Strategic thoughts on Governance Risk & Compliance (a Knowledge 21 Presentation)

For ServiceNow Knowledge 21 annual event, I was invited to do a presentation on Compliance. The requirement was to do a live TedTalk style presentation… no slides… no pre-recorded session.

The video is now available on-demand at the Knowledge 21 website. But for those who prefer reading, this is the full text transcript of the presentation.

The target audience is corporate leadership, platform owners, and risk & compliance specialists. This is a vendor and platform agnostic presentation, focussing on corporate governance.

Speaker Introduction by ServiceNow

Today, we have invited a worldwide expert from the field of Compliance. Let me introduce Shiva Thomas, who has an amazing track record of being one of the very few technical AND business expert for Governance, Risk and Compliance (GRC).

He’s here as one of the few ServiceNow Certified Master Architects in the world. Shiva also has been awarded Community MVP status twice, our elite recognition for public contributions within our online Community.

CMA and MVP are our most elite recognitions. They each have been given to about 60 experts from all around the world, but Shiva is the only one who achieved both.

Shiva Thomas works at Cognizant where he’s the GRC/IRM Domain Lead. He has been guiding and implementing ServiceNow instances for the past ten years.

Welcome Shiva.


I’m from a country that loves regulations and compliance. In my region, the joke is that every Swiss seems to act as a compliance officer. In my case, the joke is real, as a became one! 😁

That’s why, today, I’ve been asked to share with you a few knowledge nuggets from a Master Architect, who has specialised in Governance, Risk and Compliance…

What is a Master Architect, some of you may ask? It’s the expert who connect with the top-management of large-enterprises, to understand their business objectives, and to advise on strategic solutions. I also lead teams of technical architects to help design the global solutions that will contribute to the enterprise objectives.

Today, I’m happy to be with you to discuss:

  • How rooting Risk & Compliance within the foundation of your business processes can help you achieve better organisational resilience.
  • I’ll also share what is the most frequent and biggest mistake I’ve seen hampering such a goal.


Building a solid enterprise is very hard. Really! Everyone will assure you that they have experience, common sense, and use best practices. If that was truly the case, there would not be so many failed projects in the world.

Compliance failures and bad risk management, also known as cheating, is what led to the Volkswagen diesel-gate scandal.

That’s why investors, insurers, and regulators forces companies to follow standardized best practices, and audit them for compliance… To avoid long lasting consequence of failures.

Regulations like SOX, HIPAA, the credit-card industry’s PCI DSS, the various disclosure laws, the European Data Protection Act… — all of those are the sticks the industry has found to beat companies over the head with. Regulations and audits forces companies to take their due diligence duties more seriously.

Implementing compliance is hard. I know, as I have been a PCI DSS Compliance Officer and Chief Information Security Officer. You need good technological solutions, but you also need support and commitment from the CEO.

Now, let’s pause there… Not having support and commitment from the CEO is the biggest and most frequent issue I’m confronted with when I help customers implement or improve their compliance!

Top-Down vs Bottom-Up

Let me share some real-life example… When a specific department asks me to implement Risk & Compliance for them, it’s the sign of a bottom-up approach. That department needs to be compliant, so they are looking for a solution to help them fulfill that requirement. If that department is IT, they will probably only be interested by the compliance of their IT Assets.

Yet, value providing Risk & Compliance can only be achieved at the whole company level, across every departments. If your best IT expert leaves unexpectantly, you may find yourself victim of a new operational risk. A monthly employee satisfaction survey may help you measure that probability. Unfortunately, this kind of risk management is almost never implemented at the level a single department, as you would need to onboard the HR as well.

Another yearly survey could ask the IT managers to assess the financial impact of the sudden departure of their key employees. Without many efforts, you’re now be able to financially quantify the risk of losing your experts. You’re now able to negotiate remediation measures to lower this threat and you’re increasing your company operational resilience!

I’ve seen that most departments are lacking that big-picture mindset and are losing themselves in fulfilling their mandatory compliance. This fragmented approach, called bottom-up, is killing the value that the whole company could benefit, if they switched to a top-down approach.

Top-down is when Risk and Compliance is designed to apply across all departments, and that every efforts are targeted toward giving top-management the information they need to make informed decisions based on costs vs rewards.

The CEO of a large company doesn’t want to know if a specific anti-intrusion software is worth its price. That kind of information may matter to the head of IT and the Chief Risk Officer. But the CEO of a large group needs to know which of his legal entities is having a financial risk larger than its revenue… or for which country or department he should focus his attention to increase the company resilience against risks. To get that information, numbers need to be aggregated across the whole business, flowing, or levitating, from the bottom of the organization’s pyramid to its top.

Compliance vs Risk

Let’s dig on that costs vs rewards

When I was a little kid, my parents gave me sets of rules to follows. I had to brush my teeth after each meal, I had to cross the road only at pedestrian crossings.

As a kid, compliance was my focus. I had to follows those rules, else I would be reprimanded.

Unknown to me at that time, for my parents, risk was the focus. If I forgot to brush my teeth once, nothing bad would happen to me… But crossing the road at the wrong place, would increase the risk of dire consequences.

The adult, risk-focusing, approach is all about comparing best cases vs worst cases to govern your decisions.

The same logic applies to any enterprise, so please consider your own processes. Is Compliance build into the core of your daily tasks, or was that added as an afterthought?

Are you aware of a recurring process to assess the financial or reputational risks that your job may have on the company itself? Answering those questions should give you a good idea on how mature your company is regarding Risk and Compliance.

Key takeaways

I’ll start with a short licensing quick win. I’ve noticed that customers with ServiceNow contracts signed years ago may have Policy & Compliance solutions grandfathered in their license at no additional cost. Yet some of you are not aware of it… Especially compliance teams. If you’re not sure, I encourage you to check with your account manager.

Now, let’s move back to processes… Like Security-by-design, Compliance-by-design means that your business should be built from the foundations to be compliant. Growing into compliance-by-design after a process was created is possible, but it’s a change of mentality that will take time and effort to achieve. Keep that in mind, if you want to shift to better resilience and add compliance-by-design in your company practices.

Another important thing to understand… Compliance, in itself, is not a goal. Nobody is ever 100% compliant in every domains.

If you focus strictly on Compliance this is probably the symptom of you living in a Bottom-Up approach.

If it’s not a goal, it’s because Monitoring your Compliance is a tool for Risk management, which is a tool to enable Strategic Governance and Operational Resilience

Let’s add some big emphasis here! That imply that Strategic Governance and Operational Resilience are the real Top-Down objectives you should focus on.

Therefore, I’m back to my previous biggest implementation mistake: To avoid being stuck in a bottom-up approach, and loose governance value, your project should have active sponsorship from either your CRO, CISO, or ideally the CEO.

To conclude, let me suggest adding Operational Resilience as a strategic goal.

I’ve used that word a lot, let’s formalize its definition: Resilience is the psychological quality that allows some people to be knocked down by the adversities of life and come back at least as strong as before.

Operational resilience is your business’ ability to change or adapt during times of stress, disruption, or uncertainty.

Since both are key factors for success in these turbulent times, I wish you as much resilience as possible, both as an individual, and for your enterprises.

I’m the GRC/IRM Domain Lead for Cognizant, one of the largest ServiceNow Partners awarded Elite Status by ServiceNow. You’re more than welcome to reach me via mail or via the comments section of this article.

Thank you!

Leave a Reply