What is GRC?
GRC is an acronym for Governance, Risk, and Compliance. Per ServiceNow’s definitions,
Governance: The frameworks of an organization’s activities and whether they are aligned with business objectives. Activities include processes, structures, and policies that are meant to manage and monitor company activities.
Risk: A sustained process of addressing risks, mitigating risks through controls, and providing assurance that the stakes are managed according to policies. This includes measurement of risk, assessment, retention, monitoring, and identification.
Compliance: Ensuring that activities within an organization operate in a way that is aligned with laws and regulations.
Problem Statement: The Business and IT Challenge
Managing risk and compliance with a manual, siloed, and reactive work model is no longer effective as the global regulatory environment continues to evolve, forcing changes across your organization. Changes are driven by the need to: adopt new business models, establish new partner relationships, deploy new technologies, and address the increasing number of threats and cyber risks. Many enterprises have discovered that without an integrated view of risk, it is virtually impossible to quickly assess the impact on their existing compliance obligations and risk posture of these changes.
Why ServiceNow GRC?
ServiceNow is named a Leader in the Forrester Wave™: Governance, Risk, And Compliance Platforms, Q3 2021, and a Leader in the Gartner 2021 Magic Quadrant for IT Risk Management and IT Vendor Risk Management. The recognitions validate ServiceNow’s leadership in helping businesses successfully navigate a challenging landscape, build resilience, and manage risk.
ServiceNow GRC helps transform inefficient processes across your extended enterprise into an integrated risk program. Through continuous monitoring and automation, ServiceNow delivers a real-time view of compliance and risk, improves decision-making, and increases performance across your organization and with vendors. Only ServiceNow can connect the business, security, and IT with an integrated risk framework that transforms manual, siloed, and inefficient processes into a unified program built on a single platform.
Applications of ServiceNow GRC Product
ServiceNow offers the following GRC applications and associated modules:
Risk management – Detect and assess the likelihood as well as the business impact of an
event based on data aggregated across your extended enterprise and respond to critical changes in risk posture.
Policy and compliance management – Automate best practice lifecycles, unify compliance processes, and ensure their effectiveness.
Audit management – Scope and prioritize audit engagements using risk and profile information to eliminate recurring audit findings, enhance audit assurance, and optimize resources around audits.
Vendor risk management – Institute a standardized and transparent process to manage the lifecycle for risk assessments, due diligence, and risk response with business partners and vendors.
What are Business Benefits ServiceNow GRC provides?
Identify risks in real-time: Configure real-time business and IT service performance data and identify vendor requirements to enable automated controls testing. Define thresholds as indicators for continuous monitoring of your extended enterprise
Increase performance: The Now platform CMDB, process designer, service mapping, and consistent and cross-functional workflow automation simplify GRC processes and eliminate errors
Optimize internal audit productivity: Use of risk data and issues management enables effective audit project scoping, planning, and reporting while optimizing internal audit and compliance resources
Improve strategic planning and decision-making: Fine-grained business impact analysis, task management, and contextual alignment with the CMDB on a single platform provide cross-functional visibility to identify, prioritize, and appropriately respond to risks.
Automate third-party risk: Formalized vendor risk assessment and tiering process, improved visibility and transparency, saved time, and reduced vendor risk.
Extend your ServiceNow investment: The single platform of engagement offers orchestration, easy integration, and data ingest and publication capabilities.
How do I start the ServiceNow GRC Journey?
ServiceNow GRC product adoption depends on the maturity level at which ServiceNow ITSM and ITOM capabilities (i.e., the CMDB and its health status) are used by the organization. Before launching a project, the following pre-project discovery – strategy and roadmap will help the GRC adoption journey easier:
Executive Enablement: Critical inputs for the GRC project pre-flight check:
- Current State: people/process/technology, pain points
- Future State: Vision & Value (business goals/objectives/outcomes, and key use cases)
- Governance (Key sponsors, Business owner, COEI, Product/Platform owner, PM, Stakeholders Roles & Responsibilities)
- GRC Demos
- Initial Project visioning – Identify scope, Key Performance Indicator (KPIs)/Key Success Factors (KSFs), timeline, milestones, resources, quality, key deliveries, and budget
- Deliverables – Draft (v 0.1) of Business Case and Project Charter
Discovery Workshop: Interview critical stakeholders and conduct discovery workshops:
- Interview key stakeholders from different lines of business and levels
- Conduct workshops as needed
- Discovery readouts deliverables– Key pain points, key business, requirements, findings, and observations
- Refined version 0.2 of Business Case and Project Charter
Readiness Assessment: Maximize the value of GRC capabilities and project:
- Identify gaps
- Identify constraints and risks
- Identify major dependencies
- Identify risks and responses
- Assessment reports, including current GRC maturity level
- Refined version 0.3 of Business Case and Project Charter
Strategy and Roadmap: Maximize the value of GRC capabilities and projects. Consider strategy:
- Program or project?
- What is in the MVP?
- Configuration vs. Customization
- Insourcing or outsourcing
- Team capacity planning
- Roadmap: phased approach or big band
- Roadmap: in-scope and out of scope
- Roadmap: Admin and user training and enablement
- Deliverables: strategy and roadmap
- Deliverables: Refined version 0.4 of Business Case and Project Charter