The second step is to enable the Risk Management application in ServiceNow. The Risk Management plugin is typically included in your ServiceNow GRC licenses. The main focus in this step is to consolidate your risk register and KRIs and combine them into a central repository within ServiceNow.
All the information developed in Step 1, including your assessment process and measurement approach, is consolidated and migrated into ServiceNow. From here on, you have a minimum viable product in which you can start using the tool to manage and maintain your risks.
The key differentiator between ServiceNow GRC and the other tools out there is ServiceNow’s ability to automate risk management. If your risks have been mapped to your controls, you can now leverage ServiceNow’s Indicators. Indicators are used to collect data to monitor and measure compliance and risks, and are also used to collect audit evidence.
This enables consistency and real-time rather than point-in-time measurement. By adding Indicators to a Risk (think of them as Key Risk Indicators), you collect the metrics and can aggregate and integrate results from various assessments. You can also leverage other data available in ServiceNow (Service Management, Asset Management or Vendor data) to measure and monitor risks.
Once all three of the above steps are complete, Risk Management can team up with Compliance and configure Issues to continuously monitor risks and automate risk management activities.
In ServiceNow, Issues can be automatically created when:
While risk management is a strategic function, most of our clients note that it quickly devolves into an operational role. So much of a Risk Manager’s time is spent collecting data, analyzing it, and collating, aggregating and slicing and dicing it for senior leadership reports that there really isn’t much room for generating insights or thinking strategically.
With ServiceNow, most of the routine data collection activities become automated. Alerts, SLAs and notifications can be used to track various activities and perform automatic escalations. This enables Risk Managers to more proactively and consistently assess risks and measure them; understand and provide real-time reports on financial and statistical impacts of risks to the organization; and assist in both qualitative and quantitative risk-based decision making.
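To make the Indicator and escalation ideas concrete, here is a small added example of indicator-driven risk monitoring. It is not ServiceNow code and uses none of the platform’s APIs; the risk, KRI, sample and issue records, their field names, and the threshold and SLA values are all constructed for illustration. It shows the three pieces the text describes: indicator samples rolled up per Key Risk Indicator over a window (continuous rather than point-in-time), an issue opened automatically when a KRI breaches its threshold or has no data at all, and an open issue escalated once it has aged past its SLA.

```javascript
// Added example (not ServiceNow code): a minimal model of indicator-driven
// risk monitoring. Indicator samples are aggregated per KRI, compared to a
// threshold, and a breach opens an "issue"; an open issue past its SLA is
// escalated. All record and field names here are hypothetical.

// Constructed sample data: one risk mapped to two KRIs.
const RISK = { id: "RISK-001", name: "Unpatched critical systems" };

const KRIS = [
  // aggregate: how samples roll up; threshold: breach boundary; slaHours: time to act
  { id: "KRI-PATCH", risk: RISK.id, aggregate: "max", threshold: 30, slaHours: 72 },
  { id: "KRI-VULN",  risk: RISK.id, aggregate: "avg", threshold: 5,  slaHours: 24 },
];

// Constructed indicator samples (the kind of data an indicator would pull
// from asset or vulnerability records on a schedule).
const SAMPLES = [
  { kri: "KRI-PATCH", at: "2024-03-01T00:00:00Z", value: 12 },
  { kri: "KRI-PATCH", at: "2024-03-08T00:00:00Z", value: 45 },
  { kri: "KRI-VULN",  at: "2024-03-01T00:00:00Z", value: 4 },
  { kri: "KRI-VULN",  at: "2024-03-08T00:00:00Z", value: 3 },
];

const AGGREGATORS = {
  max: (xs) => Math.max(...xs),
  avg: (xs) => xs.reduce((a, b) => a + b, 0) / xs.length,
};

// Roll up the samples for one KRI within a window. ISO-8601 UTC strings
// compare correctly as plain strings, so `at >= since` is a date comparison.
function aggregateKri(kri, samples, since) {
  const values = samples
    .filter((s) => s.kri === kri.id && s.at >= since)
    .map((s) => s.value);
  if (values.length === 0) return null; // no data is itself a finding
  return AGGREGATORS[kri.aggregate](values);
}

// Evaluate every KRI and open an issue for each breach (or missing data).
function evaluate(kris, samples, since, now) {
  const issues = [];
  for (const kri of kris) {
    const value = aggregateKri(kri, samples, since);
    if (value === null || value > kri.threshold) {
      issues.push({
        risk: kri.risk,
        kri: kri.id,
        value,
        threshold: kri.threshold,
        openedAt: now,
        state: "open",
        reason: value === null ? "no indicator data" : "threshold exceeded",
      });
    }
  }
  return issues;
}

// Escalate any open issue that has been open longer than its KRI's SLA.
function escalate(issues, kris, now) {
  const slaByKri = Object.fromEntries(kris.map((k) => [k.id, k.slaHours]));
  const nowMs = Date.parse(now);
  return issues.map((issue) => {
    const ageHours = (nowMs - Date.parse(issue.openedAt)) / 3600000;
    const overdue = issue.state === "open" && ageHours > slaByKri[issue.kri];
    return overdue ? { ...issue, state: "escalated", ageHours } : issue;
  });
}

// One monitoring cycle: evaluate at the end of the window, then re-check SLAs later.
function run() {
  const issues = evaluate(KRIS, SAMPLES, "2024-02-15T00:00:00Z", "2024-03-09T00:00:00Z");
  return escalate(issues, KRIS, "2024-03-13T00:00:00Z");
}

console.log(JSON.stringify(run(), null, 2));
```

With the constructed data, KRI-PATCH rolls up to 45 (max of 12 and 45) and breaches its threshold of 30, so one issue is opened; KRI-VULN averages 3.5, under its threshold of 5, so nothing is raised for it. Four days later the open issue is past its 72-hour SLA and is marked escalated. Treating an indicator with no samples as a breach is a deliberate choice: a silent data feed should surface as an issue rather than read as a clean result.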
So what does a successful implementation look like? It’s the point at which a high functioning Risk Management organization can: