NJP

GRC Portfolio Overview Demo

Import · Oct 12, 2020 · video

Hello everyone, Scott Ferguson, Director of Outbound Product Management for our Risk solutions. I want to spend just a couple of minutes today giving you a quick overview of our GRC suite of products.

So we're going to start with a business stakeholder, in this case James, who's part of our finance organization, and we've given him a service portal to give him access. This is a slightly configured service portal, but it's just to give quick access to some of the capabilities that our stakeholders would want to have access to. So, for example, from a Policy and Compliance perspective we have access to the policy library, where he has access to the standards, the procedures, any policies that may be published that he may have to have access to, or to understand, or even attest to. In this case he can quickly drill into one of those and see the details that may be behind that particular policy, as well as have access and visibility into the requirements when we've brought data in from an external source like the Unified Compliance Framework, where we may be bringing in regulations, standards, frameworks, and we can tie that information back to these individual policies so that someone has an understanding of what it is that they need to do and, more importantly, why it is that they need to do it.

From here we also have the ability to submit things like a risk event or a policy exception. So what we see here, in the ability to report a risk event, is we're going to give James a form to fill out where he can kick off the process or the workflows around responding to this event that has occurred: how was it discovered, what's the impact of that, what needs to be done. He can submit this through a Service Catalog item within the service portal. He also has the ability to do this through the Virtual Agent, so in this case, as we start having a conversation with the Virtual Agent, we can quickly see things like, well, we want to submit a risk event or we want to submit a policy exception, and we can do that through a Virtual Agent.

James also has the ability to respond to control attestations and risk assessments through the service portal, where he can provide the evidence that he needs to say that yes, this control is in place, or respond to a risk assessment and provide the information that we need to properly score a risk. Those scores are used when it comes to understanding a risk framework or a risk library. So in this case James has access to all the risks that have been assigned to him. He can view his dynamic risk register, he can do things like filter and apply different filters to this information to get to just the individual records that he's looking for, and he can export this out into multiple forms so that if he needs to send it to a third party, or whatever that may be, he has access to do that from within the service portal. Finally, he also has access to things like his controls from Policy and Compliance, or audit tasks that have been assigned to him from an audit perspective, or any of the response tasks or remediations that have been assigned to him through the various aspects, through issues and tasks.

Now, quickly, as we switch personas, we start with our risk overview dashboard, and this gives that risk manager, that compliance manager, access to see the entire exposure to the organization through a heat map, as well as integrations to things like RiskLens, where they can bring in and supplement things within ServiceNow with this additional information. Or, as we look at things like risk tolerance based upon the risk appetite of an organization, and they set the thresholds around tolerance, we can see risks roll up: risk scores by risk statement, where what's the average, the min and the max of those scores, as well as the sum. So as an organization we can see the greatest area of exposure from a risk perspective.

As we drill into this and touch on this a little bit further, our risk manager has the ability to filter the dashboards as well, and as we drill into this, using the same example that our stakeholder used, we can look at this set of risks that are maybe high, and our risk manager wants to focus on just some of those. As we take a look at the risk, and I won't go into all of the details here, there's an entire life cycle: we assess, where we take the assessments; we respond, and we've got the response tasks and how we're going to activate that; but then we also have the ability to monitor. In this case we've got a couple of different ways. We can tie these to controls, and using continuous controls monitoring within Policy and Compliance we can actively look at compliance and non-compliance and have that affect our risk scores automatically. We can use risk indicators. In either case, any of these, whether it's continuous controls monitoring in Policy and Compliance or the automated risk indicators within Risk, are going to leverage data from anywhere in the platform. So in this example I'm going to look at a security incident, and because that security incident exists I can use that to automatically elevate the risk so that it shows up on that dashboard. Because this indicator has failed, we have a control failure factor, and in the end we're calculating a new risk score of high. Based upon these various methods, whether it was Policy and Compliance or it was the risk indicator, this would manifest itself on that dashboard, and if we jump back to our dashboards we can see that same information then as it's moved up in our heat map.

As we move into our Audit Management application, we have visibility into bringing all of this information, from a policy compliance and a risk perspective, into one area. It's that "trust but verify": we can know that the controls are in place, we can know that the policies are in place, we can know that risk assessments are occurring, but we need to validate that through test plans and control tests. We're going to evaluate the evidence that's been gathered in the Policy and Compliance application, we're going to evaluate information that may be available from a risk perspective, and we're going to understand, from an asset-centric view of GRC, how those different departments and business services or vendors or applications are doing from an audit perspective.

Finally, the last thing that I'll talk about is to just give you a quick overview from a third-party risk or a vendor risk perspective. As we look at this vendor dashboard, our vendor manager has the ability to see what that portfolio is. We can do our risk tiering assessments to understand the criticality of a particular vendor and put them in the proper tier, then kick off a series of assessments, whether it's using the SIG or a data center questionnaire or a cloud security questionnaire. We can do document requests, like ask for a SOC 2 or a survey, and then the vendor can interact with us and provide this information back through the vendor portal: respond to those assessments, respond to tasks, and have this dialogue going back and forth.

So I appreciate your time today, as we've done a quick walkthrough of our risk suite of products within ServiceNow. Thank you for your time today.

View original source

https://www.youtube.com/watch?v=kptKG41r3so