Exploring GRC: Metrics

  • Release version: Australia
  • Updated March 12, 2026

    A metric is used to measure and evaluate the effectiveness of your organizational processes. A metric or a combination of metrics can provide an insight into a system, component, or process.

    GRC: Metrics overview

    The GRC: Metrics application enables other applications to assess, compare, and track the performance of processes.

    The user role responsible for reading, creating, and updating metric definitions and metrics is the GRC: Metrics manager (sn_grc_metric.manager).

    You define metrics by using the Metrics form. A metric combines a metric definition with an entity. When you apply a metric definition to an entity, the GRC: Metrics application creates a metric. After you define metrics, the application collects data to show how well each process works. For example, a metric can measure an incident resolution process by tracking the time needed to resolve an incident.

    Every organization has a range of data sources for building and structuring its own metric analysis. To establish a useful metric, the metrics manager must first assess and set the goals. Next, the manager sets the targets for the metrics that are integrated with the organization's business decisions.

    Qualitative and quantitative metrics

    You can classify your metrics into qualitative and quantitative measurements.

    Qualitative metrics in Risk Management are derived from a subjective opinion that you form based on other information. Examples of qualitative metrics in Risk Management include categorizing risk severity as Low, Medium, or High, or assessing control effectiveness using descriptive scales.

    Quantitative metrics in Risk Management are metrics that you can express as a specific number by applying a formula. Examples of quantitative metrics for an organization include the number of overdue risk assessments and the number of failed controls.

    Examples of metrics

    Rising system downtime indicates infrastructure instability or maintenance gaps, which may lead to productivity loss and operational disruption. For example, downtime exceeding 5 hours per month triggers a technical infrastructure audit.

    GRC: Metrics workflow in Integrated Risk Management

    The metrics workflow defines how organizations design, operationalize, and monitor Key Risk Indicators (KRIs) and Key Control Indicators (KCIs) to gain visibility into enterprise risk exposure.

    Figure 1. Workflow of metrics in IRM.
    1. An operational risk manager defines the overall metrics framework. This establishes the foundation for measuring risk performance and verifies that KRIs and KCIs are consistently applied across the organization.
    2. The operational risk manager trains business stakeholders on how the metrics framework works, including how KRIs and KCIs are identified, measured, and used to monitor risk.
    3. Relevant risks and controls that require ongoing monitoring are identified.
    4. For each selected risk and control, appropriate KRIs and KCIs are identified.
    5. The operational risk manager defines the threshold values for KRIs and KCIs. A threshold is a limit that triggers alerts or remediation if it is exceeded.
    6. The operational risk manager identifies data owners for each indicator. These owners are responsible for providing and validating the data used to calculate the metrics, either by manually submitting the required data or by configuring automated metrics that collect the data on an ongoing, automated basis.
    7. A business operational risk manager reviews the defined KRIs, KCIs, and thresholds to confirm that they align with business requirements.
    8. The business operational risk manager can refine the thresholds to align them with business needs.
    9. Employees provide the required data to calculate KRIs and KCIs at the defined frequency.
    10. The operational risk manager and the business operational risk manager continuously monitor the indicators and generate reports. Leadership and risk managers use dashboards and reports to view trends, threshold breaches, and the overall risk posture.
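
    The following is an added example, not ServiceNow code and not part of this page: a small JavaScript model of the concepts above, in which a metric definition applied to an entity yields a metric, quantitative and qualitative values are collected over records for a period, and thresholds flag breaches that carry an action. All definition names, entities, records, and limits are constructed, except the downtime limit of 5 hours per month and the resulting technical infrastructure audit, which are taken from the page's own example.

```javascript
// Added example (not ServiceNow code): metric definitions, entities, thresholds.
// Names, records and limits are constructed, except the 5 h/month downtime limit
// and the audit action, which come from the page's example.

// Ordinal scale for qualitative metrics (page example: Low / Medium / High).
const SEVERITY_SCALE = ["Low", "Medium", "High"];

// Compare a collected value against a threshold. Qualitative values are mapped
// to their position on the scale so that "High" > "Medium" > "Low".
function breachesThreshold(value, threshold, scale) {
  const v = scale ? scale.indexOf(value) : value;
  const limit = scale ? scale.indexOf(threshold.value) : threshold.value;
  if (scale && (v === -1 || limit === -1)) throw new Error("value not on scale");
  switch (threshold.operator) {
    case ">":  return v > limit;
    case ">=": return v >= limit;
    case "<":  return v < limit;
    case "<=": return v <= limit;
    default:   throw new Error("unsupported operator " + threshold.operator);
  }
}

// Metric definitions: how to compute a value from the entity's records for a
// period, the threshold that triggers action, and the action itself.
const METRIC_DEFINITIONS = {
  downtime_hours_per_month: {
    type: "quantitative",
    compute: (records) => records.reduce((sum, r) => sum + r.downtimeHours, 0),
    threshold: { operator: ">", value: 5 },
    action: "technical infrastructure audit",
  },
  overdue_risk_assessments: {
    type: "quantitative",
    compute: (records) => records.filter((r) => r.overdue).length,
    threshold: { operator: ">=", value: 3 },
    action: "remediation task",
  },
  risk_severity: {
    type: "qualitative",
    scale: SEVERITY_SCALE,
    // Worst severity assigned by any assessor in the period.
    compute: (records) => records.reduce(
      (worst, r) => (SEVERITY_SCALE.indexOf(r.severity) > SEVERITY_SCALE.indexOf(worst) ? r.severity : worst),
      "Low"),
    threshold: { operator: ">=", value: "High" },
    action: "escalate to risk committee",
  },
};

// Applying a definition to an entity for one period produces a metric result.
function evaluateMetric(definitionName, entity, period, records) {
  const def = METRIC_DEFINITIONS[definitionName];
  if (!def) throw new Error("unknown metric definition " + definitionName);
  const scoped = records.filter((r) => r.entity === entity && r.period === period);
  const value = def.compute(scoped);
  const breached = breachesThreshold(value, def.threshold, def.scale);
  return { metric: definitionName, entity, period, value, breached, action: breached ? def.action : null };
}

// Values of one metric over consecutive periods, for trend reporting.
function metricTrend(definitionName, entity, periods, records) {
  return periods.map((p) => evaluateMetric(definitionName, entity, p, records).value);
}

// "Rising" here means strictly increasing across the reported periods.
function isRising(values) {
  return values.length > 1 && values.every((v, i) => i === 0 || v > values[i - 1]);
}

// Constructed sample data, keyed by metric definition.
const SAMPLE_RECORDS = {
  downtime_hours_per_month: [
    { entity: "payments-api", period: "2026-01", downtimeHours: 1.5 },
    { entity: "payments-api", period: "2026-02", downtimeHours: 3.0 },
    { entity: "payments-api", period: "2026-03", downtimeHours: 4.0 },
    { entity: "payments-api", period: "2026-03", downtimeHours: 2.5 },
    { entity: "hr-portal", period: "2026-03", downtimeHours: 0.5 },
  ],
  overdue_risk_assessments: [
    { entity: "vendor-risk-register", period: "2026-03", overdue: true },
    { entity: "vendor-risk-register", period: "2026-03", overdue: true },
    { entity: "vendor-risk-register", period: "2026-03", overdue: false },
    { entity: "vendor-risk-register", period: "2026-03", overdue: true },
  ],
  risk_severity: [
    { entity: "cloud-migration", period: "2026-03", severity: "Medium" },
    { entity: "cloud-migration", period: "2026-03", severity: "High" },
    { entity: "office-relocation", period: "2026-03", severity: "Low" },
    { entity: "office-relocation", period: "2026-03", severity: "Medium" },
  ],
};

// Evaluate every definition for every (entity, period) present in its records.
function evaluateAll() {
  const results = [];
  for (const [name, records] of Object.entries(SAMPLE_RECORDS)) {
    const keys = new Set(records.map((r) => r.entity + "|" + r.period));
    for (const key of keys) {
      const [entity, period] = key.split("|");
      results.push(evaluateMetric(name, entity, period, records));
    }
  }
  return results;
}

for (const r of evaluateAll()) {
  console.log(`${r.period} ${r.entity} ${r.metric}=${r.value}` + (r.breached ? ` BREACH -> ${r.action}` : ""));
}
```

    In this model the payments-api entity accumulates 6.5 hours of downtime in 2026-03, which exceeds the 5-hour limit and triggers the audit action, while its three-month trend is strictly rising. The qualitative severity metric shows the same threshold logic applied to an ordered scale rather than a number.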