Reporting on risk to the board of directors: Finding the right altitude


Two ServiceNow leaders explore the approach of giving board members the right level of information when reporting on risk

The regulatory and compliance landscape has been an ever-moving target and is growing in complexity. Organizations are dealing with cybersecurity, data privacy (General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA)), third-party risk, and government contracts, to name a few. The complexity of providing governance over these critical areas has drastically expanded as organizations extend the boundaries of their environment to areas outside of their direct control.

This heightens overall corporate risk and exposure and has become a persistent topic among executive staffs and boards of directors. Take cybersecurity. A cyberthreat can happen anywhere within or outside the organization. As we’ve seen in recent news headlines, a single attack or breach can wreak havoc, resulting in the loss of revenue and goodwill, regulatory inquiries and fines, and stock price declines. Board members are asking what measures the organization is taking to prevent, detect, and respond to attacks and how it is abiding by regulatory and compliance requirements.

Ben de Bont, Chief Information Security Officer (CISO), and Andrew Wheatley, ServiceNow’s VP, Audit, Risk, and Compliance, recently talked about their approaches to reporting to the board of directors as they prepare for an upcoming Now on Now webinar, “Threading the needle - Presenting risk to the board of directors,” on Thurs., Sept. 19, 9 am PT/noon ET.

Ben and Andrew share insights
Ben joined ServiceNow as CISO in July; Andrew has been regularly reporting on audit and compliance to the board during his five years working at ServiceNow.

Andrew: Ben, on your second day at ServiceNow, you attended the board of directors meeting and saw our security, risk, and compliance update to the board. What did you think? Anything you would do differently?

Ben: The presentation had key elements necessary for a successful narrative: messaging was concise and relevant, structured to a common framework, and supported by the right level of data. When you can communicate risk consistently to a board, the narrative is more likely to be meaningful and resonate with the audience. This was very much the case in my first board meeting at ServiceNow.

Andrew: It’s easy to go deep into the weeds. We love data, so we like to talk about how many vulnerabilities we identified and how fast we resolved them or our compliance using controls. But the board really wants to hear about outcomes and trends so they can see the program maturing over time.

Ben: Andrew, I agree. When possible, the conversation should be kept at a high level to avoid us tumbling down a rabbit hole and dwelling on a single issue that eats up precious time. It’s important to stick to the key narrative, but have details ready in your hip pocket if needed. Introducing new initiatives or data can be tricky, so always ensure you have a consistent format, and understand your audience.

Andrew: I like that adage: know your audience. Our board members bring remarkable business acumen. They look at risk and compliance from the business perspective. We need to show them how issues impact the business as a whole and how we are protecting against risks. I want them to understand and validate our compliance strategy, raise their concerns, and then buy into our vision of success. We all want the same thing: for ServiceNow to be successful in managing risk.

Ben: I find that the most interesting comments often come from board members that serve on other boards. They bring those experiences that we can learn from. Security is an evolving landscape. We have to be ready to learn and adjust. I learn from board members as much as they learn from us.

Andrew: Dating back 5 years, reporting to the board was a heavy lift. We had to engage multiple stakeholders, align on data, determine what was relevant, and then prepare our presentation. It was a quarterly marathon, and always had a few last-minute sprint efforts. Ben, what has been your experience in preparing for the board in the past?

Ben: I learned the hard way that you need to find the right altitude for the presentation, then stick with it. Since board members come from other companies and bring broader experience, it's important to set the board content in a context that is applicable to our company.

Andrew: We have been working extremely hard to make our presentations clear, relevant, and timely. We also have the most success when we use a common vocabulary, common control framework, and common controls that address risk, security, and compliance. This is important regardless of whether we are talking about security, privacy, financial, or regulatory risk.

When we began using ServiceNow GRC and Security Operations, our preparation process changed dramatically. They give us that common platform for a consistent process and standardized reporting. We can share data that we view every day in our dashboards. Over time, we’ve seen the board’s confidence increase because the data is consistent and timely.

Ben: Having that common reporting platform makes preparing for the next board meeting much easier for me as a newcomer to ServiceNow. I want to be able to communicate the key narrative of our current state and our desired state and how these align with the company's business objectives. Reports that focus on outcomes are a much better way to reflect our progress and our successes and keep us out of those rabbit holes. Any other tips for the next meeting?

Andrew: Transparency is key. They don't want to hear that everything is rosy. They want an honest assessment of the progress we are making against critical priorities. They want to hear where we fell short as much as where we did well. Our data holds us accountable to that.

To hear more from Ben and Andrew, register for “Threading the needle - Presenting risk to the board of directors,” on Thurs., Sept. 19 at 10 am PT/1 pm ET. Register for this Now on Now webinar: Threading the needle - Presenting Risk to the board of directors.

Learn more about GRC at www.servicenow.com/grc
