Using the item generation process to generate controls and risks

  • Release version: Australia
  • Updated March 12, 2026
  • 6 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Using the item generation process to generate controls and risks

    The ServiceNow Governance, Risk, and Compliance (GRC) suite includes an enhanced item generation process (v2) that automatically generates controls and risks for your organization. Controls represent the activities performed to manage compliance, linked to policies and risks. Risks denote potential threats or vulnerabilities affecting business objectives and are generated from associations with risk frameworks or statements.

    Show full answer Show less

    The enhanced process in version 13.x.x improves on the legacy version (v1) by resolving stalling and performance issues, enabling significantly faster processing of large volumes of controls and risks.

    How the Item Generation Process Works

    The process operates via an action queue, where actions are inserted and executed sequentially by a scheduled job that periodically checks and processes queued actions one at a time. This design prevents stalled or concurrent actions, ensuring consistent updates and reliable performance.

    Benefits

    • Faster processing of control and risk generation using an event queue system.
    • Elimination of stalled actions and race conditions that previously caused inconsistent updates.
    • Detailed logging of action history and status, facilitating easier tracking and troubleshooting.
    • Enhanced error reporting within the action queue for efficient issue resolution.
    • Supports near-autonomous management of controls and risks, reducing manual maintenance for compliance and risk managers.

    Applications Involved

    The item generation process involves the following GRC applications:

    • GRC: Policy and Compliance Management
    • GRC: Risk Management
    • GRC: Profiles (installed automatically with either of the above)

    Upgrade Requirements and Impact

    To utilize the enhanced item generation process (v2), you must upgrade both Policy and Compliance Management and Risk Management applications to version 13.x.x. This upgrade automatically updates GRC: Profiles as well. Partial upgrades or mismatched versions of these applications will generate error messages prompting a full upgrade.

    The upgrade does not impact existing item generation implementations visibly; legacy processes remain supported until the upgrade.

    Technical Components and Configuration

    The process relies on several components such as tables, scheduled jobs, and script include action handlers:

    • Scheduled Job and Action Event Queue: Controls the timing and sequencing of item generation actions. Administrators with the sngrc.admin role can configure the scheduled job frequency.
    • Action Event Queue: Stores records of generation actions, allowing monitoring of status and error details for troubleshooting.
    • Script Include Action Handlers: Contain base and extended functions to process actions for control and risk generation. Managers with the sngrc.manager role can review base functions, while users with scriptincludeadmin role can customize action handling by overriding base functions.

    Operational Considerations

    When generating controls, the process prioritizes associating an existing common control to entities before creating new controls. This operational change optimizes control management and consistency across entities.

    The ServiceNow® GRC suite of applications can automatically generate controls and risks for your organization with the enhanced item generation process. The enhanced item generation process (v2) in version 13.x.x fixes the stalling and performance issues from the item generation process (v1) in version 12.x.x and earlier releases.

    Overview of the item generation process

    By using the Governance, Risk, and Compliance application, you can use the item generation process to generate controls and risks for your organization.

    A control is the actual control activity that an organization performs. For example, a control can be related to authoritative source content (legal articles, regulations, or public records), policies, and risks. A control is automatically generated when you associate a policy with an entity type (grouping of the entities that match a set of filter conditions) or an entity type with a control objective. For more information on controls, see Manage controls.

    A risk is any threat or vulnerability that could adversely affect an organization’s business objectives. For example, a risk can be related to any item, policy, control, or remediation task. A risk is automatically generated when you make associations between risk frameworks or risk statements and entity types.
    Note:
    Risk statements are general statements about potential risks or threats that could occur in an organization. A risk framework consists of a risk assessment, response, and accountability for the risk and mitigation activities around it.
    For more information on risks, see Using Risk Management.

    The item generation process (v1) in version 12.x.x and earlier releases generated out-of-sync updates due to the stalled actions in the action queue. The enhanced item generation process (v2) eliminates the stalling issues and improves the processing time of the controls and risks significantly. For example, the legacy item generation process (v1) generated 10,000 risks in approximately 13.7 minutes where the new item generation process (v2) can generate 10,000 risks in approximately 5.27 minutes.

    Flow of the item generation process

    The item generation process inserts an action in the action queue and executes the actions one by one in a sequence. A scheduled job runs periodically to check the action queue. If an action is running in the queue, the scheduled job skips it. When the current running action is completed and no other action is in process, the scheduled job picks up the next action in the Ready state in the queue as shown in the following example.
    Figure 1. Item generation process flow
    Item generation process flow.

    Benefits of the item generation process

    The new item generation process provides the following key benefits:

    • Processes the controls and risks quickly by using the item generation action event queue.
    • Eliminates the stalled actions and race conditions​ in the queue that generated the non-consistent updates.
    • Logs the history and status of the item generation actions.
    • Provides more information about an error in the item generation action event queue. It helps you to track and troubleshoot the issues quickly and efficiently.
    • Helps the compliance and risk managers to manage the controls and risks in an auto-pilot mode without much maintenance.

    Applications that are used in the item generation process

    The following GRC applications are used in the item generation process:
    • GRC: Policy and Compliance Management
    • GRC: Risk Management
    • GRC: Profiles

    The GRC: Profiles application is automatically installed when either the GRC: Policy and Compliance Management or GRC: Risk Management application is activated.

    Upgrade scenarios and their impact on the existing implementations

    You must upgrade both Policy and Compliance Management and Risk Management applications to version 13.x.x. When you upgrade the Policy and Compliance Management and Risk Management applications to version 13.x.x, the new item generation process (v2) replaces the legacy item generation process (v1).

    Note:
    Upgrading the Policy and Compliance Management and Risk Management applications to version 13.x.x automatically upgrades the GRC: Profiles application to version 13.x.x​.
    Ensure that you have the required versions of the Policy and Compliance Management and Risk Management applications installed in your instance. If you have one of the following scenarios for the installed applications, you receive an error message on the screen:
    • You have both the Policy and Compliance Management and Risk Management applications previously installed in your instance and you upgrade only one of them to version 13.x.x.
    • You have only one of the Policy and Compliance Management or Risk Management applications installed in your instance and you upgrade the GRC: Profiles application to version 13.x.x.
    • You have both Policy and Compliance Management or Risk Management applications installed in your instance and you upgrade the GRC: Profiles application to version 13.x.x.
    The error message states that you must upgrade both Policy and Compliance Management and Risk Management applications to version 13.x.x as shown in the following example.
    Figure 2. Message for upgrading the applications
    Message for upgrading the applications.
    When you upgrade, you don't see any visible impact to your existing implementations of the item generation process.
    Note:
    If you haven’t upgraded to version 13.x.x, the legacy item generation process is still supported.

    Components that are used by the item generation process

    The item generation process uses several types of reference components such as tables, scheduled jobs, and action handlers. For more information on the components that are used with the item generation process, see Components installed with the item generation process.

    Using the scheduled job and action event queue

    The item generation process uses the Item generation action queue processor scheduled job and an action event queue in the background. As a user with the sn_grc.admin role, you can configure the frequency of the scheduled job as shown in the following example.
    Figure 3. Configure the frequency of the scheduled job
    Configure the frequency of the scheduled job.
    When you initiate an action that results in generating, updating, or deleting a control or risk, the scheduled job inserts a record for each action in the sn_grc_item_generation_action_event_queue.list table. The item generation action event queue is shown in the following example.
    Figure 4. Item generation action event queue
    Item generation action event queue.
    When an action is generated by using the item generation process, a message that the item generation process has been initiated is displayed. For example, when you add a risk statement to a control objective, you see the message that is shown in the following example.
    Figure 5. Initiation of the item generation process
    Initiation of the item generation process.

    If an error occurs while processing an action in the queue, the item generation process displays more information about the error. For example, you might see an error trace with the object ID.

    You can use the error trace and other details in the queue to track and troubleshoot the issue.

    Script includes action handlers

    The item generation process uses the script includes action handlers that process the actions for the Policy and Compliance Management and Risk Management applications.

    You can view the list of the supported action handlers by navigating to Script Includes in the application navigator as shown in the following example.

    Figure 6. Script includes action handlers
    Script includes action handlers.
    All script includes action handlers contain the base version and the extended version. The item generation process uses the base version for handling the actions. As a user with the sn_grc.manager role, you can review the base functions that are listed in the action handler as shown in the following example.
    Figure 7. Base functions
    Base functions.
    As a user with the script_include_admin role, you can revise the action strategy for a control or risk by overriding the base functions as shown in the following example.
    Figure 8. Override the base functions
    Override the base functions.