Compliance score rollup from downstream entities to parent entities
07-18-2020 07:56 AM
Hello everyone,
I have a use case where downstream entity compliance scores must roll up to the parent entity. Has anyone looked at this? In detail: let's say I have entity classes defined as follows:
- Company (Root Class)
- Org Level 1 (Rolls up to Company)
- Org Level 2 (Rolls up to Org Level 1)
- Business Application (Rolls up to Org Level 2)
Controls will apply at Org Level 2 and/or Application level. It is possible that some Org Level 2 entities will have downstream Apps. Org Level 2 entities will have their own set of controls as well. So, let's say at Org Level 2 I have entity = ABC, and this ABC entity has application entities App1, App2 and App3. There are controls which apply at ABC level, and there are also controls which apply to App1, App2 and App3. Now the final compliance score at ABC level should cover the ABC controls as well as the App1, App2 and App3 controls' compliance, rolled up to Org Level 2.
Can anyone guide?
08-24-2020 11:08 AM
Hi Sameer - you should be able to look at compliance at various levels e.g., by Authority, Policy, Control Objectives, Entity Types, and Entities.
Just to cover the salient fundamental concepts: the compliance score is driven by the weights of the compliant controls. The weight of Controls in the following states is NOT included:
- Retired
- Not applicable
- Draft
This is the calculation for the Control Objective.
Then for Control Objectives with child Control Objectives it takes into account the scores of the child Control Objectives as follows:
- Average the scores of all downstream Controls
- Calculate the compliance percentage of the parent Control Objective as a stand-alone entity (Compliant/Total)
- Add the downstream Control average to the parent compliance percentage and divide by two
Since Controls are a specific instance of a CO, the data is there to support the roll-up from the Entity POV. It will be affected by how your Control Objectives are set up. Think of Entities as the other side of the same coin. So you would need to set up the Entity Relationships you want. You can set the relationships in the GRC Workbench. Each of the 4 levels you have can be an Entity Class; the workbench will then allow you to graphically set the actual entities that make up the class so that the compliance score rolls up appropriately.
08-27-2020 01:22 AM
Thanks AnneMarie Fernandez for your revert. Unfortunately the OOTB setup doesn't address my requirement.
However, I was able to design and set up something through a new attribute (Combined compliance status) which rolls up compliance on parent entities from downstream entities. Two sample use cases are listed below. Individual entities' OOTB scores help us know if the entity has non-compliant controls or has no control. But let's say the Parent Entity's score is > 0; then Combined Compliance Status lets us know if the Child Entities are in compliance or not. This helps Entity Owners know the overall impact to their entities because of downstream entities.
This should help you understand better what I needed. Anyway, this is resolved for now. Thanks again for responding to my question.
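To make the two posts above concrete, here is an added example (not ServiceNow code, and not the solution sameerpandey built) that models the thread's hierarchy (Company > Org Level 1 > Org Level 2 "ABC" > App1..App3) in plain JavaScript. It applies the weight-based score with Retired, Not applicable and Draft controls excluded as AnneMarie Fernandez describes, applies her parent/child averaging rule (stated for Control Objectives) to the entity tree, and adds a "combined compliance status" along the lines sameerpandey outlines. The entity names, control weights, states and the exact rule for the combined status are constructed assumptions for illustration.

```javascript
// Added example, not ServiceNow code. Entities, controls, weights and states
// below are constructed; the combined-status rule is an assumption.

const EXCLUDED_STATES = new Set(["Retired", "Not applicable", "Draft"]);

// Constructed hierarchy: Company > Org L1 > ABC (Org Level 2) > App1, App2, App3
const entities = {
  Company: { parent: null, controls: [] },
  "Org L1": { parent: "Company", controls: [] },
  ABC: {
    parent: "Org L1",
    controls: [
      { name: "ABC-1", weight: 1, state: "Active", compliant: true },
      { name: "ABC-2", weight: 1, state: "Active", compliant: true },
      { name: "ABC-3", weight: 2, state: "Retired", compliant: false }, // excluded
    ],
  },
  App1: {
    parent: "ABC",
    controls: [
      { name: "A1-1", weight: 1, state: "Active", compliant: true },
      { name: "A1-2", weight: 1, state: "Active", compliant: false },
    ],
  },
  App2: {
    parent: "ABC",
    controls: [
      { name: "A2-1", weight: 3, state: "Active", compliant: true },
      { name: "A2-2", weight: 1, state: "Draft", compliant: false }, // excluded
    ],
  },
  App3: { parent: "ABC", controls: [] }, // entity with no controls at all
};

function children(name) {
  return Object.keys(entities).filter((n) => entities[n].parent === name);
}

// Stand-alone score: weight of compliant controls / weight of counted controls,
// as a percentage. Returns null when the entity has no counted controls, so a
// missing-controls case stays distinguishable from a 0% score.
function ownScore(name) {
  const counted = entities[name].controls.filter((c) => !EXCLUDED_STATES.has(c.state));
  const total = counted.reduce((sum, c) => sum + c.weight, 0);
  if (total === 0) return null;
  const compliantWeight = counted
    .filter((c) => c.compliant)
    .reduce((sum, c) => sum + c.weight, 0);
  return (compliantWeight / total) * 100;
}

// Rolled-up score: average the children's rolled-up scores, then average that
// with the entity's own stand-alone score (the CO rule applied to entities).
// Children with no counted controls are left out of the average.
function rollupScore(name) {
  const own = ownScore(name);
  const childScores = children(name).map(rollupScore).filter((s) => s !== null);
  if (childScores.length === 0) return own;
  const childAvg = childScores.reduce((sum, v) => sum + v, 0) / childScores.length;
  if (own === null) return childAvg;
  return (own + childAvg) / 2;
}

// Combined compliance status (assumed rule): "Compliant" only when all of the
// entity's own counted controls are compliant AND every child is "Compliant".
// A parent can therefore show 100% on its own score yet be "Non-compliant"
// because of a downstream entity, which is the signal the thread asks for.
function combinedStatus(name) {
  const own = ownScore(name);
  const ownOk = own === null || own === 100;
  const childrenOk = children(name).every((c) => combinedStatus(c) === "Compliant");
  return ownOk && childrenOk ? "Compliant" : "Non-compliant";
}

for (const name of Object.keys(entities)) {
  console.log(name, "own:", ownScore(name), "rollup:", rollupScore(name), combinedStatus(name));
}
```

Note the asymmetry this exposes: ABC scores 100% on its own controls but rolls up to 87.5% and reports "Non-compliant" because App1 has a failing control, which is exactly the downstream impact an entity owner would otherwise not see from the stand-alone score.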

10-01-2021 08:49 AM
Very helpful! Could you please share some more details as to how you made it work? How did you roll up to "combined compliance status" from downstream to upstream entities? Custom code?
04-17-2023 07:10 PM
Hi sameerpandey, this looks like exactly what I am looking for!
Are you able to share how you achieved this? If it's custom code, is there any chance you could share the code to see if I can use it for my engagement?
Or if anyone else has done this (without using the Advanced licensing), if you have a custom solution that would be awesome.
Thanks!