In this session, we will explore the Governance, Risk, and Compliance (GRC) module in ServiceNow to review how it can strengthen your organization’s risk posture. Learn how automated workflows, real-time monitoring, and policy management drive smarter compliance and decision-making. Ideal for risk, audit, and compliance professionals seeking a unified approach to governance and control.
#ServiceNow #IntroToServiceNow #ServiceNowTraining #ServiceNowPlatform #ServiceNowEssentials #ITSM #DigitalWorkflows #ServiceNowBasics #ServiceNowLearning #CloudPlatform #IncidentManagement #ChangeManagement #ServiceCatalog #Workflows #EnterpriseIT #ITAutomation #ServiceNowForBeginners #ServiceManagement #PlatformAsAService #TechTraining #FutureOfWork #mindbyte #Sessions #tecman #Free #HR #GRC
00:00Hello everyone. Welcome to our MindByte series presented by TechMath. So this session continues
00:27from our previous road where we introduce ServiceNow and explore IT Service Management, IT Operation
00:34Management, IT Asset Management, and HRSD. Today's session will focus on ServiceNow GRC. In this session, we will walk through what GRC is, its key concepts, and how it helps organizations manage
00:48governance, risk, and compliance in a single integrated platform. We also look at the core modules and see how ServiceNow moves us from manual, scattered processes to centralized, automated, and auditable systems.
01:04Today's speakers in this session are Mr. Erzan John and Mr. Majid Said; both are very competent, ServiceNow certified consultants and trainers.
01:15So, you can watch all our sessions on YouTube, LinkedIn, and Facebook as well. So, we're proud to have RTTech Solution, Northcyber, OGMC, and Delta One as our strategic partners for today's session.
01:32For upcoming updates and sessions, so please visit our TechMan official website and LinkedIn page and Facebook as well.
01:40So, let me just give you a quick rundown of our upcoming free sessions. So, it's going to be on ServiceNow SPM on September 18, and the next one on ServiceNow CSM on October 2.
01:56Before I hand over to Erzan, let me share how today's session will run down and why it will be valuable for you.
02:06This GRC session will be divided into two phases. One phase, introduction by Erzan John, and second phase, question and answer with emergency.
02:15So, you can drop your questions in the comments during these sessions. So, Mr. Erzan, now it's short tense. So, give us some further enhancement and further presentation on this GRC. Thank you.
02:33Thank you and good afternoon. My name is Erzan Sakib and today we're going to be discussing GRC or Governance Risk Compliance.
02:57So, the agenda for today is going to be, first we're going to discuss what is GRC, how it's implemented in companies, what is Governance Risk and Compliance separately and specifically.
03:09Then we're going to discuss some key pillars of ServiceNow GRC, which are not exactly modules, but they're absolutely integral to making GRC work.
03:19After that, we're going to look at some of the core modules that GRC has to provide you with these services.
03:27And in the end, we're going to hold a Q&A session.
03:39So, let's start with something. Let's start with the basics. What exactly is GRC inside ServiceNow?
03:51So, GRC stands for Governance Risk and Compliance. And inside ServiceNow, it's delivered through what's often called the Integrated Risk Management application or the IRM application.
04:07At its core, it's about giving organizations a single structured system to manage all the rules they have to follow, the risks they have to face and the controls they have to put in place to stay compliant with regulations and other external rules that they have to follow.
04:25Now, why exactly is this important? In most cases that I've seen, Risk, Compliance and Governance used to live in separate places like spreadsheets, emails and disconnected tools, which is often disadvantageous for many companies.
04:45By separate and disconnected tools, I mean, let's say we can take an example. Let's say a company that is using different HRM tools like Orange HRM to manage their employees, to get their attendance, to record their leaves, etc.
05:04And to comply with the specific policies of those tools, they have to send you emails and tasks on ClickUp, which are very disconnected and in separate places, so it's hard to keep track of them.
05:19But let's be more specific, like finance companies might need to adhere to Sarbanes-Oxley controls and they have to manage that in Excel.
05:29IT security might track vulnerabilities in separate systems.
05:34Now, that might work for a while, but when executives ask, like, where exactly are we most exposed?
05:42Nobody has a single and trusted answer because all the data is just scattered in many different places.
05:49And many of the important things slip through the cracks and can't be compiled when they're needed for audits or any other reports.
05:57So it's a huge disadvantage for many companies out there.
06:02Other than that,
06:06OK, so this is where GRC comes in. Instead of having like silos of isolated data, you can get a centralized platform that ties everything together.
06:21Your policies, your controls and the risks that you're monitoring, everything.
06:27So from what I've seen in GRC, the real value is in the automation and visibility.
06:33You can basically automate many different tasks like evidence collection, trigger risk assessments when something changes in the ServiceNow environment,
06:43and generate real-time dashboards for executives and auditors.
06:48That means no more chasing down documents before audits because all of that data is stored in one single place already.
06:56And this is, it's not just about avoiding fines from audits, etc.
07:02Although that's a huge driver, organizations use GRC to make better decisions basically,
07:08because they can actually see what their risk exposure is in real time rather than waiting for a quarterly report or something like that.
07:17So in simple terms, ServiceNow GRC is how organizations move from reactive manual compliance to proactive and automated,
07:26where they implement a risk-aware culture in their company.
07:30Now let's look at GRC or governance risk and compliance separately.
07:36What is governance?
07:38When we say governance in an organization, we are really talking about the decision making and accountability.
07:45It's about making sure that the right people have the right authority and the policies are being followed consistently that are set by the company or other external regulations as well.
07:58So in ServiceNow, governance is enforced through different policies, control objectives and workflows,
08:07which are configured to the specific needs of your company.
08:11For example, if your organization has a policy that all critical changes must be approved by a compliance officer.
08:20ServiceNow can enforce that automatically through approvals and role based access and other tools that it has.
08:28Governance also includes tools like reporting and oversight through dashboards and performance analytics provided in ServiceNow.
08:37It helps give executives and employees visibility into how well the company is meeting their governance objectives.
08:45It ensures that compliance and risk aren't just operational issues.
08:50They're built into the decision making process.
08:52After that, now we're moving on to risk.
08:58Risk is about the uncertainty or the possibility that something could go wrong and impact your business.
09:05But in the GRC module, risk management is structured.
09:10Each risk is written in a risk statement, and the structure is basically: first the cause is defined, that is, what might be the trigger;
09:20then the event, what might happen because of that trigger; and the impact it has, the effect on the organization,
09:30the many things that it's going to affect, which is stored in the impact section.
09:36Now, for example, we can take an example of a company: because of weak access controls, an unauthorized user may gain access, leading to data breaches.
09:48Now, the cause here is the weak access control that's in the company.
09:55The event is some individual gaining unauthorized access to confidential data that your company holds and the impact is it causes a data breach.
10:06So in ServiceNow, risks can be grouped into frameworks, which are IT security, financial, operational.
10:17All of these have those risks categorized, and they're tied to entities as well in ServiceNow.
10:25These could be business units or processes or even specific assets that those risks apply to, which are stored in CMDB separately.
10:34So ServiceNow, it also allows you to apply risk scoring modules, which can be qualitative, like low, medium, high.
10:45It can be set according to your specific needs, what you prefer, what's easier for you to use.
10:55It can also be quantitative using percentages or likelihoods.
11:00So it's a method to prioritize those risks.
11:04Now, in my opinion, the biggest advantage that ServiceNow GRC provides in risk management is, again, the automation.
11:13For example, if you have a vulnerability scanner, which finds critical issues on a server.
11:21Now, in that situation, because that's a huge risk and can lead to many problems down the stream.
11:30Instead of going all through the due diligence and assigning that problem to someone, it can automatically trigger the risk assessment.
11:40And assign it to the appropriate agent or the person that has to review it.
11:48So no waiting for manual intervention.
11:51Everything is automated.
11:55After that, we have compliance finally.
11:59So compliance is about making sure that the organization is following both external regulations and internal policies.
12:06Now, by external regulations and internal policies, I mean external regulations are like GDPR for data privacy or Sarbanes-Oxley for financial reporting or HIPAA for healthcare data.
12:20These exist basically for many reasons, like employee safety, maintaining market trust, and avoiding malpractice by companies.
12:29Basically, it's for check and balance on organizations.
12:35And as for internal policies, these are set by the company themselves.
12:39These are company specific rules like enforcing multifactor authentication or requiring employees to reset passwords every 90 days for cybersecurity.
12:49So in ServiceNow, these requirements are modeled as authority documents, both internal and external regulations are modeled as authority documents.
13:04These are broken down into many different parts like citations, which are specific requirements, and then mapped to controls that the company implements.
13:16So instead of compliance being like a checklist, ServiceNow gives you a living system of records.
13:24Which is dynamic and constantly being updated.
13:28So every control is tied to an owner, tasks, and evidence.
13:34So that way, when an auditor asks, show me how your company is complying with a certain article of GDPR on data security,
13:44So you can pull up exactly what they need.
13:48You can pull up instantly with the map controls and proof.
13:53Now that we have had a brief overview of what governance risk and compliance is, let's look on the key pillars that support GRC in ServiceNow.
14:10So let's talk about what I consider like the key building blocks of GRC in ServiceNow.
14:16These aren't modules on their own, but they're absolutely essential for making the whole governance risk and compliance framework work.
14:24So the first one is authority documents like we were discussing before.
14:33Think of authority documents as the source of truth for compliance rules.
14:39These are external regulations, frameworks or standards that your organization has to follow, like ISO and HIPAA, as I mentioned before.
14:49So in ServiceNow, we load all of these authority documents into the system so that every compliance activity is linked back to the official regulation or standard.
15:00Now that way we are not working in isolation.
15:04Everything we do is anchored to real world requirements and is tracked through logging as well.
15:12Now authority documents are made up of more specific instructions, and that brings us to the second pillar, which is citations.
15:24A citation is basically a clause or requirement inside ServiceNow.
15:29Sorry, inside the authority document, for example, let's say GDPR article might say you need to implement security measures for data protection.
15:41Now that's a citation.
15:44Citations are the actionable parts of the regulation that you need to comply with.
15:50In ServiceNow citations are actually broken down and then mapped to controls and policies inside your organization.
15:58This mapping is very critical because it lets you trace the compliance all the way from high level regulation down to the exact control or process that it satisfies.
16:09Now what I personally think is that this traceability is one of the most powerful parts of GRC because like if you're having an audit and the auditor asks, show me how you comply with the specific requirement.
16:25You don't have to dig through Word documents or SharePoint or other data that your company has.
16:31You can literally click through ServiceNow from the menu in the banner to citation to control and then to the evidence to get all the relevant information that you need with just a few clicks.
16:46So that's a huge, huge advantage for companies.
16:52Next up, we have let's talk about the next two key pillars of ServiceNow GRC, which are control objectives and.
16:59Sorry.
17:00Yes, which are control objectives and policies.
17:12A control objective is a high level goal.
17:16Basically, you can.
17:18It's what you want to achieve in order to meet compliance and reduce the risk in your organization.
17:24Think of it as the intent behind your compliance activities.
17:28For example, a control objective might be to ensure only authorized users can access the sensitive data.
17:35Notice that's not a specific control yet.
17:40It's the overall objective. In ServiceNow, control objectives serve as a bridge between external requirements and the internal controls and internal policies that your company has.
17:55So that's basically what that was.
17:58Now let's look at the last pillar, which is policies.
18:03Policies are the internal rules and procedures your company creates to meet those control objectives.
18:12If the objective is, like we said before, ensure only authorized users can access sensitive data.
18:19Then the policy might be all employees must use multifactor authentication for system access.
18:25So that's how those two connect. In this module, policies basically can be written directly into the system
18:32and linked to authority documents and then mapped to the controls that enforce them.
18:44This way, employees can see them in the employee center as well.
18:49And auditors can see how they tie back to the compliance requirements.
18:52So together, these four, which were authority documents, citations, control objectives and policies,
19:00all of them can be linked and form a chain of traceability, like regulations define the rule, citations break the rules down and control objectives set the goal,
19:14whereas policies make it real in your environment and set specific goals that you can apply in your company.
19:22So that's basically the structure which makes GRC so powerful.
19:29Now that we've looked into that, let's move on to some of the core modules that ServiceNow GRC provides.
19:36These aren't all of them, but these are the main ones that we're going to be talking about today.
19:42So the first one is risk management.
19:44It's one of the core modules in GRC.
19:48In ServiceNow every risk is tracked as a record in the risk table, which is sn_risk.
19:57In that table, each record follows a specific structure, which is cause, event and impact.
20:06Now, all of the records adhere to this model, for example, because, let's say, because of weak access controls, an attacker might gain unauthorized access leading to data breach.
20:20Like this is the same example I gave before.
20:24In this, the cause of that problem is the weak access controls.
20:30The event is an unauthorized attacker gaining access to your company's data and confidential documents, etc.
20:41And the impact it has is that it had a huge data breach on your company.
20:48So risks in this table are assessed using scoring models.
20:55You can keep it simple with qualitative values like low, medium, high or use quantitative models like likelihood or impact or different scores.
21:06You can give it scores and percentages.
21:11So now these models live in the risk scoring model table, which is named sn_risk_scoring_model.
21:23This table can be customized as per the framework.
21:26Now, framework themselves are stored in a different table, which is the risk framework table.
21:31And different group related risks are stored in there as well.
21:37For example, IT security compliance or finance, to make the reporting easier.
21:43Everything is compartmentalized.
21:47So after that, once a risk is assessed through this model, you can log a response, mitigate it, accept it and transfer and then avoid it.
22:00These are all of these steps are tracked in the risk response table.
22:06In this table, you can also trigger tasks and policies, and control tests can be run as well.
22:13So one of the most powerful features is linking those risks to the business services or CIs in the CMDB, so that this way when your access is compromised or there is a data breach or any other problem,
22:35When you assess the impact of that, you know exactly what system and services are at stake, what's affected and how you can come up with a way to deal with it.
22:49Finally, it also leverages the dashboard tools and performance analytic tools to create reports showing all your top risks, open responses and compliance coverage in real time.
23:04So in that sense, it also helps you with decision making as well.
23:10The next module is audit management, which helps organizations plan, execute and track both internal and external audits.
23:20Now in ServiceNow, every audit engagement is tracked in the audit engagement table, which is named sn_audit_engagement.
23:30In this table, you can basically define the audit scope, the schedule and the teams assigned to the audit.
23:36And even the authority documents driving it, like ISO or Sarbanes-Oxley.
23:42Audits are actually broken down into a different table, which is the audit workspaces table, where auditors collect evidence, run control tests and record findings.
23:56Basically evidence can be directly attached in this system.
24:00So everything stays centralized and traceable.
24:02When in those audits, when gaps are found, the system generates issues automatically, which can be assigned to business owners with remediation tasks as well.
24:14Also giving them due dates.
24:18It has many different features to organize those issues.
24:22That way findings don't just sit in reports.
24:24They trigger real action and require real-time action to solve them.
24:30Now, finally, we have vendor risk management.
24:34This is the last one we're going to be talking about today.
24:38Vendor risk management or VRM focuses on assessing and monitoring those risks from third party vendors.
24:48This is very critical since vendor and supply chain breaches are now one of the biggest risk factors in organizations.
24:54So in ServiceNow GRC, this module gives you features that help you track those vendors through different tables.
25:04Keep track of those vendors in a table, which is the sn_vdr_vendor table.
25:12From there, you can launch different assessments, questionnaires, evidence requests.
25:18All of those are built from templates that define questions, scoring and thresholds.
25:24So this system calculates the risk scores based on these assessments,
25:31which can then trigger different workflows like remediation tasks or escalation for high risk vendors.
25:41This helps you mitigate many, many different downstream risks and vulnerabilities that you are prone to.
25:49You can also integrate external data feeds into it, such as security ratings or financial health checks for continuous monitoring.
25:59And then you can use that data to make dashboards and then provide visibility at basically all levels.
26:09For example, procurement sees onboarding process.
26:13Risk teams see detailed vendor scores and executives get a very clear picture of the overall vendor risk exposure that they have.
26:23So that was basically what VRM or vendor risk management module provides in ServiceNow GRC.
26:33Now that we're done with the core modules, we're going to move on to the Q&A session.
26:41Thank you, Mr. Radhan.
26:42I really appreciate your wonderful presentation on GRC.
26:55Before we open the Q&A session, I want to highlight how ServiceNow GRC is shaping this 2025 ecosystem.
27:04As we look at 2025, ServiceNow GRC is playing a much bigger role in how organizations operate.
27:13Companies are no longer satisfied with just ticking boxes for compliance.
27:18Instead, they are shifting towards a proactive risk-aware culture where governance, risk, and compliance are built into daily decision making.
27:27So what makes ServiceNow powerful is the way it connects everything, governance, risk management, compliance, audit, and even vendor risks, into a single platform.
27:39With automation and real-time dashboards, leaders get clear visibility into risk and compliance gaps, while teams can act quickly instead of waiting for the issues to pile up.
27:52So this is not just about staying compliant with regulations anymore.
27:58It's about creating resilience, building digital trust, and giving executives and regulators confidence that organization is in control.
28:09In today's ecosystem, that level of trust and agility can be the difference between keeping pace with change or falling behind.
28:19So we have some questions from our audience for Majid's side.
28:24So the question one I have, what is ServiceNow GRC and why is it important for organizations?
28:32So for the answer for the first one, why is it important for organizations?
28:38The ServiceNow GRC is a suite of applications that helps organizations to manage governance, risk, and compliance.
28:46In a structured and automated way.
28:48It integrates risk management, policy enforcement, compliance tracking, and audits within a single platform.
28:55Governance ensures that organizational activities align with business goals.
29:01Risk identifies potential risk in the system, or it could be an incident or an integration.
29:07It identifies that.
29:09Compliance ensures adherence to regulations, standards, and internal policies.
29:15So I could give an example for that as well.
29:18In real life, a bank needs to comply with SOX.
29:21It's just a simple regulation, SOX.
29:25And what benefits it could get while using ServiceNow GRC.
29:30It creates policies for financial data handling.
29:33It identifies risk like unauthorized access to financial systems.
29:38Also implements controls such as multi-factor authentication for finance applications.
29:43And it automates evidence collection from AD and system logs to prove compliance.
29:48Dashboards show executives the real-time compliance score and highlight failed controls.
29:54So the benefits that organization will get from this are that it reduces the manual burden of yearly audits,
30:00prevents regulatory fines, and ensures continuous compliance.
30:07That's the answer to the first question.
30:09Okay, do we have another one on board?
30:11Yes, we have another question from our audience.
30:14So how does ServiceNow GRC manage risk effectively?
30:20So ServiceNow GRC manages risk through a structured lifecycle.
30:24At first, it just identifies the risk.
30:26Risk identification is the most crucial step and the initial step in ServiceNow GRC risk.
30:32Risks are captured from multiple sources like manual entries, compliance assessments, incident data, vendor questionnaires, or integrations.
30:40So first step or crucial step is to just first identify the risk.
30:44And then the second one is to just assess the risk first.
30:48Each risk is evaluated by likelihood,
30:50how often it might occur, and impact, what impact it will have on the instance.
30:57The third step would be to just how the organization responds to that risk.
31:03If we just avoid that, like stop using the record, or remove the record from it first.
31:09Then the second step would be to mitigate, implement controls to reduce likelihood slash impact,
31:15or transfer it to another instance, outsource it, insure against the risk, or accept it.
31:20Like they will just keep the risk in the system and move forward with their other work.
31:26The fourth step would be the risk monitoring.
31:30Risks are tracked over time with key risk indicators,
31:33Workflows and status updates.
31:35Mitigation progress is also monitored.
31:37Last would be the risk reporting dashboard.
31:40You can use dashboard for that.
31:42Like the system will evaluate overall risk, the potential risk that the system has,
31:49and it will show all of them on your dashboards.
31:54Example for that would be a global e-commerce company identifies the risk of website downtime during Black Friday.
32:01It's a common error.
32:02It happens every time.
32:03So what the company will do, it first identifies the risk.
32:07System monitoring tools flag the risk.
32:10Then it will just assess the risk first.
32:13Like what's the current impact of that risk in the system?
32:17Is it medium, or is it very high, millions in lost revenue?
32:22And the third one will be how the company will respond to that risk.
32:27And the fourth one will be monitoring it, keeping it tracked.
32:31In this case, it would be CPU utilization and response time that are tracked in real time.
32:37The last step would be the reporting.
32:40Executives view a heat map showing IT risk for critical sales systems.
32:44So benefits of just managing risk through this is that the company proactively manages and reduces risk instead of reacting after an incident.
32:54So that's how a company should effectively manage risk.
32:59That's the answer to the second question.
33:02Okay.
33:03Wonderful.
33:04So I have one more question from our audience, Mr. Umair.
33:08So how does ServiceNow GRC integrate with other ServiceNow modules?
33:14ServiceNow GRC integrates with a couple of other modules such as CMDB.
33:19It could be CMDB.
33:20It could be incident and problem slash change management.
33:23It could be SecOps, security operations, vendor management.
33:28So in CMDB, why should it integrate with CMDB?
33:31Of course, risks and controls can be linked to assets, applications, services, or business units stored in the CMDB.
33:39This creates traceability.
33:40If a server, app, or service fails compliance, the related risk is immediately visible.
33:48And why it should be integrated to incident problem and change.
33:51Risk and compliance issues can trigger ITSM workflows.
33:54And this will identify the risk before it's happening.
33:57Like if you do not have to go through incidents and wait for it to get resolved.
34:01You can just track it through dashboards and resolve it immediately.
34:05And why is it being used in SecOps?
34:08Vulnerability, security, incidents, and threat intelligence from SecOps feed into the risk register.
34:14Risks are updated automatically as new threats emerge.
34:17A real-time example for that would be a financial service company uses ServiceNow GRC integrated with multiple modules.
34:26In the CMDB, business services like online banking are mapped to associated risks.
34:31In ITSM, when a control test fails, for example a misconfiguration, a change request is automatically generated for it.
34:38And for SecOps, a vulnerability detected in the bank's mobile app feeds directly into the GRC risk register.
34:47And you could just track that risk from there and start working on it before it moves on to an incident.
34:53You should wait for it to get resolved.
34:55Like you have to wait for it to get resolved for like a week or two.
34:59But the GRC, it will get identified in no time and it will be resolved in no time.
35:04Sounds good.
35:08So, I have one more question about, can you explain the lifecycle of policy and compliance management in ServiceNow?
35:21Yeah, sure.
35:22The policy and compliance lifecycle in ServiceNow provides a structured way to ensure regulatory requirements.
35:28For the first step it does in the policy and compliance management, it just creates authority documents; these are regulatory or industry frameworks.
35:38An organization must comply with these so it could just run smoothly and without any potential risks or impacts.
35:45Define citations, breakdown authority documents into specific requirements, clauses.
35:51The third one would be the map controls, create and link controls to citations to enforce compliance.
35:57Controls can be manual user access reviews or automated encryption settings.
36:03Fourth one would be assign ownership.
36:08Each control and policy is assigned to an accountable owner.
36:12It could be an IT manager, it could be a compliance officer, and then control tests would be conducted.
36:19Conduct control testing is to validate effectiveness and same for this one.
36:24It could be manually and it could be automated.
36:27Also, we can just monitor the compliance for it as well.
36:30It could just report issues, failed controls or test results automatically generate remediation tasks for customers or compliance managers.
36:38So he could just take over that, look over that task and try to resolve it as soon as possible.
36:43An example could be a pharmaceutical company that must comply with FDA.
36:49It's an it's just a part of a regulation.
36:51It could be anything at FDA or CDA for electronic records and signatures.
36:56So it will just go through these steps to just keep it in the compliance and policy management.
37:02First, first one will be the authority document.
37:05And that is the FDA that I've mentioned before.
37:08It will be just inserted into service now.
37:11Citations will be implemented on that.
37:14It will just break down the records, like audit trails must be maintained for all electronic records.
37:20Then the third step is the controls: implement controls such as enabling system logging for all clinical trial applications.
37:30And the next step would be the ownership and testing and monitoring.
37:38That's the answer for this question.
37:40Wonderful.
37:41Yes.
37:42Right.
37:43So I have one more question.
37:45So what are the main challenges organizations face when implementing GRC in ServiceNow?
37:51Organizations face several challenges when rolling out GRC in ServiceNow.
37:58It could be data quality issues.
38:00It could be change management.
38:02It could be customization beyond out of the box.
38:05Integration complexity, scalability. On data quality,
38:08I guess GRC relies on an accurate CMDB and authoritative data sources;
38:12poor data means unreliable risk and compliance reporting.
38:16An example could be a bank whose CMDB has duplicate servers.
38:20Wrong risk mapping creates false reports.
38:22That could be the main reason of data quality issues.
38:25Change management.
38:26Business units may resist adopting the centralized GRC platform.
38:30Requires strong communication, training and leadership support.
38:34For the customization, too much customization complicates upgrades and support.
38:38GRC uses out-of-the-box workflows and rules that run any time a risk is identified,
38:47and it will work out of the box. If you just customize it more and more,
38:50it will just become a mess for you to manage those rules.
38:55And if you're trying to create a new or complex rule of your own,
38:59you should just keep in mind the out-of-the-box functionality of GRC as well,
39:04so that your own functionality can run easily.
39:07Integration complexity.
39:08GRC often needs data from HR, ERP, SecOps, vulnerability scanners, etc.
39:15Integration can be time-consuming and costly as well.
39:18These are the main challenges that organizations face with GRC.
39:25Any other questions?
39:30Yes.
39:31So can you share some of the key dashboards and reports in the ServiceNow GRC module?
39:37So GRC mostly uses a risk heat map.
39:41This just shows risk by likelihood and impact, or you can drill down into high-risk items and track KRIs.
39:49For example, a hospital sees high risk in EHR due to legacy.
39:54And it will just show it right away on the risk heat map dashboard.
39:59The other one is the compliance dashboard.
40:01Tracks control test pass/fail rates and the compliance score.
40:06I've mentioned previously about the testing records.
40:10It could be done manually or automated.
40:12And the results for those are stored in this compliance dashboard
40:16to record the risk management that we're doing in the instance currently.
40:21It will just highlight failed or overdue controls.
40:24An example for that would be the compliance score drops to 91% due to a failed access control test.
40:29And you could just identify everything from this dashboard and take actions accordingly.
40:36The other one would be the audit dashboard.
40:39Monitors audit findings and remediation status.
40:43Shows overdue or high severity findings as well.
40:47Vendor risk management, the vendor risk dashboard.
40:49It just shows vendor risk management.
40:51Whatever risk vendors have, it will show in this dashboard and evaluate it for you.
40:56It will monitor higher-risk vendors and overdue questionnaires as well.
41:00The other one would be the executive GRC dashboard.
41:03Consolidates risk, compliance, audit and vendor posture.
41:06Provides trend lines and exceptions for board reporting as well.
41:11These are, I guess, the key dashboards that are used in GRC mostly.
41:21Yes, thank you.
41:23Thank you, Mr. Erzan and Mr. Majid, for sharing your expertise with us today.
41:28And big thank you to everyone who joined this session.
41:32We truly appreciate your time and engagement as well.
41:36So if you would like to continue learning,
41:38don't forget to explore more resources on our website.
41:41So I'll just share it with you.
41:44Yes, so you can also visit our website at architect.
41:59It includes our services: administration, development, implementation and maintenance, and consultancy and support as well.
42:07So now you can explore more about Techman.
42:14So here are listed some free and some paid courses relevant to ServiceNow.
42:22And some information about our upcoming sessions as well.
42:29So at Techman Academy, we are committed to helping you start and advance your ServiceNow journey.
42:38Whether you are looking for self-paced learning, live training or expert guidance as well.
42:45And do visit our book relevant to this session, about ServiceNow GRC,
42:53written by Mr. Shauna Lee and Sakit John.
42:58You can also buy from Amazon.
43:00And also we have listed more than 70 books relevant to ServiceNow.
43:09And some other playbooks as well about the knowledge and some other guidance.
43:14And thank you. Thank you all.
43:19And don't forget to subscribe, like and share this video on YouTube, LinkedIn and Facebook.
43:24So others can benefit as well.
43:26So stay tuned for our upcoming sessions regarding SPM, CSM and APM.
43:32Once again, thank you for being part of our Techman MindByte session today.