GRC (governance, risk and compliance) is of paramount importance for organizations today. It covers the strategies for managing governance, risk and regulatory compliance through a structured approach that aligns IT with business objectives while helping organizations manage risk and compliance effectively.
A clear GRC strategy can result in numerous organizational improvements, such as better decision-making, less fragmentation across departments, improved productivity, the elimination of silos and better IT investments. Many organizations are turning to software solutions for their GRC requirements.
On the ServiceNow platform, one of the latest offerings is a holistic GRC module that improves inefficient workflows, enabling real-time risk response and management. Failures and potential risks can be detected and quickly resolved. Prioritization and automation facilitate better governance and risk management.
Companies typically face challenges with disjointed, manual processes for assessing vendor risk and other GRC tasks. New GRC features in the London release of ServiceNow ease some of these challenges.
1. Vendor Tiering and Risk Management
Vendor tiering is a powerful capability that lets you manage vendor risk in a single window. It significantly reduces the time required to assess vendor risk.
Vendor tiering helps organizations classify their vendors into categories of potential risk. Vendors are placed on a pre-defined scale of tiers: Critical, High, Moderate, Low and Minor. Each vendor is assigned to a tier on this scale based on its tiering-assessment score, and different assessment questions and documents are associated with each tier.
This feature helps you control risk in your extended enterprise with a formal process. You can easily create internal tiering assessments, conducted with either standardized or custom questionnaires. Vendor tier can also be determined by automated tiering-score calculation, and the score range for each tier is configurable.
An internal tiering-assessment workflow assesses vendors for potential risk as part of the onboarding process. There is an option to route tiering assessments to internal vendor assessors, and vendor assessments can be initiated automatically based on the assigned vendor tier.
2. Integrations with Security Score Vendors
This feature helps identify your critical vendors, improves continuous vendor monitoring and reduces non-compliance. It also gives you more control, since you can fine-tune vendor tiers to reflect risk more accurately.
It allows you to assess and monitor a vendor's security posture using third-party score providers such as BitSight Technologies and SecurityScorecard Inc. Vendor risk managers can use these scores, or internal metrics, to determine potential vendor risk.
Security Score Integration normalizes the different score ranges of each provider, so that security scores from different providers are expressed on a standard scale. In addition, you can create rules that automatically send vendor assessments when a security score changes.
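As an added illustration (not ServiceNow's own code, nor code from the original article), the following JavaScript shows how the score-driven pieces described above can fit together: provider scores normalized onto one scale, tiers assigned from configurable score ranges, and a rule that requests a reassessment when a score changes. The provider scales, tier cut-offs and rule thresholds are assumptions chosen for the example.

```javascript
// Added illustration, not ServiceNow's own code. The provider score ranges,
// tier cut-offs and rule thresholds are assumptions; in a real instance they
// are configuration values, not constants.

// Assumed native scales of two score providers (for both, higher is better).
const PROVIDER_SCALES = {
  bitsight: { min: 250, max: 900 },
  securityscorecard: { min: 0, max: 100 },
};

// Normalize a provider's raw score onto a common 0..100 scale.
function normalizeSecurityScore(provider, raw) {
  const s = PROVIDER_SCALES[provider];
  if (!s) throw new Error("unknown score provider: " + provider);
  const clamped = Math.min(Math.max(raw, s.min), s.max);
  return Math.round(((clamped - s.min) / (s.max - s.min)) * 100);
}

// Assumed tiering-assessment scale: 0..100, higher = more inherent risk.
// Each tier owns a configurable score range; the ranges must not overlap.
const TIER_RANGES = [
  { tier: "Minor", min: 0, max: 19 },
  { tier: "Low", min: 20, max: 39 },
  { tier: "Moderate", min: 40, max: 59 },
  { tier: "High", min: 60, max: 79 },
  { tier: "Critical", min: 80, max: 100 },
];

function tierForAssessmentScore(score) {
  const hit = TIER_RANGES.find((r) => score >= r.min && score <= r.max);
  if (!hit) throw new Error("assessment score out of range: " + score);
  return hit.tier;
}

// Rule: send a vendor assessment when the normalized security score drops by
// at least `minDrop` points or falls below `floor`. The normalized values are
// returned too, so the reason can be recorded with the assessment request.
function assessmentRule(provider, previousRaw, currentRaw, minDrop, floor) {
  const before = normalizeSecurityScore(provider, previousRaw);
  const after = normalizeSecurityScore(provider, currentRaw);
  const dropped = before - after >= minDrop;
  const belowFloor = after < floor;
  const reason = dropped ? "score drop" : belowFloor ? "below floor" : "none";
  return { before, after, sendAssessment: dropped || belowFloor, reason };
}
```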
3. SOX Content Pack
The SOX content pack helps streamline SOX assessments. SOX compliance pertains to the Sarbanes-Oxley Act, which was passed to protect shareholders and the general public from accounting errors and enterprise fraud. The act requires any publicly held company to establish in-house procedures and controls for financial reporting. Although it has been more than 10 years since the Sarbanes-Oxley Act was passed, many companies still struggle with SOX compliance and audit requirements.
The pack provides basic SOX content that enables an organization to initiate and manage activities related to attaining operational SOX compliance, including the templates, indicators and reporting required for SOX compliance. The SOX content pack eases the work of both internal and external auditors during SOX audits. The pack is available on the ServiceNow Store.
As a holistic package, ServiceNow GRC helps transform inefficient processes across an entire enterprise. It combines security, IT and risk capabilities into one integrated program, giving organizations rapid, real-time responses to business risks and capabilities for continuous monitoring, automation and prioritization that improve performance overall.
If you’re interested in GRC with ServiceNow, but aren’t sure where to begin, please feel free to contact us. Our experts at abhra Inc. are experienced ServiceNow implementation partners for all things ServiceNow such as ServiceNow implementations, MSPs, CMDB and modules for GRC, SAM and more.