Using the item generation process to generate controls and risks

  • Release version: Xanadu
  • Updated July 31, 2025
  • 6 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Using the item generation process to generate controls and risks

    The ServiceNow® Governance, Risk, and Compliance (GRC) suite enables automatic generation of controls and risks within an organization using the enhanced item generation process (version 2) available in release 13.x.x. This process replaces the legacy version 1 process, addressing previous stalling and performance issues to improve efficiency significantly.

    Show full answer Show less

    Controls represent the organization's actual control activities tied to policies, regulations, or risks, and are generated by associating policies with entity types or control objectives. Risks represent potential threats or vulnerabilities linked to items like policies, controls, or remediation tasks, generated by associating risk frameworks or risk statements with entity types.

    Key Features

    • Enhanced Performance: The new item generation process drastically reduces processing time for controls and risks, e.g., generating 10,000 risks in about 5.27 minutes versus 13.7 minutes in the legacy system.
    • Action Queue and Scheduled Job: Actions to generate or update controls and risks are queued and processed sequentially, managed by a scheduled job that prevents stalled actions and race conditions.
    • Error Handling and Logging: Detailed error messages and status logs provide transparency and assist compliance and risk managers in quickly troubleshooting issues.
    • Script Includes Action Handlers: Modular script includes handle item generation actions for Policy and Compliance Management and Risk Management, with roles allowing review and customization of action strategies.
    • Applications Involved: The process uses the GRC applications: Policy and Compliance Management, Risk Management, and Profiles (auto-installed with the former two).

    Upgrade Considerations

    To use the enhanced item generation process (v2), both the Policy and Compliance Management and Risk Management applications must be upgraded to version 13.x.x simultaneously. Partial upgrades or upgrading only the Profiles application will trigger error messages requiring both main applications to be upgraded. Existing implementations remain functional with no visible changes post-upgrade, while legacy versions remain supported if not upgraded.

    Configuration and Management

    Administrators with the sngrc.admin role can configure the frequency of the scheduled job that processes the item generation action queue, balancing system performance and processing needs. The action event queue records each generation action, allowing monitoring of progress and errors.

    Users with appropriate roles can access and customize script includes to tailor the behavior of the item generation process, enhancing flexibility to meet organizational needs.

    Practical Benefits for ServiceNow Customers

    • Automates and accelerates the generation of controls and risks, reducing manual effort and errors.
    • Improves reliability through elimination of stalled actions and race conditions in processing queues.
    • Provides comprehensive logging and error details to streamline troubleshooting and maintenance.
    • Enables compliance and risk managers to operate controls and risk management processes efficiently with minimal manual intervention.
    • Supports seamless upgrades with minimal disruption, ensuring continued alignment with evolving compliance and risk frameworks.

    The ServiceNow® GRC suite of applications can automatically generate controls and risks for your organization with the enhanced item generation process. The enhanced item generation process (v2) in version 13.x.x fixes the stalling and performance issues from the item generation process (v1) in version 12.x.x and earlier releases.

    Overview of the item generation process

    By using the Governance, Risk, and Compliance application, you can use the item generation process to generate controls and risks for your organization.

    A control is the actual control activity that an organization performs. For example, a control can be related to authoritative source content (legal articles, regulations, or public records), policies, and risks. A control is automatically generated when you associate a policy with an entity type (grouping of the entities that match a set of filter conditions) or an entity type with a control objective. For more information on controls, see Manage controls.

    A risk is any threat or vulnerability that could adversely affect an organization’s business objectives. For example, a risk can be related to any item, policy, control, or remediation task. A risk is automatically generated when you make associations between risk frameworks or risk statements and entity types.
    Note:
    Risk statements are general statements about potential risks or threats that could occur in an organization. A risk framework consists of a risk assessment, response, and accountability for the risk and mitigation activities around it.
    For more information on risks, see Using Risk Management.

    The item generation process (v1) in version 12.x.x and earlier releases generated out-of-sync updates due to the stalled actions in the action queue. The enhanced item generation process (v2) eliminates the stalling issues and improves the processing time of the controls and risks significantly. For example, the legacy item generation process (v1) generated 10,000 risks in approximately 13.7 minutes where the new item generation process (v2) can generate 10,000 risks in approximately 5.27 minutes.

    Flow of the item generation process

    The item generation process inserts an action in the action queue and executes the actions one by one in a sequence. A scheduled job runs periodically to check the action queue. If an action is running in the queue, the scheduled job skips it. When the current running action is completed and no other action is in process, the scheduled job picks up the next action in the Ready state in the queue as shown in the following example.
    Figure 1. Item generation process flow
    Item generation process flow.

    Benefits of the item generation process

    The new item generation process provides the following key benefits:

    • Processes the controls and risks quickly by using the item generation action event queue.
    • Eliminates the stalled actions and race conditions​ in the queue that generated the non-consistent updates.
    • Logs the history and status of the item generation actions.
    • Provides more information about an error in the item generation action event queue. It helps you to track and troubleshoot the issues quickly and efficiently.
    • Helps the compliance and risk managers to manage the controls and risks in an auto-pilot mode without much maintenance.

    Applications that are used in the item generation process

    The following GRC applications are used in the item generation process:
    • GRC: Policy and Compliance Management
    • GRC: Risk Management
    • GRC: Profiles

    The GRC: Profiles application is automatically installed when either the GRC: Policy and Compliance Management or GRC: Risk Management application is activated.

    Upgrade scenarios and their impact on the existing implementations

    You must upgrade both Policy and Compliance Management and Risk Management applications to version 13.x.x. When you upgrade the Policy and Compliance Management and Risk Management applications to version 13.x.x, the new item generation process (v2) replaces the legacy item generation process (v1).

    Note:
    Upgrading the Policy and Compliance Management and Risk Management applications to version 13.x.x automatically upgrades the GRC: Profiles application to version 13.x.x​.
    Ensure that you have the required versions of the Policy and Compliance Management and Risk Management applications installed in your instance. If you have one of the following scenarios for the installed applications, you receive an error message on the screen:
    • You have both the Policy and Compliance Management and Risk Management applications previously installed in your instance and you upgrade only one of them to version 13.x.x.
    • You have only one of the Policy and Compliance Management or Risk Management applications installed in your instance and you upgrade the GRC: Profiles application to version 13.x.x.
    • You have both Policy and Compliance Management or Risk Management applications installed in your instance and you upgrade the GRC: Profiles application to version 13.x.x.
    The error message states that you must upgrade both Policy and Compliance Management and Risk Management applications to version 13.x.x as shown in the following example.
    Figure 2. Message for upgrading the applications
    Message for upgrading the applications.
    When you upgrade, you don't see any visible impact to your existing implementations of the item generation process.
    Note:
    If you haven’t upgraded to version 13.x.x, the legacy item generation process is still supported.

    Components that are used by the item generation process

    The item generation process uses several types of reference components such as tables, scheduled jobs, and action handlers. For more information on the components that are used with the item generation process, see Components installed with the item generation process.

    Using the scheduled job and action event queue

    The item generation process uses the Item generation action queue processor scheduled job and an action event queue in the background. As a user with the sn_grc.admin role, you can configure the frequency of the scheduled job as shown in the following example.
    Figure 3. Configure the frequency of the scheduled job
    Configure the frequency of the scheduled job.
    When you initiate an action that results in generating, updating, or deleting a control or risk, the scheduled job inserts a record for each action in the sn_grc_item_generation_action_event_queue.list table. The item generation action event queue is shown in the following example.
    Figure 4. Item generation action event queue
    Item generation action event queue.
    When an action is generated by using the item generation process, a message that the item generation process has been initiated is displayed. For example, when you add a risk statement to a control objective, you see the message that is shown in the following example.
    Figure 5. Initiation of the item generation process
    Initiation of the item generation process.
    If an error occurs while processing an action in the queue, the item generation process displays more information about the error. For example, you might see an error trace with the object ID as shown in the following example.
    Figure 6. Error trace
    Error trace.

    You can use the error trace and other details in the queue to track and troubleshoot the issue.

    Script includes action handlers

    The item generation process uses the script includes action handlers that process the actions for the Policy and Compliance Management and Risk Management applications.

    You can view the list of the supported action handlers by navigating to Script Includes in the application navigator as shown in the following example.

    Figure 7. Script includes action handlers
    Script includes action handlers.
    All script includes action handlers contain the base version and the extended version. The item generation process uses the base version for handling the actions. As a user with the sn_grc.manager role, you can review the base functions that are listed in the action handler as shown in the following example.
    Figure 8. Base functions
    Base functions.
    As a user with the script_include_admin role, you can revise the action strategy for a control or risk by overriding the base functions as shown in the following example.
    Figure 9. Override the base functions
    Override the base functions.