As organizations embark on their journey towards successful risk management with a governance, risk, and compliance (GRC) program, they need to view GRC as a structured approach to aligning IT with business objectives. While GRC, in its initial incarnation, entails implementation of a set of tools and technologies, enterprises often fail to think through the entire GRC technology implementation and forge ahead without analysis and planning. According to Bobby Foster-Westgarth, Practice Director, 2MC, most enterprises focus on following an extensive process of identifying the right product for their businesses. However, they often overlook the implementation aspect and the amount of effort required to ensure that the technology is aligned with the organization’s needs. “This is an extremely understated part of the process,” he stresses. He also explains that the challenge boils down to inefficient management of data across an organization, which makes the GRC implementation process convoluted. The complicated processes not only reduce the chances of successful implementation but also burden the users navigating through the system. As someone who has rich experience in the realm of GRC, Foster-Westgarth relishes the challenge.
Rolling up his sleeves to tackle whatever comes his way, Foster-Westgarth leads his team at 2MC to ensure risk management is a de facto standard throughout the industry. 2MC, a part of TÜV Rheinland Group, is a specialized integrated risk management (IRM) business that has completed over 650 successful GRC projects through a variety of platforms. With an unparalleled understanding of GRC best practices, 2MC provides bespoke and business-led consulting and services to ensure that each project’s requirements are impartially evaluated and suitably matched with the most appropriate technology. “We have a 15-year history and legacy of implementing some of the best-integrated risk management technologies for some of the biggest organizations in the world,” says Dev O’Nion, Head of Business Development, 2MC.
2MC is currently embarking on a new partnership with ServiceNow, which has recently entered the risk space and is aggressively looking to grow and mature its tools in this realm. In partnership with ServiceNow, 2MC helps enterprises to identify and handle risks and develop sustainable governance and compliance structures. Laser-focused on automating compliance, reducing risk and making every implementation a success, 2MC guides leaders in optimizing their security programs and turning those into actions through standards and procedures. The company also specializes in GRC implementation for operational technology, empowering companies across industries to protect their industrial operations. While the risks today have magnified in the wake of broader internet connectivity and IoT, 2MC is aiming to let the GRC aspects of the IT and business worlds collide with operational technology, providing a third dimension to GRC. Currently amid collaborative brainstorming, 2MC, at the helm, is steering ServiceNow to weave its IT and operational technology worlds together and enable the evolution and maturation of its tools.
Unlocking New Opportunities with ServiceNow
Combining extensive IRM/GRC domain experience with technical deployment of many of the existing, leading IRM platforms, both ServiceNow and 2MC see this partnership as a unique opportunity. Unlike other consultants who typically partner with ServiceNow in the ITSM world, 2MC has carved a niche for itself by solely focusing on the implementation of GRC around ServiceNow’s new tool, The Now Platform™. This latest offering from ServiceNow accelerates the digitization of manual business processes by enabling the rapid building, testing, and deployment of applications that automate work across the enterprise. The platform is used by nearly 800 of the Forbes Global 2000 companies to accelerate their digital transformation initiatives. “While ServiceNow has ventured into the world of integrated risk management with a set of new tools, we are guiding both ServiceNow and the customers to successfully implement GRC into the product and also derive immense value by linking the GRC elements of the tool into some of the other areas of their business. That’s the sweet spot where we work with ServiceNow,” says Foster-Westgarth.
He goes on to mention that ServiceNow’s capability to expand its footprint in the GRC market perfectly complements 2MC’s domain and technology expertise, making their partnership an ideal collaboration. “As most companies are quite immature when it comes to GRC, we aim to use ServiceNow’s massive footprint to improve the education around GRC.”
The Modus Operandi
To begin with, 2MC brings a unique combination of its engineering expertise and GRC experience to the table. From process alignment and tool streamlining to custom training and installations, 2MC implements all aspects of GRC and also creates custom solutions for requirements that fall outside of the typical GRC areas. The company’s complementary and independent advisory services encompass process improvement, business adoption, legislation/regulation, GRC best practice, and cyber-security. On the path to manage risks, many companies that partner with ServiceNow are developers first and consultants second. However, 2MC differentiates itself by focusing on configuration rather than development. Despite ServiceNow being a flexible tool, 2MC simplifies the processes and wraps them around the tool rather than over-engineering the tool. Instead of exhibiting purely a developer mindset, the experts at 2MC take a consultative approach to meet the client’s needs.
In essence, the company’s modus operandi involves having a firm grasp of the requirements of the customers. To maximize customer success, 2MC believes in encouraging the client to be actively engaged throughout the entire process, which, in turn, deepens its understanding of the project’s objectives and the expected results. Working closely with the clients, the company takes an educational approach to ensure users become acquainted with the tools. Before making a plethora of changes, the 2MC experts perform a meticulous process analysis to assess and understand the client’s data, simplify and improve their GRC processes and provide a seamless GRC ecosystem. This is followed by walking the clients through the design, build, prototyping, and implementation phases, allowing the tools to evolve as per their requirements. In the test phase, the 2MC team allows the clients to test the tool, evaluate if the system works as expected and ensures that the users are comfortable with how the tool works, before transitioning to the “go-live” phase. Foster-Westgarth emphasizes the need for a customer-centric implementation process that keeps the clients engaged and up-to-date about the progress throughout the process, from beginning to end.
From the data security perspective, while enabling digital transformation for its clients, 2MC, as part of the wider TÜV Rheinland Group, guides how to address security concerns in its tool implementations in addition to the wider security concerns of modern business, including the Internet of Things (IoT). 2MC equips clients with robust risk management, vulnerability testing, penetration testing and more, keeping GRC as the foundation for cybersecurity. “One cannot understand how to secure something without having a true reflection of the risk it holds for the organization. GRC is a foundational element for digital transformation,” explains O’Nion.
2MC’s expertise and efficiency in GRC implementation can be best explained through a customer success story that involved a large company operating in the PCI space. Despite being one of the biggest players in this space, the client, who leverages ServiceNow, was burdened with the predicament of following the PCI standards and effectively achieving compliance. The challenge for the client stemmed from generating 15 different reports for all of their components that were PCI applicable. The client lacked well-thought-out processes and tools to manage these reports, which led them to pay millions of pounds in fines every year for not adhering to the standard. This is where 2MC stepped in to link ServiceNow with the CMDB information that the client had within their environment. The information was automatically pulled together within the compliance area of the GRC architecture, which helped to determine levels of compliance with the standard. As a result, the client was able to demonstrate their compliance status using their ServiceNow instance and dramatically decrease the significant amount of fines this year.
Scripting similar success stories for its clients, 2MC will continue to bring its experience to bear on risk management and ServiceNow. Moving ahead, 2MC is focused on helping ServiceNow expand and develop the tool in the operational technology space. Unlike other consulting companies that often wax eloquent about their focus on the “customer” and claim global best practices, 2MC makes a difference with its winning delivery methodology that strives to service any request locally. Besides aggressive expansion plans in the UK market, the company also looks forward to tapping into and growing the TÜV Rheinland Group further in the GRC and cybersecurity sectors in Germany and the US, fitting into an exciting niche in both of those markets.