CI Relationships in ServiceNow CAB Workflows | Virima
Inaccurate CI relationships — the dependency links between configuration items that show what a change will affect downstream — cause ServiceNow’s Change Advisory Board to approve high-risk changes as low-impact. When one mid-market company replaced 14 months of manually maintained CMDB data with discovery-sourced CI relationships from Virima, their CAB outcomes shifted measurably — without changing the workflow itself. Same process, better data: a 28% drop in same-day approvals for high-impact changes, and zero P1 incidents caused by approved changes in the 90 days following integration.
How accurate CI relationships changed CAB decision-making
ServiceNow’s CAB risk score reads from the CI relationship graph attached to each change record. If that graph is stale, the score is stale — and the CAB approves changes it shouldn’t.
What the CAB approved before discovery-sourced data
The CAB reviewed 80 standard changes per two-week sprint using ServiceNow’s built-in risk-scoring framework: change type, risk level, and the CI relationship graph attached to each change record. That relationship data was manually maintained — records created when a CI was first added to the CMDB and rarely touched afterward.
The gap in the data created a blind spot in the process. The CAB approved these as low-impact — zero or one downstream business service. 31% were actually touching two or more critical business services not visible in the ServiceNow graph. They approved based on incomplete topology information.
According to Gartner, up to 60% of their CMDB relationship records are inaccurate or outdated, largely because manual maintenance can’t keep pace with infrastructure changes. When the CAB reads a relationship graph that underrepresents downstream dependencies, risk scores drop artificially, and change approvals that should receive extended scrutiny get fast-tracked.
ITIL’s change management framework identifies stale CI data as one of the most common causes of failed standard changes — changes that passed CAB approval but disrupted production. The relationship between CMDB accuracy and CAB decision quality is not incidental; it’s structural.
The integration: discovery replaces manual relationship maintenance
Virima’s ServiceNow integration established a bidirectional sync between Virima’s ViVID™ service maps and ServiceNow’s CMDB. Virima integrates directly with ServiceNow to enrich your CMDB with discovery-sourced ground truth — not replacing the workflow, but improving the data it reads. The mechanism was straightforward: IT discovery scanned the production environment on a 48-hour cycle, identifying all CIs and their relationships. Those relationships — verified by what discovery actually found running in the environment — became the source of record in ServiceNow.
On the first sync, 2,800 relationship records were updated or added across 640 CIs. The relationship graph in ServiceNow shifted from reflecting 14 months of static, manually maintained data to reflecting the actual current topology of the infrastructure.
The critical point: the CAB workflow itself was not modified. No process changes. No new approval criteria. No training. The only variable that changed was the data the workflow was reading.
What changed in CAB outcomes
Approval rate shift: Before the integration, 89% of changes touching three or more business services were approved on the same day. After the integration, that rate dropped to 61%. The remaining 39% moved to extended CAB review with a detailed blast-radius diagram from the current ViVID™ service map — where the extended review uncovered real downstream dependencies the old CMDB data had missed.
Review time increase: Average CAB review time for high-impact changes increased from 12 minutes to 34 minutes — nearly three times longer. The CAB wasn’t approving changes faster anymore because they were now seeing the actual scope of impact.
Incident reduction: In the 90 days before the integration, three P1 incidents were caused by CAB-approved standard changes. In the 90 days following, zero. The three pre-integration incidents all involved changes the CAB had approved as “low-impact” because the manually maintained CMDB showed zero or one downstream business service. The actual infrastructure told a different story.
Seeing this in your own ServiceNow environment takes less than you think. See how the integration works →
When your blast-radius assessment is based on accurate topology, your risk decisions improve. When it’s based on stale data, you approve changes you shouldn’t.
Key outcomes from the integration (90-day window, no workflow changes made):
Same-day approval rate for high-impact changes dropped from 89% to 61%. Average review time nearly tripled, from 12 to 34 minutes. P1 incidents caused by CAB-approved changes: from three to zero.
Why accurate CI relationships matter for CAB decisions
The CAB isn’t broken when it approves risky changes — the data it’s reading is.
In the case above, the CAB team was competent. Their process was sound. The gap was entirely in the data layer. When the CMDB relationship graph showed a change touching zero downstream services, they approved it in 10 minutes. When the same topology is accurately represented and the graph shows five downstream services, they know to apply extended scrutiny, involve the right stakeholders, and make a more informed decision.
“In our implementations, the first sync almost always surfaces relationship gaps the customer didn’t know existed. The CAB starts seeing a very different picture.” — Virima implementation team
Understanding configuration item dependencies is foundational to change management. But understanding those dependencies through manual CMDB maintenance — where records are created once and rarely updated again — is fundamentally unreliable in dynamic infrastructure.
The alternative is discovery-sourced CI relationships: relationships built from what automated discovery actually finds in the live environment on a regular cycle. When that data syncs to ServiceNow, the CAB workflow reads topology that reflects reality, not a months-old snapshot.
CAB risk assessment: why the data layer is the control point
ServiceNow’s change risk scoring algorithm is only as accurate as the relationship graph it reads. Organizations with stale CMDB relationship data see higher change-related incident rates — not because their CAB process failed, but because risk scores reflected an outdated picture of infrastructure. CAB risk assessment performs correctly when the data layer is accurate. Fix the data; the process fixes itself.
What this requires on the CMDB and integration side
Running discovery-sourced CI relationship data through a ServiceNow CAB workflow requires three prerequisites:
- Service definitions come from you. Virima discovers relationships from what’s running; which CIs belong to which service is your call.
- The sync must cover the CI classes ServiceNow’s risk engine reads: Server, Application, Database, Network Device, and Business Service. Virima syncs all by default through the ServiceNow integration.
- Refresh frequency must match your pace of change. A 48-hour cycle works for most environments; continuous discovery is available for faster-moving infrastructure, or before change windows when accuracy is critical.
See CMDB best practices for change management accuracy for a deeper guide to building a reliable CMDB. If you’re evaluating a CMDB build-out with discovery-sourced relationships, that use-case walkthrough covers the full scope of deployment and integration.
Making change approval decisions based on what’s actually running
The shift from manual to discovery-sourced CI relationships is a data quality change. The workflow stays the same; what it reads changes. When your CAB reads a relationship graph that reflects current infrastructure topology instead of outdated manual records, approval outcomes improve naturally. Your team makes better risk decisions because they’re working with better information.
For teams running ServiceNow, integrating Virima’s discovery-sourced CI relationships means the CAB always knows the true blast radius of a change before approval. That visibility is what turns change management from reactive approval into risk-informed decision-making.
