Announcing ServiceNow Governance, Risk & Compliance (GRC) version "I"
We are very pleased to announce the Istanbul market release of Governance, Risk and Compliance. GRC is designed to enable customers to extend their investments in Service Management to automate cross-functional processes across business, IT, security, risk, audit and compliance silos and to embed risk and compliance controls in these activities.
The Business & IT Challenge
Governance, Risk and Compliance (GRC) is an ongoing concern for many organizations. Enterprises must constantly keep up with changes in the global regulatory environment and industry standards. As the organization adopts new business models, establishes new partner relationships, and deploys new technologies, it must also be able to quickly assess the impact of these developments on its existing compliance obligations and risk posture. For critical processes, it must be able to monitor for and detect failing controls, update controls and the related risk assessment, and audit protocols after the risk assessment.
Enterprises operating in increasingly fluid environments require GRC solutions that deliver the following capabilities:
- Share risk information and facilitate decision-making across the relevant stakeholders.
- Accelerate business impact analysis and scope the exposure by showing the dependencies and relationships across assets, processes, security, and compliance controls.
- Enable fine-grained analysis on the likelihood and financial impact of potential control failures.
- Identify failing controls in between assessments.
The ability to compress the time to monitor, detect, and assess changes to the risk and compliance posture is only one side of the equation. Once a decision is made, the enterprise must also be able to orchestrate the appropriate remediation and risk treatment actions across business and IT processes.
The ServiceNow Solution
ServiceNow® Governance, Risk and Compliance (GRC) is designed to enable organizations to extend their investment in Service Management best practices and technology into GRC programs by embedding compliance and risk controls into their business and IT processes. GRC runs on the Service Management platform. It takes advantage of the CMDB to provide business context to controls, expose risk dependencies, and accelerate business impact analysis. Service Management offers organizations a single system of record, collaboration and process design, workflow automation, and a platform for custom application development. GRC utilizes these capabilities to facilitate information sharing and decision making across GRC, security, and business stakeholders, and to automate remediation and risk treatment activities.
What's New in GRC?
The Istanbul version of GRC offers the following new features, which advance customer capabilities to enable continuous monitoring, model GRC dependencies across business assets (profiles), and realize process efficiencies during assessments.
Performance Analytics Integration
Customers have always taken advantage of the Service Management platform to minimize the integration risk and costs associated with automating control assessments and evidence collection for IT controls from applications such as vulnerability management, incident management, change management, asset management, and cloud management. As the Service Management portfolio expanded into Business and IT Operations Management, GRC also enabled customers to collect Performance Analytics (PA) KPIs on a periodic basis to support scheduled assessments.
Periodic and siloed risk assessments are unable to identify and provide an integrated view of critical changes in the risk posture in between assessments, leading to material events (data breach, IP theft). In Istanbul, GRC delivers out-of-the-box integration with PA. Customers are able to assign PA indicators and thresholds to detect and monitor the risk posture continuously. The Service Management platform allows customers to select from a list of automated indicators and define thresholds, such as the number of critical vulnerabilities.
(Figure 1)
They can drill down on a specific indicator, for example the average age of high-priority vulnerabilities, to identify failing controls across business services.
(Figure 2)
Since PA indicators are already used to monitor the performance of critical applications and processes, customers who use PA for continuous risk monitoring improve their ability to detect failing critical controls in between assessments.
GRC Workbench and Dependencies Modeling
Risk, compliance and security professionals struggle with planning for and building defensible remediation and response decisions due to their inability:
- to understand dependencies across compliance, risk, security and operational requirements;
- to view potential failures and threats in the context of historical trends; and
- to model future scenarios using multiple risk models.
GRC Workbench offers the compliance, risk management, and audit functions a role-based dashboard that summarizes the status updates, priorities, and tasks associated with their various GRC engagements.
(Figure 3)
The dependencies modeling feature combines the CMDB with control and policy statement information to show the upstream and downstream relationships across entities. GRC functions use this information to assess risk and compliance dependencies during business impact analysis and to plan the scope of a control.
(Figure 4)
https://www.servicenow.com/community/grc-blog/announcing-servicenow-governance-risk-compliance-grc-version/ba-p/2276999