Entities in GRC

Release version: Yokohama

Updated July 31, 2025

3 minutes to read

Summarize

Summarized using AI

Summary of Entities in GRC

In Governance, Risk, and Compliance (GRC), entities represent individuals, processes, departments, applications, or objects that require management of exposure. Each entity has defined controls for status visibility. For instance, critical financial systems can be categorized as individual entities under the entity class "Financial." This structure enhances accountability, allowing for targeted compliance audits and ownership identification.

Show full answer Show less

Key Features

Entity Definition: Establishes accountability by defining each entity with an owner, ensuring that only non-compliant entities are flagged during audits.
Entity Classes: Groups entities for conceptual clarity, allowing for tags such as "Location" for office spaces across various branches.
Entity Class Rules: Automatically assigns classes to new entities based on the table they are created in, streamlining the organization of entities.
Entity Types: Facilitates the grouping of similar entities, such as departments, under common classifications, aiding in risk and control management.
Entity Tiers: Establishes a hierarchy for entity classes, providing a method to prioritize and monitor critical business items.

Key Outcomes

By implementing entities in GRC, customers can expect improved accountability, streamlined compliance processes, and better tracking of non-compliant items. This structured approach enables effective risk management and enhances the overall governance framework within the organization.

In Governance, Risk, and Compliance, an entity can be a person, process, department, application, or object, whose exposure must be managed. These entities have controls that are defined to view the status.

To understand entities, consider the following example. Assume that you’re a new GRC user and you want to implement a change management process to all your critical financial systems. All the systems can be considered as individual entities. Map all the systems to an entity class called Financial. Have an entity type filter for critical financial systems to determine the systems that are identified as critical.

The primary benefit of creating entities is that you can maintain accountability because each entity has an owner. To understand this benefit, assume that you want to configure all the servers in a new way. After you finish the configuration, you perform an audit and then discover that only one server failed to comply with the new configuration. If you had not defined all the entities, then the entire audit result would have been deemed as failed. But because you have the entities defined, then only the non-compliant server entity and its identified owner are held accountable instead of all the servers.

Having defined entities ensures that the entity owners can be identified and that appropriate controls can be applied to those entities. It also helps in tracking the entities that are non-compliant. Any entity that has child entities can be said to have downstream entities. Any entity that has parent entities can be said to have upstream entities.

When a source record linked to an entity filter is created, an entity is automatically generated in GRC. If the source record name changes after the entity is created, the entity name updates to match the source record name. This behavior is controlled by the Sync Entity name with source record check box. When selected, the Name field becomes read only and stays in synchronization with the source record. Clearing the check box enables you to manually override the entity name.

After creating entities, you can tag the similar entities by defining the entity class for them individually or you can link them to an existing entity class.

Entity classes

Entity classes are used to add a conceptual information about the entity or tag the entity. To understand the concept of entity class, consider the following example. A company has office branches in three cities. The office space is considered as an entity and the entity class for these entities would be the location. You can create an entity class by associating it with an entity tier as shown in the following example.

Sample configuration for an entity class. — Figure 1. Sample configuration for an entity class

Entity class rules

Entity class rules help to assign classes to the entities at the table level. Any new entity created on the table gets that entity class automatically. Entity classes are used to tag your entities.

When you create an entity over a specific table, the class associated with that table automatically gets assigned to the entity. You can set a new entity class rule for a table.

Entity types

An entity type is a grouping of entities that is based on filtering. Entity types enable you to find and create entities that match a set of filter conditions. Hierarchy can be created within the entity classes.

Entity types also enable you to create risks and controls for each entity without spending much time. For example, an organization can have multiple departments, such as finance, HR, or IT. All these departments can be considered as entities and can be grouped under the entity type called Departments.

You can create an entity type by associating it with the core business pillar such as Technologies or Facilities as shown in the following example.

Sample configuration for an entity type. — Figure 2. Sample configuration for an entity type

Entity tiers

When you create entity tiers, you apply a level or hierarchy to the entity classes. This level applies to all the entities in those entity classes. Entity tiers enable you to select and view the status of the most critical items in the business as shown in the following example.

List view for an entity tier. — Figure 3. List view for an entity tier