Two of the most common technology acquisitions or upgrades under consideration for many large enterprises today are IT Service Management (ITSM) and Governance, Risk, and Compliance (GRC). Most organizations have separate departments evaluating and purchasing platforms and applications to enable each of these process disciplines. If stakeholders across these process areas are not talking to each other, there’s a high risk of needlessly double-investing in the licensing, implementation, and on-going maintenance costs required to run two separate platforms, and worse, creating silos of information that will slow down rather than enhance each process area.
This article describes the 4 main reasons why building an integrated GRC and ITSM solution on a single platform like Servicenow, and avoiding the purchase and acquisition of a stand-alone GRC platform, is a great idea:
#1. Most of the evidence required by your controls framework (SOX, HIPAA, PCI, etc.) already lives in Servicenow
This is the biggest and most exciting differentiator between Servicenow and other stand-alone GRC platforms such as EMC’s RSA Archer.
Most, if not all current Servicenow customers are utilizing the Servicenow platform to manage IT related processes including Incident, Problem, Change, Service Request, and Asset Management. In addition to these common IT processes, many customers have realized the robust platform capabilities of Servicenow and have already extended their Servicenow implementation to incorporate business processes including HR, Legal, and Facilities just to name a few.
Because Servicenow is becoming the new “ERP for IT” and is housing much of the IT and business data required by compliance frameworks such as SOX, HIPAA, and PCI…companies are now able to avoid acquiring a stand-alone GRC platform, and instead integrate their controls framework directly into Servicenow’s GRC application. An integrated strategy allows Servicenow customers to automate many of the manual audit and controls test activities that have, in the past, required thousands of man hours and millions of dollars to complete manually every year.
See how a public technology company was able to save $840k and 9,000 man hours every year by implementing GRC on their existing IT Service Management platform – Case Study: Integrating GRC & ITSM
#2. Effective Enterprise Risk Management requires real-time ITSM, GRC, and Business Data
Effective Enterprise Risk Management, or ERM, requires the aggregation and management of both IT and Business data across the enterprise to allow Directors, Executives, and Board Members to make better decisions by having a clear and holistic view into the overall risk of their organization.
Servicenow is the perfect platform for building a robust ERM program because it houses much of the data required to derive real-time risk scores for all the different aspects of your business. In the Servicenow example below, we’re able to derive risk scores for each business system (or business service) broken down by risk criteria including patching & vulnerability, asset age, documentation, system complexity, and skills check. Where Servicenow sets itself apart is this idea that the overall risk scores are derived based on real-time asset data housed in the Servicenow Configuration Management Database (CMDB) and managed using the Servicenow Asset Management application. No other GRC platform has the ease of access to IT and Business data required by a mature ERM program like we do with Servicenow.
(Business System Risk Profile – This report gives executives an overview of the overall risk of a particular business system. It provides individual metrics for the items above as well as an overall risk score per business systems.)
#3. Servicenow is a strategic platform, not just an IT Service Management application
Servicenow is a cutting edge cloud-based technology platform that happens to do IT Service Management really well out-of-the-box. With a world-class workflow, notifications, integrations, reporting, and orchestration engine, Servicenow is a platform that enables both software engineers and citizen developers alike to build cutting edge IT and business applications quicker and cleaner than ever before. Michael Dortches latest blog article on CERN is a great example of this: Enterprise City: Where Your Organization Needs to Be. Now.
Because of this ability to quickly and easily build pretty much any business or IT application on the Servicenow platform, the out-of-the-box IT Service Management capabilities, and the out-of-the-box GRC application, Servicenow has all the ingredients to not only compete with the leading GRC platforms, it also provides companies with a level of integration, automation, and visibility that only a Platform-as-a-Service (PaaS) offering like ServiceNow can provide.
#4. Stand-alone GRC platforms are expensive
Acquiring a stand-alone GRC platform can be very expensive. For example, a typical enterprise looking to implement a stand-alone GRC platform can expect licensing and year-one implementation costs between $200k – $500k, consulting fees of $50 – $150k, and annual maintenance costs of $40k – 120k. All of this without any of the benefits or capabilities of integrating and automating control processes, and accessing real-time data enabled by an integrated GRC and ITSM solution built on a platform like Servicenow.
In our experience, Intréis been able to implement a mature GRC program on Servicenow nearly two times faster, with 30% less resources, and at a fraction of the cost of what it would take to implement a stand-alone GRC platform.
To learn more, check out our webinar recording – Integrated GRC on ServiceNow!
