Governance, Risk, and Compliance (GRC)

The ServiceNow® GRC application contains three main products: Policy and Compliance Management, Risk Management, and Audit Management.

The legacy GRC (com.snc.governance) plugin has been deprecated. Instances upgraded from a previous release can continue using legacy GRC, but the plugin is not available for activation.

The GRC: Performance Analytics Premium Integration plugin provides an integration between Performance Analytics and the Risk Management and Policy and Compliance Management applications, providing more insight into organizational risk and compliance performance.

The GRC Workbench plugin gives GRC administrators a graphical interface to create profile and risk dependencies, enabling consistent risk mapping and modeling across the enterprise.

Figure 1. GRC products

The GRC-related applications allow your organization to:

- Manage issues to track remediation or issue exception
- Document and publish policies
- Download and import UCF content
- Utilize controls and mitigate risk
- Assess risk exposure
- Continuously monitor risks and controls
- Plan and conduct internal audits

Notes about GRC plugins

- Whenever any of the GRC plugins are activated, both the GRC: Profiles [com.sn_grc] plugin and the GRC: Common [com.sn.grc.common] plugin are automatically activated, providing core components and a common architecture for all GRC applications.
- All three GRC applications can be configured for mobile applications using the basic ServiceNow platform capabilities.
- Although Audit Management does not require the activation of the Policy and Compliance Management or Risk Management plugins, the functionality and features in the audit application are more robust if all three GRC plugins are activated.

GRC roles

The GRC applications provide a set of ServiceNow roles that are personas for GRC professionals. These roles provide permissions to perform work and may contain other roles.

Table 1. GRC roles

| Group | Description | Examples |
|---|---|---|
| Governance | Approves GRC documents | Board of Directors, Executive Staff |
| Specialized administrators | Sets criteria for using GRC | sn_compliance.admin, sn_risk.admin, sn_audit.admin |
| Managers | Perform all actions except those reserved for admins | sn_compliance.manager, sn_risk.manager, sn_audit.manager |
| Users | Own specific items, submit requests, and manage their own tasks, access public pages, take surveys, and use Live Feed and Chat. | sn_compliance.user, sn_risk.user, sn_audit.user |

Notes about integrations with UCF

- Users must have a UCF Common Controls Hub account to create shared lists and import them into ServiceNow®.
- The UCF common controls functionality is not automatically turned on by activating Policy and Compliance Management. The GRC: Compliance UCF plugin must be activated and users must have a UCF Common Controls Hub account to create shared lists and import them into ServiceNow®.

Policy and Compliance Management

The ServiceNow® Policy and Compliance Management product provides a centralized process for creating and managing policies, standards, and internal control procedures that are cross-mapped to external regulations and best practices. Additionally, the application provides structured workflows for the identification, assessment, and continuous monitoring of control activities.

Risk Management

The ServiceNow® Risk Management application provides a centralized process to identify, assess, respond to, and continuously monitor Enterprise and IT risks that may negatively impact business operations. The application also provides structured workflows for the management of risk assessments, risk indicators, and risk issues.

Audit Management

The ServiceNow® Audit Management application involves a set of activities related to planning audit engagements, executing engagements, and reporting findings to the audit committee and executive board. Engagement reporting assures key stakeholders that the organization's risk and compliance management strategy is effective.

Governance, Risk, and Compliance (GRC) - Legacy

The ServiceNow® Governance, Risk, and Compliance (GRC) application enables you to document authority documents, policies, and risks and then design controls to enforce those documents and mitigate risk. Your organization can schedule and run control tests and/or conduct audits to gather compliance evidence and identify failures that require remediation.