
MichaelDortch
Tera Contributor

Years ago no one thought computing mattered to any but computer people. (I know. I was there.) Today, almost every enterprise of every size and type depends on computing to do business.


Today, most businesspeople who are not specialists in governance, risk and compliance, or GRC, think that GRC only matters to GRC specialists. Hmm...


Here's the thing. Say you're an IT person, and you're puttering around your abode of a morning, perhaps enjoying some delicious chamomile tea and a bran muffin while watching the business news on your outlet and device of choice, when all of a sudden you see your CEO doing the perp walk in one of those stylish orange jumpsuits. The odds are good that you will not enjoy the next phone call, e-mail or knock on your door that you receive. Because thanks to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley, if your CEO is under suspicion, he or she is likely to assert that his or her claims of innocence and veracity are based on information provided by you, your team and the technologies you manage.


I think you can already see where I'm going with this. But in case it's not yet crystal clear, let me put it another, perhaps broader way.


GRC is basically about accountability -- to regulators, your board of directors, your investors and to those who enforce compliance with best business practices (ITIL or COBIT, anyone?). Which presumably includes those who run your enterprise's business operations. And to the extent your business relies upon IT to do business, it must also rely upon IT to enable and support the accurate, timely reporting of what's going on in the business to deliver said accountability.


Sounds simple enough. But as is still too often true regarding IT folks and the rest of the business, IT people and GRC specialists are like the cast and the behind-the-scenes crew of a stage show. Having done a bit of theater in my time, I can assert with confidence that often, cast and crew can't stand each other. But each group comes to realize sooner or later that without some serious cooperation, there won't be a show. So they find ways to cooperate sufficiently to make the show happen.


At many enterprises, assuming there are dedicated GRC specialists, those people rarely if ever have deep IT skills, or deep relationships with those who run IT. And both the GRC folks and the IT folks are often too busy firefighting and playing catch-up to engage with each other, until and unless some crisis forces them to do so. Like the CEO doing that perp walk. And by then, it's often too late to do anything but scramble to respond to requests or demands from auditors, regulators and/or law enforcement.


KPMG, one of ServiceNow's Global System Integrator partners and "a ServiceNow strategic advisory partner," also does a lot of GRC-related consulting. In its document entitled "Governance, Risk and Compliance: Driving Value through Controls Monitoring," the company advises that strategic, tactical and operational GRC "controls monitoring tools" are essential to achieving a proactive, "big picture" view of and approach to GRC. Specifically KPMG recommends that the organization take three significant steps.

  • "Assess the organization's current GRC maturity and identify its portfolio of key controls across the various compliance frameworks to which the business is subject.
  • "Select a tool to help monitor performance of these key controls.
  • "Build a 'dashboard' to provide transparent performance reporting to decision makers and embed it within the regular business processes."


KPMG and other enterprise consultancies and advisory services also recommend integration of GRC controls monitoring, management and reporting with enterprise resource planning (ERP) solutions. But I believe that truly successful, holistic GRC management and reporting efforts can also benefit greatly from integration with IT service management (ITSM) tools and processes at the strategic, tactical and operational levels. Such integration is likely the only way to ensure that all of the relevant information about the IT infrastructure elements enabling business operations and GRC processes and controls is included in all GRC management efforts.


How best to integrate ITSM and GRC? ServiceNow IT GRC provides automation, integration and flexible reporting that can ease and speed consolidation of GRC management and ITSM efforts in helpful ways. And the single version of the truth enabled by the ServiceNow Service Automation Platform can help enterprises to extend effective IT GRC management efforts to other areas of the business -- notably change management. Such an evolution parallels how the ServiceNow Platform is helping enterprises to extend effective service management beyond IT.


But tools are only part of the solution. Effective relevant processes -- and promotion and enforcement of their adoption across the enterprise -- are at least as critical as any tools. And ServiceNow partners are helping enterprises to assess and optimize the processes needed to succeed with GRC. One such partner, Intréis, focuses specifically on what it calls "GRC-enabled ITSM," and offers numerous services designed to help ServiceNow customers improve their efforts in GRC, ITSM and integration of the two. I expect you'll see more ServiceNow partners paying more attention to GRC-ITSM integration as well, as demands and requirements for accountability and transparency ratchet up, within and beyond IT.


Whether your enterprise is in a highly regulated business or simply wants to be more consistent and transparent in its compliance with ITIL, COBIT or some industry-specific guidelines, GRC is now or will soon be critical to your enterprise's operations. Perhaps as critical as management and optimization of the IT infrastructure that enables those operations. So now is the time to start identifying the key GRC-focused people, processes and tools available to you, and to begin bringing them together with the people, processes and tools making ITSM work. That way, you'll avoid doing a "spit take" with your tea and muffin, should you in fact see your boss doing the perp walk on TV one day. Which should never happen, if you get GRC-ITSM integration right.
