Entity scoping in GRC

  • Release version: Australia
  • Updated March 12, 2026

    Entity scoping is permitted in each of the core GRC applications. Scoping provides a way to allocate risks and controls at different levels. Dependencies are created using the dependency map in the GRC Workbench.

    Entity scoping overview

    Note:
    Starting with the New York release, the term profile was replaced with the term entity. See Governance, Risk, and Compliance application nomenclature updates and industry terminology for more information about all updated GRC application terms.

    Organizations have various control owners maintaining individual files and spreadsheets to track the compliance of different systems, projects, organizations, and so on. In this environment, risk managers cannot avoid, or even be aware of, the duplicate risks and controls created on shared entities. The purpose of entity scoping is to provide a top-down approach for maintaining your risk universe, which is the hierarchical library of both risks and controls. Mature organizations with a healthy risk posture find that most risks are standard and recurring. Entity scoping helps you catalog and visualize upstream and downstream risks and controls based on the roll-up of the related entities.

    Figure 1. From an organic approach to a structured system
    Legacy bottom-up approach to improved top-down system
    1. Create or edit Entity Types and map them using the Entity Filter to existing ServiceNow® tables.
    2. Map these entity types to external regulations and internal policies using control objectives and risk statements.
    3. Generate risk and control instances on related entities.
    4. Maintain your risk appetite and scoring results by using the aggregated calculation for entities (all combinations of risk scores on risk roll-up).
    Figure 2. Scoping process
    image shows scoping process with old and new terms