Click here to Download the PDF or continue reading below.
Risk Identification is an arduous process requiring organizations to consolidate and organize information from several sources. According to IMA’s “Enterprise Risk Management: Tools and Techniques for Effective Implementation, Institute of Management Accountants, 2007.”, organizations may use any or all of the following methods to collect information related to existing as well as emerging risks within their organization:
Creating a risk register is a crucial first step in ensuring the success of your ServiceNow Risk Management implementation. These risk registers, maintained in ServiceNow as frameworks and associated risk statements, play an important part in helping you with tracking risk scores, priorities and categories and mitigation and remediation activities. Risk statements can be imported into ServiceNow from an excel sheet or created manually.
Different authorities describe Risk Analysis activities differently. For the purposes of our approach, INRY describes Risk Analysis as the “Characterization and Categorization of Risks” – this implies classifying risks according to risk drivers, impact or any other collection of “buckets” that are the most relevant in the context of your Organizations Risk philosophy.
In addition, organizations also like to categorize Risks as High / Medium / Low. Sometimes this is done iteratively with the next step, “Measure”
According to Information Systems Audit and Control Association (ISACA), Risk Analysis can be performed by one of two methods: Quantitative Analysis or Qualitative Analysis.
Quantitative Risk Assessment involves quantification of all elements of the risk, including the asset value, determining an exposure factor (EF) for each threat, calculating a Single Loss Expectancy (SLE), calculating the potential Annual Rate of Occurrence (ARO) and deriving an Annual Loss Expectancy (ALE) by multiplying ARO with SLE.
The advantage of this approach is that it is based on assigning an actual financial value to the risk. The downside, obviously, is that you cannot always quantify the impact of the risk in terms of dollars.
Most organizations use a Qualitative Analysis or a non-financial analysis for Risk measurement. This is based on intuition and experience. The most common qualitative analysis used for Risk measurement is the simple Likelihood x Impact formula. The Risk is scored based on the probability that it might occur in a year (Likelihood) multiplied by the damage it can cause if unmitigated (impact). Scoring is typically performed on a scale of 1 to 5 or 1 to 10.
ServiceNow supports both methodologies and does not restrict you in any way if you cannot perform Quantitative scoring. You can still use the Qualitative method to effectively manage and track risk.
It is easy to configure business rules to assign a priority to the risk, as described in the Analysis section, based on the Risk Score.
ServiceNow has a fantastic underlying workflow engine and native ITSM capabilities which makes it a truly unique risk management platform.
According to The Forrester Wave: Governance, Risk and Compliance Platforms, Q1 2018, “ServiceNow’s GRC module leverages the information that the ITSM tool collects (including data for asset management, change management, incident management, and problem management), which makes a compelling driver for IT GRC use cases.
Customers of ServiceNow ITSM are finding ServiceNow GRC to be an easy transition that helps them take a risk-based approach to information security and IT operations.”
This means that the ability to manage and mitigate Risk is supported well by ServiceNow. If you have the ITSM product on ServiceNow; then the people that are most likely to use the platform for Risk Management are probably already using it for ITSM. ServiceNow’s workflow engine makes it easy to track the “states” of a risk – from “draft”, to “review” to “retire” and generate workflows for exception management and risk acceptance.
According to the Institute Of Internal Auditors (IIA), Risk Management is not a once-and-done thing. Truly effective risk management requires continuous monitoring, risk assessments, internal audit assessments, and an ongoing evaluation of an ever-changing and dynamic global business environment. In fact, this is the most daunting aspect of Risk Management.
ServiceNow makes this easier by providing an ability to create indicators for continuous monitoring; ticklers or notifications for key dates or action triggers; and setting automatic alerts/ notifications when Assessments or Risk Acceptances have been assigned to various individuals within an organization.
You can also monitor risks by mapping them to internal policies or controls, essentially flagging off a risk when a control is observed to be compromised or fails.
Out-of-the-box reports and dashboards make it easy to create an Inherent Risk Heatmap.
In conclusion, if you are evaluating ServiceNow for Risk Management, you are probably on to a viable solution. The ServiceNow platform is very feature-rich and can be an overwhelming experience initially if you are new to Risk Management within the platform.
INRY has a very simple and straightforward approach to implementing Risk Management, which can be enhanced over time as the maturity of your organization grows and evolves.