GRC Part 3 | Risk Management – Risk Register and Assessments
Hello, this is Scott Ferguson, Principal Solution Architect with our global GRC and security practice, and for the next few minutes I want to talk to you a little bit about our Risk Management application.

As we start the risk conversation, the first thing we want to do is provide a portal, because in many organizations like yours there are various risk owners throughout the organization, and they need one place where they can go to see: what are all of my risks, what are all of my mitigating or compensating controls, what are the risk assessments that I need to complete. You don't want to send them to different places to accomplish that. So we start with our portal. As a risk manager, Grace Abbott, our risk manager here, can sign into the portal, and the first thing that they're going to see, underneath the banners across the top, is their version of the risk register, or the "my controls" view. They can also see assessments that they need to take. We're going to pick up a couple of these pieces and then we'll switch roles from an end user to an actual risk manager, or someone within the risk team that's going to manage that risk, review that risk and look at the scoring of that risk.

The first thing we see here is Grace has the ability to complete a risk assessment. In this case Grace has been assigned a risk assessment; she's someone out in the organization, and she's going to start this process. She's presented with a form, a questionnaire, and they're the typical types of questions that you would expect when assessing, especially if you're looking at this from a qualitative perspective: questions about reputational impact, and so on. She's asked to answer these questions, and she goes through. She's also asked about what's the expected frequency of this risk event, which is more of a quantitative type of question, because we support both methods, and this is one that's going to drive things like your annual rate of occurrence: how frequent is this risk event likely? In this case maybe it's more than once a year. So we're looking at assessing this risk from an inherent perspective. As she continues down the path, she is also asked to assess this risk from a residual perspective, after you implement a series of mitigating or compensating controls. She's asked to answer the same questions: what's the expected frequency? We're going to put in controls to keep this from occurring, so that expected frequency is going to be a longer period of time. We answer these questions and we submit. So this is a very easy and simple way for those people within the organization that need to complete these risk assessments to do that through the portal. The other thing that Grace sees here as part of this is she also has visibility into that set of mitigating and compensating controls that are tied to those specific risks.

Now, the other thing that I want to point out here, while we're on the portal and we're talking about Grace's experience, is she also has the ability to see her risks. Now that I've drilled into this specific risk, Grace can see the details, from the state that it's in to the category (it's an operational risk), which assessment had to be completed, as well as the scoring that goes with this from an inherent and a residual perspective, in either the qualitative or the quantitative methodology. She has visibility into all of that information. She also, at the bottom of this form, has visibility into what are those mitigating controls, what are the compensating controls, what are the assessments that had to be completed, and are there other related policy exceptions. We talked about this in the policy and compliance presentation that we've done, but you've got policy exceptions, and just because that exception was approved doesn't mean that the risk doesn't still exist, and this is where that would manifest itself.

Now, we see all of this type of information from the service portal, but let's flip over and see this from someone that may be working risks for the entire organization, not just specific ones. The first thing that we're going to see here is we've got our risk overview dashboard. You've got a set of inherent risk reports and you've got a set of residual risk reports, and you would expect to see that you get better over time. When we load this particular dashboard, the first thing that you'll see across the top is a very quick color-coded set of what are the risks that I have in my organization. But we can also break that down in a couple of different ways. If you adhere to a more qualitative approach to risk assessments, you're going to see this inherent risk heat map that takes your impact and your likelihood and plots them over a heat map, a configurable heat map that has the red, yellow and green tiers. But we also give the ability to look at risks from a more quantitative perspective: I can see things like what was the single loss expectancy over the annual rate of occurrence, which gives me that annualized loss expectancy, and I can plot out those risks to my organization from a more quantitative perspective. All of this information is available to me on my dashboard. I have those same sets of reports from a residual perspective, and I can see here the risks mapped out on my heat map and the bubble charts from a residual perspective as well.

One of the things that I want to point out, though, is that these are all actionable; we've got one-click kind of reporting. In this case, if I wanted to look at our financial application, I look at my financial accounting app, I filter that down, and my entire dashboard updates to reflect just that specific asset that I'm looking at. Because I filtered this by my financial accounting application, it shows me that I only have three risks, and it's actually a little scary, because from a financial accounting perspective they're all pretty high. So we may want to drill into this a little bit more. If we drill into that very high risk that we have to the organization, it takes us into our dynamic risk register. The ServiceNow risk register is not just a static spreadsheet; it's not just a static list of all of those risks to the organization where you have to sort through it manually and understand what your exposure is. The ServiceNow risk register is very dynamic, and you can see here that I got to a filtered risk register based upon something that I clicked on within the dashboard. Now I absolutely could drop off other pieces of this and get into an entire risk register of all 489 risks that I have within the environment. Just to demonstrate some of that flexibility: I see things like my inherent and my residual score; you can do things like filter out things that have a very low residual score, or only show things that are operational in nature (I can just show my operational risks); maybe I want to right-click and filter out those things that are in a draft state. You can see that the number of risks in this dynamic risk register starts to narrow in on just those things that I care about. From here, maybe we continue to eliminate some of the smaller noise, and we're going to get down to that set of things that we really care about, and there we also see that same one that we were looking at before. So if we look at the loss of availability for our financial accounting app, let's look at that very high risk one in a little bit more detail.

On that particular risk, the first thing that I'll point out, just like we saw in previous demonstrations around policy and compliance, is there's an entire life cycle. We have life cycles to risk, we have life cycles to incidents or issues, we have life cycles to all of the other pieces that make up the GRC suite, and risk here is no different. A risk first gets identified and it comes in at a draft state, and then you assess it. We saw an example of what that assessment looked like when we were on the portal: Grace had to go through and answer a series of questions. Now, from a risk manager perspective, if I wanted to see the answers to Grace's questions, they're right here at the bottom of this form, so I still have the ability to go back in and look at the details of what may have been responded or how that was responded to. Then we get to the point where we have to decide how are we going to respond to this risk, what is our response. If we look here in the middle section of this particular risk, the risk response is where we're going to determine: do we want to mitigate this risk, do we want to avoid this risk, do we want to transfer this risk, or do we want to accept this risk. There are really four different risk responses that are a part of the ServiceNow platform. This one was listed to mitigate. Now, we could go down the accept path, and the workflow is going to take us through a series of approvals; someone needs to evaluate that, is this the right thing to accept, and we're going to have that acceptance that comes with that. The one that we're looking at here is going down the mitigate path. So the first thing that you're going to do when you mitigate a risk is someone has to develop that risk mitigation plan. The workflow that's behind driving that through the risk platform automatically created this risk response task, and in this case it's the mitigation task. You can see here where Grace was the owner of this particular task; it came in a draft state, she has to put together this plan, and the plan is to implement some mitigating controls. At this point it has to be reviewed, and we're probably waiting on someone; she lists those additional mitigating controls here, and then someone has to review that and approve it and move it forward within the process.

If we go back to the risk itself, it's in this review state, and in that review state is where we're going to see someone within the organization that has to approve the fact that these are the right mitigating or compensating controls. You can see in this case there are nine controls that have been associated to this risk as compensating controls. Now here's where it gets interesting when you start to put policy and compliance together with risk into a single consolidated platform: you're going to see a couple of things. Notice here, and again this is covered in the policy and compliance application, I have a set of these controls; some of them are compliant and some of them are non-compliant. Well, one could argue that if a mitigating control that was put in place to make sure that this risk was not exploited is a non-effective control, then I'm probably not actually achieving my residual risk score. This is how that's going to manifest itself when we look at the scoring of a risk. You've seen various pieces of this as we've walked through the risk application thus far, but we started with this inherent risk score: the impact was very high, the likelihood was extremely likely. We went through an assessment and we went through a risk mitigation plan, and we put in some mitigating controls, and the idea there, or the outcome of that activity, was that over here on the right you see that the residual impact was low, the residual likelihood was extremely unlikely, and that drove us to a residual risk score of very low. That's fabulous, but what we realize is that we actually have ineffective mitigating controls.

So what ServiceNow is doing for you here with this risk scoring is what we're going to use to help automatically assign, for easy prioritization, who needs to do what. But through this calculation we're also able to spot new high risks or emerging threats in real time; that's going to help you control your actual risk exposure. You see that right here with this calculated risk score. ServiceNow is actually calculating a risk score for you based upon really two things. The first one is the effectiveness of your controls, and we've already seen that the controls that were associated to this risk are halfway: only half of them are actually effective. If I select the monitoring section here in the middle of this risk, you actually see that there were nine controls, four, five of them were non-compliant, so I've got a control failure factor of 44. Half of my risk indicators are failing, and because of that I'm calculating a risk score. We're able to spot those high risks, those emerging threats to your organization, in real time and actually help control risk exposure to the organization. This is what shows up on that dashboard. If we go back to our risk dashboard, what we're going to see is those things that show up on this dashboard that are now very high risk. This information is going to be updated automatically based upon my control effectiveness, based upon my risk assessments, based upon risk indicators, and now I can manage my business through the risk indicators or through the risk dashboards in the ServiceNow platform.

So this wraps up our conversation around risk management, and if you'd like some additional information, don't hesitate to check out the ServiceNow website. That wraps up our conversation on risk management.
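A worked example added here (not ServiceNow code and not from the presenter) of the quantitative scoring the demo walks through: annualized loss expectancy from single loss expectancy and annual rate of occurrence, the control failure factor over the nine associated controls (four non-compliant gives 44), and an assumed adjustment that pulls the residual figure back toward inherent in proportion to the share of failing controls. The SLE/ARO values, the control names and the adjustment formula are constructed assumptions, not the platform's algorithm.

```python
"""Added example: quantitative risk scoring with a control-failure adjustment."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    compliant: bool


@dataclass
class Risk:
    name: str
    sle_inherent: float   # single loss expectancy (currency) before controls
    aro_inherent: float   # annual rate of occurrence before controls
    sle_residual: float   # SLE after mitigating/compensating controls
    aro_residual: float   # ARO after mitigating/compensating controls
    controls: list = field(default_factory=list)


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = SLE x ARO."""
    return sle * aro


def control_failure_factor(controls: list) -> int:
    """Percentage of associated controls that are non-compliant (rounded down)."""
    if not controls:
        return 0
    failed = sum(1 for c in controls if not c.compliant)
    return int(100 * failed / len(controls))


def calculated_ale(risk: Risk) -> float:
    """ASSUMED adjustment: the residual ALE only counts to the extent the
    controls actually work; the failing share moves it back toward inherent.
    This is an illustrative formula, not ServiceNow's calculated risk score."""
    inherent = ale(risk.sle_inherent, risk.aro_inherent)
    residual = ale(risk.sle_residual, risk.aro_residual)
    failure = control_failure_factor(risk.controls) / 100
    return residual + (inherent - residual) * failure


# Constructed sample: loss of availability of the financial accounting app,
# nine controls of which four (CTRL-1..CTRL-4) are non-compliant, as in the demo.
FIN_APP_RISK = Risk(
    "Loss of availability - financial accounting app",
    sle_inherent=500_000, aro_inherent=2.0,   # more than once a year
    sle_residual=50_000, aro_residual=0.1,    # roughly once a decade after controls
    controls=[Control(f"CTRL-{i}", compliant=i > 4) for i in range(1, 10)],
)

if __name__ == "__main__":
    print(control_failure_factor(FIN_APP_RISK.controls))  # 44
    print(calculated_ale(FIN_APP_RISK))
```

With four of nine controls failing, the assumed adjustment lifts the "very low" residual ALE of 5,000 to 442,800, which is the kind of jump the demo's calculated risk score surfaces on the dashboard.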
https://www.youtube.com/watch?v=ecTY0MpHeB4