Case StudyProfessional Services

How Arup realised global risk clarity to keep on top of compliance

How Arup realised global risk clarity to keep on top of compliance across all regions.

The Challenge

Arup, with 17,000 employees across 36 countries, managed cyber and technology risk through manual processes and spreadsheets. A team of 10 struggled through administrative overhead — one person's full-time role consisted entirely of maintaining a mailbox of policy requests.

Our Solution

Pulsar delivered a 12-week IRM implementation addressing policy chaos, control visibility gaps, and compliance reporting. Policy Management centralised the global repository with multi-language support. Advanced Risk Management introduced workflows capturing risk at source. Compliance Management provided real-time visibility across all geographies.

12 weeks

End-to-end delivery

17,000

Employees

Countries

5/5

CSAT score

Ten people, infinite spreadsheets

Arup operates at the intersection of engineering, design, and consulting across 36 countries. With 17,000 employees delivering some of the world's most complex projects, the firm's reputation hinges on rigorous risk management. But the systems meant to manage cyber and technology risk had become a hindrance.

A global risk and compliance team of ten managed regulatory requirements across three dozen countries. One person's full-time role consisted entirely of maintaining a mailbox of policy requests. Proactive risk identification gave way to reactive firefighting. Control monitoring happened through email chains and shared drives.

“

For employees bidding on new work, the friction was tangible. Accessing current policies and demonstrating compliance credentials required navigating multiple systems and hoping the information was current. In professional services where reputation secures contracts, this wasn't acceptable.

”

The building blocks for risk visibility

ServiceNow Policy Management centralised Arup's global policy repository with multi-language support and SharePoint integration. Rather than policies living in departmental silos, a single system of record emerged with version control, automated review cycles, and approval workflows.

Advanced Risk Management introduced streamlined workflows for identifying risks in new business applications and services. The team designed processes that captured risk data at source — during procurement, service design, and deployment — rather than retrospectively through spreadsheet requests.

Compliance Management delivered what had been impossible manually: real-time visibility into regulatory obligations and control effectiveness across countries, departments, and applications.

Risk management that enables rather than burdens

The risk and compliance team transformed from administrative overhead to strategic capability. The mailbox that consumed one full-time role is gone. Policies are accessible, current, and governed. Control monitoring happens automatically. Compliance visibility spans every region in real time. And a 5/5 CSAT score validates the approach.