ITBM Office Hour 24 APM Paris & Quebec Release Highlights

Import · Jan 14, 2021 · video

Getting the call record now. Thank you all for joining the call. This is, uh, our normal standing office hours. We do two of these per month, based upon topics that U.S. customers have submitted to us as success advocates, to try to help you, uh, traverse some of the topic nature that you're, uh, interested in and using and leveraging within the ServiceNow platform. My name is Charles Rayburn; I'm a success advocate manager here, and the goal of this office hour is to talk about application portfolio management from the parent, kind of cover some of the, uh, Paris functionality, different types of capability sets. Um, guest speaker, um, Amar, who will definitely talk us through the first 15-20 minutes, level setting and grounding us in the topic nature, and then for the remaining portion of time it'll be questions related to anything and everything that you guys have on that topic. So, um, hopefully the questions will be lively for that. I am recording the session, so for those who are not able to attend and only able to listen in on the recordings, uh, definitely shoot over any questions you may have about the topic nature to your success advocates and we'll do our best to point you in the right direction around best practice information, or actually ask the subject matter expert for some follow-up questions related to that. So without further ado, Amar, the floor is yours.

Thanks, Charles. Hi everybody, I'm Amar. I've been handling the product management function for application portfolio management for the last three and a half years. So let me quickly start sharing my screen, and, yeah, so before we dive into the, uh, what we are delivering as part of Paris and Quebec family releases, I just want to give you a two-minute introduction to application portfolio management so that we have some context. So application portfolio management is, uh, that single place where, uh, organizations can store the list of all the business applications that they have in the enterprise. Before APM, the list of all
applications is spread across several spreadsheets in different systems, and there is no single centralized inventory. So with that, organizations face a dilemma, uh, you know, when it comes to decision making: what apps to invest in and what apps to retire, etc. So with APM there is this one single central place where applications can store and manage their inventory.

So now, talking about the use cases, these are our primary use case in APM. So we split all the users into four different portfolios: application portfolio, business portfolio, tech portfolio, information portfolio, and the last one is, okay, after analyzing the portfolio from all of these four angles, what do I actually do, right? So application portfolio, to start with, is basically gathering the list of all your applications in one single central place, right? So once you have identified all the list of all the applications, the next big question to ask is, okay, what part of the business do they relate to? What capabilities are they providing, right? So that is the business portfolio that we have. And the next question that we have is, okay, now that I have all the applications, I've identified what part of the business do they relate to, all right, so the next question that we are answering, that is the tech portfolio, that is understanding the infrastructure: what software and what hardware that each application is running on, right? Are all the software that my application is running on, is it still supported by the vendor? Is any software out of date, out of support? So, you know, so that I understand, I analyze my portfolio from a technology perspective, from a technologist perspective. The next question here is what information assets do my applications use. So for example, is my application storing any PII data? Is my application storing any payment card data? If yes, then I become subject to PCI DSS compliance, right? So that is the next question that we answer: what information that business application stores, right? And
by analyzing your portfolio from all of these four angles, you identify opportunities and solutions for improvements. So for example, if I'm running an application, uh, that is running on Oracle database server that is no longer supported by Oracle, then here is an opportunity for me to upgrade my Oracle database to the latest version of Oracle database. Or if my application is running, uh, is using, say, PII data, then I am subject to so-and-so controls, and if I'm not in compliance with those controls, and here is an opportunity for me, so, you know, I identify what tasks I need to do to get in compliance with those controls, right? So basically this is an overview of APM, all the four different portfolios that we manage: application, business, technology and information. So with that I will kind of jump into the, uh, next, I'll kind of jump into what is coming up here in Quebec. Let me stop sharing for a minute valuable of the right PPT.

Hello, I've started sharing my screen again, hope you all can see it. So these are the features that we are delivering as part of the Paris release. So first one is business application lifecycle management services, uh, and then, uh, the three big features, I would say, I will not talk about the minor enhancement that we are making: first one is business application lifecycle management services, second one is business application similarity using predictive intelligence, and the third one is reports, queries using CMDB Query Builder.

To talk about the business application lifecycle management services, we are introducing three basic services through service catalog: register a business application, request architecture review, and retire business application. So register a business application is, we are kind of bringing in a governance process around onboarding a new business application. If an app owner wants to onboard a new business application, uh, app owner can no longer create a record directly into the business application table, but the
operator has to raise a request, and that request goes through an approval process. Internally we kind of trigger a workflow, and that workflow can be configured. It can have, like, several steps in that workflow, and it needs to go through a bunch of approvals, say information security approval or, you know, architecture review approval, etc., and once it goes through all of that approvals, only then will the record be created in the business application table. So basically we are trying to govern the entire life cycle of the business application through these three services.

The second service is the request architecture review. That is, whenever any change, any significant change, needs to be made through a business application, the app owner has to request for an architecture review, and then that goes through an approval process, and once it is approved, only then will the business application or owner be allowed to make the changes that are proposed.

The third service is retire business application. So whenever a new application, to, whenever application needs to be retired or decommissioned, again we are bringing up a process related to that. So app owner has to raise a request, which will again trigger a project internally. The project will have several steps or several tasks that need to be completed as part of the retire or decommissioning of a business application, right?

So to give you some screenshots: in the service catalog, once you click, we have introduced a new category called business application lifecycle management, where you can see all the three services. So this is a register business application form, basic details. Uh, we do not purposely, we did not purposely create a big form, but a basic form which contains details like name, description, etc., and internally we trigger a workflow. This is the basic default of the work, out of the box workflow that is available, which customers can configure. And then, uh, yeah, so this is the, with this I talk about the second feature, which
is business application similarity, right? So what we found on the field here is, uh, customers have, like, thousands of business applications, three thousand, four thousand business applications. When they are onboarding a new business application, how do I categorize it? Is it, like, okay, a human resource management application, or do I call it, uh, you know, recruitment application, or do I call it an onboarding application? What is appropriate category that I put into? So there we are using a business application similarity. We are using the predictive intelligence, that is, all the machine learning, artificial intelligence features of ServiceNow are bundled together as predictive intelligence. So we are using some of the capabilities of the platform there to kind of predict what a category the application should go into, right? If you see my screenshot here, the user types in the name and the description. Based on the name and the description, we automatically populate the category of the business application, saying, okay, this business application can fall into the category of workforce, right? It is dependent on the categories that the customer has already created. Say customer has created 50 categories of business application to categorize their portfolio, 4000 applications. So we look at those, we look at similar business applications, and then we suggest, okay, similar business applications, you have categorized them as belonging to workforce category, so this is our suggestion, saying this application should also be categorized like that. So this is a new feature that we are introducing called business application similarity, and behind the hood we are making use of, uh, you know, machine learning algorithms to kind of generate that similar business application category and then suggest to the user, right?

And then the next service that we've introduced is request architecture review, a pretty simple form, uh, to request for architecture review, and followed by, uh, workflow for that. And then retire
business application, again, like, what business application we want to retire, and then we have a workflow for that, right?

Yeah, so with that I will quickly move on to the next feature. I think I spoke about, like, two features, business application lifecycle management services and then the application similarity, and with that I'll talk about the CMDB Query Builder, right? So CMDB Query Builder is a reporting tool. I think you all have heard about CSDM, Common Service Data Model, which is kind of becoming that unifying data model which ties all of the ServiceNow products, specifically the ITx products, together: ITSM, ITOM, ITBM, ITAM, everything. So CMDB Query Builder is kind of becoming the de facto reporting tool for CSDM, so we have kind of integrated with the CMDB Query Builder to bring some out of the box reports, right? Uh, so here is a UI from the CMDB Query Builder, and as you can see, these are, the left hand side, these are the out of the box reports that we are providing: business applications, capabilities supported by business applications, application services for a business application, etc., right? And this is how the CMDB Query Builder, I know you can configure and provide, like, different visualizations for each of this report, but out of the box we are providing, like, seven or eight reports, and each report with a visualization, right? So that is the next big feature that we are coming up in Paris, right?

With that I'll quickly jump on to what is coming up in Quebec release, right? So with Quebec release we are actually, like, we have, uh, actually started releasing it through the store. As you all know, we have a ServiceNow store, and many of our apps, if you look at the trend over the last two years, many of our new features, applications, products, we are delivering it through the store, so that, you know, the innovation come is available to all of our customers quickly. So with Paris is this the first time that APM is releasing something to the store. So far, till Paris release,
all has been through the family's, family store, family route, but from Quebec onwards APM started releasing it through the store. So the first set of apps are available on store. They went live on October 15th and they're available for download, and these two apps are related to the feature of business application risk assessment, right? So in these two apps we kind of integrate with the GRC apps, right? So let me tell you the store app names, uh, yeah, I'll come to the store app names in a minute.

So business problem that you are trying to solve here is, the number of business applications is increasing on a day-to-day basis, and managing the risk on these business applications is becoming a tedious task for all of our customers. Uh, what we get to understand is our customers are spending a significant amount of effort in managing the risks around all of these business applications. So by integrating with GRC, we, so our solution here is integrate APM product with GRC product to manage the risk on the business application. And a big part of this integration is, GRC uses the information objects. I think earlier, while introducing APM, I spoke about the fourth pillar, that is information portfolio, wherein we said that for a business application we identify a list of all the information assets or information objects used by a business application, right? So GRC uses this information portfolio to automatically kind of analyze the overall inherent risk rating of a business application, and what all risk the business application is exposed to, and what all controls the business application should be compliant with. So information objects on the business application, to information object mapping on the APM side, is being used by GRC to arrive at all of these things, the risks, the controls, right?

So the three key benefits of this solution here is, first one is reduction in effort on IT risk managers on the GRC side, uh, as well as on the APM side. On the APM side, the app
owners, and on the GRC side, uh, current process, you know, significant amount of time goes into analyzing the risk of the business application. We expect that that effort will come down very significantly. Second one is improved information communication. Currently the process is, oh, there's a whole lot of offline communication over Slack, over email and all, but now we are kind of putting all of that into the system and kind of, uh, driving an automatic process end to end, so this significantly reduces the amount of offline communication that happens. And real-time insights into business criticality: anytime you want to see the status, like, what is the risk rating of a business application, or where we are with respect to the compliance, uh, right, so it is just, like, it is available on the platform. So everything is now available on the platform.

So I'll quickly talk about the life cycle of the whole feature. So first thing here is, the feature starts with information gathering. Information gathering is when the risk manager on the GRC side sends in a big questionnaire to the, uh, app owner, and the app owner takes that assessment, right? So what we have seen is, the questionnaire, we have, I think, interviewed, like, about 10 customers, and we have seen that the questionnaire, uh, in today's process as well there's a questionnaire, and that questionnaire can consist of anywhere between 50 to 100 questions, and answering that questionnaire is, like, a tedious process. So what we have done here is, the first time the app owner has to answer the questionnaire; from the second time onwards we automatically populate that questionnaire based on the previous responses the app owner has already given. So this significantly reduces a lot of time into the whole information gathering process. Second one is, on the GRC side they do an asset classification, BIA assessment, BIA is business impact assessment, and they run a job based on the, uh, and that job, based on the answers provided by the app owner in the assessment and based on
the business application to information object mapping, they kind of evaluate the overall risk on the business application. As part of that they also identify the risks and the controls, right, what all risk the business application is subject to and what all controls the business application should be compliant with. So they identify all of these items, and then automatically, once we identify the risk, we kind of create few tasks which tell, okay, to manage these three, these are the risk mitigation tasks, or to manage to become compliant with these controls, right? They, we automatically say that, okay, you're subject to these ten controls and we see that you are not compliant with these six controls, right, and we automatically create issues for those six controls that we are not compliant with, and then we create tasks in the system so that, you know, your app owner can work on those tasks and close those controls. And this is kind of a, uh, you know, repetitive process, because the application assessment happens, like, quarterly or on a six monthly basis; the same process repeats again and again, right?

So whatever I have just described is, like, kind of detailed out here, broad steps in the solution flow. And then, uh, yeah, here, you know, this slide talks about the key persona, the IT risk manager and IT application owner being the main people. Uh, and then, you know, uh, this is a detailed, uh, slide which explains, I can share all of these slides with you after this call, which explains the entire flow, whatever I just explained: how the entire flow happens, how the communication between the IT app owner and the risk manager on the GRC side happens, right, implementation of the controls and on. And the same thing we have kind of, the same picture we've kind of, uh, depicted here in a different way, based on persona, right, and based on the process, right from information gathering to the assessment to risk mapping, right, to the controls mapping, right, what each person is expected to do in each phase, right? And here is a
walkthrough of all the screens that we have. So here, as you can see on the business application form, once you install the plugins you will find a host of tabs on the business application form. First one is the information object attributes. This talks about all the information object and they qualify our properties, whether the business application does a create, read, update, delete on the information object. And the second tab is a risk questionnaire tab. Here is a risk questionnaire. The app owner has to click on the take assessment button out here to kind of take the assessment. So this is a sample questionnaire, and out of the box we are giving a sample questionnaire, and then customers can edit that questionnaire to, you know, to suit their current, to suit their organizational requirements and needs. And then once the questionnaire is submitted, we run a job behind the scenes, and that job will come up with list of all the, will come up with an overall risk rating for that business application. In this case this business application has got a risk rating of high. And then we automatically come up with a list of all the risks that the business application is subject to, right? This is the list of all the risks, and then against all the risk we again generate the tasks. So for example, in this case we are saying we have to integrate with SSO, right? Uh, so what are the risk response tasks. And this is the list of all the controls the business application is subject to, and then if at all the application is not subject to any of these controls, then we automatically raise issues saying, right, and then these are the GRC issues, and then we automatically again create tasks to kind of, uh, you know, become compliant with those issues, right? So the app owner is expected to work on these tasks, right? So for example, mask sensitive data on the form, right? So the app owner needs, on this business application, the app owner on the form needs to work on this
task to become compliant with, uh, these controls, and once the app owner finishes that, it's the last step, which is a manual step: the app owner is expected to take the assessment, assessment meaning it is just a confirmation from the app owner saying I have worked on this task, here is the story number or the project number, and hence I am now compliant with the control. It is kind of a self-assessment process that happens, expected to take. So only, like, answering the questionnaire and the control attestations, these are the only two manual steps; remaining all, uh, generating the risk, to, you know, identifying all the risk, to risk response tasks, controls, GRC issues, issue remediation tasks, all of this is kind of automated, right? So, yeah, so that is kind of the end-to-end flow of the two store apps that we are delivering, that we have already delivered as part of the, uh, Quebec release, right?

There, there's one quick question that came into the chat window, and it's from Tia: can you import data into the assessment module, example via Excel? So based upon what you were just talking about there, is that possible?

Uh, I guess so, but I can confirm that, because we are depending on the standard platform feature of assessments. Uh, I guess it is possible to import questionnaire.

Yeah, you can import. I was going to answer that one on this, yeah, let's chat, or sorry, the, uh, chat, but, um, the intent of assessments though, they are intended to be, like, timely, um, surveys that you're sending out, because you're gathering data or input from your application owners or your risk managers, etc. Uh, but if you wanted to bulk load the results, you know, because you collected them through some other mechanism, um, that's a platform feature. There would be configuration required, but you could probably do that.

Thanks, Al. And I started sharing my screen again. So these are the two store apps that are available, uh, that are live on store.servicenow.com. The first one is application portfolio management integration
with risk management, and customers who have got the GRC advanced risk app can install this app. And the second app is application portfolio management integration with policy and compliance, so customers who have got GRC policy and compliance app can, uh, install this app, right? The set of these two apps deal with the overall feature of GRC, or business application risk assessment, and as I showed, they'll populate all of those, they'll, you know, you'll be able to see all of those tabs on the business application form once these two apps are installed, right? I know that was a quick, uh, overview into what is coming up in Paris and Quebec release.

All right, um, any questions now from the customers? Do you guys have any, um, points of clarification you want to have with, given what he had, Amar reviewed? Thank you all for adding some additional information for that. No questions? All right, well, I guess this will be a short office hour then. Um, I greatly appreciate that. Amar, are there any particular links to any additional information that we should be sending out to the customers after this call, uh, in addition to the deck that you kind of showcase, to kind of help them get ready for or take advantage of what's in Paris, and then also to what's coming up, you want to share?

So as always, Charles, I'll add that our Now Learning is a great site for training content on any of the APM features. We pretty much keep those up to date as we release new features. Uh, some of the things you demoed and that Amar's demoed for you for Paris is definitely already updated on our Now Learning site. Um, the other, uh, resource that you can use is, um, create now, uh, so we have a another site as well that has best practice content and how to implement not just the application portfolio management but other ITBM and IT workflow products. So those are other resources that you can take advantage of.

Thank you so much for that, Al. All right everyone, well, if there aren't any other questions, I haven't seen any
other questions pop up on the chat window. This will be a very short office hour this time. This was just really meant to kind of go over some of the functionalities coming out and take advantage of Paris, et cetera. So I appreciate everyone's time. Uh, thank you Amar, thank you Albert, for, uh, showing up for this call, and, uh, everyone have a safe, happy holiday season. Talk to you later.

Thanks, Charles. Thanks everybody, bye.

View original source

https://www.youtube.com/watch?v=V1K4hA6WHYc