Integrated Risk Management
Solution updated on January 15, 2025

The ServiceNow Integrated Risk Management (IRM) solution set (see Figure 1) now supports a broad range of GRC requirements that are common across many types of organisation. Its product delivery domains are:
- Enterprise risk management
- Policy and compliance management
- Operational risk management
- Cyber and tech risk management
- Regulatory change management
- Internal audit
- Operational resilience management
Within ServiceNow’s broader portfolio of ‘risk solutions’, the company addresses requirements for: Third-party risk management; Environmental, social, and governance; Privacy management; and Business continuity management.

Functionality to support organisational AI governance is planned for an upcoming ServiceNow release. ServiceNow ships such releases biannually.
The capabilities within IRM are underpinned by platform applications that directly support GRC use cases, including issue and case management, continuous monitoring, configurable risk assessment, an evidence repository, metrics for key risk/compliance indicators (KRIs/KCIs), scenario analysis, and content and threat data feeds.
Many of the generic, platform-delivered ServiceNow capabilities can also be used to support agile GRC functions, including workflow definition and orchestration, service catalog, service portal, an integration hub which supports pre-built custom integration with third-party systems, inbuilt standards-compliant security, support for service subscription and notification, contextual collaboration, visual task boards, predictive analytics functions, a knowledge base, developer tools with an app studio environment, support for mobile-based user experience, dashboard and reporting tools, AI, and supervised ML.
Customer Quotes
“As we move towards a world where risk and compliance is necessary for us to have competitive edge, ServiceNow’s products help us move the needle.”
Anirban De, Head of Technical Assurance and Automation, Uber
“We chose ServiceNow because it is a top-tier solution that gives us transparency and efficiency around risk and compliance management.”
Bjørn Rasmussen, ServiceNow Security Architect, Topdanmark
ServiceNow products present users with inherently integrated processes and a consistent approach to design, look and feel. This can help users minimise costly delays or confusion caused by difficulties using potentially complex business processes such as those around GRC functions. IRM, and other ServiceNow products, are appropriate for any size of organisation, from the largest multi-nationals to mid-sized enterprises. Around 75% of ServiceNow customers pay less than $1 million annually in subscriptions, illustrating this diversity in its user base.
Other ServiceNow process areas (e.g. customer service, service desk, HR, IT security, and financial operations) can readily integrate with GRC processes, increasing the value gained from investments in risk and compliance insight. An example would be to invoke a risk assessment process during a generic business process such as customer onboarding. Similarly, risk data can be embedded within processes and decision-making, which can reduce costs (e.g. of compliance) – and ServiceNow provides pre-built integrations of risk-related information for many critical use cases such as security incident investigation, and application risk assessment.
AI is already incorporated within operational GRC processes, helping to streamline tasks. Examples of its use include categorisation of risk, identifying trends relating to loss events, suggesting remediation plans that might helpfully be reused, and providing predictive help for selecting appropriate ownership of risk.
ServiceNow is one of only two major players in the GRC space that also provide other solution types. All the dozens of others are pure-play GRC vendors. That may change as the market continues to grow towards greater maturity, but currently most ServiceNow customers enjoy a unique benefit: all the base data that enables GRC solutions to deliver organisation-specific insight and value can be leveraged by many other enterprise solutions, via ServiceNow’s platform approach. Evidently, with around 1400 customers using IRM and related risk solutions, the multiplying advantage (and ongoing cost-saving) of only making that investment once makes sense to many organisations.
Prominent executives from competing, pure-play GRC vendors have moved to senior positions, and subsequently stayed, with ServiceNow in recent years. In this period, the functional scope of the Integrated Risk Management offerings has increased considerably. This suggests that ServiceNow is appropriately and strongly invested in this market area, at a time when GRC is becoming a more important priority for enterprises globally.
My question of the company over a number of years has been whether it is only existing ServiceNow customers who would find the best advantage from implementing IRM as their GRC solution of choice. The answer from the company is now very clear – that for some customers, IRM is the initial attraction to ServiceNow, and the first functional area in which they adopt ServiceNow solutions. Part of that attraction may well be the depth of integration between IRM and other ServiceNow offerings, which provides the easiest way to foster a standard risk taxonomy coming into use across the enterprise. The major advantage of that is to smooth and improve the overall integration of risk management across organisational areas, with fewer mistakes and lower cost likely.