Governance, Risk, and Compliance (GRC) Governance, Risk, and Compliance (GRC) is the methodology created to manage the strict and complex regulatory and industry requirements across corporate environments. The ServiceNow® GRC suite contains four main applications: Policy and Compliance Management, Risk Management, Audit Management, and Vendor Risk Management. Who uses GRC? The complete GRC process involves all areas of your organization working together. Board of directors Audit committee IT steering committee Compliance officer Risk officers (conduct risk assessment and identify all that can go wrong in business) All levels of management (assist the risk officers with the identification of what can go wrong in their processes) Audit committee Auditors (an independent body, typically reporting to the board of directors) GRC and the Now Platform Because the GRC application is built on the Now Platform, data and evidence is provided back to GRC allowing you: full access to all asset, configuration, and IT data within the instance automatic evidence and data collection to see if controls are working access to source data from real-time reporting centralized access and management for all authoritative sources, policies, and controls full work flow integration and business process support integrating controls directly into your business processes document management and knowledge base can be used to support Policy Management and control test instructions secure integration to gather evidence and report on controls outside of the instance Applications and integrations supporting GRC workflow The following applications and integrations work together with other GRC applications or ServiceNow® applications to maximize your GRC workflow. Table 1. GRC integration plugins Plugin Name Can the plugin be activated by a user with the admin role? Is there demo data? What application is this plugin used with? GRC: Vendor Risk Management (com.sn_vdr_risk_asmt) No GRC: Policy and Compliance Management (com.sn_compliance) GRC: Risk Management GRC: Compliance UCF (com.sn_comp_ucf) No GRC: Policy and Compliance Management (com.sn_compliance) GRC: Performance Analytics Integration (com.sn_grc_pa) No GRC: Policy and Compliance Management (com.sn_compliance) GRC: Risk Management GRC: SIG Questionnaire Integration (com.sn_sig_asmt) No GRC: Vendor Risk Management (com.sn_vdr_risk_asmt) GRC terminology The following terms are used within GRC applications. Term Definition Additional information Authority documents The regulations, certifications, frameworks, standards that an organization chooses or is required for compliance with regulations. Related to controls, risks, policies. IT audits typically rely on the authority documents downloaded from Network Frontiers, Unified Compliance Framework. Citations Citations are records with the specific requirements cited by an authority document. The citation record relates authority documents to its applicable control. Policies Policies include policies, standards, and procedures. Policies are related to authoritative documents and control records. Publishing and version control of policies are managed using document and knowledge management capabilities from the Now Platform. Custom workflows ensure all policy changes are routed to the appropriate work owners for final approval. All approved organizational policies are published in the knowledge base. Risks A risk is any threat or vulnerability that could adversely affect your organization’s business objectives. All risks are contained in one risk repository. Risks can be related to any item, policy, control, and remediation task. Risks requiring immediate or ongoing attention can be mitigated, prevented, or controlled using the defined controls and related control tests. Controls Controls are the actual control activities performed by your organization. These control records include the basic required information about the control (owner, activity, frequency, etc.) Controls can be related to authoritative source contents, policies, and risks. Control framework The control framework is a single consolidated set of controls which perform and preserve the cross mapping of controls that are critical for audits. Control test definitions Control test definitions specify how and when controls are tested, including testing steps, expected results, the group or individual responsible for the testing, and the test schedule. Control test instances are automatically generated from the test schedule. Remediations are automatically created when control tests fail or when audit observations are noted. Control Test Instances Control test instances are the specific occurrences when a control is tested, including: the assigned person or group, the execution steps and expected results (from the control test definition), and the results of the control test. Includes details from the control test definition. Audit An audit is a coordinated event where the organization identifies all of the controls that they want to test at one time and assigns responsibility of the overall audit to a single person. A single task manages the testing of all the controls. Audits are related to controls and control tests. Audit Activities An audit activity is one of the tasks within an audit that is assigned to an individual for execution of the audit. Audit Observations Audit observations are used by internal auditors for identifying control gaps or identifying new risks. Audit observations are related to control gaps and risks. Remediation Remediation tasks are automatically created when a control test fails or when audit observations are noted. Remediation tasks include information about the control test instance and is typically assigned to a remediation group or to the control owner. Remediations are related to controls, control test failures, and control test instances.