From Spreadsheets to ServiceNow IRM
What Actually Changes When You Make the Switch
The Before Picture
Let me describe a scene you probably recognize.
It’s a Tuesday afternoon, three weeks before your annual audit. You open the master control spreadsheet, the one with 47 tabs that only one person on the team truly understands, and start hunting for evidence. You check SharePoint, where evidence folders are nested six levels deep under naming conventions that made sense to someone, at some point. You scroll through an email chain titled RE: RE: RE: FW: Control Evidence Q3 looking for the latest version of a screenshot you’re not even sure is current. You find three versions of the same document, none of them labeled clearly, and none of them timestamped in a way that an auditor would accept without a follow-up question.
Meanwhile, the actual risk work (identifying emerging threats, evaluating control effectiveness, and responding to a new regulatory requirement) has been sitting untouched for two weeks. Because right now your entire GRC team isn’t managing risk; it’s managing spreadsheets.
This is not an exaggeration. Research from GRC 20/20 analyst Michael Rasmussen found that one mid-sized bank discovered eighty percent of their risk, compliance, and audit staff time was spent managing spreadsheets and building reports, not managing actual risk and compliance [1]. Another organization spent 200 hours building a single board-level risk report, aggregating data trapped across spreadsheets. The last year they did it that way, they discovered risk issues that had started eleven months earlier [1]. That’s not risk management. That’s archaeology.
Here’s the thing: this approach works. Organizations have operated this way for years, passed audits, and kept the lights on. The question isn’t whether it works. The question is whether it scales, and at what cost to your team, your accuracy, and your ability to make risk-informed decisions in real time.
So let me walk you through what actually changes when you move from spreadsheet-based GRC to ServiceNow IRM: the good, the hard, and the surprising. Not from a marketing deck. From someone who’s implemented it.
What Gets Easier: Evidence Collection and Audit Prep
If there’s one area where the shift from manual to IRM is felt immediately, it’s evidence management. And that’s because evidence collection is where spreadsheet-based GRC is at its most painful.
The manual reality
In a manual environment, evidence collection is a coordination exercise disguised as a compliance function. You send emails requesting screenshots, exports, and attestations. You chase people who haven’t responded. You get evidence back in different formats, dropped into different folders, with no consistent way to confirm who provided it, when, or whether it’s been modified. When the auditor asks “Where’s the evidence for this control?” your answer involves searching through SharePoint, emails, and possibly someone’s desktop.
One regulator cited by GRC 20/20 told a mid-sized bank that their use of spreadsheets for compliance assessments was inadequate because they couldn’t provide a reliable audit trail of who assessed what, when, and whether those records had been altered [1]. That’s not a theoretical problem. It’s a finding waiting to happen.
The ServiceNow IRM shift
In ServiceNow IRM, evidence links directly to control objectives. You collect evidence once and reuse it across multiple audits and frameworks [2]. Evidence requests go out with deadlines, automatic reminders, and escalation paths [3]. Every piece of evidence is timestamped with the submitter, the reviewer, and the approval status. When an auditor asks “Where’s the evidence for this control?” you filter. You don’t hunt.
The audit preparation shift is equally significant. Instead of an all-hands scramble in the weeks before an audit (pulling screenshots, assembling documentation binders, and reconciling conflicting spreadsheets), audit readiness becomes an ongoing state. Evidence is collected continuously. Control assessments are documented as they happen. When audit season arrives, the work is already done.
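To make the properties described above concrete, here is a small evidence register written for this article. It is an added example, not ServiceNow IRM code: it models evidence linked to control objectives, one artifact reused across controls from different frameworks, and a record of submitter, reviewer and approval status, and it adds a SHA-256 content fingerprint so that later alteration of an artifact (the gap the regulator cited) is detectable. The record fields, control ids, names and timestamps are constructed assumptions.

```python
"""Illustrative evidence register with a tamper-evident audit trail.

Added example written for this article, not ServiceNow IRM code. Field names,
control ids, user names and timestamps are constructed assumptions."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class EvidenceRecord:
    evidence_id: str
    submitted_by: str
    submitted_at: str
    sha256: str                      # fingerprint of the artifact as submitted
    control_ids: List[str]           # one artifact can satisfy several controls
    reviewed_by: Optional[str] = None
    status: str = "pending"          # pending | approved | rejected
    history: List[Tuple[str, str, str]] = field(default_factory=list)  # (when, who, action)


class EvidenceRegister:
    def __init__(self, clock: Optional[Callable[[], str]] = None):
        self._records: Dict[str, EvidenceRecord] = {}
        # Injectable clock so runs are reproducible; defaults to UTC now.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    @staticmethod
    def fingerprint(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def submit(self, evidence_id: str, content: bytes, submitted_by: str,
               control_ids: List[str]) -> EvidenceRecord:
        rec = EvidenceRecord(evidence_id, submitted_by, self._clock(),
                             self.fingerprint(content), list(control_ids))
        rec.history.append((rec.submitted_at, submitted_by, "submitted"))
        self._records[evidence_id] = rec
        return rec

    def review(self, evidence_id: str, reviewer: str, approve: bool) -> EvidenceRecord:
        rec = self._records[evidence_id]
        if reviewer == rec.submitted_by:
            # Segregation of duties: the submitter cannot approve their own evidence.
            raise ValueError("submitter cannot review their own evidence")
        rec.reviewed_by = reviewer
        rec.status = "approved" if approve else "rejected"
        rec.history.append((self._clock(), reviewer, rec.status))
        return rec

    def verify(self, evidence_id: str, content: bytes) -> bool:
        """True only if the artifact presented now matches what was submitted."""
        return self._records[evidence_id].sha256 == self.fingerprint(content)

    def evidence_for_control(self, control_id: str) -> List[EvidenceRecord]:
        """The 'filter, don't hunt' query: everything linked to one control."""
        return [r for r in self._records.values() if control_id in r.control_ids]


def demo() -> dict:
    """Constructed walk-through; the 'screenshot' is just bytes standing in for a file."""
    ticks = iter(["2024-10-01T09:00:00+00:00", "2024-10-02T14:30:00+00:00"])
    reg = EvidenceRegister(clock=lambda: next(ticks))
    screenshot = b"PNG-bytes-of-MFA-policy-screenshot (constructed)"
    # One artifact reused for controls from two different frameworks (placeholder ids).
    rec = reg.submit("EV-0001", screenshot, "control.owner",
                     ["FRAMEWORK-A-CTRL-12", "FRAMEWORK-B-CTRL-07"])
    reg.review("EV-0001", "compliance.lead", approve=True)
    return {
        "status": rec.status,
        "reviewed_by": rec.reviewed_by,
        "intact": reg.verify("EV-0001", screenshot),
        "tampered_detected": not reg.verify("EV-0001", screenshot + b" edited later"),
        "reused": len(reg.evidence_for_control("FRAMEWORK-A-CTRL-12")) == 1
                  and len(reg.evidence_for_control("FRAMEWORK-B-CTRL-07")) == 1,
        "history": rec.history,
    }


if __name__ == "__main__":
    print(demo())
```

The fingerprint is what turns “whether those records had been altered” from an open question into a yes-or-no check; the history list is the “who assessed what, when” trail, and the self-review guard is the segregation-of-duties rule an auditor would expect to see enforced rather than asserted.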
What the numbers say
ServiceNow’s own internal implementation, what they call their “Now on Now” program, provides concrete benchmarks. After deploying IRM internally, ServiceNow reported a 66% reduction in quarterly control certification time, a 50% reduction in control testing time through continuous monitoring, and a 90% reduction in coordination time with external auditors. They also reported saving $2.6 million annually by automating end-to-end GRC processes [5].
A note of practitioner honesty: You don’t get these results on day one. The initial setup takes real time and effort. But the shift in ongoing maintenance, from “scramble” to “maintain,” is where the ROI compounds.
What Gets Easier: Visibility and Reporting
The manual reality
Ask a GRC team running on spreadsheets “What’s our risk posture right now?” and watch what happens. Someone opens 15 spreadsheets. Someone else pulls data from a different set of files. Numbers don’t match between teams because everyone’s working from different versions. The board report that eventually gets assembled represents a snapshot that was already outdated before it was presented.
Remember that 200-hour report I mentioned earlier? That wasn’t a one-time event. That organization was building that report every year. Two hundred hours of staff time, annually, to produce a single deliverable that was already stale by the time leadership read it [1]. ServiceNow reported that after implementing IRM, they saw an 85% reduction in status tracking time by replacing manual compilation with real-time dashboards [4].
The ServiceNow IRM shift
ServiceNow IRM introduces a single source of truth. Everyone (control owners, risk managers, compliance leads, and executives) sees the same data. Real-time dashboards show compliance posture, open issues, control assessment status, and risk trends without anyone manually compiling anything [3]. Role-based workspaces mean executives see the strategic view they need while control owners see their specific tasks and deadlines.
But the reporting improvement isn’t just about dashboards. It’s about data integrity. In a spreadsheet environment, there’s no guarantee that the numbers in your Q3 report were calculated the same way as Q2. Different analysts may apply different criteria. Formulas break. Rows get accidentally deleted. ServiceNow IRM standardizes how data is captured, calculated, and presented, which means your quarter-over-quarter comparisons actually mean something.
The platform advantage
There’s a structural advantage here that’s easy to overlook. ServiceNow IRM sits on the Now Platform, the same platform that runs ITSM, Security Operations, HR Service Delivery, and IT Asset Management. That’s not a marketing point. It’s an architectural point. It means your IRM data can pull from vulnerability data in SecOps, change records from ITSM, and asset data from the CMDB [2]. Dependency modeling becomes possible because the platform already understands the relationships between your business services, applications, and infrastructure. When a control fails, you can trace the upstream and downstream impact, not because someone built a custom integration, but because the data already lives on the same platform.
What Gets Easier: Control Testing and Monitoring
The manual reality
In a manual GRC environment, control assessments are typically annual events. Each control can consume upward of 40 hours to test, and even then, you’re only testing a sample of three to five percent of actual activity [6]. The result is a point-in-time snapshot that tells you how things looked on the day you tested. It tells you nothing about the other 364 days.
Between assessment cycles, you’re essentially flying blind. A control could go non-compliant the day after your annual assessment, and you wouldn’t know until the next cycle, or worse, until an auditor finds it.
The ServiceNow IRM shift
This is where ServiceNow IRM makes one of its most fundamental changes: the shift from periodic to continuous controls monitoring. Indicator templates and scripted indicators pull data automatically from connected systems [3]. Instead of annually asking “Is MFA enabled for all privileged accounts?”, the system checks Active Directory on a defined schedule: daily, weekly, or however you configure it.
When a control goes non-compliant, an issue is auto-generated and routed to the appropriate owner. No waiting for someone to notice. No waiting for the next audit cycle. The problem surfaces when it happens, not months later. Integration with vulnerability scanners like Qualys, Tenable, and Rapid7 extends this further. Configuration compliance data flows directly into IRM, so your compliance posture reflects actual system state, not what someone reported in a spreadsheet six months ago.
This is the paradigm shift: from “find problems during an audit” to “find problems as they happen.” That’s not incremental improvement. That’s a fundamentally different operating model for compliance.
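The following is an added example written for this article, not ServiceNow code or a scripted indicator you can paste into the platform. It reproduces the operating model described above in plain Python: a scheduled check reads a data source, evaluates the “MFA on all privileged accounts” control, auto-generates an issue routed to the control owner when it fails, avoids opening a duplicate issue on repeat failures, and resolves the issue once a later run observes remediation. The directory export is a constructed stand-in for Active Directory, and the control id, owner and severity rule are my own assumptions.

```python
"""Illustrative continuous-control indicator: MFA enabled on all privileged accounts.

Added example written for this article, not ServiceNow IRM code. The export is a
constructed stand-in for a directory query; control id, owner and severity rule are
assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Control:
    control_id: str
    name: str
    owner: str           # who an auto-generated issue is routed to


@dataclass
class Issue:
    control_id: str
    assigned_to: str
    severity: str
    description: str
    state: str = "open"  # open | resolved


@dataclass
class IndicatorResult:
    control_id: str
    compliant: bool
    failing: List[str]
    issue: Optional[Issue]


MFA_CONTROL = Control("CTRL-IAM-04", "MFA enforced for privileged accounts", "iam.team")

# Constructed stand-in for a scheduled directory export (not real accounts).
SAMPLE_EXPORT: List[Dict] = [
    {"sam": "adm.alice",  "privileged": True,  "mfa_enabled": True},
    {"sam": "adm.bob",    "privileged": True,  "mfa_enabled": False},
    {"sam": "svc.backup", "privileged": True,  "mfa_enabled": False},
    {"sam": "jdoe",       "privileged": False, "mfa_enabled": False},  # not in scope
]


def evaluate_mfa_indicator(control: Control, export: List[Dict],
                           issues: List[Issue]) -> IndicatorResult:
    """One scheduled run. Appends a new Issue to `issues` when the control first fails,
    updates the existing open issue on repeat failures, and resolves it once compliant."""
    in_scope = [a for a in export if a["privileged"]]
    failing = sorted(a["sam"] for a in in_scope if not a["mfa_enabled"])
    open_issue = next((i for i in issues
                       if i.control_id == control.control_id and i.state == "open"), None)

    if not failing:
        if open_issue:
            open_issue.state = "resolved"   # remediation observed by this run
        return IndicatorResult(control.control_id, True, [], None)

    description = (f"{len(failing)}/{len(in_scope)} privileged accounts lack MFA: "
                   f"{', '.join(failing)}")
    if open_issue:
        # A failing check that re-runs daily must not flood the owner with duplicates.
        open_issue.description = description
        return IndicatorResult(control.control_id, False, failing, open_issue)

    # Assumed severity rule: more than a quarter of in-scope accounts failing is high.
    severity = "high" if len(failing) * 4 > len(in_scope) else "medium"
    issue = Issue(control.control_id, control.owner, severity, description)
    issues.append(issue)
    return IndicatorResult(control.control_id, False, failing, issue)


def simulate_schedule() -> List[IndicatorResult]:
    """Three scheduled runs: fail, fail again (same issue), then fixed."""
    issues: List[Issue] = []
    export = [dict(a) for a in SAMPLE_EXPORT]
    runs = [evaluate_mfa_indicator(MFA_CONTROL, export, issues),
            evaluate_mfa_indicator(MFA_CONTROL, export, issues)]
    for a in export:
        if a["privileged"]:
            a["mfa_enabled"] = True       # simulated remediation between runs
    runs.append(evaluate_mfa_indicator(MFA_CONTROL, export, issues))
    return runs


if __name__ == "__main__":
    for r in simulate_schedule():
        print(r.compliant, r.failing, r.issue)
```

Two design points carry over to a real indicator: the check reports against the population actually in scope (privileged accounts only), so the denominator is meaningful, and issue creation is idempotent per control, because a daily schedule that opens a fresh issue every day trains owners to ignore the queue.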
What Stays Hard: The Honest Part
If I stopped the article here, this would read like a vendor pitch. And that’s not the point. ServiceNow IRM is a capable platform, but it’s not magic. Here’s what practitioners actually need to prepare for.
IRM begins before the tool
This is something I come back to again and again, and it’s the central question we explore in Episode 2 of Let’s Talk IRM: “True or False? IRM Begins Before Tool Implementation.” The answer is unequivocally before. I’ve seen organizations invest in six-figure IRM platform purchases and end up with expensive shelfware because they skipped the hardest part: defining their processes, controls, and organizational structure before ever opening the tool.
You have to define your controls, entities, and policies before the system can manage them. Your control framework needs to be cleaned up. Your entity scoping needs to be mapped. Your risk criteria need to be established. If your control library is a mess of duplicate controls, inconsistent naming, and undocumented exceptions, ServiceNow IRM will automate that mess. Garbage in, garbage out applies here just as much as it does anywhere else.
Implementation takes real time
Each IRM capability (Policy and Compliance Management, Risk Management, and Audit Management) has its own implementation timeline, and it varies with factors such as the organization’s maturity level, the project team involved, and how well the process and the product are understood. You may hear that initial setup typically takes around three months [5], but that isn’t three months of clicking buttons. It can be three months of designing and configuring workflows that improve how your organization actually operates, testing those workflows against real scenarios, and iterating based on what you learn.
Adoption is a change management challenge
Moving to IRM means control owners now interact with the system directly. They receive tasks, submit evidence, complete assessments, and update control status in the platform. Not everyone will be excited about this. People who have spent years working in Excel will try to export data back to spreadsheets and work there. The person who was your “human integration layer,” the one who understood all the spreadsheets and manually stitched everything together, may feel threatened by a system that automates their role.
This is real change management work. It requires training, communication, executive sponsorship, and patience. The technology is the easier part. Getting people to trust and use it consistently is where the real effort lives.
Integration isn’t automatic
Continuous monitoring only works if you connect the data sources. The CMDB dependency modeling I described earlier only means something if your CMDB data is accurate. Scripted indicators require someone who can write and maintain them. These aren’t out-of-the-box capabilities you just switch on. They’re capabilities you build and maintain over time.
My advice
Start with a phased approach. Phase one: do the pre-work. Define your control framework, map your entities, and establish your risk criteria before you configure anything. Phase two: consolidate your spreadsheets into the system and automate evidence collection. Phase three: introduce continuous monitoring and build out integrations. Don’t try to do everything at once. I’ve seen implementations stall when teams try to deploy every capability simultaneously. The organizations that succeed are the ones that get the foundation right first and expand from there.
Where to Start
Before you buy anything, before you even start evaluating platforms, map where your data lives today. Which spreadsheets hold your control library? Where does evidence get stored? Who owns which assessments? How does information flow between teams? Understanding your current pain is what you’re solving for. The clearer you are about that, the more effectively you can configure a solution that actually addresses it.
This is exactly what we unpack in Episode 2 of Let’s Talk IRM: “True or False? IRM Begins Before Tool Implementation.” We walk through real stories from the ServiceNow Community where teams skipped the process-before-platform step, and what happened when they did. If this article resonated with you, that episode will give you the framework for building the business case internally.
Want a structured way to assess your current state? Download the Manual to IRM Translation Checklist, a practical tool for mapping your existing processes to what IRM can automate, so you know exactly where to focus first.
Next in the series: What ServiceNow IRM gives you out of the box versus what requires configuration, and how to plan for both.
Sources
[1] Rasmussen, M. / GRC 20/20, via Ansarada. “How Moving from Spreadsheets to a GRC Solution Provides Better Reporting.” ansarada.com
[2] ServiceNow. “Integrated Risk and Compliance Use Case Guide” (PDF). servicenow.com
[3] ServiceNow. “Integrated Risk Management” Data Sheet (PDF). servicenow.com
[4] ServiceNow Community. “ServiceNow CIS-IRM Exam Prep Video Series” (includes “Now on Now” implementation statistics). servicenow.com/community
[5] Milestone Technologies. “The Great Paradigm Shift: Moving from ServiceNow GRC to IRM.” milestone.tech
[6] Pathlock. “GRC vs. IRM: Elements and 3 Key Differences.” pathlock.com