Transforming GRC for AEON Bank

Deploying ServiceNow full-suite GRC for next-generation risk management capabilities

  • Case Study
  • July 04, 2025

AEON Bank (M) Berhad is one of the leading digital banks in Malaysia and was successfully launched on 26 May 2024. Since its inception, the bank has taken significant strides to position itself as Malaysia’s first Islamic digital bank and offers innovative and inclusive financial services to retail customers in the country. 

Client: AEON Bank (M) Berhad

Industry: Financial services

Our role: Governance, risk and compliance (GRC)

Solution: ServiceNow GRC solution

Situation: Beyond the regulatory compliance checkbox

The implementation of a governance, risk and compliance (GRC) solution at AEON Bank (M) Berhad (AEON Bank) was driven by the need to align with regulatory expectations to digitise its operational risk management (ORM) and business continuity management (BCM) processes. Adopting a broader strategic approach, AEON Bank sought to go beyond the baseline regulatory expectations by implementing the full-suite GRC solution that seamlessly leverages its existing technological ecosystem. The scope covers key processes for operational risk management, technology risk management, business continuity management, regulatory compliance management, audit management, third-party risk management and security operations.

In addition to complying with Bank Negara’s expectations and requirements for a GRC solution, AEON Bank recognises the value of a truly integrated solution as a strategic enabler in providing full visibility of the bank’s risk and compliance posture, breaking down siloed operations and automating its key GRC processes.

Solution: Extending ServiceNow beyond ITSM into GRC

In searching for a vendor to deliver its strategic vision for an integrated GRC solution, the bank knew that it needed not only a solution that covers the entire expected scope, but also a system integrator with a strong local presence and an implementation consultant with the breadth and depth of experience for such a complex and large-scale GRC solution.

“My vision was to build a truly integrated and intelligent GRC platform, one that seamlessly connects risk, compliance and internal audit functions to enhance decision-making, reduce rework and improve overall productivity,” says Kirenjeet, Chief Risk Officer at AEON Bank. “I aspired to break down the siloed way of implementing second and third lines of defence by leveraging ServiceNow (SNOW) to create a unified GRC ecosystem. We needed an ecosystem where risks, controls, issues and audit findings can be managed via a single source of truth, with clear linkages and accountability across all lines of defence. It was important for us to embed not only IT Service Management (ITSM) but also the Security Operations (SecOps) module into the GRC platform.”

The goal is to achieve a holistic view of risk and assurance across the enterprise, enabled by a platform that delivers insights at the click of a button. This strategic transformation is not just about implementing a tool; it's about reimagining how we work, collaborate and create value through smarter governance.

Kirenjeet, Chief Risk Officer, AEON Bank

PricewaterhouseCoopers Risk Services Sdn. Bhd. (PwC) collaborated with Strateq Group, a leading ServiceNow system integrator in Malaysia, and was chosen by the bank to deliver this mandate. Through this synergy, we offered what the bank needed: a delivery team with deep understanding of each of the GRC domains and a proven track record in delivering complex engagements for other financial institutions.

AEON Bank is an existing ServiceNow customer for its IT Service Management (ITSM) and IT Asset Management solution. Extending the platform to its GRC modules makes perfect sense, enabling the bank to seamlessly leverage the IT assets that were inventorised for its technology risk assessments and security operations, and subsequently feed back any action plans required through its ITSM Change and Problem Management modules. This enables AEON Bank to have an end-to-end solution, bridging the gaps between IT operations and the respective GRC functions for the bank.

From the very first engagement, even before the deal was secured, we had already assembled a battle-tested team with one clear mission: to deliver maximum value to AEON Bank. More than just implementing a platform, this team took ownership of AEON Bank’s goals as if they were their own — working tirelessly, adapting quickly, and co-creating every step of the way. They were fully invested in the project’s success from start to finish.

Vignesh Krisnan, Director, Strateq Group

Experience: Building the right foundation through a phased and collaborative approach

Throughout the large-scale implementation, PwC diagnosed and addressed several key issues that were crucial for AEON Bank's transformation journey. One of the primary challenges was the need to establish a common taxonomy and shared organisational framework for all the GRC activities within the bank. Before deep diving into the modules for implementation, PwC facilitated the alignment of a unified entity scoping, which inventorised the organisation structure, providing a strong foundation and a single reference point for all GRC activities to ensure consistency in reporting with a common taxonomy.

PwC adopted a phased approach to the full-suite implementation. This strategy took regulatory expectations into consideration for certain modules, while calibrating the deployment according to the varied maturity and readiness levels of each of the bank’s functions. This tailored implementation ensured that each module was launched successfully and adapted to the unique needs of the bank.

Additionally, transitioning to an integrated GRC solution required AEON Bank to embrace new ways of working. PwC provided insights to bridge the gaps between the bank's requirements and industry best practices. Despite being a new digital bank, launched just a year ago, AEON Bank demonstrated remarkable agility and openness to change, even as some GRC processes were new and not fully established.

Active collaboration was key to this success, not only within common GRC functions such as risk, audit, and compliance, but also including the IT operations and cybersecurity teams. To facilitate greater adoption of the platform, PwC conducted a series of training sessions and produced detailed, bite-sized video recordings that eased the transition for AEON Bank team members.

Transitioning to a digital platform demands embracing new ways of working and fostering effective collaboration across teams. AEON Bank's openness and commitment to these principles were pivotal in ensuring the successful implementation.

Joshua David Chai, Scrum Master & Solution Architect, PwC

Results: Modernised and unified GRC system towards long-term resilience and scalability

For organisations seeking to digitise and automate their GRC functions, PwC's engagement with AEON Bank exemplifies the impact of a full-suite solution, ensuring collaboration and information sharing across assurance functions.

One of the primary achievements was the creation of a single, unified source of truth across various domains, including operational risk, technology risk, business continuity, audit management, compliance, third-party management, and security operations. Aligning this taxonomy from the outset in the foundational phase was crucial to enable and automate AEON Bank’s GRC processes, ensuring accurate and targeted risk assessment across identified entities within the bank. This alignment, in turn, ensures consistent reporting by these entities and provides a comprehensive overview of risk, audit and compliance issues within the same unified framework.

AEON Bank now benefits from an integrated view of organisational and divisional risk posture, facilitated by advanced GRC dashboarding capabilities. These capabilities allow for a comprehensive and real-time understanding of risk across the entire bank, enabling informed decision-making and strategic planning. Notably, AEON Bank’s audit teams can now seamlessly incorporate risks identified by other functions into their evaluations, allowing unified risk management efforts.

AEON Bank continues to explore ways to enhance its ServiceNow platform, utilising the new predictive intelligence and agentic AI capabilities on the platform. Our efforts mark the beginnings of comprehensive and integrated GRC capabilities for AEON Bank, equipped for the challenges of tomorrow.
