What use for IT GRC?

Since its June 2011 release, ServiceNow has offered a dedicated “IT Governance, Risk and Compliance” plugin that helps organizations approach these domains in an integrated and consistent manner. However, you may not have had the chance to fully grasp how the plugin and its accompanying functionality can actually help your organization in these areas.

Luckily, this article may fill that particular gap for you. Let’s first have a look at these areas one by one:

  • Governance: defines the overall management approach used to direct and control an organisation, including the management information and hierarchical management control structures. The main objectives are to provide critical and sufficient management information for decision-making, and to control the implementation of strategies, directions and instructions.
  • Risk: encompasses the assessment of, and the responses to, risks that may impact the business. Activities include the identification of risks, their assessment, and the definition of a mitigation strategy.
  • Compliance: dictates the conformity requirements against, for example, laws, specific regulations, contracts, policies and/or strategies. The aims are to identify the applicable requirements, assess the risks and impacts of non-compliance, track compliance status, estimate the effort needed to achieve compliance, and finally prioritize, fund and initiate corrective actions where required.

The problem with these areas today lies in the way each aspect is managed in IT organizations: policy documentation, risk management and follow-up on controls, although interconnected processes, often rely on heterogeneous tools and procedures, which creates entropy within the IT organisation. It therefore becomes difficult for individuals to grasp the whole picture in an integrated manner.

But there is quite decisive added value in simplifying and integrating the overall approach within the ITSM suite:

– reduce cost by leveraging a single tool and automating formerly manual controls
– reach better compliance by efficiently applying and monitoring policies
– reduce complexity by offering a unified view of risks, policies and related activities
– improve risk management with up-to-date data
– simplify reporting tasks.

And these are precisely the benefits that the ServiceNow IT GRC plugin offers through the range of activities it covers:

Document policies and procedures:

Including those from authoritative sources and applicable regulations. ServiceNow provides dedicated tables to log and model the compliance context of your organisation.

Manage risk:

Register and assess risks with configurable impact and probability criteria, calculate the recommended risk approach based on a predefined mitigation matrix, and of course link risks to your defined authoritative sources.

Document Controls:

Controls can be defined within ServiceNow in order to inventory all the measures intended to achieve compliance with policies, procedures or authoritative sources, or to mitigate risks. The Control classification (e.g. preventive, corrective, detective) and attributes (e.g. purpose, frequency, applicable entities, …) can of course be customized to match your organizational context.

Define Control definitions or Audit definitions:

Based on Controls, the IT GRC plugin allows you to define activities or audits to be performed in order to assess the compliance level of given controls, policies or procedures. These activities may be triggered at a defined frequency and incorporate defined sample data from the ServiceNow database (e.g. selected Configuration Items, Change Requests, Incidents, …) so that the Control process is always fed with current data.

Execute Control tests or Audits and follow up:

Once triggered, Control tests and audits can follow specific, customizable workflows that invite users to log results or audit observations in a controlled and consistent manner, and that trigger remediation actions as required, for example based on sampled non-compliant records. And depending on the purpose, each execution may even include sample data extracted directly from your ServiceNow database!

Report back to management:

All these activities, executed within ServiceNow, enable coherent reporting on the various statuses that management may want to follow up on regarding the applied policies, via a range of gauges and reports.

In the end, having an integrated approach within ServiceNow allows you to run Control activities and audits in a truly contextualized, controlled and up-to-date fashion. The plugin enables you to model the whole chain of information and dependencies that supports the Governance, Risk and Compliance process, from the compliance and risk context down to the actual execution of controls or audits. Finally, because the plugin is fully integrated within ServiceNow, it can access all current and relevant data within the platform, making it a remarkable and valuable add-on to your ServiceNow ITSM suite.

Don’t hesitate to contact us if you require any other information or would like to have a demo of this plugin.
