There are many new and exciting enhancements in the Tokyo release for risk, compliance, business continuity, and operational resilience.  The long list is at the end, but I’d like to highlight just a few: 

DevOps Accelerator 

For companies that have successfully completed the first wave of transformation initiatives, the emphasis is shifting from digital reengineering to innovation. Simplifying and speeding the application development process enables innovation. But when new software applications are being developed there are IT controls that need to be implemented and validated to ensure compliance with standard IT frameworks such as ISO, NIST, and PCI, and to mitigate technology risk. Additionally, when audits are performed software developers are diverted from developing code to providing evidence for auditors.  While ensuring compliance is key, these extra activities are manual, time-consuming, and error prone.  

The DevOps Accelerator integrates IRM Policy & Compliance and DevOps Config providing automated preventative controls to enable policy checking and support audit activities through continuous monitoring for compliance and evidence collection, without developer intervention. Integration of governance into the development process also enables exception handling so developers can meet compliance obligations and support audit requirements without sacrificing productivity and slowing innovation. 

Metrics and Risk Heatmap 

To ensure critical risks are identified and addressed before they can impact your business is critical.  To do that you need visibility into emerging risks, the ability to assess the criticality of the risk, and knowledge of the trajectory of the risk.  Risk can exist for any entity including applications, vendors, processes, assets, and more.  With the new Metrics capability, you can track KRIs (Key Risk Indicators) and KCIs (Key Control Indicators) to identify risks on all these data types either through manual or automated metrics, or a composite of both. Metrics compliment existing indicator functionality that generates risks based on a pass/fail of a set of conditions or controls.  

New Risk Heatmap functionality provides not only a risk score to prioritize the criticality of the risk but also the trajectory the risk is heading.  This allows you to make the appropriate decisions to ensure your risk posture stays strong.  For example, if you had several risks with a medium score knowing some were becoming riskier would allow you to prioritize your teams’ efforts to mitigate them first before addressing the others. 

Scenario Analysis for Operational Resilience 

While there is always the possibility for an unexpected event to occur, planning for and testing multiple scenarios – and having an understanding of their measured impact to the business is critical for Operational Resilience. With Scenario Analysis, users can design and simulate events as well as record and report on these findings. It allows you to identify the different ways that critical business services could be interrupted and the point at which the disruption may become a risk. 

By conducting this analysis teams can plan ahead and bounce back more quickly from any disruption. 

But there are more enhancements: 

For Risk Management we’ve added: 

• AI assisted risk management 
• Multi-level approvals 

• Enhancements for calculating Design & Operational Effectiveness of controls 
• Assessment simulations 

Policy and Compliance has added: 

• Policy exception – risk assessment integration 
• Evidence reuse 

Business Continuity released several automation enhancements: 

• Auto-populate: 

• The CMDB data to BIAs 
• Dependences from BIAs to plans 
• Related plans to master plans 

• The secondary impacts in an event 

Operational Resilience updates include: 

• Create & maintain business services 
• Importance & Tolerance assessments 
• Self-attestations 

• Track BCM profiles based on pillars 

Vendor Risk Management now has a: 

• New 3rd party vendor portal 
• 3rd party score framework 

And some new common capabilities include: 

• Inheritance of Confidentiality 
• Sync with entity owner 
• Entity class rule filters 

If you’d like to learn more about IRM please join us at the Tokyo broadcast, view Live on ServiceNow webinars, or connect with us on the GRC/IRM community  

_________________________________________________________________________________________ 

© 2022 ServiceNow Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated. 

servicenow.com