Entity scoping in GRC

Entity scoping is permitted in each of the core GRC applications. Scoping provides a way to allocate risks and controls at different levels. Dependencies are created using the dependency map in the GRC Workbench.

What is entity scoping?

Note: Starting with New York, the term profile was replaced with the term entity. See GRC application nomenclature updates and industry terminology for more information about all updated GRC application terms.

Organizations have various control owners maintaining individual files and spreadsheets for tracking the compliance of different systems, projects, organizations, etc. In this environment, risk managers cannot prevent, or even be aware of, the duplicate risks and controls created on shared entities. The entire purpose of entity scoping is to provide a top-down approach for maintaining your risk universe, which is the hierarchical library of both risks and controls. Mature organizations with a healthy risk posture find that most risks are standard and recurring. Entity scoping helps you catalog and visualize upstream and downstream risks and controls based on the roll-up of the related entities.

Figure 1. From an organic approach to a structured system
Image: a legacy system with various Excel spreadsheets tracking individual risks, and the improved top-down structure with a relationship hierarchy.
  1. Create or edit Entity Types and map them using the Entity Filter to existing ServiceNow® tables.
  2. Map these entity types to external regulations and internal policies using control objectives and risk statements.
  3. Generate risk and control instances on related entities.
  4. Maintain your risk appetite and scoring results by the aggregated calculation for entities; all combinations for risk scores on risk roll-up.
Figure 2. Scoping process