Now on Now: How ServiceNow has transformed its own GRC processes

Increasing scalability, lowering risk, and slashing costs by $30,000

Introduction

When your business is growing at 0% a year, it's hard to keep up. Processes that worked before are now breaking under the strain. Running a business with over 7,000 employees and doing it well is very different from being a start-up. Spreadsheets and emails don't cut it any more, not if you want to automate and accelerate every corner of the enterprise.

That's what Andrew Wheatley discovered when he first looked at ServiceNow's own governance, risk, and compliance (GRC) processes. Andrew heads up our internal audit team, and found himself at the sharp end of manual processes that just wouldn't scale.

This ebook delves into ServiceNow's GRC journey and how we've moved from time-consuming, siloed manual work to connected, automated processes that support our growth. Along the way, Andrew shares his experience and insights, including our challenges, how we approached them, our solutions, and the benefits we've seen.

Andrew Wheatley, Head of Internal Audit, ServiceNow

Inefficient manual processes and lack of visibility

Andrew starts by recalling the pain: "We had people spending 90% of their time on SOX. Everything was driven by emails and spreadsheets: requests, tests, reviews, status, everything. Yes, we stored some information, such as quarterly attestations, in databases, but there was no way to track progress. We ended up downloading data and running massive pivot tables just to get basic reports. We struggled with visibility and transparency, and that was blocking our way forward." And, because no one else could access this documentation, Andrew's team had to update all the controls.

"Governance, risk, and compliance touches nearly every area of our business. To manage risk effectively, you need real-time visibility. That's what ServiceNow GRC gives us: 24/7 automated assurance that we're operating our business to the highest standards."
Chris Bedi, CIO, ServiceNow

Drowning in documentation

"We had to get out of the documentation business. The only way we were going to support growth was to spend 30% to 0% of our time on SOX, not 90%. Compliance is everyone's responsibility, but unless we could drive automated workflows and give our business process owners self-service access, nothing was going to change," said Andrew.

Police, not business partners

There was also another problem: business perception. Process owners saw the audit team as cops policing processes rather than adding value. We wanted to push ownership and accountability to the people who actually ran these processes. But to do that, we knew we had to give back. First, we had to make it easy by integrating compliance seamlessly into their everyday work. Second, we needed to actually help them run their business and manage risk, and that meant delivering real-time visibility of what their teams were doing, not just historical audits.

Our GRC goals

- Visibility and transparency
- End-to-end workflows
- Self-service portal
- Integration into everyday work
- Continuous control monitoring
- Automated evidence collection
- Real-time reports and dashboards

Our approach to a successful GRC transformation

So, how did we go about transforming GRC at ServiceNow? What were the steps we took? How did we approach them? How did we use the ServiceNow GRC app and the Now Platform to scale cost effectively and create a better control environment?

Clear goals, laser focus

First, we established clear goals: the outcomes that defined success. "GRC implementations fail when you don't have a clear vision up front. You waste time heading off in the wrong direction, and it's impossible to get organizational buy-in," said Andrew.

Second, we decided to focus on SOX rather than taking on other areas such as ISO 27001, SANS, or GDPR at the same time. "You need to pick one area with low-hanging fruit and high business visibility. Otherwise, the business is going to run out of patience before you deliver," stated Andrew.

Unified solution, iterative approach

By choosing SOX, we were also able to cover all the core GRC capabilities, including policy and compliance, risk, and audit. That's important, because all of these processes need to work together. For example, by automatically collecting compliance evidence, we could dramatically simplify auditing. Similarly, risk management builds on compliance by continuously monitoring critical controls.

At the same time, we took an iterative approach, delivering a minimum viable product as the first step. "That allowed us to go live in just four months with a useful solution, even if it didn't have indicators and dashboards. And it meant that we could get feedback earlier rather than rolling out a fully-featured offering that didn't meet business needs," said Andrew.

Enterprise-wide transformation

Another key reason why GRC initiatives fail is because they are treated as backroom projects. To succeed, GRC instead needs to be treated like any other transformation initiative. In our case, our CFO was the executive sponsor and approved the implementation budget. "It's important to understand and communicate the full business value. You may save $350,000 within your GRC team, and we did, but the total business impact can be millions of dollars," said Andrew.

A comprehensive plan to drive adoption

This enterprise-wide approach didn't stop at ROI. Our team engaged up front with business process owners to get them on board and followed this up with a comprehensive plan to drive adoption. For example, there was mandatory training that covered everything from ownership and accountability to hands-on training on controls, attestations, and so on. And the team also created further awareness through webinars, all-hands sessions, and other regular communications.

Planning for the future

Finally, we understood that this was only the first part of our GRC journey. That meant we needed to plan for the future. For instance, we implemented SOX first, but wanted to use it more broadly. We kept the design generic so we could reuse it. Where we did make SOX-specific enhancements, we made sure we could disable them easily. "For example, we've been able to reuse policy management flowcharts and narratives as is, just reconfiguring the backend workflows," said Andrew.

110 CORPORATE POLICIES MANAGED AND PUBLISHED AUTOMATICALLY THROUGH SERVICE PORTAL

The benefits we have reaped

Since we started our GRC transformation, we've achieved significant results. We now have a full GRC implementation for SOX financial controls, including policy and compliance, risk, and audit. We've also successfully tackled other areas, such as ISO 27001, SSAE 16, and FedRAMP.

Empowered business process owners

Now, our business process owners are full partners in the compliance process, using our ServiceNow service portal to manage their own policies and controls. With ServiceNow Performance Analytics dashboards, they can also track audit activities, monitor compliance, and get real-time insights into the status of their control and risk landscape. And this is done on the same Now Platform that business owners use for their day-to-day work. There's no need to open up a separate GRC system. It's right there along with their other business tools. That makes GRC a part of their DNA.

We've also integrated GRC directly into their business processes. "For example, our finance team uses ServiceNow to manage their monthly reconciliation. We've built controls around that, and as the reconciliation progresses, it automatically generates indicators linked back to these controls. It's basically zero touch," said Andrew.

Real-time visibility of compliance and risk

Monthly accounting reconciliation is just one example of how we're using ServiceNow GRC to give us near real-time visibility of our control and risk status. Currently, we're automatically monitoring more than 100 indicators tied to controls. We're also monitoring a complete set of SOX financial risks, as well as 50 other key risks across our business. Combined with event-based alerts, that gives us 24/7 assurance.

Andrew cites our SAP system as an example. ServiceNow GRC automatically monitors our SAP configuration tables. When there's a significant change, it alerts the business owner and asks them to confirm that the change was approved. If it wasn't, we know right away and can roll back the change. Without ServiceNow GRC, we might never discover the issue.
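The configuration-table monitoring described above is a standard continuous control monitoring pattern: snapshot the monitored tables, diff the current state against the last approved baseline, check every difference against an approved-change register, and raise an indicator finding (with the values needed for rollback) for anything unapproved. The block below is an added illustration of that pattern in Python; it is not ServiceNow GRC code or ServiceNow's SAP integration. The table names, keys, values, control id and change-ticket ids are all constructed placeholders.

```python
"""Continuous control monitoring over configuration snapshots (added example).

Diff a baseline snapshot of configuration tables against the current one,
check each change against an approved-change register, and emit an
indicator result for the linked control. Not ServiceNow's code; every
table, key, value, control id and ticket id here is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

Snapshot = Dict[str, Dict[str, str]]  # table name -> {key: value}

# Constructed baseline captured at the last approved state.
BASELINE: Snapshot = {
    "payment_terms": {"NET30": "30", "NET60": "60"},
    "posting_periods": {"open_from": "2018-01", "open_to": "2018-03"},
}

# Constructed current snapshot: one approved change (NET60), one deleted key
# (NET30), one added key (NET90) and one unapproved edit (open_from).
CURRENT: Snapshot = {
    "payment_terms": {"NET60": "90", "NET90": "90"},
    "posting_periods": {"open_from": "2017-10", "open_to": "2018-03"},
}

# Constructed approved-change register; ticket ids are placeholders.
APPROVED = [
    {"table": "payment_terms", "key": "NET60", "new": "90", "ticket": "CHG-PLACEHOLDER-1"},
]


@dataclass(frozen=True)
class Change:
    table: str
    key: str
    old: Optional[str]  # None means the key was added
    new: Optional[str]  # None means the key was removed


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Change]:
    """Return every key-level difference between two snapshots, in a stable order."""
    changes = []
    for table in sorted(set(baseline) | set(current)):
        old_rows = baseline.get(table, {})
        new_rows = current.get(table, {})
        for key in sorted(set(old_rows) | set(new_rows)):
            old, new = old_rows.get(key), new_rows.get(key)
            if old != new:
                changes.append(Change(table, key, old, new))
    return changes


def is_approved(change: Change, approved) -> bool:
    """A change is approved only if the register holds an entry for exactly this
    table, key and resulting value; a deletion must be registered with new=None."""
    return any(
        a["table"] == change.table and a["key"] == change.key and a.get("new") == change.new
        for a in approved
    )


def evaluate_control(control_id: str, baseline: Snapshot, current: Snapshot, approved) -> dict:
    """Build an indicator result for the control linked to these tables.

    Unapproved changes become findings; the rollback list carries the baseline
    value to restore if the business owner does not confirm the change.
    """
    findings = [c for c in diff_snapshots(baseline, current) if not is_approved(c, approved)]
    return {
        "control": control_id,
        "status": "non_compliant" if findings else "compliant",
        "findings": findings,
        "rollback": [(c.table, c.key, c.old) for c in findings],
    }


if __name__ == "__main__":
    result = evaluate_control("CTL-CONFIG-PLACEHOLDER", BASELINE, CURRENT, APPROVED)
    print(result["status"])
    for c in result["findings"]:
        print(f"unapproved change in {c.table}.{c.key}: {c.old!r} -> {c.new!r}")
```

Matching an approval on the resulting value, not just on the key, is deliberate: a ticket that approved one value must not silently cover a different value written to the same key, and a deletion is only approved if the register says so explicitly.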

66% REDUCTION IN QUARTERLY CONTROL CERTIFICATION VIA AUTOMATED SURVEYS AND MONITORING

Dramatically increased efficiency

Back to our original problem: slow manual processes that just wouldn't scale. How has GRC helped to transform the landscape, giving us the bandwidth we need to support our business growth? Here are some examples:

- 66% reduction in quarterly control certification due to continuous control monitoring, as well as automated surveys, which are built into the Now Platform
- 85% reduction in the time needed to track status, due to real-time reporting and dashboards
- 90% reduction in coordination efforts with external auditors, who now use ServiceNow GRC to gain direct, transparent access to all our GRC data

Where are we going next?

Since our initial SOX launch, we've already successfully tackled areas such as ISO 27001, SSAE 16, and FedRAMP. Now, we're working on GDPR and SANS, and expect to go live with these shortly. By freeing up our GRC resources, we've been able to take on more and more critical areas. The more we automate, the more capacity we have to automate, creating a positive snowball effect.

However, it's not just about taking on new compliance areas. Andrew says that, "We're also driving further fundamental improvements in our GRC processes, for example, expanding our automated monitoring capabilities. And there are a huge number of other opportunities. For example, ServiceNow GRC lets us rationalize controls across multiple overlapping authority documents, streamlining compliance even further."

24/7 ASSURANCE THROUGH CONTINUOUS MONITORING AND EVENT-BASED ALERTS

The bottom line

With ServiceNow GRC, we've saved $30,000 a year through process automation, and that's just for SOX. That's freed up resources to broaden our GRC coverage and keep pace with business growth. And we've made GRC far stronger by turning it into a living, breathing discipline. Before, GRC was a slow, historical process that didn't add value for our business owners. Now, business owners have real-time visibility of their controls and risks, so they can take action right away to address issues, before they become major problems. That empowers them, giving them ownership and accountability, and repositions our GRC team as a trusted business partner.

$30K SAVED ANNUALLY AUTOMATING END-TO-END GRC PROCESSES

Now on Now: How we use our own technology

About ServiceNow

ServiceNow was started in 2004 with the belief that getting simple stuff done at work can be easy, and getting complex multi-step tasks completed can be painless. From the beginning, ServiceNow envisioned a world where anyone could create powerful workflows to get enterprise work done. Today, ServiceNow is the cloud-based platform that simplifies the way we work. ServiceNow software automates, predicts, digitizes, and optimizes business processes and tasks, across IT, customer service, security, human resources, and more, to create a better experience for your employees and customers while transforming your enterprise. ServiceNow is how work gets done.

Copyright 2018 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc., in the United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are associated. SN-EB-NOW-ON-NOW-GRC-022018