is time and even locking the account if they don’t comply after several prompts. The policy is in place because there is a risk if passwords are easy to guess and if you never change them. This allows you to automatically control your risk.
In your HR department, when onboarding a new employee, there are several things that must be done to maintain best practices with hiring. Background check is complete, company email setup [HR works with IT to do this, and can be fully automatic], setting up access to company assets [sales data, marketing data, financial data, etc.]; each employee will have different requirements. Once again coordinated through IT and can be automated – for example, the hiring manager will receive a message from the ServiceNow app saying that a new employee that you requested is coming on board; please identify what resources they will need access to on the network, and also what computer equipment and supplies they will need. ServiceNow fully automates this and generates the request orders for the supplies and the network access and associates the employee with them. The equipment is automatically tracked in the Hardware Assets application and any software entitlements assigned to the employee are tracked in the Software Asset application. The configuration of their systems is tracked in the CMDB.
To identify if your customer is taking advantage of their IRM application, look at their control objectives and their policies. Many companies do not have structured policies to drive IRM integration, so this might be the best place to start. So, what does that mean?
Try this: if the customer is doing business and takes credit cards, there is an authority document from PCI/DSS that is 400+ pages of citations and control objectives that they need to be compliant with. Passwords, physical access to the network and servers, cameras monitoring access to secure areas, network documentation, etc. If they do any business with the government, they will likely have to follow another authority document, the NIST cyber security framework, that outlines similar security controls like PCI/DSS. Many other frameworks exist [COBIT, CMMC, ITIL, ISO 27001, etc.], and they integrate with nearly every aspect of the ServiceNow application.
Find out what controls your customer needs to have in place, and make sure they create policies that must be followed. The authority documents only provide a framework; many of the citations will not be applicable to your client, so they don’t require a policy. For example, for a section on food processing, they would just make a note that says, “We don’t process food at our facility” since it doesn’t apply.
11-06-2023 06:48 AM
What I can think of:
- A Security Incident Response ticket (SecOps) can be escalated as a Risk Event (IRM)
- A Policy Exception request (IRM) can be raised from a Vulnerability Management ticket (SecOps)