ServiceNow Tokyo release: Key takeaways from IRM application

The ServiceNow Integrated Risk Management (IRM) application is enhanced and improved with the Tokyo release. Here, we have listed the key takeaways and benefits of daily GRC operations and activities from both a business and technical perspective.

New features and enhancements at a glance

With the Tokyo release, new features and enhancements have been made within the areas of:

These enhancements enable: 

• Configurable confidentiality level for several GRC tables, allowing you to decide who can see what and when for specific business areas, entities, or even controls and risk statements
• Improved synchronization and overview by utilizing up-stream and down-stream functionalities to view related records, and clarify dependencies and inter-relationships across entities, risks, controls, engagements, issues, and tasks 
• Improved collaboration between the risk owner, the control owner, and the entity owner by enabling real-time functionalities within both risk management and operational resilience applications
• Enhanced Entity Class Rule Filter enabling you to configure multiple classes for the same table to improve overviews and showcase related lists and interdependencies
• Improved flexibility when managing the risk response and risk acceptance task flow, including from a risk owner and management perspective. 
• Improved Business Impact Analysis modelling and Business Continuity Management forms and tasks in real-time 
• Improved Operational Resilience functionality with a dedicated focus on Business Services, Event Planning and Scenario Analysis 
• Improved Policy & Compliance Workplace, and introduction of Policy as a Code Engine (PaCE) enabling auto-assessing compliance levels in real-time across the entire IT infrastructure.

Under the Spotlight – key features to look out for

If only having limited time or resources available to get a deeper understanding of what benefits and add-ons have been made with the Tokyo release, then these features really are the key ones to know about:

1. Asset Management: Enhanced synchronization and related record functionalities. 
2. Risk Management: Enhanced risk response task flow, risk metrics and risk trajectory. 
3. Operational Resilience: Enhanced monitoring and scenario analysis features.
4. Policy & Compliance: Enhanced policy exception handling and control monitoring features. 

Asset Management: Enhanced synchronization and real-time functionality

Managing critical assets requires real-time risk management to withstand risks. With the Tokyo release, additional real-time functionalities are introduced ensuring that the: risk owner, entity owner and control owner are always in sync, without making manual updates.

In addition, two new buttons have been added to the related lists of the entity form. One button shows the records directly related to the entity, and the other removes the additional filter to show all the upstream & downstream records. This improves your overview and highlights interdependencies by visualizing related records like:

• upstream and downstream entities,
• downstream risks,
• controls,
• engagements,
• issues and tasks, also known from risk bow-tie analysis.  

Furthermore, the enhanced Entity Class Rule Filter can be used to configure multiple classes in the same table to help improve the overview of asset interrelationships and potential spots for secondary risks, as entities created from such a configured table automatically will pick the class that matches the condition defined in the class rule filter, enabling you to e.g., create “buckets” of assets according to criticality or continuity classes. 

Risk Management: Enhanced response task flow, risk metrics and risk trajectory

To maximize progress and increase performance, users must make sure, that users are prioritizing the right things in the right order so that users act in due time and respond accordingly to risks as they occur. To help ensure this, changes have been made in the risk response task form enabling you to identify and track risks based on new data types and gained insights into the criticality of each risk along with its trajectory. 

More specifically, enhancements have been made that enable the risk owner to send an assessment back to draft and access “closed risks”. In addition, the assigned user can now access the “work in progress” status and request a review whenever needed or required. These functionalities improve the ongoing risk coordination efficiency and the overall trajectory of risks to the benefit of all involved stakeholders as it helps ensure that critical risks are being addressed before they can impact users’ business, which is key in today’s digitized businesses.

Furthermore, new risk metrics capabilities with the Tokyo release help users track Key Risk Indicators (KRIs) and Key Control Indicators (KCIs) supporting users in identifying critical risks either through manual or automated metrics, or a hybrid thereof. Such metrics compliments the existing indicator functionality and help users in defining users risk landscape by generating risks based on a fail/pass auto-assessment of a defined set of conditions or controls that is configurable and hence flexible to use in practice.

Finally, a new risk heatmap functionality enables users to both prioritize risks and visualize the path or risk trajectory each risk is heading, allowing users to act and make appropriate decisions in due time in accordance with risk appetite levels. This allows users to prioritize efforts according to actual risk trends and tendencies.

As a core risk management report, the heatmap workbench proved to be a transformative feature in the last release. With the Tokyo release, ServiceNow has taken the risk workbench to a whole new level by adding the ability to:

• showcase risks for any specified entity,
• analyze risks movements,
• trace risk trends.

With the renovated filtration functionalities, risk/ entity owners will be able to explore their risks by selecting the related entities. Providing better visibility and tracking of related risks.

Moreover, with the risk movement feature, it provides the means to highlight the inherent and residual risk which enables users to analyze controls effectiveness in a sophisticated manner. 

This improves tracking of the effectiveness of the overall control which allows decision-makers to continuously improve controls to mitigate risks.

Uncovering more of Tokyo’s release impressive updates, risk trends come on top of the list as it powers risk users with the ability to trace risk status throughout their journey. 

Granting risk users an advanced view over the status of their risks over time which aids in risk treatment intelligence as well as provides executives and managers insight into the organization’s risks, resulting in more risk-informed decisions that reinforce desirable outcomes.

Other key enhancements within the area of risk management also include enhancements for:

• multi-level approvals,
• calculating the design and effectiveness of controls, 
• risk assessment simulations.

Operational Resilience: Enhanced monitoring and scenario analysis features

In short, the Operational Resilience application enables you to continue to provide business services in the face of adverse operational events, such as a pandemic, extreme weather, or cyber attacks. 

Operational Resilience was also enhanced in the Tokyo release. With the new Scenario Analysis feature, scenarios can be designed and simulated for your business services, and the findings and results can be reported for further attention and action. This enables you to: 

1. Identify specific interruption events that could impact your critical business services and ultimately harm your business if they materialize into a risk event, and 

2. Analyze relevant scenarios and events and determine if any service was breached. 

3. Analyze and conclude on the importance rating and impact tolerance duration of your business services through an Importance and Impact Tolerance assessment. 

4. Verify the specific resilience status of your business services by generating and signing self-attestation reports. 

Other specific enhancements in the Tokyo release include the ability to add business services to your Operational Resilience application and monitor their status on the dashboard. By using the related list functionality, you can also get an overview of the service dependencies and issues that are related to the processes, importance and impact assessments, scenario analysis, etc. that are central to managing operational resilience and business continuity.

By using these new features, you can resolve service disruptions before they become a business risk by monitoring and predicting impacts and disruption scenarios, and then plan and prepare for major incidents to occur before they occur. As seen recently, during Covid-19 and the war in Ukraine, in uncertain times, planning and testing multiple scenarios is key to being able to respond to and recover from a crisis. 

Policy and Compliance Management: Enhanced policy exception handling and control monitoring features

To ensure compliance and hence that you are in control, continuous monitoring of control efficiency, performance indicators and documentation, for both risk management and audit, is crucial. 

Conducting your Policy and Compliance Management activities in ServiceNow IRM provides you with a centralized process for creating and managing policies, standards, and internal control procedures that are cross-mapped to external regulations and best practices. The Policy and Compliance Management application was also enhanced in the Tokyo release by introducing the Policy as a Code Engine (PaCE) accelerator and embedding policy exception handling into the development process to help ensure compliance issues are addressed without stopping development are some of the new key features. In addition, enhancements have also been made to control monitoring and control compliance capabilities to help continuously monitor controls for compliance and provide evidence for audit. 

With the integration of PaCE, you can now evaluate compliance of DevOps policies and control objectives, as the PaCE provides pre-mapping between control objectives from regulations, standards, and frameworks such as CIS controls, NIST 800-53, ISO 27002, and PCI DSS and DevOps policies. This provides you with a practical yet unique way of working when it comes to DevOps compared to other tools, as this will make you able to continue your DevOps without having to force a stop in your activities. 

In short, PaCE enables auto-assessing of compliance levels in real-time across the entire IT infrastructure. In addition, PaCE enables you to run DevOps and IT Compliance in parallel and in joint combination at the same time, which is a key determining factor for success in an environment or a market where “time to market” or “time to operate” is crucial. 

The Tokyo release also comes with an enhancement of the IT Compliance Workspace providing you with a view of your current IT compliance aspects around various business applications, business services, business processes, servers, assets, and CMDB CIs used in the organization. Furthermore, in the IT Compliance Workspace, you can navigate your way around to get a real-time overview of: 

• Compliance impact of entities in use, 
• State of compliance activities 
• State of remediation and exception activities 
• Audit activity and status

Finally, policy exception enhancements allow multiple policy exceptions on the same control and multiple extensions to the policy exception, and now you can also withdraw or cancel an exception request before it is approved making things a lot easier to manage from a Policy and Governance point of view.

How to upgrade?

This all sounds great but how do I get the latest update, you might ask? You can install the Governance, Risk, and Compliance applications by requesting them from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, you can also see the ServiceNow Store version history release notes. Enjoy! 

If you want to know more, do not hesitate and get in touch.

Eager to talk about this in more detail?

Join our webinar on November 7th, where we will explain key SecOps & IRM updates in the ServiceNow Tokyo release from both the business and technical sides.