
How Arup realised global risk clarity to keep on top of compliance
Arup, with 17,000 employees across 36 countries, managed cyber and technology risk through manual processes and spreadsheets. A team of 10 struggled through administrative overhead — one person's full-time role consisted entirely of maintaining a mailbox of policy requests.
Pulsar delivered a 12-week IRM implementation addressing policy chaos, control visibility gaps, and compliance reporting. Policy Management centralised the global repository with multi-language support. Advanced Risk Management introduced workflows capturing risk at source. Compliance Management provided real-time visibility across all geographies.
12 weeks
End-to-end delivery
17,000
Employees
36
Countries
5/5
CSAT score
Ten people, infinite spreadsheets
Arup operates at the intersection of engineering, design, and consulting across 36 countries. With 17,000 employees delivering some of the world's most complex projects, the firm's reputation hinges on rigorous risk management. But the systems meant to manage cyber and technology risk had become a hindrance.
A global risk and compliance team of ten managed regulatory requirements across three dozen countries. One person's full-time role consisted entirely of maintaining a mailbox of policy requests. Proactive risk identification gave way to reactive firefighting. Control monitoring happened through email chains and shared drives.
For employees bidding on new work, the friction was tangible. Accessing current policies and demonstrating compliance credentials required navigating multiple systems and hoping the information was current. In professional services where reputation secures contracts, this wasn't acceptable.
The building blocks for risk visibility
ServiceNow Policy Management centralised Arup's global policy repository with multi-language support and SharePoint integration. Rather than policies living in departmental silos, a single system of record emerged with version control, automated review cycles, and approval workflows.
Advanced Risk Management introduced streamlined workflows for identifying risks in new business applications and services. The team designed processes that captured risk data at source — during procurement, service design, and deployment — rather than retrospectively through spreadsheet requests.
Compliance Management delivered what had been impossible manually: real-time visibility into regulatory obligations and control effectiveness across countries, departments, and applications.
Risk management that enables rather than burdens
The risk and compliance team transformed from administrative overhead to strategic capability. The mailbox that consumed one full-time role is gone. Policies are accessible, current, and governed. Control monitoring happens automatically. Compliance visibility spans every region in real time. And a 5/5 CSAT score validates the approach.
Risk Management
Centralised risk identification and monitoring.
Explore capabilityPolicy & Compliance Management
Single source of truth for regulations and controls.
The results
12-week end-to-end implementation delivering seamless global rollout
Single global hub for all policies with version control and automated review cycles
Automated control monitoring using accelerators and existing platform data
Real-time compliance visibility across regions, countries, departments, and applications
Full audit trails for all cyber and technology risk processes
5 out of 5 customer satisfaction score
Eliminated manual mailbox management, freeing team for proactive risk management
Facing something similar?
Talk to the practitioners behind this work — we'll tell you honestly what we'd do.