Advanced Governance, Risk, and Compliance Application Risk dashboard
Summary of Advanced Governance, Risk, and Compliance Application Risk Dashboard
The Advanced Governance, Risk, and Compliance (GRC) Application Risk Dashboard in the ServiceNow Zurich release provides a comprehensive view of the risk and compliance status of business applications across an enterprise. It is designed primarily for CIOs and application owners, who must have the appropriate roles (sn_compliance.reader, sn_risk.reader, sn_audit.user) to access it. Activation of the GRC: Advanced Dashboards and Policy and Compliance Management plugins is required.
This dashboard enables organizations to monitor application compliance, risk posture, remediation efforts, audit activities, and policy exceptions, helping stakeholders ensure applications operate optimally and meet governance requirements.
Key Features
- Compliance Overview: Displays active controls, compliant and non-compliant controls, monthly compliance status, and a summary of policies and controls related to business applications. Filters include business application, criticality, control state, and enforcement type.
- Risk Overview: Shows risk heatmaps by application criticality, risk response tasks, application risk summaries focusing on high and moderate risks, and the status of mitigating controls. Filters include risk rating, application owner, and business owner.
- Risk Posture: Provides detailed views of very high, high, and moderate risks, expiration of acceptance tasks, and trends in contributing risks over time, filtered by business application.
- Audit Overview: Offers insights on audit engagements, open and past due issues, ineffective controls, and upcoming audits, with filtering options for business applications and audit engagements.
- Policy Exceptions Overview: Tracks new, approved, rejected, expired exceptions, and those awaiting approval or expiration, helping manage exceptions effectively through time-based filters.
- Issues Overview: Covers open, critical, high priority, accepted, past due issues and remediation tasks, along with trends in issue and remediation task creation and closure over time. Filterable by business application.
Practical Benefits for ServiceNow Customers
- Enables CIOs and application owners to assess compliance and risk levels for all business applications in a centralized interface.
- Helps identify high-risk applications and control gaps requiring timely remediation to mitigate potential threats.
- Facilitates tracking of audit activities and issue management to ensure governance standards are met and maintained.
- Supports informed decision-making on policy exceptions and control effectiveness, optimizing risk mitigation strategies.
- Offers customizable filtering and visual reports (bar graphs, donut charts, trend charts) to analyze data relevant to specific applications or risk categories.
Access and Setup
To use the Application Risk Dashboard effectively, ensure the following:
- Activate the required plugins: GRC: Advanced Dashboards and Policy and Compliance Management.
- Assign necessary roles to users (sn_compliance.reader, sn_risk.reader, sn_audit.user).
- Navigate via Advanced GRC Dashboard > Application Risk Dashboard in ServiceNow.
The GRC Application Risk and Compliance Overview Dashboard provides the latest view of risk and compliance aspects for the business applications that are used in an enterprise.
The dashboard provides insight into:
- The compliance impact of applications in use.
- The risk posture of applications.
- The state of remediation and exceptions activity of the issues.
- The audit activity around applications and status.
The dashboard helps answer questions such as:
- What are the key applications, and are they all operational and delivering the required services optimally?
- What are the policies and authority documents that the applications must comply with? Are the applications compliant with them?
- What are the risks faced by the applications? Are any of them high enough to raise a concern? Are there enough mitigations in place? Are there adequate controls in place and are they working effectively?
- For applications that need remediation, are the remediations being done on time according to the Service Level Agreements (SLAs)? Which are the applications that generate the maximum number of issues?
- Are exceptions being sought often on the applications and why? Are they within manageable limits?
- Are the applications due for audit any time? How have the applications performed on these audits?
The dashboard offers various representations such as bar graphs, donut charts, and trend charts. Application owners can use the filters on the dashboard to view reports related to the business applications they own, such as critical business applications, mandated controls related to a specific business application, or high priority issues.
Compliance Overview
- Total Controls: This report provides the total number of active controls.
- Compliant Controls: This report provides the total number of compliant controls which are not in draft or retired state.
- Non-Compliant Controls: This report provides the total number of non-compliant controls which are not in draft or retired state.
- Compliance Status By Month: This report provides the number of active controls by month.
  Note: This bar chart shows the compliance status for the current month and can be grouped by either Control Status or Business Application.
- Compliance %: This report provides the percentage of different statuses of active controls such as Compliant, Non Compliant, and Not Applicable.
- Application Compliance Summary: This report provides the summary of policies, authority documents, and the controls associated with business applications.
Filters:
- Business Application
- Business Criticality
- Entity Owner
- Enforcement such as mandatory or voluntary controls
- Key Control
- Control State
- Control Owning Group
Risk Overview
- Risk Heatmap by Application Criticality: This report displays the heatmap of the application risks based on criticality of applications versus the risk rating of the application.
- Risk Response Tasks Overview: This report displays the response tasks created for a risk and the different states of those tasks.
  Note: This bar chart can be grouped by and stacked by risk response, risk response state, risk calculated score, risk response assigned to, or business application.
- Application Risk Summary: This report displays the summary of risks directly associated with the applications that contribute to the overall risk rating of the application. Other downstream risks that contribute to the application risk rating are not represented in this report. The risks considered for this report are very high, high, and moderate.
- Application Risk Mitigating Controls Status: This report provides the information for an application's risks and the associated controls. The risks considered for this report are very high, high, and moderate. The state of controls must not be in draft or retired. The risks for only one year are displayed.
Filters:
- Business Application
- Criticality
- Risk Rating
- Application Owner
- Business Owner
Risk Posture
- Very High Risks: This report displays the very high risks of an application.
- High Risks: This report displays the high risks of an application.
- Moderate Risks: This report displays the moderate risks of an application.
- Acceptance Task Expirations: This report displays the risk response acceptance tasks that have an expiration on the current day, the current week, the current month, the current quarter, and the current year.
- Contributing Risks Trend: This report displays the trend of risks directly associated with business applications and how they are performing over a period. Other downstream risks that contribute to the application risk rating are not represented in this report.
Audit Overview
- Open Audit Engagements: This report displays the number of audit engagements in open state.
- Ineffective Controls: This report displays the number of ineffective controls for an audit engagement.
- Open Issues: This report displays the number of open issues for an audit engagement.
- Past Due Issues: This report displays the number of past due audit issues for an application.
- Upcoming Audit Engagements: This report displays the monthly count for the upcoming audit engagements.
- Open Issues by Audit Engagements: This report displays the monthly count for the open audit issues.
- Past Due Issues by Audit Engagements: This report displays the past due audit issues over a period.
- Ineffective Controls by Audit Engagements: This report displays the information regarding audit engagements and the associated ineffective controls.
Filters:
- Business Application
- Audit Engagement
- Criticality
Policy Exceptions Overview
- New Exceptions: This report provides information about the new exceptions requested.
- Approved Exceptions: This report provides information about the number of approved exceptions.
- Rejected Exceptions: This report provides information about the number of rejected exceptions.
- Expired Exceptions: This report provides information about the number of expired exceptions.
- Exceptions Awaiting Approval: This report provides information about the exceptions that are awaiting approval and are due on the current date, the current week, the current month, and the current quarter.
- Extensions Awaiting Approval: This report provides information about the extensions that are awaiting approval and are due on the current date, the current week, the current month, and the current quarter.
- Upcoming Exceptions Expirations: This report provides information about the exceptions that are about to expire and which are due on the current date, the day after the current date, the current week, the week after the current week, and the current month.
- Exceptions Requested vs. Approved: This report provides information about the exceptions requested versus the number of exceptions approved per month.
Issues Overview
- Open Issues: This report displays the number of issues in open state.
- Critical Priority Issues: This report displays the number of critical priority issues.
- High Priority Issues: This report displays the number of high priority issues.
- Accepted Issues: This report displays the number of issues that are accepted.
- Past Due Issues: This report displays the number of past due issues.
- Issues to be Resolved: This report displays the number of issues that must be resolved on the current date, the current week, current month, current quarter, and current year.
- Remediation Tasks to be Completed: This report displays the number of remediation tasks that must be completed on the current date, the current week, current month, current quarter, and current year.
- Past Due Issues: This report displays the number of past due issues over a time period.
- Past Due Remediation Tasks: This report displays the number of past due remediation tasks over a time period.
- Issue Creation Trend: This report displays the trend of how issues are created over a time period.
- Issue Closure Trend: This report displays the trend of how issues are closed over a time period.
- Remediation Task Creation Trend: This report displays the trend of how remediation tasks are created over a period.
- Remediation Task Closure Trend: This report displays the trend of how remediation tasks are closed over a period.