Governance, Risk, and Compliance (GRC) is a set of interdependent disciplines aimed at managing regulatory requirements across the enterprise so that business processes scale and run efficiently. It helps organizations identify the right assets, manage policies, identify risks, create controls, and conduct audits. In many enterprises the GRC working model is a group of silos that operate, think and are structured independently of one another. ServiceNow ships a GRC module that lets organizations automate these activities and see all of them in a single window, with real-time monitoring so that risk is handled in advance.
Understanding ServiceNow GRC Module
The ServiceNow GRC module is a framework that automates processes within and across business groups, taking their dependencies into account and managing the flow of work against time.
ServiceNow GRC solutions enable enterprises to modernize their legacy methods of managing corporate governance, risk, and compliance. The significance of ServiceNow GRC is that it brings all governance, risk and compliance management activities together in one place through a dashboard, giving enterprises true visibility into GRC management.
The Forrester Total Economic Impact study by ServiceNow reveals that, "ServiceNow GRC enables not only compliance experts to be more effective and well-organized, but it is playing a significant role in helping business leaders to speed up and to make improved strategic decisions with instant detailed views on risk and compliance activities."
Figure: ServiceNow GRC Automation Process
Four Pillars of ServiceNow Governance, Risk and Compliance
1. Policy and Compliance Management: Gives organizations a centralized process for policies, standards, and internal control procedures that adhere to external regulations and best practices.
Figure: Admin View of Policy and Compliance
2. Risk Management: Gives organizations a centralized process to identify, assess, monitor and respond to risks that could cause damage. It also manages assessments, indicators, and issues.
3. Audit Management: Supports internal and external audits: creating and executing engagements and reporting back to the audit committee and board of directors.
4. Vendor Risk Management: Manages the vendor portfolio, vendor assessments and the remediation life cycle, and integrates with other business applications.
Figure: Admin View of ServiceNow GRC Domains
Domain Separation In GRC
In GRC, domain separation isolates data and administrative tasks into logical groupings. Not all ServiceNow applications need domain separation. A user always has access to data in their own domain; access to data in other domains must be explicitly granted through domain visibility. Many types of records are generated automatically in GRC by user processes, such as profiles, controls, risks, indicators and control tests. When working with GRC domain separation, users should make sure that records are created in the correct domain and are visible to the right set of users.
For example, suppose the domain hierarchy looks like this:
- TOP
  - Domain A
  - Domain B
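To make the visibility rules concrete, here is a small model of how record visibility resolves across that hierarchy. It is added here as an illustration; it is not ServiceNow code and calls no ServiceNow API. It follows the ServiceNow rules that a user sees records in their own domain and in the domains below it, that records in the global domain are visible from every domain, and that any other domain must be granted explicitly through domain visibility. The `global` root above TOP, the grants and the GRC records are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample hierarchy: the page's TOP / Domain A / Domain B,
# with ServiceNow's global domain assumed as the root above TOP.
PARENT = {"global": None, "TOP": "global", "Domain A": "TOP", "Domain B": "TOP"}
GLOBAL = "global"


def descendants(domain):
    """Return the domain itself and every domain below it in the hierarchy."""
    out = {domain}
    changed = True
    while changed:  # walk down one level at a time until nothing new is added
        changed = False
        for child, parent in PARENT.items():
            if parent in out and child not in out:
                out.add(child)
                changed = True
    return out


def visible_domains(user_domain, visibility=()):
    """Domains whose records a user can read.

    Own domain and everything below it, plus the global domain, plus any
    domain granted through domain visibility (and the domains below it).
    """
    seen = descendants(user_domain) | {GLOBAL}
    for granted in visibility:
        seen |= descendants(granted)
    return seen


@dataclass
class Record:
    name: str
    domain: str  # sys_domain of the record


def readable(records, user_domain, visibility=()):
    """Names of the records a user in user_domain can read, in table order."""
    allowed = visible_domains(user_domain, visibility)
    return [r.name for r in records if r.domain in allowed]


# Constructed GRC records: a policy statement and the controls generated
# from it, plus a risk that an administrator created in the parent domain.
RECORDS = [
    Record("Policy: Access Control Standard", GLOBAL),
    Record("Control: quarterly access review (A)", "Domain A"),
    Record("Control: quarterly access review (B)", "Domain B"),
    Record("Risk: shared service outage", "TOP"),
]

if __name__ == "__main__":
    for who, grants in [("TOP", ()), ("Domain A", ()), ("Domain B", ("Domain A",))]:
        print(f"{who} (visibility={list(grants)}): {readable(RECORDS, who, grants)}")
```

Running it shows the pitfall the paragraph warns about: a TOP user sees all four records, but a Domain A user sees only the global policy and their own control. The risk record created in TOP is invisible to the Domain A team that owns that service, and Domain B's control stays hidden from Domain A until Domain A is granted visibility to Domain B (the reverse grant in the sample lets a Domain B user see Domain A's control).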
Who Uses GRC?
- Managing Directors
- Audit Team
- Compliance Officer
- IT Team
- Reporting auditor
- Risk Officer
GRC users are classified in one of the below types of roles:
- Functional Roles
- Technical Roles
How Does GRC Work in ServiceNow?
- GRC has access to source data for real-time reporting.
- It has access to the full set of asset, configuration, and IT data held in the instance.
- In ServiceNow, the knowledge base can be used to hold control test instructions.
- Secure integrations gather data from, and report to, systems outside the instance.
GRC Integration Plugins
To use GRC in ServiceNow, the GRC plugins must be activated first. The plugins to activate are:
| S.No. | Plugin Name | Application |
| --- | --- | --- |
| 1 | Vendor Risk Management (sn_vdr_risk_asmt) | Vendor Risk Management |
| 2 | GRC: Policy and Compliance Management (sn_compliance) | Policy and Compliance |
| 3 | GRC: Performance Analytics Premium Integration (sn_grc_pa) | Performance Analytics Integration |
| 4 | GRC: Audit Management (sn_audit) | Audit Management |
GRC Roles Matrix
The roles below are declared by default when the GRC plugins are activated. Based on the user hierarchy, the admin assigns these roles to users.
Figure: ServiceNow GRC Roles Matrix
Benefits of Using ServiceNow GRC Solution
- Real-time monitoring.
- Automate risk assessments and build a risk register.
- Manage compliance, that is, confirm adherence to a regulation, law, policy or standard.
- Describe the governance framework and test compliance controls.
- Manage risk by identifying and handling risks in advance, avoiding potential negative impacts on the business.
- Assess vendor risks.
- Profile types and profiles are used by risk managers to scope risks and carry out risk assessments; in the same way, compliance managers use them to build a structure of internal controls and monitor compliance activities.
- Risks are mitigated using controls that reduce the likelihood or impact of the risk.
- Attestations over controls are used to measure control performance.