Xanadu |
- Managing Operational vulnerability
- Address operational vulnerabilities through reporting, assessing impact, evaluating criticality, managing issues, and planning treatments in Operational Resilience Workspace. Report operational vulnerabilities by using either Employee Center or Operational Resilience Workspace.
- Maintaining Digital resilience third-party registers
-
Comply with Digital Operational Resilience Act (DORA) regulation requirements by creating contractual arrangements between the financial entities and the ICT service providers in Digital resilience third-party registers. The ICT third-party service provider records are maintained in Digital resilience third-party registers for DORA compliance.
Add or modify the records in bulk or individually for assessments, branches, contracts, functions, legal entities, supply chains, third parties, or third-party engagements. Export the records to Microsoft Excel format for the European Union to streamline the auditing process as per the regulation. You have the option to import the records from external sources into the Digital resilience third-party registers application.
|
Yokohama |
- Measure resilience metrics using the CSDM model
-
Define the entity types and pillars in Operational Resilience and generate the entities. Establish relationships between CSDM objects, including business services, service offerings, business processes, and application services. Specify the type of main node configuration that you want to use by setting the
sn_oper_res.opres_csdm_main_node_config property.
After generating the entities and setting up the main node configurations, you can import CMDB data into Operational Resilience for reporting. CSDM and their dependencies are updated weekly while the red flags data is calculated daily. The outcome is displayed on the Homepage or in the related list of the CSDM objects.
- Specify the primary origin of an operational vulnerability
- Identify the primary origin of an operational vulnerability in its record. Once the primary origin is specified, its upstream dependencies are automatically included in the impacted areas, enabling you to view the
operational vulnerability from all affected perspectives.
- Using Digital resilience incident reporting
-
Assess whether any critical services are affected and classify the reported incident as a major incident if necessary. Notify regulators of major incidents, categorized by their severity and security ratings.
The Digital resilience incident reporting module, accessible from the Operational Resilience Workspace, is integrated with Incident Management and Security Incident Response to generate and share reports in the format that is specified by the regulators.
You can generate an initial report within 24 hours, an intermediate report within 72 hours, and a final report within 1 month. All of these reports are automatically triggered by the application from the time that the
incident is classified as a major incident.
|
Zurich |
- Use the interactive Node Map visualization
-
Navigate operational dependencies using the interactive Node map visualization. Configure node and edge settings in the Nexus map, then display Main node configurations directly within the Operational Resilience Workspace. The Resilience map action provides access to relationships for Business Services (BS), Application Services (AS), Supporting Offerings (SO), Business Processes (BP), and
Dependencies modules in the map view.
You can configure node dependency directions and enhance visual elements with improved colors and icons for clarity. Additionally, you can gain comprehensive insights from the summary panel and address missing 'red flags'
for a complete picture.
- Generate Word reports of action tasks
- Use the Document designer to set up Microsoft Word templates and download action task reports in Digital resilience incident reporting. This functionality enables you to customize predefined templates or create templates, incorporating specific data like tables and columns from records, to generate
intuitive, audit-ready reports. You can then save these reports within the ServiceNow® instance or as cloud documents in Microsoft SharePoint.
- Report incidents associated with multiple regulations for various legal entities
- Report incidents or security incidents associated with multiple regulations for various legal entities in Digital resilience incident reporting. Its automated workflow generates regulatory reporting assessment of IT incidents, DRI Initial report, DRI Intermediate report, and DRI Final report within regulatory
timelines, each with dedicated action tasks. You can complete these tasks and generate reports in Microsoft Word format required by regulatory authorities for analysis.
- Generate Register of Information (RoI) regulatory packages
-
Generate regulator-ready Register of Information (RoI) regulatory packages using the Plain-CSV Report Package option on the download page in Digital resilience third-party registers. The resulting ZIP file, structured to regulator specifications, includes metadata and report folders with file names containing LEI, entity ID, and release
version.
This format helps you to verify EU
DORA compliance and supports automated validation workflows. For suggested steps and permissions, refer to the user guide on the Download and Upload request page.
- Validate downloaded Register of Information regulatory packages
-
Validate downloaded Register of Information (RoI) regulatory packages against requirements using the Plain-CSV Report Package option on the Digital resilience third-party registers download page. This process verifies file format, structure, encoding, naming conventions, and field-level data across multiple tables.
If validation warnings are detected, an automated report is attached, mapping issues to regulator fields like Template Code, Row Code, and Column Code. These reports include real-world field labels, rule expressions, and
record identifiers. You can easily cross-reference validation errors using a downloadable Excel template that mirrors the CSV structure, simplifying issue location and resolution. Further enhancements include support for
'Not applicable' values, enforced file size limits, and clearer error messages for malformed data.
- Improve resilience metrics with the enhanced CSDM model
-
Leverage the enhanced fix scripts in the Common Service Data Model (CSDM) to enhance your Operational Resilience metrics. Each node in the hierarchy is now stored separately, with its class and parent nodes, to help you manage your data more efficiently.
The Update CSDM and other dependencies scheduled job script has been optimized to process the main node configurations in parallel, triggering a separate event for each node. Any node can be at the top
level. Additionally, you can store impacted objects, including all parents, in a single table, so that you can efficiently retrieve children nodes and improve your data retrieval.
Configure the sn_oper_res.top_class_name property to designate any class as the top class. You can view the downstream data and various dashboards based on the selected top class, such as the number of
application services that are under a business service.
- Analyze importance and impact tolerance of a service using Smart Assessment
- Analyze a service's importance and impact tolerance through flexible assessments by using one or multiple Smart Assessment templates. Role-based access controls and auto-assigned tasks help you to streamline the process. You can reopen and complete assessments as needed and send email notifications to relevant
users.
- Generate customized and flexible self-attestation reports using Smart Assessment
- Generate customized and flexible self-attestation reports by using Smart Assessment. Start with the default template, add relevant scopes and users, and generate a PDF report on completion of the self-attestation process. By creating custom templates with various data types,
you make the self-attestation process more efficient.
- Leverage enhanced DORA capabilities for contracts, supply chains, and assessments
- Use the enhanced Digital Operational Resilience Act (DORA) data model in Operational Resilience. You can configure contracts based on their supply chains and assessments, upload the contract records, and generate a detailed report in Microsoft Excel that provides information on the entities, third parties, and specific contract details.
- Track third-party risk assessments
- Track third-party risk assessments as red flags in Operational Resilience reports and overview pages for business services, service offerings, and business processes. Operational Resilience users, managers, and administrators can review these assessments in Operational Resilience Workspace. The sn_vdr_risk_asmt.vendor_assessment_reviewer role is now included in the sn_oper_res.user role, so that you can grant the necessary access to the assessments.
|
Australia |
- Export action task reports
- Export DRIR assessment action task reports in Microsoft Word, Microsoft Excel, or JSON format from a drop-down menu. Generate Microsoft Word documents for narrative reports, Microsoft Excel spreadsheets with structured question-answer layouts, or JSON files for system integrations.
- Create Reporting configurations
- Manage document outputs centrally with the Reporting Configurations module in Digital resilience incident reporting. Administrators can manage template configurations, content configurations, and data relationship configurations from one place.
- Convert and aggregate contractual expenses to regulator-required currencies
- Standardize annual expense values during Register of Information report generation by enabling optional currency conversion and third-party total expense aggregation. The application converts contract amounts to a base
currency using 32 European Central Bank (ECB) exchange rates based on the reference date. Administrators upload monthly rates into the system. When eligibility criteria are met, expenses across multiple contracts are
aggregated by third-party providers or engagements, generating consolidated reports that comply with DORA regulatory requirements.
- Validate Legal Entity Identifiers using GLEIF API
- Validate Legal Entity Identifiers (LEIs) in real time against the GLEIF API across all four record form types — Legal Entity, Branch, Third Party, and Third Party Engagement. Name and country fields are auto-populated or
cross-checked on create and update, with warnings shown on mismatch.
- During Microsoft Excel upload, a batch verification consolidates and validates all LEIs against GLEIF before processing, flagging warnings while allowing administrators to save flagged rows for later correction.
During CSV package download, a dedicated LEI validation report is generated.
- GLEIF API performance using system properties
- Configure GLEIF API behavior using the following system properties:
- sn_dora_accel.gleif_api_batch_size — Controls how many LEIs are sent per request.
- sn_dora_accel.gleif_api_timeout_ms — Sets the HTTP timeout per API call.
- sn_dora_accel.lei_save_on_gleif_error — Controls whether rows that fail GLEIF validation during Microsoft Excel upload are saved with warnings or rejected.
- Monetary values for DORA reporting
- Control monetary value precision in DORA reports using the sn_dora_accel.decimals_monetary system property. Set it to 0 to round to whole units, or a negative value (for example, -3) to
round to thousands, based on regulator requirements.
- Duplicate record detection and warnings in DORA reporting Create Microsoft Excel download and upload request
- Detect and prevent duplicate DORA records across key workflows. A business rule blocks saving on the Contractual Arrangement form when a duplicate record is detected. Warnings are displayed when
duplicate rows are found during CSV downloads.
- Run advanced scenario analysis using simulation
- Plan and run advanced scenario analysis on a dedicated Scenario Analysis record, capturing simulation method, dependencies, and assignee. Progress through a guided Playbook with stages for dependency scoping, scenario
testing, result review, impact assessment, and final completion.
- Execute statistical model profiles to evaluate severe-but-plausible scenarios across services and dependencies. The record is locked once the treatment decision and reason are recorded.
- Template versions
- Track Smart Assessment Engine (SAE) template versions across assessment flows. New assessments automatically use the latest published Smart Assessment template version, while existing records on older versions continue to function without disruption. Assessment questions and automation logic handle different template versions correctly
within the same flow.
|