Now on Now: How we transformed our own GRC processes

Increasing scalability, lowering risk, and slashing costs by $2.6m 
When your business is growing more than 20% a year, it’s hard to keep up. Processes that used to work perfectly well are now breaking under increased strain. Running a business with 17,000+ employees—and doing it well—is very different from spinning up a start-up. Spreadsheets and emails just won’t cut it anymore, especially if you’re looking to automate and accelerate every corner of the enterprise. 

That’s what we found at ServiceNow when we first looked at our own GRC process.   

The bottom line: the manual processes we were using just wouldn’t scale.  

Let's delve into the ServiceNow GRC journey and how we’ve moved from tedious manual work to integrated and automated processes that engage employees and encourage productivity in their work. Along the way, we’ll share our experiences and insights, including our challenges, how we approached them, the ServiceNow solutions we used, and the benefits we’ve seen. 

Inefficient manual processes and lack of visibility 
We’ll start with the pain of one of our biggest challenges, which was proving compliance to Sarbanes-Oxley (SOX). We had people spending 90% of their time on SOX. Everything was driven by emails and spreadsheets—requests, tests, reviews, status—everything. Yes, we stored some information, such as quarterly attestations, in databases, but there was no easy way to track progress. We ended up downloading data and running massive pivot tables just to get basic reports. We struggled with visibility and transparency, all of which were blocking our way forward. And, because no one else could access this documentation, the audit team had to update all the controls. 

Drowning in documentation 
We knew we had to get out of the documentation business. The only way we were going to support growth was to spend 30% to 40% of our time on SOX—not 90%. Compliance is everyone’s responsibility, but unless we could drive automated workflows and give our business process owners self-service access, nothing was going to change.  

Police, not business partners 
There was another problem: business perception. Process owners saw the audit team as cops—policing processes rather than adding value. We wanted to push ownership and accountability to the people who owned and ran these processes. But to do that, we knew we had to give a little back. We needed to make it easy by seamlessly integrating compliance into their everyday work. Then, we needed to actually help them run their business and manage risk, and that meant delivering real-time visibility into what their teams were doing, not just performing historical audits.  

Our approach to a successful GRC transformation 
So, how did we go about transforming GRC at ServiceNow into what many call Integrated Risk Management (IRM)? What were the steps we took? How did we approach them? How did we use the ServiceNow GRC portfolio of applications and the Now Platform^® to cost effectively scale and create a better control environment? 

Clear goals, laser focus 
First, we established clear goals to establish the outcomes that would define success. GRC implementations fail without a clear vision up front. Without them, we knew we’d be wasting time heading off in the wrong direction, and that it would be nearly impossible to get organizational buy-in. 

Second, we decided to focus on SOX rather than taking on other areas such as ISO 27001, SANS, or GDPR at the same time. We picked one area with low-hanging fruit and high business visibility. Otherwise, the business was going to run out of patience before we could deliver meaningful progress. 

Unified solution, iterative approach 
By choosing SOX, we were also able to cover all the core GRC capabilities, including policy and compliance, risk, and audit. That was important, because all these processes need to work together. For example, by automatically collecting compliance evidence, we could dramatically simplify auditing. Similarly, risk management builds on compliance by continuously monitoring critical controls. 

We also took an iterative approach, delivering a minimum viable product as the first step. That allowed us to go live in just four months with a useful solution—even if it didn’t have indicators and dashboards. And it meant that we could get critical feedback earlier rather than rolling out a fully-featured offering later on that might not meet our business needs. 

Enterprise-wide transformation 
Another key reason why GRC initiatives fail? They’re often treated as “backroom projects.” To succeed, GRC instead needs to be treated like any other transformation initiative. In our case, our CFO was the project’s executive sponsor and approved the implementation budget. It’s important to understand and communicate the full business value, which, for a company like ours, can easily be millions of dollars. 

A comprehensive plan to drive adoption 
This enterprise-wide approach didn’t stop at ROI. Our team engaged up front with business process owners to get them on board and followed this up with a comprehensive plan to drive adoption. For example, there were mandatory learnings that covered everything from ownership and accountability to hands-on training on controls, attestations, and so on. And the team also created further awareness through webinars, all-hands sessions, and other regular communications. 

Planning for the future 
Lastly, we understood that this was only the first part of our GRC journey. That meant we needed to keep planning, and implementing, for the future. For instance, we implemented SOX first, but wanted to use it more broadly. We kept the design generic so we could reuse it. Where we did make SOX-specific enhancements, we made sure we could disable them easily. For example, we’ve been able to reuse our original policy and control forms for enterprise policy management, security compliance, and privacy, by simply reconfiguring the backend workflows. 

The benefits we’re seeing 
Since we started our GRC transformation, we’ve achieved significant results. We now have a full GRC implementation for SOX financial controls, including policy and compliance, risk, and audit. We’ve also successfully tackled other areas, such as GDPR and cybersecurity concerns as part of ISO 27001, SSAE 16, NIST 800-53, and FedRAMP. 

Empowering business process owners 
Now, our business process owners are full partners in the compliance process using our ServiceNow service portal to manage their own policies and controls. With ServiceNow Performance Analytics dashboards, they can also track audit activities, monitor compliance, and get real-time insights into the status of their control and risk landscape. 

And we’re using the same Now Platform that our customers and business owners use for their day-to-day work. There’s no need to open a separate GRC system. It’s right there along with their other business tools. That makes GRC a part of our DNA. We’ve also integrated GRC directly into our business processes. For example, our finance team uses the Now Platform to manage their monthly reconciliation. We’ve built controls around that, and as the reconciliation progresses, it automatically generates indicators linked back to these controls. It’s now basically zero-touch. 

Real-time visibility into compliance and risk 
Monthly accounting reconciliation is just one example of how we’re using ServiceNow GRC to give us near real-time visibility into our control and risk status. Currently, we’re automatically monitoring more than 150 indicators tied to controls. We’re also monitoring a complete set of SOX financial risks, as well as 50 other key risk indicators across our business. 

Combined with event-based alerts, that gives us 24/7 assurance. We can also point to our SAP system as an example. ServiceNow GRC automatically monitors our SAP configuration tables. When there’s a significant change, it alerts the relevant business owner and asks them to confirm that the change was approved. If it wasn’t, we know it right away and can roll back the change. Without ServiceNow GRC, we might never have discovered the issue.  

Dramatically increased efficiency 
Back to our original problem: slow manual processes that just wouldn’t scale. How has GRC helped to transform the landscape, giving us the bandwidth we needed to support our business growth? 

Here are some examples: 

• 66% reduction in quarterly control certification due to continuous control monitoring, as well as automated surveys, which are built into the Now Platform
• 85% reduction in the time needed to track status, thanks to real-time reporting and dashboards
• 90% reduction in coordination efforts with external auditors now using ServiceNow GRC to gain direct, transparent access to all our GRC data 

Where to next? 
By freeing up our GRC resources, we’ve been able to take on other increasingly critical areas. The more we automate, the more capacity we have to automate, creating a positive snowball effect. 

However, it’s not just about taking on new compliance areas. We’re also driving further fundamental improvements in our GRC processes like expanding our automated monitoring capabilities. And there are a huge number of other opportunities. For example, ServiceNow GRC lets us rationalize controls across multiple overlapping authority documents, streamlining compliance even further. We’re also creating controls to monitor risk posed by third parties and business continuity plans or activities as part of our integrated risk and compliance program.  

The bottom line 
With ServiceNow GRC, we’ve saved $2.6M a year through process automation. That’s freed up resources to broaden our GRC coverage and keep pace with business growth. 

We’ve made GRC or IRM far stronger by turning it into a living, breathing discipline. Before, GRC was a slow, historical process that didn’t add value for stakeholders. Now, our business owners have real-time visibility into their controls and risks, so they can take immediate action to address issues before those issues become major problems.  

By giving them ownership and accountability, we’re empowering our teams with an integrated view across the enterprise and have repositioned our GRC team as a trusted business partner.