Great software for GRC
September 17, 2020

Great software for GRC

Anonymous | TrustRadius Reviewer
Score 5 out of 10
Vetted Review
Verified User

Software Version

IRM Enterprise

Overall Satisfaction with ServiceNow Governance, Risk, and Compliance

As our company looked to assess and document our Internal Controls Environment and management, we looked to ServiceNow and other vendors to provide us with a framework/baseline starting point. We carefully compared features/capabilities of ServiceNow, Metric Stream, Modulo, and others and really benefited from the software demos offered by each company. We chose ServiceNow because of our already positive experience with their IT helpdesk software (was already used in our company) and how intuitively the GRC software appeared to operate. We understood that some customization was necessary, but felt it would more easily be adapted to our business versus the other options. Our experience, so far, has been positive; however, we feel we are still in the configuration/expansion phase. The challenges we are still overcoming are in our understanding of GRC attributes of our Oracle EBS R12 system, Active Directory access controls, and change control over these and other IT systems.

Our experience has been positive, and we appreciate the level of reporting and insight we gained by selecting a software like ServiceNow GRC instead of trying to handle this ourselves with documents and spreadsheets. As with most implementations, the costs occur up front, but we do expect an ROI in the next few years as we establish processes of administration, assessment, and remediation.
  • Easily configurable and potentially customizable where needed
  • Handle multiple user inputs and change management
  • Good dashboard reporting and visibility for executive team
  • Dashboard reporting takes some configuration to show KPIs needed
  • Cost may increase as we add more users/expand its scope internationally
  • Needs better templates to help our team configure and deploy effectively
  • Great ROI in time savings
  • Scalable
  • Executive and Internal Audit visibility of Risks and Compliance
We performed these assessments manually for years before selecting ServiceNow GRC. Other companies we assessed were Modulo and Metric Stream. Our takeaway from the other companies was that they seemed too simplistic to handle the needs of an Oracle EBS R12 ERP and our other systems. Further, we liked the reporting elements that came out of the box from ServiceNow.
It's a good system, but I am awaiting key features in the new release. We hear that ServiceNow is continually adding new features and we look for improved reporting, better Oracle Integration, and user training opportunities. To the extent these materialize, we expect further improvements in our experience with ServiceNow GRC. Until that time, though, we believe we are meeting our objectives expected at the beginning of this project.
I'm satisfied with our experience. The configuration was the biggest challenge, but we have moved onto the stage of user training and usability. We would appreciate having better user training documentation and possibly videos and/or computer-based training to help our international users adopt this software for their GRC needs.

Do you think ServiceNow Governance, Risk, and Compliance delivers good value for the price?


Are you happy with ServiceNow Governance, Risk, and Compliance's feature set?


Did ServiceNow Governance, Risk, and Compliance live up to sales and marketing promises?


Did implementation of ServiceNow Governance, Risk, and Compliance go as expected?


Would you buy ServiceNow Governance, Risk, and Compliance again?


Oracle EBS R12 requires a unique user skillset to understand how it handles user access and functions. Accordingly, ServiceNow has this high level of sophistication to manage this information and apply it to Sensitive Access and Segregation of Duties rules to identify exceptions. This depth of configuration is critical to accurately identify when Oracle Responsibilities (access) truly allows access and thus could be a violation.
ERPs with less complexity may not require this customization of ServiceNow GRC, but you would be wise to raise these questions and examples in the demo to ensure it will work for you. In the past, we have found that risks of under-reporting exceptions or false positives become so voluminous that users don't always get to the accurate violations for timely remediation. Proper configuration up front will improve your effectiveness and ROI down the road.

ServiceNow Governance, Risk, and Compliance Feature Ratings

Common repository of GRC items
Risk management
Integration with Corporate Performance Management (CPM) systems
GRC policy management
Incident management