GRC calculated links example

GRC establishes both direct and indirect links between GRC records that enable it to function with any hierarchy, regardless of the order in which the elements appear.

In this example hierarchy, an authority document manages building security regulations using a policy that defines the potential risk and a control to ensure that the policy is being followed. The goal is to report on authority documents by rolling up the results of failed and passed control tests through policies and risks.

Procedures have been put into place to prevent loss of company property and data from unauthorized entry into company buildings. Security personnel are directed to check the doors once an hour and report any issues they find.

For the purposes of this example, the authority document (a) is the first element created, and the control (e) is the last element. When the link (f) is created between the citations and the control, the system generates the calculated links needed to roll up data properly through the hierarchy. These links function the same with controls, risks, and policies in other configurations.

Figure 1. GRC calculated links example

Process for linking elements

The best method for linking together the elements of a GRC hierarchy is to create each element from within the record of another element. In this example, the first task is to create the authority document and its citations, and then create a policy linked to a risk and a control. Finally, the citations and the control are linked, which generates the calculated links between the authority document and the other elements in the hierarchy. Remember that all elements must be configured as pertinent for the system to complete the linking process.
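
The following Python sketch models the roll-up described above. It is an added example, not the product's own code or data model. It assumes that direct links are undirected, that a calculated link is any element reachable through a chain of direct links, and that a non-pertinent element blocks the chain; the element names and test results are constructed.

```python
from collections import deque

# Constructed sample data modelled on the building-security example above.
PERTINENT = {"authority_document": True, "citation": True, "policy": True,
             "risk": True, "control": True}
DIRECT_LINKS = [("authority_document", "citation"), ("policy", "risk"),
                ("policy", "control")]
FINAL_LINK = ("citation", "control")  # the link labelled (f) in the text
CONTROL_TESTS = {"control": ["passed", "passed", "failed"]}  # hourly door checks


def reachable(start, links, pertinent):
    """Return every element reachable from start through pertinent elements."""
    if not pertinent.get(start):
        return set()
    adjacency = {}
    for a, b in links:  # assumption: links can be followed in both directions
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen and pertinent.get(nxt):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def calculated_links(start, links, pertinent):
    """Indirect links: reachable elements that have no direct link to start."""
    direct = {b if a == start else a for a, b in links if start in (a, b)}
    return reachable(start, links, pertinent) - direct


def roll_up(start, links, pertinent, tests):
    """Count passed and failed control tests that roll up to start."""
    totals = {"passed": 0, "failed": 0}
    for element in reachable(start, links, pertinent):
        for result in tests.get(element, []):
            totals[result] += 1
    return totals
```

Until `FINAL_LINK` is added, the authority document has no calculated links and no test results roll up to it; marking the policy as not pertinent cuts off the risk even after the link exists.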