Governance, Risk, and Compliance (GRC) is a set of interdependent practices aimed at strategically managing regulatory requirements across the enterprise, so that business processes scale better and drive efficiency. It helps us assess the right assets, manage policies, identify risks, create controls, and conduct audits. In a typical enterprise, the GRC functions operate as silos: they work, think, and are structured independently of one another. ServiceNow ships a GRC module that lets organizations automate GRC activities and gives a broader view of all of them in a single window, with real-time monitoring so that risk can be handled in advance.
The ServiceNow GRC module is a robust framework that automates processes within and between business groups, keeping their dependencies in mind and managing the flow of work against time more effectively.
ServiceNow GRC solutions enable enterprises to modernize their legacy methods of managing corporate governance, risk, and compliance. The significance of ServiceNow GRC is that it brings all governance, risk, and compliance management activities together in one place through a dashboard, giving enterprises true visibility into GRC management.
The Forrester Total Economic Impact study by ServiceNow reveals that, “ServiceNow GRC enables not only compliance experts to be more effective and well-organized, but it is playing a significant role in helping business leaders to speed up and to make improved strategic decisions with instant detailed views on risk and compliance activities.”
Figure: ServiceNow GRC Automation Process
1. Policy and Compliance Management: Provides organizations with a centralized process for managing policies, standards, and internal control procedures that adhere to external regulations and best practices.
Figure: Admin View of Policy and Compliance
2. Risk Management: Provides organizations with a centralized process to identify, assess, monitor, and respond to risks that could cause damage. It also helps manage assessments, indicators, and issues.
3. Audit Management: Helps organizations plan internal and external audits, create and execute engagements, and report back to the audit committee and the board of directors.
4. Vendor Risk Management: Manages the vendor portfolio, completes vendor assessments and the remediation life cycle, and integrates with other business applications.
Figure: Admin View of ServiceNow GRC Domains
In GRC, domain separation isolates data and administrative tasks into logical groupings. Not every ServiceNow application needs domain separation. Users see data in their own domain (and, through the hierarchy, in its child domains); access to data in other domains must be granted explicitly through domain visibility. Many types of records are generated automatically in GRC by user processes: profiles, controls, risks, indicators, and control tests, for example, are all created automatically. When working with GRC domain separation, users should make sure that records are created in the correct domain and are visible to the right set of users.
For example, suppose you have domains that look like this:
GRC users are classified into one of the following types of roles:
To use GRC in ServiceNow, you must first activate the GRC plugins. The plugins to activate are listed below:
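As an added example (not code from the page and not ServiceNow's own implementation), the script below models the visibility rule described above so that the audience of a GRC record can be checked before it is created in a given domain. The domain hierarchy, user names, and visibility grants are constructed and hypothetical; the model deliberately covers only the parent/child hierarchy, the global domain, and explicit visibility domains, and omits ServiceNow features such as "contains" relationships and process separation.

```javascript
// Simplified model of ServiceNow-style domain visibility (added example, not
// ServiceNow code). Assumptions: a record in "global" is visible to everyone;
// a user sees records in their own domain and its descendants; visibility
// domains granted explicitly to a user extend that set in the same way.

// Constructed sample hierarchy: child -> parent. Names are hypothetical.
const DOMAINS = {
  global: null,
  ACME: 'global',
  'ACME/Finance': 'ACME',
  'ACME/IT': 'ACME',
  Initech: 'global',
};

// Constructed users. `visibility` lists extra domains granted explicitly.
const USERS = [
  { name: 'grc_admin_acme', domain: 'ACME', visibility: [] },
  { name: 'fin_manager', domain: 'ACME/Finance', visibility: [] },
  { name: 'it_auditor', domain: 'ACME/IT', visibility: ['ACME/Finance'] },
  { name: 'initech_user', domain: 'Initech', visibility: [] },
];

// True if `domain` is `ancestor` itself or lies anywhere beneath it.
function isDescendantOrSelf(domain, ancestor) {
  for (let d = domain; d !== null; d = DOMAINS[d]) {
    if (d === ancestor) return true;
  }
  return false;
}

// Can this user see a record stored in `recordDomain`?
function canSee(user, recordDomain) {
  if (!(recordDomain in DOMAINS)) {
    throw new Error('unknown domain: ' + recordDomain);
  }
  if (recordDomain === 'global') return true;
  const roots = [user.domain, ...user.visibility];
  return roots.some((root) => isDescendantOrSelf(recordDomain, root));
}

// Sorted list of user names that would see a record in `recordDomain`.
function audience(recordDomain) {
  return USERS.filter((u) => canSee(u, recordDomain))
    .map((u) => u.name)
    .sort();
}

// Pre-creation check: compare the actual audience with the intended one.
// `extra` are users who would see the record but should not (data leak);
// `missing` are intended users who would not see it (broken workflow).
function checkPlacement(recordDomain, intendedUsers) {
  const actual = audience(recordDomain);
  const intended = [...intendedUsers].sort();
  const extra = actual.filter((n) => !intended.includes(n));
  const missing = intended.filter((n) => !actual.includes(n));
  return { ok: extra.length === 0 && missing.length === 0, extra, missing };
}

// Demo: a control meant for the ACME finance team and its auditors.
const intended = ['fin_manager', 'grc_admin_acme', 'it_auditor'];
for (const domain of ['ACME/Finance', 'ACME', 'global']) {
  console.log(domain, JSON.stringify(checkPlacement(domain, intended)));
}
```

Creating the control in `ACME/Finance` reaches exactly the intended users; creating it one level up in `ACME` hides it from the finance manager and the auditor, and creating it in `global` exposes it to the unrelated Initech tenant. Running this kind of check against the real hierarchy before bulk-creating auto-generated records is a cheap way to catch both failure modes.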
S.NO | Plugin Name | Application
--- | --- | ---
1 | Vendor Risk Management (sn_vdr_risk_asmt) | Vendor Risk Management
2 | GRC: Policy and Compliance Management (sn_compliance) | Policy and Compliance
3 | GRC: Performance Analytics Premium Integration (sn_grc_pa) | Performance Analytics Integration
4 | GRC: Audit Management (sn_audit) | Audit Management
To access the GRC module in ServiceNow, the roles below are declared by default. Based on the user hierarchy, the admin can assign these roles to a user.
Figure: ServiceNow GRC Roles Matrix