Using the item generation process to generate controls and risks
Summary of Using the item generation process to generate controls and risks
The ServiceNow Governance, Risk, and Compliance (GRC) suite offers an enhanced item generation process (version 2) that automatically generates controls and risks for your organization. Controls are activities linked to policies, legal content, or risks, while risks represent potential threats affecting business objectives. The item generation process automates the creation of these items by associating policies, entity types, risk frameworks, and risk statements.
This updated process in version 13.x.x resolves performance bottlenecks and stalling issues present in version 12.x.x and earlier, resulting in significantly faster generation of controls and risks. For example, generating 10,000 risks is reduced from approximately 13.7 minutes to 5.27 minutes.
How the item generation process works
The process works by inserting actions into an action queue, which a scheduled job periodically processes in sequence. If an action is running, the job waits until completion before proceeding. This queue-based approach eliminates stalled actions and race conditions, ensuring consistent and reliable updates.
Key benefits
- Accelerated processing of controls and risks using an efficient action queue mechanism.
- Elimination of stalled actions and race conditions for consistent data updates.
- Detailed logging of action history and statuses to aid in monitoring and troubleshooting.
- Enhanced error reporting that facilitates swift issue resolution.
- Enables compliance and risk managers to maintain controls and risks with minimal manual intervention.
Applications involved
The item generation process integrates across these GRC applications:
- Policy and Compliance Management
- Risk Management
- Profiles (installed automatically with either of the above)
Upgrade considerations
To benefit from the enhanced item generation process, both the Policy and Compliance Management and Risk Management applications must be upgraded to version 13.x.x. Upgrading these automatically updates the Profiles application as well. Partial upgrades or mismatched versions trigger error messages requiring a full upgrade of both core applications to maintain compatibility.
Upgrading has no visible impact on existing item generation implementations, and legacy processes remain supported if upgrades are not applied.
Technical components and configuration
The process relies on several components, including reference tables, scheduled jobs, and script include action handlers. The scheduled job named "Item generation action queue processor" manages the execution frequency and processes queued actions. Administrators with the sn_grc.admin role can configure this frequency to optimize processing.
When an item generation action is triggered (e.g., associating a risk statement with a control objective), a record is created in the action event queue, and users receive a notification confirming initiation. Errors during processing are logged with detailed traces, enabling administrators to track and resolve issues efficiently.
Customizing action handling
Script include action handlers define how controls and risks are generated and updated. Each handler contains base and extended versions. Users with the sn_grc.manager role can review base functions, while those with the script_include_admin role can override these functions to customize action strategies suited to their organizational needs.
Operational changes for common controls
The item generation process prioritizes associating reliant entities to existing common controls over creating new controls when generating items. This operational change ensures that standard controls are reused efficiently and consistency is maintained across entities.
The ServiceNow® GRC suite of applications can automatically generate controls and risks for your organization with the enhanced item generation process. The enhanced item generation process (v2) in version 13.x.x fixes the stalling and performance issues from the item generation process (v1) in version 12.x.x and earlier releases.
Overview of the item generation process
By using the Governance, Risk, and Compliance application, you can use the item generation process to generate controls and risks for your organization.
A control is the actual control activity that an organization performs. For example, a control can be related to authoritative source content (legal articles, regulations, or public records), policies, and risks. A control is automatically generated when you associate a policy with an entity type (grouping of the entities that match a set of filter conditions) or an entity type with a control objective. For more information on controls, see Manage controls.
The item generation process (v1) in version 12.x.x and earlier releases generated out-of-sync updates due to stalled actions in the action queue. The enhanced item generation process (v2) eliminates the stalling issues and significantly improves the processing time of the controls and risks. For example, the legacy item generation process (v1) generated 10,000 risks in approximately 13.7 minutes, whereas the new item generation process (v2) can generate 10,000 risks in approximately 5.27 minutes.
Flow of the item generation process
Benefits of the item generation process
The new item generation process provides the following key benefits:
- Processes the controls and risks quickly by using the item generation action event queue.
- Eliminates the stalled actions and race conditions in the queue that caused inconsistent updates.
- Logs the history and status of the item generation actions.
- Provides more information about an error in the item generation action event queue. It helps you to track and troubleshoot the issues quickly and efficiently.
- Helps the compliance and risk managers to manage the controls and risks in an auto-pilot mode without much maintenance.
Applications that are used in the item generation process
- GRC: Policy and Compliance Management
- GRC: Risk Management
- GRC: Profiles
The GRC: Profiles application is automatically installed when either the GRC: Policy and Compliance Management or GRC: Risk Management application is activated.
Upgrade scenarios and their impact on the existing implementations
You must upgrade both Policy and Compliance Management and Risk Management applications to version 13.x.x. When you upgrade the Policy and Compliance Management and Risk Management applications to version 13.x.x, the new item generation process (v2) replaces the legacy item generation process (v1).
- You have both the Policy and Compliance Management and Risk Management applications previously installed in your instance and you upgrade only one of them to version 13.x.x.
- You have only one of the Policy and Compliance Management or Risk Management applications installed in your instance and you upgrade the GRC: Profiles application to version 13.x.x.
- You have both the Policy and Compliance Management and Risk Management applications installed in your instance and you upgrade the GRC: Profiles application to version 13.x.x.
Components that are used by the item generation process
The item generation process uses several types of reference components such as tables, scheduled jobs, and action handlers. For more information on the components that are used with the item generation process, see Components installed with the item generation process.
Using the scheduled job and action event queue
You can use the error trace and other details in the queue to track and troubleshoot the issue.
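The queue behaviour described above (actions inserted as records, a scheduled job processing them one at a time, errors kept with a trace) can be modelled in a few lines. This is an added illustration, not ServiceNow code: the class, field, state and action-type names are assumptions chosen for the sketch.

```javascript
// Illustrative model only: class, field, state and action-type names are
// assumptions, not ServiceNow tables or APIs.
class ActionQueue {
  constructor(handlers) {
    this.handlers = handlers; // action type -> handler function
    this.records = [];        // stands in for the action event queue
  }

  // Triggering an action only inserts a record; no generation happens here.
  enqueue(type, payload) {
    const rec = { id: this.records.length + 1, type, payload,
                  state: 'queued', result: null, errorTrace: null };
    this.records.push(rec);
    return rec;
  }

  // One run of the scheduled job: a no-op while an action is running,
  // otherwise the oldest queued action is processed to completion.
  tick() {
    if (this.records.some(r => r.state === 'running')) return null;
    const rec = this.records.find(r => r.state === 'queued');
    if (!rec) return null;
    rec.state = 'running';
    try {
      const handler = this.handlers[rec.type];
      if (!handler) throw new Error(`no handler for action type "${rec.type}"`);
      rec.result = handler(rec.payload, this);
      rec.state = 'complete';
    } catch (err) {
      rec.state = 'error';        // failure is recorded, queue keeps moving
      rec.errorTrace = err.stack;
    }
    return rec;
  }
}

// Constructed sample run: one good action, one unknown type, and one handler
// that simulates an overlapping job run while it is still in progress.
function runDemo() {
  const queue = new ActionQueue({
    generate_risks: p => p.entities.map(e => `${p.statement}:${e}`),
    overlap_probe: (p, q) => q.tick(), // second run arrives mid-action
  });
  queue.enqueue('generate_risks', { statement: 'RS-1', entities: ['E1', 'E2'] });
  queue.enqueue('unknown_action', {});
  queue.enqueue('overlap_probe', {});
  while (queue.tick() !== null) { /* each iteration is one job run */ }
  return queue.records;
}
```

In the sample run the failed action ends in an error state with its trace attached, the following action still completes, and the overlapping run does nothing because an action was already running.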
Script include action handlers
The item generation process uses script include action handlers that process the actions for the Policy and Compliance Management and Risk Management applications.
You can view the list of the supported action handlers by navigating to Script Includes in the application navigator as shown in the following example.