ServiceNow, Inc. (NOW) Earnings Call Transcript & Summary

November 16, 2023

New York Stock Exchange US Information Technology Software special 57 min

Earnings Call Speaker Segments

Hassan Javed

executive
#1

Hello, everybody. Good morning, good afternoon, good evening. We appreciate you tuning in today as we talk about Now on Now, the ServiceNow risk journey, focus on our current journey but also looking ahead into 2024. My name is Hassan Javed, I'm the Senior Director with the Audit & Risk Operations team here at ServiceNow. I've been in the security and audit field for about 20 years and at ServiceNow for 9 years. The best way to think about my role is I help and enable and empower the various risks and compliance teams and the company to adopt and use IRM. I'm also joined by my two rockstars Ronnie and Vaishali. Ronnie, do you want to do your own intro?

Ronnie Tung

executive
#2

Sure. Thanks Hassan. Hey, everyone. My name is Ronnie Tung. I'm a Senior Manager on the Audit, Risk and Control Assurance Operations team here at ServiceNow. I've been here for a little over 7 years, and my team and I are responsible for digitally transforming our audit, risk and compliance functions. And a big part of that is implementing our integrated risk management products. But yes -- basically, spent my whole career within audit and risk, and I'm really excited to be here. Vaishali?

Vaishali Jain

executive
#3

Yes. Hi, everyone. This is Vaishali Jain. I'm a Senior Manager for Business Continuity Management. I oversee our crisis management, disaster recovery and also emergency response in business continuity planning. As Ronnie mentioned and Hassan mentioned, I also use our own BCM application to run our programs. So I'm looking forward to presenting our programmings case and what we do here at ServiceNow for BCM. Thank you, Ronnie, and back to you, Hassan.

Hassan Javed

executive
#4

Thanks, Vaishali. So let's jump into our agenda today. So we have a little bit of the old -- for those who've seen our prior IRM webcast. We have a lot of new to share. To help set the foundation, I'll walk you through our internal IRM journey and will show the different various functions that have adopted IRM across the enterprise and how we roll it on internally. From there, I'll hand it to Ronnie to talk about and show you some of the things we've done actually in FY '23. But I'm going to share some of the challenges that we had doing this at an enterprise scale. From there, Vaishali will talk to you about the work she's been doing around digitally transforming BCM and from the governance level, and also onboarding new programs. And lastly, we'll take a sneak peek into what we're doing for 2024 and then close with Q&A. So as many of you probably in the webinar right now, enterprises have a lot on their plate when it comes to dealing with risk. They're both diverse and they're continually evolving -- that can arise from different sources such as economic fluctuations, cybersecurity, natural disasters, regulatory changes and more, disruptions can manifest as financial losses, reputational damage, loss of customers or even have legal consequences. And one of the biggest challenges in the risk management is that tendency to handle risk mitigation and compliance in separate silos, and when risk and compliance functions operate in silos or independently, it can lead to a lot of inefficiencies and missed opportunities for synergy. In the silent approach, risk also have -- they have a chance to fall through the cracks and the organization may struggle to see the holistic view of risk around its landscape. So let's tell you how we broke down this silo walls and have an integrated risk management approach within ServiceNow. So we have multiple functions within ServiceNow using IRM. I think the count right now is about 14-plus. 
You can see there's 6 different departments and the functions above that have adopted IRM across ServiceNow. You can see all the functions in departments that spend across all the different C-levels such as the CFO, CIO and General Counsel. Each of the different departments have adopted specific IRM modules that are relevant to their program, if you can see on the bottom of the slide here. And as I progress through the slide, you'll start to see that a lot of the teams here and the functions here start using IRM in the similar areas to build out their programs and share the same space. This slide really leans into the I of IRM, the integrated part. Being integrated is a big focus for us here, a north star to connect those dots, and we really wanted to have that connected via risk across enterprise. And I know by looking at the slide, it looks chaotic, it is organized. And I think -- if you're wondering how we keep all these things in order, don't worry we got you covered. When I hand it up to Ronnie later in the conversation to walk us through the governance model. So how do we integrate technology with people and process? Regardless of the different areas such as domains as privacy, finance security, all these risk domains are pretty similar, they -- needing policies, controls, risk assessments, control monitoring, tracking [ business ] remediation. It's all the same language and there is a way to standardize this. Internally, we've been on this journey I think for almost 6 to 7 years now. We'll have a timeline slide after this to show you. And we had from a people and process and technology -- and we've had obstacles to overcome. For us, we had multiple sources of control initiatives, there were also different methodologies on assessing risks and issues in environments, our reporting to the Board was inconsistent, some of these domains were manual and not driven by systems. So getting the data was really difficult. 
So about 5 years ago, we sat down with the CIO, CFO and General Counsel, and we aligned our strategy of enterprise IRM. Then we really need to have that tone on the top set with them and we need to have a shared goal to have one process, one taxonomy, one system of record, and we're all going to lean in to make this happen. So we established that common integrated management framework with all these teams. One example I can point to is issue management process that we standardized across enterprise, across all these functions. So what that really means is across internal audit, security compliance, SOX, legal, whoever has to open an issue. It's the same form, same workflow, same SLA, same rating scale that we can be consistent in our reportings to our bosses internally, but also back to the Audit Committee and Board. So now we have the first, second and third lines all working together with the same information and sharing responsibility for managing risk. And we're all using the same information and the power of the platform allows us to do this. So let's actually get into the timeline of how actually we rolled this out internally. And before I dive into timeline, I just want to note that this is a pace that we moved comfortably with about 6 years ago, every company will have their own timeline and their own journey. We feel to use ours for inspiration and as a guide. We truly leaned into the crawl-walk-run mentality of rolling IRM out. We purposely did not want to boil the ocean with this. As you can see at the start of our journey, our first boarding use case was Sarbanes-Oxley, SOX. We built that foundation out with SOX by using the out-of-box capabilities, which are on the bottom left of the screen here, with self-service being on top of mind. And a big mantra of us internally is we strive not to customize and we focus on configuration. 
And what that really means from a configuration standpoint is adding deals, modifying workloads, low code, no code, which not only accelerate the speed of implementation, but the time to value we got with implementing IRM. It also enables us to adopt the features with every [indiscernible] we release, with little to no issues. From SOX, you can start seeing we onboarded the different risk domain areas such as internal audit, we got enterprise policy management in place, third-party risk -- vendor risk management, legal, business company management and security. Since we only rolled out the core capability to SOX, it was easier to onboard all these other functions and programs within IRM and demonstrate the value. By having these risk domains within IRM, this also gave us on one view of risk, on view of controls and one view of issues across enterprise, really focusing on that single source of truth. And from 2021 and beyond, we continue to roll out new out-of-box features, focus on automating controls monitoring and focus on automate control monitoring, new features and onboarding other areas of risk in the company. I'm not going to steal Ronnie's thunder and now I hand it over his way to show you what we've been focused on in 2023.

Ronnie Tung

executive
#5

Thanks, Hassan. So as Hassan shared, we embarked on our digital transformation journey, all the way back in 2016 with really just one use case, and that was SOX as Hassan mentioned. But even back then, we had aspirations that one day, could we provide a real-time visualization of our enterprise landscape of key risk performance indicators for all of our GRC programs at ServiceNow. This has really always been our north star and something we've always strived to achieve. And I'm really excited and proud to say that this is no longer an aspiration, but a reality for us today. One of the fundamental challenges that we encountered before and during our digital transmission journey was the ability to deliver important risk and compliance data to our management teams so that they can make better informed decisions. Things like accessibility, timeliness and accuracy of our risk and compliance data were key areas that we wanted to solve. And prior to digitally transforming and being on one platform, if our Chief Audit executive or Risk Officer, any C-level for that matter, needed information regarding any of these programs. It required a lot of collaboration and overhead in the form of meetings, you bring PowerPoint, spreadsheets and just to get that timely, accurate, up-to-date information to that individual. So there's just a lot of overhead overall, just to aggregate this information together. Diving a little bit deeper. So as shown here from one view, I can see the current state of affairs in real time. So whether we want to know more about how our enterprise risk and the issues program is moving along, and key data like are trending and emerging risk and issues to maybe how internal audit is performing against our annual audit plan. But let's say I wanted to pivot to know how our SOX testing is progressing throughout the year. From here maybe I have questions around the health of our BCM program. 
This view is really only made possible because we utilize the integrated risk management products, leaning on the integrated, so the I, which is on a single platform that is shared by the enterprise so no traditional integration needed. So on a similar note, this is actually our CISO dashboard, but being an enterprise software company, of course, security is always top of mind for us. So similar to the Chief Audit Executive and Chief Risk Officer dashboard, who wanted to provide that same experience for our CISO as well. So our CISO can easily now access data that provides insight into top risk indicators on the health of the security organization, these dashboards are made possible through the data that we mine and the different teams that use not just our integrated risk management product, but also our security operations products as well to manage risk security, and this really highlights the value we get when we use the products together. What we like to call at ServiceNow, better together. And another really important feature, just looking at this further is the whole accessibility piece I was talking about earlier is considering the audience of these dashboards are meant for, we know our C-level management teams are always on the go so accessibility is very important, and we have also enabled the ability to access this information from not just our laptops also from our phone via mobile. So whether they're at the airport, on the way to an important meeting, this data is available at their fingertips literally. And I'm sure some of you are asking, "This looks great, Ronnie, but let's be honest here, how big of an effort did it take to get to this point?" So as Hassan mentioned, we've been on this journey since 2016, so that is 7-plus years. But our journey was really based off of our people and our processes and ultimately the programs. 
And when they were ready to digitally transform, by no means does it take 7 years to get to this point, and everyone has kind of their own appetite. But maybe it's not so much how long it took, but rather how we're doing it. And one thing I want to share is kind of how did we build scale? How do we think about sale? And what does our structure look like today to support this vision. So this is our integrated risk management governance model. So I'll kind of walk through this model as a whole and then talk about the individual pieces to highlight the importance and the offer and the value that they bring. So one of the most important takeaways this year that we experienced was a need for enterprise governance and alignment as well as partnering intimately with our digital technology function, which I'm sure some of our customers, it's called IT [indiscernible] own company. And there are only so many resources that we have and frankly we're always drinking out of a fire hose just because we have so many different stakeholders to support. So it's really important for us if we wanted to digitally transform and make sure that we're supporting a global enterprise program approach, to established steering advisory committees, which were critical to providing that layer of governance so that we can effectively share the platform and get the most out of the different capabilities that each product allows. So whether we're talking about things like control lifecycle management to risk assessment methodologies to issue management or even consistent reporting. The model you see here is a culmination of just 7 years of experience and just also the different customer engagements that we have and learning together and benchmarking with one another. So starting from the top, we have our executive sponsors at the top. 
So Chief Audit Executive and Chief Risk Officer and Chief Compliance Officers are executive sponsors and I really can't stress enough the importance of having an executive sponsor to help drive and facilitate on at the top. Change always has a lot of resistance. And what we've realized is that when you want to build a global program, a lot of it is actually cultural. There's a lot of cultural changes that need to occur. So I'm being really intentional about that. So having that support is critical for momentum for honestly, any enterprise transformation, overall adoption and just new technology processes and adaptations. Next, we kind of move downwards. We have our Steering Committee, which is made up of executive leadership of our IRM stakeholders to drive strategy and vision at an enterprise level. This committee really set a direction and destination for the overall road map for the year. And we also then have the Business Advisory Board, which is what we call the BAD and they're really responsible for taking the guidance at the Steering Committee level and evaluating use cases and problem statements to address. One of the important functions that this BAD serves is that it gets all of our cross-functional business leaders together to prioritize the right projects and initiatives to work on based on an agreed-upon prioritization framework among all parties. So really depend heavily on this advisory board to help us determine what development efforts provide the best ROI for ServiceNow as a company. And lastly, but certainly not least, is the operations interlock with Digital Technology and Technical Advisory Board or what we call the TAB. And this advisory board is a sponsor for the [indiscernible] grooming, [ SPM ] prioritization and the nitty gritty development operations that are required. I would be remiss to not mention the importance of the changes we engaged for engagement with DT or digital technology.
We really wouldn't be able to make any of these efforts come to life without their partnership. And even though we sit in different organizations, we really see each other as one team, and that's what we always call ourselves. So one of the biggest changes that we made was the way we partnered with them. So what we did before was we -- really like from the DT when we had a technology need. But what we've been doing lately and something we have established full committee this year for embedding them in the planning process. So helping them understand what are our business objectives, what are the key results that we're measuring. The partnership with them is fundamental and it enables DT to be more effective as advocates for funding and support for things that we do. If you really think about it, DT or IT has already a connected thread across enterprise that we're trying to strive for a global enterprise program, embedding them so that they can kind of support us from the bottoms up and for us to drive down from the -- valuation top down, allows us to meet in the middle and being more effective as an enterprise. So everyone is probably wanting to know what have we done this year? And I'm happy to share and wanted to kind of talk about how we decide to [ close ] that. So I'm sure a lot of us are being like, "Okay, it's all technology oriented," but I really wanted to call out kind of like two main areas. So the first one is around our global IRM program. And how we're set up, right? We just talked about the governance model. But then there's also a couple of other communities that were set up to help guide us in making sure that we're standardizing, making sure that we have a [ economic ] taxonomy to make sure that we are really cohesive and harmonized across enterprise. So we really set up two governance committees this year. The first one is the Enterprise Risk and Issue Management Governance Committee. 
And what they do is help provide coverage and governance around all the different amazing activities that are happening from the different risk assessments to how the risks are rated and also from the issue side. And what it means you categorize a particular issue. So this really brings all cross-functional leaders together so that when we say one thing, we all mean the same thing. And this has been crucial. Something that we really learned and maybe our customers aren't necessarily there yet, but we're starting to have 14-plus functions and eventually, it's going to be the whole enterprise. So it's really important to be able to make sure that everyone is kind of on the same page for us how we use the platform. We also established an Entity Governance, which is super crucial to make sure that we don't have redundant information out there. So one thing that we ran to you is before this committee, I mean everyone is trying to do the best that they can. And when you go into to look at what are our different entities and processes and applications we could easily see something like 10 human resources entities and it makes it really hard to understanding like so what's the difference? Why we have different ones? But this allows us to be able to streamline and help everyone understand the kind of the rules of engagement on when to [ recruit ] an entity and make sure that we have very thoughtful energy structures, which will help us with our scale since it's the backbone of how integrated everything becomes. Also wanted to mention kind of the new and mature use cases that are kind of on board. So we onboarded the ESG risk and controls management. So this is going to help them be able to manage ESG risks around like their disclosures and being able to get a better assurance around the controls and mitigate those risks. We also have DT GRC, who have been using it so far, but we're going to continue to expand and more particularly in the continuous controls monitoring area. 
So how do we enable them to be able to leverage technology to provide real-time assurance and not just settle for that point-in-time assurance that we've all just kind of accepted as a norm. We're also working with the legal ethics and compliance where they're having a hard time getting a grasp of all the regulatory requirements and changes that are happening. So how do we help them to be able to do [indiscernible] for many to be able to scale and also leverage the amazing audit work that's happening across the different functions that might be in scope for legal. And then securities, you'll see they use everything, but we're continuing expanding out those use cases and building our automations to help streamline all the certification and audit work to be able to provide assurance for our controls. Coming to the technology side. We talked about it, the Chief Audit Executive, Chief Risk officer and CISO enterprise dashboards was a big win for us as far as visually and being able to get that information into our management's hands. We also overhauled our IRM commissions. So then I just want to touch really quickly on -- we do this once every couple of years. And one thing that is -- it actually is something that is a benefit that what we learned is that the platform grows with you. It's a very different orientation of nature compared to like a point solution you potentially buy because it's not a one size fits all, meaning the needs of today may not be the needs for tomorrow. So we have a platform that can actually grow with us and that's why we look at permissions because we have more functions. We want to maintain least privilege but also be very intentional about that. So we don't end up creating [indiscernible] silos. We also enable compliance risk and auto workspaces. So really moving closer to a consumer-grade experience, right? 
Something I talked about earlier is we want to help with the adoption of the different capabilities and what we learned is to not overlook the user experience, which often happens when it comes to enterprise software. So really working on that. And then we enable advanced risk assessments. This is going to allow us to be able to streamline a lot of the risk assessments that are happening with RCSAs and being able to tie all of that back into our enterprise risk and our enterprise issues. So we also reworked our issue management as well, which allows us to be able to, again, define a common language and make sure that we can house all of the issues that are self-identified so the ones that we find with an audit and then ultimately be able to find issue categories, which if you look at them standalone, they might not mean anything, but when you aggregate them together, they tell a different story. And then lastly but not least, and I'll spotlight this kind of in the next slide is our approach to control test automation, something that we really wanted to really dive deeper and leverage technology to see is there a way to be able to streamline the tediousness around control test automation. Yes. So this one is kind of the spotlight project for this webinar. And what I wanted to just share is kind of like a little bit of our story and where we're at today. So control testing is something that we have to do across the enterprise every single year, is very repetitive, it's tedious, you have to work with the business to get evidence. And a lot of the time, most of the work isn't around auditing, it's actually just work -- different construction. So today, at ServiceNow, we have a total of 84 RPA bots. So for those who don't know, RPA, it's a Robotics Process automation, it allows us to be able to leverage bots to basically work on things that are repetitive, that have a structure and isn't likely to the change, which is perfect for control testing. 
So despite the misconception that RPA is typically more playable within like the financial organization or the finance organization and also financial processes, that's actually not the case here at ServiceNow. So audit, risk and control transaction is a total of 36 bots of the 84 that represents 42% of all bots deployed at ServiceNow. And the split is really 20 IT control, 16 finance controls, and we're continuing to expand every single year with another 15 that we plan to deploy this year -- or sorry, in FY '24. So in total, we saved 1,551 hours since the inception of this program and there's been a lot of really key benefits. So I think the first one is just employee satisfaction and retention, something that we actually didn't think would be that big of a deal, but it actually was because what we realized is that our auditors spend a lot of time just dealing with menial task, an overhead around getting work with the [indiscernible] together, asking for evidence all the time, following up with those things. And it was just a big overhead when we had the test control so when -- we use bots to actually automate all of that now. The bot can basically work overnight when the auditors are asleep. They can go into different systems, pull all the screen shots and evidence, create a workbook and a cover page, fill and document those things, and establish the criteria there and then be able to have that ready for the auditors when they come into work. So it really removes a lot of the overheads so that it enables auditors to audit, what we hire them to do, to use their expertise. Those other two areas that we really want to address was the aggressive deadlines that we've always had and just the pressure that came with control testing and meeting those deadlines. So this allowed us to be able to really work around the clock. So the auditors can work in their working hours, but the bots can do their thing when they're sleeping.
And bots are -- operate error free so the things that humans might not be good at, which is a repetitive task because we always just try to find shortcuts just naturally, bots don't do that, you tell it what to do, and it goes and executes. So these are just some of the highlight examples that I have for RPA. And I'm going to hand out to Vaishali to talk about the BCM program and the digital transformation there. But before that, Vaishali, I think you have a polling question for the audience. Is that correct?

Vaishali Jain

executive
#6

I do and thank you, Ronnie and Hassan. Such a great presentation, giving an overview of IRM. And I know that we work together and we implement these solutions. But every time I see this presentation, I know that how long -- what a long way we have come. So thank you for the presentation. I am going to pick up the polling question. I'm trying to -- do you see the polling question on your screen? All right, looks like -- Ronnie, do you mind, clicking -- Okay, looks like it's on. Hi, again. This is Vaishali. I manage ServiceNow Business Continuity Management program. Before we begin, I would like to understand which area of residency of business continuity management, do you oversee or work with? Is it business continuity planning, IT disaster recovery, crisis management or everything under the umbrella? And I did see a question pop up saying what is business continuity doing in governance, risk and compliance but answer as we go in the presentation. [Voting]

Vaishali Jain

executive
#7

All right. As you're answering the poll, if you have any questions, again, during today's webinar, [Operator Instructions] if we don't answer your question live, we'll answer them after the webinar. You can access and download resources from the panel at the bottom of your screen. Also, we'd appreciate if you could please submit the survey at the end of the webinar. All right, let's see the poll results. So it looks like, we do have a lot of people from the business continuity planning pillar. So that's good news, we will be covering that in the upcoming slides. All right. Ron, do you mind moving to Slide 23 for me? Looks like I'm not able to do it live. Thank you. All right. So today, I'll be talking about the ServiceNow's Business Continuity Management program, or BCM as we fondly call it here at ServiceNow and how we have built it to enhance the [indiscernible] posture. Ronnie covered IRM and dashboards and here at ServiceNow, BCM is an integral part of IRM and risk management. As BCM is an incredibly important topic, especially for a public company. Time and again, the business interruptions are highlighted as the most significant global risk and our BCM program is strategically built to manage disruption risk and provide a seamless service experience to our customers as they rely on us for different business requirements. Our [indiscernible] framework consists of four pillars, as you see from right to left, emergency response, crisis management, business continuity planning and disaster recovery. I do see that we have a lot of people here from business continuity planning pillar, and we do a lot of work in under that pillar, I will cover that. And these pillars are essential for our planning response and recovery process and form the basis of our BCM program activities. For example, the emergency response is all about managing the safety and security of our people and locations, which is our most important asset. 
Crisis management is a strategic response to incidents of global events that could impact the ServiceNow's people, customers, location of [indiscernible] of brand -- this continuity planning is all about identifying and planning for our critical functions, responsive and recovery and what keeps the lights on. So we do a lot of business impact analysis, planning and exercises under this pillar. Disaster recovery is planning and managing the recovery of a critical technical asset that is [ viewed ] our infrastructure, service and applications supporting the critical functions in operating. Again, this term is very commonly used in an industry where sometimes we just call it business continuity, we just call it disaster recovery or everything under the umbrella might be called business continuity planning. Here at ServiceNow, as I showed you that we have four pillars where the response can be end-to-end, we can cover the strategic part of it, the technology part of it, the business function part of it and most importantly, the people part of it. In most of our organization, these aspects are either managed by the security IT groups or risk and sometimes communications, especially the crisis management pillar. Here at ServiceNow, we have streamlined it under one unified BCM program office for a standard enterprise process. So once we align the BCM framework, we build out the processes that we needed to support the program such as business impact analysis, plans, testing and exercising for recovering strategy. So plans testing, exercising is common for crisis management or disaster recovery or emergency response. BI is unique, our business impact analysis is unique for business continuity planning. Getting to the next slide, given the scale of these activities, our next organic step was to digitize these processes into a single BCM tool. And fortunately, we didn't have to look far because we were able to use our own platform for the automation. 
And as Hassan mentioned on his slide that integration is the north star for us, that stands true for every part of business which we do and similar for business continuity management. Let me briefly walk you through our journey. Before we implemented a centralized program and tool, we faced so many challenges. Our business continuity response was reactive and inconsistent. For example, prior to the program or technology being in place, we had activated for a hurricane response in Florida. And it took us significant time to zero down on the response strategy, identify the recovery procedures and communicate to the right team. We were building the response as the event unfolded and that resulted in confusion and communication delays. We were using shared folders, word documents and e-mails for the response, which was both time consuming and created uncertainty during the event coordination. And on top of that, most of our business functions were managing their version of plans and response documentation in their own silos. It was extremely hard to track these plans during the activation and again, during the release cycle because we did not know whether they are posting it, how they're updating it, what is the standard [indiscernible] or the required documentation or section in the plans. So it was chaos. To say the least, we were feeling the [ strain ] of the manual process and realized that it was time to transform and automate our BCM program. It was a 2-part process. First, defining the BCM program framework and processes that we just reviewed, the 4 pillars and the processes under those. Second, most important, automating them using single BCM rule running on our platform. So on the next slide, you will see how we digitally transformed our approach. So I shared the previous confusing state of our program and how everything was disconnected and resulted in a slow response and recovery. 
But once we built out our program framework and initiated our digital transformation, we saw the benefits instantly. One of the biggest advantages of using our own platform was that we were able to integrate and bring in the planning data from different validated sources, which ensures that people planning against the right parameters, most important, even short consistency and accuracy in our process, which reduced the response, confusion and communication delays. For example, now if there is a hurricane, now we get a lot of hurricanes not just from the East Coast, we get it from the West coast too. And there are complications like hurricane creating a wild fire in Hawaii. But before I digress to the crisis and global events in the world, let me come back to the example. Now if there is a hurricane, we activate one standard plan using our BCM application, which infuse valuated recovery procedures, current team rosters and other relevant asset plans. We are not referring to multiple sources of figuring out our response on the go, finally. Now we are able to manage the business continuity events more proactively at the enterprise level, and automation also helped us in building real-time dashboards and reporting for business units and our leadership. I will talk about it more in detail in our upcoming slides as we go on the next slides for the lessons learned and tips to begin the journey. This slide is all about what we learned when we were building the program, when we were building the technology, going on that digitization road map. So first of all, we mapped our BCM processes on a maturity scale of 1 to 5 to understand the current and future automation requirements. We were not going to boil the ocean. Prioritizing the use case was important for us as we didn't need to boil the ocean and wanted to focus on the most important use cases to begin with. We also opted for configurations instead of customization. 
As Hassan mentioned during his slides that these trials for configurations, we don't strive -- we don't want to create any solution, we wanted to use most of the out-of-box features instead of building a brand-new tool or solution. I can't emphasize on this much, but having a single source of truth for consistency and clarity was super important for building reliable recovery plans. For example, if you're calling out a critical application dependency in your business impact analysis or plan, I -- we should build the recovery plan for the same application. For that the two plans need to refer to the same record in the system, not two different sources, it brings consistency in the process. The last point about working with our cross-function stakeholders is also very important because you don't want multiple instance of the same tool to be in place. For example, IT might be developing a similar tool for hosting the recovery plans, which can be easily hosted in 1 BCM application. And you will hear me talking -- saying unified, one, integrated a lot because that really heads our process. So yes, plans -- IT might be saying or might be working on a similar instance of the application, that can be easily hosted in 1 BCM in application alongside the business continuity plan, maybe all it means is a simple template update or more, but that needs to be discussed first. All right, let's go to the next slide, and let's see some results now. As a retail program owner, the dashboard feature is probably my favorite, and this helps in getting a real-time high-level view of the program activities. We were also able to update the dashboard by personas, which was helpful for the business function and leader. And we were able to see a summarized view of the planning activities such as business impact analysis status, recovery gaps, spending review. And we could filter the dashboard by different personas. 
So whatever amount of information, however summarized you want to see it, that can be configured in the dashboard. We are also featured in our Chief Risk Officer, dashboard, which Ronnie flashed when he was talking about it, so that our leadership have a better visibility into our program activity. So on the next side, you'll see our chief -- our featuring of the continuity on the Chief Risk Officer dashboard. And since BCM is under risk and it is an integral part of risk, we want to each try to provide all the end-to-end information to our leadership to make that risk-based decision. Our Board and Audit Committee expect us to stay on top of our -- top enterprise risk and issues because all of our data is in one shared platform, I am able to see a view for the BCM program office and present it to my leadership. The beauty is I can also drill down into the BCM [ stack of ] items on the dashboard. For example, I can drill down into how many plans are in compliance or how many exercises should we perform in that quarter, all reflecting on the effectiveness of the program. The last slide, on this slide, you will see -- on the next slide, you will see the quantified value outcome. This is one of my favorite slides. If you can go to the previous slide, please, for the BCM program. Thank you -- the metric slide, the quantified value outcomes for my program. Let's talk numbers because we all know that it is one of the most impactful way to showcase the intense work we do in our program. So we were able to move away from shared folders, Word documents and Excel sheets to automate 85% of manual program tasks. We relied heavily on consulting firms to help us with that. Since we were relying on the consulting firms that -- they don't come in cheap, they're expensive. We have to do the project. But then -- so we were doing a lot of BCM projects as they were manual and time consuming. 
By digitizing the process using our platform, we were able to automate a lot of these activities and perform them quickly and more frequently. So you'll see the numbers claiming that for us, at least internally. We use the documentation from the tool to address around 31 customer-related audits and proposal requests so far in the year. So we host all of our business continuity plans, BIA exercises in our tool and we make sure that we have [ audit trail ], we are updated them in time with the cadence which aligns with the policy. And we use those documentation to present to our customers and to provide an evidence so that they know that we have all this in place. We have also performed around 4 disaster recovery drills for our platform recovery and conducted 38 site risk assessments for our critical facilities. So that was the highlights for our BCM program and I'm happy to answer any questions you might have at the end of the session. Ronnie, back to you.

Ronnie Tung

executive
#8

Thanks, Vaishali. So I'm going to just talk really quickly about these 4 tiles here, which is kind of a -- our key performance indicators or our top benefits that we've realized since we've been on this digital transformation journey. So the first one on the top left is really our common control framework. So one thing that we're struggling with before being on this journey is getting our arms around just all the different individual citations from the numerous regulations and frameworks that we align to. So we have over 35 regulations that are currently in scope today for ServiceNow because we do business globally, and that has a total of over 5,000 different individual citations. So managing just the 5,000 was quite a task. And what we've done is been able to really follow the mantra of view once and count for many, which allowed us to be able to take these 5,000 plus individual citations and make them into 130-plus common controls. So that's where -- this is how we scale, this is how we are able to understand the different adaptations that may need to happen when there is a regulation change. But it makes it much more scalable. Moving on to the right-hand side. We also are really looking at how do we really build a more resilient enterprise and something I mentioned earlier was about just kind of the norm of accepting just point-in-time assurance, and we've been able to leverage indicators and RPA to be able to provide us real-time assurance. So leveraging the platform, we're able to actually single out event-based alerts and continuously monitor the performance of a control, whether it's something like configuration or access management, it's just allowed to be able to monitor these things and utilize technology to be our eyes and ears on the floor. One thing that has also been like a huge efficiency gain is around the control testing aspect, right? 
So we've automated the evidence gathering of over 300 controls, and this has allowed us to be able to achieve 50% faster control testing because of that. And what I really mean by that is a lot of the work is around looking at the control, asking for a source documentation, following up when there are questions, that takes time and you have to keep a list. So what we do now is we also leverage our indicators to go out and collect that evidence for us. So now it's really just when an auditor is ready to test the control, they can self-serve and pull the evidence that they need to be able to test that control, which has really reduced just the overhead around control testing. And then lastly, but definitely not least, is just the overall dollar state. So since we've been on this journey, we continue to update this. But with the real-time dashboard, the monitoring and the different workflows that really brought harmony across the enterprise, it's really streamlined our processes and eliminated a lot of unnecessary overhead, resulting in $2.6 million of money saved annually and 36,500 hours per year. So this is just kind of a -- we have a lot more metrics as well that we can share. So yes, I wanted to also just jump in really quickly to talk about looking ahead into IRM for 2024, what's top of mind for us? So we're still in the planning but I want to be transparent. So we haven't solidified this time. But what I can talk about are the themes. So at the very -- from going left to right. So integrating generative AI, this is something top of mind for us. This is an extremely powerful technology here that -- and we have some dire use cases where we feel like Gen AI can really bring all of that information together and get it to you with the agility that we're looking for and the effectiveness that what we're looking for. So one of the top use cases around enterprise risk assessment. So we conduct over 600 plus risk assessments every single year. 
It requires a team of people to look through all of that information and be able to gather themes, insights and summarize information. And it's a tedious task. I mean it is a team that literally does this. So we can leverage Gen AI to actually be able to look at -- look through Zoom recordings, being able look at notes and be able to actually view the [ inside ] summarizations for us. So that's top of mind for us on what we want to tackle for next year. We also want to look at things like control modifications. So there's a lot of regulations out there. There's a lot of internal control requirements. But if you look at the end of the day, the core data is, it's the same thing. It's just different flavors. So how do we -- or how are we able to manage our con control framework and look at control modifications and the downstream and upstream impacts of that. And we think that Gen AI will actually help us move the needle on being able to manage that better. And then last but not least, we also want to focus on audit activity summarization, whether we're talking about generating an audit report from all the work that we do within the engagements to maybe either proposing issue recommendations on issues that we have identified with an audit. We want to leverage Gen AI to be able to help us start off not just from scratch, but from an actual foundational perspective. Moving to RPA. We'll continue to expand RPA and integrate that even further into IRM. What we're really looking at this is within audit management flow, right? So where we kick off control test, how we bring in the outputs from RPA into those control tests so that we have a seamless end-to-end experience for our auditors. With BCM, we're looking at automating the entire value stream of recovery costs, not just looking at just different applications. So what we are working on this year is we're working on embedding Microsoft Azure, but we're going to be looking at it in its whole totality. 
And how do we be able to deal with all the complexity of the different recovery tasks in the chronological order of things. Control monitoring, we'll also continue to expand to continuous control monitoring and lean further into looking at real-time assurance and being able to manage risk real time. And then last but not least is GRC. So we'll continue to enable and onboard our different GRC programs to build a true global enterprise risk and compliance program, and we'll continue to assure insights in our journey with all of you. But Yes, that's the presentation for today for our webinar. And I just want to just talk about our Now on Now program. So for those that are not familiar with our Now on Now program, it is a program where we internally at ServiceNow, the teams connect with our customers. So it's really a session for our customers where they can meet intimately and understand the different [indiscernible] case questions that they have and then helping them out with their digital transformation journey. We do hundreds of these every single year. And it's really a great session where we can benchmark and share ideas and share our challenges and help each other together kind of in locked arms to get the most out of the platform, so if you have any interest in leaning further, you can come with literally any questions at all, feel free to reach out to your account exec and request an Now on Now session for us. But with that, I'm going to move into the Q&A portion of this presentation.

Hassan Javed

executive
#9

Great. Thanks, Ronnie. Thanks, Vaishali. So yes, thanks, everyone for -- in attendance who are sending over the questions. So we'll take some of those live actually now. One of the questions that was asked early on was -- and I'll just start with these and then Ronnie, Vaishali if want to add in. But in what order did you stand up these various governance committees? So again, we've been on this risk journey and within IRM for the past 6, 7 years now. And at first, it wasn't too bad because it really just was internal audit and SOX really using the system. And then as we onboarded other domains, they saw the need for more governance as we mentioned that. I mean, just in this past year from last year to this year, we had 80% growth on functions we onboarded, such as IT governance and disaster recovery -- corporate disaster recovery. ESG is one of the new players in the field that and they have risk and controls they want to onboard as well. So we're onboarding continuously new risk domains. But I would say the governance slide that you saw, Ronnie, pop up earlier, that was really established about last year, I would say. And then we saw the writing on the wall. We were like, "Okay, we know where this is going. We're going to have a lot of teams onboarded. We need to build something in place to keep sort of all this in order, right?" While we can share the house together in IRM. We want to make sure everyone plays nicely together, right? That somebody is on going off and maybe modifying a workflow or control form or issue form that may impact all these other teams. So that got us to have that governance structure. But behind that structure, which Ronnie also mentioned was, we have other subcommittees. So we have an Enterprise Risk, Enterprise Issue Management Committee that meets every two weeks. And that goes through the process of issue management, risk management, and I joined that meeting, and there's also some technology aspects they need. 
And that's where we join that meeting and then we know doing that talk that all those functional leaders across security, IT, legal, internal audit and so on, they agreed on the process change, which also means they agreed on the technical changes and that's where Ronnie and team will go work to -- work with IT to get that deployed. We also have a committee where actually onboarding is pretty soon about controls framework. So we have a lot of controls around SOX, ESG, common control, the security, legal compliance. We're starting -- this is something for next year that we want to also start bringing together all of the functional leaders to talk about controls and how we can connect all this together and not have overlap. So Ronnie, sorry if I missed -- did I miss anything there?

Ronnie Tung

executive
#10

Yes. I think -- so there isn't necessarily like a chronological order, but what we really wanted to address was just a couple of things. If I had to summarize. So the first one is just around making sure that we are working together and we're playing nicely within the same platform. I think everyone, when it comes to growth, oftentimes structure and alignment is compromised, and this really just allows us to be able to make sure that we're doing things and not at all costs but with the right mindset. So we establish like the very top at the exec sponsor level, and that really drove out some of the other things that we're looking for. So we need an executive sponsor but also talking about things like how do we prioritize things because there's always a compelling reason to work on things every single year, but how do we drive those right priorities. But then also, how do we drive that integration with the actual technical team who make it happen, right? So it was a little bit in parallel, but I think establishing kind of the tone of the top and the need really drove what committees need to come first. And they all kind of came around the same time. I think in the beginning, we continue to expand on then add a little bit more -- add more committees just to be able to flesh it out just a little more. But yes, I think it really starts with the executive sponsors, the Business Advisory Board and the Technical Advisory Board.

Vaishali Jain

executive
#11

And I just wanted to add to that from BCM perspective, that's all true, it all starts from the strategic level. We refer these committees whatever you mentioned. But for our program, we also have a BCM Steering Committee, where we discuss on a high level and strategic inputs from these people and also around technology like what to prioritize as we've been seeing the team not to boil the ocean, let's prioritize what is important and focus on that. And we also integrate with some of these committees from our program, yes.

Hassan Javed

executive
#12

Yes, exactly. I think the messaging here is always be communicating and talking to each other. And then, of course, that inherently will translate over to the platform in IRM and getting everything you need to focus on running your program. So one of the questions also -- we have a couple of questions come in around RPA, Ronnie, around -- a good example, what is a use case? We can maybe talk in more detail about RPA that we deployed and also the indicator functionality and working in coordination with bots.

Ronnie Tung

executive
#13

Sure. Yes. No, that's a really good question. So I think I can talk about the differences between the two and how we use them, and then I can talk about the actual example -- the RPA bot examples. So yes, really good call out. There are indicators in the RPA. And even when we looked at both of these different technology approaches, there is some overlap. But I think there's a big difference between the indicators as well and RPA -- with RPA as well, right? So from an indicator level, how we use indicators is really more for continuous controls monitoring so making sure that, let's say, we have a control around configurations, we can leverage indicators to monitor that those configurations are still intact. And if any changes happen, it will notify the control owner. So that's much more of a kind of a schedule-based alert system. So it really -- and we're really looking at it to not just gather evidence, that's kind of like the crawl step. But really, the run step would be -- this will actually change the landscape of the control. So instead of just looking at something when an event happens, we can actually say, we leverage an indicator to actually be the control itself to make sure that we're mitigating those risks. So that's how we're using indicators and we tie it back to the control. So it's really around like control performance and evidence gathering. On the RPA side, what we've been using this primarily for is actually creating the work papers when it comes to testing and control, going in and gathering the evidence, being able to create that cover page, build a document, what you're testing and all the attributes of the testing. And then being able to like redline things and draw even conclusions, right? So it really puts all of the overhead around control testing, so I get -- the tedious nature of that. And the bot does it for you. So all the auditor really has to do is come in and review the work. 
This is very graphically different than their experience now, which is you have to go in, they have to talk to the business, they have to actually create a workbook, they have to create cover pages from scratch. There could be errors, they're having a hard time getting into systems to get screenshots. So there's just a lot of back and forth that we've been able to eliminate by purely just using RPA to be able to streamline this, and we'll continue to expand on that. But yes, there is a valid use case for indicators and there's a valid use case for RPA. But I think it's important to acknowledge that there is some minor overlaps, but the advantages of both really separate those two out.

Hassan Javed

executive
#14

Great. Thanks, Ronnie. So I mean, just -- I think we have time for one more question. But one of the questions was around how much of these features that we talked about today are in the current risk use but also which are upcoming at Washington and beyond. So I can start, and Ronnie, Vaishali, if you want to maybe chime in from your side. But a lot of what you saw today actually is already out. It's current functionality across the workspaces, advanced risk management and all of the work that Vaishali talked about, BCM. These are kind of functionality within the current SKUs. One of the things I wanted to plug was the Chief Risk Officer, Audit Executive dashboard and also the CISO dashboard, that's also available. So if you go to the ServiceNow App Store and just type in Chief Risk Officer dashboard in the search, it'll pop up, it's actually part of our Innovation Lab. And you actually -- if you have IRM implemented in your company, you can actually install that dashboard to configure it your view. But you're probably going to have different metrics you want to track. The CISO dashboard is also available for you to download there. And I would love for you to download it and love to get feedback from you all, what you think about it and how we can make -- possibly enhance it as well. But I know we have a lot of cool features coming out in Washington as well that we didn't talk about today, but I don't know, Ronnie, did I say everything correctly there?

Ronnie Tung

executive
#15

Yes. Nothing to add.

Hassan Javed

executive
#16

Sounds good. So I think at this point, we have run out of time. So we're going to continue to move on and do the close out. And of course, we're always here to reach out if you have any additional questions, we'll get those answered offline as well. We also can do -- another plug as we do a lot of Now on Now sessions for customers. So we're happy to sit down with you all and do a deep dive into any particular topics from enterprise to business continuity management, security compliance, legal compliance, anything in risk, what -- we'll have to talk to you more about.

Vaishali Jain

executive
#17

Thank you, everyone.

Hassan Javed

executive
#18

Yes. I believe I have two more slides to cover just to close out. Yes. So thanks everyone, for joining today. If you have been able to join us in the Knowledge conference in 2023, this year. We do have all the current recordings that you can go on and register and get that experience. And if you want to join us next year, with the next slide I want to plug in that Knowledge '24 is also in Vegas if you want to join us live, it is around May 7 to 9 in Vegas. So we would love for you to join us. I will be there, too. If you want to -- again, maybe you want to talk about -- live about risk from Now on Now standpoint, we'll be there as well. And lastly, the last slide, all the webinars you saw just -- the one today and several other ones we have put in place, gives a direct link to them to go, rewatch the recordings. I think we've got a couple of questions in before we're able to see the recording as I share the link out. You can go to this and get our recording from there. But again, thank you so much for joining us today. I really appreciate it. Reach out if you have any questions, and have a good rest of your day.
