ServiceNow Governance, Risk, and Compliance

Being used in one of our departments to manage the GRC needs related to incident management of IT and non-IT applications and devices. SN BCM is being used to automate and manage the disaster recovery planning for critical IT applications serving the healthcare needs. This helped us lower the administration cost and also ensure the consistent uptime of applications helping us deliver patient care. Also, bringing everything in one place and automating helped us maintain a single source of truth to be leveraged across other enterprise applications.

ServiceNow Governance, Risk, and Compliance is our central request management system along with tools to generate value out of the data. It helps to keep track of requests within a huge organization and has options to archive them. Dashboards are very intuitive in nature and add value.

As our company looked to assess and document our Internal Controls Environment and management, we looked to ServiceNow and other vendors to provide us with a framework/baseline starting point. We carefully compared features/capabilities of ServiceNow, Metric Stream, Modulo, and others and really benefited from the software demos offered by each company. We chose ServiceNow because of our already positive experience with their IT helpdesk software (was already used in our company) and how intuitively the GRC software appeared to operate. We understood that some customization was necessary, but felt it would more easily be adapted to our business versus the other options. Our experience, so far, has been positive; however, we feel we are still in the configuration/expansion phase. The challenges we are still overcoming are in our understanding of GRC attributes of our Oracle EBS R12 system, Active Directory access controls, and change control over these and other IT systems.

Our experience has been positive, and we appreciate the level of reporting and insight we gained by selecting a software like ServiceNow GRC instead of trying to handle this ourselves with documents and spreadsheets. As with most implementations, the costs occur up front, but we do expect an ROI in the next few years as we establish processes of administration, assessment, and remediation.

I was on the team that implemented this at my former company and we are implementing this at my current company. On the security and risk teams, it is an absolute must to have a simple, repeatable way of mapping, tracking, and resolving security and risk issues. This is extremely valuable for us when we have our audits and need to provide evidence that we are adhering to what we say we do. ServiceNow GRC is very scalable and customizable which helped us meet both industry-standards and internal classification requirements in our organization.

This is a tool that's being used by the entire company. It has helped the entire company understand and have knowledge about incidents, problems, as well as other stuff that is happening in the different areas of the company. All in a single web interface, easy to use and for all users.

ServiceNow was already a product being used by my company. Within Information Security, we had a need for a GRC platform. It came to our attention ServiceNow offered this. Out of the box there was very little that could be leveraged to support a robust GRC platform. However, all the functionality was there to be used after extensive configuration, etc. Some custom code was required although we tried to limit wherever possible. After approximately 8 - 10 months of designing and developing our requirements into the tool, we had a program that could be supported by a GRC tool, that was largely built in a way that would fit our needs and current processes. The only cost was the additional license. The only frustration that comes from choosing ServiceNow, is that it took several months to get what other GRC tools (e.g. Modulo, MetricStream, etc) offer out of the box. However, that comes at a much higher cost. I would recommend ServiceNow Governance, Risk and Compliance (GRC) to anyone already using ServiceNow for Service Management and has a limited security budget. The other benefit is the integration with an existing CMDB or asset inventory where ServiceNow is the record of reference.