on 09-06-2021 08:24 AM
Ever since the (partial) rebranding of GRC to IRM, it has bugged me that the focus is put so heavily on the Risk solution. The P&C (Policy and Compliance) module is far more versatile and fits many use cases that can form the entry point into the IRM concept for immature ServiceNow customers. In addition, the Risk module, especially Advanced Risk, really depends on the Control part being solid.
With the new Workspace arriving in a few days, I think the appeal of P&C will only increase.
The first advantage of P&C is that each of its components can work on its own to solve pain points, to the point of justifying an implementation by itself.
1. Policy Management for Management Systems: using the Policy lifecycle to secure version control and approval matrices, and publishing the result as a KB article. This is a huge step forward from Word files being emailed around and printed as PDF. KB articles open up the entire Knowledge module (including Portals, Search Engine, Feedback, Subscriptions, etc.), which is once again far better than SharePoint / Intranet for those PDF files.
- ServiceNow does not simplify the work of defining clear processes, but it makes it more efficient in the writing, reviewing, publishing and updating/improving stages.
- Using Parent-Child relationships and Types, a hierarchy can also be put in place. This helps move away from 20-50 page Procedures with large tables of contents that no one ends up reading. Instead we can build precise, to-the-point KB articles that answer exactly what the end user is looking for.
- Acknowledgement Campaigns are the icing on the cake: they ensure that "This process is relevant for all Project Managers" is actually Read & Understood by all Project Managers.
2. Policy Management for Surveys: using Surveys & Questionnaires, the user can gather metric values. This is probably fine for simple cases. However, by defining Control Objectives as the Questions and using Attestation Designer to gather the answers, the Client can send out questions (Controls) where given answers (Attestations) will generate Issues.
- Attestations are a manifestation of the "Attest" State for Controls, making it easy to track the completion of the Surveys when the State changes (e.g. to Pending Review), or even by tracking the Attestation records themselves (just remember not to trust the completion rate, because of dependent questions).
- Issues are new Records (unlike Metric values), which can easily be tracked for improvement and compliance purposes.
- Grouped Attestations let the user send one long questionnaire to end users (and, with some scripting, even combine different Attestation Types).
- Since users reply to one question/attestation per Control, they can attach files per question/control rather than against the entire Survey.
- Using Entity Types maintained via Entity Filters makes it really easy to scope the submission of those "Surveys".
Those two use cases can be delivered as complete stand-alones, but they open the door to developing Portals, Mobile app, Dashboards, Workspaces, Notifications and Flows, etc. They also walk through key concepts of the ServiceNow IRM module, such as Entities, as a gentler introduction than Risk, where the Entity structure is crucial for things to work.
Once Policies are in place, you can easily promote linking them to Authority Documents as part of a Gap Analysis process:
- "What internal processes have no anchoring in laws & regulations?" and is there therefore an actual need for them to exist in the first place?
- "What external standards and best practices are not covered by our internal processes?" and how can we implement them into our current practice?
Once Surveys are in place, you can easily promote linking the Control Objectives to Policies:
- If we say that this is a requirement that all store owners must follow, where is it written in our internal process?
- Now we know how compliant each region is against those processes, based on the Compliance Score!
- And since we linked Policies to Authority Documents earlier, we now even know how compliant we are against the FDA regulations, without any additional work!
From there it is an easy step to bind everything together with Risks: Risks that are mitigated by a strong Control environment (design and operation), i.e. with "no" gaps against Laws & Regulations and with end users contributing to the improvement of the processes.
More and more, ServiceNow is being geared towards non-IT industries, meaning that the Client on the other side of the table may not know what "backend" or "CMDB" means. It is therefore our job to promote easy OOTB use cases like writing a Policy or sending customer satisfaction surveys, and to show them through the collaborative implementation process that ServiceNow is not that scary.
The Client will only grow as far as we help them mature.
It's a very nice article and one I think I will be coming back to, thanks Sebastien!
Thanks Sebastian for the great article! P&C is an excellent gate to IRM.