Is anyone using JSM as an "operational risk hub" in the company?

Hi everyone,

I see many discussions about Jira Service Management (JSM) focused on "classic" ITSM: incidents, requests, changes, SLAs, and knowledge bases. That's great, but I wanted to bring up a topic I almost never see around here:

Is anyone using JSM as an "operational risk hub" in their company?

JSM is already very strong for:

IT Support,

Incident and problem management,

Changes and requests,

Integration with Confluence, CI/CD, etc.
(Overview:
https://support.atlassian.com/jira-service-management-cloud/docs/what-is-jira-service-management/)

But in practice, it also has everything it takes to be a day-to-day risk orchestrator, connecting:

IT / Operations,

Information Security (VRM, security incidents, vulnerabilities),

Compliance / Audit / Internal Controls,

Business areas that open requests with an impact on risk, contracts, sensitive data, etc.

"Non-traditional" use idea
I'd like to know if anyone is already doing something along these lines, for example:

Single operational risk portal

A single portal where:

IT incidents,

security incidents,

process violations,

supplier failures,

and even employee concerns (internal whistleblowing, for example)
arrive as different request types but follow workflows orchestrated by JSM.

JSM integration with supplier management and VRM

Using JSM to:

open third-party risk assessments,

track supplier pending issues,

record incidents involving partners,

link to a possible CMDB/Assets focused on suppliers, contracts, third-party systems.

Workflows combining Security + IT + Legal + Compliance

For example:
A security incident opens in JSM, triggering:

technical analysis (IT/SecOps),

regulatory impact assessment (Compliance/Legal),

communication to customers/authorities (when necessary).

Everything tracked in a single ticket (or set of related tickets).

Using Assets (CMDB) as a "risk map"

Associate:

services, systems, sensitive data,

process owners,

suppliers,

critical controls,
and use this to:

prioritize incidents,

classify change impact,

identify aggregate risk (e.g., multiple incidents with the same supplier or system).

Reports for risk and governance using JSM data

Dashboards that not only show:

response time,

SLAs met,
but also:

incident concentration by risk type,

most affected areas,

most critical suppliers,

most recurring failure types (process, human, technology, third-party).