8 Aspects of the ServiceNow Washington DC Release for IRM

ServiceNow’s latest release Washington DC is here, bringing a wave of exciting new features to the Integrated Risk Management (IRM) application. The new release introduces a range of innovations designed to streamline risk assessments, automate approvals, and gain deeper insights into IT sustainability. Let’s dive into some of the key features that will transform the way you manage risk and compliance within your organisation.

Policy & Compliance Management

Dynamic approval configuration on a policy record

This new feature allows you to set up a dynamic approval configuration on a policy record. You can define multiple approval levels based on factors like policy type, location, or owner. This eliminates manual configuration for each policy. The system automatically identifies the appropriate reviewers based on predefined rules, ensuring the right people are involved.

Key benefits:

• Reduction of the administrative overhead in comparison with the previous manual approach
• Multiple levels of approval for policy documents.
• Workflow-driven policy review/approval process.

The great thing is that the approval configurator is also used in other GRC records, e.g. Policy Exception, Risk Assessment Approval, enabling the admin to use the same tool across the whole module.

Policy as a document in Google Drive

Policy owners, reviewers, and approvers can work together on drafting, revising, and approving policies, all within the familiar environment of Google Drive. Google Drive automatically saves different versions of your policy documents, ensuring a clear history. There is no need to manually update policy text. You can simply link the latest version from Google Drive document with Policy record and policy text is updated automatically. It is also possible to use the same functionality with the Microsoft OneDrive (released in Vancouver).

Note: Integration with Google Drive for policy authoring and redlining is needed. First request an Integration Hub subscription, then activate the Google Drive spoke and finally set up a connection between ServiceNow and Google Drive.

Risk

Parallel Review and Feedback

A new feature – “Parallel Review and Feedback” that came with the Washington DC release exists as an independent store application which allows customers to ‘turn on’ a parallel review & feedback workflow across IRM for the 1st and the 2nd line collaboration. It allows providing feedback against any ServiceNow, as well as non-ServiceNow, records by 2nd line managers.

Risk management teams gain holistic documentation and reasons around why a score or action was defined by the 1st line. In addition, the business receives continued education on risk-based analysis.

The parallel review & feedback workflow is flexible in where it’s being used and who uses it. It is not mandatory but it can be added to a variety of IRM workflows. The user experience allows for a split-screen view of feedback and the record in evaluation.

Use Cases:

• As a 2nd line specialist (such as Risk Manager / Compliance Manager) you should be able to do the following:
  • Provide feedback against an entire record (both ServiceNow and Non-ServiceNow) or a specific field in the record (in a single feedback workflow it could also be both) and make suggestions around what can be improved. For Example, ask the record owner to capture additional loss entries for a risk event while for a single field, it could be around capturing the root cause of the same event.
  • Provide feedback at any point in the workflow and be able to send multiple such feedback.
  • Provide feedback directly from the source record through the side panel feature.
  • Check pre- and post-feedback changes in the source record from the history tab.
  • Move the feedback back to the draft state if the response from the respondent is unsatisfactory.
  • Monitor and report all the feedback provided by me, and proactively follow up with the record owners through a centralised dashboard.
  • Collaborate with respondents with a sidebar chat feature to provide clarifications and suggestions when needed.
  • Close feedback workflow with/without an outcome such as an issue etc.
• As a part of the ownership or owning group of the record (risk event owner, ARA assessor etc.), you should be able to do the following:
  • Ability to review the feedback, either accept them i.e. make those corresponding changes or reject them providing a justification from a sidebar panel or a record page.
  • Ability to collaborate with relevant stakeholders in case of guidance or clarifications.
  • Ability to see the change history of the record based on the feedback provided.
  • Ability to respond to the feedback from the task page.

Business Outcome

• Digitise the review process without creating a significant workload for the 2nd line users, thus helping the organisation scale ever-growing risk and compliance needs.
• Improve process efficiency and reduce red tapping associated with workflows, thus improving the confidence of the first line to manage their risk and compliance needs without significant reduction in the governance effectiveness. 
• Simplify and Automate – Save time by filtering the noise and helping 2nd line to quickly focus on areas that need their attention, improving 2nd line productivity. 

NOTE: The “Parallel Review and Feedback” feature is available to only IRM Enterprise and IRM Pro customers.

Advanced Risk: O365 Reporting Experience

This feature allows you to pull visualisations or data directly from ServiceNow into MS Word for executive report creation. 2nd line teams can avoid technical debt by pulling the data from the platform and using Microsoft Word to create reports to meet their unique requirements.

Business outcome

• This app allows 2^nd line managers to create reports in MS Word using ServiceNow records and share them with required stakeholders on a recurrent basis. 
• The report can contain components such as tables, charts, graphs or descriptive field text etc. In addition to that, users can define their own static content for additional justification or context as needed.
• It improves 2nd line efficiency while creating executive reports on a recurrent basis by updating the report data in a single click from the ServiceNow platform.

Licensing and packaging – A new scoped application called “Management Reporting for Risk” is available to all IRM customers.

Audit Management

Documents with Microsoft OneDrive

Audit Management now lets you connect with cloud storage provider Microsoft OneDrive, allowing you to manage documents and work papers as cloud files directly within Audit Workspace. This eliminates the need to attach them to individual records.

It supports both engagement and audit task records, enhancing document management specifically for these record types within the Audit Workspace.

What are the benefits for users?

• Connect to the existing documents on Microsoft OneDrive such as Excel, Microsoft PowerPoint presentations, and Microsoft Word documents.
• Tag a document as confidential​.
• Control access to the cloud files based on configurable permissions.​
• Edit and read the documents and work papers using Microsoft OneDrive
• Link the cloud files to any GRC record and share a single cloud file with multiple records.

Note: To enable cloud files with Microsoft OneDrive there is needed Microsoft OneDrive integration. The following applications are mandatory: 

• Document Management (com.snc.platform_document_management)
• Microsoft OneDrive Spoke for Document Service Framework (sn_docs_onedrive)

Compliance Case management

Compliance Case Management (CCM) application was released already back in Vancouver release and Washington DC brought us one major enhancement worth mentioning. 

Export to PDF

Now, you can create PDFs for compliance cases or requests from predefined templates, ensuring stakeholder access even without application logins. It allows sharing critical information instantly via email, enabling collaboration with audit teams, partners, and internal committees. Moreover, PDF reports also enable offline access for convenient review and reference. 

The key benefit for organisations is the fact that it allows the stakeholders who do not have access to the CCM to still access the data related to compliance case / request.

ESG

Sustainable IT dashboard – IT footprint

Washington DC release introduced a new “IT footprint” tab as a part of the Sustainable IT dashboard. It shows the carbon footprint of company data centres, offices, and buildings on a world map, and highlights the most energy-efficient facilities. When pointing out the entities on the map, you can see the most recent metric data and related information. It helps with managing and monitoring the emissions generated by your hardware assets.

<Source: https://store.servicenow.com>

What is the business outcome?

• Data-Driven Sustainability Decisions
• Proactive Cost Management

Note: Hardware assets tab and the Data centres tab on the dashboard, you must activate the Hardware Asset Management (sn_hamp) plugin. Additionally, to activate the IT footprint map tab, you must activate the Geo Map component (sn_geo_map) plugin.

Assessing ESG risks with Advanced risk assessment

Risk assessment methods give you the possibility to assess the ESG risks in the same way as you do in IRM. It is possible to use qualitative (rating style type, quick to perform), and quantitative (fact-based, measurable) types and the assessment can be configured for both: entities and material topics.

With the flexibility of an advanced risk assessment engine and the same UX for both ESG and IRM risks, this feature helps with the effective and quick identification of the most critical ESG risks.

Note: To use the risk assessment feature, you must install and activate the plugin:sn_esg_risk_mgmt plugin.

TPRM (Third-Party Risk Management)

TPRM: Event-Driven Assessments

Event-driven third-party risk assessment is a capability that will greatly benefit the third-party risk management team as they monitor their entire third-party ecosystem.

By defining events/changes in third-party-related events or actions across the platform, automation is critical in eliminating manual efforts by the third-party team. 

One-time bulk assessment initiation gives extra time for a third-party team to react to an external impactful event.

Business outcome

• Customers can define events that monitor changes to the metadata of a third party and automatically issue a risk assessment. 
• Third-party risk teams can work efficiently by automating when and what assessments are sent to third- parties based on defined events continuously monitored.
• The automated issuance of an assessment can be for a single third-party or a group of third-parties (bulk).

Enhance the due diligence process through automated event-driven assessment initiation:

• Event rules can be defined to monitor attributes of active third-parties. 
• Once an event/change in the attribute is detected, an IRQ or external risk assessment can be automatically issued to the defined third-party.
• When the event is defined as a one-time run, bulk issuance of assessments can be completed for a group of third-parties.

Key benefit:

This capability brings efficiencies to the third-party risk management team and be notified in real-time when there is a change or disruption impacting an engaged third-party.

Licensing and packaging – TPRM Standard

BCM

BCM: Notification of Enterprise Data Changes

With native integrations into enterprise data (CMDB/ platform tables), BCM teams must be aware of data changes made to dependencies or attributes to confirm the business continuity plan is still correct and accurate.

While critical to the operations of BCM, the team may have inflight assessments, plans, or exercises in which they want to determine when the updated enterprise data should be reflected in the BCM space.

• Continuity teams are now alerted of any source data changes on the platform impacting BIAs or BCPs.
• Continuity teams need the latest data structure across processes, services, IT assets, suppliers, and facilities. When attributes of these components are modified, BCM teams need to be alerted in real-time to ensure accuracy in BIAs and BCPs.
• To obtain data governance, upon the notification of source data changes the BCM team can decide when they feel it’s appropriate to accept the data changes. Native integrations to enterprise data allow for real-time notifications and timely planning.

 
What notifications, currently used in BCM, can be sent to the Continuity team when the source data of assets, services, suppliers, or facilities has been changed?

• Define the source tables to be monitored for BIA and BCP dependencies.
• Define the users who will get an email notification upon changes in the dependencies.
• BIA and Plan owners can review the updated dependencies via the snapshot that captures newly added, updated, and deleted dependencies.

Key benefit:

The addition of this capability strengthens the native connection to enterprise-wide data. BCM teams are alerted in real-time when updates or dependency changes have been made. They no longer have to wait until performing a new BIA or exercise to discover these changes.

Licensing and packaging – BCM Standard

Common platform features

Time-limited roles

This new feature allows you to grant a temporary role to the users for a specific period of time. It is important to say that the minimum role is user_admin to be able to use this functionality. It is definitely a step forward because previously admins had to add or revoke the role manually or use some custom automation scripts.

How to navigate to time-limited roles: User Administration > Time-Limited User Roles

——

Do not hesitate and contact us with any questions and/or desire to implement any of the above-mentioned features.