Integrated Risk Management Release Notes | August 2022

The Integrated Risk Management (IRM) suite of applications manages releases through the ServiceNow Store rather than through platform family upgrades. This allows more frequent releases - typically, on a quarterly basis - of both enhancements and big fixes. With more frequent updates, it can be hard to determine what is and is not important; and, if you should upgrade all of your IRM applications every time. To simplify the decision-making, we've paired ServiceNow’s most noteworthy IRM release notes with in-depth insight ("What it Means for You"):

• Policy and Compliance Management (v15.0.1)
• Risk Management and Advanced Risk
• Vendor Risk Management (v15.0.7)
• Operational Resilience (v15.0.3)
• Business Continuity Management - no major updates/fixes in this release
• Audit Management - no major updates/fixes in this release

Stay tuned for more information on updates/fixes pertaining to the Security Operations suite of applications!

Policy and Compliance Management (v15.0.1)

New Item | Introduction of Functional Domains within Compliance Workspace

What it Means for You

ServiceNow has been emphasizing Workspaces in recent years, and the Tokyo release continues to build on functionality within the compliance workspace. Specifically, this release adds a new field, Functional Domain, to the settings tab on records in the Compliance Workspace. This new feature allows for records to be classified in different areas (IT Risk and Compliance is the focus in this release), which in turn grants distinct teams the ability to see items related to their domain within the workspace (i.e. IT teams can see tailored views of Controls, Issues, etc. within the IT Risk and Compliance domain).

New Item | Integration of Advanced Risk Assessment with Exceptions

What it Means for You

Continuing the trend of Policy Exception enhancements, the Tokyo release introduces OOB functionality enabling customer to leverage advanced risk assessment functionality to assess the riskiness of a Policy Exception. To enable this, a new Method field is added to Policy exceptions, so users can choose which option to exercise.

Enhanced Item | Policy as Code Engine (PaCE) & New DevOps Accelerator for Control Compliance

What it Means for You

An under the radar feature introduced in San Diego was the new compliance Policy as Code Engine, or PaCE. This feature allows for writing policies with executable code, which can then be associated with various items in the GRC space, allowing for increased automation in the compliance space (specifically around code deployment).

The Tokyo release builds on this functionality by adding in a new accelerator to this space, specifically geared towards DevOps compliance. This plugin loads some initial PaCE policies, which come linked to some key control objectives across regulations like CIS, NIST 800-53, ISO 27002, & PCI DSS.

Enhanced Item | Confidentiality Enhancements- Record Level Access Limitations for GRC Tables

What it Means for You

With the new San Diego release, ServiceNow introduced functionality allowing for greater record separation/access within the GRC modules. Now in Tokyo, ServiceNow has built on that functionality. In addition to some default confidentiality flag functionality on key records (i.e. Issues, Policy Exceptions, Evidence Requests), customers can now use confidentiality configuration records to add this functionality to any table in the GRC space.

Enhanced Item | Evidence Request Enhancements – Reuse Evidence

What it Means for You

Loaded with the latest versions of the IRM applications, is a change to existing role inheritance and system Access Controls. GRC Business Users will no longer inherit the GRC Reader role, and thus will have slightly less read access in the space.

Enhanced Item | Policy Exception Enhancement – Multiple Extensions to Exception

What it Means for You

After adding some enhancements to Policy Exceptions in San Diego (specifically the ability to have single exceptions against multiple controls), the Tokyo release continues the trend. In this release customers are able to increase the number of times a user can request an extension against a Policy Exception from once to a number of their choosing. For these extensions, justification can be updated, and reason can be adjusted

Enhanced Item | Policy Exception Enhancement – New Expired Substate

What it Means for You

Expired substate on the Policy exception record will help users quickly identify which policy exceptions had been approved, but now have passed their validity date.

Enhanced Item | Policy Exception Enhancement – Verification Approvals

What it Means for You

Policy exceptions submitted from will now have the option of going through an initial approval, called verification approval, if an approval rule for this has been set. These types of approval rules can be easily configured through the application’s existing approval rule configuration table.

Risk Management and Advanced Risk

New Item | Multi-level Approvals for Advanced Risk Assessments

What it Means for You

Starting in Tokyo, users of Advanced Risk Management can set-up more advanced approval workflows for their assessments, code-free. This will allow multi-level, or staggered approvals, which would only be triggered if the first wave of approval passes. This helps with escalation, and streamlining higher stakeholder approvals.

New Item | Assess Controls Using Group Factors in Advanced Assessment

What it Means for You

In addition to the approval changes above, another update to Advanced Risk assessment is the ability to support grouped questions pertaining to controls and control data. Specifically, this adds better support for things like Control Design and Effectiveness testing as part of an Advanced Risk Assessment.

New Item | Ability to Simulate Advanced Risk Assessments

What it Means for You

Also new in Tokyo, is the ability to simulate a Risk Assessment. Now, instead of needing to send out an assessment and return it to see how questions looks, feel, and are scored, the platform supports the ability to simulate responses/workflow. This makes designed, and tweaking, advanced risk assessment workflow and scoring simpler and much more efficient.

New Item | Risk Event Recommendations

What it Means for You

Continuing the trend of efficiency in Tokyo release, new functionality has also been added to help associate similar risk events together. New AI will help learn about reported Risk Events at a customer’s organization, and can then assist in linking those similar records together. This ensure similar events are being managed in the same ways, and helps in solutioning the mitigation of inciting events.

Enhanced Item | Risk Heatmap Workbench

What it Means for You

Starting in San Diego, the Risk Workspace contained a Risk Heatmap Workbench for more advanced heat map functionality. Tokyo builds on this functionality, specifically adding in upstream/downstream risk visibility, trend data (how risk have moved on the heatmap), and more risk details when interacting. This is yet another element of valuable data extractable from the Risk Workspace.

Enhanced Item | Confidentiality Enhancements- Record Level Access Limitations for GRC Tables

What it Means for You

With the new San Diego release, ServiceNow introduced functionality allowing for greater record separation/access within the GRC modules. Now in Tokyo, ServiceNow has built on that functionality. In addition to some default confidentiality flag functionality on key records (i.e. Risk Events, Issues, Evidence Requests), customers can now use confidentiality configuration records to add this functionality to any table in the GRC space.

Specific to Risk, records found to have this confidentiality functionality enabled are:

• Risk Events
• Issues
• Remediation tasks
• Policy Exceptions
• Evidence Request tasks

Vendor Risk Management (v15.0.7)

New Item | Vendor Portal UI Change

What it Means for You

With the Tokyo release, ServiceNow has also introduced a new version of the Vendor Risk Management application (15.0.7). In addition to the new functionality around 4th party Risk, the latest version of VRM brings about a new-look Vendor Portal. This portal will more closely align to the new Employee Center, and new system UI. However, for existing customers, keep in mind that updating to this version of Vendor Risk Management will alter the display of your vendor risk portal and re-branding may be required.

New Item | Third Party Score Roll-Up

What it Means for You

With the latest version of the Vendor Risk Management application, the option to have third-party vendor scores roll-up has been introduced. This give users more ability to leverage third-party scores, and see how that factors into the overall compliance scores of vendors and their parent vendors.

Enhanced Item | Enhancements to Provider-Based Submission Rules

What it Means for You

With the Tokyo release, and the new version of the Vendor Risk Management application, ServiceNow has added new enhancements to the Provider Based Submission rules in the platform. These submission rules help kick off tasks, assessments, or issues, based on scoring provided by a Third-Party integration. The enhancements specifically expand the options you can take when a Third-Party integration informs you a Vendor’s score has changed.

Operational Resilience (v15.0.3)

New Item | Perform Scenario Analysis

What it Means for You

With the new Tokyo release, ServiceNow has introduced functionality allowing for users of the Operational Resilience module to analyze how different scenarios would affect business services at the organization. Scenario analysis is a new table, equipped with a workflow, fields, and related lists which all facilitate the ability to define a scenario and determine impact to services of your choosing by selecting those services, participants, and scenario events.

New Item | Business Services and Related Lists 

What it Means for You

The Tokyo release of operational resilience also emphasizes the importance of tracking business services to maximize value of this application. This new functionality relies on relationships in the CMDB to help define services and relationships in the Operational Resilience application. This data is then used, in combination with entity data from other GRC/Security Applications, to help define and drive resilience data, like the above scenario analysis and reporting functionality

New Item | Analyze Importance and Impact Tolerance of Business Services 

What it Means for You

Tied to the above introduction of Business Service data to Operational Resilience, Tokyo brings about the ability to use questionnaires/assessments to help determine Importance and Impact Tolerance for an asset. These questionnaire templates contain scoring to determine a rating, and do have approval processes included.

New Item | Self-Attest Business Services

What it Means for You

Similar to the above Importance and Impact Tolerance assessment, Tokyo also introduces Business Service self-assessments to the Operational Resilience application. These assessments can be used to gather current state details of a business services from the appropriate service owner. With this functionality, Service Owners can verify the status of their business services, determine if any service was breached, and self-attest the current status through generation of a self-attestation report which can be uploaded to the system.

Next Steps

Interested in more details? Concerned about the potential ramifications to your current environment? Curious about prior release notes? Feel prepared and confident before your next upgrade by talking to a certified ServiceNow expert.