Item: ServiceNow Governance, Risk, and Compliance
Rating: 5
Author: Verified User

Use Cases and Deployment Scope

As our company looked to assess and document our Internal Controls Environment and management, we looked to ServiceNow and other vendors to provide us with a framework/baseline starting point. We carefully compared features/capabilities of ServiceNow, Metric Stream, Modulo, and others and really benefited from the software demos offered by each company. We chose ServiceNow because of our already positive experience with their IT helpdesk software (was already used in our company) and how intuitively the GRC software appeared to operate. We understood that some customization was necessary, but felt it would more easily be adapted to our business versus the other options. Our experience, so far, has been positive; however, we feel we are still in the configuration/expansion phase. The challenges we are still overcoming are in our understanding of GRC attributes of our Oracle EBS R12 system, Active Directory access controls, and change control over these and other IT systems.

Our experience has been positive, and we appreciate the level of reporting and insight we gained by selecting a software like ServiceNow GRC instead of trying to handle this ourselves with documents and spreadsheets. As with most implementations, the costs occur up front, but we do expect an ROI in the next few years as we establish processes of administration, assessment, and remediation.

Pros and Cons

Easily configurable and potentially customizable where needed
Handle multiple user inputs and change management
Good dashboard reporting and visibility for executive team

Dashboard reporting takes some configuration to show KPIs needed
Cost may increase as we add more users/expand its scope internationally
Needs better templates to help our team configure and deploy effectively

Return on Investment

Great ROI in time savings
Scalable
Executive and Internal Audit visibility of Risks and Compliance

Alternatives Considered

We performed these assessments manually for years before selecting ServiceNow GRC. Other companies we assessed were Modulo and Metric Stream. Our takeaway from the other companies was that they seemed too simplistic to handle the needs of an Oracle EBS R12 ERP and our other systems. Further, we liked the reporting elements that came out of the box from ServiceNow.

Support Rating

It's a good system, but I am awaiting key features in the new release. We hear that ServiceNow is continually adding new features and we look for improved reporting, better Oracle Integration, and user training opportunities. To the extent these materialize, we expect further improvements in our experience with ServiceNow GRC. Until that time, though, we believe we are meeting our objectives expected at the beginning of this project.

Usability

I'm satisfied with our experience. The configuration was the biggest challenge, but we have moved onto the stage of user training and usability. We would appreciate having better user training documentation and possibly videos and/or computer-based training to help our international users adopt this software for their GRC needs.

Key Insights

Do you think ServiceNow Governance, Risk, and Compliance delivers good value for the price?

Yes

Are you happy with ServiceNow Governance, Risk, and Compliance's feature set?

Yes

Did ServiceNow Governance, Risk, and Compliance live up to sales and marketing promises?

Yes

Did implementation of ServiceNow Governance, Risk, and Compliance go as expected?

Yes

Would you buy ServiceNow Governance, Risk, and Compliance again?

Yes

Likelihood to Recommend

Oracle EBS R12 requires a unique user skillset to understand how it handles user access and functions. Accordingly, ServiceNow has this high level of sophistication to manage this information and apply it to Sensitive Access and Segregation of Duties rules to identify exceptions. This depth of configuration is critical to accurately identify when Oracle Responsibilities (access) truly allows access and thus could be a violation.
ERPs with less complexity may not require this customization of ServiceNow GRC, but you would be wise to raise these questions and examples in the demo to ensure it will work for you. In the past, we have found that risks of under-reporting exceptions or false positives become so voluminous that users don't always get to the accurate violations for timely remediation. Proper configuration up front will improve your effectiveness and ROI down the road.

Great software for GRC

Software Version

Overall Satisfaction with ServiceNow Governance, Risk, and Compliance