Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Integrate with GRC to identify application risks

Log in to subscribe to topics and get notified when content changes.

Integrate with GRC to identify application risks

Application Portfolio Management (APM) integrates with Governance, Risk, and Compliance (GRC) to help identify and assess risks on business applications.

Before you begin

Role required: admin

About this task

Using the GRC application, you can analyze the risks associated with assets such as hardware, software, and business application. Furthermore, identify and test controls associated with those risks as well as look at the audits that were conducted on those assets. This helps the application owners to understand the risk of the business application effectively.

Significant risks and compliance issues that your business applications are exposed to can be caught by the application owner, without having to engage an external auditing system and run the applications through the auditing process.

Activate the following plugins to integrate APM with GRC.


  1. Navigate to System Definition > Plugins.
  2. Install the GRC: GRC Profile Dependencies (com.snc.grc_profile_dep) plugin.
  3. Install the GRC: Vendor Risk Management Dependencies (com.snc.grc_vrm_dep) plugin.
    Note: The integration also requires certain applications that should be installed from the ServiceNow app store. See Request apps on the Store for instructions to download and activate them.

What to do next

Create an entity referencing the business application. Attach the entity to an audit.

Create an entity for audit referencing business application

Create an entity with reference to the business application table and its specific application record. Use the entity to scope risk exposure and perform risk assessments on business applications.

Before you begin

Role required: sn_audit.admin or sn_audit.manager

About this task

GRC uses the term, entity, instead of profile. An entity can be anything such as a database, server, or a business application that can be audited.


  1. Navigate to Audit > Scoping > All Entities.
  2. Click New.
  3. On the form, fill in the fields.
    Table 1. Entity form
    Field Description
    Name Name of the profile.
    Owned by Owner of the profile.
    Applies to Business application table where all the business application records are stored.

    In the dialog box that opens up, enter the business application table in the Table name field and the business application record in the Document field.

    Active Check box to activate the entity.
    Class Profile class to which the application belongs.
  4. Click Submit.

Associate a risk to the entity

Attach the entity to a risk and create a risk record. Assess and identify risks that can adversely affect your business applications.

Before you begin

Role required: sn_risk.admin and sn_risk.manager


  1. Navigate to Risk > Risk Register > All Risks.
  2. Create a risk in the Risk form.

    See: Create a risk manually.


    Relate the risk to the entity in the Entity field.

Add business application entity to an engagement

The entities are assessed and evaluated for audit engagement. After which the entities that are scoped for audit engagement and validated are associated to an audit.

Before you begin

Role required: sn_audit.manager or sn_audit.admin

To add a business application entity to an engagement, you should have created an entity referencing the business application in the Entity field of the Entity form. See: Create an entity for audit referencing business application.


  1. Navigate to Audit > Engagements > All Engagements.
  2. To add the business application entity to the engagement, click Add button in the Entities related list.
    Note: The engagement must be in Scope or Validate state.

    See: Add profiles to an engagement scope.

    When an application profile is attached to an engagement, an engagement record with the associated profile is created in Profile to Engagements [sn_audit_m2m_profile_engagement] table.

View GRC risks and engagements for business application

As an application owner, you can view the risks that a business application is exposed to. GRC audits the business application entity and the audited risks and engagements are captured as scripted related lists in the business application form.

Before you begin

Role required: sn_apm.apm_user, sn_apm.business_stakeholder_apm_user


  1. Navigate to Application Portfolio Management > Application Portfolio > All Business Applications.
  2. Click GRC Risks related item.
  3. View the name of the risk statement, its description, the category of risk (legal, financial, operational, and so on), inherent impact that indicates the levels of risk, and inherent likelihood that indicates the likelihood of the risk occurring.
  4. Click Engagements related item.
  5. View the name of the engagement, the user to whom it is assigned, the state in which the engagement is, planned start date on which the activity should begin, its end date, the percentage of engagement completed, and the actual cost of the engagement.