Over the last few weeks, we’ve been asking our mob members:
‘What advice would you give to anyone looking to implement the Integrated Risk Management application on the ServiceNow platform?’
This post will go into the key themes and messages that came from the teams who’ve successfully deployed IRM for our customers.
1. Review your data model
Ensure your data model is aligned with the latest version of the Common Services Data Model, this will ensure that IRM can align with business processes to reduce risk and assure compliance. This also ensures consistent and reliable information about your services and digital products are available for reporting purposes.
2. Cleanse your data
It might seem obvious but don’t underestimate the amount of time it will take to cleanse the data which will be uploaded into the IRM application. Ensuring you have cleansed data will ultimately increase productivity and assist in decision making.
Start by removing any duplicate or irrelevant data and ensure that data which is uploaded into ServiceNow has a purpose. In our experience delays to an IRM implementation are often related to data quality so the more prep that can be completed before we kick off the better.
3. Pick the low hanging fruit
When defining your roadmap, look for those early opportunities to reduce your risk exposure and remove administrative activities. A great place to start is by looking at those processes related to recent audit findings or control deficiencies.
4. Align with an industry best practice
Where appropriate align with an industry best practice such as ISO 270001, this allows you to baseline your citations/control objectives against those best practices and will bring down the time to value.
5. Identify common assets
Start to identify the assets which are related to an overall control objective / risk statement so that you can create that link directly in ServiceNow. One of the key advantages of ServiceNow is having that single system of record across your estate.
6. Focus your efforts
Ensure that controls are being created based on the company’s definition of what matters most. Otherwise, controls get applied to everything regardless of their importance. The result is mundane tasks which takes the focus away from the real risks that should be focussed on.
7. Rationalise your controls
Periodically review and rationalise the controls and ensure the following in considered:
· Does the control support the business’s objectives?
· Can we put in a better control that protects the business?
· Is the control preventing or detecting a risk?
· Can a simpler and more effective control be created to remove complexity?
· How can we automate the controls and remove manual tasks?
8. Consolidate your controls
Typically, organisations will have multiple regulatory bodies of which they have to adhere to, ServiceNow allows you to test your controls once whilst still proving compliance with all those regulations. This reduces the manual activity by not having to test multiple times and improves data quality through avoiding duplication of controls.
9. Define a Roadmap
We would always recommend starting small, large scale implementations will take months to implement and often won’t meet expectations from the business. Creating a roadmap that tackles challenges and pain points upfront ensures iterative releases of functionality which helps with adoption and delivers value faster.
Once you’ve defined that implementation roadmap start developing a plan for automating your controls over time and the requirements for automating those controls. This will significantly reduce manual testing against those controls and allow your teams to focus on continual improvement initiatives.
10. Never lose sight of the future vision
Last but by no means least focus on the end state goal for your implementation of IRM. This might be continuous monitoring in a way where you identify control deficiencies when they happen and can immediately work on remediation activities – You could take that one step further and include automation of some standard remediation activities too!
This will significantly reduce your overall risk, as well as the level of effort required remain compliant.
By James Morrisey