ServiceNow CIS – Risk and Compliance Exam Questions Total Questions: 291 – 5 Mock Exams
Practice Set 1
Question 1 of 60
SLE (quantitative) is the same as _________ (qualitative)?
Correct:
A. Impact. Correct. In the context of ServiceNow IRM/GRC and the CIS - Risk and Compliance 2025 certification, SLE (Single Loss Expectancy) is a quantitative risk metric: the financial loss expected from a single occurrence of a risk event (asset value multiplied by exposure factor). Its qualitative counterpart is Impact, which expresses the severity or consequence of a risk event as a level (e.g., High, Medium, Low). Both describe how bad the outcome would be, just in different formats: SLE in currency, Impact in qualitative levels.
Incorrect:
B. Engagement. Incorrect. Engagement refers to involvement or participation (in IRM, an audit engagement), not a risk metric. It has no correlation to SLE or Impact in risk analysis.
C. Likelihood. Incorrect. Likelihood is the qualitative equivalent of probability or frequency (the quantitative ARO, annualized rate of occurrence), not of impact. It describes how likely a risk event is to occur, not how severe the outcome would be.
D. Priority. Incorrect. Priority is a derived value, typically computed from Impact and Likelihood together. It is not a direct equivalent of SLE; it reflects urgency or response order, not loss magnitude.
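A worked illustration of the quantitative/qualitative pairing in Question 1 (SLE against Impact, ARO against Likelihood, and Priority derived from the two qualitative values), added here as example code; it is not from the page or from ServiceNow. The band thresholds, the 3x3 priority matrix and the two scenarios are assumed values constructed for the example, not ServiceNow defaults.

```python
"""Quantitative (SLE, ALE) vs qualitative (Impact, Likelihood) risk scoring."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: value of the asset at risk, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one event, 0.0 to 1.0
    annual_rate: float      # ARO: expected number of events per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF (quantitative loss per event)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO (quantitative loss per year)."""
        return self.sle() * self.annual_rate


# Assumed banding thresholds (not ServiceNow defaults): a real risk
# assessment methodology carries its own scales.
IMPACT_BANDS = [(1_000_000, "High"), (100_000, "Medium"), (0, "Low")]
LIKELIHOOD_BANDS = [(1.0, "High"), (0.1, "Medium"), (0.0, "Low")]


def band(value: float, bands) -> str:
    """Map a number onto the first qualitative band whose floor it meets."""
    for floor, label in bands:
        if value >= floor:
            return label
    return bands[-1][1]


def impact_of(sle: float) -> str:
    """Qualitative Impact is the counterpart of quantitative SLE."""
    return band(sle, IMPACT_BANDS)


def likelihood_of(aro: float) -> str:
    """Qualitative Likelihood is the counterpart of quantitative ARO."""
    return band(aro, LIKELIHOOD_BANDS)


# Priority is derived from Impact and Likelihood together (assumed 3x3
# matrix, 1 = most urgent); it is not itself a counterpart of SLE.
PRIORITY = {
    ("High", "High"): 1, ("High", "Medium"): 1, ("High", "Low"): 2,
    ("Medium", "High"): 2, ("Medium", "Medium"): 2, ("Medium", "Low"): 3,
    ("Low", "High"): 3, ("Low", "Medium"): 3, ("Low", "Low"): 4,
}


def score(s: RiskScenario) -> dict:
    """Return both views of the same risk: quantitative and qualitative."""
    impact = impact_of(s.sle())
    likelihood = likelihood_of(s.annual_rate)
    return {
        "name": s.name,
        "sle": s.sle(),
        "ale": s.ale(),
        "impact": impact,
        "likelihood": likelihood,
        "priority": PRIORITY[(impact, likelihood)],
    }


# Constructed scenarios for the example (assumed figures).
RANSOMWARE = RiskScenario("Ransomware on ERP", asset_value=2_000_000,
                          exposure_factor=0.6, annual_rate=0.2)
LOST_LAPTOP = RiskScenario("Lost unencrypted laptop", asset_value=5_000,
                           exposure_factor=1.0, annual_rate=3.0)

if __name__ == "__main__":
    for scenario in (RANSOMWARE, LOST_LAPTOP):
        print(score(scenario))
```

The two scenarios show why the pairing matters: the laptop loss has the higher Likelihood but the ransomware event has the far larger SLE and so the higher Impact, and Priority falls out of the combination rather than from either number alone.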
Question 2 of 60
What is the relationship between the Policy and Control Objective tables?
Correct:
D. Many to Many. Correct. This is the relationship between the Policy and Control Objective tables in ServiceNow's Risk and Compliance (IRM/GRC) data model, as emphasized in the CIS - Risk and Compliance 2025 certification:
A single Policy may support multiple Control Objectives.
A single Control Objective may be referenced by multiple Policies.
The relationship is implemented through a junction table (typically Policy Control Objective [grc_policy_control_objective]) that links the two, rather than a reference field on either side.
This many-to-many structure allows flexible mapping between governance documents and control frameworks, supporting reuse and modular compliance design.
Incorrect:
A. There is no relationship between Policy and Control Objective tables. Incorrect. There is a defined relationship, implemented through a junction table. Saying there is no relationship contradicts the IRM data model.
B. One to Many. Incorrect. This would mean that one Policy maps to many Control Objectives but each Control Objective maps to only one Policy, which is not the case: Control Objectives can be reused across multiple Policies.
C. One to One. Incorrect. This would severely limit reuse and scalability. Policies and Control Objectives are designed to be modular and reusable, not locked into one-to-one mappings.
Question 3 of 60
Who or what can be added to the Policy Acknowledge audience?
Select 2 answers.
Correct:
B. Groups. Correct. You can add Groups to the Policy Acknowledge audience so that every member of a specific group (e.g., HR, IT Security) is required to acknowledge a policy. This is the scalable way to distribute a policy across teams.
C. Users. Correct. You can also add individual Users to the Policy Acknowledge audience, for targeted acknowledgment requests when specific people (e.g., executives, auditors) must confirm receipt and understanding of a policy.
These two options are the audience configuration methods for policy acknowledgment workflows emphasized in the CIS - Risk and Compliance 2025 certification.
Incorrect:
A. Roles. Incorrect. Roles cannot be added directly to the Policy Acknowledge audience. Roles control access and visibility; they do not define acknowledgment recipients. Audience targeting is done through Users or Groups, not roles.
D. User criteria. Incorrect. User criteria are used for Employee Center and Service Catalog targeting, not for the Policy Acknowledge audience. They are not supported for defining who must acknowledge a policy in IRM.
Question 4 of 60
The SOX content pack includes a series of policies, controls, and risks. How are all of these components linked together?
Which 2 tables extend the Content (sn_grc_content) table?
Correct:
A. sn_compliance_citation. Correct. The Citation table extends sn_grc_content and stores regulatory citations: specific clauses or references from external regulations, standards, or frameworks. Citations are mapped to policies and control objectives to give traceability and compliance coverage.
C. sn_compliance_policy_statement. Correct. The Policy Statement table also extends sn_grc_content and defines individual policy statements: the actionable rules or expectations derived from a policy. Statements are linked to control objectives and are key to aligning internal governance with external requirements.
Both are covered in the CIS - Risk and Compliance 2025 certification as part of the content hierarchy and traceability model.
Incorrect:
B. sn_compliance_policy. Incorrect. The Policy table is part of the GRC data model, but it is the governance document that contains statements, not content itself: it does not extend sn_grc_content. Its relationship to content is indirect, through sn_compliance_policy_statement.
D. sn_risk_statement. Not one of the two answers to this question, which is about the Policy and Compliance side of the model. Note, though, that Risk Statement follows the same document/content/item pattern on the risk side (a Risk Framework contains Risk Statements, which generate Risks for entities, just as a Policy contains Policy Statements that generate Controls), so treat it as belonging to the risk management domain rather than to the compliance content hierarchy this question is testing.
Question 6 of 60
How are Workflows/Flows moved between instances?
Workflows move between instances in update sets, but the system tracks them differently from other records because workflow information is stored across multiple tables. Changes made to a workflow version are not added to the update set until the workflow is published; at that point the entire workflow is added. Update sets store a workflow as a single Workflow [wf_workflow] record and retain only the latest published version, with the update type of Workflow.
Question 7 of 60
In the Classic UI, which dependency modeling feature is available for establishing connections between Entity Classes?
The GRC Workbench uses CMDB information to show the upstream and downstream relationships across all applications. These relationships enable consistent risk mapping and modeling across the enterprise.
The GRC Manager [sn_grc.manager] uses the GRC Workbench to:
Create entity classes.
Define the upstream/downstream relationships between entity classes. These relationships make up the dependency model and ensure that risks are defined and evaluated consistently across the enterprise.
Create entity types, create entities, and classify entities.
The Risk Manager [sn_risk.manager] uses the GRC Workbench to:
Perform all the same tasks as the GRC Manager.
Create risk frameworks, risk statements, and risks.
Define risk relationships.
Question 8 of 60
How else can an Entity be called by end users in an organization?
Some ServiceNow terms are referred to differently depending on the industry or organization, and Entity is one of them: end users may know the same thing by their own local name.
Question 9 of 60
An Entity can belong to one or multiple of which of the following?
Entities can belong to multiple entity types, but to only one entity class.
Question 10 of 60
What is a risk register?
The risk library contains all risk frameworks and risk statements. Risk frameworks group risk statements into manageable categories, and risk statements group the individual risks. The risk register is the central repository of all potential risks that could occur at any time, anywhere in the organization: the individual risk records, as distinct from the library of frameworks and statements they are generated from.
Question 11 of 60
What can a GRC Manager do using the GRC Workbench? Select 3 answers.
The three GRC Manager tasks are: create entity classes; define the upstream/downstream relationships between entity classes; and create entity types, create entities, and classify entities. The distractors, "Create risk frameworks, risk statements, and risks" and "Define risk relationships", are Risk Manager tasks, not GRC Manager tasks. Read more about the GRC Workbench here: https://servicenow.com/docs/en-US/bundle/xanadu-governance-risk-compliance/page/product/grc-common/concept/grc-workbench.html
Question 12 of 60
What is the minimum role required to approve a Policy?
What actions can sn_risk.manager perform?
Select 2 answers.
"Set risk properties" and "Create RAMs" (risk assessment methodologies) are distractors: those actions belong to sn_risk.admin, not sn_risk.manager.
Question 14 of 60
What 3 GRC tables are available for SLAs?
Select 3 answers
Correct:
A. Policy exception. Correct. The Policy Exception table supports SLA definitions to track how long it takes to review, approve, or resolve exception requests. SLAs enforce timely governance and ensure exceptions are handled within defined timeframes.
C. Indicator task. Correct. Indicator Tasks are generated from Control Indicators and represent actionable compliance checks. SLAs can be applied to these tasks to monitor response or remediation time, ensuring timely execution of control evaluations.
D. Regulatory task. Correct. Regulatory Tasks are tied to citations and regulatory requirements, often created during assessments or audits. SLAs ensure these tasks are completed within compliance deadlines, making them SLA-eligible in the GRC context.
These three tables are covered in the CIS - Risk and Compliance 2025 certification as SLA-compatible components within the IRM/GRC framework.
Incorrect:
B. Control. Incorrect. The Control table defines governance mechanisms; it is not a task-based record and does not support SLAs directly. SLAs apply to tasks, not to static records like Controls.
E. Policy. Incorrect. Policies are governance documents, not workflow or task records. They do not support SLA tracking, as they are not time-bound actionable items.
Question 15 of 60
Which table, along with the Policy table, is connected to the Control Objective table through a many-to-many relationship?
Correct:
D. Citation. Correct. The Citation table (sn_compliance_citation) is connected to the Control Objective table via a many-to-many relationship, just like the Policy table. The relationship is implemented with a junction table, allowing:
A single Citation (e.g., a clause from ISO 27001 or GDPR) to be linked to multiple Control Objectives.
A single Control Objective to be mapped to multiple Citations.
This structure supports traceability between external regulatory requirements and internal control frameworks, a key concept emphasized in the certification.
Incorrect:
A. Control attestation. Incorrect. The Control Attestation table manages attestation tasks for Controls; it does not define relationships with Control Objectives and does not participate in a many-to-many mapping with them.
B. Risk. Incorrect. Risks can be scoped to entities and linked to Controls, but they are not connected to Control Objectives through a many-to-many relationship. Their linkage is contextual, not structural.
C. Authority Documents. Incorrect. Authority Documents are containers for Citations (e.g., ISO 27001, NIST 800-53); they do not link directly to Control Objectives. The relationship flows through Citations, not from the Authority Document itself.
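An added example, not from the page or from ServiceNow's own code, showing why the Policy-to-Control Objective link in Question 2 and the Citation-to-Control Objective link in Question 15 are many-to-many, and what that buys in traceability: the same objective can satisfy several citations and be owned by several policies, and either direction can be walked, which is also where coverage gaps show up. The identifiers, record names and junction pairs are constructed for the example; the real ServiceNow junction tables are not reproduced.

```python
"""Many-to-many traceability: citation <-> control objective <-> policy."""
from collections import defaultdict

# Constructed sample records (assumed names, not real content pack data).
CITATIONS = {
    "ISO27001-A.9.2": "User access management",
    "SOX-404": "Management assessment of internal controls",
}
POLICIES = {
    "POL-ACCESS": "Access Control Policy",
    "POL-CHANGE": "Change Management Policy",
}
CONTROL_OBJECTIVES = {
    "CO-01": "Access is provisioned through an approved request",
    "CO-02": "Access rights are reviewed quarterly",
    "CO-03": "Production changes are approved before deployment",
    "CO-04": "Backups are restore-tested annually",  # deliberately unmapped
}

# Junction rows. Each side may appear any number of times, which is what
# makes the relationship many-to-many rather than a reference field.
CITATION_TO_CO = {
    ("ISO27001-A.9.2", "CO-01"), ("ISO27001-A.9.2", "CO-02"),
    ("SOX-404", "CO-01"), ("SOX-404", "CO-03"),
}
POLICY_TO_CO = {
    ("POL-ACCESS", "CO-01"), ("POL-ACCESS", "CO-02"),
    ("POL-CHANGE", "CO-03"),
}


def index(pairs, key_pos=0):
    """Build a lookup from junction pairs; key_pos picks the key side."""
    out = defaultdict(set)
    for pair in pairs:
        out[pair[key_pos]].add(pair[1 - key_pos])
    return out


CO_BY_CITATION = index(CITATION_TO_CO, 0)
CITATIONS_BY_CO = index(CITATION_TO_CO, 1)
CO_BY_POLICY = index(POLICY_TO_CO, 0)
POLICIES_BY_CO = index(POLICY_TO_CO, 1)


def policies_covering(citation_id):
    """Which policies address a citation? Walk citation -> CO -> policy."""
    found = set()
    for co in CO_BY_CITATION.get(citation_id, ()):
        found |= POLICIES_BY_CO.get(co, set())
    return sorted(found)


def citations_covered_by(policy_id):
    """Reverse direction: which external requirements does a policy support?"""
    found = set()
    for co in CO_BY_POLICY.get(policy_id, ()):
        found |= CITATIONS_BY_CO.get(co, set())
    return sorted(found)


def unmapped_control_objectives():
    """Gap check: objectives with no policy behind them or no citation to satisfy."""
    return sorted(co for co in CONTROL_OBJECTIVES
                  if co not in POLICIES_BY_CO or co not in CITATIONS_BY_CO)


if __name__ == "__main__":
    for cit in CITATIONS:
        print(cit, "covered by", policies_covering(cit))
    for pol in POLICIES:
        print(pol, "supports", citations_covered_by(pol))
    print("unmapped:", unmapped_control_objectives())
```

With a one-to-many design, CO-01 could belong to only one of the two citations it satisfies; the junction rows are what let SOX-404 and ISO27001-A.9.2 share it, and the gap check is the kind of query an auditor expects to be answerable from the mapping alone.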
Question 16 of 60
When is there a direct relationship between Entity Class and Entity Type?
Correct:
A. There is no direct relationship. Correct, according to ServiceNow's IRM/GRC data model as covered in the CIS - Risk and Compliance 2025 certification. Entity Class and Entity Type are distinct configuration elements:
Entity Class defines the table (e.g., cmdb_ci, business_unit) from which entities are sourced.
Entity Type categorizes entities for scoping and assessment purposes (e.g., Application, Location, Business Unit).
Both are used to define and organize entities, but they do not reference each other in the data model. Their relationship is indirect, mediated through the Entity record, which links to both.
Incorrect:
B. Relationships can be created manually by GRC Admin. Incorrect. GRC Admins can configure Entity Classes and Entity Types, but they cannot create a direct relationship between the two. The linkage occurs through Entity records, not through manual association.
C. They are associated with the same Entity. Incorrect. This is partially true but misleading. An Entity record may reference both an Entity Class and an Entity Type, but that does not constitute a direct relationship between the two; they remain independent configurations.
D. They have the same risks assigned. Incorrect. Risks are assigned to Entities, not directly to Entity Classes or Types. Even if entities of different types or classes share risks, this does not imply a relationship between the class and the type.
Question 17 of 60
17. Question
Which table contains the links between Entities and Entity Types?
Correct
Correct:
B. sn_grc_m2m_profile_profile_type Correct. This table represents the many-to-many relationship between Entities (Profiles) and Entity Types in ServiceNow IRM/GRC. It links:
Profiles (which represent individual entities like applications, business units, locations)
To their corresponding Entity Types (e.g., Application, Business Unit, Location)
This linkage is essential for scoping, risk assessments, and control evaluations.
Incorrect:
A. sn_risk_m2m_risk_profile Incorrect. This table links Risks to Profiles, not Entity Types. It's used in risk scoping, but does not define entity classification.
C. sn_compliance_m2m_policy_profile Incorrect. This table links Policies to Profiles, allowing policies to be scoped to entities. It does not connect Profiles to Entity Types.
D. sn_compliance_m2m_profile_profile_type Incorrect. This table name is misleading and invalid in the IRM data model. The correct table for linking Profiles to Entity Types is sn_grc_m2m_profile_profile_type, not a compliance-prefixed variant.
Question 18 of 60
18. Question
What is the Policy record lifecycle?
Correct
Draft
A compliance admin, compliance manager, or compliance user can create a policy and define and capture its related information. In the Draft state, reviewers are identified (they can edit the policy in its Review state), as are approvers who can approve the policy. Existing control objectives can be added to the policy, or new ones can be created. Each policy has a Valid to period, within which it is updated, reviewed, republished, or retired. The actions available on the policy in this state are Update, Ready for Review, and Delete.
Review
Only the policy reviewers can Update the policy in this state, to ensure that it satisfies all regulatory requirements. They review the control objectives and their associated entities, controls, and citations, add information, remove unnecessary mappings, or create new control objectives. The reviewer can move the policy Back to Draft if it does not fulfil the requirements or if more details are needed, Request Approval for the policy, or Delete it if it is no longer needed.
Awaiting approval
If a policy approver is assigned to the policy, the policy moves to the Awaiting approval state; otherwise it moves directly to Published. In the Awaiting approval state, a policy approval task is created and assigned to the approver. The task starts in the Requested state, and the approver can change it to any of the following states: Requested, Approved, Rejected, Cancelled, No longer required. The approver can also Delete the policy in this state.
Published
When the policy moves to the Published state, the system automatically generates a Knowledge Base article. The policy becomes a mandate for all users to follow its guidelines and requirements, which is enforced through the controls mapped to the policy. From this state, the policy can be sent Back to Review, Retired, or Deleted.
Retired
A policy may be retired if it is no longer required or no longer serves a business purpose. The Knowledge Base article that was created is removed, but the policy stays in the Retired state for audit purposes. If the policy is needed again, it can be sent back to the Draft state, and its life cycle begins again.
Question 19 of 60
19. Question
What steps need to be taken to integrate Policy with O365? Select 4 answers.
Correct:
C. On the Policy record. Correct. In ServiceNow IRM/GRC, the Policy record is where the Policy Acknowledge configuration is defined. This includes:
Enabling acknowledgment tracking
Specifying the audience (users or groups)
Setting acknowledgment due dates and notifications
This setup ensures that when a policy is published, designated users are prompted to review and acknowledge it.
Incorrect:
A. On the Employee Center Incorrect. While Employee Center is a delivery channel where users can view and acknowledge policies, it is not where acknowledgment is defined. The configuration must be done on the Policy record itself.
B. On the Control Objective record. Incorrect. Control Objectives are linked to policies but are not responsible for acknowledgment workflows. Acknowledgment is tied to the Policy, not its related objectives.
D. On the table dedicated to Policy acknowledgments, a record should have a reference to the Policy. Incorrect. This describes the resulting data structure, not the configuration point. The acknowledgment table stores records after the policy is published and acknowledgment is triggered, but the setup must originate from the Policy record.
Question 21 of 60
21. Question
With what other ‘template‘ records can a control objective be in a relationship?
Select 3 answers.
Correct
Correct:
B. Indicator template Correct. Control Objectives can be linked to Indicator Templates, which define reusable configurations for Control Indicators. These templates help standardize how compliance is measured across multiple objectives and controls. This relationship is central to automating control monitoring in IRM.
C. Performance Analytics indicator Correct. Control Objectives can be associated with Performance Analytics indicators to visualize and track compliance metrics over time. This integration supports dashboarding and trend analysis, aligning with the CIS - Risk and Compliance 2025 emphasis on measurable governance.
E. Test template Correct. Control Objectives can be linked to Test Templates, which define reusable testing procedures for evaluating control effectiveness. These templates support manual or automated control testing, a key component of assurance workflows in IRM.
Incorrect:
A. Response task Incorrect. Response Tasks are part of Issue Management workflows, not template-based relationships with Control Objectives. They are generated from issues, not linked directly to objectives.
D. Issue Incorrect. Issues may be created as a result of failed control evaluations, but they are not template records and do not define reusable logic. The question specifically asks about template relationships, which excludes dynamic records like Issues.
Question 22 of 60
22. Question
What are the four values leveraged for the Inherent and Residual Risk Score Types?
Correct
The inherent and residual scores for a risk are calculated using the risk criteria, likelihood, and impact. The calculations used to score risks (Risk Management scoring) are described here: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0692108
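The following is an added illustration of the scoring idea above (likelihood and impact ratings resolved through a risk criteria table, once for the inherent and once for the residual side); it is not code from the original page or from ServiceNow. The criteria weights, the score bands, the field names and the sample risks are all constructed assumptions for the example, not product defaults. It also adds the sanity check a practitioner wants when reviewing scored risks: a residual score that exceeds the inherent score means the ratings were entered inconsistently, because controls cannot add risk.

```python
from dataclasses import dataclass

# Constructed risk criteria tables: rating label -> numeric weight (assumed 1..5 scale).
LIKELIHOOD_CRITERIA = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
IMPACT_CRITERIA = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Constructed score bands for the resulting 1..25 product scale (thresholds are assumptions).
SCORE_BANDS = ((5, "low"), (10, "moderate"), (16, "high"), (25, "critical"))


@dataclass(frozen=True)
class RiskRatings:
    """Qualitative ratings captured on a risk: inherent (before controls) and residual (after)."""
    name: str
    inherent_likelihood: str
    inherent_impact: str
    residual_likelihood: str
    residual_impact: str


def _weight(criteria, rating):
    """Resolve a rating label to its numeric weight via the criteria table; reject unknown labels."""
    key = rating.strip().lower()
    if key not in criteria:
        raise ValueError(f"unknown rating {rating!r}; expected one of {sorted(criteria)}")
    return criteria[key]


def risk_score(likelihood, impact):
    """Score = likelihood weight x impact weight, both looked up in the risk criteria."""
    return _weight(LIKELIHOOD_CRITERIA, likelihood) * _weight(IMPACT_CRITERIA, impact)


def band(score):
    """Map a numeric score to its band label using the (upper bound, label) pairs in SCORE_BANDS."""
    for upper, label in SCORE_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} lies outside the defined bands")


def score_risk(r):
    """Compute inherent and residual scores for one risk and flag an inconsistent residual."""
    inherent = risk_score(r.inherent_likelihood, r.inherent_impact)
    residual = risk_score(r.residual_likelihood, r.residual_impact)
    return {
        "name": r.name,
        "inherent": inherent,
        "inherent_band": band(inherent),
        "residual": residual,
        "residual_band": band(residual),
        "reduction": inherent - residual,
        # Residual above inherent cannot come from applying controls; surface it for review
        # instead of silently trusting the number.
        "needs_review": residual > inherent,
    }


# Constructed sample risks; the second one has inconsistent residual ratings on purpose.
SAMPLE_RISKS = [
    RiskRatings("Unpatched internet-facing web server", "high", "very high", "low", "high"),
    RiskRatings("Shared administrator credentials", "very high", "high", "very high", "very high"),
]

if __name__ == "__main__":
    for risk in SAMPLE_RISKS:
        print(score_risk(risk))
```

Rating labels are normalised (trimmed and lower-cased) before the lookup so that "High" and " high " score identically, while a label missing from the criteria table raises instead of scoring as zero, which would otherwise hide a data-entry error as a low risk.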
Question 23 of 60
23. Question
UCF has a collection of what? Select all UCF terms.
Select 3 answers.
Correct
Correct:
B. Controls Correct. The Unified Compliance Framework (UCF) includes a standardized collection of Controls derived from various regulatory and industry sources. These Controls are mapped across multiple frameworks to support harmonized compliance implementation in ServiceNow IRM.
C. Authority Documents Correct. UCF organizes compliance content around Authority Documents, which are formal publications like ISO 27001, HIPAA, or NIST 800-53. These documents serve as the source of regulatory requirements and are foundational to UCF's structure.
D. Citations Correct. Citations in UCF represent specific clauses or requirements extracted from Authority Documents. They are granular references that link Authority Documents to Controls and Policy Statements, enabling traceability and audit readiness.
Incorrect:
A. Control Indicators Incorrect. Control Indicators are ServiceNow-specific constructs used to measure control effectiveness. They are not part of UCF, which focuses on regulatory content, not platform-specific automation.
E. Policies Incorrect. Policies are internal governance documents created by organizations. UCF does not include Policies, but rather provides the external regulatory content (Authority Documents, Citations, Controls) that organizations use to build their own Policies.
Question 24 of 60
24. Question
What is the condition that must exist to edit the factor guidance of a published risk assessment methodology (RAM)?
Correct
After a new assessment is created on the same risk and that assessment reaches the Monitor state, the other assessments automatically move to the Completed state. While an assessment instance is in the Monitor state, you can't move the RAM back to the Draft state. A RAM can only be moved back to Draft when it has no assessment instances; that is the condition that must exist before its factor guidance can be edited.
Question 25 of 60
25. Question
Which role reviews the risk response and moves the Risk record into the Monitor state at the appropriate time?
Correct
Correct:
B. Risk Manager Correct. In ServiceNow IRM, the Risk Manager is the designated role responsible for reviewing the risk response, validating that mitigation or acceptance actions are appropriate, and then transitioning the Risk record into the Monitor state. This role has elevated permissions to:
Evaluate and approve risk responses
Move risks through lifecycle states (e.g., from Review to Monitor)
Ensure risks are actively tracked and reassessed
Incorrect:
A. Risk Owner Incorrect. The Risk Owner is accountable for the risk and may propose or implement responses, but they do not have the authority to move the risk into the Monitor state. That action is reserved for the Risk Manager.
C. Risk User Incorrect. This is a general role with limited permissions, typically used for viewing or contributing to risk records. It does not include lifecycle transition authority.
D. Risk Reader Incorrect. This role is read-only, intended for stakeholders who need visibility into risk records but cannot edit or transition them. It's useful for auditors or observers, not for workflow actions.
Question 26 of 60
26. Question
What are the two approaches to entity scoping?
Correct
Correct:
A. Operational Correct. The operational approach to entity scoping works bottom-up from what the organization already runs: it starts with the concrete entities (applications, servers, departments, locations) that are actively involved in delivering services and need to be assessed for risks, controls and compliance. It is tactical and execution-focused, aligned with how services are delivered and managed.
B. Strategic Correct. The strategic approach works top-down from long-term business goals and priorities. It scopes entities by their importance to organizational objectives, such as critical business units or high-impact services, so that risk and compliance effort is aligned with enterprise-level strategy.
Incorrect:
C. Technical Incorrect. Technical attributes (infrastructure, systems) may influence which entities fall into scope, but Technical is not one of the two scoping approaches defined in ServiceNow IRM or tested in the CIS-Risk and Compliance exam.
D. Financial Incorrect. Financial considerations may affect risk prioritization, but Financial is not a formal scoping approach in the IRM framework and is not one of the two core methods taught for the CIS-Risk and Compliance exam.
Question 27 of 60
27. Question
What are 3 ways to add GRC content to the ServiceNow instance?
Correct
Correct:
A. Manual entry Correct. GRC content such as Policies, Citations, Control Objectives, and Controls can be manually created within the ServiceNow IRM application. This method is useful for custom content or when entering small volumes of data directly through the UI.
B. Import (transform map) Correct. You can use Import Sets with Transform Maps to bulk load GRC content from external sources (e.g., spreadsheets, CSVs). This method is ideal for structured onboarding of large content sets and is a key capability emphasized in the certification for scalable content management.
C. Content Provider (subscription with a third-party) Correct. ServiceNow supports integration with third-party content providers such as Unified Compliance Framework (UCF) or ComplianceForge. These providers deliver pre-mapped regulatory content (Authority Documents, Citations, Controls) via subscription, streamlining compliance setup.
Incorrect:
D. LDAP integration Incorrect. LDAP is used for user and group synchronization, not for importing GRC content. It plays a role in access control and audience targeting, but it does not support content onboarding for IRM modules.
Question 28 of 60
28. Question
Which of the following are the classic risk score types that ServiceNow tracks? Select 3 answers.
Correct
Read more here: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0692108
Question 29 of 60
29. Question
What is the name of the table that stores Entity Types?
Read more here: https://servicenow.com/docs/en-US/bundle/xanadu-governance-risk-compliance/page/product/grc-policy-and-compliance/concept/manage-indicators-policy-comp.html
Question 31 of 60
31. Question
The default Risk thresholds in the Risk Criteria Matrix don't match the company's requirements. What should be your course of action?
Correct
There is a module called Risk Criteria in the Admin section of the Risk application. That is where the records that drive the Risk Criteria Matrix are stored. The baseline comes with a 5×5 matrix: one set of records for Impact, one set for Likelihood and one set for Score. You enter both the qualitative and the quantitative values in the matrix. The quantitative values are what drive the ALE calculations, so even if you don't have detailed quantitative data it is worth entering values at a more general level. ServiceNow intends customers to update the records in this table: you can add records if you want more levels, or just change the values. Keep the Impact dollar values in line with the dollar ranges in the Score records, otherwise the qualitative score and the ALE-based score for the same cell of the matrix will disagree. You can always come back and change these values, so it is fine to experiment.
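As an added worked example (not code from this page or from ServiceNow), the following JavaScript models a set of Risk Criteria records of that shape and checks the caveat above: for every cell of the 5×5 matrix it derives a band from the qualitative product (Impact level × Likelihood level) and a band from ALE = SLE × ARO, and reports the cells where the two disagree. The level labels, dollar values, ARO values and band boundaries are constructed for illustration and are not the baseline values shipped with the product.

```javascript
// Added example (not ServiceNow code): a stand-in for the Risk Criteria
// records behind the 5x5 matrix, with a consistency check between the
// qualitative score and the ALE computed from the quantitative values.
// All dollar values, ARO values and band boundaries are constructed.

// Impact records: qualitative level 1..5 and the dollar loss per event (SLE).
const impactLevels = [
  { level: 1, label: 'Very Low',  sle: 10000 },
  { level: 2, label: 'Low',       sle: 50000 },
  { level: 3, label: 'Moderate',  sle: 250000 },
  { level: 4, label: 'High',      sle: 1000000 },
  { level: 5, label: 'Very High', sle: 5000000 },
];

// Likelihood records: qualitative level 1..5 and expected events per year (ARO).
const likelihoodLevels = [
  { level: 1, label: 'Rare',           aro: 0.05 },
  { level: 2, label: 'Unlikely',       aro: 0.2 },
  { level: 3, label: 'Possible',       aro: 0.5 },
  { level: 4, label: 'Likely',         aro: 1 },
  { level: 5, label: 'Almost Certain', aro: 3 },
];

// Score records: the qualitative range (impact level x likelihood level, 1..25)
// and the ALE dollar range each band is meant to cover. minAle is inclusive,
// maxAle exclusive, so adjacent bands do not overlap.
const scoreBands = [
  { label: 'Low',      minScore: 1,  maxScore: 4,  minAle: 0,       maxAle: 50000 },
  { label: 'Moderate', minScore: 5,  maxScore: 9,  minAle: 50000,   maxAle: 500000 },
  { label: 'High',     minScore: 10, maxScore: 16, minAle: 500000,  maxAle: 2000000 },
  { label: 'Critical', minScore: 17, maxScore: 25, minAle: 2000000, maxAle: Infinity },
];

function bandForScore(score) {
  const band = scoreBands.find(b => score >= b.minScore && score <= b.maxScore);
  return band ? band.label : null;   // null means a gap in the Score records
}

function bandForAle(ale) {
  const band = scoreBands.find(b => ale >= b.minAle && ale < b.maxAle);
  return band ? band.label : null;
}

// Evaluate one cell of the matrix: qualitative score, ALE = SLE x ARO, and
// whether the two routes land in the same band.
function assessCell(impactLevel, likelihoodLevel) {
  const impact = impactLevels.find(i => i.level === impactLevel);
  const likelihood = likelihoodLevels.find(l => l.level === likelihoodLevel);
  if (!impact || !likelihood) throw new Error('unknown impact or likelihood level');
  const score = impact.level * likelihood.level;
  const ale = Math.round(impact.sle * likelihood.aro);   // whole dollars
  const qualitativeBand = bandForScore(score);
  const quantitativeBand = bandForAle(ale);
  return {
    impact: impact.label, likelihood: likelihood.label, score, ale,
    qualitativeBand, quantitativeBand,
    consistent: qualitativeBand !== null && qualitativeBand === quantitativeBand,
  };
}

// Walk every cell and return the ones where the qualitative band and the
// dollar-based band disagree, or where a value falls into no band at all.
function findInconsistentCells() {
  const problems = [];
  for (const impact of impactLevels) {
    for (const likelihood of likelihoodLevels) {
      const cell = assessCell(impact.level, likelihood.level);
      if (!cell.consistent) problems.push(cell);
    }
  }
  return problems;
}

for (const cell of findInconsistentCells()) {
  console.log(`${cell.impact} x ${cell.likelihood}: score ${cell.score} -> ${cell.qualitativeBand}, ` +
              `ALE $${cell.ale} -> ${cell.quantitativeBand}`);
}
```

With these constructed values six of the 25 cells disagree; for instance Very Low impact with Almost Certain likelihood scores 5 (Moderate) while its ALE of $30,000 falls in the Low band. That is the kind of mismatch that shows up in risk reports when the Impact dollar values and the Score dollar ranges are edited independently, which is why the two should be kept in line.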
Question 32 of 60
32. Question
Control indicators may be triggered or scheduled in which state?
Correct
Correct:
D. Monitor Correct. Monitor is the only state in which Control Indicators can be triggered or scheduled in ServiceNow's Risk and Compliance (IRM/GRC) application. When a Control is in the Monitor state:
It is considered active and in production.
Control Indicators can run on a schedule or be triggered manually to evaluate compliance.
This aligns with the operational phase of the control lifecycle, where ongoing monitoring and evidence collection occur.
This behavior is explicitly emphasized in the CIS-Risk and Compliance 2025 exam as part of understanding the Control lifecycle and automation.
Incorrect:
A. Retired Incorrect. A Control in the Retired state is inactive and no longer in use. Indicators cannot be triggered or scheduled in this state.
B. Attest Incorrect. The Attest state is used for attestation workflows, not for active monitoring. Indicators are not executed in this state.
C. Review Incorrect. The Review state is part of the control design or approval process. It is not intended for active monitoring or indicator execution.
E. Draft Incorrect. In the Draft state, the Control is still being defined or configured. Indicators are not active and cannot be triggered or scheduled.
Question 33 of 60
33. Question
Which table stores the links from the Entity Type to Risk Statement?
Correct
Entity Type to Risk Statement [sn_risk_m2m_risk_definition_profile_type] extends the Content to Entity Type table [sn_grc_m2m_content_profile_type]. It is a many-to-many relationship table used to manage the relationships between entity types and risk statements.
Question 34 of 60
34. Question
Control Failure Factor is…
Correct
Control failure factor: the sum of the weights of the failed controls divided by the total weight of all controls associated with the risk. Indicator failure factor: uses the last result of each associated indicator; the number of indicators whose last result failed divided by the total number of indicators associated with the risk.
Question 35 of 60
35. Question
What is the Control record lifecycle?
Correct
Correct Answer
C. Draft > Attest > Review > Monitor > Retired Correct. This is the Control record lifecycle in ServiceNow's Risk and Compliance (IRM/GRC) application, as outlined in the CIS-Risk and Compliance 2025 certification. Each state represents a distinct phase in the control's maturity and operational readiness:
Draft Control is being defined and configured.
Attest Control is undergoing attestation to validate its design or effectiveness.
Review Control is under formal review for approval or refinement.
Monitor Control is active and being evaluated via indicators and evidence collection.
Retired Control is no longer in use and has been decommissioned.
This lifecycle supports governance, auditability, and automation of control monitoring.
Incorrect:
A. New > Draft > Review > Approved > Closed Incorrect. This sequence includes non-standard states like New and Approved which are not part of the Control lifecycle in IRM. Closed is also not a valid terminal state for Controls.
B. Draft > Attest > Review > Approved > Closed Incorrect. While it starts correctly, Approved and Closed are not valid Control states in IRM. The correct operational state is Monitor, not Approved, and Controls are Retired, not Closed.
D. Draft > Review > Accepted > Closed > Retired Incorrect. Accepted and Closed are not part of the Control lifecycle. This sequence mixes terminology from Risk or Issue lifecycles, not Controls.
Question 36 of 60
36. Question
To which types of records are Entity Types applied? Select 3 answers.
Correct
Entity type has a reference to the Control objective, Policy and Risk Statement
Question 37 of 60
37. Question
On which of the following can you apply the consolidated assessment feature? Select 2 answers.
Correct
Policy and Compliance Management and Risk Management offer two methods for consolidating attestations and risk assessments into groups that help eliminate the task of providing repetitive responses for similar assessments.
Question 38 of 60
38. Question
When considering the weighting of Controls when calculating compliance scores, which of the following statements are true? Select 2 answers.
Correct
If a new control is created it has the weight set to 10, so it is set when the control is created.
Question 39 of 60
39. Question
For classic risk assessment, while a Risk is in the Assess state, reviewers can do which of the following? (Choose two.) Select 2 answers.
Correct
There is no way to send a Risk directly from the Assess state to the Monitor state, so any option that does so is incorrect.
Question 40 of 60
40. Question
What is the minimum role required for creating a policy acknowledgement campaign?
Correct
Read more here: https://servicenow.com/docs/en-US/bundle/xanadu-governance-risk-compliance/page/product/grc-policy-and-compliance/task/setup-ack-request.html Role required: Compliance User
Question 41 of 60
41. Question
What roles can create indicator template? Select 3 answers.
Correct
Role required (any one of the following):
sn_compliance.admin or sn_compliance.manager
sn_risk.admin or sn_risk.manager
sn_audit.admin or sn_audit.manager
sn_grc.user
Question 42 of 60
42. Question
What other data influences the adjustments made by the Calculated Risk Score, in addition to the Inherent and Residual Risk scores used to determine an adjusted ALE and Score?
Correct
The calculated risk factor is derived from the results of the controls and indicators associated with the risk: Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2. This factor, together with the inherent and residual values, is what drives the calculated (adjusted) ALE and score.
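As an added worked example (not ServiceNow code), this JavaScript computes both failure factors as the page defines them in Question 34 above and combines them into the calculated risk factor, over constructed control and indicator records. How the factor is then applied to the inherent and residual values is my assumption (a linear interpolation from the residual value toward the inherent value), flagged in the code; the page only gives the factor formula.

```javascript
// Added example (not ServiceNow code): control failure factor, indicator
// failure factor and the calculated risk factor as the page defines them,
// over constructed records. The interpolation in calculatedValue() is an
// assumption about how the factor is applied, not a documented formula.

// Constructed controls linked to one risk. A new control gets weight 10 by
// default; 'non_compliant' marks a failed control.
const riskControls = [
  { name: 'MFA enforced on admin accounts', weight: 10, state: 'compliant' },
  { name: 'Quarterly access review',        weight: 10, state: 'non_compliant' },
  { name: 'Backups tested monthly',         weight: 20, state: 'compliant' },
  { name: 'Logs retained 12 months',        weight: 10, state: 'non_compliant' },
];

// Constructed indicators linked to the same risk; only the last result counts.
const riskIndicators = [
  { name: 'Admin MFA coverage',  lastResult: 'passed' },
  { name: 'Stale access grants', lastResult: 'failed' },
  { name: 'Backup restore test', lastResult: 'failed' },
  { name: 'Log retention check', lastResult: 'passed' },
];

// Sum of failed control weights divided by total control weight.
function controlFailureFactor(controls) {
  const totalWeight = controls.reduce((sum, c) => sum + c.weight, 0);
  if (totalWeight === 0) return 0;   // assumption: no weighted controls -> no failure signal
  const failedWeight = controls
    .filter(c => c.state === 'non_compliant')
    .reduce((sum, c) => sum + c.weight, 0);
  return failedWeight / totalWeight;
}

// Number of indicators whose last result failed divided by the number of indicators.
function indicatorFailureFactor(indicators) {
  if (indicators.length === 0) return 0;   // assumption, as above
  const failed = indicators.filter(i => i.lastResult === 'failed').length;
  return failed / indicators.length;
}

// Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2
function calculatedRiskFactor(controls, indicators) {
  return (indicatorFailureFactor(indicators) + controlFailureFactor(controls)) / 2;
}

// Assumption: a factor of 0 (everything passing) leaves the calculated value at
// the residual level, a factor of 1 (everything failing) pushes it back to the
// inherent level, and values in between interpolate linearly.
function calculatedValue(inherent, residual, factor) {
  return residual + (inherent - residual) * factor;
}

function exampleRisk() {
  const factor = calculatedRiskFactor(riskControls, riskIndicators);
  return {
    controlFailureFactor: controlFailureFactor(riskControls),       // 20 of 50 weight failed
    indicatorFailureFactor: indicatorFailureFactor(riskIndicators), // 2 of 4 last results failed
    calculatedRiskFactor: factor,
    calculatedAle: calculatedValue(1000000, 200000, factor),  // inherent $1M, residual $200k
    calculatedScore: calculatedValue(20, 8, factor),          // inherent 20, residual 8
  };
}

console.log(exampleRisk());
```

For the constructed records the control failure factor is 0.4, the indicator failure factor is 0.5 and the calculated risk factor is 0.45. The point worth noticing is that weighting matters on the control side only: a failed control with weight 20 counts twice as much as one with weight 10, whereas every indicator counts once regardless of the control it belongs to.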
Question 43 of 60
43. Question
What type of content can be brought into ServiceNow through the UCF integration? Select 2 answers.
Correct
Authority Documents & Citations – The UCF integration allows organizations to ingest authoritative documents, such as laws, regulations, industry standards, and frameworks, into ServiceNow. These documents provide the basis for compliance requirements and control objectives. Risks, Issues, and Policies are not typically ingested directly from the UCF integration
Question 44 of 60
44. Question
In order to update Entity Types, to which module should you navigate?
Correct
Correct:
A. Scoping > Entity Types Correct. This is the module to navigate to when you want to update Entity Types in ServiceNow's Risk and Compliance (IRM/GRC) application. Entity Types define the categories of entities (e.g., Business Units, Applications, Locations) that are assessed and scoped during risk and compliance processes. The Scoping > Entity Types module allows you to:
Create new Entity Types
Modify existing ones
Control how entities are grouped and evaluated
This is explicitly covered in the CIS-Risk and Compliance 2025 exam as part of the scoping configuration domain.
Incorrect:
B. Scoping > Profile Types Incorrect. Profile Types define the structure of profiles (e.g., Risk Profiles, Control Profiles), not Entity Types. They are used to group related controls or risks, but do not manage entity categorization.
C. Governance > Entity Types Incorrect. There is no Governance > Entity Types module in the out-of-the-box IRM navigation. Entity Types are managed under Scoping, not Governance.
D. There isn't an out-of-the-box module specifically for Entity Types Incorrect. ServiceNow does provide an out-of-the-box module for managing Entity Types under Scoping > Entity Types. This is a key configuration area for entity-based scoping and assessments.
Question 45 of 60
45. Question
There are two script includes: ComplianceUtilsBase (read-only) and ComplianceUtils (extends the first one). The function you want to modify is in ComplianceUtilsBase. What will you do?
Correct
Correct Answer
A. I will override this function in ComplianceUtils. Correct. This is the supported approach in ServiceNow's Risk and Compliance (IRM/GRC) architecture. The ComplianceUtilsBase script include is read-only and out of the box, designed to be extended but not modified directly. The ComplianceUtils script include extends ComplianceUtilsBase, allowing developers to:
Override specific functions from the base class
Customize behavior without altering OOTB logic
Preserve upgrade compatibility and best practices
This pattern is explicitly supported and recommended in the CIS-Risk and Compliance 2025 certification for safe customization.
Incorrect:
B. I will try to unlock ComplianceUtilsBase and override this function. Incorrect. Unlocking and modifying a read-only OOTB script include violates ServiceNow best practices and risks breaking upgrade compatibility. This is strongly discouraged and not permitted in certified implementations.
C. There's nothing that can be done about it, and we shouldn't modify the out-of-the-box (OOTB) logic. Incorrect. While you shouldn't modify OOTB logic directly, ServiceNow provides a supported extension mechanism via the ComplianceUtils class. Saying nothing can be done ignores this valid customization path.
D. I will copy ComplianceUtilsBase and override this function. Incorrect. Copying OOTB script includes leads to code duplication, maintenance issues, and upgrade conflicts. Extending the base class is the correct and supported method.
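As an added example (not ServiceNow code, and not the real ComplianceUtils implementation), the following JavaScript shows the extension pattern from the question in the form a ServiceNow script include takes: the base is declared with Class.create() and the extension with Object.extendsObject(), and only the one method that needs changing is redefined. The method name complianceScore(), its logic and the control data are invented for illustration; the two shims at the top stand in for the platform's global Class and Object.extendsObject helpers so that the block runs under Node, and are not needed on an instance.

```javascript
// Added example (not ServiceNow code). Shims for the platform globals so the
// pattern runs outside an instance; on an instance these already exist.
var Class = {
  create: function () {
    return function () {
      if (typeof this.initialize === 'function') this.initialize.apply(this, arguments);
    };
  }
};
// Copies the parent's prototype members, then the extension's, so the
// extension's definitions win; that is what lets a child override a method.
Object.extendsObject = Object.extendsObject || function (parent, extension) {
  return Object.assign({}, parent.prototype, extension);
};

// Stand-in for the read-only OOTB base. Treat it as untouchable.
var ComplianceUtilsBase = Class.create();
ComplianceUtilsBase.prototype = {
  initialize: function () {
    this.defaultWeight = 10;   // a new control gets weight 10
  },
  // Hypothetical base behaviour: percentage of compliant controls, each
  // control counted once regardless of its weight.
  complianceScore: function (controls) {
    if (!controls || controls.length === 0) return 0;
    var compliant = controls.filter(function (c) { return c.state === 'compliant'; }).length;
    return Math.round(100 * compliant / controls.length);
  },
  type: 'ComplianceUtilsBase'
};

// The customer-owned extension. Only the method we need to change is
// redefined; everything else is inherited, and the base stays pristine.
var ComplianceUtils = Class.create();
ComplianceUtils.prototype = Object.extendsObject(ComplianceUtilsBase, {
  initialize: function () {
    ComplianceUtilsBase.prototype.initialize.call(this);
  },
  // Override: weight each control instead of counting it once. A control with
  // no weight uses the base class's default. If nothing carries weight, defer
  // to the base implementation rather than duplicating it.
  complianceScore: function (controls) {
    if (!controls || controls.length === 0) return 0;
    var self = this;
    var totalWeight = 0, compliantWeight = 0;
    controls.forEach(function (c) {
      var w = (typeof c.weight === 'number') ? c.weight : self.defaultWeight;
      totalWeight += w;
      if (c.state === 'compliant') compliantWeight += w;
    });
    if (totalWeight === 0) {
      return ComplianceUtilsBase.prototype.complianceScore.call(this, controls);
    }
    return Math.round(100 * compliantWeight / totalWeight);
  },
  type: 'ComplianceUtils'
});

// Constructed sample controls; the third one has no explicit weight.
var sampleControls = [
  { name: 'Encryption at rest',        state: 'compliant',     weight: 30 },
  { name: 'Privileged session review', state: 'non_compliant', weight: 10 },
  { name: 'Patch SLA met',             state: 'compliant' }
];

// Same input through the untouched base and through the extension.
function compareScores(controls) {
  return {
    base: new ComplianceUtilsBase().complianceScore(controls),
    extended: new ComplianceUtils().complianceScore(controls)
  };
}

console.log(compareScores(sampleControls));
```

The base returns 67 (two of three controls compliant) while the extension returns 80 (40 of 50 weight compliant), and ComplianceUtilsBase.prototype is never written to. Calling the base method through ComplianceUtilsBase.prototype.complianceScore.call(this, ...) is the idiom for reusing OOTB logic inside an override instead of copying it, which is the difference between option A and option D above.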
Question 46 of 60
46. Question
Which sentence is incorrect regarding Control objectives?
Correct
It has to be active to create Controls.
Question 47 of 60
47. Question
If you enable the Confidential records property (sn_grc.enable_record_confidentiality), you will be able to disable it in the future.
Unified Compliance Framework (UCF) uses a slightly different nomenclature structure than ServiceNow. Common controls from UCF import into which table in ServiceNow?
Correct
UCF and GRC terminology differences
Authority documents in the UCF content are organized and mapped to their proper citations, which in turn are mapped to a common set of controls. The terminology between UCF and the GRC applications differs slightly as explained in the following table.
Question 49 of 60
49. Question
What is the name of the table that stores Entities?
Which of the following roles can create issues? Select 3 answers.
Correct
Role required (per product):
In Policy and Compliance Management: compliance_admin, compliance_manager, sn_compliance.user, sn_grc.business_user, sn_grc.business_user_lite
In Risk Management: risk_admin, risk_manager, or sn_risk.user
In Audit Management: audit_admin, audit_manager, or sn_audit.user
Question 51 of 60
51. Question
In the Policy Acknowledgement module, from which table does the Acknowledgement Instance table inherit?
Correct
[sn_compliance_policy_acknowledgement_instance] does not extend from a table
Question 52 of 60
52. Question
What assessment types can be enabled when configuring a risk assessment methodology (RAM)?
Select 3 answers.
Where can a user go to create a policy exception request?
Correct
Correct:
B. From Control Objective record Correct. Users can initiate a Policy Exception request directly from a Control Objective record when they identify that a control cannot be implemented or complied with. This is a common entry point in the IRM workflow, especially during assessments or control reviews.
C. From Compliance Workspace Correct. The Compliance Workspace provides a centralized interface for risk and compliance professionals to manage exceptions, issues, and assessments. Users with appropriate roles can create Policy Exception requests from within this workspace.
E. From Policy Exception module Correct. This is the dedicated module for managing Policy Exceptions. Users can navigate here to create, view, and track exception requests, making it a direct and structured method for initiating exceptions.
F. Self-service > Employee Center Correct. The Employee Center allows end users to submit Policy Exception requests through a simplified, self-service interface. This is ideal for business users who need to request exceptions without navigating the full IRM workspace.
Incorrect:
A. From Control record Incorrect. While Controls are related to Policy Exceptions, the Control record itself does not provide a direct option to create a Policy Exception. Exceptions are tied to Control Objectives, not individual Controls.
D. From Service Operations Workspace Incorrect. The Service Operations Workspace is focused on ITSM and operational tasks (e.g., incidents, changes), not GRC workflows. It does not support Policy Exception creation.
Question 54 of 60
54. Question
What are the three records that must be configured when integrating with a provider RSS feed? Select 3 answers.
Correct
Read more here: https://servicenow.com/docs/bundle/xanadu-governance-risk-compliance/page/product/grc-rcm/task/set-up-rss-feeds.html
Question 55 of 60
55. Question
What statements are true about Citations? Select 2 answers.
Correct
In ServiceNow GRC (Governance, Risk, and Compliance), a "Citation" typically refers to a record or entry that documents a reference to a specific law, regulation, policy, or standard. Citations are used to associate and track compliance requirements with specific legal or regulatory documents. For example, if a company needs to comply with data privacy regulations, it can create a Citation in ServiceNow GRC that links to the specific articles or sections of those regulations. This allows organizations to manage and demonstrate their compliance with various requirements by associating them with relevant laws or regulations. Citations help organizations maintain transparency and accountability in their compliance efforts by providing a clear link between regulatory requirements and their internal policies and controls.
Question 56 of 60
56. Question
When this property is enabled, it affects the forms of Risk, Entity, and Risk Statement.
Installed with Risk Management: https://servicenow.com/docs/en-US/bundle/xanadu-governance-risk-compliance/page/product/grc-risk/reference/r_InstallWRisk.html
Risk Statement [sn_risk_definition]: extends the Content table [sn_grc_content] and stores definitions of risks.
Question 58 of 60
58. Question
What do you need to fill in when creating a new Entity Filter?
Select 2 answers
Correct
When creating a new Entity Filter, the administrator must provide:
Assignment section: defines who or what the filter applies to, including:
Entity class
Fields related to Owner
Fields section: basic information about the filter, including:
Name
Table
Script (if custom logic is required)
These sections are essential to ensure the filter is properly defined, applied to the correct entities, and can execute its logic effectively. Other sections like Filter conditions or Entity section may provide additional configuration but are not mandatory to create a basic Entity Filter.
Question 59 of 60
59. Question
What will happen when the ‘Valid to‘ date in the Policy is exceeded?
Correct
Nothing
The Policy will go back to the Review state
Overall explanation
Nothing, because additional days (defined in the system property – typically 30 by default) must pass before any action is taken.
Question 60 of 60
60. Question
Which tables are present in the ‘GRC: Profiles‘ application scope? Select 3 answers.