Governance, Risk, and Compliance release notes

Governance, Risk, and Compliance product enhancements and updates in the Geneva release.

Activation information

Administrators can activate the GRC plugin. Additional plugins are activated as needed. This plugin provides demo data. In addition, the GRC: Risk plugin (new in Geneva) must be activated to use Profiles.

New in the Geneva release

The new Risk application enhances the Risk Management capabilities in the Governance, Risk and Compliance product in the Geneva release.

The new Risk application:

  • Provides a mechanism to quickly identify the scope of risk assessments
  • Identifies at-risk items
  • Records risks against the at-risk items
  • Scores the risks and responds with remediation activities

Profile Types

Profile Types are used to quickly identify a list of common records that should be assessed for risk. For example, a risk manager may want to perform a risk assessment against all of the organization's operational applications. Using profile types, the user can define a source table (e.g. Applications) and apply filter conditions (e.g. Operational status = Operational).

Profiles

Profiles aggregate Risk information related to a specific item. Profiles can exist for any record on any table on the platform, such as for a business service, vendor, demand, software, or contract. An item can only have one profile, but it can belong to many Profile Types.

Risk Definitions

Risk Definitions act as a template for creating risks, but also allow you to group like risks together. Use Risk Definitions to ensure that risks are assessed consistently across all Profiles in a Profile Type. For example, a risk manager may want to assess all applications for the risk of an outage. A risk manager can create a risk definition (e.g. Application Outage) and relate the risk definition to the Profile Type (e.g. Applications). ServiceNow will then generate a risk in the risk register for each record belonging to the related Profile Type.

Risk Criteria

Risk Criteria are the scoring values attributed to the likelihood that a risk will occur, and the significance to your organization if the risk does occur. Risk Criteria values can be modified using the Risk Properties and Risk Criteria Thresholds.

Risk Properties

Risk Properties allow an administrator to set the maximum Significance and Likelihood values that are available on the risk form.

Risk Scoring

Users are now able to set an inherent and residual score for the likelihood and significance of a risk. These values result in a calculated score for the risk based on how an organization responds to it via mitigation or other methods. All of the scores for individual risks associated with a Profile roll up to overall scores for the inherent, residual, and calculated risk of that Profile.

Risk Overview

The Risk Overview provides an executive view into Risk, allowing Risk Managers to quickly identify areas of concern by pinpointing Profiles with known high risk, as well as by displaying warnings for Profiles in non-compliance, which increases risk. The overview is a homepage that displays up-to-the-minute information in gauges containing visuals such as the new Heatmap.

Risk Criteria Thresholds

Risk Criteria Thresholds allow an organization to modify the labels associated with the Risk Criteria values for Significance and Likelihood, so that the values align with the organization's risk scoring methodology.

Changed in the Geneva release

  • All references to "IT GRC" have been eliminated, and are now simply "GRC".
  • On the control test definition form, when the condition type is "Attestation," the user recipient field is now a ‘slush bucket,’ so that multiple users or groups can be identified as recipients.
  • On the control test definition form, when the condition type is "Attestation," setting the assignment type field to Dynamic enables the admin to choose a field from a table as the recipient. All users specified in this field will be recipients of the attestation.