No More Legacy and Manual GRC Management

Many IT professionals today work in a world where “Compliance” and “Audit” are words to be feared and activities to be avoided. I was there myself once, trying to figure out how to comply with 21 CFR Part 11 requirements, survive internal and external audit, and work to keep up my organization’s own ISO 27001 and ISO 9001 certifications, all while still trying to do my own job.

In order to do it we had a great team of technical writers who maintained all of our documentation including our master document list (in MS Excel), our MS Word and PDF based process documentation, our document based controls, MS Excel based inventories, and our manual calendar of internal monitor & control tests to be executed by operational managers who already had day jobs.  The documentation process, control processes, and our interaction with internal audit and compliance were all highly manual.

In the last few weeks I have been talking to a large number of IT audit, risk, and compliance professionals as we grow our Cask team.  Universally, when the conversations turn to the state of the functions they represent in their current companies, the conversation is the same as when I was running a team almost 10 years ago:

  • Manual processes
  • Misalignment between the management of IT and the Controls that audit is looking for
  • MS Excel, MS Word, PDF, e-mail, and proprietary tools are the common elements in the toolkit
  • IT Management does not understand what their IT Risk and Compliance people or IT Audit people want out of them
  • IT workers fail to have a “Culture of compliance” or a “Culture of work done under reasonable controls”

Many of you are thinking – Why is this a problem?  Why should I as an IT leader care?


You should care because:

  • Cause: Risk Management is about mitigating business risks for your company.
    Effect: IT Managers who expose their companies to excessive risk tend to be given opportunities to look for work somewhere else.
  • Cause: Governance is about ensuring effectiveness and efficiency.
    Effect: IT Leaders who can prove they are working better, faster, and cheaper are viewed as assets by their business partners.
  • Cause: Compliance with controls is about doing what you say you are going to do, when you said you were going to do it, the way you said you were going to do it.
    Effect: IT Senior Leaders who can show that the organization is under control and performing to design have an ability to prove performance and quality of their services.


We all know why we should have a good IT GRC program… we all know that it is time-consuming, expensive, and difficult as well… or is it?

Let’s face it, most of the work in GRC is administering another daily workflow and maintaining that system of controls.  Why not leverage a workflow system that your people work in EVERY DAY anyway to make it happen and document for the business what you are doing for them?

Enter ServiceNow. It isn’t just a helpdesk system; it can be that extra set of hands you need to manage your entire IT organization. Combine it with a healthy effort around organizational change to get your people set up for success, and you can really make this tool work for you.

In place of a master document list hiding out on an Intranet site, ServiceNow’s GRC module allows you to build a hierarchy of related documentation starting with authoritative documents based on your industry or needs.  The system can then break those down into citations and supporting policies that represent your control objectives for your organization.

Hosting your central searchable repository in ServiceNow makes it seamless to link individual controls to the information already in your ServiceNow instance. Leveraging the organizational CMDB, user, and business service data, individual control tests can be established, and the execution of those tests can be distributed in the tool that your team uses to execute and manage the work they do every day. It becomes a part of the day-to-day routine, infusing quality practices and controls without forcing managers to remember to do something or keep up with an overfull email box. The system can be configured so that the work appears on an individual manager’s homepage, enabling easy access and integration into each manager’s normal workday… no task-switching penalty… no need to learn another system… no need to try to find that email from audit… the work just flows into the normal operating rhythm. Leaders don’t have to struggle to meet that SOX or SSAE 16 or other audit requirement.

In addition to this, ServiceNow offers the team a single, central list of all the work that needs to be completed. There is no longer a need to check the ticketing systems for incidents, problems, and change because everything that needs to be completed is operationally and strategically located in their “My Work” queue. When looking into taking your GRC program to the next level, think holistically about the power of data from ServiceNow that can be used to make your GRC program more effective and modern than ever.