Exploring GRC: Metrics

  • Release version: Yokohama
  • Updated August 18, 2025
  • 3 minutes to read

    A metric is used to measure and evaluate the effectiveness of your organizational processes. A metric or a combination of metrics can provide an insight into a system, component, or process.

    GRC: Metrics overview

    The GRC: Metrics application enables other applications to assess, compare, and track the performance of their processes.

    The user role responsible for reading, creating, and updating metric definitions and metrics is the GRC: Metrics manager (sn_grc_metric.manager).

    You define metrics by using the Metrics form. A metric combines a metric definition with an entity. When you apply a metric definition to an entity, the GRC: Metrics application creates a metric. After you define metrics, the application collects data to show how well each process works. For example, a metric can measure an incident resolution process by tracking the time needed to resolve an incident.

    Every organization has a range of data sources for building and structuring its own metric analysis. To establish a useful metric, the metrics manager must first assess and set the goals. Next, the manager sets the targets for the metrics so that they are integrated with the organization's business decisions.

    Qualitative and quantitative metrics

    You can classify your metrics into qualitative and quantitative measurements.

    Qualitative metrics in Risk Management are derived from a subjective judgment that you form based on other information. Examples of qualitative metrics in Risk Management include categorizing risk severity as Low, Medium, or High, or assessing control effectiveness using a descriptive scale.

    Quantitative metrics in Risk Management are metrics that you can express as a specific number, typically calculated through a formula. Examples of quantitative metrics for an organization include the number of overdue risk assessments, the number of failed controls, and so on.

    Examples of metrics

    Rising system downtime indicates infrastructure instability or maintenance gaps, which may lead to productivity loss and operational disruption. For example, downtime exceeding 5 hours per month triggers a technical infrastructure audit.

    GRC: Metrics workflow in Integrated Risk Management

    The metrics workflow defines how organizations design, operationalize, and monitor Key Risk Indicators (KRIs) and Key Control Indicators (KCIs) to gain visibility into enterprise risk exposure.

    Figure 1. Workflow of metrics
    Workflow of metrics in IRM.
    1. An operational risk manager defines the overall metrics framework. This establishes the foundation for measuring risk performance and verifies that KRIs and KCIs are consistently applied across the organization.
    2. The operational risk manager trains business stakeholders on how the metrics framework works, including how KRIs and KCIs are identified, measured, and used to monitor risk.
    3. Relevant risks and controls that require ongoing monitoring are identified.
    4. For each selected risk and control, appropriate KRIs and KCIs are identified.
    5. The operational risk manager defines the threshold values for KRIs and KCIs. A threshold serves as a limit that triggers alerts or remediation when it is exceeded.
    6. The operational risk manager identifies data owners for each indicator. These owners are responsible for providing and validating the data used to calculate the metrics, either by manually submitting the required data or by configuring automated metrics that collect the data on an ongoing, automated basis.
    7. A business operational risk manager reviews the defined KRIs, KCIs, and thresholds to confirm that they align with business requirements.
    8. The business operational risk manager can refine the thresholds to align them with business needs.
    9. Employees provide the required data to calculate KRIs and KCIs at the defined frequency.
    10. The operational risk manager and the business operational risk manager continuously monitor the indicators and generate reports. Leadership and risk managers use dashboards and reports to view trends, threshold breaches, and the overall risk posture.
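    As an added illustration (not ServiceNow code, and not the GRC: Metrics application's own data model or API; all class names, the ordinal scale, the thresholds, and the sample observations are assumptions), the following Python models the concepts in the overview and in the workflow above: a metric created by applying a definition to an entity, a quantitative KRI and a qualitative KCI, threshold checks that trigger an action, a data-owner check on submitted values, and a breach and trend report of the kind step 10 describes.

```python
"""Toy model of metrics, thresholds and breach reporting as this page describes them.
Added illustration only: not ServiceNow code and not the GRC: Metrics data model.
Class names, scale, thresholds and sample observations are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed ordinal scale for qualitative metrics such as risk severity.
QUALITATIVE_SCALE = {"Low": 1, "Medium": 2, "High": 3}

# A threshold breaches when: observed <comparison> limit.
COMPARISONS = {
    ">": lambda observed, limit: observed > limit,
    ">=": lambda observed, limit: observed >= limit,
    "<": lambda observed, limit: observed < limit,
    "<=": lambda observed, limit: observed <= limit,
}

@dataclass(frozen=True)
class MetricDefinition:
    """What is measured, and the threshold that triggers an action."""
    name: str
    kind: str                 # "quantitative" (number) or "qualitative" (scale label)
    threshold: object         # a number, or a label from QUALITATIVE_SCALE
    comparison: str = ">"     # key of COMPARISONS
    action: str = "alert"     # remediation triggered on breach

@dataclass
class Metric:
    """A metric is a definition applied to one entity, with a named data owner."""
    definition: MetricDefinition
    entity: str
    data_owner: str
    observations: list = field(default_factory=list)  # (date, raw value) pairs

def create_metric(definition: MetricDefinition, entity: str, data_owner: str) -> Metric:
    """Applying a definition to an entity creates the metric."""
    if definition.comparison not in COMPARISONS:
        raise ValueError(f"unknown comparison {definition.comparison!r}")
    return Metric(definition, entity, data_owner)

def to_number(definition: MetricDefinition, value) -> float:
    """Map a raw value onto the number line; reject labels outside the scale."""
    if definition.kind == "qualitative":
        if value not in QUALITATIVE_SCALE:
            raise ValueError(f"{value!r} is not on the scale {list(QUALITATIVE_SCALE)}")
        return float(QUALITATIVE_SCALE[value])
    return float(value)

def is_breach(metric: Metric, value) -> bool:
    """True when the observed value crosses the definition's threshold."""
    observed = to_number(metric.definition, value)
    limit = to_number(metric.definition, metric.definition.threshold)
    return COMPARISONS[metric.definition.comparison](observed, limit)

def record(metric: Metric, when: date, value, submitted_by: str) -> Optional[str]:
    """The data owner submits one observation; returns the triggered action, if any."""
    if submitted_by != metric.data_owner:
        raise PermissionError(f"{submitted_by} is not the data owner for {metric.entity}")
    to_number(metric.definition, value)  # validate before storing
    metric.observations.append((when, value))
    return metric.definition.action if is_breach(metric, value) else None

def breach_report(metrics: list) -> list:
    """One dashboard row per metric: latest value, trend, and threshold breaches."""
    rows = []
    for m in metrics:
        series = [to_number(m.definition, v) for _, v in m.observations]
        if len(series) < 2 or series[-1] == series[0]:
            trend = "flat"
        else:
            trend = "rising" if series[-1] > series[0] else "falling"
        rows.append({
            "metric": f"{m.definition.name} / {m.entity}",
            "latest": m.observations[-1][1] if m.observations else None,
            "trend": trend,
            "breaches": [d.isoformat() for d, v in m.observations if is_breach(m, v)],
        })
    return rows

def demo() -> list:
    """Constructed sample data: a quantitative KRI and a qualitative KCI."""
    downtime = MetricDefinition("System downtime (hours/month)", "quantitative",
                                threshold=5, comparison=">",
                                action="technical infrastructure audit")
    severity = MetricDefinition("Residual risk severity", "qualitative",
                                threshold="High", comparison=">=",
                                action="escalate to risk committee")
    kri = create_metric(downtime, "Payments platform", data_owner="ops.lead")
    kci = create_metric(severity, "Payments platform", data_owner="risk.owner")
    for when, hours in [(date(2025, 1, 31), 3.5), (date(2025, 2, 28), 4.8),
                        (date(2025, 3, 31), 6.2)]:
        record(kri, when, hours, submitted_by="ops.lead")
    record(kci, date(2025, 1, 31), "Medium", submitted_by="risk.owner")
    record(kci, date(2025, 3, 31), "High", submitted_by="risk.owner")
    return breach_report([kri, kci])

if __name__ == "__main__":
    for row in demo():
        print(row)
```

    In the sample data the March downtime observation (6.2 hours) crosses the 5-hour threshold and the severity label "High" meets the qualitative threshold, so both rows of the report list a single breach in March with a rising trend; a value submitted by anyone other than the assigned data owner, or a label that is not on the scale, is rejected before it is stored.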