[K15 Session Review] Transform Governance, Risk, and Compliance with Automation

Import · Apr 24, 2015 · article

Presenter: Garrick Vance, Senior Product Manager, ServiceNow

Session title: Transform Governance, Risk, and Compliance with Automation

Great session from Garrick Vance today on Transforming Governance, Risk, and Compliance with Automation.

The word is officially out: with the acquisition of Intreis and the Fuji release, it's clear ServiceNow is invested in providing a competitive and incredibly flexible Governance, Risk, and Compliance (GRC) solution. This flexibility allows businesses to take advantage of automated GRC regardless of their maturity level.

I know from experience that GRC process comes in all flavors, and having a strong GRC foundation in Fuji, coupled with the ability to address your unique business requirements, means you can have a GRC solution that meets your business objectives without complicated and expensive customizations. Great stuff!

I ran into Kris Markham after this session (former CEO of Intreis and new Senior Product Manager for GRC), and I asked him what he was most excited about in Fuji, and he responded:

"I'm most excited about the new integration with the Unified Compliance Framework (UCF). The UCF is an industry-vetted compliance database made up of more than 800 laws and standards from around the world. UCF helps organizations cross-map across multiple authoritative sources in order to get to a much smaller, simplified set of controls. This boils down to a 'test once, comply many' approach to control testing and audit, saving organizations a significant amount of time and money."

"I would also call out the new survey-based assessment capabilities that can automate manual attestation processes, and the greatly improved reporting tools which give you greater visibility into compliance activities and status."

Kris also offered up some suggestions for customers who want to implement GRC.

Start small…and then automate

  • Start by uploading your internal controls and policies into the ServiceNow GRC application, leveraging the UCF to understand compliance data overlap (cross-mapping) to simplify your controls environment and move towards a test-once-comply-many approach to control testing and audit.
  • Next, identify the most basic level of control testing automation for your super controls in order to standardize and centralize your testing and remediation processes.
  • Then, set up SLAs against time-sensitive activities, including Control Tests, Observations, and Remediation, to automate follow-up and escalation.
  • Finally, begin leveraging the Risk register to track, inventory, and classify risks across the enterprise. Leverage compliance data (controls, policies, etc.) and remediation to mitigate and respond to Risks.

Let's get the party started

Final question of the day for Kris, "If GRC were having a ServiceNow platform party, who would you invite?" His answer:

  • Service Catalog - Request Management - Employee On-boarding & Off-Boarding
  • Configuration Management (CMDB)
  • Change Management
  • Assessments to enable Vendor Risk Assessments
  • Data Certification

Kris said that, since I was such a close friend, I could invite some applications to the party as well. My guests are:

  • Vendor Management
  • PPM
  • Release & SDLC

Product Management Shout Out

Big thanks to Garrick Vance and Kris Markham, Senior Manager, Product Management, for helping me get the word out on GRC today.

Want to know more?

ServiceNow Governance, Risk, and Compliance (GRC) enables organizations to integrate their controls framework into critical IT and business processes in order to automate control testing/audit and enable real-time, risk-based decision-making.

View original source

https://www.servicenow.com/community/knowledge-blog/k15-session-review-transform-governance-risk-and-compliance-with/ba-p/2283507