Is it possible to connect citation to Controls & Business processes in Risk Workspace (IRM)
07-21-2025 07:39 PM
Background -
In my company's ServiceNow instance, the Risk Workspace has been configured and the Policy and Compliance workspace is planned for a future phase, but currently we are focused on merging SOX-related controls, risks, business apps, and business processes into Risk Workspace.
Current Ask from Business:
The SOX team has requested the following capabilities:
1. Ability to connect Issues to Authority documents via related list
2. Ability to relate Policies, Controls and business processes to Citations/Authority documents via related lists
My observations:
* I see that at the Issue level, ServiceNow provides an Authority Document related list OOB.
* However, there is no related list for Citation, Control Objective or Authority Document on the Control level or under Business processes in the Risk workspace library.
* Similarly, in the Business process records, I don't see citation, authority document or control objective in the related list.
Since the business does not want to wait for the Policy and Compliance workspace setup and needs this capability now for SOX, I'm wondering: is it recommended to build direct relationships via related lists or M2M tables between controls and citations, and between business processes and citations? Or would it be better to maintain this mapping through control objectives, or wait for the Policy and Compliance workspace?
Appreciate your guidance on the best approach.
Thanks
07-22-2025 06:05 AM
@KshitijaS firstly, to check: have you created your Business Processes as entities in IRM? Ideally you create a business process in the CMDB (which the OOTB list shows) and then have IRM create a corresponding Entity for the process so that risks, controls, and other IRM objects can be linked to them.
For example, here is how a business process looks as an entity in IRM.
It will show the controls and risks linked to it directly as well as the controls and risks linked to things downstream of it, such as other processes or systems it depends on.
As seen in the screenshot I have also added citations here to show all the citations linked to the controls via the control objective.
OOTB, citations are not mapped to controls directly but via the control objective. This is also how the citation is mapped to a policy, as the control objective belongs to one or many policies. You can make an M2M relationship between them to link them directly, but I would warn against it as it does require you to maintain it.
Our roadmap currently has a planned feature to allow Citations to be linked directly to Entities (e.g. business processes) and Controls, which at this stage is targeted to be released early next year but could be subject to change. If you would like more details on the roadmap, it would be best to reach out to your account team, and they can organise a session with you and the product team, who are eager to gather requirements for this planned feature.