ServiceNow Risk Management Application Demo

Cerna is Now Thirdera · Jan 06, 2021 · video

Hello everybody, I'm Matt Mays, Senior Technical Consultant for Cerna Solutions. Today we are going to explore the Risk Management application, part of the Integrated Risk Management program on the ServiceNow platform. ServiceNow's Integrated Risk Management program is made up of five applications: Policy and Compliance Management, Risk Management, Audit Management, Vendor Risk Management, and Business Continuity Management. These five applications can be used together or stand alone, depending on the needs of your organization.

Let's take a look at an overview of Risk Management. Risk management on the ServiceNow platform enables organizations to continuously monitor and to identify high-impact risks, improve their risk-based decision making, and to reduce reaction time from days to minutes. ServiceNow helps organizations accomplish this by identifying risk to key processes and business objectives, defining those risks, and performing risk analysis and assessment on them to determine the risk response and create mitigation plans, and to actively monitor risks. If the organization is also leveraging the ServiceNow policy and compliance application, then controls and policies can be defined to mitigate risk. Control failures will automatically generate issues and inform the risk score in real time. Those issues are able to be analyzed and worked to closure, or generate policy exceptions. For more information on the policy compliance application, please see our video on Policy and Compliance Management in the ServiceNow platform.

So what can ServiceNow do for your risk management program? Well, our goal is to get you here, to the Risk Overview dashboard, where your organization is able to show a roll-up of the inherent and residual risk impacting your organization. We've got our risk scoring across the top, and then we can see a visualization of our risk via the inherent risk heat map and our risks by category. On the Residual tab, we see our leftover risk after we've implemented our mitigating controls. We have our scoring across the top again, our visualization of a heat map, and our risk by category. We're also able to filter on both the Inherent and Residual tabs by the various states of our risks. For example, if we just want to see our risks that are in the assess phase, we can uncheck the All box and check the Assess box. Now we only see our risks that are in the assessed state.

So how are we going to get you here? We're going to start off with identifying the risks your organization faces and storing them in the system as risk statements. Risk statements are essentially templates of the risk we face just by doing business. Once we have imported our risk statements, we're going to apply them as risks using our scoping mechanism. Here we see the risk of loss of availability applied to the SAP Financial Accounting entity. Entities are records that aggregate compliance and risk data for any organizational items, such as departments, locations, applications, services, etc. Entities can be related to each other to show how their control and risk posture impact the organization.

Back to our risk of loss of availability for the SAP Financial Accounting entity. If we look at the top of the screen, we see the chevrons indicating the life cycle of our risk. Our risk starts off in a draft state and then moves to assess, where our risk owner completes a risk assessment for our risk. Once our risk owner has completed their risk assessment, our risk moves to respond, where our risk analysts determine how to respond and score our risk. Once we have determined the appropriate response for our risk, it moves to a review state, and our risk managers validate the response as appropriate. After our risk managers have completed their review, our risk moves to the monitor stage and we begin active monitoring. Finally, at the end of the risk's life, it moves to a retired state.

Since our risk is in the assessed state, let's take a look at the risk assessment assigned to our risk owner, James Vittolo. From the ServiceNow Service Portal, the risk owner, James Vittolo, comes to the GRC menu item and picks My Risk Assessments. He then selects Take Risk Assessment and clicks Get Started. From here, James completes the survey to provide his input on the inherent impact and likelihood of the risk of loss of availability occurring for SAP Financial Accounting. As James completes the survey, he marks values on impact being higher and likelihood being more frequent, because mitigating controls have not been implemented yet. After completing the inherent portion of the risk assessment, James completes the residual portion. He must consider how the mitigating controls the organization is going to put in place will lower the impact and likelihood of this risk occurring. After completing the survey, James clicks the Submit button.

After the risk owner completes the risk assessment, the risk analyst returns to find the risk in the response state. The risk analyst is able to come down and view the risk owner responses. This helps the risk analyst inform the appropriate risk response, which includes accept, avoid, mitigate, or transfer, and for the risk analyst to determine the appropriate risk scoring of inherent SLE, inherent ARO, residual SLE, and residual ARO. Once the analyst is satisfied with the inherent and residual risk scoring, the analyst selects the Response tab and then selects the appropriate risk response. In this case, the analyst will select Mitigate and then select Save from the menu.

Now that we've determined a risk response, we can come down to the Risk Response Task related list and select the risk response that was generated. The risk response task provides us a workflow to capture and document our risk response. In this case, we'll capture the risk mitigation plan. We'll quickly move through the workflow. When we return to the risk of loss of availability for SAP Financial Accounting, we see that the risk is now in review and that the risk mitigation plan has been copied to the risk record. After reviewing the risk, if our risk managers agree with our risk response plan, they can click Monitor and our risk will be moved to a monitor state.

Now that our risk is in a monitor state, we can click the Monitoring tab and click the Controls related list. If we scroll down and look at our list of controls, we'll see that their statuses roll up to the control compliance percentage, which results in a control failure factor of 64. Our control failure factor directly informs our risk scoring. When we click on the Risk Scoring tab, we see that our risk has a calculated score of 3, moderate. This is in between our inherent score of 4, high, and our target residual score of 2, low. The calculated score happens automatically in real time as our control compliance changes. This enables us to see the impact that the control compliance of our mitigating controls has on the risk in real time.

Finally, we want to look at our risk register. Our risk register is a roll-up of all of our risks across our organization. The ServiceNow list view is how we look at our risk register, and it's also how we work with bulk data in the system. From the list view we can do many things. For example, we can create reports on demand, and we can export data to things like Excel or CSV. From the list view we can also quickly filter on data. We can right-click on SAP Financial Accounting, click Show Matching, and now we're only seeing risks that apply to the SAP Financial Accounting entity.

Thank you for watching Risk Management in the ServiceNow Platform, presented by Cerna. Like this video and subscribe to our channel for more great integrated risk management content. For more information or to contact us, see the information on the screen.

View original source

https://www.youtube.com/watch?v=UCuIL9h4N1I