ServiceNow GRC is an emerging platform, recently identified by Forrester as a significant contender in the GRC space. Several organizations have been able to successfully adopt this platform, and with over 100+ implementations under the belt, INRY has observed a few common factors that have resulted in successful ServiceNow GRC implementation and adoption.
We have also noticed that organizations that have not been successful are typically overwhelmed by the ‘Art of the possible’, but what business leaders really need to think about is what matters most to them and how they can simplify.
This article is designed to for clients who are considering migrating from excel sheets and manual processes to ServiceNow and are still working their way around the platform and learning its capabilities.
One of the key success factors that INRY has identified is to “keep it simple.” This article describes three ways in which the implementation can be simple yet effective at the same time.
Get data into the system, don’t worry about what things will look like 2 years from now.
Consolidate the compliance frameworks, documents and controls that apply to your organization and upload that control structure into ServiceNow. It is easy to get seduced by the fact that you can import multiple authority documents, map citations, etc. and get to a “Test Once, Comply Many” state, yet very few organizations have the maturity for this when they are starting out.
The biggest boost you can give your implementation is to start small and to begin with what you have currently. Leverage the platform to consolidate all your compliance and policy information into a central repository versus trying to achieve an “Art of the possible” when you are first starting out.
To automate, bring on just a few controls, test it out and then build out over time.
The crawl, walk, run strategy may be a cliché but applies in this scenario. When you are first introduced to the platform, it is easy to get excited by its potential and to start loading everything under the sun into the platform. Yet organizations that are most successful adopt the crawl, walk, run strategy.
Build automation for a handful of key controls and then decide which ones are appropriate to begin with. Work with these controls for a few months to truly understand how the organization’s maturity maps with the platform’s capability.
The best controls that are easy to start with are:
- Controls that are automated through self-assessments
- Controls that use a task-based evidence collection process
- If you are comfortable with the reliability and accuracy of the CMDB data, you can build indicators. However, be prepared for this to be a starting point since most auditors do not rely on the CMDB for final evidence or working papers.
Get the team that’s using the platform comfortable with it.
This seems obvious, but the most common reason for failure of any software implementation is lack of user adoption. The most important, yet the easiest way, to enable the success of your ServiceNow GRC platform is to get the teams comfortable with using the platform. This will ensure that they are excited about the benefits and gains that they are accomplishing and will find ways to enhance and evolve the platform over time.
When someone starting out with the GRC platform is overwhelmed, they start using the platform more as a Sharepoint site, just to manage content. However, the power of the platform is building out the ITSM or GRC integration over time and embedding controls into your Service Management processes such as change management and release management.
This is only possible when the team is comfortable with the platform. INRY has observed that when clients spend time on enablement and end user training, projects are more successful and easily adopted. They also have long run times and subsequently better ROI (Return on Investments).
INRY has observed many clients become overwhelmed by the “Art of the Possible” and neglect to build a strong foundation for their ServiceNow GRC platform. It is easy to get lost with defining profiles and profile types and other features which are daunting and lead to “analysis paralysis” and an overall failure to adopt.
We have developed approaches for clients at all stages of maturity, and this is the one that is the simplest and most essential approach.
For more information about how you can make your GRC implementation more successful, please contact us at Info@IntegRhythm.com