Get Started
When the technology that’s all around just works, the world works.

Q&A | February 25, 2022

How using AI can remake human resources

ServiceNow’s chief audit executive on risk in the era of digital transformation, ESG, and other operational needs

The unprecedented rate of economic change in the last two years has influenced strategy, brought about rapid operational changes, and created new global risks.

That risk management is now an even bigger priority for boards of directors, CEOs, and security/risk teams is no surprise. Workflow spoke with Brian Foster, ServiceNow’s head of internal audit and enterprise risk management, about the importance, pace, and new developments in risk management in 2022.

The interview below has been condensed and edited for clarity.

 Workflow Guide

Cyberthreat control & management

Read guide

A company can’t grow without taking risks, but it can be smart about considering these risks as part of the strategic planning process. Risk management starts with a company’s goals and objectives, and with strategies to achieve these objectives. Execution of these strategies involve various levels of risk, and organizations must determine the risk tolerance the company is willing to accept to drive growth. That requires having transparent conversations with senior leadership and the board of directors, who can assign oversight and management of risks to an acceptable level within the organization.

Digital business models are more efficient than traditional ones, but they often also increase an organization’s risk profile because of the expanded online connectivity. For example, in the last decade, employee and customer expectations of data privacy and security have increased in the US and the EU. And as cybersecurity threats grow more sophisticated, protecting customer and employee data becomes more important. What’s important is proactively mitigating operational risk.

Two words: organizational complexity, which is influenced by several factors, including cross-functional execution, operational maturity, and company growth rate.

The solution is a clear accountability model for risk ownership across functions, and that bridges silos. This works if teams have confidence that other teams are following through and resources are aligned. Our senior leadership team cuts through the organizational complexity by embedding risk management throughout the organization, and by assigning accountability.

For example, our chief information security officer [CISO] doesn’t have a direct line of authority over all employees, but he has clear accountability for cybersecurity risk regardless of where processes are executed. He has authority over the matrix to properly manage the risk.

Anti-corruption presents another interesting example. Our chief legal officer is accountable for anti-corruption policies and programs, but sales, customer success, partner management, and other teams play key roles in managing that risk. We created lines of accountability up to legal with senior-level support. In this way, risk management doesn’t impede our growth, it supports it.

ESG is an emerging area with many stakeholders. Many customers and employees expect environmental and social obligations to be mainstays of a company’s mission and values, and increasingly investors expect companies to formally account for ESG goals. The SEC is considering how to make ESG part of corporate reporting requirements.

ServiceNow has embedded ESG into its governance, risk, and compliance program. We use an ESG management framework with controls and workflows to collect data, monitor progress, and compile all our global impact efforts in one, shareable report.

If you haven’t already started thinking about these things, now is the time to start.

Hiring and retaining talent is a key factor when considering the tradeoff between growth and risk, especially in the tech industry. The pandemic has intensified the competition for talent. Organizations may not be able to meet their objectives absent the right talent.

I don’t think of third-party risk as a risk on its own. Rather, I think of it as a risk lens that is pervasive across many other risks. But either way, it can impact our ability to grow. We closely track dependencies with our partners, vendors, and other third parties so we are prepared to act if a cybersecurity, data privacy, or anti-corruption issue emerges.

Trending articles

Related

 Facilitate Collaboration Between IT Operations Management and Security Operations with AIOps

Get eBook

Related articles

Companies are playing catch-up on cybersecurity
ARTICLE
Companies are playing catch-up on cybersecurity

For many organizations, investing ahead of the breach is a hard sell

Navigating the future of data privacy
ARTICLE
Navigating the future of data privacy

How AI and design thinking could help keep data safe

​​When Dev meets Sec
ARTICLE
​​When Dev meets Sec

Bringing developers and security teams together doesn’t have to put speed at odds with safety. DevSecOps ultimately improves culture and products.

Securing hospitals against cyberattack
ARTICLE
Securing hospitals against cyberattack

The healthcare industry is a soft target for nation-state and terrorist hacking groups. Waiting for the next attack is not the answer.