Compliance score rollup from downstream entities to parent entities

sameerpandey · ‎07-18-2020

Hello everyone,

I have a use case where downstream entity compliance scores must roll up at parent entity. Has anyone looked at this? So in detail: let's say I have entity class defined such as

Company (Root Class)
- Org Level 1 (Rolls up to Company)
- - Org Level 2 (Rolls up to Org Level 1)
  - - Business Application (Rolls up to Org Level 2)

Controls will apply at Org Level 2 and/or Application level. It is possible that some Org Level 2 will have downstream Apps. Org level 2 will have their own set of controls as well. So: Let's say at Org Level 2 - I have entity = ABC and this ABC entity has application entities App1, App2 and App3. There are controls which apply at ABC level and also there are controls which apply to App 1, App2 and App3. Now final compliance score at ABC level should cover ABC control and App1, App2 and App3 controls compliance to be rolled up to Org Level 2.

Can anyone guide?

AnneMarie Ferna · ‎08-24-2020

Hi Sameer - you should be able to look at compliance at various levels e.g., by Authority, Policy, Control Objectives, Entity Types, and Entities.

Just to cover the salient fundamental concepts, Compliance score is driven by the weights of the compliant controls. The weight of the Controls in the following states are NOT included:
-Retired
-Not applicable
- Draft

This is the calculation for the Control Objective.

Then for Control Objectives with Children control objectives it takes into account the scores of the children Control Objectives as follows:
- Average score for all downstream Controls
- Calculate Compliance percentage of the parent Control Objective as a stand alone entity (Compliant/Total) * Add the downstream Control average to the Parent Compliance percentage and divide by two.

Since Controls are the a specific instance of a CO, the data is there to support the roll up from the Entity POV. It will be affected by how your Control Objectives are set up. Think of Entities as the other side of the same coin. So you would need to set up the Entity Relationships you want. You can set the relationships in the GRC Workbench. Each of the 4 level's you have can be a Entity Class, then workbench will allow you to graphically set the actually entities that make up the class so the the compliance score rolls up appropriately.

sameerpandey · ‎08-27-2020

Thanks AnneMarie Fernandez for your revert. Unfortunately the OOTB setup doesn't address my requirement.

However I was able to design and setup something through new attribute (Combined compliance status) which rolls up compliance on Parent entities from downstream entities. A two sample use cases are listed below. Individual entities OOTB scores helps us know if the entity has non-compliant controls or has no control. But Let's say if Parent Entity's score is > 0, then Combined Compliance Status let's us know if Child Entities are in compliance or not. This helps Entity Owners know overall impact to their entities because of downstream entities.

This should help you understand better, of what I needed. Anyways this is resolved for now. Thanks again for responding to my question.

Tasis · ‎10-01-2021

Very helpful! Could you please share some more details as to how you made it work? How did you roll-up to "combined compliance status" from downstream to upstream entities? Custom code?

SnowedIn · ‎04-17-2023

Hi sameerpandey, this looks like exactly what I am looking for!

Are you able to share how you achieved this? If it's custom code, is there any chance you could share the code to see if I can use it for my engagement?

Or if anyone else has done this (without using the Advanced licensing), if you have a custom solution that would be awesome.

Thanks!