GRC establishes both direct and indirect links between GRC records. These links enable it to
function with any hierarchy, regardless of the order in which the elements appear.
In this example hierarchy, an authority document manages building security regulations using a
policy that defines the potential risk and a control to ensure that the policy is being followed.
The goal is to report on authority documents by rolling up the results of failed and passed
control tests through policies and risks. Procedures have been put into place to prevent loss of
company property and data from unauthorized entry into company buildings. Security personnel are
directed to check the doors once an hour and report any issues they find. For the purposes of
this example, the authority document (a) is the first element created, and
the control (e) is the last element. When the link
(f) is created between the citations and the control, the system
generates the calculated links needed to roll up data properly through the hierarchy. These links
function the same with controls, risks, and policies in other configurations.

Process for linking elements

The best method for linking together the elements of a GRC hierarchy is to create each element
from within the record of another element. In this example, the first task is to create the
authority document and its citations, and then create a policy linked to a risk and a control.
Finally, the citations and the control are linked, which generates the calculated links between
the authority document and the other elements in the hierarchy. Remember that all elements must
be configured as pertinent for the system to complete the linking process.
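
The roll-up described above can be sketched as a graph problem. This is an added example, not code from the GRC product: it treats direct links as undirected edges, derives the calculated links of the authority document by walking only through pertinent elements, and counts control test results that reach it. The element names, the pertinent flag layout, the policy-to-control link and the test data are assumptions constructed for illustration.

```python
from collections import deque

# Constructed records modelled on the page's building-security example.
# Element names, the "pertinent" flag layout and link pairs are assumptions.
ELEMENTS = {name: {"pertinent": True} for name in
            ("authority_document", "citation", "policy", "risk", "control")}
DIRECT_LINKS = [
    ("authority_document", "citation"),
    ("policy", "risk"),
    ("policy", "control"),
    ("citation", "control"),  # link (f) in the page's example
]
CONTROL_TESTS = {"control": ["passed", "failed", "passed"]}  # hourly door checks


def _adjacency(links):
    adj = {}
    for a, b in links:  # links are undirected, so creation order is irrelevant
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def calculated_links(root, elements, links):
    """Elements reachable from root only indirectly, through pertinent elements."""
    adj = _adjacency(links)
    if not elements[root]["pertinent"]:
        return set()
    seen, queue = {root}, deque([root])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen and elements[nxt]["pertinent"]:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {root} - adj.get(root, set())


def roll_up(root, elements, links, tests):
    """Count passed/failed control tests that reach root via calculated links."""
    totals = {"passed": 0, "failed": 0}
    for element in calculated_links(root, elements, links):
        for result in tests.get(element, ()):
            totals[result] += 1
    return totals


if __name__ == "__main__":
    print(calculated_links("authority_document", ELEMENTS, DIRECT_LINKS))
    print(roll_up("authority_document", ELEMENTS, DIRECT_LINKS, CONTROL_TESTS))
```

Dropping the citation-to-control link, or marking the citation as not pertinent, leaves the authority document with no calculated links and an empty roll-up, which is the failure to look for when a report shows no control results.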