What Can Financial Service’s Service Management Processes Teach Us About GRC?

If you’re a ServiceNow customer, you’re probably familiar with the platform’s bread and butter functionality – IT Service Management. From there, you likely expanded into customer service management, asset management, or other related modules. But what about some of ServiceNow’s less-well known modules that focus more on business management?

Business management apps in general, and GRC specifically, are very hot right now. According to ServiceNow, business management app revenue grew to be over a quarter of the company’s total revenue in the last quarter – with GRC being the lynchpin of their business app strategy. Here at Acorio, we have seen GRC app implementation requests doubled in just the past four months.i


What’s GRC?

Let’s start at the beginning, by defining the GRC space. The elements of the Governance, Risk and Compliance universe include:

  • Governance – overall how you run your business, making sure you have good processes and checks/balances in your organization
  • Risk – protecting your business from things that can harm it, and even taking some strategic risks in order to grow
  • Compliance – making sure you are doing what your regulatory body (or bodies) and government need you to do to follow laws and regulations

As you can imagine, those three bullets include an enormous amount of data, process, complexity, and other challenges. (We will parse out additional elements of GRC 101 in future blogs.)

Financial Service Regulations You Should Know

In the financial services industry alone there are numerous regulatory agencies including the Federal Reserve System, Office of the Comptroller of the Currency, and the Securities & Exchange Commission. Companies need to be compliant with financial accounting standards, legislation like Sarbanes-Oxley, and industry-specific regulations [1].

Focus on GRC Regulation

Both the Dodd-Frank Act and the Consumer Financial Protection Bureau require financial services companies to collect certain types of data on lending customers, to report that data to the regulatory agency, and to store it in a way that it’s accessible to the public. Keep in mind that this regulation shift also causes other regulations to kick in about consumer data protection and security.

Of course, financial services aren’t the only industry to deal with GRC – every industry including utilities, retail, and travel, is in a similar situation. And it’s a never-ending chase to make sure you’re compliant, since regulations are constantly being added and modified.

How to Eliminate Manual GRC Processes

The major challenge with most GRC internal processes: companies have a ton of data to track and tabulate. Even today, much of this cumbersome work is done manually, which makes it hard to manage, and takes up time that could be used to think strategically about how to protect your company from systematic risk.

GRC software frees up that time by helping companies automate the processes around discovering, aggregating, and reporting the data governments and regulatory agencies need regarding how a company is complying with laws and regulations, such as the Dodd-Frank Act. To help this painfully manual process, companies can implement GRC software to:

  • Increase the speed of compliance processes. Automating the process and making the data more readily accessible makes it faster for companies to get the information needed to the right regulatory agency than traditional methods trolling through terabytes of spreadsheets and emails.
  • Reduce the likelihood of data errors in reporting. By using GRC software, companies can have the data pulled directly from the source application and reduce the likelihood of errors that come from multiple data transfers, incorrect data entry, and other issues. And accuracy is not negotiable if you’re trying to avoid fines and other problems associated with compliance.
  • Lower compliance costs. When you can find and report faster, you save money. It’s also very likely that it takes fewer people to gather all of the information so there’s more savings there as you deploy staff to more proactive activities.

Did you notice those benefits look very much like the benefits you can get from service management? Making manual, intangible processes into traceable, tangible workflows with a single source of data integrated across the platform isn’t just a goal for your Service and IT teams. These workflows are a key reason why it makes so much sense to expand into GRC from your core service management implementation.

Service Management Best Practices to Steal for GRC

Instead of treating GRC as a unique problem, you can get results faster by leveraging all the best practices and tools from your existing service management implementation. Leveraging ServiceNow for GRC specifically improves on GRC apps by providing:

  • More accurate data. Since everything on the ServiceNow platform can use a single data source, you don’t have to worry about pulling from the wrong database. You’ll be able to automatically extract information from the other apps like service management and validate the data in the configuration management database.
  • Faster implementation. You can leverage the existing platform, the service portal and development tools, and of course the GRC module’s efficient integration with the existing ServiceNow implementation. Tools like Service Portal and delegated development that come from the latest Helsinki release make it even quicker to get GRC functionality quickly to the business.
  • Lower implementation costs. Since you have ServiceNow at work in your organization, you already have users, groups and departments defined in a manner useful to the GRC application. This makes control test assignment and remediation tasking a relatively straightforward exercise. Also, the cost of integrating to the other modules is far lower than creating or implementing APIs from standalone products into your existing systems.

Valuable on their own, those benefits are magnified by the power of ServiceNow as both your GRC tool and back-end Service Management system. By linking your daily business operations and compliance efforts, you will see faster initial ROI, and returns that annuitize over time. Rather than a bolt-on effort, incorporating compliance into your regular work processes can give you a competitive advantage – adding pace to your go-to-market strategies and improving visibility for any problems that come up.


[1] ServiceNow’s Q2 2016 Investor Presentation, pages 5 and 13