KnowBe4 KCM GRC Platform (discontinued) vs. ServiceNow Governance, Risk, and Compliance

KnowBe4 KCM GRC Platform is well suited for a company that knows what they're doing compliance wise and needs to save time doing it. It won't be something you can spend a few hours on and then put on autopilot. It was made to create a rhythm within your own team, and you'll need to have the buy-in. It's useful for IT and Legal teams that already have a vendor risk management process, but want to have a better handle on it. Giving an outside auditor read-only access to a scope is also a huge time saver.

Incentivized

Oracle EBS R12 requires a unique user skillset to understand how it handles user access and functions. Accordingly, ServiceNow has this high level of sophistication to manage this information and apply it to Sensitive Access and Segregation of Duties rules to identify exceptions. This depth of configuration is critical to accurately identify when Oracle Responsibilities (access) truly allows access and thus could be a violation. ERPs with less complexity may not require this customization of ServiceNow GRC, but you would be wise to raise these questions and examples in the demo to ensure it will work for you. In the past, we have found that risks of under-reporting exceptions or false positives become so voluminous that users don't always get to the accurate violations for timely remediation. Proper configuration up front will improve your effectiveness and ROI down the road.

Incentivized

• Mapping controls across different compliance frameworks. It saves you a ton of time and energy!
• Performing risk assessments at the granularity that you prefer, splitting assessments across departments and teams if you wish.

Incentivized

• Finding reported by the auditor. GRC helps us identify, assign, and track the resolution of this.
• Exception to information security policy. These require quarterly reviews and setting up reminders to revisit these.
• Building out new projects and baking security and compliance into the project and tracking it in GRC to ensure we deliver a compliant product on day one

Incentivized

• Vendor management has a few kinks to work out. We want to be able to do internal questionnaires for vendors as a compliance checklist before we sign off on a contract. Nothing in the works yet, but there are a few workarounds.
• The navigation between different tasks in scope is clunky, and it's easy to lose your place, and it forces you back to the main page of the scope to retrace your steps.

Incentivized

• Delivering more out of the box functionality that rivals other GRC platforms. The bare bones approach may not help companies that do not have expertise or capabilities to build effective GRC processes.
• Easier way to implement workflow.
• Offering better metrics without buying add-on tools.

Incentivized

I'm satisfied with our experience. The configuration was the biggest challenge, but we have moved onto the stage of user training and usability. We would appreciate having better user training documentation and possibly videos and/or computer-based training to help our international users adopt this software for their GRC needs.

Incentivized

Support from KnowBe4 KCM GRC Platform is always great. It's always in-house localized support, with excellent response times, and dedicated Customer Success Managers to answer the bulk of your questions or take your suggestions and make them a feature request. They will also reach out at least quarterly and do health checks to make sure you're using the platform to the best of your ability.

Incentivized

It's a good system, but I am awaiting key features in the new release. We hear that ServiceNow is continually adding new features and we look for improved reporting, better Oracle Integration, and user training opportunities. To the extent these materialize, we expect further improvements in our experience with ServiceNow GRC. Until that time, though, we believe we are meeting our objectives expected at the beginning of this project.

Incentivized

Quantivate and Fusion were the other two options we checked out. The quantity was high, and a good bit more expensive, but it was the best performing with its platform. They also had more modules that each cost extra to add to your subscription. KnowBe4 KCM GRC Platform was all-in-one and a little less mature, but the better buy. Fusion was hard to follow in the demo, and I was not overly impressed. I may have made my decision early enough in the demo to not pay much more attention to it.

Incentivized

We just recently started using TrustArc for data privacy requests and I can already speak to the fact that TrustArc is a more confusing platform once there. The positives of ServiceNow would be that a majority of our URL's drive to owned websites which our employees are very comfortable with using versus pushing them to another website that feels unsafe.

Incentivized

• Just having the capacity to do things the right way, and formally, has driven some of our compliance efforts.
• Due to licensing limitations, we likely overspent on seats to the platform that we didn't need but also didn't want to miss out on.

Incentivized

• Effective Enterprise Risk Management
• Holistic Real-time Monitoring of your technology and Risk
• Negative - Asset Management has some issues and Ghost / Shadow IT is big issue