Governance, Risk, and Compliance (GRC)

The ServiceNow® GRC application contains three main products: Policy and Compliance Management, Risk Management, and Audit Management. The legacy GRC (com.snc.governance) plugin has been deprecated. Instances upgraded from a previous release can continue using legacy GRC, but the plugin is not available for activation. The GRC: Performance Analytics Premium Integration plugin integrates Performance Analytics with the Risk Management and Policy and Compliance Management applications, giving more insight into organizational risk and compliance performance. The GRC Workbench plugin gives GRC administrators a graphical interface for creating profile and risk dependencies, enabling consistent risk mapping and modeling across the enterprise.

Figure 1. GRC products
The GRC-related applications allow your organization to:
  • Manage issues to track remediation or issue exception
  • Document and publish policies
  • Download and import UCF content
  • Utilize controls and mitigate risk
  • Assess risk exposure
  • Continuously monitor risks and controls
  • Plan and conduct internal audits

Notes about GRC plugins

  • Whenever any of the GRC plugins is activated, both the GRC: Profiles [com.sn_grc] plugin and the GRC: Common [com.sn.grc.common] plugin are automatically activated, providing core components and a common architecture for all GRC applications.
  • All three GRC applications can be configured for mobile applications using the basic ServiceNow platform capabilities.
  • Although Audit Management does not require the activation of the Policy and Compliance Management or Risk Management plugins, the functionality and features in the audit application are more robust if all three GRC plugins are activated.

GRC roles

The GRC applications provide a set of ServiceNow roles that are personas for GRC professionals. These roles provide permissions to perform work and may contain other roles.

Table 1. GRC roles

  Group                      | Description                                                                                                                | Examples
  Governance                 | Approves GRC documents                                                                                                     | Board of Directors, Executive Staff
  Specialized administrators | Sets criteria for using GRC                                                                                                | sn_compliance.admin, sn_risk.admin, sn_audit.admin
  Managers                   | Perform all actions except those reserved for admins                                                                       | sn_compliance.manager, sn_risk.manager, sn_audit.manager
  Users                      | Own specific items, submit requests, manage their own tasks, access public pages, take surveys, and use Live Feed and Chat | sn_compliance.user, sn_risk.user, sn_audit.user

Notes about integrations with UCF

  • Users must have a UCF Common Controls Hub account to create shared lists and import them into ServiceNow®.
  • The UCF common controls functionality is not automatically turned on by activating Policy and Compliance Management. The GRC: Compliance UCF plugin must be activated, and users must have a UCF Common Controls Hub account to create shared lists and import them into ServiceNow®.