60%
Reduction in survey sizes due to vendor targeting
Increase in responsiveness to vendor onboarding requests
66%
Reduction in vendor risk survey response times
The city and county of Denver is committed to information security and wanted to automate its governance, risk, and compliance (GRC) to optimize processes and strengthen regulatory compliance. With ServiceNow Governance, Risk, and Compliance, Denver has now streamlined its processes, including simplifying and accelerating vendor risk management.
Information security is a key part of the city and county of Denver’s commitment to its citizens wellbeing
For the city and county of Denver, information security is critical. The organization deals with many different types of sensitive information, including the personal data of its citizens. This makes efficient and effective governance, risk, and compliance (GRC) a top priority—it’s part of the city and county’s deep commitment to Denverites, and it’s also essential for regulatory compliance.
Denver wanted to automate governance, risk, and compliance to strengthen information security
That’s why the organization decided to automate its GRC processes. According to Denver’s Information Security Manager Julie Sutton, “We had a comprehensive set of written policies, but because we relied on manual processes, they were hard to operationalize or keep up to date. We wanted to drive action, but when your policies are just sitting in a document library, people don’t know where to go. It was incredibly difficult to track, and things were forgotten. To make our policies a living, breathing part of the way we work, they needed to be current, accessible, and automated.”
Denver chose ServiceNow GRC to make its policies and associated processes dynamic and automated
Denver already used ServiceNow IT Service Management, which made ServiceNow Governance, Risk, and Compliance a natural choice. Julie says, “With ServiceNow GRC, we’ve made our policies dynamic. People can instantly find policy information on our ServiceNow service portal, along with automated approval processes, associated risks, and links to regulations. And, because the corresponding processes are embedded, everything is tracked and documented. We no longer have to remember things; the system pings you when it’s time to do something.”
City and County of Denver
CUSTOMER
City and County of Denver
HEADQUARTERS
Denver, Colorado
INDUSTRY
Government
EMPLOYEES
11,000
PRODUCTS
The results have been great. For example, we’ve been able to establish an annual review of all of our policies, ensuring they are current and accurate each year.
Julie Sutton
Information Security Manager
ServiceNow helps Denver accelerate and simplify vendor risk management
Denver also extended its ServiceNow GRC solution to include ServiceNow Vendor Risk Management. Julie explains, “ServiceNow Vendor Risk Management solved a real problem for us. Our existing process was long and drawn out, with a huge amount of paperwork. We sent vendors a spreadsheet with 300 questions. They hated filling it out, and it took them up to six weeks to respond—sometimes more. When we did get the answers back, we didn’t know what they meant. We would have to review them manually, which took huge amounts of time.”
With ServiceNow, vendor risk surveys take 66% less time
“ServiceNow Vendor Risk Management was up and running in just three months,” continues Julie. “Now, our vendors have a professional, interactive portal for filling out risk surveys. Using the portal, vendors can easily assign questions to different internal groups, so they can work on things in parallel. If there’s an issue, we can interact with them directly on the portal, which has significantly reduced back-and-forth emails and phone calls. If there’s a specific task to be done, ServiceNow automates and tracks the workflow, so nothing gets missed. And, we can easily choose just the relevant questions for each vendor, so they now only have to complete closer to 125 questions instead of 300.”
The results have been impressive. According to Julie, “We now get responses back in two weeks or less instead of six—one third of the time—and ServiceNow automatically scores them for us, so we’re not constantly buried in reviews. Choosing ServiceNow Vendor Risk Management is one of the best decisions we’ve made. Our internal clients get much faster turnaround when they need to onboard a new vendor, and our vendors are far happier as well.”
Denver continues to grow the value of its vendor risk management solution by leveraging the Now Platform
Looking forward, the city and county of Denver is continuing to enhance its GRC solution. For example, it is linking ServiceNow Vendor Risk Management with the ServiceNow® Demand Management module and adding a custom script to open the security review request directly from the module, as well as related fields. That way, the end users can document new product requirements and then automatically kick off a vendor risk assessment directly from the demand management module. The organization is also building out metrics on ServiceNow so it can measure and optimize its GRC processes.
Julie sums up the benefits, “I’m a huge advocate of the Now Platform. Here at the city and county of Denver, innovation is part of our DNA. ServiceNow flexibility means that we can continue to innovate and grow the value of our GRC solution even further.”
ServiceNow Governance, Risk, and Compliance
Learn how Denver meets information security requirements