Q&A | February 25, 2022
ServiceNow’s chief audit executive on risk in the era of digital transformation, ESG, and other operational needs
The unprecedented rate of economic change in the last two years has influenced strategy, brought about rapid operational changes, and created new global risks.
That risk management is now an even bigger priority for boards of directors, CEOs, and security/risk teams is no surprise. Workflow spoke with Brian Foster, ServiceNow’s head of internal audit and enterprise risk management, about the importance, pace, and new developments in risk management in 2022.
The interview below has been condensed and edited for clarity.
A company can’t grow without taking risks, but it can be smart about considering these risks as part of the strategic planning process. Risk management starts with a company’s goals and objectives, and with strategies to achieve these objectives. Execution of these strategies involves various levels of risk, and organizations must determine the risk tolerance the company is willing to accept to drive growth. That requires having transparent conversations with senior leadership and the board of directors, who can assign oversight and management of risks to an acceptable level within the organization.
Digital business models are more efficient than traditional ones, but they often also increase an organization’s risk profile because of the expanded online connectivity. For example, in the last decade, employee and customer expectations of data privacy and security have increased in the US and the EU. And as cybersecurity threats grow more sophisticated, protecting customer and employee data becomes more important. What’s important is proactively mitigating operational risk.
Two words: organizational complexity, which is influenced by several factors, including cross-functional execution, operational maturity, and company growth rate.
The solution is a clear accountability model for risk ownership across functions, and that bridges silos. This works if teams have confidence that other teams are following through and resources are aligned. Our senior leadership team cuts through the organizational complexity by embedding risk management throughout the organization, and by assigning accountability.
For example, our chief information security officer [CISO] doesn’t have a direct line of authority over all employees, but he has clear accountability for cybersecurity risk regardless of where processes are executed. He has authority over the matrix to properly manage the risk.
Anti-corruption presents another interesting example. Our chief legal officer is accountable for anti-corruption policies and programs, but sales, customer success, partner management, and other teams play key roles in managing that risk. We created lines of accountability up to legal with senior-level support. In this way, risk management doesn’t impede our growth; it supports it.
ESG is an emerging area with many stakeholders. Many customers and employees expect environmental and social obligations to be mainstays of a company’s mission and values, and increasingly investors expect companies to formally account for ESG goals. The SEC is considering how to make ESG part of corporate reporting requirements.
ServiceNow has embedded ESG into its governance, risk, and compliance program. We use an ESG management framework with controls and workflows to collect data, monitor progress, and compile all our global impact efforts in one shareable report.
If you haven’t already started thinking about these things, now is the time to start.
Hiring and retaining talent is a key factor when considering the tradeoff between growth and risk, especially in the tech industry. The pandemic has intensified the competition for talent. Organizations may not be able to meet their objectives absent the right talent.
I don’t think of third-party risk as a risk on its own. Rather, I think of it as a risk lens that is pervasive across many other risks. But either way, it can impact our ability to grow. We closely track dependencies with our partners, vendors, and other third parties so we are prepared to act if a cybersecurity, data privacy, or anti-corruption issue emerges.