Entity Management in BoardX

Understanding entities, entity groups, and entity classes

Written by Harper Tang

Entities are the foundation of your GRC programme in BoardX. Everything you monitor for risk, compliance, and policy — your departments, systems, suppliers, processes — lives here. Before you can attach a risk or control to something in your organisation, it needs to exist as an entity.

This article explains what entities, entity groups, and entity classes are, how they are different, and how they work together.


The three building blocks

BoardX uses three concepts to organise the things you monitor. Understanding the difference between them is the most important thing to get right before you start.


Entity

An entity is one specific thing in your organisation that you want to track — a department, a software application, a supplier, a business process, a physical location. Think of an entity as a record card for that thing.

Examples: Finance department, Xero, your Dublin office, the Procurement process, a key supplier.

Entities are the objects risks and controls get attached to. You cannot create a risk or control in BoardX without linking it to at least one entity.


Entity class

An entity class is a label that tells BoardX what type of thing an entity is.

Every entity must have exactly one entity class. You cannot have an entity without a class.

Think of it like a filing system. If you have 50 entities, the entity class tells you which drawer each one belongs in — Departments in one drawer, Business Applications in another, Suppliers in another. This is what makes reporting and filtering possible.

Examples of entity classes: Department, Business Application, Supplier, Process, Location.

The key rule: One entity = one class. Always.


Entity group

An entity group is a collection of entities that share something in common — they face the same risk, they are covered by the same control, or they need to sign off on the same policy.

Entity groups are how you apply risks, controls, and policies to multiple entities at once, without having to do it one by one.

Examples of entity groups: All Departments, Critical IT Systems, All Employees, Finance Processes.


How entity class and entity group are different — and how they work together

This is the part that confuses most people, so here is a simple way to think about it.

Entity class answers the question: "What type of thing is this?" It is a label on the entity itself. It does not do anything — it just organises and describes.

Entity group answers the question: "Which things are covered by this risk, control, or policy?" It is a list you connect to your GRC activities. It is where the action happens.

Here is a real example. Imagine you have three entities: the Finance department, the HR department, and the IT department.

All three have the entity class "Department" — because that is what type of thing they are.

You then create an entity group called "All Departments" that contains all three. You map this group to a risk called "Operational disruption risk." Now all three departments have that risk attached to them.

Later, you create a second group called "Finance and HR" and map it to a compliance control about data handling. Only Finance and HR get that control — IT does not.

The class did not change. The groups are what determined which risks and controls each entity received.


The three questions to ask before creating an entity group

Before grouping entities together, check whether they share at least one of the following:

  1. The same risk — All company laptops are at risk of data theft. Group them and apply the risk once.

  2. The same control — All company laptops must have antivirus software. Group them and apply the control once.

  3. The same policy — All employees must sign the expense policy. Group them and apply the attestation once.

If entities do not share a risk, control, or policy, they probably do not need to be in the same group.


System defaults — What BoardX creates automatically

Some entities and entity groups are created for you automatically. You do not need to set these up manually.

Users: All users in your BoardX account are automatically converted into entities. Each user entity is assigned one of two default entity classes:

  • Regular user — for standard platform users

  • Employee — for users identified as employees in your organisation

Risk and compliance roles: Any role created in your Risk or Compliance workspace is automatically converted into an entity. The entity name matches the role title, and the entity owner is the person currently assigned to that role. This means your risk owners, compliance managers, and similar roles are always tracked as entities without any manual work.

Committees: All committees set up in BoardX are automatically converted into entity groups. This means you can map risks, controls, or policies to a committee and every member entity within it will be covered.


Setting up your entity framework — recommended order

If you are building your entity framework from scratch, follow this sequence:

  1. Create your entity classes first — decide what types of things you monitor (Department, Application, Supplier, Process, etc.)

  2. Create entity class rules — map your data tables to classes so entities are classified automatically when created

  3. Create entity groups — group similar entities together using filters (e.g. "all entities where parent is Finance")

  4. Create any remaining entities manually — for one-off items that do not fit a group filter

Note: Users, roles, and committees are created automatically — you do not need to include these in your manual setup.


Quick reference

| | Entity | Entity group | Entity class |
|---|---|---|---|
| What it is | One specific thing | A collection of similar things | A type label |
| Purpose | The object risks and controls attach to | Apply GRC activities to many entities at once | Organise and report on entities |
| How many can an entity have? | | Many | Exactly one |
| Required? | Yes | Optional (but recommended) | Yes — mandatory |
| Created automatically? | Users, roles | Committees | Users (Regular user / Employee) |
