Governance, Risk and Compliance (GRC) is an important area of focus for many organizations. Companies want a robust GRC program in place to help manage compliance with regulations and internal policies, to strengthen information security practices, and to streamline audits and remediation activities.
If you are considering ServiceNow® as a potential tool for GRC and are researching its capabilities, you may have questions about the various ways in which the tool can be used. While our clients typically start with compliance management, they usually consider risk management and audit as well. Most clients are also surprised to learn that they can leverage ServiceNow GRC for Vendor Risk Assessments and Business Continuity Planning/Disaster Recovery (BCP/DR).
In this perspectives article, we will describe how ServiceNow GRC can be leveraged to address all these common GRC use cases.
Use Case #1: Compliance Management
ServiceNow integrates with Unified Compliance Framework (UCF) and acts as a central repository for all your authority documents, whether they are regulations like SOX or PCI; industry frameworks like COBIT; or internal policies, standards and standard operating procedures.
This makes it easier to support and maintain publicly available control frameworks, manage the lifecycle of your internal policies, procedures and standard operating procedures, and enable alerts and notifications for periodic reviews of content. By creating relationships between multiple regulatory frameworks, internal controls, and policies you can take advantage of a “Test Once, Comply Many” philosophy.
The biggest differentiator between ServiceNow and other tools in the marketplace is its ability to automate evidence collection. It does this through automated control testing, attestations, surveys, data certification, and support for policy exception processes. By integrating Compliance Management with Service Management, you can embed your IT general controls into the IT service management activities within your organization.
Use Case #2: IT Risk Management
ServiceNow’s Risk Management application has evolved significantly from prior versions. It assists in the continuous monitoring of risks that can negatively impact business operations, and it provides structured workflows for the management of risk assessments, risk indicators, and risk issues.
ServiceNow’s Risk Management application provides ways to organize categories of risks so that risk scores are normalized across the organization, to assess risks consistently using a best-practice workflow, and to report on the financial and statistical impacts of risk to the organization.
There are two built-in risk scoring methods: qualitative (Impact/Likelihood) or quantitative, using Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO) and Annualized Loss Expectancy (ALE). Depending on the maturity of your current risk management practices and the availability of metrics and data, you can choose either method for scoring.
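As an added illustration (not ServiceNow's code), the following script scores a constructed risk register with both methods named above, qualitative Impact x Likelihood and quantitative ALE = SLE x ARO, and maps both onto one 0-100 scale so that risks scored by different methods can be ranked together, as the normalization described above requires. The 1-5 rating scale, the risk names, the loss figures and the ALE cap (the annual loss the organization treats as its maximum tolerance) are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

QUAL_MAX = 5 * 5  # assumed 5x5 Impact/Likelihood matrix, so the top qualitative score is 25


@dataclass
class Risk:
    name: str
    impact: Optional[int] = None      # 1..5, qualitative rating
    likelihood: Optional[int] = None  # 1..5, qualitative rating
    sle: Optional[float] = None       # Single Loss Expectancy: loss per event (currency)
    aro: Optional[float] = None       # Annualized Rate of Occurrence: events per year


def qualitative_score(impact: int, likelihood: int) -> int:
    """Impact x Likelihood on the 5x5 matrix; returns 1..25."""
    for rating in (impact, likelihood):
        if not 1 <= rating <= 5:
            raise ValueError("qualitative ratings must be in the range 1..5")
    return impact * likelihood


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year from this risk."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def normalized_score(risk: Risk, ale_cap: float) -> float:
    """Map either scoring method onto 0..100 so both kinds of risk rank on one scale.
    ale_cap is the annual loss the organization treats as its maximum (assumed input)."""
    if risk.impact is not None and risk.likelihood is not None:
        return 100.0 * qualitative_score(risk.impact, risk.likelihood) / QUAL_MAX
    if risk.sle is not None and risk.aro is not None:
        ale = annualized_loss_expectancy(risk.sle, risk.aro)
        return min(100.0, 100.0 * ale / ale_cap)  # losses beyond the cap saturate at 100
    raise ValueError(f"{risk.name}: supply impact+likelihood or sle+aro")


def rank_risks(risks: List[Risk], ale_cap: float) -> List[str]:
    """Names of the risks ordered from highest to lowest normalized score."""
    return [r.name for r in sorted(risks, key=lambda r: normalized_score(r, ale_cap), reverse=True)]


# Constructed sample register: two qualitatively scored risks, two quantitatively scored.
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing server", impact=4, likelihood=5),
    Risk("Lost unencrypted laptop", impact=3, likelihood=2),
    Risk("Payment card data breach", sle=250_000.0, aro=2.0),
    Risk("Branch office power outage", sle=20_000.0, aro=0.5),
]
```

Running `rank_risks(SAMPLE_REGISTER, ale_cap=1_000_000.0)` puts the unpatched server (80) first and the payment card breach (50) second, which is the comparison the normalized scale makes possible.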
Use Case #3: Audit Management
The ServiceNow GRC application can be used by internal audit teams to document and track every phase of the audit cycle: audit planning, audit risk assessment, audit project management, time management, issue tracking, audit work paper management, audit evidence management, and reporting.
Like Compliance Management, Audit Management also provides a centralized repository and process for Internal Audit teams to automate the complete audit life cycle. You can maintain all test templates and test plans in a single repository, connect your audit tasks to controls within the application and configure indicators to collect audit evidence. Issues can be automatically created from indicator results. Observations and deficiencies can be set up as tasks, assigned to people or groups, and tracked via workflows, SLAs, alerts and notifications.
An audit workbench provides a timeline view of all audit engagements, from which you can select an engagement to view its details or create a new one. Project-driven audits allow auditors to quickly scope engagements, develop audit plans, conduct fieldwork, collect control evidence, and track audit observations. The My Audit Approvals feature enables supervisors to view audit documents awaiting approval.
The application provides an executive view of audit results and engagement breakdowns by task, and allows areas of concern to be identified quickly. If you have previously spent hours building reports for management and leadership, or been a leader frustrated by the lack of granularity in your reports, you will appreciate the reporting and dashboard capabilities this tool provides.
To read more, download the full whitepaper.