Step 2: No Looking Back – Consolidate
The second step is to enable the Risk Management application in ServiceNow. The Risk Management plugin is typically included in your ServiceNow GRC licenses. The main focus in this step is to consolidate your risk register and KRIs into a central repository within ServiceNow.
All the information developed in Step 1, including your assessment process and your measurement approach, is consolidated and migrated into ServiceNow. From here on, you have a minimum viable product in which you can start using the tool to manage and maintain your risks.
Step 3: The Only Way Is Up – Integrate
The key differentiator between ServiceNow GRC and the other tools out there is ServiceNow's ability to automate risk management. Once your risks have been mapped to your controls, you can leverage ServiceNow's Indicators. Indicators collect data to monitor and measure compliance and risk, and are also used to collect audit evidence.
This enables consistent, real-time measurement rather than point-in-time measurement. Indicators attached to a Risk (think of them as Key Risk Indicators) collect the metrics and let you aggregate and integrate results from various assessments. You can also leverage other data already in ServiceNow (Service Management, Asset Management or Vendor data) to measure and monitor risks.
Step 4: Teamwork – Automate
Once all three of the above steps are complete, Risk Management can team up with Compliance and configure Issues to continuously monitor risks and automate risk management activities.
In ServiceNow, Issues can be created automatically when:
- An indicator result is Failed or Not Passed
- An attestation result is Not Implemented
- Control test effectiveness is marked “Ineffective” and the state of the test is Closed Complete
Step 5: Become a leader – Influence
While risk management is a strategic function, most of our clients note that it quickly devolves into an operational role. So much of a Risk Manager's time is spent collecting data, analyzing it, and collating, aggregating and slicing it for senior leadership reports that there is little room left for generating insights or thinking strategically.
With ServiceNow, most of the routine data collection becomes automated. Alerts, SLAs and notifications can be used to track activities and perform automatic escalations. This lets Risk Managers assess and measure risks more proactively and consistently; understand and provide real-time reports on the financial and statistical impact of risks to the organization; and support both qualitative and quantitative risk-based decision making.
Step 6: Success – Sustain
So what does a successful implementation look like? It is the point at which a high-functioning Risk Management organization can:
- Continuously improve its risk management practices
- Use KRIs to drive organizational behavior
- Help the enterprise adapt rapidly to changing conditions, with visibility not just into the risks themselves but into the inter-relationships between risks, all fully embedded in your compliance framework