Is it possible to connect citation to Controls & Business processes in Risk Workspace (IRM)

KshitijaS
Tera Contributor

Background -

In my company's ServiceNow instance, the Risk Workspace has been configured and the Policy and Compliance workspace is planned for a future phase, but currently we are focused on merging SOX-related controls, risks, business apps and business processes into the Risk Workspace.

Current Ask from Business:

The SOX team has requested the following capabilities:

1. Ability to connect Issues to Authority documents via related list

2. Ability to relate Policies, Controls and business processes to Citations/Authority documents via related lists

My observations:

* I see that at the Issue level, ServiceNow provides an Authority Document related list OOB

* However, there is no related list for Citation, Control Objective or Authority document on the Control level or under Business processes in the Risk workspace library.

* Similarly, in the Business process records, I don't see citation, authority document or control objective in the related list.

Since business does not want to wait for the Policy and Compliance workspace setup and needs this capability now for SOX, I'm wondering: is it recommended to build a direct relationship via related lists or M2M tables between controls and citation, and between business processes and citation?

Or would it be better to maintain this mapping through control objectives, or wait for the Policy and Compliance workspace?

Appreciate your guidance on the best approach.

 

Thanks


Connor Levien
ServiceNow Employee

@KshitijaS firstly, to check, have you created your Business Processes as entities in IRM? Ideally you create a business process in the CMDB (which the OOTB list shows) and then have IRM create a corresponding Entity for the process so that risks, controls, and other IRM objects can be linked to it.

For example, here is how a business process looks as an entity in IRM:

 

ConnorLevien_0-1753188042747.png

 

It will show the controls and risks linked to it directly, as well as the controls and risks linked to things downstream of it, such as other processes or systems it depends on.

As seen in the screenshot, I have also added citations here to show all the citations linked to the controls via the control objective.

OOTB, citations are not mapped to controls directly but via the control objective. This is also how the citation is mapped to a policy, as the control objective belongs to one or many policies. You can make an M2M relationship between them to link them directly, but I would warn against it as it does require you to maintain it.

 

Our roadmap currently has a planned feature to allow Citations to be linked directly to Entities (e.g. business processes) and Controls, which at this stage is targeted to be released early next year but could be subject to change. If you would like more details on the roadmap, it would be best to reach out to your account team and they can organise a session with you, and the product team are eager to gather requirements for this planned feature.

Hey @Connor Levien,

 

We also have a requirement to associate entities directly to citations. We're currently on Zurich and are yet to see this functionality released. Any ideas on which release this will be coming?

 

In the meantime, I noted that Citations are extended from "Content" and have the "Additional Entities" related list available. This is normally used on Control Objectives and Risk Statements but would provide the ability to associate Entities directly to Citations (while we are waiting for this to be supported officially).

 

BrentSutton_0-1776907486997.png

 

Are there any issues you can see with this approach? We would then have an m2m record which could be easily migrated when the time comes. Keen to get your thoughts on this.

 

Thanks in advance,

 

Brent

@Brent Sutton you need to activate the citation to control capability; it's not enabled by default. The docs page below shows you how to enable it for the Zurich release.

https://www.servicenow.com/docs/r/zurich/governance-risk-compliance/policy-and-compliance-management...

 

There are no specific issues I see with using the content to additional entities related list. If you want, you can also build your own m2m to capture the entity to citation mapping. I would lean more towards your own M2M, as you would also want some additional fields to capture whether there are downstream entities that address the citation. E.g. if this citation is mapped to the entity, are there any controls on the entity or downstream that also map to the citation?

Hey @Connor Levien, thanks for coming back to me. It is very much appreciated.

 

The citation to control capability was not the issue, but thanks for the link anyway as it will definitely be useful to others.

 

What I am really trying to understand is when citation to entity associations is likely to be officially supported. I am keen to avoid building a custom m2m table if this is something that will be provided out of the box in the near future. That is why I was looking at the “Additional entities” option as a possible stop gap.

 

If there is no clear view on when this might be supported, I would likely lean towards a custom m2m table so the logic can be cleanly isolated (as you suggested).