Presenters: Morgan Hunter (Senior Product Marketing Manager, ServiceNow) and Andrew Wheatley (Internal Director of Internal Audit, ServiceNow).
Session title: A business view of Integrating GRC and Service Management
Running service management and risk & compliance in functional silos is outdated. With new regulatory demands emerging daily, and increasing public demand for effective risk management, the only logical answer is to integrate governance, risk, and compliance (GRC) directly into your business processes. Integrated GRC helps you avoid unnecessary competition for resources, redundant processes, and gaps in visibility.
In today's session I had the privilege of having Andrew Wheatley, ServiceNow's Internal Director of Internal Audit, join me in my presentation. Andrew shared with attendees how ServiceNow is utilizing the platform's GRC capabilities to address the audit demands of one of the world's largest SaaS providers.
Q: Andrew, can you tell us a bit about your background before you came to ServiceNow?
A: I have 14 years of experience in Risk, Compliance, and Audit including 8 years in public accounting, and 6 years in executive positions in Internal Audit functions. I previously worked at PwC, NetApp, and VMware.
Q: What GRC tools have you used in the past?
A: While at PwC I had exposure to several different GRC tools such as Oracle, SAP GRC, MetricStream, OpenPages, and TeamMate.
While at NetApp and VMware, a lack of resources, enterprise buy-in, and coordination prevented us from implementing a formal GRC solution. One of the biggest barriers we faced was resistance to bringing on yet another stand-alone application that IT would have to support. As a result we had to resort to tools such as Excel and SharePoint for audit management. These types of tools have major limitations and are essentially used to organize and store documents instead of providing any real value to the organization.
Q: What are some of the common challenges an organization might face when implementing a GRC solution?
A: There are several common challenges:
- The top challenge of implementing any GRC solution is creating a value case, as compliance is oftentimes a hard value sell.
- After that, directionally aligning the various functions and the enterprise's overall risk and compliance roadmap is often very challenging due to competing priorities and agendas.
- Finally, knowing where to start, how to start, and how much to do can be challenging. Any GRC program needs to have clear ownership and accountability. There needs to be a vision and end state for the program so that you start developing the program with the end in mind. The second really important thing is to start small, build a foundation, and get quick wins.
Q: Can you tell us about the complexities of your GRC environment at the corporate level?
A: As a cloud company hosting our customers' environments, compliance and security are a top priority for our company. On the cloud operations side of our business we have a security compliance team that manages our ISO 27001, SSAE 16 SOC 1 Type II, SOC 2 Type II, and FedRAMP certifications and audits. They also manage a host of customer audits and vendor management.
On the corporate side of the house, we have an Enterprise Risk Management program led by the Internal Audit organization. Internal Audit also manages SOX compliance and core internal audit. As an international organization we are subject to the various international regulations.
Q: From your perspective, what is the value of having all of these activities on one platform?
A: The value of a GRC program is visibility, transparency, risk-based decision making, and increased coordination. With an effective GRC program and tool, organizations can see where their greatest risk exposure is, where they have sufficient mitigation, where they have the proper assurance coverage and oversight, and where they have gaps in their coverage that need attention. This enables companies to avoid overlap and duplication of efforts, and prioritize compliance initiatives.
Q: The theme of K15 is "Everything as a Service." What do you think about the concept of Compliance as a Service?
A: Our audit plan to the board is Internal Audit Service Delivery. We deliver several different value added services to our organizations. We use the Audit Service Delivery to drive our audit strategy and prioritize value creating activities.
Q: What business objectives influenced and informed your GRC automation roadmap?
A: We wanted to start small with a project that can build a foundation and get a quick win. We needed to take our financial internal controls program from Quickbase and automate it through the ServiceNow GRC solution. This will build a great foundation for policy and SOP management, Risk Assessment, Control Design, and Control Test and Audit Remediation. After creating this foundation, we'll seek to create efficiency in the program through continuous controls monitoring, more dynamic reporting, Audit Management, Project Management, and Enterprise Risk Assessment.
Q: What do you see as low hanging fruit for GRC automation?
A: Request management and evidence gathering. Through the use of control test definitions and automated rules, we can capture the evidence of control performance in an automated fashion, which is a huge savings and will increase the quality of our compliance efforts.
Q: What process are you using to facilitate buy-in from other groups?
A: I'm in the process now of gaining buy-in across the enterprise. It is a continual process and a journey. The important thing is communication from the start. We have Legal, Security Compliance, and Accounting Operations at the table. They understand what our plan is and where we are going. We shared our Business Requirements Document with these organizations, we involve them in GRC demos, and we seek their perspective on key decisions. This will ensure that as we are implementing the platform it has the potential to align to their needs.
Q: Any word of advice for Knowledge 15 attendees who are considering adopting ServiceNow GRC?
A:
- Integrate GRC into the rest of your ServiceNow environment and leverage data from other systems like ERP. This will enable the use of workflow and survey tools, which are useful for compliance.
- Involve your IT department. They are familiar with the platform and can help you make modifications and changes as your GRC processes broaden and mature.
- Take advantage of continuous controls monitoring. It is much more effective when your controls are performed as part of your daily operations within the ServiceNow platform.
I'm looking forward to Knowledge 16 when we can get an update from Andrew on ServiceNow's GRC progress.
Let's get the party started
Final question of the day for Andrew, "If GRC were having a ServiceNow platform party, who would you invite?" His answer:
- Service Catalog (Request Management, Employee On-boarding and Off-boarding)
- Configuration Management (CMDB)
- Change Management
- Surveys and Assessments
- Data Certification
- Vendor Management
Want to know more?
ServiceNow Governance, Risk, and Compliance (GRC) enables organizations to integrate their controls framework into critical IT and business processes in order to automate control testing/audit and enable real-time risk based decision-making.