Key Control Indicators (KCIs) under GRC: Metrics in ServiceNow IRM application

Rohit Bhushan1
Tera Contributor

Hi All,

 

While building Key Control Indicators, do we really need the control to be in Monitor state?

What are the pros and cons if the control is in Draft state and we are building the Key Control Indicators in GRC: Metrics in the ServiceNow IRM application?

Kindly share the response with a practical example.


Regards,

Rohit Bhushan


Phil Swann
Tera Guru

No. But... Monitor says you have taken it through Review... which suggests it's been Attested and therefore there is an owner who has accepted accountability.

The pros of monitoring controls in Draft are that you get some early visibility.

Not sure if GRC: Metrics are equivalent to KCIs, really. Indicators for compliance work because they can fail and be responded to via Issue Management.

Metrics work for Risk, because they build a picture and report a non-binary position that informs the risk more appropriately.

waeltarhoun
Tera Contributor

Hi Rohit,

From a GRC / IRM perspective, it is generally expected that Key Control Indicators (KCIs) are triggered when a control is in the “Monitor” stage.

The purpose of the Monitor phase is to continuously assess whether the control is effectively implemented and operating as intended. If the control fails or is no longer performed, this can trigger:

  • An indicator breach
  • An issue
  • Potentially a risk event, forming a risk chain

If you are planning automation (manual, semi-automated, or fully automated indicators), transitioning the control to the Monitor state is critical. This is because indicators are typically designed to evaluate live, operational controls, not controls still under design.


Let’s take a simple example:

Control: “All privileged user access must be reviewed monthly”

KCI: “% of privileged accounts reviewed within the last 30 days”

  • If the control is in Draft:
    • The KCI may exist, but it won’t reflect real activity
    • No alerts if reviews are missed
    • Essentially just configuration without monitoring
  • If the control is in Monitor:
    • The system evaluates review data every month (for example)
    • If reviews are not completed, the KCI threshold is breached
    • This can automatically trigger:
      • An issue (missed control execution)
      • A risk event (e.g., unauthorized access risk)


Hope it helps!


Best regards,

Wael
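The Draft-versus-Monitor behaviour described in the answer above, written out as an added illustration (this is not ServiceNow code and uses no GlideRecord or IRM API; the account records, the `asOf` date, the 100% threshold and the `control.state` values are all constructed assumptions):

```javascript
// Added illustration (not ServiceNow code): compute the KCI from the answer,
// "% of privileged accounts reviewed within the last 30 days", compare it with a
// threshold, and only raise a breach when the control is in Monitor state.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed privileged-account review records: lastReviewed is an ISO date or null.
const SAMPLE_ACCOUNTS = [
  { id: "adm-alice",  lastReviewed: "2024-05-20" },
  { id: "adm-bob",    lastReviewed: "2024-03-02" }, // stale review (older than 30 days)
  { id: "svc-backup", lastReviewed: null },         // never reviewed
  { id: "adm-carol",  lastReviewed: "2024-06-01" },
];

// KCI value: percentage of accounts whose last review falls within `windowDays` of `asOf`.
// An empty population is treated as fully reviewed (100%) rather than dividing by zero.
function kciReviewedPercent(accounts, asOf, windowDays = 30) {
  if (accounts.length === 0) return 100;
  const cutoff = new Date(asOf).getTime() - windowDays * DAY_MS;
  const reviewed = accounts.filter(
    (a) => a.lastReviewed !== null && new Date(a.lastReviewed).getTime() >= cutoff
  ).length;
  return (100 * reviewed) / accounts.length;
}

// Indicator run. In Draft the value is still computed (early visibility) but no
// breach or issue is raised; in Monitor a value below the threshold raises an issue
// for missed control execution, as the answer describes.
function evaluateIndicator(control, accounts, asOf, threshold = 100) {
  const value = kciReviewedPercent(accounts, asOf);
  if (control.state !== "monitor") {
    return { value, breached: false, issue: null, note: "control not in Monitor; no breach raised" };
  }
  if (value >= threshold) {
    return { value, breached: false, issue: null, note: "within threshold" };
  }
  return {
    value,
    breached: true,
    issue: {
      control: control.name,
      description: `KCI ${value.toFixed(1)}% below threshold ${threshold}%: missed control execution`,
    },
    note: "breach: issue raised",
  };
}
```

With the constructed records as of 2024-06-10, two of the four accounts fall inside the 30-day window, so the KCI reads 50%; a Draft control records that value without raising anything, while a Monitor control raises an issue.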