Few industries are more heavily regulated than gas and utilities.
From environmental laws to worker-safety standards, the compliance
burden is intense. For Calgary-based AltaGas, governance, risk and
compliance (GRC) management grew even more complex with its 2017
acquisition of WGL Energy.
At a Knowledge 2019 breakout session, Renato Cunha, AltaGas’s
cybersecurity lead, described the GRC challenges created by the
merger. AltaGas and WGL had different processes to manage
cybersecurity, risk and compliance, which had to be aligned. One of
the requirements to complete the integration of their systems was to
have both companies with an equivalent level of maturity of their
The merger compounded already serious problems in AltaGas’s existing
cybersecurity and GRC processes. They scored low on the maturity model
for effective risk management, and they provided little visibility
into the risks that the security team had to manage. The approval
process was inefficient and manual, and it required multiple
sign-offs. Worst of all, the data was dispersed across multiple platforms,
making issue tracking and risk management “a spreadsheet nightmare,”
AltaGas turned to ServiceNow’s GRC solution on the Now Platform.
While colleagues pushed for alternate vendors whose products they had
used before, such as Archer, Cunha pitched ServiceNow for its
simplicity, robust platform and faster deployment. The GRC module was
ready to use without any customization, supporting AltaGas’s goals.
“We implemented Risk Management 100% out of the box, and we did it
in 45 days,” Cunha said. “We kept it simple from Day 1.”
Using ServiceNow’s Risk Management GRC module, AltaGas created a
centralized register to track more than 180 risk factors from 15 data
sources and also automated the risk acceptance process, which had been
a manual and very inefficient process. With ServiceNow, everything is
on one page. Because the module did not require customization, the
company was able to boost its maturity score almost immediately.
Using ServiceNow allowed AltaGas to increase the maturity of the
cybersecurity and GRC processes and enable a better alignment with
WGL’s security processes.
The seven-step implementation took a mere six weeks, from
installation and configuration through user training and QA. Cunha
stressed that the rapid deployment was made possible because his team
started with a solid understanding of the model’s out-of-the-box capabilities.