Compliance case workflow
The Compliance Case Management workflow in ServiceNow's GRC application enables organizations to systematically report, manage, investigate, and resolve compliance cases requiring attention from the compliance team. This process ensures thorough handling from initial reporting through closure, supporting regulatory adherence and risk mitigation.
Key Features
- Reporting Compliance Cases: Business users or compliance team members can report compliance violations via the Employee Center or Compliance Workspace applications.
- Triage: The compliance team validates reported cases and assigns a case analyst for detailed management.
- Investigation and Evaluation: The assigned case analyst collaborates with multiple teams to gather evidence, create case tasks, and assess the compliance issue. They document impacted areas (entities, controls, locations, users), related areas (policies, citations, control objectives, risk events), applicable compliance regulations, and causes and consequences (root cause and organizational impact).
- Resolution: The case analyst initiates remediation actions and preventive measures, tracking regulatory violations to ensure timely reporting to relevant authorities.
- Post Case Review and Closure: The analyst conducts root cause analysis, manages related issues, collaborates with teams for review, and formally closes the case.
Key Outcomes
- Structured and transparent process for managing compliance cases from reporting to closure.
- Improved collaboration across teams for comprehensive investigation and assessment.
- Clear identification and documentation of impacted areas, related policies, and regulations to support compliance and risk management.
- Effective remediation and preventive actions to resolve compliance issues and prevent recurrence.
- Ensured regulatory reporting and formal closure of compliance cases to maintain audit readiness and organizational accountability.
The workflow in the Compliance Case Management application is a process that enables you to report and manage cases that need the compliance team's attention.
- Report a compliance case
- Triage the compliance case
- Investigate and evaluate the compliance case
- Resolve the compliance case
- Post case review and closure
Report a compliance case
A business user or a member of the compliance team can report a compliance violation in the Employee Center application. The compliance case team can also report cases directly in the Compliance Workspace application. For more information, see Reporting a compliance case in GRC: Compliance Case Management.
Triage the compliance case
After a compliance case is reported, the compliance team triages the case to confirm that it is valid and warrants investigation. The team then assigns a case analyst to work on the case.
Investigate and evaluate the compliance case
The compliance case analyst collaborates with multiple teams to investigate the case, gather evidence, and capture the details of the case and the responses to it. The case analyst then creates case tasks to initiate the investigation and assessment of the reported case and assigns each task to a case task owner. During the investigation, the case analyst records the following information on the case:
- Add the areas that are impacted by the compliance case. Impacted areas are records such as the entities, controls, locations, or users that are affected by the case. For more information, see Add an impacted area to a compliance case.
- Add the areas that are related to the compliance case. Related areas include policies, citations, control objectives, or risk events. For more information, see Add a related area to a compliance case.
- Add the compliance regulations that might be impacted by the compliance case. For more information, see Add compliance regulations to a compliance case.
- Add the causes and consequences of the compliance case, such as the root cause of the reported case or event and its consequences for the organization. For more information, see Add a cause and consequence to a compliance case.
Resolve the compliance case
After the analysis of the reported case is complete, the case analyst initiates the remediation actions and preventive measures needed to resolve the case. The case analyst also tracks any reportable regulatory violations to ensure that they are lodged with the relevant regulators within the required time frame.
Post case review and closure
The case analyst reviews the recorded causes and consequences of the case and conducts a root-cause analysis to identify and remove the underlying cause. As part of this review, the case analyst can identify and manage the issues that are related to the impacted areas. For more information, see Add or create an issue for a compliance case. Finally, the case analyst works closely with the various teams to review and formally close the compliance case.