Governance, Risk & Compliance

ServiceNow has implemented Governance, Risk and Compliance (GRC) based on the OCEG (Open Compliance & Ethics Group) GRC Capability Model.
What is GRC?
- Governance allows an organisation to reliably achieve its objectives
- Risk addresses uncertainty in a structured manner
- Compliance ensures business activities are undertaken with integrity
Whether organisations formally recognize GRC or not, they all need to undertake some form of governance over their business activities or they will not be able to reliably achieve their goals.
When it comes to risk, recognising and addressing uncertainty ensures the durability of an organisation before it is placed in a position where it is under stress. Public and government expectations are that organisations will act with integrity; failure to do so may result in a loss of revenue, loss of social standing and possibly government fines or loss of licensing.
Governance, Risk and Compliance is built around the authority documents, policies and risks identified by the organisation as important.
Depending on the industry, there are a number of standards authorities and government regulations that form the basis for documents of authority, providing specific compliance regulations. ISO (the International Organization for Standardization) has established quality assurance standards such as ISO 9000, risk management frameworks such as ISO 31000, and the ISO 27000 series of standards for information security management.
In addition to these, various governments may demand adherence to standards developed to protect the public, such as Sarbanes-Oxley (to protect investors against possible fraud), HIPAA (the US Health Insurance Portability and Accountability Act of 1996) and GDPR (the European Union’s General Data Protection Regulation). ServiceNow’s GRC allows organisations to manage these complex requirements and ensure they are compliant and operating efficiently.
The sheer number of documents and standards, along with the complexity of how they depend on and interact with each other, can make GRC daunting to administer. ServiceNow has simplified this process by structuring these activities in a logical framework.
Authority documents (like ISO 27000), internal policies and risk frameworks (like ISO 31000) represent a corporate library—the ideal state for the organisation. The question then becomes, how well does an organisation measure up to its ideals in terms of policies and risks?
ServiceNow addresses this by using profile types.
Profile types are a means of translating policies and risks into practice.
When profile types are applied to policy statements, they form the active controls for an organisation, that is, those controls from the library that are being actively monitored.
In the same way, when risks are applied to profile types, they form the risk register for the organisation. This is the definitive list of those specific risks that are being actively measured and monitored, as opposed to all risks.
This approach allows organisations to accurately measure their governance model and understand which areas they need to focus on to improve.
The metrics supporting GRC profile types can be gathered manually via audit-styled surveys of employees and third-parties, or in an automated fashion using information stored elsewhere within ServiceNow (such as IT Service Management or Human Resources). In addition to this, GRC compliance metrics for the various profile types can be gathered using orchestration and automation, and by integrating with other systems to provide an accurate view of governance, risk and compliance.
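To make the profile-type model above concrete, here is a small added example (written for this article, not ServiceNow's own code, and not using ServiceNow's tables or APIs) that models a corporate library of policy statements and risks, applies them to hypothetical profile types to derive the active controls and the risk register, and then scores compliance from constructed control test results. All policy identifiers, profile names and test results are constructed for illustration.

```python
"""Illustrative model of how GRC profile types turn a corporate library of
policy statements and risks into actively monitored controls and a risk
register. Added, hypothetical example: not ServiceNow code, and not a
representation of ServiceNow's tables or APIs."""
from dataclasses import dataclass, field
from itertools import product


@dataclass(frozen=True)
class PolicyStatement:
    """A requirement from an authority document or internal policy (the library)."""
    policy_id: str
    source: str       # authority document or policy the statement derives from
    text: str


@dataclass(frozen=True)
class Risk:
    """A risk taken from the risk framework; also part of the library."""
    risk_id: str
    description: str


@dataclass
class ProfileType:
    """A category of thing the organisation operates (constructed names)."""
    name: str
    profiles: list                                   # concrete instances
    policy_statements: list = field(default_factory=list)
    risks: list = field(default_factory=list)


@dataclass(frozen=True)
class Control:
    """An active control: one policy statement applied to one profile."""
    policy_id: str
    profile: str


@dataclass(frozen=True)
class RegisteredRisk:
    """One risk applied to one profile; an entry in the risk register."""
    risk_id: str
    profile: str


def active_controls(profile_types):
    """Policy statements applied to profile types yield the active controls.
    Library statements not attached to any profile type produce no control."""
    return [Control(ps.policy_id, p)
            for pt in profile_types
            for ps, p in product(pt.policy_statements, pt.profiles)]


def risk_register(profile_types):
    """Risks applied to profile types yield the risk register."""
    return [RegisteredRisk(r.risk_id, p)
            for pt in profile_types
            for r, p in product(pt.risks, pt.profiles)]


def compliance_score(controls, test_results):
    """Share of active controls whose latest test passed. A control with no
    result counts as failing, so the score also reflects monitoring coverage."""
    if not controls:
        return 0.0
    passed = sum(1 for c in controls if test_results.get(c) is True)
    return passed / len(controls)


# Constructed sample library and profile types.
LIBRARY = [
    PolicyStatement("PS-1", "ISO 27000 (constructed ref)", "Access is reviewed quarterly"),
    PolicyStatement("PS-2", "ISO 27000 (constructed ref)", "Backups are restore-tested"),
    PolicyStatement("PS-3", "Internal policy", "Passwords rotate every 90 days"),
]
RISKS = [Risk("R-1", "Unauthorised access to production data")]

SERVERS = ProfileType("Production server", ["db-01", "app-01"],
                      policy_statements=LIBRARY[:2], risks=RISKS)
APPS = ProfileType("Business application", ["payroll"],
                   policy_statements=[LIBRARY[0]], risks=RISKS)


def demo():
    """Build the controls and register, then score constructed test results."""
    controls = active_controls([SERVERS, APPS])
    register = risk_register([SERVERS, APPS])
    # Constructed results, as an audit survey or automated check might supply.
    results = {
        Control("PS-1", "db-01"): True,
        Control("PS-2", "db-01"): True,
        Control("PS-1", "app-01"): True,
        Control("PS-2", "app-01"): False,
        # PS-1 on "payroll" has not been tested yet and so counts as failing.
    }
    return controls, register, compliance_score(controls, results)


if __name__ == "__main__":
    controls, register, score = demo()
    print(len(controls), "active controls;", len(register), "risks registered")
    print(f"compliance: {score:.0%}")
```

Note that PS-3 sits in the library but is attached to no profile type, so it never becomes an active control; that is the distinction the article draws between the ideal state in the library and what is actually monitored. Counting untested controls as failures is a deliberate design choice so that gaps in metric collection are visible rather than hidden.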
If you would like to learn more about how ServiceNow can support your organisation in managing the complexity of GRC, please speak to one of our account executives.
Conclusion
It doesn't need to be complicated! Reach out to us and we can help you manage your organizational risks.