Understanding how various parts of the organization are related to each other provides a
more comprehensive risk assessment process. Stakeholders can discern how risks in different
parts of the organization and at different levels of the organization impact each other. The
scoping of profiles is permitted in each of the GRC applications, but the GRC Workbench,
which provides a visual presentation of those dependencies, is only activated for use with Risk
What is Profile Scoping?
Profile scoping provides a way to allocate risks and controls at different levels. Profile
scoping involves the following elements:
- Profile Classes
  - Profile classes allow GRC managers to separate profiles for better distinction, for
    example, Business Service Profiles, Department Profiles, Business Unit Profiles, and
    the like. Reports can be filtered to define relationships between the different
    profile classes. A profile class defines what a profile actually is. Profiles can
    belong to many profile types, but a profile can have only one profile class (for
    example, Business Service). Profile classes can roll up to each other, leading to the
    development of the dependency model. See What is GRC dependency modeling and mapping?
- Profile Types
  - Profile types are dynamic categories containing one or more profiles. Business
    logic automates the process of creating and categorizing any profiles in the system
    that meet the profile type conditions. Profile types are assigned to policy
    statements, which generate controls for every profile listed in the profile type.
- Profiles
  - Profiles are the records that aggregate GRC information related to a
    specific item. Each profile is associated with a single record from any table in the
    instance. Profiles cannot be created for items that do not have a record in a table in
Who uses Profile Scoping?
- Policy and compliance managers use profile scoping to create a system of internal controls
and monitor compliance.
- Risk managers use profile scoping to monitor risk exposure and perform risk assessments.
Example of Profile Scoping
In this scoping example, the profile types contain the following profiles:
- Global Office Locations
  - Los Angeles Office
  - New York Office
  - Berlin Office
- North American Office Locations
  - Los Angeles Office
  - New York City Office
- European Union Office Locations
How do profiles relate to Policy and Compliance Management?
Profile scoping provides a systematic assignment of policy statements to controls and
maintains relational and hierarchical connections between those controls. Profiles and
profile types can have a many-to-many relationship. Profile types are the high-level
categories, and profiles are the individual items that can be associated with the profile type.
In this Policy and Compliance scoping example:
- Policies and policy statements are assigned to profile types.
- Controls are created based on the profiles and associated policy statements.
Note: Policy statements can be created without a policy, but must be assigned a profile type.
Controls can be created without an associated policy or policy statement, but must be assigned
to a profile.