
How banks can use the ServiceNow Platform for Compliance Operations


Anyone who has worked in a bank for even a short time understands how much compliance plays a role in virtually every activity in every part of the business. Financial regulators at the regional (e.g., NYDFS), country (e.g., FCA), and global level (e.g., Basel III) establish an ever-growing set of rules, which are generally aimed at reducing systemic risk, encouraging common adoption of standards, protecting customers, and driving fair competition.

Virtually no one in any financial institution is exempt from some regulatory angle.
For example:
• A branch teller must learn about anti-money laundering, anti-terrorist financing, and know-your-customer rules before they sign up their first client
• The wealth management side needs to follow strict rules to appropriately
align investment decisions to client risk profiles
• Asset managers need to follow strict rules around marketing their products
• Capital markets teams need to ensure IPOs are fairly executed
• Finance needs to follow rigorous accounting standards
• Procurement needs to monitor vendor risk
• Treasury needs to ensure capital adequacy requirements are met
• IT needs to document access permissions and system changes
• Payments departments need to ensure they are conforming to PCI rules
• HR needs to ensure trading licensing and attestations are up to date
• All departments need to manage customer data privacy
• And more (the list is ever-growing)

Sample benefits taken from a recent Business Value Assessment run on our internal implementation of ServiceNow GRC and compiled by our Head of Internal Audit.
Implementing one rule in support of one regulation in one country can be complicated enough. When the big global players must address many different layers of regulation for multiple authorities, and when the pace of regulatory change increases, this becomes a very complicated process to build for and can also be extremely costly in terms of fines incurred if compliance isn’t met.

As outlined in the example below, regulatory compliance expenses can be significant, especially for the larger financial institutions that are deemed to pose higher systemic risk. What’s particularly obvious about the cost model shown is how much of the expense is allocated to personnel, suggesting that there is still a very high degree of manual work associated with compliance delivery.

To address this issue, there are multiple niche compliance solutions and companies that can help automate the processes. In my own past at various financial institutions, I’ve been involved with custom builds, evaluations of off-the-shelf tools and assessments of emerging fintech solutions such as Outside Intelligence Quotient for KYC or Northern for PII categorization. While the niche tools can be very effective in targeting a specific area or rule, they don’t always address the problem of compliance responsibilities that are fragmented across the organization.

Over time, this fragmentation can lead to inconsistent and disconnected processes for risk assessment, testing, and reporting. To reduce this fragmentation, financial institutions are now more frequently looking at enterprise-wide platforms like ServiceNow that offer the fully integrated control framework required to effectively deliver on compliance. For those of you interested in learning more, I’ve outlined some examples and explanations of how the Now Platform™ can be used to help accelerate and improve regulatory compliance automation.

ServiceNow basics

While we now have over 700 financial institutions on the Now Platform, it may not yet be well known in all parts of the bank. For those of you who may still be unfamiliar with the platform, I’ll start with some of the basics: ServiceNow is a cloud-based service with ~8,600 employees and $2.6 billion in revenues (as of Q4 2018). It is a robust platform with a few key capabilities including:
• A flexible, intuitive interface that enables users to request a service or meet their needs through self-service
• Real-time status transparency of any request (similar to how you can track the status of a FedEx package or an Uber)
• Automated prioritization and assignment of requests to people or tools that will fulfill the request
• Collaboration across a department or across an enterprise
• Workflow and automation to route requests and issues for faster, more effective, auditable resolution

On top of the Now Platform, you can run any number of applications, including
HR, IT, customer service, compliance, etc. The routing and processing of IT tickets
was the first very popular application for the Now Platform, which almost all of
our banking customers are using today. Over time though, financial institutions
and other companies are starting to quickly expand use cases into other areas,
including more effective management of IT costs and services, back office
management, and customer-facing service resolution.

ServiceNow as a platform lends itself to a large array of useful functions. As more and more customers begin using the platform for certain tasks (e.g., HR case management, security automation), the company develops out-of-the-box functionality to meet common needs and embeds that functionality into twice-yearly releases. Among the quickly evolving use cases being embedded in the platform is a governance, risk, and compliance (GRC) package.

Regulatory change management

Since “compliance” as a term means many different things to different people, I’ll start with the situation that I’m most familiar with: when a large regulator first issues a new or amended rule for financial institutions under their jurisdiction to follow:
• An FS regulator (e.g., Federal Reserve Board) will generally start this process by establishing the goal they want to meet, for example, protecting consumers by ensuring that banks under their jurisdiction do not encourage consumers to take on credit debt without knowing all the associated risks and responsibilities
• The regulator will then generally spell out the rules/provisions for meeting the goal (e.g., clearly stating how much interest will be incurred by a loan in terms of an annual percentage rate (APR))
• As soon as any new regulation is issued, the first step generally is to assess whether it applies to your bank or individual business line and consider whether the rule may be addressed through other regulations that are already in place. Generally, I’ve seen the Regulatory Affairs team take the first crack at this high-level assessment

• The next step is to look at what the operational requirements to support the rule might be. In looking at the Truth in Lending Act (TILA) rules, for example, some things are easier than others to police.

Taking the TILA operational requirements as an example, #3, “To ensure that annual percentage rates and fees” are within tolerance, is a relatively simple task (albeit potentially painful to the bottom line), as setting percentage rates will generally be a centralized process run by Treasury. However, if we look at #7 in TILA, “Ensuring originator incentives meet requirements”, this is a more complicated process, as the originator may be a mortgage broker, a bank that has resold the loan, front-line branch staff, etc., making it much harder to control.

From an internal perspective, translating the regulation to a set of operational requirements to follow, and understanding their impact, is often quite complicated. Referred to as regulatory change management, this exercise will generally include process review and proposed governance and, depending on the level of sophistication and criticality, will calculate the cost of the controls implemented as well as regulatory impact reports with money tied to them.

After the upfront review, design, and planning phase is through, the (often) very heavy technology build to implement the control begins, along with the control reports that auditors and regulators will want to see.

How the Now Platform technology supports compliance activities

For banking, like many other industries, there are many different sources of rules, including all the different regulatory authorities. The ServiceNow GRC module starts by ingesting any number of regulations and standards into the Unified Compliance Framework (UCF). As illustrated below, the UCF holds all rules in one central repository, which allows drill-downs into the background of each rule and the associated controls that need to be in place to ensure compliance.

The advantages of having controls or standards all accumulated in one central repository are many, not the least of which is the ability to link common controls to multiple regulations. The one-to-many implications of this can lead to enormous time savings in reporting and reduced risk of non-compliance. Having everything recorded in a single system provides a hub to assign and track work, both within compliance and across business areas. It acts as a core repository for reference information on a specific regulation, and holds knowledge articles, FAQs, etc.

For Sarbanes-Oxley (SOX) for example, the UCF will list out all internal policies,
as well as controls organized by location and business unit responsible for
delivering on those controls. The relationship between risk and compliance is
clearly articulated such that if compliance goes down, risk rises and vice-versa.

GRC provides a REST-based plugin to integrate the GRC instance with the UCF Common Controls Hub (CCH). UCF CCH content is not included with the GRC subscription.

Compliance workflow design

With every new rule or regulatory update, there often needs to be a revision of
the processes to ensure that new controls will meet the needs for risk mitigation
or auditability. In many large financial institutions, designing the compliance
processes is a very complicated exercise that stretches across many different
entities and is subject to frequent changes. By leveraging the Now Platform
Workflow Editor, a designer can utilize a drag-and-drop interface
that automates multi-step processes across the platform. After proper approvals,
the new process design can be loaded up into the platform which is then easily
implemented, easy to communicate, and transparent to audit.

Monitoring and reporting

Once the controls are defined and implemented, the monitoring and control processes begin. In most large banks, this process is managed through control self-assessments to begin with, then risk and control self-assessments as they get more sophisticated, and eventually process and control risk self-assessments when they start biting off operational risk.

ServiceNow workflow automation supports this process by:
• Defining scheduled control tasks for control owners to complete
• Automating control testing based on control indicators, testing on ServiceNow data automatically in the background, on a schedule (daily, weekly, monthly, event based, etc.)
• Identifying compliance and non-compliance through exception reporting
• Leveraging performance analytics indicator thresholds to identify non-compliance
• Leveraging the ServiceNow ecosystem to automatically identify compliance of operational controls
• Enabling compliance executive dashboards that offer custom displays by regulatory authority (e.g., PCI), by department, etc.
• Automating remediation efforts

Reports can be scheduled or run on-demand to provide insight into control test attestations and coverage for risk, authority documents, and policy violations. Attestations can be sorted, monitored, and reported on through executive dashboards built for this purpose.
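As an added illustration (not ServiceNow code and not taken from this brief), the Python script below models in plain code the three mechanics this section and the UCF section describe: a control library in which one common control is linked to several authority documents, an automated control test that compares the most recent indicator value against a threshold and treats stale evidence as its own exception, and an exception report plus coverage summary grouped by authority document, the way an executive dashboard split by regulatory authority would present it. The control IDs, thresholds, authority-document mappings and measurements are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Control:
    # One entry in the control library; every field here is constructed for the example.
    control_id: str
    description: str
    authority_documents: tuple   # one-to-many: one common control supports several regulations
    indicator: str               # the metric the automated test collects
    threshold: float             # value at which the control is considered failing
    higher_is_worse: bool = True
    max_evidence_age_days: int = 7   # older evidence is treated as "no test result"


@dataclass(frozen=True)
class Measurement:
    control_id: str
    value: float
    observed: date


# Constructed sample control library; IDs, thresholds and mappings are hypothetical.
CONTROLS = [
    Control("AC-01", "Privileged accounts without MFA (%)",
            ("PCI DSS", "SOX", "NYDFS 500"), "pct_priv_no_mfa", 0.0),
    Control("CM-03", "Production changes without an approved change record (count)",
            ("SOX", "NYDFS 500"), "unapproved_changes", 0),
    Control("IR-02", "Critical incidents closed within SLA (%)",
            ("NYDFS 500",), "pct_incidents_in_sla", 95.0, higher_is_worse=False),
    Control("VR-05", "Critical vendors with an overdue risk assessment (count)",
            ("PCI DSS", "SOX"), "overdue_vendor_assessments", 0),
]

# Constructed measurements, as a scheduled background job would record them.
MEASUREMENTS = [
    Measurement("AC-01", 2.5, date(2019, 8, 5)),
    Measurement("CM-03", 0, date(2019, 8, 5)),
    Measurement("IR-02", 91.0, date(2019, 8, 4)),
    Measurement("VR-05", 0, date(2019, 7, 1)),   # last tested five weeks ago: stale
]
AS_OF = date(2019, 8, 6)


def latest_by_control(measurements):
    """Keep only the most recent measurement per control."""
    latest = {}
    for m in measurements:
        if m.control_id not in latest or m.observed > latest[m.control_id].observed:
            latest[m.control_id] = m
    return latest


def evaluate(controls, measurements, as_of):
    """Return {control_id: (status, reason)}; status is compliant, non_compliant or no_evidence."""
    latest = latest_by_control(measurements)
    results = {}
    for c in controls:
        m = latest.get(c.control_id)
        if m is None or (as_of - m.observed).days > c.max_evidence_age_days:
            results[c.control_id] = ("no_evidence", f"no measurement within {c.max_evidence_age_days} days")
            continue
        breached = m.value > c.threshold if c.higher_is_worse else m.value < c.threshold
        status = "non_compliant" if breached else "compliant"
        results[c.control_id] = (status, f"{c.indicator}={m.value} (threshold {c.threshold})")
    return results


def exception_report(controls, results):
    """Group every failing or untested control under each authority document it supports."""
    by_doc = {}
    for c in controls:
        status, reason = results[c.control_id]
        if status == "compliant":
            continue
        for doc in c.authority_documents:
            by_doc.setdefault(doc, []).append((c.control_id, status, reason))
    return by_doc


def coverage(controls, results):
    """Per authority document: (controls with passing evidence, controls mapped to it)."""
    cov = {}
    for c in controls:
        passed = results[c.control_id][0] == "compliant"
        for doc in c.authority_documents:
            ok, total = cov.get(doc, (0, 0))
            cov[doc] = (ok + int(passed), total + 1)
    return cov


def run_sample():
    """Evaluate the constructed library as of AS_OF."""
    return evaluate(CONTROLS, MEASUREMENTS, AS_OF)


if __name__ == "__main__":
    res = run_sample()
    for doc, items in sorted(exception_report(CONTROLS, res).items()):
        print(doc)
        for cid, status, reason in items:
            print(f"  {cid} {status:<14} {reason}")
    for doc, (ok, total) in sorted(coverage(CONTROLS, res).items()):
        print(f"{doc}: {ok}/{total} controls passing")
```

Two design points matter in practice. A control with no recent evidence is reported as an exception rather than silently carried forward as compliant, because a scheduled test that stopped running is exactly what an auditor will ask about. And because one control maps to several authority documents, a single failing control (AC-01 above) appears in the PCI DSS, SOX and NYDFS 500 reports at once, which is the one-to-many effect the UCF section describes.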

Controls testing and auditing

Once policy statements have been assigned by regulation and policy, controls have been generated from those policy statements against profiles (infrastructure, applications, processes, units, projects, people, etc.), attestation of those controls has been set up, and any gaps have been identified and remediation activities generated, the testing and audit process begins.

Whether it’s an internal or external audit, what often needs to be produced is “proof” that the control structure is in place and working as planned. Often this can lead to a great deal of manual effort, at the end of which the auditors or regulators may still be wanting more evidence. With the Now Platform much of this manual work can be reduced, as each stage of setting up and executing a control has been captured throughout the whole lifecycle.

Managing the audit process itself is also made easier by leveraging the audit engagement feature on the Now Platform and its workbench for managing the audit plan. This module enables internal auditors to quickly plan, scope, and execute audit activities, as well as schedule interviews, walkthroughs, and control test activities.

By including selected profiles in the scope of your audit engagement, you automatically pull in all risks, controls, and evidence collected over the period you audit that relate to the scoped profiles.

Audit “issues” that have been identified are tracked and incorporated into a single
integrated plan that can be shared and referenced throughout the organization.

System access by role

One of the most valuable capabilities of ServiceNow is the ability to avoid emails
and phone calls and replace them with one central engagement portal that
ensures a single source of truth and enables easy information sharing. At the same
time, to support a process as sensitive as compliance there are different access
levels defined that can easily be set up for different roles including compliance
administrator, compliance manager, risk manager, audit manager, system admin-
istrator, etc. Tasks can be assigned to the right person through a virtual task-board
that enables workload management and simplified status tracking.

Virtual Task Board for Compliance

Out-of-the-box vs. Configuration

ServiceNow provides a robust platform that includes all the key building blocks
for GRC management. In some cases, the company has seen enough consistency
across an industry to develop pre-packaged solutions, while in other instances,
clients are configuring solutions to meet their own specific needs.

Among the out-of-the-box solutions at the current time are IT risk management (the first big use case for ServiceNow), vendor risk management, corporate compliance and oversight, and audit management. Other use cases built on the platform include operational risk management, business continuity management planning, and enterprise legal management.

Because the GRC solutions are often put into place at financial institutions that
are already using the Now Platform elsewhere, it makes it easier to get folks
trained and certified on the GRC tools, versus other niche tools that may require
dedicated admins/business analysts, specialized training, etc.

Business case

From a pricing perspective, the ServiceNow historical model is to charge subscription fees based on the number of people using the system (in a fulfiller model). However, as the platform is increasingly being used for more enterprise-wide functions such as GRC, the pricing model is changing to focus more on the number of employees in the organization, which is good news for smaller, regional banks who sometimes have to pay full freight for systems originally built for larger, global organizations.

Implementation of the GRC modules for a bank can be quite fast according to Gartner. The “time to value is short with implementations sometimes taking just over two months.” From a benefits standpoint, return on investment from the GRC suite is most directly found through levers that tackle the high degree of manual effort expended. Along with the time or money saved from process efficiency and automation is the cost avoidance that results from better risk reduction overall, as well as investment funds freed up through lower capital requirements and more.

Conclusion

Since ServiceNow offers a platform rather than a single tool, the number of use
cases is expanding very quickly across the enterprise. Since its popularity
generally began in IT departments that often already use it to manage IT Risk
and Compliance, the basic ServiceNow foundation is often already in place in
many financial institutions and already supported by knowledgeable, in-house
ServiceNow experts.

To move additional compliance functions onto the platform is generally straightforward and is supported by a growing number of SI Partners—many of whom
are establishing or strengthening their ServiceNow GRC practices. Among the
larger players who have set up specific ServiceNow GRC practices are
Accenture, Deloitte, EY, Fruition, Grant Thornton, KPMG, and PWC. Also available
to support is the ServiceNow professional services organization and the product
support folks for the GRC module, together with the GRC Global Practice
specialists.

About the authors

• Cliff Huntington, a former RSA executive, has global responsibility for GRC
sales and strategy at ServiceNow

• Eric Le Martret, a former chief risk officer and GRC consultant, is now the
senior advisory solution consultant for the ServiceNow EMEA GRC practice

• Julia Smith, a former financial services executive and transformation consultant, has global responsibility for helping financial institutions explore
the possibilities of the platform through the ServiceNow Inspire practice.

© 2019 ServiceNow, Inc. ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc.
in the United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are associated.
SN-SolutionBrief-ComplianceOperations-082019

servicenow.com
