The Total Economic Impact™ Of ServiceNow Integrated Risk Management

Accelerated Root Cause Analysis For Loss Events

Evidence and data. Interviewees said that before implementing ServiceNow IRM, RCA investigations for operational loss events were highly manual and time-intensive. Risk and compliance teams often gathered incident details, control information, and supporting evidence from multiple systems, spreadsheets, and email threads before they could determine the cause of an event. Several interviewees said RCA investigations involved coordination across numerous stakeholders, which slowed investigations and delayed reporting to governance teams.

Interviewees also reported that compiling RCA reports required significant manual effort. Analysts frequently assembled evidence packets, consolidated investigation notes, and prepared summaries for leadership using data exported from multiple tools. This process made it difficult to quickly identify recurring risks or systemic control issues.

Interviewees said that after implementing ServiceNow IRM, RCA investigations became more efficient because incidents, risks, and controls were connected within a single platform. Automated workflows guided investigators through RCA steps, while having direct access to connected incident, control, and operational data within the platform (rather than manually extracting from external systems) reduced the effort required to compile investigation results and share insights with leadership.

• The VP of risk and control management in financial services explained: “We’re running a loss event program on ServiceNow IRM that, for a bank of our size, would typically require 15 to 20 people in the second line and potentially hundreds in the first line. But we manage it with just three. The efficiency comes from IRM’s standardized workflows and system of record, amplified by a handful of targeted customizations we built on top.”
  The interviewee continued: “One of the benefits of moving to ServiceNow IRM is the loss events module; we’re basically hands-off at this point. I fully automated our external loss data program, so I don’t touch it anymore. We have reporting and decisioning through business rules and logic, and most of the process runs automatically. The only manual thing we really do is adjust the date. Everything else sits on top of the data with dashboards we review monthly and quarterly for root cause analysis. We now do about 95% of our reporting directly in the platform.”

• The director of product development in financial services shared: “We used to have a centralized issue management team handling all the coordination work. After moving to ServiceNow IRM, the system manages the workflow and automatically routes tasks, which allows our team to focus on analyzing incidents and compiling RCA reports instead of managing manual handoffs and status tracking.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

• The composite organization experiences 30 loss events per month that require formal RCA investigation.

• In the prior environment, teams spent 40 hours per loss event on RCA investigation activities (e.g., evidence collection, timeline reconstruction, control analysis).

• With IRM, the composite reduces the time spent on RCA investigation by 30% in Year 1, by 45% in Year 2, and by 50% in Year 3.

• Prior to IRM, risk and compliance analysts spent 4 hours per loss event on RCA reporting and data aggregation tasks (e.g., assembling evidence packets, compiling metrics, preparing summaries for governance stakeholders).

• With IRM, the composite reduces RCA reporting and aggregation time by 60% in Year 1, by 75% in Year 2, and by 80% in Year 3.

• The average fully burdened hourly rate for a risk manager or RCA analyst involved in investigation work is $67.

• The average fully burdened hourly rate for a risk and compliance analyst who performs reporting tasks is $60.

• For this benefit, the composite has a productivity recapture rate of 50%, which means resources spend half of the saved time on activities that generate business value, but not all reclaimed time is dedicated to value-added work.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

• The volume of loss events that require RCA.

• The time required to conduct RCA investigation and reporting activities in the prior environment.

• The degree of automation, workflow orchestration, and data integration achieved with IRM.

• Fully burdened hourly rates for risk managers, RCA analysts, and risk and compliance analysts.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2.5 million.

Faster Control Lifecycle Management

Evidence and data. Interviewees explained that before using ServiceNow IRM, their organizations faced significant delays in executing, monitoring, and reporting on controls across business units and divisions. Control owners spent substantial time manually gathering evidence, performing assessments, and preparing reports, while senior leaders dedicated extensive effort to reviewing and attesting to controls. These delays created bottlenecks where controls were ready to be assessed but remained unverified, which slowed overall control lifecycles. In some cases, organizations struggled to complete assessments on schedule or had to defer attestations because of disconnected systems and time-consuming manual processes. Interviewees said these inefficiencies limited organizational visibility into compliance and audit readiness and delayed risk mitigation and remediation.

But they said with ServiceNow IRM, their organizations accelerated control assessments and reduced the time required for leadership review and attestation. Automation, centralized evidence, and standardized workflows allowed control owners to execute and report on controls more efficiently, while senior leaders gained the ability to review and attest to controls faster. This freed teams to focus on higher-value activities (e.g., risk analysis, process improvements, compliance strategy planning).

• The CISO in media explained: “Our organization is very widespread and complex. We wanted to take an asset-based approach without merging all our CMDBs (configuration management databases). ServiceNow allows us to manage business and technology contexts simultaneously, as it automatically assigns relevant controls based on the assets users provide. This lets our teams focus on building and maintaining inventories, running assessments, and following up on risk responses while the tool supports the process without burdening them.”
  This interviewee further noted that ServiceNow also transformed how their organization executes and verifies controls at scale: “We launched a large, organizationwide security initiative to help our entities understand how to protect their applications and cloud services and to verify that what they claim is implemented is actually in place. Because the approach is so systematic, we can follow up consistently across the entire organization, but this is only doable with ServiceNow. Without it, we would fall back to a much more blunt, inefficient, and likely ineffective approach.”

• The product owner of risk management in food and beverage shared: “We used to detect configuration and application control noncompliance in one system and then raise issues in another. A team reviewed results and created issues manually, which could take days, weeks, or even months. Now, when a control noncompliance is detected in the platform, an issue is created immediately and assigned to the right owner. The time from detection to remediation has dropped dramatically, and that’s a major benefit.” They continued: “We now perform far more control assessments in ServiceNow IRM than we ever did in our scattered tools, which gives us greater risk coverage. So, while the volume of issues has increased because we assess more controls, IRM gives us much better visibility and structure around managing them.”
  This interviewee also highlighted how consolidating control monitoring and issue management workflows further improved efficiency: “We previously used another tool and monitored controls across many systems. With IRM, we’re consolidating that footprint, and over time we expect it to decrease further. As integration tightens between control assessment and issue management, we anticipate needing fewer people to review controls because issues will be routed to the right owners the first time. … Now that the process moves faster, the team can focus on higher‑value work. They support operating companies and global functions to remediate issues, explain potential mitigating controls, and help close items more quickly. [This is] support they simply couldn’t provide before.”

• The VP of risk and control management in financial services said: “Manual attestations used to take two to three days because senior leaders had to wait for reports to be compiled before they could confirm the data. Now they can review the information directly in IRM and complete their attestations in minutes, which allows them to save several hours each month. Committees across the organization experience the same improvement. The information is always up to date, and the manual compilation work has been eliminated.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

• The composite organization manages 1,100 controls in Year 1, and this number grows 5% YoY.

• Control ownership is distributed across the organization, with each control owner responsible for three controls.

• In the prior environment, control owners spent 8 hours per month per control preparing, performing, and reporting on control assessments.

• With IRM, the composite reduces the time spent on control execution and reporting by 50% in Year 1, by 65% in Year 2, and by 70% in Year 3.

• Each year, 100 senior leaders are required to review and attest to a portion of controls. With IRM, the time they spend on this is reduced by 35% in Year 1, by 50% in Year 2, and by 55% in Year 3.

• The average fully burdened hourly rate for a control owners is $77.

• The average hourly rate for a senior leader who performs attestations is $120.

• For this benefit, the composite has a productivity recapture rate of 50%.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

• The number of controls in scope and the distribution of ownership across the organization.

• The time required to prepare, perform, and report on control assessments in the prior environment.

• The frequency and complexity of senior leader review and attestation activities.

• The degree of automation, workflow standardization, and evidence centralization achieved with IRM.

• Fully burdened hourly rates for control owners and senior leaders who perform assessment and attestation tasks.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2.4 million.

Audit Preparation And Evidence Collection Savings

Evidence and data. Interviewees reported that IRM automated key audit preparation and evidence collection tasks, including gathering documentation from control owners, consolidating evidence from multiple systems, and preparing structured workpapers. Centralized evidence management, automated collection of control results, and standardized audit workpapers reduced the manual effort auditors previously spent preparing for audits. Interviewees said that as a result, internal auditors gained the ability to complete routine audit preparation faster and dedicate more time to higher-value audit activities (e.g., reviewing trends, validating control effectiveness, supporting risk analysis).

• The VP of risk and control management in financial services said: “We recently went through an extensive audit, and the difference with IRM was significant. We replaced all of our manual spreadsheets and checklists with a virtual task board, so auditors no longer ask us to upload files, email evidence, or track who signed what. Everything is captured in the platform, and the steps are embedded directly in the workflow. It’s a much cleaner audit trail, and the auditors called out how efficient it was compared to our old process.”
  This interviewee continued: “Before implementing ServiceNow IRM, our team spent a day or two each month on administrative tasks: downloading checklists, saving files to a repository, validating completion, and answering follow‑up questions. With the volume of work each month, this added up quickly. Now all of this work is automated through the task board, which provides auditors with complete, up-to-date evidence without chasing documents. This significantly reduces the time internal auditors need for audit preparation.”

• The director of product development in financial services reported that prior to implementing ServiceNow IRM, their organization hired approximately 400 contractors for six to seven months each year to support manual audit tasks. But they said with IRM, these activities are fully managed internally, which eliminated the need for external consultants: “We no longer bring in third‑party consultants to complete audit work. Now that everything is centralized, exportable, and easy to report on in IRM, our internal team handles it fully.”
  The director of product development in financial services also highlighted how ServiceNow IRM supports faster and more accurate audit preparation by providing a reliable system of record and built-in accountability. They noted: “We needed a proper workflow and a way to hold people accountable. Our previous system didn’t give us the checks and balances that IRM provides, especially around access, roles, and making sure people follow the right process. A lot of our prior work was offline and could be manipulated, so we didn’t have a reliable system of record. That created audit issues, and moving to IRM addressed those gaps.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

• The composite organization has 60 internal auditors.

• The composite completes four audit cycles annually.

• In the prior environment, internal auditors spent 160 hours per audit cycle preparing for audits and collecting evidence from systems, stakeholders, and control owners.

• With IRM, the composite reduces the time spent on audit preparation and evidence collection by 40% in Year 1, by 55% in Year 2, and by 60% in Year 3.

• The blended average fully burdened hourly rate for an internal auditor and internal audit engagement manager is $58.

• For this benefit, the composite has a productivity recapture rate of 50%.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

• The number of internal auditors and the frequency of audit activity across a year.

• The time spent on audit preparation and evidence collection in the prior environment.

• The degree of automation and evidence centralization achieved with IRM.

• Fully burdened hourly rates for internal auditors and audit engagement managers.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.3 million.

Legacy Environment Savings

Evidence and data. Interviewees said that prior to adopting ServiceNow IRM, their organizations maintained multiple legacy GRC tools, internally developed systems, and supporting on-premises infrastructure. They explained that this created significant software, infrastructure, and maintenance burdens. Teams spent considerable time maintaining systems; managing integrations between tools; and extracting, formatting, and reconciling risk data across disconnected platforms to maintain accurate and current views of risk posture.

After implementing IRM, interviewees’ organizations began consolidating these activities into a centralized platform and as risk, compliance, and control workflows were migrated to IRM, legacy tools and supporting infrastructure were gradually phased out. Interviewees said IRM’s centralized data model, built-in integrations, and standardized workflows eliminated much of the integration and reconciliation overhead required to manage risk across systems, which reduced the need for manual data movement and ongoing system maintenance.

Over time, as adoption expanded and historical data was migrated into IRM, the organizations progressively decommissioned legacy tools and retired on-premises infrastructure. Interviewees noted this transition reduced software licensing costs, eliminated infrastructure requirements associated with hosting legacy systems, and decreased the engineering and administrative effort required to maintain the prior environment. They also said that by removing the structural complexity of managing risk data across multiple systems, their organizations improved the timeliness and reliability of risk insights to enable faster, more informed decision-making. Resources previously responsible for maintaining legacy tools increasingly shifted their focus toward supporting IRM adoption, improving risk processes, and enhancing governance programs rather than sustaining multiple disconnected systems.

• The product owner of risk management in food and beverage explained: “We fully decommissioned our legacy tool after migrating the historical data into ServiceNow IRM. When we went live with risk assessments, we migrated the prior cycle’s results, so everything was in IRM immediately. We didn’t want to combine IRM results with legacy results, so we moved the history and cut over completely.”
  This interviewee continued: “Our internal tool required one full‑time resource to maintain it. Another legacy GRC platform required additional support, and we also relied on external assistance for a separate control monitoring system. Those internal resources have been repurposed; they no longer maintain systems. They’re now advanced IRM users focused on more strategic tasks.”

• The VP of risk and control management in financial services shared: “We plan to fully retire our legacy risk platform once we complete the current assessment and testing cycle. It’s been costly to maintain, especially because every new integration or report requires additional investment. IRM gives us the connectivity and workflows we need out of the box, which eliminates those add‑on costs and reduces the effort required to keep the environment running.”
  This interviewee continued: “Before we implemented the platform, we relied heavily on spreadsheets and a separate analytics tool to analyze our data. Now we’ve consolidated much of that work into the platform itself. Our teams can extract the data they need and build the reporting and analysis directly within the system, which has significantly reduced our reliance on external tools. … The manual integration work we used to manage — including downloading, formatting, staging, uploading, and validating data every quarter — simply goes away with IRM. Those activities used to tie up dedicated technical staff for months each year. With IRM’s automated integrations, that burden disappears, and the team can be reallocated to more meaningful work.”

• The director of product development in financial services said: “We’re definitely seeing savings on the system management side. Because of how IRM is built, our engineers can deliver changes much faster. Most of what we need is available out of the box or through simple configuration, so there’s far less customization compared to our prior system. Overall, the engineering effort required to support the platform has dropped significantly. We went from a team of about 50 engineers to roughly 20, all fully dedicated to ServiceNow. It’s a major efficiency gain.”

 Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

• In the prior environment, the composite spent $350,000 annually on point solutions used for governance, risk, and compliance activities.

• With IRM, the composite gradually decommissions these point solutions and eliminates 0% of spend in Year 1, 50% in Year 2, and 100% in Year 3.

• Each year, the composite incurs $200,000 in on‑premises infrastructure costs associated with hosting and maintaining legacy GRC systems.

• With IRM, the composite reduces its legacy infrastructure spend by 0% in Year 1, by 50% in Year 2, and by 100% in Year 3.

• Four resources dedicate 30% of their time to the ongoing management of the prior environment.

• With IRM, the time these resource spend managing the prior environment decreases by 0% in Year 1, by 50% in Year 2, and by 100% in Year 3.

• The average fully burdened annual salary for a management resource is $121,500.

Risks. Forrester recognizes that these results may not be representative of all experiences. The following factors may impact this benefit:

• The scale and complexity of the legacy GRC environment, including the number and type of point solutions in use.

• The degree of reliance on on‑premises infrastructure and the pace at which systems can be decommissioned.

• The level of effort and number of resources previously required to maintain legacy systems

• The timing and completeness of IRM adoption, migration, and data consolidation activities.

• Fully burdened salaries for resources responsible for managing the prior environment.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $755,000.

Unquantified Benefits

Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:

• Faster, more risk-informed decisions. Interviewees reported that IRM improved visibility into enterprise risk and compliance data, which enabled their leaders to make more timely and informed decisions. Previously, risk and control information was distributed across multiple systems and spreadsheets, which made it difficult to quickly understand overall risk exposure. But interviewees said with IRM, their organizations centralized risk registers, control data, and assessment results on a single platform supported by dashboards, reporting, and workflow automation. This allowed stakeholders to more quickly identify emerging risks, review control performance, and prioritize mitigation activities.
  The product owner of risk management in food and beverage shared: “We were previously working with risk and control information that was scattered and largely based on gut feeling. Now, with an integrated view and more data-driven risk assessments, we can make more informed decisions, which creates a virtuous loop of better risk management.”

• Standardized risk and compliance methodology across global operations. Interviewees noted that IRM enabled their organizations to standardize risk and compliance processes across regions, business units, and risk domains (e.g., enterprise risk, operational risk, compliance, and cyber risk). Prior to adopting the platform, teams often relied on different tools and locally defined processes for risk assessments, control documentation, and compliance activities. ServiceNow IRM provided standardized workflows, configurable assessment frameworks, and centralized control and policy libraries that helped interviewees’ organizations apply consistent methodologies enterprisewide. This ensured alignment in how different risk domains are assessed and managed while improving coordination, transparency, and governance.
  The product owner of risk management in food and beverage explained: “We looked at IRM to standardize, harmonize, and consolidate processes and systems. As an organization, we aligned on one risk assessment methodology that we now apply across multiple risk domains. Any new risk assessments must follow the same methodology, which we have built directly into ServiceNow IRM. For us, the focus is really on streamlining, harmonizing, and consolidating how these processes work.”

• Faster alignment of newly acquired entities. Interviewees noted that using IRM as a single enterprise framework enables newly acquired entities to be incorporated into risk and control processes more quickly. They said that because IRM supports global, template‑driven use cases (e.g., control self‑assessments, risk assessments, issue and remediation workflows), their organizations can apply a consistent methodology on day 1 to avoid phased rollouts and reduce time to align acquisitions to corporate standards.
  The product owner of risk management in food and beverage said: “When we deploy a use case, it’s global. All operating companies and global functions complete the same companywide control self‑assessments. When a new company is acquired, it follows the same process from day 1. We don’t do phased rollouts; adoption goes from zero to full coverage immediately.”

• Improved early detection of operational risks. Interviewees explained that IRM allows their organizations to detect emerging risks earlier by linking risks, controls, and preventative checks within a single workflow. Prior processes made it difficult to understand the customer and financial impact of operational changes, which in some cases led to significant downstream issues. But interviewees said that with IRM, their organizations can identify certain misconfigurations earlier, assess the associated risks more accurately, and minimize the financial impact.
  The director of product development in financial services shared: “We previously experienced a major issue related to card misclassification that had a significant financial impact. [If we had] IRM, we would have had the preventative controls, risk associations, and review routines needed to catch that change sooner. The way IRM links risks to controls and captures impact data would have helped us understand the exposure earlier and reduce the overall severity.”

Flexibility

The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement ServiceNow IRM and later realize additional uses and business opportunities, including:

• Adapting to regulatory shifts. Interviewees noted that ServiceNow IRM helps their organizations stay ahead of a rapidly changing regulatory landscape because the platform is aligned with widely adopted frameworks (e.g., NIST AI Risk Management Framework [AI RMF], ISO/IEC 42001, GDPR, and SOX) and capable of absorbing new obligations with minimal rework. They said that as regulators introduce heightened expectations for operational resilience, incident reporting, and control standardization, IRM enables their organizations to update processes, remap controls, and demonstrate audit readiness without reengineering entire systems or relying on bespoke tooling.

• Preparing for AI governance and emerging AI‑related regulations. Interviewees highlighted there is mounting regulatory and internal pressure to govern AI across their organization. They said IRM is natively integrated to work with ServiceNow AI Control Tower (ServiceNow AICT), designed to help organizations inventory AI systems and use cases, map AI risks to relevant controls and frameworks (e.g., the EU AI Act, the NIST AI RMF, the Colorado AI Act, California’s automated decisionmaking technology [ADMT] regulations), and support continuous oversight across the full AI lifecycle. They said AICT embeds governance into operational workflows, which enables their organizations to assess risk, enforce controls, and produce audit-ready evidence without manual, point-in-time reviews. While these capabilities are still maturing, interviewees view them as positioning the platform to proactively meet today’s AI-focused regulatory requirements and adapt as expectations evolve.
  The VP of risk and control management in financial services shared: “IRM aligns extremely well with our broader goals around operational resilience and regulatory readiness. Everything we’ve built on the platform helps us meet our current regulatory obligations, and we see it putting us in a strong position for upcoming requirements as well. The newer capabilities, including the AI Control Tower, already map closely to frameworks like ISO and NIST, so we can adapt to evolving regulations without needing heavy customization.”

Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Total Economic Impact Approach).