“But he hasn’t got anything on!”—The Emperor’s New Clothes, Hans Christian Andersen

The Fable and the Analogy

Hans Christian Andersen’s tale of “The Emperor’s New Clothes” tells of a vain ruler tricked by swindlers who claim they can weave a magnificent fabric invisible to anyone incompetent or stupid. No one dares admit they see nothing—until a child innocently proclaims the truth.

The GRC technology market, like any other, has its own “emperors” and tailors. In recent years, ServiceNow has emerged as a dominant platform pushed into GRC use cases—branded not as GRC, but as IRM (Integrated Risk Management). And in many organizations, particularly outside of IT, people are starting to murmur: “But it doesn’t work for us.”

This article is not an attack, nor is it a “do not purchase” directive. Instead, it is a professional caution: a yellow light urging evaluation, due diligence, and an objective look before committing to ServiceNow for GRC. It is also a call to action: should you choose ServiceNow for GRC . . . make damn sure you have the right tailor (professional services firm), as that is the only way you will get satisfaction.

A Flood of Market Feedback

My first LinkedIn post on this issue drew significant attention:

  • 43,000+ views
  • 450+ likes
  • 90+ comments
  • 50+ reposts

I then wrote a follow-up LinkedIn post providing additional perspectives.

What was even more telling? Not one GRC professional outside of IT has come forward publicly or privately to say they love using ServiceNow for GRC. Not yet at least.

In contrast, I’ve received dozens of private messages and direct conversations from across industries, countries, and company sizes confirming consistent frustrations with ServiceNow for GRC/IRM use cases. One CISO at a mid-sized bank specifically stated that it was his “mission to get SNOW out of the bank for GRC use cases.”

The Core Issues with ServiceNow for GRC

🔴 1. Cost and Complexity

ServiceNow promotes its GRC modules as “out-of-the-box” solutions. Yet, in nearly every client conversation I have, these modules require extensive and expensive customization to even begin functioning as needed. One global organization told me:

“The TPRM module is their most immature and least thought-out module of all of ServiceNow.”

Another shared:

“ServiceNow is an ITSM platform they’ve tried to adapt for GRC. It’s tedious, unintuitive, and painful to maintain.”

The licensing model is complex, and the total cost of ownership (implementation + maintenance + upgrade costs) is the highest in the entire GRC market in GRC 20/20’s market research.

🔴 2. Performance Issues

The underlying architecture of ServiceNow was not originally built for GRC. Clients report slow response times, clunky workflows, and user experience limitations, especially when dealing with cross-functional risk and compliance processes.

🔴 3. Maintenance and Upgrades Are Difficult

ServiceNow’s relational database foundation includes an overwhelming number of interconnected tables. Clients say:

“Every new version potentially breaks something. We live in fear of upgrades.”

Customization increases fragility. Even ServiceNow’s own GRC modules can become unstable with version changes. For organizations with moderate to high customization, every upgrade is a risk.

🔴 4. GRC Decisions Driven by IT, Not Business Needs

This may be the most persistent challenge. Many implementations begin with IT departments selecting ServiceNow simply because it’s already in use for ITSM. The problem? Risk, compliance, audit, and legal teams are not consulted or heard. One organization told me:

“We never had a chance to weigh in. IT made the decision, and now we’re stuck.”

GRC should be business-led. IT is an enabler—not the driver.

I worked on one major GRC/ERM RFP in Europe for a global organization with over 60,000 employees. ServiceNow was eliminated at the very beginning against competitors and did not make the semi-finals or finals. A solution was chosen . . . then IT stepped in and said it would only be ServiceNow. SNOW wins RFPs that it loses.

🔴 5. Consulting Firms Stack the Deck

Consulting firms too often push ServiceNow regardless of fit. Why? Because of the massive ongoing revenue streams these projects generate. What starts as an implementation becomes an ETERNAL engagement.

In one case:

  • An organization spent $12M+ and 5 years on ServiceNow for GRC.
  • Fired the first consulting firm, brought in another.
  • Still not fully implemented.

Several organizations have told me outright:

“We cannot afford the ongoing implementation and maintenance costs.”


Stories from the Field

A few anonymized insights from real organizations:

  • Large FinTech: Says TPRM module is their least mature and weakest component.
  • Healthcare System: Recently finished implementation. Team dislikes the product. Another healthcare peer did the same and recently left SNOW and bought another solution to compensate.
  • Retail Enterprise: Abandoned ServiceNow entirely for another GRC solution that was easier to use, implement, and maintain.
  • HighTech: Turned off ServiceNow for GRC, returned to manual processes in many areas, and is pending RFP again.
  • Banking: IT chose ServiceNow despite the GRC team ruling it out in the RFP process. GRC needs were ignored.

The stories keep coming . . .


The Tailor Matters

ServiceNow’s success often hinges on who implements it.

In GRC 20/20 research, we see that boutique ServiceNow specialists consistently deliver better results and higher satisfaction than the big consulting houses. There are great people, magnificent people, at large consulting firms . . . but too often their voices are drowned out in pursuit of large, never-ending projects. The NeverEnding Story works as an analogy here as well . . .

Why do boutiques have a better track record with ServiceNow for GRC?

  • More agile
  • More engaged
  • More experienced in GRC specifically
  • Less incentive to bloat the scope

This does not mean every big firm fails. But it does mean that organizations should choose implementation partners carefully, and never default to the big-name brand.


So, Should You Use ServiceNow for GRC?

The answer: Maybe. But only if it fits.

ServiceNow GRC/IRM can work, particularly in IT-focused environments or when there is deep platform expertise in-house or with the right consulting firm (but be VERY selective). But it should never be the default, and it should not be forced on the business by IT or consultants.

GRC selection must be business-driven.

GRC use cases span risk management, compliance, audit, legal, ESG, third-party risk, and operational resilience. These teams must be part of the selection process.

Let ServiceNow compete. But let it win on capabilities, not on convenience by IT mandates or consulting firms aiming for HUGE never ending projects.


The Analyst’s Role: Calling Out the Pattern

No solution is perfect. Every vendor has a mix of satisfied and dissatisfied clients. But as an analyst with over 25 years of analyst experience (and 33 years total GRC experience), I have a responsibility to flag patterns when they emerge.

And this is clear: ServiceNow for GRC has more reported issues and frustrations than any other GRC technology in the market today, along with the highest cost to implement and maintain.

Until I begin hearing positive stories from GRC professionals outside of IT, my position remains:

Proceed with caution. Evaluate ServiceNow objectively. Choose the right tailor (partner). And never let convenience override capability.

Who should I call out next . . .