Which of the following best describes the relationship of Risk Statement within the GRC data model?

In ServiceNow GRC, the structure of risk data is extended with pieces that add detail without changing the core record. A Risk Statement is defined as a content extension for risk data, meaning it adds specialized fields and structure to articulate the risk more precisely within the existing risk record. This lets you capture the exact wording of the risk scenario, its potential causes, and its impact in a standardized way, while still linking to the broader risk, related controls, owners, and treatment actions as needed. This is why it's the best fit: a policy is a rule governing behavior, not a descriptive facet of a specific risk. Storing user access rights belongs to access management or identity tooling, not to risk narrative data. A risk treatment plan describes mitigations and actions, whereas the risk statement focuses on the clear articulation of the risk itself and its context, which the content extension supports by extending the risk data model.