
Verity
ServiceNow Employee
  1. Compile all known external regulations, internal policies, control objectives, and risk statements. Review them to understand the scope of your risk and compliance activities and how to group entities (people, places, objects, or things that need to be monitored) to support those activities. For example:
    • If you are subject to SOX regulations, you will likely need a list of SOX Business Applications
    • To assess process risk in the organization, you will likely need lists of processes, business units, departments, etc.
    • To complete an IT security audit, you will likely need a list of IT assets

  2. Upload quality, ‘single source of the truth’ foundational data into the ServiceNow tables, such as departments and business applications. These tables serve as the data source for creating entities, risks, and controls in the GRC/IRM application. Avoid creating standalone data; this saves time later when reconciling it with other areas. Key tables include:

(Check out part 1 of this article: What is the GRC Entity Framework and how does it work?)


| Table Name | Table Label | Table Description |
|---|---|---|
| core_company | Company | Company details |
| sys_user | Users | List of users in the organization |
| business_unit | Business Unit | Business units within the organization |
| cmn_department | Department | All departments |
| cmn_location | Location | Includes location data such as Region, Country, State, City, Site, Building/Structure, Floor, Room |
| cmdb_ci_business_app | Business Application | A purchased or internally developed application |
| cmdb_ci_business_process | Business Process | A process that is owned and carried out by the business and contributes to the delivery of a product or business service |
| cmdb_ci_service | Business Service | IT Service that directly supports a Business Process (ITIL) |
| cmdb_ci_datacenter | Data Center | Facility used to house computer systems and associated components, such as telecommunications and storage systems |

  3. Upload risk and control data, including policies, authority documents, citations, control objectives, risk framework, and risk statements.
Once these steps are complete, the entity framework should be created. Please see definitions of core components below:

| Component | Definition |
|---|---|
| Entity | Entities are people, places, objects, or things that are tracked for GRC activities such as managing risks and tracking control compliance. |
| Entity Type | Entity types are dynamic categories containing one or more entities of a similar type that match conditions against tables in ServiceNow. |
| Entity Class | An entity class is a tag for entities and allows GRC managers to organize entities for aggregation and reporting. |
| Entity Class Rule | A rule that maps which class should be assigned to an entity when it is created from a specific table. |
| Entity Tier | An entity tier assigns a level to the entity class hierarchy. |
  4. Create Entity Tiers to build the levels within the Entity Class hierarchy (optional), e.g., Tier 1: Business, Tier 2: Application, Tier 3: IT Asset. Tiers can also be used to logically group Entity Classes, e.g., the ‘database’ and ‘server’ Entity Classes can be grouped together under an ‘IT asset’ Entity Tier.

     Tip: Use the GRC Workbench drag-and-drop interface to build and manage the Entity Class hierarchy.
  5. Create Entity Classes to distinguish entities and organize them for reporting, e.g., Department, Business Application, Business Service. If available, Entity Classes can be associated with Entity Tiers in the Entity Class form. Entity Classes are mandatory as of the San Diego release because they are critical for tagging Entities and are used in Advanced Risk Assessments to send assessments out in bulk to similar Entities, e.g., for an IT Risk Assessment RAM, the applicable Entity Classes may include IT assets, business applications, and servers.
  6. Create Entity Class Rules to map tables to Entity Classes so that entities are assigned to entity classes automatically. If Entities are created before this step, the Entity Class will have to be added to them manually.
  7. Create Entity Types with Entity Filters to create Entities and to automatically create risk and control instances in bulk for similar entities, e.g., critical IT assets.
  8. Create any additional Entities that do not require an entity type.
  9. Create the Entity Hierarchy, which is essential for risk score roll-up in advanced risk assessments. This can be added via the ‘Hierarchy’ tab on each Entity record, or managed in the GRC Workbench via the ‘Dependency Map’ tab.
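Steps 6 and 7 above, modelled as an added illustrative script that is not ServiceNow code and not part of the article: it takes constructed sample records from foundational tables named earlier, applies Entity Class Rules and Entity Type filters to produce entities, and lists any entity left without a class, which is the manual-tagging situation the rule step warns about. Only the table names come from the article; the `business_criticality` field and every record, rule and type value are constructed assumptions.

```javascript
// Added illustrative model of Entity Class Rules and Entity Types with filters.
// Not ServiceNow code: table names come from the article, all records, fields,
// rules and types below are constructed sample data.
const FOUNDATION = {
  cmn_department: [{ name: "Finance" }, { name: "Claims" }],
  cmdb_ci_business_app: [
    { name: "Claims Processing System", business_criticality: "1 - most critical" },
    { name: "Intranet", business_criticality: "4 - not critical" },
  ],
  cmdb_ci_service: [{ name: "Claims Intake", business_criticality: "1 - most critical" }],
};

// Entity Class Rules: source table -> Entity Class, with its (optional) tier.
// No rule for cmdb_ci_service on purpose, to show the manual-tagging gap.
const CLASS_RULES = {
  cmn_department: { entityClass: "Department", tier: "Business" },
  cmdb_ci_business_app: { entityClass: "Business Application", tier: "Application" },
};

// Entity Types: a source table plus a filter selecting similar records in bulk.
const isCritical = (r) => r.business_criticality.startsWith("1");
const ENTITY_TYPES = [
  { name: "All Departments", table: "cmn_department", filter: () => true },
  { name: "Critical Applications", table: "cmdb_ci_business_app", filter: isCritical },
  { name: "Critical Services", table: "cmdb_ci_service", filter: isCritical },
];

// One Entity per record that matches an Entity Type filter; the Entity Class
// comes from the rule for that table, or stays null when no rule exists.
function createEntities(foundation, rules, types) {
  const entities = [];
  for (const t of types) {
    for (const rec of foundation[t.table] || []) {
      if (!t.filter(rec)) continue;
      const rule = rules[t.table];
      entities.push({
        name: rec.name, sourceTable: t.table, entityType: t.name,
        entityClass: rule ? rule.entityClass : null,
        tier: rule ? rule.tier : null,
      });
    }
  }
  return entities;
}

// Entities with no class must be tagged by hand; list them after each load.
function unclassedEntities(entities) {
  return entities.filter((e) => e.entityClass === null).map((e) => e.name);
}
```

Running `unclassedEntities(createEntities(FOUNDATION, CLASS_RULES, ENTITY_TYPES))` reports the service entity that no rule covers, so the check can be repeated after each foundational data load.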
Comments
DouglasD
Tera Explorer

What would you recommend as a hierarchy for a financial institution?

mfriedman
Mega Explorer

I'm curious about the implementation across an assessment framework. For example, if I wanted to set up entities for a disability insurance program and a home insurance program, would I have the following setup:

I assume I would set up the disability insurance program as a process entity called Disability Program (which would be a parent Process). Then I would set up the subprocesses of: Intake, evidence collection, analysis, decision, notification.

I would then need to add Application Entities of: Intake Self Service Portal, Claims Processing System, outbound communications and notification system.

Question 1: Since the entire program as well as the end-to-end process isn't cleanly aligned to one organization and department, I'm assuming that I set the top entity as the parent process and link everything to that?

Question 2: If I later wanted to be able to assess and report on the whole program's risks, would I create an Entity Class "Disability Program" and tag the process, subprocess, and systems so that it will aggregate all the entities into the risk assessment and then also enable a dashboard summary?

I'm trying to extend this in my mind as there may also be a health insurance program as well as a home insurance program. The overall organization is a matrix so the departments and programs don't map cleanly.

Thanks
