When embarking on a journey, knowledge of the territory between us and our destination is valuable. With an accurate understanding of the surrounding hills, valleys, mountains, and rivers, we can chart the best path forward and prepare for the expedition accordingly.
Thinking of risk as a landscape is simply the application of this concept to risk management. In this post, we will take the analogy a step further: leveraging core principles from traditional map-making to gain a better understanding of the extent and characteristics of risk exposure.
Here is a four-step strategy for mapping out your risk landscape in ServiceNow:
#1) Select a Theme. When creating a map, we first need to identify a purpose or theme that will dictate how we approach the rest of the process. Are we looking at topography, demographics, or climate? Our selection will establish the lens through which we view the terrain. Similarly for risk management, we must determine a focus area like information technology risk, operational risk, or enterprise risk to guide us as we survey the operating environment.
Technical Note: ServiceNow’s risk management modules have the capacity to manage a single category of risk in isolation or multiple categories/frameworks simultaneously.
#2) Identify the Boundaries. After choosing a theme, we need to establish the scope or boundaries for our map. In the physical world, we could set our focus on a global or national perspective, or even choose to look at a specific region. When it comes to risk management, the scoping exercise will have layers with complexity mirroring your organizational structure and operating environment. At the macro level, there may be different sub-entities and business units to single out based on size, function, or other characteristics. Further down the hierarchy we may need to consider technical boundaries, such as whether to include a segregated PCI network for IT risk, or more broadly, how to address third-party risk.
Technical Note: ServiceNow’s organization hierarchy and ITSM modules can be connected to the Risk Management application; the shared data can be leveraged when modeling out the operating environment.
#3) Label Important Areas. After clear boundaries have been determined, we're ready to begin labeling the details. In a political map, this would involve defining countries, cities, and various jurisdictions. For risk management, labeling correlates to the classification of entities within the boundaries of our operating environment. It's imperative to utilize a level of granularity aligned with your program’s objectives. In some instances, we may only need to delineate between broader system types (e.g., an application vs. a network), whereas in others we may want to dive into the specific characteristics (e.g., on-prem vs. SaaS).
Furthermore, it is important to document the relationships between systems to gain an appreciation of risk in relation to the full technology stack for a particular application or the various components involved in a critical process. Populating this information will provide substance to our map, and ultimately the value we set out to achieve.
Technical Note: In ServiceNow, these important areas would be called Entities and can be thought of as any system/process/item we would like to risk assess or manage.
#4) Maintain Currency. Maps in the physical world can become out of date fairly quickly, yet they still move at a snail’s pace in comparison to the rapid changes experienced in business and technology. Accordingly, an ongoing method for the continuous review, evaluation, and refinement of the organization’s risk landscape must be in place.
Technical Note: In ServiceNow, Entities are considered “ever-green”, live records that can be manually or automatically updated as needed to correspond with changes in the operating environment.
The four-step process above can be used to map out your risk landscape in ServiceNow, providing an in-depth view into the characteristics and extent of current risk exposures. In a future post we’ll put the map we built today to good use, discussing strategies for navigating the journey from where we are now to where we hope to be.
If you would like help identifying your risk landscape or modeling out your systems, processes, functions and related risks within ServiceNow’s Risk Management modules, please reach out to info@lionwarellc.com.
Your success is our mission.