Ideagen's Enterprise Risk Management (ERM) software solution (formerly known as Pentana Risk) fully integrates risk management processes, from identifying and assessing risk business-wide, to assigning and monitoring mitigation plans, all the way through to reporting and defining a long-term strategy for enhanced performance.
N/A
ServiceNow Governance, Risk, and Compliance
Score 8.1 out of 10
N/A
ServiceNow Governance, Risk, and Compliance provides the tools businesses use to proactively manage risk by measuring, testing and auditing internal processes. This solution helps business users ensure compliance to regulations, policies, standards and frameworks. It is available via the Standard, Professional, and Enterprise editions, the latter two supporting GRC and internal auditing processes.
Pentana is great for monitoring PIs and risks. We find it less helpful for monitoring projects (with the Actions module); it isn't quite flexible enough for our needs, though the support team have been very helpful in adding custom fields for us.
Oracle EBS R12 requires a unique user skillset to understand how it handles user access and functions. Accordingly, ServiceNow has this high level of sophistication to manage this information and apply it to Sensitive Access and Segregation of Duties rules to identify exceptions. This depth of configuration is critical to accurately identify when Oracle Responsibilities (access) truly allows access and thus could be a violation. ERPs with less complexity may not require this customization of ServiceNow GRC, but you would be wise to raise these questions and examples in the demo to ensure it will work for you. In the past, we have found that risks of under-reporting exceptions or false positives become so voluminous that users don't always get to the accurate violations for timely remediation. Proper configuration up front will improve your effectiveness and ROI down the road.
Pentana is excellent for monitoring, recording and reporting on PIs. Very easy to use the PI module.
Pentana is excellent for monitoring risks at various levels (service, strategic etc.). Risks are displayed very clearly in a tree structure and the module is relatively easy to use.
Finding reported by the auditor. GRC helps us identify, assign, and track the resolution of this.
Exception to information security policy. These require quarterly reviews and setting up reminders to revisit these.
Building out new projects and baking security and compliance into the project and tracking it in GRC to ensure we deliver a compliant product on day one
Pentana could improve the free Documents module that comes with Pentana Risk. At the moment documents have to be linked to an action in order to display query results (such as how many documents are due for review) - this can be confusing for users who don't understand why there is an action linked. There is also no easy way for users to see the documents that are assigned to them.
We would like to use the Actions module fully in order to monitor our corporate projects, but it a bit confusing for users and not very flexible when a project doesn't mirror Pentana's way of monitoring actions.
Delivering more out of the box functionality that rivals other GRC platforms. The bare bones approach may not help companies that do not have expertise or capabilities to build effective GRC processes.
Easier way to implement workflow.
Offering better metrics without buying add-on tools.
Some modules are more user-friendly than others. It's sometimes not obvious where to click to update the fields (or even that field titles can be clicked on). We have written 'Howdys' to help users. There can also seem to be a lot of steps/clicks to updating risks and actions. The Reports module on Pentana classic is certainly not user-friendly, particularly the Report Layout and Charts modules - we were told these would be integrated into the web version but this hasn't happened yet.
I'm satisfied with our experience. The configuration was the biggest challenge, but we have moved onto the stage of user training and usability. We would appreciate having better user training documentation and possibly videos and/or computer-based training to help our international users adopt this software for their GRC needs.
It's a good system, but I am awaiting key features in the new release. We hear that ServiceNow is continually adding new features and we look for improved reporting, better Oracle Integration, and user training opportunities. To the extent these materialize, we expect further improvements in our experience with ServiceNow GRC. Until that time, though, we believe we are meeting our objectives expected at the beginning of this project.
We selected Pentana because our neighbouring authorities are users and had spoken highly of the product and given us demonstrations; some of our staff were also familiar with Pentana when it was called Covalent. It seemed to be the best product on the market for monitoring risks, PIs and projects.
We just recently started using TrustArc for data privacy requests and I can already speak to the fact that TrustArc is a more confusing platform once there. The positives of ServiceNow would be that a majority of our URL's drive to owned websites which our employees are very comfortable with using versus pushing them to another website that feels unsafe.
Pentana Risk has allowed my team to focus on other areas of work whereas before we would be manually chasing for updates on PIs and risk. Pentana Risk does the chasing for us!
We are able to produce reports for audit purposes very easily, rather than sending spreadsheets which is what we used to do.
New managers can easily inherit risks, projects and PIs and see all of this on a custom portal, saving them time when they start.
