Governance, Risk & Compliance
ServiceNow has implemented Governance, Risk and Compliance (GRC) based on the OCEG (Open Compliance & Ethics Group) GRP Capability Model.
What is GRC?
- Governance allows an organisation to reliably achieve its objectives
- Risk addresses uncertainty in a structured manner
- Compliance ensures business activities are undertaken with integrity
Whether organisations formally recognize GRC or not, they all need to undertake some form of governance over their business activities or they will not be able to reliably achieve their goals.
When it comes to risk, recognising and addressing uncertainty ensures the durability of an organisation before it is placed in a position where it is under stress. Public and government expectations are that organisations will act with integrity; failure to do so may result in a loss of revenue, loss of social standing and possibly government fines or loss of licensing.
Governance, Risk and Compliance is built around the authority documents, policies and risks identified by the organisation as important.
Depending on the industry, there are a number of standards authorities and government regulations that form the basis for documents of authority, providing specific compliance regulations. ISO (the International Organisation for Standardization) has established quality assurance standards such as ISO 9000, and risk management frameworks such as ISO 31000, or ISO 27000 standards for information security management.
In addition to these, various governments may demand adherence to standards developed to protect the public, such as Sarbanes-Oxley (to protect investors against possible fraud), HIPAA (the US Health Insurance Portability and Accountability Act of 1996) and GDPR (the European Union’s General Data Protection Regulation). ServiceNow’s GRC allows organisations to manage these complex requirements and ensure they are compliant and operating efficiently.
The sheer number of documents and standards, along with the complexity of how they depend on and interact with each other, can make GRC daunting to administer. ServiceNow has simplified this process by structuring these activities in a logical framework.
Authority documents (like ISO 27000), internal policies and risk frameworks (like ISO 31000) represent a corporate library—the ideal state for the organisation. The question then becomes, how well does an organisation measure up to its ideals in terms of policies and risks?
ServiceNow addresses this by using profile types.
Profile types are a means of translating polices and risks into practice.
When policy types are applied to policy statements, they form the active controls for an organisation— that is, those controls from the library that are being actively monitored.
In the same way, when risks are applied to policy types, they form the risk register for the organization. This is the definitive list of those specific risks that are being actively measured and monitored, as opposed to all risks.
This approach allows organisations to accurately measure their governance model and understand which areas they need to focus on to improve.
The metrics supporting GRC profile types can be gathered manually via audit-styled surveys of employees and third-parties, or in an automated fashion using information stored elsewhere within ServiceNow (such as IT Service Management or Human Resources). In addition to this, GRC compliance metrics for the various profile types can be gathered using orchestration and automation, and by integrating with other systems to provide an accurate view of governance, risk and compliance.
If you would like to learn more about how ServiceNow can support your organisation manage the complexity of GRC, please speak to one of our account executives.
JDS and the GO Foundation
Read More
Mastering Modal Dialog Boxes
Read More
Virtual Agent: Understanding The Limitations Of LITE
Read More
ServiceNow & ReactJS
Like any enterprise platform, ServiceNow has a complex relationship with its underlying architecture. Originally, ServiceNow was built on Java ...
Read More
ServiceNow Safe Workplace Suite
Read More
Working With ACLs In ServiceNow
Read More
How ServiceNow’s ‘Virtual Agent’ can assist your organisation: Part 4
Read More
How ServiceNow’s ‘Virtual Agent’ can assist your organisation: Part 3
Read More
How ServiceNow’s ‘Virtual Agent’ can assist your organisation: Part 2
Read More
How ServiceNow’s ‘Virtual Agent’ can assist your organisation: Part 1
Read More
How Field Service Management can help your customers
Read More
ServiceNow Upgrade Process
Read More
Modifying Service Portal Widgets On-The-Fly
Read More
Custom Glide Modal Dialog Boxes in ServiceNow
Read More
How Contract Management Can Help Your Customers
Read More
Manipulating Service Portal Widgets Without Modifying Them
Read More
Virtual Agent Is Your Friend
Read More
Using Common Functions in the Service Catalog
Read More
ServiceNow Archiving
Read More
Browser Console
Read More
Glide Variables
Read More
Asset Management in ServiceNow
Read More
Understanding Database Indexes in ServiceNow
Read More
Fast-track ServiceNow upgrades with Automated Testing Framework (ATF)
Read More
ServiceNow Catalog Client Scripts: G_Form Clear Values
Read More
How to effectively manage your CMDB in ServiceNow
Read More
Breaking down silos to create an enterprise capability
Read More
ServiceNow and single sign-on
Read More
How to customise the ServiceNow Service Portal
Read More
Integrating a hand-signed signature to an Incident Form in ServiceNow
Read More
Integrating OMi (Operations Manager i) with ServiceNow
Read More
Service portal simplicity
Read More
Filtered Reference Fields in ServiceNow
Read More
ServiceNow performance testing tips
Read More
Straight-Through Processing with ServiceNow
Read More
ServiceNow Choice List Dependencies
Read More