The ServiceNow platform continues to grow at a rapid pace. A clear result of this is that we are seeing an increase in the number of organizations looking to expand their implementations to include the ServiceNow GRC offerings.

ServiceNow is a platform-as-a-service for technical management support, such as IT service management, to the IT operations of large corporations, including providing help desk functionality and electronic workflow management. The company’s core business revolves around the management of “incident, problem, and change” IT operational events but further can extend to include  hardware and software inventory management, as well as governance, risk and compliance.

If you’re unfamiliar with the ServiceNow platform as a whole or its GRC offerings, learn more in our recent blog post.

How is a ServiceNow GRC implementation different from traditional GRC solutions?

Organizations that are used to more traditional GRC solutions will likely find the ServiceNow data model to be foreign to them, including terminology and the relationships between controls, risks, objects, and assets. Prior to implementing the solution or importing any data, GRC stakeholders should familiarize themselves with ServiceNow’s out-of-the box GRC objects and processes.

ServiceNow’s GRC module relies on a standardized set of foundational data or what ServiceNow calls entities and entity types (e.g., CMDB, organizational structure, processes, etc.) that is utilized across all aspects of the ServiceNow platform. While this approach has many reporting advantages, risk & compliance teams may struggle to align the foundational data to meet their needs without developing complex workarounds. Teams utilizing the ServiceNow platform will therefore need to determine how they will work together to properly define their foundational structure to meet everybody’s needs. 

Additionally due to ServiceNow’s unique data model and use of entities, ServiceNow’s reporting capabilities for risk and compliance teams can be broken down to an extremely granular level. This can result in significantly more detailed levels of controls and risks, and can often be overwhelming for stakeholders who are not familiar with the ServiceNow model prior to starting the implementation process.

A ServiceNow GRC implementation requires a high level of work to effectively implement, even for organizations that have been successful operating their GRC for several years through other traditional GRC systems.

Five Steps To Ensure Your ServiceNow GRC Implementation Is Successful


1. Understand the different terminologies.

A core distinction between ServiceNow and other GRC platforms is the different terminologies. For instance, what most platforms or risk practitioners would call a control, or an overarching control that groups different controls together, ServiceNow defines it as a control objective

Name changes or terminology differences are going to be one of the bigger challenges that an organization will go through when moving from a different GRC system to ServiceNow. In this integration period, it’s essential that your team understands the different terminologies and that everyone is in sync throughout the adjustments.

2. Get your CMDB in order.

If you’re new to ServiceNow, the way you want to be spending your most amount of effort initially in the ia configuration management database (CMDB). The CMDB primarily holds the asset management of all of your equipment and systems—making it crucial for the GRC program to operate effectively. Your CMDB health is a top priority when attempting to implement the GRC suite to its full effect.

(Side note: A healthy CMDB is not just for the GRC module within ServiceNow. This applies to IT services and almost every other ServiceNow module as well.)

3. Streamline your user interface.

For those companies that are new to ServiceNow, or at least new to the ServiceNow GRC tool, it can be an overwhelming user interface especially when it isn’t properly pulled together in the ServiceNow portal.

At Cential, we often talk about ‘streamlining your GRC’ which is placing the focus on how we design processes and how end users interact with those processes inside a given tool.

We seek to answer the question “How can we create the most ease of use for those front-line individuals that are only going to go into ServiceNow once a month or once a quarter to do a control assessment, risk assessment, or log an incident?” It’s important to make that process simple for them to be able to go in and perform their tasks without feeling overwhelmed.

For those who don’t frequently work in ServiceNow, the extensive options and landing points can quickly become too much, driving away users from performing their tasks and therefore impacting the effectiveness of your risk and compliance program. So, when implementing a new GRC process, consider foregoing a complex back-end process (that really only pertains to your higher level risk managers) and instead create smooth, efficient workflows that require just a few clicks of a button to complete their tasks or activities.

4. Identify the actionable insights.

Identifying actionable insights means identifying key metrics that you are hoping to gain from implementing the process in ServiceNow or that are required to ensure the process runs effectively.There is so much information available in the ServiceNow dashboard, which makes it extremely powerful, but often not relevant for the majority of users. To streamline the process, consider what information the end user needs to perform their day-to-day job, which outstanding information points they should monitor, and which high risk action items they should be aware of.

It can be tempting to throw every piece of data and information possible into your dashboard as it looks impressive from a high-level glance, but oftentimes ultimately discourages user adoption and efficiency due to being overwhelmed and a lack of clarity.

5. Establish a Governance Structure 

A strong governance structure is important for any GRC program, but with the level of integration in the ServiceNow platform, it becomes critical. Identify the stakeholders, their roles, objectives, and current and planned use of the ServiceNow platform.

By understanding the stakeholder’s processes and how they work together in the context of ServiceNow GRC, you can then refer to entity types and the CMDB to determine the standards you may want to apply during the implementation of the GRC module. 

Cential’s Guiding Principles for Implementation

We have identified three guiding principles to guide all of our GRC implementations, including ServiceNow:

  1. The GRC solution should be intuitive.

    This principle goes back to the user interface and the end user experience that we mentioned above; how easy is the solution to use for those end users, and does the process make sense for them? Is it overly complex, or can the end user easily get in and perform the tasks that need to be done?

  2. The GRC solution needs to be right-sized.

    As you build out the GRC processes and/or enable them in ServiceNow, it’s important to narrow in on what the organization’s needs truly are. What is the value for the organization that you’re trying to achieve? Are you building something that goes way above or below what is required to meet the goals you’ve established as an organization? Is your GRC solution directly driving towards the overall organization vision and do your GRC processes support that? In other words…is your solution the right size for your organization?

    Another key component of right-sizing, especially true for implementing GRC within ServiceNow, is evaluating if the level of effort and resources required to implement ServiceNow GRC will indeed yield these actionable insights.
  1. The GRC solution needs to be effective.

    By effective, we mean that the data entered should be up-to-date, meaningful, accurate and easily understood by the people accessing it.

    This ties back to the actionable insights mentioned earlier. The information provided shouldn’t just be for the sake of providing information, but should actually drive your organization to understand what your risks are and how you may need to react to those risks.

How Cential Can Help

At Cential we assist with every single step of the process. We place an emphasis on driving understanding of the streamlined process, who your stakeholders are and what it is that they need so we can help your organization understand what you need before you even buy a solution. When it comes time to implement ServiceNow or whichever GRC solution you select around, we work to clarify your governance structure, implement the platform, build out the processes and improve how you can sustain your risk management. Ultimately, the goal is that you can eventually run your GRC processes yourself should you so desire.

The truth is that many organizations don’t spend enough time in the preparation stage, which is critical. During the preparation stage, it’s important to think about your governance and processes as mentioned above, but it’s equally as important to clarify your risk standards and if you have the right resources to support your first line of defense.

If the resources aren’t there, it may be time to consider utilizing managed services to drive and support that essential first line of defense which often goes under-supported.

Both throughout and following the process, Cential is always there as a resource for you to answer questions, step in when it’s time to make updates, or whatever it is that your organization may need.


There’s a lot of up-front effort that most likely will need to be put in when undergoing a ServiceNow GRC implementation, but once you’ve built out a streamlined, actionable solution that can easily be adopted across all three lines of defense, the payout from the powerful GRC capabilities that ServiceNow holds will be well worth it.

For more insights on how to seamlessly integrate ServiceNow with your GRC/IRM tools and take advantage of new ServiceNow GRC/IRM features, join our free webinar on Thursday, September 22, 2022, at 12PM EST.