6 Things You Need to Know About ServiceNow Vancouver Release for IRM

With the Vancouver release, new features and enhancements have been made within the following areas:

1. Risk Management

Target Risk Assessment

Target risk refers to the future/ideal condition of a risk after the implementation of additional controls and remediation measures, which should align with the organisation’s risk appetite. To effectively bring the risk within appetite, a risk mitigation plan is devised, typically entailing associated costs. To assess whether these costs are justified by the expected benefits, organisations often conduct a target risk assessment. This process helps evaluate the potential outcomes and trade-offs associated with risk management strategies, ensuring that decisions align with the organisation’s overall objectives and tolerance for risk.

ServiceNow Target Risk Assessment allows:

• flexibility in tailoring target risk assessment methodology as per unique needs,
• defining rules to make target risk assessment conditionally mandatory,
• assessing target risk similar to inherent and residual as part of the RCSA,
• analysing the future risk appetite status once the target risk state is reached,
• aggregating target risk across a risk statement, an entity or a combination of both,
• reporting and visualising target risk on the heatmap visualisation,
• analysing the risk trend and movement from inherent to residual to target.

Similar to inherent and residual risk assessments, assessors can analyse the anticipated state of risk based on the defined assessment methodology factors, scoring logic, and rating criteria. In addition to this, the system calculates the future risk appetite status according to the target risk profile. This allows assessors to evaluate whether the target risk aligns with the organisation’s risk appetite. Risk approvers can efficiently review the target risk rating and the future appetite status, providing them with the information needed to assess and approve the risk effectively. It’s worth noting that target risk assessments can be conducted for both risk-based and object-based assessment methodologies. However, when using an object-based approach, the “Future appetite status” will not be computed or displayed.

Note: If target assessment is enabled for a methodology, that risk can only be assessed using the next experience.

Once the risk assessment is published, the system also consolidates the target risk rating across the risk statement, entity, or a combination of both. On the heatmap visualisation, users can examine the target risk profile to gain a comprehensive understanding of the risk, allowing them to analyse the initial (inherent), current (residual), and future (target) states of the risk. If the risk assessment criteria are shared across inherent, residual, and target risk, then users can also assess the risk’s transition from inherent to residual to target. Through the risk trend capability, users can further scrutinise how the risk has evolved over the previous five periods and whether it is progressing in the desired direction.

Note: Overview and home page widgets have not been modified for target risk assessment and will be enhanced in future releases.

Before this new feature was introduced, customers had limited visibility into quantifying how far their current risk score was from their target risk score based on appetite. Now, customers can see and prioritise mitigating activities to achieve the desired level of risk.

2. Compliance Case Management

Compliance Case Management (CCM) is a new application that came with the ServiceNow Vancouver release. It enables to report, investigate, and resolve compliance cases, such as complaints and breaches, policy modification, clarification, or inquiry, and have it addressed by the compliance team. It comes with new terms:

• Compliance case: to report any violation of the organisation’s policies
• Compliance request: to look for advice or guidance on the organisation’s policies

As a real-life example of the compliance case/request:

• manipulation of confidential business information by an employee (C),
• duplicate payment of supplier invoices and cleaning of supplier master files (C),
• unauthorised removal of corporate information (C),
• the employee raised a request about her/his engagement in an external consulting activity (R),
• inquiry on the policy-related data retention (R).

CCM brings the next step to the Compliance office open-door: a simple & safe channel for every stakeholder to contact the compliance office on a policy or regulatory enquiry/violation. Secondly, by reporting a case, you reduce the adverse regulatory actions that could impact the company’s financials, reputation, and growth.

Key features:

• Reporting a case from Employee Center or Compliance Workspace – Employees can raise compliance case/request and reach out to the compliance team from a common portal page “Employee Center”. The same can be done from the Compliance workspace.
• Get operational insights into the current state of the compliance cases and requests – The compliance team analyses the case/request and performs needed investigations & assessments by collaborating with various teams by creating and assigning case tasks. Also, the compliance team identifies related policies and controls, regarding the request and obtains additional approvals if needed.

• 360-degree compliance case view – it provides valuable insights into how related objects (regulations, citations, impacted areas, related areas, entities, and case tasks) interact and relate to each other within the compliance case. You can take action on the displayed records. For example, when you select the Policy option, it enables you to explore the list of policies that are related to the compliance case.
• Case tasks that support investigation – Compliance case analysts can create case tasks and assign the tasks to the relevant person. Each case can have multiple case tasks and there are multiple case task types, eg.: investigation, and assessment (including out-of-the-box assessment templates with predefined questions). This way, the compliance case analyst can collaborate with various teams to investigate, assess, and capture observations that are related to the case.
• Admin features – They configure behaviour by managing case/request types. For each case type, it is possible to configure specific workflow (state transitions, approvals), form view, and assignment rules/templates. Additionally, the workspace is customisable.

You can simply install it as the plugin: “GRC: Compliance Case Management (sn_comp_case)”. Compliance Case management is available in IRM Standard, IRM Professional, and IRM Enterprise. IRM lite operator has access to Compliance Case Management tasks.

3. Policy & Compliance, common GRC features

Employee Center Enhancements

In the ServiceNow Vancouver release, several enhancements were added to the Employee Center to provide an excellent user experience. Continued improvements in the user experience allow you to adopt products faster and provide an outstanding user experience.

Specifically these features were added: 

• ability to view all policies and all requests in one place and sort by either KB article or request filter,
• ability to view quick links to report issues, request exceptions, report risk events etc.

Policy Authoring Enhancements

Thanks to the release, customers can now change the document linked to the policy record without generating a new policy record. Additionally, there is a new scheduled job which automatically sets user permissions based on policy reviewer, approver, owner and contributor for MS OneDrive policy files. 

Previous releases introduced integration with Microsoft OneDrive – users could create a new document on OneDrive by providing the name and folder location. The new auto-refresh functionality establishes the connection with the new document and creates it on OneDrive. Before, policy authoring required refresh “clicks” to update the data. 

*Please note that the integration with MS OneDrive requires additional configuration on both platforms – ServiceNow and Microsoft tenant.

Grouping attestations in the Workspace

The feature of grouped attestations already exists but in the Vancouver release, it is added into the Compliance workspace – same response or different response for each assessment, both in one UI.

Licensing and IRM Lite Operator role

IRM Lite Operator (GRC Business User – Lite) role is updated and new activities can be performed. If you are a lite operator and do not have an operator license, you can still approve policy exceptions, evidence requests, advanced risk assessments, report and read issues, and many others. If you are an indicator task owner, you can respond to indicator tasks with the lite operator license. You can also do similar tasks in the Employee Service Center. All enhancements are available in IRM Standard / Professional / Enterprise.

4. Third-party Risk Management

The vision of Vendor Risk management has changed and expanded to address all potential risks from an organisation’s entire third-party ecosystem. Therefore, the name of the application is changed from Vendor Risk Management to Third-party Risk Management.

Due Diligence Workflow

Vancouver release presents a new framework for TPRM processes. The aim is to have a consolidated workflow for onboarding, due diligence, and offboarding of third parties. Users can now request due diligence for a new or existing third-party engagement and respond to IRQs (inherent risk questionnaires) assigned to them.

The lifecycle has several steps:

Due diligence helps with reducing risk and enhancing organisational resilience and compliance across the whole third-party ecosystem. It provides a holistic approach to managing all domains of third-party risks.

Risk Concentration Map

ServiceNow Vancouver release also brings new features to the Vendor Management Workspace, e.g. risk concentration map which allows to visualise third-party entities and engagements on the map. It brings additional capability to prioritise tasks and remediations based on geographical location. Please note that additional licensing for the Google Maps API key is required.

5. Business Continuity Management

Business Continuity Management Workspace 

Persona-based workspace tailored for BCM managers enhancements to home pages and dashboards across business impact analysis, planning, exercises, communication, crisis management, and loss and recovery to improve visibility, drive efficiencies with tailored experience.

Business Outcomes:

• Increases team’s productivity by reducing the number of clicks, inline reference data, comprehensive reports and visualisations.
• Ability to configure the workspace and tailor the workspace to customer’s business needs and yet avoid customisations.
• Enables better common cases by using integrations with other application workspaces.
• Improves productivity and ease of use with new modern design, improved UX, and configurable, persona-based workspaces.
• Leverages new dashboards for crisis management, business impact analysis, program planning and exercises, and tasks.

Moreover, it creates situational awareness by seamlessly connecting to other ServiceNow applications to monitor impacted assets, communicate with impacted people and drive recovery actions in the event of a crisis:

• track threat alerts from multiple sources, 
• layer in the asset information from the Now platform,
• monitor impacted assets based on threat radius,
• communicate via multiple channels with the impacted people,
• initiate recovery actions and track progress from the dashboard.

Previously, BCM offered a workspace experience for the Continuity and Crisis management teams. However, this workspace was not built on the UI builder and therefore, inflexible and not consistent with the platform experience. Now, the BCM workspaces are built on the UI builder allowing easy and upgrade-safe configurations.

6. ESG Management

The ESG Management introduces a key new capability designed for the IT team responsible for improving the environmental impact of IT infrastructure – specifically hardware assets and data centres. 

ESG Management works with ServiceNow Hardware Asset Management to estimate information about the carbon or greenhouse gas emissions, water usage, and energy usage of the systems you use to run your business. These insights become part of the carbon accounting and report workstream that many companies are building out.  The data in the dashboard comes through the HAM integration to track the asset lifecycle through to disposition, e.g. Did that laptop go to another employee, a donation centre, or a landfill?  A new dashboard within ESG Management pulls the information together to make it easier to understand what’s working, fulfil increasing oversight from stakeholders, and drive improvement over time.

It also allows integrations with:

• Microsoft Word to improve reporting,
• SAP Concur to capture travel and expense-related ESG data,
• content packs for the top international frameworks and standards.

Sustainable IT dashboard

• View the organisation’s IT carbon footprint from hardware assets and data centres.
• Customers can track efficiency metrics for data centres, like Power Use Efficiency (PUE) and Water Use Efficiency (WUE).
• Customers can complete their hardware asset lifecycle by tracking e-waste disposition.

Microsoft Office 365 Integration 

Streamline reporting and data management through reviews by embedding secure, auditable, and refreshable ESG data directly from ServiceNow ESGM into Microsoft Word documents:

• Access metrics, material topics, and custom report data from within the ServiceNow ESG panel.
• View a complete list of all embedded data and when it was most recently updated, with hyperlinks to view each field inline within the created document or within ServiceNow.
• Add auditable data in bulk with tables and configured reports, or choose individual metrics to add inline within document text.

SAP Concur Integration

This integration addresses the common challenge of reporting business travel-related greenhouse gas emissions that are part of a company’s carbon footprint. More specifically, business travel-related emissions are part of Scope 3 emissions, which occur in a company’s supply chain and the use of its products by customers. Companies can automatically pull business travel-related greenhouse gas emissions into their ESG reports:

• automate the collection of employee business travel data for Scope 3 emission calculations,
• minimise the risk of data entry errors, 
• streamline data collection efforts.

ESG Content Accelerator

The content accelerator helps users get started quickly with their ESG reporting requirements by auto-populating sets of metric definitions (required indicators) for which users must provide data to report in alignment with voluntary ESG frameworks. The content packs accelerate time to value by eliminating the need to manually create dozens, potentially hundreds, of metric definitions to allow users to begin collecting data using ESG management. The content packs provided in this release are for GRI (Global Reporting /Initiative), SASB (Sustainability Accounting Standards Board), UN SDGs (United Nations Sustainable Development Goals) and TCFD (Task Force for Climate-Related Financial Disclosures). 

Get started quickly with reporting against GRI, SASB, TCFD, and United Nations Sustainable Development Goals:

• preload metric definitions for the most common ESG reporting frameworks,
• save time in implementation by using the provided metric content packs,
• accelerate time to value for the ESG reporting tool.

Companies have to do ESG reporting – the content packs help automate this reporting where possible, saving time, effort, and associated costs, and helping to ensure accuracy and completeness.