
Modernize your GRC program with ServiceNow

Successfully driving GRC transformation

Wondering if or how you should migrate your legacy cybersecurity, risk, and compliance technology (also known as GRC)? You are not alone. I continue to hear several common themes from clients facing the challenge of modernizing their GRC program, processes, and technology, and I want to share my perspective on how to approach it, based on my experience supporting clients with this in recent years.

What makes GRC uniquely challenging is that it is inherently cross-functional. GRC intersects multiple functions across the business, commonly including cybersecurity, legal, finance, digital/IT, audit, and often numerous product or engineering organizations, all of which are responsible for a variety of compliance obligations and for measuring and monitoring organizational risk. Bringing these domains together into a unified program, on a common technical platform such as ServiceNow, is not an easy undertaking, but it can be of immense value to executives and the board if successful.

Here are a few common steps followed by organizations successfully driving GRC transformation:

  1. Level-set on your organization's definition of GRC. Start with the vision and purpose of the program and establish a consistent understanding of what GRC means for your organization, along with a matrix of responsibility and accountability for each related function.
  2. Keep leadership bought in and engaged. This means much more than having names listed on a slide or a few ad hoc touchpoints on progress. Leadership that is truly bought into the value of GRC greatly helps in clearing common barriers to a valuable GRC technology transformation and in sustaining strong cross-functional alignment. This is often achieved through strong governance mechanisms: regular forums in which key decision-makers discuss the outcomes and evolution of the GRC program, including any technology migration.
  3. Align the organization on a common framework, then on the tool selection. These are crucial steps that can present many challenges. There are point solutions (tools tailored for specific use cases) and a variety of comprehensive enterprise platforms to consider, including ServiceNow and, more specifically, the ServiceNow Integrated Risk Management products. It is important to build consensus at the executive level around the strategic goals of the organization and the framework the technology will support, with buy-in from all parties, to avoid fragmentation or adoption challenges. Consider conducting your analysis using a transparent scoring methodology to bring objectivity into the decision.
  4. Create and publish a comprehensive strategy. Define the key objectives the migration is setting out to accomplish, the processes and functions that will be part of the migration, how the migration will be executed, and the key outcomes for the business.
  5. Build and socialize a GRC maturity roadmap. Aim to establish value quickly and in a phased manner. Avoid a big-bang deployment; instead, focus on incremental releases that gauge end-user feedback early and allow corrections to be made quickly. Executing a migration using agile software development principles builds trust with the first groups onboarded to the new GRC platform and gives others in the organization an incentive to join.
  6. The migration is just the beginning. The evolution of the platform, the introduction of new features, and the onboarding of new cybersecurity, risk, and compliance use cases make ongoing product management and DevOps crucial to success. Don't wait until after the initial go-live to define your operating model. Make the transition from the initial migration to ongoing evolution seamless, with a logical hand-off from the initial deployment team to the ongoing DevOps teams, and show the continued evolution of your organization's GRC technology journey against your roadmap.

For a migration to be successful and enduring:

  1. Don't allow room for ambiguity in your strategy. A unified vision, with a clearly defined north star aligned to your business strategy, is imperative.
  2. Make sure there is a schedule, timeline, or roadmap that is clearly visible, understood, and supported by leadership.
  3. Improve the user experience. Rethink the way users interact with the technology and refresh the interface to foster adoption. Many clients find the ServiceNow platform well suited to providing that experience.
  4. Don't let governance be an afterthought. Establish a steering committee with representation from all stakeholder groups to oversee quality and timeline, make decisions on scope, issues, and budget, and ensure the right resources are in place. Issues and risks should always be escalated to the steering committee for visibility or, when required, resolution.

Think of the migration as a technical product transformation intended to drive measurable business value. Treating it as a product shifts the mindset and culture around how it is handled, enabling a more agile approach, a quicker path to value, and more effective collaboration between stakeholder groups.

A GRC technology migration and overall program modernization can be the catalyst that sparks engagement across the business and builds a normalized, comprehensive view of your organization's risk and compliance posture for executives and the board, enabling more effective decision-making and empowering the business with invaluable intelligence.

- Joan A. Qafoku, Director Advisory, Cyber Security Services, KPMG LLP
