Which option best describes the relationship between a facility and an entity in the GRC model?

In the GRC model, entities are the structural units that can own risks, controls, policies, and risk treatments. Treating a facility as an entity means the facility is a definable unit within the organization that you can assign risk items and controls to, track ownership for, and roll up into higher-level risk views. This enables facility-specific risk assessments and remediation actions just as you would for any other organizational unit. A policy is a rule or guideline, not a unit of governance. A control objective is the intended outcome a control should achieve, not the unit that holds risk or controls. A risk is a potential adverse event or condition, not a location or unit. Since the facility serves as a distinct unit that can own and be assessed for risk and controls, it is described as an entity.