Using the item generation process to generate controls and risks

  • Release version: Zurich
  • Updated July 31, 2025
  • 6 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Using the item generation process to generate controls and risks

    The ServiceNow® GRC suite offers an enhanced item generation process (v2) in version 13.x.x that automates the creation of controls and risks for your organization. Controls represent actual control activities linked to policies, regulations, or risks, while risks represent threats or vulnerabilities impacting business objectives. Controls are generated by associating policies with entity types or control objectives, and risks are generated through associations between risk frameworks, risk statements, and entity types.

    Show full answer Show less

    The enhanced process addresses performance and stalling issues found in version 12.x.x and earlier, significantly improving processing speed (e.g., generating 10,000 risks in about 5.27 minutes versus 13.7 minutes previously).

    How the Item Generation Process Works

    The process inserts actions into an action queue, which are executed sequentially by a scheduled job that periodically checks the queue to process ready actions. This queue-based execution prevents stalled actions and race conditions, ensuring consistent updates.

    Benefits

    • Faster processing of controls and risks using the action event queue.
    • Elimination of stalled actions and race conditions for consistent data updates.
    • Detailed logging of action history and status to facilitate troubleshooting.
    • Improved error information to quickly identify and resolve issues.
    • Enables compliance and risk managers to operate controls and risks management with minimal manual intervention.

    Applications and Components Involved

    The process leverages these GRC applications:

    • GRC: Policy and Compliance Management
    • GRC: Risk Management
    • GRC: Profiles (installed automatically with either of the above)

    It also uses various reference components including tables, scheduled jobs, and script include action handlers that handle the processing logic for controls and risks.

    Upgrade Considerations

    To benefit from item generation process v2, both Policy and Compliance Management and Risk Management applications must be upgraded to version 13.x.x simultaneously. This upgrade replaces the legacy process with the enhanced version without visible impact on existing implementations. Failure to upgrade both applications together results in error messages requiring the upgrade of both.

    Configuration and Troubleshooting

    Administrators with the sngrc.admin role can configure the frequency of the scheduled job that processes the action queue. When an item generation action occurs (e.g., generating a control or risk), a record is inserted into the action event queue. Errors during processing provide detailed traces and status information to help quickly identify and fix issues.

    Script includes provide the action handlers for different applications, allowing users with the sngrc.manager role to review base functions, and users with scriptincludeadmin role can customize action handling by overriding base functions.

    Operational Changes

    In generating common controls, associating a reliant entity to an existing common control takes precedence over creating new controls for that entity, improving consistency and control management efficiency.

    The ServiceNow® GRC suite of applications can automatically generate controls and risks for your organization with the enhanced item generation process. The enhanced item generation process (v2) in version 13.x.x fixes the stalling and performance issues from the item generation process (v1) in version 12.x.x and earlier releases.

    Overview of the item generation process

    By using the Governance, Risk, and Compliance application, you can use the item generation process to generate controls and risks for your organization.

    A control is the actual control activity that an organization performs. For example, a control can be related to authoritative source content (legal articles, regulations, or public records), policies, and risks. A control is automatically generated when you associate a policy with an entity type (grouping of the entities that match a set of filter conditions) or an entity type with a control objective. For more information on controls, see Manage controls.

    A risk is any threat or vulnerability that could adversely affect an organization’s business objectives. For example, a risk can be related to any item, policy, control, or remediation task. A risk is automatically generated when you make associations between risk frameworks or risk statements and entity types.
    Note:
    Risk statements are general statements about potential risks or threats that could occur in an organization. A risk framework consists of a risk assessment, response, and accountability for the risk and mitigation activities around it.
    For more information on risks, see Using Risk Management.

    The item generation process (v1) in version 12.x.x and earlier releases generated out-of-sync updates due to the stalled actions in the action queue. The enhanced item generation process (v2) eliminates the stalling issues and improves the processing time of the controls and risks significantly. For example, the legacy item generation process (v1) generated 10,000 risks in approximately 13.7 minutes where the new item generation process (v2) can generate 10,000 risks in approximately 5.27 minutes.

    Flow of the item generation process

    The item generation process inserts an action in the action queue and executes the actions one by one in a sequence. A scheduled job runs periodically to check the action queue. If an action is running in the queue, the scheduled job skips it. When the current running action is completed and no other action is in process, the scheduled job picks up the next action in the Ready state in the queue as shown in the following example.
    Figure 1. Item generation process flow
    Item generation process flow.

    Benefits of the item generation process

    The new item generation process provides the following key benefits:

    • Processes the controls and risks quickly by using the item generation action event queue.
    • Eliminates the stalled actions and race conditions​ in the queue that generated the non-consistent updates.
    • Logs the history and status of the item generation actions.
    • Provides more information about an error in the item generation action event queue. It helps you to track and troubleshoot the issues quickly and efficiently.
    • Helps the compliance and risk managers to manage the controls and risks in an auto-pilot mode without much maintenance.

    Applications that are used in the item generation process

    The following GRC applications are used in the item generation process:
    • GRC: Policy and Compliance Management
    • GRC: Risk Management
    • GRC: Profiles

    The GRC: Profiles application is automatically installed when either the GRC: Policy and Compliance Management or GRC: Risk Management application is activated.

    Upgrade scenarios and their impact on the existing implementations

    You must upgrade both Policy and Compliance Management and Risk Management applications to version 13.x.x. When you upgrade the Policy and Compliance Management and Risk Management applications to version 13.x.x, the new item generation process (v2) replaces the legacy item generation process (v1).

    Note:
    Upgrading the Policy and Compliance Management and Risk Management applications to version 13.x.x automatically upgrades the GRC: Profiles application to version 13.x.x​.
    Ensure that you have the required versions of the Policy and Compliance Management and Risk Management applications installed in your instance. If you have one of the following scenarios for the installed applications, you receive an error message on the screen:
    • You have both the Policy and Compliance Management and Risk Management applications previously installed in your instance and you upgrade only one of them to version 13.x.x.
    • You have only one of the Policy and Compliance Management or Risk Management applications installed in your instance and you upgrade the GRC: Profiles application to version 13.x.x.
    • You have both Policy and Compliance Management or Risk Management applications installed in your instance and you upgrade the GRC: Profiles application to version 13.x.x.
    The error message states that you must upgrade both Policy and Compliance Management and Risk Management applications to version 13.x.x as shown in the following example.
    Figure 2. Message for upgrading the applications
    Message for upgrading the applications.
    When you upgrade, you don't see any visible impact to your existing implementations of the item generation process.
    Note:
    If you haven’t upgraded to version 13.x.x, the legacy item generation process is still supported.

    Components that are used by the item generation process

    The item generation process uses several types of reference components such as tables, scheduled jobs, and action handlers. For more information on the components that are used with the item generation process, see Components installed with the item generation process.

    Using the scheduled job and action event queue

    The item generation process uses the Item generation action queue processor scheduled job and an action event queue in the background. As a user with the sn_grc.admin role, you can configure the frequency of the scheduled job as shown in the following example.
    Figure 3. Configure the frequency of the scheduled job
    Configure the frequency of the scheduled job.
    When you initiate an action that results in generating, updating, or deleting a control or risk, the scheduled job inserts a record for each action in the sn_grc_item_generation_action_event_queue.list table. The item generation action event queue is shown in the following example.
    Figure 4. Item generation action event queue
    Item generation action event queue.
    When an action is generated by using the item generation process, a message that the item generation process has been initiated is displayed. For example, when you add a risk statement to a control objective, you see the message that is shown in the following example.
    Figure 5. Initiation of the item generation process
    Initiation of the item generation process.
    If an error occurs while processing an action in the queue, the item generation process displays more information about the error. For example, you might see an error trace with the object ID as shown in the following example.
    Figure 6. Error trace
    Error trace.

    You can use the error trace and other details in the queue to track and troubleshoot the issue.

    Script includes action handlers

    The item generation process uses the script includes action handlers that process the actions for the Policy and Compliance Management and Risk Management applications.

    You can view the list of the supported action handlers by navigating to Script Includes in the application navigator as shown in the following example.

    Figure 7. Script includes action handlers
    Script includes action handlers.
    All script includes action handlers contain the base version and the extended version. The item generation process uses the base version for handling the actions. As a user with the sn_grc.manager role, you can review the base functions that are listed in the action handler as shown in the following example.
    Figure 8. Base functions
    Base functions.
    As a user with the script_include_admin role, you can revise the action strategy for a control or risk by overriding the base functions as shown in the following example.
    Figure 9. Override the base functions
    Override the base functions.