
NJP

11/18 Ask the Experts: Discover New Enhancements for Vendor Risk Management

Import · Nov 18, 2020 · video

...more minutes. You never know, maybe people are getting off of lunch or starting lunch, or they're excited to have you all here today.

Yeah, we get people from all over, so they could be anywhere.

That's right. And again, we are going to be recording this, so you'll be able to watch it again, and that will be placed on the community link that I'll be providing shortly.

Are we going to take the whole hour, Teresa?

I don't think so. I don't think we will.

Okay, then we'll just wait a few more moments for our attendees to roll in.

Today we've had some really big releases in the last couple of months, so I think Jorge is going to show us the newest stuff, but I don't think it's going to quite take the whole hour.

Okay, all right. Yeah, there's a few more kind of lining in there. There we go. All right, we just don't want to miss out on anyone who wants to join today. I might have some really great questions. We've had some great questions over the last few Ask the Experts; it's been really engaging, really interesting to hear what people are thinking and what they're asking.

Yeah, I love the interaction, so everybody out there, make sure you please ask questions. We want to make this interactive.

Okay, well, let's also make sure that we're keeping everybody else on schedule. I say, hey, let's go ahead and take it away.

Sounds perfect. Well, thank you, everybody, for joining us, and as you continue to join, I want to go over just a few things about what we've been doing in the last couple of months, what you can find on our Ask the Experts channel, and what's coming up. Today we're going to be talking about vendor risk management, but we're really excited, and the reason we're having this series is because we've been introducing a ton of new enhancements and new applications in the last couple of months on the ServiceNow Store. So in October we actually introduced a couple of new applications. One of them was Business Continuity Management and Continuous Authorization and Monitoring, and we had a couple of Ask the Experts at the end of October to showcase them, so you can go out and find those on the Ask the Experts playlist. But this is actually part of a series. In November we've already talked about our advanced risk assessments and the enhancements there around application and project risk, and our new operational risk dashboard, which is really exciting and interesting. And we had a very engaging, jam-packed hour last week with industry, who covered our policy and compliance and audit enhancements, including our new cyber security accelerator to take advantage of the CIS controls. And today we're going to be talking to Jorge, who's going to be talking to us about enhancements for vendor risk management.

Now, if you remember, we had another jam-packed hour of vendor risk management in June where we introduced new vendor hierarchies, vendor engagement and vendor risk areas. Well, in October we introduced some more enhancements: around the external monitoring framework, our new vendor portal guidance (making it easy for you guys to navigate the vendor portal), and issue creation enhancements. So Jorge is actually going to be demoing those for you all today. But there is more, because tomorrow, actually, I'm going to say very shortly, but tomorrow we will be having a new release which will introduce two new applications for our GRC product and RM portfolio, and that's Regulatory Change Management, which is to include a whole bunch of stuff, including an out-of-the-box integration with Thomson Reuters, and Operational Risk, I'm sorry, Operational Resilience Management, which we'll also be releasing tomorrow. We've got a couple of Ask the Experts after the holiday in December where we're actually going to be demoing those, so please mark your calendars for the upcoming Ask the Experts, and please check out the Ask the Experts channel, which Lisa is updating in our chat now to show you the links to those, to see a fabulous collection of demos of all the new features that have come out in October and this month in November. In that Ask the Experts channel you can also find demos of the capabilities that came out in June. So with that, I'm going to let Jorge steal the screen from me and go ahead and start introducing you all to the new enhancements for vendor risk management.

All right, thank you, Teresa. So as Teresa said, my name is Jorge Garcia, and before I get started with some of the new functionality that we introduced in October, I'd just like to point out that everything that you see on the screen here comes from customer feedback. And so we try to go through the community; feel free to send an email, send a note, for those of you that have my contact information, but also feel free to go into the Ideas portal, because when we introduced the features in June we had a lot of things that were in our backlog, and so customer feedback and customer interaction really helps us prioritize those things that are going to move the needle from our customers' perspective. So please feel free to engage with us and share those ideas, and share even the gaps that you may find in vendor risk management.

So, that said, let's kind of jump into it. I will do a mix of both slides and demo, so I'm not going to bore you with a bunch of slides; I only have two, but I'll kind of flip back and forth. So, amongst a lot of the things that we released, these are the three major ones. The first one is around issue enhancements. And so again, from customer feedback, we received a lot of things that could make the overall experience better, and so there's two things that I'll touch on today. The first one deals with vendor risk analysts looking at responses and marking questions, incorrect responses, as issues, but it was something where there was not a whole lot of visibility, and there was kind of a user experience gap there that existed, which I'll walk you through. And then the second one, and I'll go into a little bit more detail when I show you, is around how a vendor remediating issues can now become a factor in how the risk rating is calculated.

So let's start with the first one. I'm going to shift here to my screen, and what we're looking at is a vendor risk assessment. In this case it has been sent out to Vast Corporation, and if I scroll down to the questionnaire section, I've noticed that I have received that questionnaire back, right, 17 completed, but I have received those responses. And so this is just a demo record, but I'll go ahead and click on View Responses, and the first thing that I'll point out is that we have already created an issue for this question. So as part of VRM there are rules that you can specify where, if there is an incorrect response tied to a question, you can automatically generate issues. And prior to this release we did not include this little flag here that will show you that this question was tied to one of those rules, and what ended up happening was that we would have duplicate issues being created. Additionally, we have customers that go through all of these responses and manually create an issue, and they also type in both internal comments as well as external comments that are visible to the vendor, and these comments would get lost whenever an issue was generated. And what we heard was that the comments that were entered here, and that back and forth that you had with your vendors, provided a lot of context and insight into why that issue was first created, what some of the comments were when that issue was created, and maybe some comments from the vendor. So when I go ahead and I include this question in creating an issue, all of these comments are going to be generated. So if I hit Create an Issue and I scroll down, then I'll notice that I see the flag now here, which prevents me from generating a duplicate issue, and again, more importantly, these internal comments and external comments are now visible and exposed in the issue record itself, so that none of the communication that happened during that first touch point with the vendor gets lost whenever you go into that issue and remediation mode. So that's one aspect of how we are making it easy, and we're on this journey to make it as easy as possible whenever you go into issue remediation.

The second thing deals with what happens if you have two vendors. They both generate 50 issues, but vendor A goes in and puts in the time and effort to resolve the majority of those 50 issues, and vendor B, on the other hand, does not put any time or effort into resolving those. Prior to this release we did not have this issue risk rating, and what this does is it goes in and looks at the priority of an issue, it looks at the resolution of that issue, and it looks at the status of the issue, right, so whenever something is closed complete rather than closed incomplete or still a work in progress. And based against the priority, once those issues start getting remediated and resolved by your vendor, we now show you an issue risk rating. And again, the idea is that very quickly your stakeholders can see that this vendor has put in that conscious effort of resolving the majority of those issues, so that they bring that issue risk rating down by doing so. And then you make a final determination to say, you know what, they've not fixed any of my issues, so I'm actually going to increase the risk rating from those responses to something higher, because they've not responded to issues that I really care about. Or, if they have responded to those issues, then we can say, well, they have consciously resolved these, they are trying to resolve the ones that are still outstanding, so I'm going to decrease the risk rating. So in this first pass we show you an issue risk rating. We have plans to then make it a configurable setting that allows you to introduce this issue risk rating into this factor, and again, with hopefully your help and feedback, we can understand how that gets performed. But in this first version we just show you which issues have been resolved, and then, based on priority and how they were resolved, we calculate this issue risk rating. So that's kind of the first two things that I wanted to touch on, the issue enhancements. I don't see any questions, so I'll go ahead and move on.

The second thing is around vendor portal guidance. And so again, from customer feedback, we kept hearing, you know, you guys have this great tailor-made vendor portal. It was specifically made for vendor risk management, specifically made so that vendor contacts could log in, invite additional stakeholders to participate in the risk assessment, assign specific questionnaires to stakeholders, and respond to issues. But the feedback we received is that these vendors often interact with hundreds of customers, and each one of those customers may have a technology that is different to ours, or a spreadsheet with its own formatting, its own rules, its own kind of directions and instructions. And so despite the vendor portal being this custom, tailor-made experience for vendor contacts, they would often stumble their way into the portal, excuse me, just out of a lack of going in there on a regular basis.

So what I'm going to do now is I'm going to impersonate Alex Newson, and I'm going to go into the vendor portal as Alex Newson. I have a couple of things that I can do. I've logged in as Alex Newson before, but I can initiate what we call a guided tour. And the important thing to note is that this is ServiceNow platform functionality, so if you want to change some of the messaging, if you want to add additional steps based on things that you have configured differently, if you want to add another step because you start noticing that vendors are stumbling through one very specific thing that is not accounted for, then this is configurable from your end. It works much like as if you were creating a workflow in Flow Designer; we call it the guided tour setup, where you can easily add another step, you point out where you want the flag or the box to go, and what it needs to go after. So, as a vendor contact, I am going to go ahead and begin my tour. There's an explanation of what primary contacts are. I'm not going to go through all of these 16 different steps that the guided tour walks a vendor contact through, but the idea again is that there are instructions and guidance, so that even if these vendor contacts only log in on a semi-regular basis or an annual basis, they have the ability to learn without having to reach out to you, without having to get frustrated and just not respond to the assessment. They have the ability to now navigate and learn how to do things on their own.

The other thing that we have is an FAQ page, where we put in some of the most frequently asked questions, and it works very similarly, using the same technology, where if I want to invite additional users, it's not just text information; what it does is it creates a guided tour specifically to help that end user navigate through the tool. So we thought this was probably the easiest, rather than posting kind of a large chunk of text that walks through, okay, go here, because it's ServiceNow terminology and how we sometimes word things. The guided tour is a very easy method in which these vendor contacts that are not familiar with the vendor portal, that are not familiar with ServiceNow, can navigate and make sure that they can perform all of the tasks that they have to perform.

So, Jorge, we have a question. Is there a difference between a questionnaire and an assessment? Can you describe what an assessment is and what it's made up of?

Sure. So an assessment, you can think of it as a container for one or more questionnaires. So there is a workflow associated with the assessment; the assessment can have multiple requests. So let me go ahead and click on this particular assessment, and I have multiple objects or requests here. I can have one or more questionnaires, I can have one or more document requests. What the assessment allows you to do is to have a life cycle associated to it; it allows you to calculate it a certain way, allows you to send it to particular stakeholders. But that assessment may be an annual assessment that has a security questionnaire, a privacy questionnaire and a couple of document requests that are kind of forcing, or not forcing, but requesting particular evidence, like the SOC 1 or SOC 2 reports. And so that is kind of the difference: the assessment is a container for one or more questionnaires or one or more document requests.

Yeah, I know that can be kind of confusing for people sometimes. Another question on the vendor portal assistance. So a lot of customers will brand the portal so that it looks like it's theirs and not ServiceNow. So the question is, does any of the content reference ServiceNow? "We brand our vendor portal so it looks like our company, not ServiceNow, so wondering if we'll need to update the assistance content."

No. So we try to make it agnostic of ServiceNow, and so if there are opportunities where you do want to include some of that branding in the guided tour, like I said, we use the platform functionality. This guided tour setup is highly configurable: it allows you to change the text, allows you to change the placement of where that little pop-up is going to come up, allows you to change the action of what needs to happen. And so, yeah, for these purposes we try to make it agnostic, but if you do want to include different wording or branding, even within those instructions, you can, but they shouldn't need to.

Right, we don't have anything that's ServiceNow-ish. It should be able to be used by anybody, and it could be considered to be anybody's guidance.

Yep.

Perfect, thank you.

All right, so if there are no more questions, let me quickly go out of the vendor portal and end my impersonation of Alex Newson before I move on to today's last feature enhancement that we're talking about. So this is around external monitoring. Historically, ServiceNow VRM has been dealing with security risk, and so when you looked at our ServiceNow Store and you looked at some of the existing integrations, they were with BitSight and SecurityScorecard; we have things coming up with Recorded Future. But as our customers mature, and as we continue to mature, we kept hearing from customers that they also wanted to evaluate and assess their vendors for different types of risk. And so for us the first step happened back in June, when we introduced vendor risk areas that allow you to tie questionnaires and assessments and document requests to a specific vendor risk area. So you could do a financial liability questionnaire, you could do a security questionnaire, you could do a legal questionnaire, and then all of those scores would get rolled up and aggregated at the assessment level as well as at the vendor level. What we then did for this phase, phase two, is, well, it's all good that you can go out and ask those questions of your vendor, but there are third-party providers that give you that intel. So things like RapidRatings can give you a financial score, just like Dun & Bradstreet; there's other providers that can give you reputational scores, legal scores. We keep hearing a lot about diversity scores now being something that is top of mind and getting a lot of mind share from vendor risk management programs.

And so what we've introduced is a framework that allows you to integrate with any type of provider, coming in from whatever providers you use, and we have the ability to now integrate with both scores and ratings. And for me those are two different things. So typically cyber security providers give you a score, right, a range from zero to 1000, or 350 to 900, whatever the case may be, but there may also be situations where that provider gives you a qualitative score, as in low, medium, high. And so what we had was a framework that allowed us to ingest security scores. We've expanded the use so that it can be more than just security, and now we can also ingest qualitative scores. And once we've ingested those, then there's a couple of things that we can do, and I'll focus on the rules themselves. So prior to this, we could send out vendor risk assessments: if we noticed that there was a drop of 20 percent in that risk score, we could automatically trigger a risk assessment. But again, feedback from customers was, we don't want to necessarily send out an entire risk assessment just because our score dropped by 20; let's just create an issue, or let me just get an email notification. So those are the types of things that we've incorporated in this. And then the final thing that you can see here on the left-hand side, and I think it's the more important one, is the fact that all of those scores and ratings coming from these external providers can now be a factor in your risk rating calculation. So before, they were there for display purposes and for a contextual, insight type of visibility that we provided, but we can now say that scores that come from external providers have a weight of 20 against my calculation, or 50 against my calculation, and those risk rating calculations can differ from vendor to vendor. So if you have a tier three vendor that you don't want to assess directly, you can say that external monitoring is going to be 80 of your score, because you typically ingest these types of scores for them, or vice versa, but that's really up to you as a customer, and these are highly configurable.

So what I'm going to spend the next couple of minutes on now is walking through what that looks like. So let me start with this record first, and what I'll show you in this record, the first thing, is these third-party scores. So I have a variety of third-party scores. Actually, let me change my record here; I want to use a different vendor. Seems like I used the wrong one here, so let me choose Vast Corporation. Yes, so I can see here I have a variety of different third-party scores from different types of providers. So we have things coming in from BitSight from a security perspective, and then I have financial, reputational and legal scores. Now, the important thing to notice is, whether the score is numeric in nature or a rating, qualitative in nature, what we do now is we transform it into this qualitative risk rating. Later on I'll show you how we also preserve that original score, but if you start playing with a bunch of providers, then it no longer makes sense to see 800 from one provider and moderate from another provider. What we do is we normalize those scores so that they all look and feel the same way to those business users. What we also do is we now introduce that external monitoring as a component, and so in this case, for the rule that is applicable to this vendor, which is the strategic partner rule, I specified that external monitoring should have a weight of 10. So despite the risk rating being moderate, at the end of the day it's a weighted average based on the risk rating and the weight that we've specified for that component.

And then the one final thing that we do is, if I click here on external monitoring, then I can get that visibility not of which provider that risk rating is coming from, but broken down by those four vendor risk areas. And so in here I see my security risk is moderate, and then also the weight against those vendor risk areas, so that in this case financial has the highest weight. But I can double-click on my external monitoring and now say, okay, it seems like from my providers my financial risk is moderate, and legal risk is actually the one thing that I should be worried about. And then the final thing that we do is that we roll all of those up, so whether these risk areas are being assessed at the child vendor level, whether they're being assessed at the engagement level, or whether they're being assessed directly through a vendor risk assessment, or now, with this new feature, coming in from a third-party provider, we roll those scores up and show them to you here. And so what I've done here, just for the demo purpose, is legal risk is a risk that is not being assessed in any of my child vendors, in any of my engagements, in any of my assessments, but rather this legal risk is being fed from the fact that a third-party provider is telling me that my legal risk is critical. And so we now provide you that visibility to double-click onto a vendor and view where your risk is coming from. You have the ability to define those weights, as I said, but also look at a vendor and say, well, for this vendor my reputational risk and legal risk are the ones that I have to be aware of, and it allows you to make better risk-informed decisions, not just knowing that your risk rating for this vendor is moderate but knowing where it comes from, as well as what it looks like from a vendor risk area or risk domain perspective.

Well, Jorge, we do have a question. You were talking about the new external feeds, the external sources that we have. The question is, do we offer integration with real-time vendor risk intel feeds?

So the way that we are doing things is that we allow those ServiceNow partners to integrate with us via the Store. Each one of those integrations has its own kind of property or configuration where you specify how often you want that API to get called and then pull that information into ServiceNow. So I think it depends on, A, the criticality of the data that you're receiving and, B, what the configuration has been set up for, if there is a requirement where you do need real-time data. So we are exploring, for instance, integrations with kind of disaster-type feeds, where they tell you that there's a tornado that may have impacted your vendor. COVID-19 is a perfect example of how one of your vendors may have been impacted and that may actually affect you. And so those tend to be kind of real-time pulls, and so that capability is in the product; however, we do not manage those integrations right now. We provide this framework so that our partners can integrate with us, and it is up to them to determine the frequency of how often they push data into ServiceNow.

So if we had a partner, they could conceivably set it up for real time. And this is something I think the customers can also help influence. I mean, if they have particular feeds that they're interested in, I think we would be interested in hearing about that, and also customers talking to those particular companies, if they have a relationship with them, to talk about how important it would be to get that into their vendor portal.

Yep. Excellent.

All right, and so then the last thing that I'll touch on for today's demo is the actual rules and what they look like. So this rule will be tied specifically to BitSight and their security risk score, and what I'm looking at is, if the score decreases by 50 percent, what am I going to do? And the first thing that I'll do is I'm going to go ahead and create an assessment, a new security assessment; I'm going to create an issue, create a task, and send email notifications. And by the way, I'll automatically submit those to the vendor, so there's no touch point, there's no manual intervention necessary to do that. However, I don't have to do all of these. I can uncheck these and simply send out an email to certain individuals, or I can select one, two or all of them based on who the provider is and based on the level of impact that I'm foreseeing happening because of this rule being violated.

So a couple of questions. We get back to the integrations; people are really interested in those, it's great. So a couple were wondering here which of the integrations we're actually looking at. So is RiskRecon, KY3P and/or TruSight available to integrate with VRM?

So as out-of-the-box integrations they are not, but they can be configured through IntegrationHub, which is a relatively simple task to do. However, we are in conversations with TruSight, we are in conversations with RiskRecon, and we have heard from KY3P. So the way that, again, our integrations work is that our partners build them, and so you can reach out to them, but if you wanted to create it yourself, you would do so through IntegrationHub, which allows you to create that integration and then drive action from that.

I will put a link in the chat to our ServiceNow Store, because that's really where you can find all of our integrations, and we've got a lot of them, and we've got more and more that are coming. So I'll even filter this a little bit so you just get the vendor risk integrations that we've got here. Awesome. All right, Jorge, anything else you wanted to show folks?

No, that's it for me.

All right, well, let me just, I'm going to steal the screen here really quick and again remind you of the upcoming events that we have coming in the next month, and also how you can connect with us. I will put that link in the chat here, but you can visit our GRC site, where you can learn more about vendor risk in addition to our other solutions. Jorge did mention BitSight; we will be having an Ask the Experts coming up here in the near future showcasing the new application that BitSight has introduced and how it integrates with Vendor Risk Management. There's some cool new things that we're doing to make it easier for you to see the impact of the security performance for vendors in assessments, so you're not having to go to multiple screens; you can hit the Vendor Risk Management application page directly. We really want to hear from you, so please connect with us through the community, and there are of course other Ask the Experts out on the YouTube channel that we have out there. So I do want to check the questions really quick and make sure we've got all those answered. I don't see any more questions up, so thank you all for joining us. I'll post that link in the chat real quick to the ServiceNow Store, and we really appreciate it, and hope you mark your calendars and join us for future Ask the Experts. And also drop us a line on any of those links to let us know what you want coming in the new year. Is there anything that specifically jumps out? Or just, yeah, post your question there, even if it's a specific product or a specific problem or interest. Let us know so that we can bring that information to you.

Okay, all right, thank you. Did you get that link, Teresa?

Now let me out. Thank you. All right, thanks so much.

Oh yeah, you got it. Yep, I did. Thank you, guys.

Wonderful, thank you.

View original source

https://www.youtube.com/watch?v=OfZr_hQSSLs