Role and Group naming conventions

Kim Machado
Tera Contributor

We are setting up groups and roles for Policy, risk management and vendor risk management. What is the best prefix to use on the role and group names, GRC or IRM? What do other clients use?

6 REPLIES

Inactive_Use855
Giga Contributor

Might caution against using "GRC" as a prefix; it has historically been used as a role with universal rights over all GRC applications (when "GRC" had fewer modules). ServiceNow has moved away from it also (still has older roles, but has moved to sn_compliance, sn_risk, sn_vdr_risk) for more specificity. See the ServiceNow booklet attached: Role Descriptions by Scope - Risk and Compliance Implementation - Student Resource.

As more applications are added within "GRC", e.g., Vendor Risk, Advanced Risk, and now Business Continuity Management, you may want to ensure you have separate (unique) role prefixes for each application.

Specifically for more elevated roles such as Admin or Manager, persons with these roles may be in different departments or areas; e.g., someone in Enterprise Risk Management may not take kindly to someone in Policy Management having elevated access in Risk.

Sebastien Fix
Giga Guru

SN GRC was renamed to IRM mainly to comply with the Gartner quadrant that looks at IRM. SN docs themselves are to this day inconsistent with using GRC and IRM. GRC also sounds less Risk-centric, so I would use GRC when creating a group that includes roles from risk and p&c and audit etc.

If a group is only for the risk team, obviously name it specifically for Risk and not GRC.