Project Name

From Spreadsheets to ServiceNow: Built a GRC Programme Across 5 Business Units for a Diversified Financial Group

From Spreadsheets to ServiceNow: Built a GRC Programme Across 5 Business Units for a Diversified Financial Group
Industry
Financial Services
Technology
ServiceNow Governance, Risk, and Compliance (Integrated Risk Management), ServiceNow Policy and Compliance Management, ServiceNow Risk Management with continuous control monitoring, ServiceNow Audit Management, ServiceNow Third Party Risk Management, COSO ERM modelled within the platform, ServiceNow CMDB integration, Now Assist for IRM, ServiceNow dashboards and performance analytics

Loading

From Spreadsheets to ServiceNow: Built a GRC Programme Across 5 Business Units for a Diversified Financial Group
Overview

The client is a diversified financial services group operating five distinct business units spanning lending, asset management, insurance distribution, payments, and a shared technology services arm. Each unit carried its own regulatory obligations, its own risk register, and its own way of tracking controls.

 

Growth had multiplied the number of frameworks the group needed to satisfy: ISO 27001, PCI DSS, SOC 2, and applicable privacy regulations, but the operating model behind governance, risk, and compliance had not kept pace.

 

What worked at a single unit had become unmanageable across five, and the accumulated manual effort behind policy distribution, control testing, audit preparation, and vendor oversight was consuming governance capacity that should have been directed at judgment rather than data entry.

Key Challenges

Five business units, each running its own risk register, its own control interpretation, and its own vendor oversight process with no way to reconcile any of it without weeks of manual collation.

  • Spreadsheet-Based Risk Registers: Each business unit maintained risk registers in separate spreadsheets and documents. Versions diverged, ownership was unclear, and creating a consolidated risk view required extensive manual effort.
  • Five Disconnected Operating Models: Every unit applied different control interpretations, scoring methods, and evidence requirements. This inconsistency created risk blind spots across the organization.
  • Duplicated Control Effort: Teams tested similar controls independently across multiple frameworks, resulting in duplicated work, repeated evidence collection, and unnecessary governance costs.
  • No Enterprise-Wide Risk Visibility: Leadership lacked a single, real-time view of risk and compliance. Reports were manually compiled, often arriving outdated and incomplete.
  • Slow, Manual Audit Preparation: Audit teams spent significant time gathering evidence, chasing stakeholders, and reconciling documentation across business units instead of focusing on control evaluation.
  • Inconsistent Policy Management: Policies were distributed via email with limited tracking. The organization had no reliable way to verify version adoption or employee acknowledgements.
  • Limited Third-Party Risk Oversight: Vendor assessments were scattered across inboxes and local files, making it difficult to track review status, compliance gaps, and high-risk suppliers.
  • Manual Compliance Mapping: Control mapping for frameworks such as ISO 27001, PCI DSS, and SOC 2 was handled manually, making updates slow, error-prone, and heavily dependent on individual expertise.
Our Solution

Ksolves, an AI-first ServiceNow consulting services company, delivered the programme on ServiceNow in phases, standing up a shared foundation first and then rolling each capability across the five units with a consistent operating model.

  • Entity and Profile Framework: Built a unified framework covering all five business units, applications, and assets, enabling risks and controls to be automatically scoped without manual assignment.
  • Centralised Policy Lifecycle: Migrated policies into ServiceNow Policy and Compliance Management with structured authoring, approvals, reviews, and acknowledgement tracking across all business units.
  • Shared Control Library and Framework Mapping: Created a common control library mapped to ISO 27001, PCI DSS, SOC 2, and privacy regulations, allowing a single control to satisfy multiple compliance requirements.
  • Unified Risk Register: Replaced spreadsheet-based registers with a single risk model using consistent scoring, ownership, treatment plans, and real-time visibility across all units.
  • Automated Control Testing: Implemented continuous control monitoring with automated indicators that test controls regularly and raise issues as soon as compliance drifts occur.
  • Connected Audit Management: Centralised audit planning, fieldwork, evidence collection, findings, and remediation in ServiceNow, leveraging existing controls and evidence to streamline audit cycles.
  • Third-Party Risk Management: Implemented a centralised process to onboard, tier, assess, and continuously monitor vendors, improving visibility into risk exposure and overdue reviews.
  • CMDB-Linked Risk Management: Connected risks and controls to ServiceNow CMDB assets, enabling direct visibility into the systems and services affected by each risk.
  • AI-Assisted IRM Workflows: Leveraged Now Assist for IRM to draft assessments, summarise records, and recommend remediation actions, reducing manual effort and accelerating governance activities.

Technology Stack

Category Technology
Core Platform ServiceNow Governance, Risk, and Compliance (Integrated Risk Management)
Policy and Compliance ServiceNow Policy and Compliance Management
Risk ServiceNow Risk Management with continuous control monitoring
Audit ServiceNow Audit Management
Third Party ServiceNow Third Party Risk Management
Risk Framework COSO ERM modelled within the platform
Asset Context ServiceNow CMDB integration
Intelligence Now Assist for IRM
Reporting ServiceNow dashboards and performance analytics
Impact

From five disconnected spreadsheet registers and no enterprise-wide visibility to a unified system of record where risks stay current, controls are mapped once, and audits start from a live governance foundation.

  • Single Source of Truth Across Five Business Units: Risk, compliance, audit, policy, and vendor data now reside on one platform with consistent definitions, scoring, and evidence across the enterprise.
  • Manual Risk Collation Eliminated: The enterprise risk register updates automatically across all five units, removing the need for manual spreadsheet consolidation and reconciliation.
  • Control Mapping Streamlined Across Frameworks: Controls are mapped once to support ISO 27001, PCI DSS, SOC 2, and privacy requirements, eliminating duplicate testing and evidence collection.
  • Real-Time Leadership Visibility: Executives and board members now have a live, consolidated view of enterprise risk and compliance instead of relying on outdated manual reports.
  • Faster Audit Cycles: Audits leverage an existing repository of controls and evidence, reducing preparation effort and improving efficiency for auditors and business teams.
  • Reliable Policy Acknowledgement Tracking: Every policy version includes a complete record of reviews and acknowledgements, creating a defensible audit trail across all units.
  • Centralised Third-Party Risk Oversight: Vendor assessments, findings, and review schedules are managed in one place, providing continuous visibility into third-party risk exposure.
  • Reduced Administrative Effort with AI: Now Assist for IRM automates drafting, summarisation, and remediation recommendations, allowing governance teams to focus on higher-value risk and compliance activities.
Solution Architecture
stream-dfd
Conclusion

What was once a fragmented GRC environment spread across spreadsheets, emails, and disconnected processes is now a unified governance platform built on ServiceNow. Ksolves established a single source of truth for risk, compliance, audit, policy, and third-party management across all five business units. Controls are mapped once and reused across frameworks, risks are visible in real time, and audits operate from a continuously maintained record. The result is stronger governance, greater operational efficiency, and a scalable foundation ready to support future regulations, business growth, and evolving risk requirements.

Is Your Risk and Compliance Function Still Held Together by Spreadsheets Across Multiple Business Units?

Copyright 2026© Ksolves.com | All Rights Reserved
Ksolves USP