ServiceNow’s Integrated Risk Management (IRM) suite of applications, otherwise known as Governance, Risk and Compliance (GRC), is a suite of applications that supports the effective management of risk and compliance for organisations. It supports both internal and external needs: alignment to regulations, compliance frameworks, policies and standards set at an organisational or industry level, or put in place by government or regulatory bodies (e.g., APRA, ASIC).

When we consider GRC within an organisation, and in the context of ServiceNow, we need to assess the challenges that organisations face today. Organisations need a clear understanding of these challenges to guide investment into the right tooling, so that it best supports organisational processes and the way the organisation responds to those challenges.

The IRM suite of applications in ServiceNow helps to break down the silos that exist in organisations and brings context to the risk and compliance posture. The IRM capabilities centralise activities that may previously have been captured in spreadsheets or disparate tooling. It is an enabler for a risk-based approach across the organisation, which has never been more critical.


Considering and implementing the broader IRM suite of applications can seem like a daunting task. AC3 sees the most success with our customers when they execute an incremental maturity journey: Crawl, Walk, Run. An example approach to enabling the IRM suite is detailed below.


One of the most critical foundational elements for enabling the GRC capabilities in ServiceNow is defining the Entity structure. Entities are the people, places, objects or things that need to be monitored in order to manage risks, track control compliance, or review as part of audit engagements. They are logical groupings that provide insight across all of the GRC capabilities deployed.


The entity design underpins the entire IRM suite and provides granular insight through reporting, helping to focus effort where it is needed.

The IRM suite enables organisations to subscribe to and integrate with the Unified Compliance Framework (UCF), so that the controls and authority documents aligned to the compliance frameworks relevant to them (e.g., ISO 9001, ISO 27001) can be ingested into their instance of ServiceNow. The integration leverages the Common Controls Hub, reduces the time spent populating ServiceNow, assists in extracting value from the Policy & Compliance capabilities, and enables the Audit Management capabilities to assess compliance against the deployed frameworks.

AC3 Recommendations:
  • Invest significant time in defining the right Entity Design structure to underpin the IRM portfolio of applications. This maps out the structure of activities, services and functions performed across the organisation and brings context to GRC activities.

  • Start small and iterate: Crawl, Walk, Run. We recommend spending the time to get the entity design right, and then loading your risk register(s) into ServiceNow as a starting point.

  • Leverage the CMDB where possible to enrich the GRC applications with broader context and to aid in impact assessment.

  • Integrate with the Common Controls Hub via the Unified Compliance Framework. Identify one or two compliance frameworks to commence mapping the most critical elements for your organisation.

  • Invest in ongoing training and education to support GRC activities, as these processes continue to gain traction and buy-in across the organisation.

  • If your organisation is starting from a low level of maturity or moving away from spreadsheets, adopt the lowest tier of licensing and start there. You can always uplift licensing to activate more products when your organisation is ready to take the next step in the maturity curve.
