Skip to content

ServiceNow Rome GRC: new features and improvements

#cybersecurity#IRM#privacy#Rome release#ServiceNow
ServiceNow Rome GRC: new features and improvements

In September, ServiceNow announced its new release, codenamed “Rome”, and as usual, we wanted to give our readers a brief overview of the new features that grabbed our attention. The ServiceNow GRC domain which this article focuses on has been significantly improved in the following areas:

  • User Experience with workspaces, allowing a single-pane view
  • Privacy Management, a new application 
  • Business Continuity Management, enhancing a visualization approach to crisis management

New User Experience with Workspaces

In the Rome release, ServiceNow brings an important upgrade to the GRC User Experience with workspaces for Compliance, Risk, Audit, Privacy and Vendor Risk professionals. 

A workspace is a graphical user interface which shows all the tools, forms, dashboards and related lists tailored to your unique role. Workspace allows a consolidated view, making it easier to track status, prioritize and respond to GRC tasks such as a risk assessment or a control execution. The main day-to-day activities are now consolidated into one homepage, reducing the need to navigate between your modules, forms, list and dashboards.

4 workspaces are available Out Of the Box and tailored for GRC users:

  • Risk Workspace is tailored for risk professionals such as IT Risk Managers or Operational Risk Managers
  • Compliance Workspace designed for compliance managers and analysts
  • Vendor Risk Workspace for users engaged in assessing the risk of third parties, such as Vendor Risk analyst
  • Privacy Workspace making easier for you to manage your private impact assessment and track your sensitive data
  • Audit Workspace so auditors can easily navigate through their audit tasks
Figure 1: With everything in your workspace it’s easy to get an overview of the risk and compliance posture of the organization. Here the Risk Management workspace helps risk professionals to see what they need in one place.

Additionally, ServiceNow released a new First Line Experience called “Risk Portal” based on Service Portal functionality. First Line Experience available for all employees involved in the execution of controls and/or remediation of issues. Risk Portal will simplify the interface for business users and allow them to report risk events and issues as well as respond to other tasks like risk assessment, audit evidence requests, control execution tasks etc.

Rome comes with a UI Builder meaning that workspaces are fully configurable and can be easily tailored to specific roles and business needs. It is fast to build, easy to change and to upgrade.

Figure 2: On the Risk Portal business users can in one click access their pending tasks, and their groups’ tasks, view their requests (for example, issues, policy exceptions, remediation tasks) and Report a risk event.

ServiceNow also released a new feature related to user interface called the “360° View of Relationship”. This relationship view helps to visualize complex and interconnected GRC data. From a given record, you will be able to visualize all the related data. For example, you can access all indicators, issues, risks, controls and policies which apply to a given GRC entity from a single view. 

Figure 3: another example of possibilities given by the 360° View: by clicking on a risk, you can quickly see to which entities it applies, which controls are implemented, and what are the status of the current risk response tasks.

Privacy Management

In the Rome release, ServiceNow strengthens its positioning in the area of GRC by introducing an application called “Privacy Management”. 

Today, organizations must maintain compliance with a group of local and international legislation aimed at protecting individual data rights. Concerns about privacy protection are rising, and governments & regulatory authorities are taking initiatives to regulate the use of private data. In order to protect their customers, companies must establish a culture of privacy within all their units which operate with personal information. They need to keep control of the type of data they process and make sure that the storage and processing of it are secure. Employees, customers and partners trust you to keep their data safe. This makes accurately assessing privacy posture difficult as regulations are continually evolving, data is siloed and processes are often manual. 

ServiceNow Privacy Management is a new extension to the IRM suite of applications using the same platform and data model to prioritize and manage risk.  It will help organizations to unify enterprise-wide data privacy governance on a single platform, to gain visibility on privacy risks and break down siloed data. 

Concretely Privacy Management allows organizations to discover where sensitive information is stored and understand how it is used. Data discovery can be done manually or automatically thanks to integration with BigID.

Organizations can trigger and automatically score privacy assessments. When a new activity, such as a changed process or application, involves personal information, it triggers a Privacy Impact Assessment (PIA) which is assigned to business owners and automatically calculates the risk score based on results gathered in the PIA. You can then apply specific controls related to policies and authority documents and send control attestations to business users. Same as for the other modules of GRC, if there are any failed controls based on responses to the control attestations, privacy issues are automatically created for further remediation.

Figure 4: Privacy Management comes with an OOB workspace designed for privacy managers.
collect their responses. The responses help you to understand how personal information (PI) is being used or stored in a processing activity.

Business Continuity Management

ServiceNow brings 2 new enhancements to its business continuity management application. 

  • A GRC Crisis Map 
  • Crisis Management integration with Everbridge Notification

The new GRC Crisis map was designed to make disaster information easy to find, use and share. It will allow organizations to visualize crisis impact on their perimeter to simplify coordination and improve response. This is particularly useful for organizations with multiple sites in different locations. 

The crisis map includes the latest satellite imagery and available information:

  • storm paths,
  • flood zones,
  • evacuation routes,
  • shelter locations,
  • earthquakes,
  • and power outages.

All this available information will help to prepare better recovery plans and to prioritize crisis resources to where they will have the greatest impact. All to protect organizations’ customers, employees, products and services.

Concretely, the crisis map provides a collection of alerts related to weather, hazards, and emergency preparedness response. This includes data sourced from providers including weather.gov, earthquake.usgs.gov, tsunami.gov, and other official agencies. 

In a nutshell, the GRC crisis map:

  • fulfils the need to visualize the impact on your organization,
  • simplifies coordination and improves response,
  • adjusts work based on evolving and expanding needs on the ground.
Figure 6: As a BCM administrator, you can enable or disable threat feed integrations provided by the base system. You can also configure additional threat feeds into the Crisis Management application. The integration and configurations that you set up alert the crisis manager of the threats and aid to take appropriate action on time.

The second enhancement focuses on the integration of ServiceNow BCM Crisis Management with Everbridge Notification. It enables organizations to send notifications to crisis team members or any individuals and groups using: lists, locations & visual intelligence. Notifications keep stakeholders informed before, during and after crises by leveraging a single access point to notify contacts and manage contact data across multiple distributed data stores. Stakeholders will gain awareness and information relating to crisis events and business disruptions impacting their operations. 

Figure 7: you can define a template for emergency notification, create contacts & a notification contact group, and monitor the workflow status of the emergency notification in the dedicated workspace. 

ServiceNow Rome GRC: Closing notes

Undoubtedly, this release brings key improvements to GRC with this set of announcements, especially when it comes to User Experience. ServiceNow tackled the need for an improved user interface. Thanks to the new persona-based workspaces and new Risk Portal, will change the day-to-day ways of working with GRC applications. Moreover, it will definitely increase user adoption across organizations. 

Don’t hesitate to contact us to receive the most up-to-date information regarding ServiceNow and its products. Please reach out to us if you are interested in a demo or other professional services.

Disclaimer: Information and screenshots used in this article are coming from official ServiceNow documentation released for the Rome upgrade.