Risk management for business applications
ServiceNow’s Enterprise Architecture integration with Governance, Risk, and Compliance (GRC) streamlines risk management for business applications. It helps application owners and risk managers identify risks tied to applications and assign controls to mitigate those risks effectively. This integration enables the assessment of both inherent and comprehensive risks, and supports compliance verification through Policy and Compliance integration.
Key Features
- Risk Identification and Assessment: Automated detection of new business applications triggers creation of risk identification records, allowing risk managers to configure and oversee assessment workflows.
- Collaborative Questionnaire Process: Application owners provide detailed information via questionnaires, which risk managers review and can return for clarification while preserving responses.
- Automated Risk and Compliance Mapping: Risks, policies, and controls are mapped to applications automatically based on entity types and associated information objects.
- Recommendation Engine: Based on configured algorithms, the system suggests relevant risks, policies, and controls for review and association by risk managers.
- Control Lifecycle Management: Application owners collaborate with stakeholders to implement and manage controls, ensuring ongoing compliance and risk mitigation.
Key Outcomes
- Significant reduction in time spent by risk managers and application owners managing digital risks.
- Improved and faster communication between application owners and risk managers.
- A consolidated overview of the digital risk posture across business applications.
- Enhanced ability to verify compliance and prioritize risk mitigation tasks efficiently.
Integrate Enterprise Architecture with Governance, Risk, and Compliance (GRC) to simplify the work of application owners and risk managers by identifying the risks associated with business applications and adding the controls necessary to mitigate the risks.
ServiceNow® Enterprise Architecture integration with Risk Management enables you to determine the inherent and comprehensive risk on a business application and identify tasks to mitigate the risk.
ServiceNow® Enterprise Architecture integration with Policy and Compliance enables you to view the controls determined on a business application, verify whether those controls are compliant, and determine the tasks required to make the business application compliant with the controls.
- Reduces the time spent by risk managers and application owners on digital risks.
- Provides faster and efficient communication between the application owners and risk managers.
- Provides an overview of the digital risk posture of business applications.
High-level workflow of the GRC and Enterprise Architecture integration solution
The high-level workflow of the GRC and Enterprise Architecture integration solution is as follows:
- A business application is created.
- The GRC Profile Generation scheduled job, which runs in the background, detects the new business application and creates a corresponding entity in GRC.
- When the new application is created as a GRC entity, a new risk identification record is created.
- The risk manager can modify the configuration record and determine the workflow of the assessment. After a risk identification configuration is published, the risk manager can modify only some fields in the configuration record.
- A questionnaire is initiated to collect details about the application from the application owner.
- The application owner responds to the questionnaire.
- The risk manager reviews the responses and sends the questionnaire back if further information or clarification is needed. Note: The application owner's responses are retained when the questionnaire is sent back.
- When the risk manager is satisfied with the responses, the inherent assessment is initiated based on the risk assessment methodology configuration in GRC. For more information, see Configure inherent assessment.
- GRC maps the risks and compliance objects based on the entity types.
- The risk manager reviews the information object mapping.
- The system executes the recommendation engine based on the algorithm selected in the configuration.
- The risk manager reviews and maps the recommended risks, policies, and citations based on the associated information objects.
- The controls recommended on the basis of the associated policies, citations, and risks are associated with the business application.
- The application owner manages the control life cycle by working with relevant stakeholders to implement controls.