Risk management for business applications

  • Release version: Xanadu
  • Updated August 1, 2024

    Integrate Enterprise Architecture with Governance, Risk, and Compliance (GRC) to simplify the work of application owners and risk managers by identifying the risks associated with business applications and adding the controls necessary to mitigate the risks.

    ServiceNow® Enterprise Architecture integration with Risk Management enables you to determine the inherent and comprehensive risk on a business application and identify tasks to mitigate the risk.

    ServiceNow® Enterprise Architecture integration with Policy and Compliance enables you to view the controls determined on a business application, verify whether those controls are compliant, and determine the tasks required to make the business application compliant with the controls.

    The key benefits of this integration are:
    • Reduces the time spent by risk managers and application owners on digital risks.
    • Provides faster and more efficient communication between application owners and risk managers.
    • Provides an overview of the digital risk posture of business applications.

    High-level workflow of the GRC and Enterprise Architecture integration solution

    The high-level workflow of the GRC and Enterprise Architecture integration solution is as follows:

    1. A business application is created.
    2. The GRC Profile Generation scheduled job, which runs in the background, detects the new business application and creates a corresponding entity in GRC.
    3. When the new application is created as a GRC entity, a new risk identification record is created.
    4. The risk manager can modify the configuration record and determine the workflow of the assessment. After a risk identification configuration is published, the risk manager can modify only some fields in the configuration record.
    5. A questionnaire is initiated to collect details about the application from the application manager.
    6. The application owner responds to the questionnaire.
    7. The risk manager reviews the responses and sends the questionnaire back if further information or clarification is needed.
      Note:
      The application owner's responses are retained when the questionnaire is sent back.
    8. When the risk manager is satisfied with the responses, the inherent assessment is initiated based on the risk assessment methodology configuration in GRC. For more information, see Configure inherent assessment.
    9. GRC maps the risks and compliance objects based on the entity types.
    10. The risk manager reviews the information object mapping.
    11. The system executes the recommendation engine based on the algorithm selected in the configuration.
    12. The risk manager reviews and maps the recommended risks, policies, and citations based on the associated information objects.
    13. The controls recommended on the basis of the associated citation policies and risks are then associated with the business application.
    14. The application owner manages the control life cycle by working with relevant stakeholders to implement controls.