Out of the box GRC Processes – How two companies prospered
At first glance, AltaGas Ltd. and Align Technology don’t have much in common. AltaGas Ltd. is a North American energy infrastructure business with a focus on owning and operating assets to provide clean and affordable energy to its customers. Align Technology is a leading manufacturer of 3D digital scanners and clear aligners used in orthodontics.
However, the two companies share similar stories when it comes to the technology they use to manage governance, risk, and compliance (GRC) issues. Both are case studies in how implementing ServiceNow solutions out of the box can result in quicker time to value and pave the way to future innovations.
AltaGas: Energy and risk
AltaGas’ GRC processes intensified with a 2017 acquisition. AltaGas needed to integrate two company networks and establish equivalent security and risk processes across the newly consolidated enterprise.
In 2018, the company initiated a new cybersecurity/GRC regime with an aggressive deadline for reaching maturity. As a ServiceNow® ITSM customer, the company knew they could deploy ServiceNow Risk Management out of the box, without complex customization of dashboards, workflows, and tables. The initial project included 17 security standards with 120 new controls. AltaGas was up and running in just 45 days.
In 2019, the company built on that progress by implementing ServiceNow Issue Management to test the new controls, and ServiceNow Policy and Compliance to prepare for external audit testing. Previously, the AltaGas team used spreadsheets to track issues and met for an hour every day to discuss pending issues. Now they meet twice a week for half an hour and use a virtual task board that shows who is responsible for a task along with the status of each task.
Increased transparency and process automation helped AltaGas reach its goal of achieving 80% compliance on all controls in just three months. Just as important, senior management quickly saw the value of the out-of-the-box strategy and has greater confidence in the team’s ability to manage future audits.
Align Technology: Simplifying evidence collection
Align Technology also had a history with ServiceNow, so ServiceNow® Risk Management was an obvious candidate when the company began looking for a new solution to manage its compliance obligations while documenting and managing risk. The company implemented Risk Management and Issue Management out of the box in 2018. In 2019, the company developed a custom app to collect and track a growing volume of requests for evidence for its compliance and audit obligations. The compliance team created hundreds of requests using the tool, and they made frequent requests for changes in functionality and workflows.
The custom app was a departure from the out-of-the-box approach that drove the initial decision to go with ServiceNow. However, the Align team knew that ServiceNow offered similar capabilities, so they enlisted Iceberg Networks to help them replace their custom tool with standard capabilities from ServiceNow Policy and Compliance that were already part of their subscription.
“We picked ServiceNow GRC because it provided a single place to center our GRC program and allowed us to integrate with the systems already in place on our service desk,” says Adam Leigh, senior manager for technology risk management at Align Technology.
Iceberg Networks helped Align Technology make the needed configuration changes and define their control objectives. When a request didn’t meet the control objective, the system would automatically create a control issue for tracking and remediation and adjust the risk score. They also used indicators to collect evidence.
By replacing the custom app with standard ServiceNow capabilities, the company got a solution that was easier to maintain and would benefit from future ServiceNow upgrades. Just as important, the team was able to automate the way it managed requests. The number of controls has continued to grow; even so, Align has moved from 670 manually created emails for evidence requests to just 100 the following year.
Different companies, same strategy
Although they’re two different companies working in very different industries, AltaGas and Align Technology used similar strategies to achieve value sooner with ServiceNow:
- Implement out-of-the-box as much as possible
- Pick a target and rally the entire organization around it
- Identify a success metric that will prove the value of the strategy
Every company has its unique processes and methods that help it create a competitive edge. However, AltaGas and Align Technology both demonstrate that you don’t necessarily need highly customized technology to support that uniqueness.