Correct:

C. Modify workflow or flow

Modifying the workflow or flow is the appropriate solution to accommodate unique approval requirements such as adding a second approval layer for policies.

ServiceNow workflows and flows are designed to manage approval logic, sequencing, and conditions.

This approach ensures the approval process remains automated, scalable, auditable, and aligned with the policy lifecycle.

Incorrect:

A. Add a UI Action to track who the stakeholders are

A UI Action only provides a button or trigger on the form and does not control or enforce approval processes.

It cannot manage multi-step approval logic or ensure that an approval sequence is followed.

B. Add a new related list to keep track of who has already approved it and who hasn’t approved yet

A related list can store information but does not drive or enforce an approval process.

Approval logic must be governed by a workflow/flow, not by passive data in a related list.

D. Create a new field and create notifications

A field with notifications only informs users, but it does not manage or enforce structured approval requirements.

Notifications cannot replace the process control, sequencing, escalation, and audit capability that workflows or flows provide.

Read more here: https://servicenow.com/docs/en-US/bundle/xanadu-governance-risk-compliance/page/product/grc-policy-and-compliance/concept/user-hierarchy-risk-remed-task.html
The concept of user hierarchy is helpful as it provides more visibility to the users in the hierarchy in tracking its completion when it is assigned to a user in a team. User hierarchy fields are not visible in the Issue or Remediation task form, however internally this feature enables you to restrict access to records based on those users in the hierarchy who can access them.

Correct:

C. Related list ‘Entity Filter‘ on the ‘Entity Type‘ form

The most direct and efficient place to create an Entity Filter is from the Entity Type form.

Each Entity Type can have one or more filters that define which records in the system should be generated as Entities.

Creating the filter here ensures the filter is immediately linked to that specific Entity Type and can be quickly used to generate Entities.

Incorrect:

A. Risk > Scoping > Entity Filters

This navigation path does not exist for creating Entity Filters in the Risk application.

Entity Filters are tied to Entity Types and are not created from the Risk Scoping module.

B. Related list ‘Entity Filter‘ on the ‘Entity Class‘ form

Entity Filters are not created or managed from the Entity Class level.

Entity Class defines a broader classification and is not the location where filters are set for generating Entities.

D. Policy and Compliance > Scoping > Entity Filters

This path is not intended for creating Entity Filters.

Policy and Compliance modules deal with compliance scoping, not Entity creation logic tied to Entity Types.

Annualized loss expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO). Used in Quantitative risk scoring.

Record is removed!

sn_risk_risk.FORM opens a form in a new window/tab

Correct:

B. ComplianceUtils

This script include is responsible for enforcing key compliance rules, including permissions that control who can edit records in specific states, such as the Review state.

It contains logic that can be customized to modify which roles or users are allowed to make changes during the review stage of compliance records.

Administrators use this script include when adjusting editing rules without altering core platform behavior.

Incorrect:

A. AssessmentStrategy

This script include is used to define and extend assessment-related logic, including how assessments are generated or processed.

It does not control edit permissions or behavior for records in the Review state.

C. ComplianceScoreCalculator

This script include calculates compliance scores based on citations, controls, and related evidence.

Its purpose is scoring logic, not permissions or edit control of compliance records.

D. ControlGeneratorStrategy

This script include is used for generating controls from authority documents or citations.

It has no role in determining who can edit a record in the Review state.

Read more here: https://servicenow.com/docs/en-US/bundle/xanadu-governance-risk-compliance/page/product/grc-risk/task/configure-ram.html

Create a risk assessment scheduler and assign it to the risk manager. A risk manager can then identify the entities and the risks within the entities for bulk initiation of risk assessments.
Read more here: https://servicenow.com/docs/bundle/xanadu-governance-risk-compliance/page/product/grc-risk/concept/risk-assessment-scheduler.html

The system dictionary is a table, called Dictionary Entry [sys_dictionary] , that contains details for each table and the definition for every column on each table in an instance. Each row in the system dictionary represents either a table or a column in one of the tables.

Correct:

A. Attestation failure

An attestation is used to confirm ongoing compliance or control effectiveness.

When an attestation fails, it represents a breakdown in compliance, which automatically triggers the creation of an issue.

This ensures that failed attestations are investigated and remediated through the formal issue management process.

C. Indicator result is failed or not passed

Indicators measure control or process performance against defined thresholds.

When an indicator result fails or falls outside acceptable limits, an issue is automatically generated to highlight the failure.

This automation is intended to proactively surface compliance or risk-related deviations without manual intervention.

Incorrect:

B. Control tests have been assigned but not tested

Assigned but untested control activities do not automatically generate issues.

Issues are triggered by actual failures or negative results, not by incomplete task assignments or pending actions.

D. Policy Exception not approved

A policy exception that is not approved does not generate an automatic issue.

Policy exceptions follow an approval workflow, and rejection or non-approval does not serve as a trigger for issue creation.

Correct:

C. Authority documents

External legislations, regulations, and standards such as ISO, HIPAA, GDPR, SOX, and PCI-DSS are stored as Authority Documents within GRC.

These documents define the high-level regulatory requirements that organizations must comply with.

Authority Documents serve as the foundation for mapping citations, control objectives, and controls in the compliance hierarchy.

Incorrect:

A. Control objective

A Control Objective represents a required outcome derived from authority documents or regulatory sources.

It does not store the regulations themselves; it only breaks down regulatory requirements into more actionable expectations.

B. Control

A Control is an internal mechanism or activity designed to meet one or more control objectives.

Controls inherit and map compliance requirements but do not store external regulatory content.

D. Policy

A Policy contains internal organizational rules and guidelines for behavior, processes, or system use.

Policies are created in alignment with authority documents but do not store external regulations.

Correct:

C. Control

The Control table extends the Item table.

Controls represent internal measures implemented to meet compliance or risk requirements, and they inherit common item properties such as ownership, lifecycle states, and related records.

Extending the Item table ensures consistency and reuse of common fields across multiple GRC components.

D. Risk

The Risk table also extends the Item table.

Risks represent potential events or conditions that could negatively impact the organization, and by extending the Item table, they share a common structure with other GRC items.

This extension supports standardized tracking, reporting, and lifecycle handling for risk-related records.

Incorrect:

A. Citation

A Citation does not extend the Item table.

Citations represent specific clauses or requirements sourced from authority documents, and they function as part of the compliance structure rather than as GRC items.

B. Content

Content does not extend the Item table.

It is used for storing related information within GRC, but it does not function as a core GRC item in the way Controls and Risks do, and therefore does not inherit from the Item table.

Correct:

A. Time card

When advanced planning is enabled for an audit plan, Time Cards become available on the engagement.

This allows tracking of effort and time spent by audit resources against the engagement.

It helps audit managers monitor work allocation, time utilization, and overall audit execution effort.

B. Resource plan

A Resource Plan related list is added as part of advanced planning.

It enables resource allocation and planning, allowing assignment and forecasting of audit team members and their availability.

This supports better workload balancing and resource scheduling for the engagement.

C. Cost plan

Cost Plans are also introduced when advanced planning is used.

This feature allows tracking and estimating engagement-related financials, such as labor cost, travel, and other audit expenses.

It supports budgeting and cost transparency as part of audit oversight.

Incorrect:

D. Entities

Entities are not tied to advanced planning.

They may appear based on the engagement scope, but they are not introduced as an additional related list due to advanced planning.

E. Milestones

Milestones may already exist as part of basic planning functionality.

They are not part of the advanced planning feature set and therefore are not added as a result of selecting advanced planning.

The Governance, Risk, and Compliance (GRC) product line requires action from many users who do not have a traditional product role, such as Compliance Reader or Risk Reader. Even the reader roles allow access to the product module, dashboard, reports, and read-only tables.
To improve the internal security of the product, we created a dedicated GRC Business User role (sn_grc.business_user). This role should be assigned to users who require access only to GRC applications to perform tasks assigned to them; for example, a business user who must respond to an attestation or risk assessment. Users with the sn_grc.business_user role are provided limited access to information that is relevant to the tasks assigned to them.
The sn_grc.business_user role is also used for integration scenarios between GRC and other ServiceNow products. For example, a Vulnerability Response user with the sn_grc.business_user role can request a policy exception from GRC: Policy and Compliance Management.
Read more here: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0864247

Read more here about Risk Reponse: https://servicenow.com/docs/bundle/xanadu-governance-risk-compliance/page/product/grc-workspace-risk/concept/risk-response.html

In servicenow quantitative and qualitative are indicated as risk scoring methods, while inherent, residual and calculated as risk scoring types

The Policy acknowledge campaign lifecycle typically starts with creating a new campaign, then moving to the pending acknowledgement stage where users are required to acknowledge the policy. Once all acknowledgements are received, the campaign is closed. If the campaign needs to be canceled for any reason, it can be done after the acknowledgment stage.

Correct:

B. 1 > 2 > 5 > 3 > 4 > 6

The Policy Exception lifecycle follows a structured sequence starting from creation, moving through evaluation, review, approval, and final closure.

The correct order is:

New

Analyze

Review

Awaiting Approval

Approved

Closed

This progression ensures that exceptions are analyzed first, formally reviewed, approved by the necessary authorities, and finally closed once completed.

Incorrect:

A. 1 > 3 > 4 > 2 > 5 > 6

This sequence jumps to approval steps before analysis and review, which breaks the intended lifecycle order.

An exception cannot be approved before being analyzed or reviewed.

C. 1 > 2 > 3 > 4 > 5 > 6

Although this sequence looks structured, it incorrectly places “Review“ at the end after approval.

Review must happen before approval, not after.

D. 1 > 3 > 2 > 4 > 5 > 6

This flow begins with approvals before the necessary analysis stage.

The policy exception must be analyzed and reviewed before entering an approval state.

Correct:

A. Upstream

The Workbench dependency map displays upstream relationships, which show entities that have an impact on or feed into the selected entity.

This helps users understand how failures or issues in one entity can affect other dependent entities earlier in the chain.

C. Downstream

Downstream dependencies are also displayed on the dependency map, showing entities that are impacted by the selected entity.

This provides visibility into the forward impact, enabling better risk analysis, remediation planning, and impact assessments.

Incorrect:

B. Complex

“Complex” is not a dependency type displayed on the dependency map.

Dependency views focus on directional relationships such as upstream and downstream, not abstract classifications.

D. Linear

“Linear” is not a recognized dependency type in GRC Workbench.

Dependencies are mapped based on upstream and downstream relationships, not linear flows.

Item – Risk (sn_risk_risk)
Content – Risk Statement (sn_risk_definiton)
Document – Risk Framework (sn_risk_framework)

Read more here: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0692108

Entities are assigned to control objectives and risk statements, which generate controls and risks for every entity type.
Read more here: https://servicenow.com/docs/en-US/bundle/xanadu-governance-risk-compliance/page/product/grc-common/concept/c_Scoping.html

Correct:

A. System Administrator

A System Administrator has full platform permissions, including the ability to change workflow states on GRC records.

This role can manually transition a control to the Monitor state without restriction.

It is often used for administrative overrides, configuration validation, or troubleshooting.

D. Compliance Manager

A Compliance Manager is responsible for overseeing compliance activities and managing the control lifecycle.

This role has the required permissions to manually move a control into the Monitor state after implementation is complete.

It aligns with their responsibility to ensure controls are ready for continuous monitoring and testing.

Incorrect:

B. Audit User

An Audit User focuses on auditing tasks such as reviews, tests, and findings.

This role does not manage the control lifecycle and cannot manually transition controls into the Monitor state.

C. Compliance Reader

A Compliance Reader has read-only access to compliance records.

This role cannot make lifecycle changes or update control states.

E. Risk User

A Risk User is involved in risk-related activities, not compliance control lifecycle management.

This role does not have permissions to transition controls into the Monitor state.

Correct:

A. Risk Framework

The Risk Framework table extends the Document table.

It stores structured governance content related to how risks are categorized and managed within the organization.

Since frameworks serve as foundational documents, they inherit the characteristics of the Document table, such as versioning and lifecycle management.

Incorrect:

B. Risk

The Risk table does not extend the Document table.

It extends the Item table and represents an operational record used for identifying, assessing, and tracking organizational risks.

C. Risk Statement

Risk Statement does not extend the Document table.

It is used to define standardized risk language and typically relates to the Risk Framework but is not treated as a Document.

D. Risk Attestation

Risk Attestation does not extend the Document table.

It is associated with attestation activities used to validate risk-related information and is not part of the Document extension hierarchy.

Correct:

B. Review

When an attestation phase is completed, controls automatically transition to the Review state.

This state allows compliance managers or control owners to evaluate attestation results, validate effectiveness, and decide on next actions.

Transitioning to Review ensures there is oversight before a control moves forward in its lifecycle.

Incorrect:

A. Retired

Retired is the end-of-life state for a control when it is no longer applicable.

It is not part of the automatic transition from the attestation phase.

C. Monitor

Monitor is the steady-state where controls are actively observed and tested on a recurring basis.

Controls do not move directly to Monitor after attestation; a review is required first.

D. Draft

Draft is the initial state of a control when it is being created or refined.

Controls do not revert to Draft after attestation activities.

E. Attest

Attest is not a lifecycle state for controls; it is an activity or phase.

The attestation phase is completed before controls move to the Review state, not into an “Attest“ state.

Correct:

C. The sum of weights of compliant controls divided by the sum of weights of all controls, multiplied by 100.

A Control Objective’s compliance score is calculated using a weighted formula.

The system evaluates all controls under the control objective, adds up the weights of only the compliant controls, and divides this by the total weight of all associated controls.

The result is then multiplied by 100 to present the score as a percentage.

This ensures that more critical controls (with higher weights) influence the score appropriately.

Incorrect:

A. The sum of weights of compliant controls

This option is incomplete because it ignores the total weight of all controls.

Without dividing by the total weight and converting to a percentage, this does not reflect a true compliance score.

B. The average of all Control compliant scores

Control Objective scores are not calculated using a simple average.

Since weighting is an important factor in compliance scoring, a straight average would produce inaccurate results and is not used in ServiceNow GRC.

D. It is calculated manually by Compliance Manager

Compliance scores are system-calculated, not manually computed.

Although a Compliance Manager may review or act on the score, they do not manually calculate it.

Read more here: https://servicenow.com/docs/bundle/xanadu-governance-risk-compliance/page/product/grc-risk/task/configure-ram.html

Role required: sn_risk_advanced.ara_admin

sn_risk.admin contains the above role

Read more here: https://servicenow.com/docs/bundle/xanadu-governance-risk-compliance/page/product/grc-policy-and-compliance/task/t_ApprovePolicy.html
“When approval is granted, a new version of the knowledge base article is created.“

When the policy moves to the Published state the system automatically generates a Knowledge Base article. The policy becomes a mandate for all users to follow its guidelines and requirements, which is through the controls that are mapped to the policy. In this state, the policy can also be sent Back to Review, Retired, or Deleted.

Read the article: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0859355

Control objective this follow policy life cycle, it has not Active & Inactive status

Risk Statement allows you to configure the risk assessment methodology to be applied to individual risk statements, focusing on assessing risks at a granular level.
Project Risk allows you to configure the risk assessment methodology to be applied to risks associated with specific projects or initiatives.

Correct:

Attestation Responders

In the context of ServiceNow CIS – Risk and Compliance (R&C / GRC / IRM), the individual who should perform the actual task of completing a Control Attestation (certifying that a control is operating effectively) is the Attestation Responder.

This role is specifically designed to receive and act upon the attestation requests generated in the system. They are typically the people who are closest to the control‘s operation, such as a process owner or a team member responsible for the control‘s execution, and can provide accurate evidence and confirmation of its operational status.

Incorrect:

Risk Managers

Risk Managers typically focus on identifying, analyzing, evaluating, and treating risks. While they are central to the overall GRC process, their primary role is not to perform the hands-on Control Attestation. They rely on the results of attestations and testing to inform their risk management decisions.

Control Admins

The Control Admin role in ServiceNow is generally responsible for the administration and configuration of the controls within the system. This includes creating controls, assigning owners, and managing the attestation process itself (e.g., configuring attestation schedules or templates). They manage how the attestation is done, but they usually don‘t perform the attestation task itself.

Control Owner

The Control Owner is the individual accountable for the design and effective operation of the control. While they have ultimate responsibility, they often delegate the actual task of completing the attestation request (providing the evidence and answering questions) to a specific Attestation Responder who is better positioned to gather the current, necessary details. The Control Owner reviews and is responsible for the overall outcome, but the person who performs the attestation is the Responder.

Citation
[sn_compliance_citation]
Extends the Content [sn_grc_content] table and stores all citations.
Control objective
[sn_compliance_policy_statement]
Extends the Content [sn_grc_content] table and stores all control objectives

Correct:

Risk and compliance experts

These are the domain specialists. They provide the necessary knowledge on regulatory requirements, internal policies, risk frameworks, and control objectives. Their expertise is crucial for configuring the GRC applications to accurately reflect the organization‘s governance, risk, and compliance landscape. They define what needs to be managed.

Board of directors

The Board of Directors (or an equivalent Executive Leadership/Steering Committee) must be directly involved to provide executive sponsorship and strategic direction. Their involvement is essential to ensure the GRC implementation is aligned with the overall business strategy, receives the necessary funding/resources, and fosters a culture of risk-aware decision-making across the enterprise. Governance starts at the top.

CMDB process owner

ServiceNow‘s GRC application often leverages data from the Configuration Management Database (CMDB), which stores information about the organization‘s IT assets and services (Entities). The CMDB process owner ensures the data used for risk and compliance assessments (like linking risks to servers or applications) is accurate, reliable, and properly integrated into the GRC solution. This integration is critical for Continuous Monitoring.

Incorrect:

HR analysts

While HR data may be used by GRC (e.g., for aligning risk ownership or access rights), HR analysts are typically not part of the core implementation team. Their role is supportive and peripheral, not directly involved in the technical configuration or the definition of the risk/compliance framework.

ServiceNow platform experts

This term is generally too broad. While a ServiceNow developer team or Solution Architect is absolutely necessary for the technical implementation, the exam content typically highlights the business-facing roles and high-level sponsors. The platform experts are the implementers of the solution, but they are driven by the requirements set by the Risk, Compliance, and Executive stakeholders. In this context, the more specific, domain-focused roles (A, C, and E) are the intended answers.

Chief Executive

The Chief Executive Officer (CEO) is the ultimate authority, but they typically delegate the direct involvement, strategic oversight, and day-to-day governance to the Board of Directors and other senior executives (like the Chief Risk Officer or Chief Compliance Officer). While the CEO is the ultimate sponsor, the Board is the body most directly involved in GRC strategy and oversight as a stakeholder.

Correct:

sn_grc.manager

This is one of the two core roles required for the Audit Manager. The sn_grc.manager role grants broad access to core Governance, Risk, and Compliance features within the ServiceNow platform. This role allows the Audit Manager to view, manage, and report on the entities, policies, and risks that form the basis of the audit process. It is essential for an integrated view across the GRC landscape, which is fundamental to the IRM approach.

sn_audit.user

This is the primary role specific to the Audit Management application. It grants the necessary permissions for the user to perform the day-to-day functions of an Audit Manager, such as:

Creating and managing audit engagements.

Defining the audit scope and tasks.

Managing resources and schedules.

Tracking issues and remediation efforts resulting from the audit.

The combination of sn_grc.manager and sn_audit.user provides the full functional access needed to manage and execute audits within the GRC framework.

Incorrect:

sn_grc.reader

This role only grants read-only access to GRC data. While the Audit Manager needs to read data, this role would prevent them from creating, updating, or managing audit engagements and other tasks, making it insufficient for performing the full audit process.

sn_grc.developer

This is not a standard, out-of-the-box GRC role. Development tasks (like customizing workflows or scripts) are typically handled by a general platform administrator or developer, not by a functional role like the Audit Manager.

sn_grc.user

The sn_grc.user role grants basic operational access, such as completing attestations or viewing assigned tasks. This is typically assigned to general employees or control/risk owners. It does not have the elevated permissions or management capabilities required to oversee and manage the entire GRC program or the full Audit Management lifecycle, which the Audit Manager requires.

Correct:
• Content
? The Citation table is a child table of the Content table (sn_grc_content).
? In the ServiceNow GRC/IRM data model, the Content table serves as a central hub for various GRC components, including Authority Documents, Citations, and Policies. This parent-child relationship signifies that a Citation is considered a type of GRC content.

Incorrect:
Incorrect:
• Authority Document
? The Citation table is directly related to the Authority Document table (sn_grc_document) but is not a child of it. An Authority Document contains multiple Citations, establishing a one-to-many relationship, but the relationship in the database hierarchy is Citation $\rightarrow$ Content and Authority Document $\rightarrow$ Content.
• Item
? Item is a generic term and is not the correct specific parent table. The core GRC tables, like Citation, do not inherit directly from a table named “Item.“
• Document
? While the Authority Document table (sn_grc_document) is a critical GRC table (and a child of Content), the Citation table is a sibling of the Authority Document table under the common parent of Content, not a child of a generic “Document“ table. The correct parent is the more encompassing Content table.

A record producer is a specific type of catalog item that allows end users to create task-based records, such as incident records, from the service catalog. Use record producers to provide a better end-user experience instead of using the regular task-based form for creating records.

Controls are automatically generated when you associate a policy with an entity type or an entity type with a control objective. A control is created for each entity listed in the entity type for the control objective. Controls can also be manually created.

Correct:

A. Risk Framework, Policy, Authority, Document

These tables extend the Document table within ServiceNow GRC.

They represent governance and compliance documents such as frameworks, organizational policies, and external regulatory or authority documents.

By extending the Document table, they inherit common document attributes such as lifecycle state, versioning, ownership, and related records.

This extension supports a unified structure for managing compliance documentation in the platform.

Incorrect:

B. Risk Statement, Control Objective, Citation

These tables do not extend the Document table.

Risk Statement is used for defining risks but is part of the risk structure and not the document hierarchy.

Control Objective represents required outcomes from authority documents, but it has its own structure and does not extend the Document table.

Citation is used for mapping and referencing but does not extend the Document table.

C. Risk, Control

These tables belong to the core risk and control management process but are not part of the document model.

Risk is focused on risk identification, assessment, and scoring.

Control is related to mitigation activities and continuous monitoring.

Neither of these inherits from the Document table, as they serve operational risk and control functions rather than document governance.

D. Control Objective, Citation

These tables support compliance mapping and requirements, but they are not document-based tables.

Control Objective outlines compliance expectations derived from authoritative sources.

Citation is used to connect controls and policies with authority documents.

Both play key roles within compliance, but they do not extend the Document table.

Audit observations are the results of an audit. As an important part of the audit report, audit observations represent the results of reviews, analysis, interviews, and discussions.

Task, asset and document are not GRC tables.

Risk Framework extends sn_grc_document
Risk Statement extends sn_grc_content
Risk extends sn_grc_item

Correct:

A. Risk Developer

This role does not exist in ServiceNow GRC.

ServiceNow provides various GRC roles aligned to governance, risk, compliance, and audit activities, but there is no out-of-the-box role named Risk Developer.

Development or configuration work for GRC is typically handled by roles such as admin or custom roles created by organizations, not a predefined “Risk Developer” role.

Incorrect:

B. Risk Manager

This is a valid GRC role provided by ServiceNow.

It is designed for individuals responsible for managing risks, overseeing risk processes, and tracking remediation activities.

The role grants capabilities such as reviewing risks, approving assessments, and monitoring overall risk posture.

C. Risk Reader

This is a legitimate GRC role.

It provides read-only access to risk-related records and dashboards.

It is typically used by stakeholders or business users who need visibility into risks without performing updates.

D. Risk User

This role is part of the standard GRC role set.

It grants permissions to perform general risk-related tasks such as submitting risks, completing assigned activities, and participating in risk assessments.

It is commonly assigned to operational users involved in day-to-day risk handling.

The verification rule is used to verify the accuracy and completeness of a policy exception request prior to sending it out for approvals. You can define multiple levels of approvers for an application.
Approval rules define the criteria (risk rating, policy or control objective) that is used for sending approval requests for an exception. Rules can be configured for an application and you can identify multiple levels of approvers, as needed.

When you migrate to advanced risk assessment, individual risk score values do not roll up to give you the risk score. Instead, the values from advanced risk assessment are considered. For example, for an entity, in the Entity form, the Risk Rollup and Tolerance section is not displayed. The same applies to any risk statement. Instead, a related list called Aggregated Risk is displayed.

Controls are specific implementations of a policy statement. Retired controls do not appear in the list.
Controls inherit the Type, Category, and Classification from the policy statement. Controls are generated from the profile types that are assigned to a policy statement.
Continuous monitoring involves activities related to identifying and creating key risk and controls indicators. Supporting information can be collected for those indicators through automatic data collection or manual tasks. Indicator results are then used to create issues for controls, update risk scores, and provide supporting information for audit activities and control testing.
These are part of Policy and Compliance Management

Read more here: https://servicenow.com/docs/en-US/bundle/xanadu-governance-risk-compliance/page/product/grc-workspace-risk/task/schedule-risk-assessment-workspace.html

This is a definition from docs: https://servicenow.com/docs/en-US/bundle/xanadu-governance-risk-compliance/page/product/grc-common/concept/grc-workbench.html

Entity class is not assigned to the Control Objective or Policies (the Entity type is)
Entity classes are used to add conceptual information about an entity. Entity classes represent a collection of entities that have the same attributes such as Department, Business Unit, or Business Service. You can gather data about an entity based on its entity class.

Read more here about calculation of compliance score: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0716583

Correct:

B. SLAs

SLAs are used in GRC to monitor the progress and timeliness of specific tasks.

They help track whether a task is progressing within the expected timeframe by measuring response and resolution times.

SLAs can trigger escalation, send alerts, or change task states when breached, making them ideal for monitoring task progress.

Incorrect:

A. Notifications

Notifications are used for informing users about events, updates, or changes in record status.

They do not monitor task progress; they only communicate updates through email or other channels.

C. Flow Designer

Flow Designer is a tool used to automate processes and actions.

It focuses on orchestrating tasks and system actions, not on tracking task progress or performance.

D. Workflow Editor

Workflow Editor is used to design and automate record lifecycle processes.

It defines how tasks move through different states, but it does not provide SLA-based task progress monitoring.

Read more here:

https://docs.servicenow.com/en-US/bundle/xanadu-governance-risk-compliance/page/product/grc-common/concept/confidential-records.html

Risk Framework and Policy extends Document table [sn_grc_document]
Risk Statement extends Content table [sn_grc_content]
Read more:
https://servicenow.com/docs/en-US/bundle/xanadu-governance-risk-compliance/page/product/grc-risk/reference/r_InstallWRisk.html
https://servicenow.com/docs/bundle/xanadu-governance-risk-compliance/page/product/grc-policy-and-compliance/reference/r_InstallWPolAndCompl.html

Correct:

A. Click UI Action: ‘Update Entities from Filter‘

When an Entity Filter is created, the fastest way to generate the corresponding Entities is by using the Update Entities from Filter UI action.

This action immediately evaluates the filter conditions and creates or updates Entities based on the matching records.

It is designed for on-demand generation, especially useful during configuration or testing.

Incorrect:

B. Nothing, Entities should be created automatically

Entities are not created automatically just by defining a filter.

The platform requires an explicit action such as running the UI action or a scheduled job to generate or update Entity records.

C. Execute the scheduled job: ‘GRC: Profile Generation‘

This job is used for generating Profiles, not Entities.

It processes profile types and creates profiles from indicators, controls, risks, and other profile sources, making it unrelated to entity generation.

D. Execute the fix script: ‘Create/Update Entities‘

There is no standard fix script with this name for Entity Filter processing.

Fix scripts are not the recommended or typical method for creating Entities and are not part of the standard GRC Entity lifecycle process.

Entity Type + Control objective > Entity + Control

True
• The statement is True. In ServiceNow GRC/IRM, Control Objectives are explicitly related to Citations. This relationship is a Many-to-Many ($\text{M2M}$) relationship.
• The system uses this connection to establish the foundation of compliance: a Citation (a specific requirement or paragraph from a regulation/standard) is mapped to one or more Control Objectives (high-level statements defining what is needed to satisfy a requirement).
• This mapping is crucial for harmonization, allowing a single Control Objective (e.g., “Implement a strong password policy“) to demonstrate compliance for requirements found in multiple Citations (e.g., a HIPAA citation, a GDPR citation, and a PCI DSS citation). The relationship table for this mapping is sn_compliance_m2m_statement_citation.

Correct:

C. Control

Entity Type can be associated with multiple Controls, and each Control can apply to multiple Entity Types.

This many-to-many relationship helps define which controls are relevant for specific types of entities within the organization.

It supports scalable control applicability across different business units, locations, applications, or processes.

D. Risk

Entity Type also has a many-to-many relationship with Risks.

A single Entity Type can be exposed to multiple Risks, and a single Risk can apply to multiple Entity Types.

This relationship allows risk applicability to be inherited or assigned efficiently when performing risk assessments across multiple entities.

Incorrect:

A. Risk Statement

Risk Statements do not have a many-to-many relationship with Entity Type.

Risk Statements are used to define risk conditions and are linked through the risk framework, not directly through Entity Types.

B. Policy

Policies do not maintain a many-to-many relationship with Entity Types.

Policies are mapped through authority documents, controls, and compliance elements rather than through the Entity Type table.

Read more here: https://servicenow.com/docs/en-US/bundle/xanadu-governance-risk-compliance/page/product/grc-risk/concept/qual-vs-quant.html