Integrate with Governance, Risk, and Compliance to identify application risks and controls

  • Release version: Australia
  • Updated Mar 12, 2026
  • 4 min read
  • Enterprise Architecture (formerly Application Portfolio Management) integrates with Governance, Risk, and Compliance (GRC) to help identify and assess risks on business applications.

    Before you begin

    Role required: admin

    About this task

    Using the GRC application, you can analyze the risks associated with assets such as hardware, software, and business applications. You can also identify and test the controls associated with those risks, and review the audits that were conducted on those assets. This analysis helps application owners understand the risk of a business application effectively.

    The application owner can identify significant risks and compliance issues that the business applications are exposed to, without having to engage an external auditing system and run the applications through the auditing process.

    Activate the following plugins to integrate Enterprise Architecture with GRC.

    Procedure

    1. Navigate to All > System Definition > Plugins.
    2. Install the GRC: GRC Profile Dependencies (com.snc.grc_profile_dep) plugin.
    3. Install the GRC: Vendor Risk Management Dependencies (com.snc.grc_vrm_dep) plugin.
    4. Install GRC: Policy and Compliance Management Dependencies (com.snc.grc_policy_dep) plugin.

      This also requires installation of app-compliance from the ServiceNow app store.

      Note:
      The integration also requires certain applications that must be installed from the ServiceNow app store. See Request apps on the Store for instructions to download and activate them.

    What to do next

    Create an entity referencing the business application. Attach the entity to an audit.

    Create an entity for audit referencing business application

    Create an entity that references the business application table and the specific application record. Use the entity to scope risk exposure and perform risk assessments on business applications.

    Before you begin

    Role required: sn_audit.admin or sn_audit.manager

    About this task

    GRC uses the term entity instead of profile. An entity is anything that can be audited, such as a database, a server, or a business application.

    Procedure

    1. Navigate to All > Audit > Scoping > All Entities.
    2. Click New.
    3. On the form, fill in the fields.
      For field information, see Entity Form.
    4. Click Submit.

    Associate a risk to the entity

    Attach the entity to a risk and create a risk record. Assess and identify risks that can adversely affect your business applications.

    Before you begin

    Role required: sn_risk.admin and sn_risk.manager

    Procedure

    1. Navigate to All > Risk > Risk Register > All Risks.
    2. Create a risk in the Risk form.

      See: Create a risk manually.

      Note:

      Relate the risk to the entity in the Entity field.

    Add business application entity to an engagement

    Entities are assessed and evaluated for an audit engagement. The entities that are scoped and validated for the engagement are then associated with an audit.

    Before you begin

    Role required: sn_audit.manager or sn_audit.admin

    To add a business application entity to an engagement, you should have created an entity referencing the business application in the Entity field of the Entity form. See: Create an entity for audit referencing business application.

    Procedure

    1. Navigate to All > Audit > Engagements > All Engagements.
    2. To add the business application entity to the engagement, click the Add button in the Entities related list.
      Note:
      The engagement must be in the Scope or Validate state.

      See: Add profiles to an engagement scope.

      When an application profile is attached to an engagement, an engagement record with the associated profile is created in the Profile to Engagements [sn_audit_m2m_profile_engagement] table.

    Add a control to the business application entity

    Associate a control with a business application entity that might be at risk. It is mandatory that you set effective controls on your business applications to mitigate risks and protect your business. As you upgrade your business applications, you can replace outdated controls.

    Before you begin

    Role required: admin

    You must have created an entity before associating a control with it. Controls are created in GRC.

    Procedure

    To create a control and add an entity to the control, see Create a control.
    • The entity that you select from the Controls [sn_compliance_control] table must be a business application and the entity Class of the record must be application.
    • The control record can be in either the Draft or the Retired state. However, controls in those states are not visible in Enterprise Architecture (formerly Application Portfolio Management) and cannot be associated with a business application there.

    View Governance, Risk, and Compliance risks and engagements for business application

    As an application owner, you can view the risks that a business application is exposed to. Governance, Risk, and Compliance (GRC) audits the business application entity, and the audited risks and engagements are captured as scripted related lists on the business application form.

    Before you begin

    Role required: sn_apm.apm_user, sn_apm.business_stakeholder_apm_user

    Procedure

    1. Navigate to All > Enterprise Architecture > Application Portfolio > All Business Applications.
    2. Click the GRC Risks related item.
    3. View the name of the risk statement, its description, the category of risk (legal, financial, operational, and so on), the inherent impact, which indicates the level of risk, and the inherent likelihood, which indicates how likely the risk is to occur.
    4. Click the Engagements related item.
    5. View the name of the engagement, the user to whom it is assigned, the state the engagement is in, the planned start date on which the activity should begin, its end date, the percentage of the engagement completed, and the actual cost of the engagement.
    6. Click the Controls related item.
    7. View the name of the control, its owner, the status of the control (whether it is compliant or not), the classification of the control (preventive, corrective, or detective), and the attestation frequency at which the scheduled job runs.
    8. Click the display/hide hierarchical lists arrow beside a risk record in the GRC Risks related list to view all the controls that you have associated with the risk of the business application.

      When you associate a control with a risk, the control with its associated risk is created in the Risk to Control [sn_risk_m2m_risk_control] table.

      Figure 1. Controls associated with a risk