One of our customers, a major Dutch utility company with over 3000 employees and millions of customers, operates in a heavily regulated industry. That’s why demonstrating compliance with quality standards, laws and regulations is a critical priority for them. After a recent takeover by a Japanese organization, their Risk & Compliance efforts suddenly spiked due to JSOX requirements, putting their organization at risk of non-compliance.
The utility company’s IT landscape is vast and complex with varying levels of maturity across teams and tools. This also applies to their DevOps practices, where they maintain different DevOps tools and CI/CD pipelines.
The utility company was already using ServiceNow ITSM and HRSD and was investigating how to integrate DevOps pipelines into the ServiceNow Change Management processes for extended data standardization and aggregation.
Due to the use of multiple tools and different levels of maturity of these tools and their (DevOps) teams, there was no central place where they could monitor all the relevant CI/CD/Change Management data. This resulted in an inability to identify areas for improvement and monitor inefficiencies.
In addition, the former external auditor had repeatedly reported audit findings with respect to completeness and accuracy of audit trails within the Change Management data. Because the company now also falls under JSOX, more significant findings are expected.
The above resulted in an increased burden on the operational layer (the DevOps teams), but also on the Risk & Compliance function (2nd line of defense). The disconnected IT Change Management landscape became less scalable and was also causing bigger risks in terms of non-compliance.
As we speak, we are in the process of creating a centralized platform, where the utility company and their DevOps teams can monitor the entire IT Change Management landscape. We do this by integrating multiple CI/CD pipelines into ServiceNow, allowing them to fully automate their end-to-end change management process, while preserving the entire change management audit trail to be able to demonstrate compliance more efficiently.
Additionally, we are deploying the ServiceNow Integrated Risk Management solution in conjunction with the audit trail change management data to automatically detect potential issues of non-compliance. ServiceNow Integrated Risk Management allows the Risk & Compliance teams to set up automated control indicators, so they can easily and continuously query the DevOps/Change Management data in the platform.
These queries are based on the control parameters as defined in (e.g.) the JSOX Change Management control definitions. This flexible querying solution is 100% managed by the Risk & Compliance teams. This means they no longer have to bother the DevOps teams or business users.
As it turned out, we were able to prevent any impediments in the end-to-end change management process whilst providing maximum automation and minimum intervention from Risk & Compliance. At the same time, the Risk & Compliance team and the external auditor have their own tailored views on the truth using the flexible IRM shell on top of the real-time data. This abstraction layer bridges the gap between the operational DevOps teams and the controlling function of Risk & Compliance, resulting in greater harmony and happier employees.