Profile scoping is permitted in each of the GRC applications. Policy and compliance
managers use profile scoping to create a system of internal controls and monitor compliance.
Risk managers use profile scoping to monitor risk exposure and perform risk assessments.
Dependencies are created using the dependency map and model or by creating tiers.
Profile scoping provides a way to allocate risks and controls at different levels. Profile
scoping involves the following elements:
- Profile Classes
- Profile classes allow GRC managers to separate profiles for better distinction, for
example Business Service Profiles, Department Profiles, and Business Unit Profiles.
Reports can be filtered to define relationships between the different profile classes.
A profile class defines what a profile actually is. Profiles can belong to many profile
types, but a profile can have only one profile class (for example, Business Service).
Profile classes can roll up to
- Profile Types
- Profile types are dynamic categories containing one or more profiles. Business logic
automates the process of creating and categorizing any profiles in the system that meet
the profile type filters. Profile types are associated with policy statements, which
generate controls for every profile listed in the profile type.
- Profiles
- Profiles are the records that aggregate GRC information related to a specific item.
Each profile is associated with a single record from any table in the instance.
Profiles cannot be created for items that do not have a record in a table in
Example of Profile Scoping
In this scoping example, the profile types contain the following profiles:
- Global Office Locations
  - Los Angeles Office
  - New York Office
  - Berlin Office
- North American Office Locations
  - Los Angeles Office
  - New York City Office
- European Union Office Locations
How do profiles relate to Policy and Compliance Management?
Profile scoping provides a systematic assignment of policy statements to controls and
maintains relational and hierarchical connections between those controls. The relationship
between profiles and profile types is many-to-many. Profile types are the high-level
categories, and profiles are the individual items that can be associated with a profile
type.
In this Policy and Compliance scoping example:
- policies and policy statements are assigned to profile types
- controls are created based on the profiles and associated policy statements
Note: Policy statements can be created without a policy, but must be assigned a profile type.
Controls can be created without an associated policy or policy statement, but must be
assigned to a profile.
Dependency models and maps
In the Jakarta release, the dependency map was aligned with the dependency model for
establishing upstream and downstream relationships between profiles. In the Kingston
release, tiers establish those relationships.
- Dependency models
Dependency modeling ensures that an organization establishes a uniform definition
of risk across the enterprise. The dependency model defines what relationships are
allowed between different types of areas in the organization. This enables more
effective risk normalization and aggregation by allowing stakeholders to more
effectively compare and contrast risk appetite and exposure at various levels of the
Creating a dependency model involves creating profile classes and defining how
classes are structured in relation to each other using the Roll up
- Dependency maps
Once dependency modeling is complete, you can build out a dependency map to define
how different parts of the organization are related to each other. The dependency
map represents what profile relationships exist. For example, you could specify that
certain projects and business services affect the HR department, which in turn
affects the enterprise.
Defining the dependency map involves creating profiles, defining the profile class
for each profile, then relating profiles to each other by specifying the
In the Kingston release, tiers establish upstream and downstream relationships. Profile
tiers are assigned to profile classes. The base system provides: Business, Application, and
IT Asset. Administrators can edit or add to the tiers.
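As an added illustration (not ServiceNow code or its API), the following Python models the scoping and dependency logic described above: profiles carry a single class, profile-type filters categorize profiles dynamically, each policy statement on a type yields one control per in-scope profile, and a dependency model rejects map relationships between classes that are not allowed to roll up to each other. The "Location" class, the region attribute, the policy statements and the roll-up rules are constructed for the example.

```python
# Constructed toy model of profile scoping; not ServiceNow code or API.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

@dataclass
class Profile:
    name: str
    profile_class: str   # exactly one class per profile (e.g. "Location")
    region: str          # sample attribute that profile-type filters test

@dataclass
class ProfileType:
    name: str
    matches: Callable[[Profile], bool]              # filter evaluated dynamically
    policy_statements: List[str] = field(default_factory=list)

def members(ptype: ProfileType, profiles: List[Profile]) -> List[str]:
    """A profile is categorized into every type whose filter it satisfies."""
    return [p.name for p in profiles if ptype.matches(p)]

def generate_controls(ptypes: List[ProfileType],
                      profiles: List[Profile]) -> Set[Tuple[str, str]]:
    """Each policy statement on a type yields one control per profile in it."""
    return {(stmt, name) for t in ptypes for stmt in t.policy_statements
            for name in members(t, profiles)}

# Dependency model: the profile classes each class is allowed to roll up to.
ROLL_UP: Dict[str, Set[str]] = {"Business Service": {"Department"},
                                "Department": {"Enterprise"}, "Enterprise": set()}

def invalid_edges(edges: List[Tuple[str, str]], profiles: List[Profile],
                  model: Dict[str, Set[str]] = ROLL_UP) -> List[Tuple[str, str]]:
    """Dependency-map edges (upstream, downstream) that the model forbids."""
    cls = {p.name: p.profile_class for p in profiles}
    return [(u, d) for u, d in edges if cls[d] not in model[cls[u]]]

# Sample data built from the page's office example (policy statements constructed).
OFFICES = [Profile("Los Angeles Office", "Location", "NA"),
           Profile("New York Office", "Location", "NA"),
           Profile("Berlin Office", "Location", "EU")]
TYPES = [ProfileType("Global Office Locations", lambda p: True, ["Badge access reviewed"]),
         ProfileType("North American Office Locations", lambda p: p.region == "NA"),
         ProfileType("European Union Office Locations", lambda p: p.region == "EU",
                     ["GDPR notice posted"])]
# Sample dependency map; the last edge points the wrong way and must be rejected.
ORG = [Profile("Payroll Service", "Business Service", "NA"),
       Profile("HR Department", "Department", "NA"),
       Profile("Enterprise", "Enterprise", "NA")]
EDGES = [("Payroll Service", "HR Department"), ("HR Department", "Enterprise"),
         ("Enterprise", "Payroll Service")]
```

Running `invalid_edges(EDGES, ORG)` flags only the Enterprise-to-Payroll edge, and `generate_controls(TYPES, OFFICES)` yields four controls: the global statement for all three offices plus the EU statement for Berlin.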