Sample benefits taken from a recent Business Value Assessment run on our internal
implementation of Service GRC and compiled by our Head of Internal Audit.
Implementing one rule in support of one regulation in one country can be
complicated enough. When the big global players must address many different
layers of regulation for multiple authorities, and when the pace of regulatory
change increases, this becomes a very complicated process to build for and
can also be extremely costly in terms of fines incurred if compliance isn’t met.
As outlined in the example below, regulatory compliance expenses can be
significant, especially for the larger financial institutions that are deemed to pose
higher systemic risk. What’s particularly obvious about the cost model shown
is how much of the expense is allocated to personnel—suggesting that there is
still a very high degree of manual work associated with compliance delivery.
The Now Platform can be used to help escalate and improve regulatory
compliance automation.
To address this issue, there are multiple niche compliance solutions and
companies that can help automate the processes. In my own past at various
financial institutions, I’ve been involved with custom builds, evaluations of
off-the-shelf tools and assessments of emerging fintech solutions such as Outside
Intelligence Quotient for KYC or Northern for PII categorization. While the niche
tools can be very effective in targeting a specific area or rule, they don’t always
address the problem of compliance responsibilities that are fragmented across
the organization.
ServiceNow basics
While we now have over 700 financial institutions on the Now Platform, it may
not yet be well known in all parts of the bank. For those of you who may still be
unfamiliar with the platform, I’ll start with some of the basics: ServiceNow is a
cloud-based service with ~8,600 employees and $2.6 billion in revenues (as of
Q418). It is a robust platform with a few key capabilities including:
• Flexible, easy-to-use intuitive interface that enables users to request a service
or meet their needs through self-service
• Real-time status transparency of any request (similar to how you can track
the status of a FedEx package or Uber)
• Automated prioritization and assignment of requests to people or tools that
will fulfill the request
• Collaboration across a department or across an enterprise
• Workflow and automation to route requests and issues for faster, more
effective, auditable resolution
On top of the Now Platform, you can run any number of applications, including
HR, IT, customer service, compliance, etc. The routing and processing of IT tickets
was the first very popular application for the Now Platform, which almost all of
our banking customers are using today. Over time though, financial institutions
and other companies are starting to quickly expand use cases into other areas,
including more effective management of IT costs and services, back office
management, and customer-facing service resolution.
• The next step is to look at what the operational requirements to support
the rule might be. In looking at the truth in lending rule for example, some
things are easier than others to police
After the upfront review, design, and planning phase is through, the (often) very
heavy technology build to implement the control begins, along with the build of
the control reports that auditors and regulators will want to see.
How the Now Platform technology supports compliance activities
For banking, like many other industries, there are many different sources of rules
including all the different regulatory authorities. The ServiceNow GRC module
starts with ingesting an unlimited amount of regulations and standards into the
Unified Compliance Framework (UCF). As illustrated below, the UCF holds all rules
in one central repository which allows drill-downs for the background to each rule,
and the associated controls that need to be in place to ensure compliance.
For Sarbanes-Oxley (SOX) for example, the UCF will list out all internal policies,
as well as controls organized by location and business unit responsible for
delivering on those controls. The relationship between risk and compliance is
clearly articulated such that if compliance goes down, risk rises and vice-versa.
GRC provides a REST-based plugin to integrate the GRC instance with UCF CCH.
UCF CCH content is not included with the GRC subscription.
With every new rule or regulatory update, there often needs to be a revision of
the processes to ensure that new controls will meet the needs for risk mitigation
or auditability. In many large financial institutions, designing the compliance
processes is a very complicated exercise that stretches across many different
entities and is subject to frequent changes. By leveraging the Now Platform
Workflow Editor, a designer can utilize a drag-and-drop interface
that automates multi-step processes across the platform. After proper approvals,
the new process design can be loaded up into the platform which is then easily
implemented, easy to communicate, and transparent to audit.
Monitoring and reporting
Once the controls are defined and implemented, the monitoring and control
processes begin. In most large banks, this process is managed through control
self-assessments to begin with, then risk and control self-assessment as they get
more sophisticated, and eventually process and control risk self-assessment when
they start biting off operational risk.
ServiceNow workflow automation supports this process by:
Reports can be scheduled or run on-demand to provide insight into control test
attestations and coverage for risk, authority documents, and policy violations.
Attestations can be sorted, monitored, and reported on through executive
dashboards built for this purpose.
Controls testing and auditing
After assigning policy statements by regulation and policies, and after controls
are generated from these policy statements towards profiles (infrastructure,
applications, processes, units, projects, people, etc.), setting up the attestation
of those controls, identifying any gaps and generating remediation activities,
the testing and audit process begins.
Managing the audit process itself is also made easier by leveraging the audit
engagement feature on the Now Platform and its workbench for managing
the audit plan. This module enables internal auditors to quickly plan,
scope, and execute audit activities, as well as schedule interviews, walkthroughs,
and control test activities.
By including selected profiles in the scope of your audit engagement, you will
automatically pull all risks, controls, and evidence collected along the period
you audit and related to the scoped profiles.
Audit “issues” that have been identified are tracked and incorporated into a single
integrated plan that can be shared and referenced throughout the organization.
System access by role
One of the most valuable capabilities of ServiceNow is the ability to avoid emails
and phone calls and replace them with one central engagement portal that
ensures a single source of truth and enables easy information sharing. At the same
time, to support a process as sensitive as compliance there are different access
levels defined that can easily be set up for different roles including compliance
administrator, compliance manager, risk manager, audit manager, system
administrator, etc. Tasks can be assigned to the right person through a virtual task-board
that enables workload management and simplified status tracking.
ServiceNow provides a robust platform that includes all the key building blocks
for GRC management. In some cases, the company has seen enough consistency
across an industry to develop pre-packaged solutions, while in other instances,
clients are configuring solutions to meet their own specific needs.
Among the out-of-the-box solutions at the current time are IT risk management (the
first big use case for ServiceNow), vendor risk management, corporate compliance
and oversight, and audit management. Other use cases built on the platform
include operational risk management, business continuity management planning,
and enterprise legal management.
Because the GRC solutions are often put into place at financial institutions that
are already using the Now Platform elsewhere, it makes it easier to get folks
trained and certified on the GRC tools, versus other niche tools that may require
dedicated admins/business analysts, specialized training, etc.
Business case
Conclusion
Since ServiceNow offers a platform rather than a single tool, the number of use
cases is expanding very quickly across the enterprise. Since its popularity
generally began in IT departments that often already use it to manage IT Risk
and Compliance, the basic ServiceNow foundation is often already in place in
many financial institutions and already supported by knowledgeable, in-house
ServiceNow experts.
• Cliff Huntington, a former RSA executive, has global responsibility for GRC
sales and strategy at ServiceNow
• Eric Le Martret, a former chief risk officer and GRC consultant, is now the
senior advisory solution consultant for the ServiceNow EMEA GRC practice
© 2019 ServiceNow, Inc. ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc.
in the United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are associated.
SN-SolutionBrief-ComplianceOperations-082019
servicenow.com