How CNA unified risk and scaled assessment from 50 to 900+ apps Before considering agentic AI, CNA had to solve a harder problem: seeing enterprise risk across 900 applications. Here's how they did it.
18X Increase in application risk assessment capacity (from 50 to 900+) 5+ Fragmented GRC tools replaced

The blind spot: 850 unseen applications

“Trust is not a feeling,” says Jackson Munuo, Global VP of Technology Risk & Control, CNA Insurance. “It’s a promise made at a person’s most vulnerable moment.”

In commercial property and casualty insurance, vulnerability takes many forms: a catastrophic storm that triggers thousands of claims, or a claim that determines whether a business survives, for example. When CNA’s policyholders pay premiums, they’re exchanging money for the trust that CNA will be there when the worst happens. That they’ll investigate fairly, respond quickly, and make things right.

Keeping that promise in a highly regulated industry requires flawless integration of customer portals, rating engines, compliance tracking, and core insurance systems across claims, servicing, and underwriting. For CNA, a 125-year-old industry leader who manages policies across multiple states and jurisdictions, processes need to be in sync: policies applied consistently across state lines, regulator changes reflected immediately, and audit trails that hold up under scrutiny from state insurance departments. But behind the scenes, manual processes and disconnected systems were making that harder than it should be.

CNA’s governance, risk, and compliance (GRC) operations were scattered across disconnected point solutions. One tool managed controls in the claims processing system, another handled risk assessments for policy underwriting, and a third tracked compliance requirements across state regulators. But the policy administration system had its own compliance view. The rating engine had another. The result was a fragmented picture of risk, and no unified way to demonstrate compliance across the business.

Its 900-application portfolio spans everything from policy administration and claims processing to underwriting, rating engines and customer portals. Each touches policyholders or regulatory requirements. But manual spreadsheets only gave the team capacity to assess 50 systems per year.

The manual work was challenging: “Every time there was a change in the environment—like new SOX (Sarbanes-Oxley) Act requirements—we had to go and manually update those. It was a very heavy lift,” Jackson explains. “We’d have to go to five different places to make sure we were current. We wanted a single source of truth.”
We breathed a sigh of relief that we no longer have to do that manual work anymore. We can go into a single system and see everything. Jackson Munuo Global VP of Technology Risk & Control, CNA Insurance

Why fragmented systems prevent risk visibility

Fragmentation created another problem: inefficiency. Risk, audit, and compliance teams operating on different systems meant asking the same business units for the same data multiple times.

“We were asking people for the same data multiple times a year across different requests,” notes Jackson. “It created a duplication of effort that caused people to question the efficiency of the process.” When four different teams ask the same business unit for the same data, the message is clear: your governance isn’t coordinated. And uncoordinated governance limits what's possible with AI. "AI-assisted control testing is allowing us to do more with less," Jackson notes—but only once the data lives in one place.

CNA brought its risk operations together on the ServiceNow AI Platform, using Integrated Risk Management (IRM), IT Service Management (ITSM), and a shared CMDB. That changed everything.

Scaling from 50 to 900: How unified governance revealed the full risk landscape

What started as consolidating risk and compliance expanded into a full platform transformation. Over three years, CNA unified incident management, change control, infrastructure operations, and GRC into one operational core. 

The infrastructure team built a complete, accurate view of the IT landscape. "When the data source is the same single source of truth, it makes it easier for the teams to compare the data and get real-time analysis," explains Kalyan Srinivasan, VP of Global IT Infrastructure.

For Jackson’s risk and compliance teams, the shift was seismic. They moved from managing updates across multiple disconnected systems to managing them on one AI platform. Manual work disappeared. Audit trails became complete and immutable.

But the real win was scale. Now, with unified governance and automation, Jackson's team can test controls across their entire 900-application portfolio. AI-driven risk scoring surfaces issues automatically through CMDB integration, without needing manual assessment or back-and-forth with other business units. They identify risks before auditors do and can respond to regulatory changes in hours instead of days.

Complete visibility meant they could deliver on the promise Jackson opened with: gaining customer trust in what is likely a difficult time in their lives.

"We breathed a sigh of relief that we no longer have to do that manual work anymore," he reflects. "We can go into a single system and see everything." 

There’s also a new sense of independence among the members of Kalyan's infrastructure teams. "My team is now able to get into ServiceNow and search for a particular asset and get all the information about it," he says. "They don't have to wait for someone else to pull it together. They can get the data themselves, understand what's going on, and take action in a timely manner."
Progress is no longer just about responding to a crisis—it's about using intelligence to stay ahead of it. Kalyan Srinivasan VP of Global IT Infrastructure, CNA Insurance

AI-driven risk management: from reacting to crises to anticipating them

With unified governance in place, CNA is now preparing for the next phase: agentic AI for controls testing and risk analysis. That’s only possible because the foundation is solid—a single AI control tower that knows every policy, every control, and every permission boundary.

The shift is profound. “Resilience used to be about recovery," Jackson reflects. "Now it's adaptability. With AI workflows, we can anticipate things much faster, react more accurately."

For CNA, agentic AI means being able to test controls across policy systems, claims workflows, and underwriting platforms—the exact systems that touch customers when crisis hits.

The result: CNA’s history is now a competitive advantage, not a burden. The business multiplied its assessment capacity by a factor of 18 and can now move as fast as modern risk demands.

Kalyan agrees but describes it differently: "Progress is no longer just about responding to a crisis—it's about using intelligence to stay ahead of it." 

For CNA, this shift means the company is prepared, compliant, and thinking ahead. 
Share this story Products Used Integrated Risk Management IT Service Management Customer Details Customer CNA Insurance Location Chicago, Illinois Industry Insurance Employees 6,000+
About CNA Insurance CNA Insurance is one of the largest U.S. commercial property and casualty insurance companies. Backed by more than 125 years of experience, CNA provides a broad range of standard and specialized insurance products and services for businesses and professionals in the U.S., Canada, and Europe.
Integrated Risk Management Explore the solution that helps CNA Insurance unify risk and scale assessment from 50 to 900+ apps. Watch Demo Connect with an expert Whether you need to streamline a process or develop apps fast, we're here to help. Contact Us
Recommended Stories View All Stories ProAssurance recasts insurance to insurtech with passion and persistence Video CTA Read Story Blackhawk Network expands customer loyalty with the ServiceNow AI Platform Video CTA Read Story PIC creates a digital workplace with an enterprise platform for the future Video CTA Read Story Votorantim uses ServiceNow Impact to accelerate ROI Video CTA Read Story