IBM OpenPages GRC Platform Version 7.1.0 Modules Guide IBM


Page 1: IBM OpenPages GRC Platform Version 7.1.0: Modules Guide (public.dhe.ibm.com/.../en/7.1.0/op_grc_modules.pdf)

IBM OpenPages GRC Platform Version 7.1.0

Modules Guide

IBM

Note: Before using this information and the product it supports, read the information in “Notices” on page 83.

Product Information

This document applies to IBM OpenPages GRC Platform Version 7.1.0 and may also apply to subsequent releases.

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2015.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Introduction . . . v
Object type licensing . . . v
OpenPages Financial Controls Management . . . v
OpenPages Operational Risk Management . . . vi
Algo Risk Content on Cloud . . . vii
OpenPages Policy and Compliance Management . . . vii
OpenPages IT Governance . . . viii
OpenPages Internal Audit Management . . . ix
Issue Management and Remediation . . . ix
Key Risk Indicators and Key Performance Indicators (KRIs and KPIs) . . . xi

Chapter 1. What's new? . . . 1
New features in version 7.1.0 . . . 1
New features in version 7.0.0 . . . 1

Chapter 2. Object types . . . 3
Object name mapping . . . 5
Object type descriptions . . . 8
Subcomponents . . . 21

Chapter 3. Computed fields . . . 25

Chapter 4. Helpers . . . 29
Scenario Completion helper . . . 30
KRI Value Creation utility . . . 30
KPI Value Creation utility . . . 30
RCSA Completion helper . . . 31
RCSA Process Alignment helper . . . 31
RCSA Launch Utility helper . . . 32
RCSA Site Sync helper . . . 32
Policy Viewers . . . 32
Compare Policy View helper . . . 33
Policy Unlock helper . . . 33
Publishing Batch Notification helper . . . 34
Policy Awareness View helper . . . 34
Attestation Creation Report helper . . . 35
Get Baselines helper . . . 35
Create Resource Links helper . . . 35
Close Audit helper . . . 35
Add or Modify Plans helper . . . 35
Timesheet Entry Report helper . . . 36
Administrator Timesheet Entry Report helper . . . 36

Chapter 5. Notifications . . . 37
Issue and Action Bulletin notification . . . 37
KPI Reminder notification . . . 38
KPI Breach notification . . . 38
KRI Reminder notification . . . 38
KRI Breach notification . . . 38

Chapter 6. Reports . . . 39
Risk assessment reports . . . 42
Risk reports . . . 42
Control reports . . . 43

iii

Testing reports . . . 43
Visualization reports . . . 44
Indicator reports . . . 44
Loss Event reports . . . 44
Issue Management and Remediation reports . . . 45
Scenario Analysis reports . . . 45
Capital modeling reports . . . 45
Regulatory Compliance reports . . . 46
IT Asset reports . . . 46
IT Compliance reports . . . 47
Audit Management reports . . . 48

Chapter 7. Triggers . . . 51
Object types that contain triggers . . . 51
Issue Management and Remediation triggers . . . 52
   Issue Lifecycle trigger . . . 53
Risk and Control Self-assessments triggers . . . 53
Visualization triggers . . . 54
KRI and KPI Lifecycle triggers . . . 54
Loss Event Lifecycle triggers . . . 54
   Loss Event Computation trigger . . . 55
   Loss Event Approval Submission trigger . . . 55
   Loss Event Approval trigger . . . 55
Policy Import trigger . . . 55
Policy Lock trigger . . . 56
Audit Risk Rating Computations trigger . . . 57
Audit Close Automation trigger . . . 57

Chapter 8. Profiles . . . 59
OpenPages FCM Master profile . . . 59
OpenPages ORM Master profile . . . 59
ORM Operational Risk Team profile . . . 60
ORM Business User profile . . . 60
ORM Simplified User profile . . . 61
OpenPages FIRST Loss profile . . . 61
OpenPages PCM Master profile . . . 62
OpenPages ITG Master profile . . . 62
OpenPages IAM Master profile . . . 62
Home page filtered lists . . . 63
Activity views . . . 67
Grid views . . . 73

Chapter 9. Role templates . . . 75
Role template permissions . . . 75
Object type permissions assigned by role templates . . . 75

Notices . . . 83

Index . . . 87


Introduction

IBM® OpenPages® GRC Platform contains solutions such as IBM OpenPages Financial Controls Management and IBM OpenPages Operational Risk Management.

Audience

The IBM® OpenPages® GRC Platform Solutions Guide is intended for users who need to use the solutions that are provided with OpenPages GRC Platform. The content describes the object types for each solution. It also identifies subcomponents, computed fields, helpers, notifications, reports, triggers, profiles, and role templates that are supported by each solution.

Finding information

To find product documentation on the web, including all translated documentation, access IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter).

Accessibility features

Accessibility features help users who have a physical disability, such as restricted mobility or limited vision, to use information technology products. OpenPages GRC Platform documentation has accessibility features. PDF documents are supplemental and include no added accessibility features.

Forward-looking statements

This documentation describes the current functionality of the product. References to items that are not currently available may be included. No implication of any future availability should be inferred. Any such references are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of features or functionality remain at the sole discretion of IBM.

Object type licensing

You are licensed to use the object types for each IBM OpenPages GRC Platform solution that you have purchased.

For a full list of object types provided with each solution, see Chapter 2, “Object types,” on page 3. Use of any other object types is prohibited without prior written approval from IBM.

OpenPages Financial Controls Management

IBM OpenPages Financial Controls Management reduces the time and resource costs that are associated with ongoing compliance for financial reporting regulations.

IBM OpenPages Financial Controls Management combines powerful document and process management with rich interactive reporting capabilities in a flexible, adaptable, easy-to-use environment. This feature provides CEOs, CFOs, managers, independent auditors, and audit committees the ability to perform all activities for complying with financial reporting regulations in a simple and efficient manner.

It allows users to easily see the status of their financial controls documentation project, and provides a secure repository for the storage of their internal controls documentation.

Key features include:
• A Financial Controls Management Repository, which logically presents processes, risks and controls in many-to-many and shared relationships at multiple levels, and enables file attachment capability and action plans for processes, risks, controls, and tests at all levels.
• Flexible automation, which provides notification and completion of financial controls management activities, such as design review, operating review, and certification.
• Reporting, monitoring, and analytics.

For more information, see the OpenPages GRC Platform FCM Solution Details document.

OpenPages Operational Risk Management

IBM OpenPages Operational Risk Management combines document and process management with a monitoring and decision support system. IBM OpenPages Operational Risk Management enables organizations to analyze, manage, and mitigate risk in a simple and efficient manner.

IBM OpenPages Operational Risk Management helps automate the process of measuring and monitoring operational risk. It combines all risk data, including risk and control self assessments, loss events, scenario analysis, external losses, and key risk indicators (KRI), into a single integrated solution.

IBM OpenPages Operational Risk Management includes the following key features:
• Loss Events to track, assess, and manage internal and external events that might result in operational loss.
• Risk and Control Self Assessments (RCSA) to identify, measure, and mitigate risk.
• Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), which can track performance metrics to potentially show the presence or state of a risk condition or trend.
• Scenario Analysis, which is an assessment technique that is used to identify and measure specific kinds of risks, in particular, low frequency, high-severity events.
• External Loss Events to import loss data from IBM Algo Risk® Content on Cloud, ORX, and ORIC loss databases.
• Issue Management and Remediation (IMR).
• Capital Modeling, which provides the ability to store capital modeling information in OpenPages. The Capital Modeling feature in IBM OpenPages GRC Platform provides seamless integration with the IBM OpenPages Capital Modeling application.
• Reporting, monitoring, and analytics.

For more information, see the OpenPages GRC Platform ORM Solution Details document.

Algo Risk Content on Cloud

The IBM Algo Risk Content on Cloud database is a collection of external, public operational risk loss events in the form of risk case studies.

Algo Risk Content on Cloud events are targeted at the financial sector and contain over 20 years of events, which have been indexed to 13 keyword hierarchies, including Basel category and business line. Other hierarchies include control factor, event trigger, business unit type, and entity type. Algo Risk Content on Cloud cases include detailed descriptions that break down the event to analyze root cause, identify control breakdowns, lessons learned, management response and aftermath of the event. Events can also include sections with supporting detail that provide a timeline for the event, relevant information about the institution that it happened to, or other detail about loss impacts.

Most events in Algo Risk Content on Cloud capture quantitative information as well as detailed qualitative analysis. This quantitative information takes the form of loss amounts that are captured at the time of the event.

Algo Risk Content on Cloud offers a subscription to a data add-on refreshed daily with the Algo Risk Content on Cloud database in a format that is compatible with the FastMap feature. IBM OpenPages GRC Platform customers can use the Algo Risk Content on Cloud FastMap data add-on to provide end users with access to Algo Risk Content on Cloud case studies within the OpenPages GRC Platform application. After the data is loaded into OpenPages GRC Platform, end users can browse and associate Algo Risk Content on Cloud case studies to objects like Scenario Analyses, Risks, and Loss Events. Consult your IBM account representative for details on obtaining the Algo Risk Content on Cloud data add-on for OpenPages GRC Platform.

If you subscribe to the Algo Risk Content on Cloud database service, Algo Risk Content on Cloud provides a compatible FastMap file for a seamless load of Algo Risk Content on Cloud data to IBM OpenPages Operational Risk Management.

By default, IBM OpenPages Operational Risk Management includes the OpenPages FIRST Loss profile. Users with this profile can load FIRST Loss data through the IBM OpenPages FastMap feature. For more information about this profile, see “OpenPages FIRST Loss profile” on page 61.

OpenPages Policy and Compliance Management

IBM OpenPages Policy and Compliance Management is an enterprise compliance management software solution that reduces the cost, complexity, and cumbersome nature of compliance with multiple regulatory mandates and corporate policies.

IBM OpenPages Policy and Compliance Management allows companies to manage and monitor compliance activities through a full set of integrated functionality including:
• Regulatory Libraries and Change Management
• Risk and Control Assessments
• Policy Management, including Policy Creation, Review & Approval and Policy Awareness
• Control Testing and Issue Remediation
• Regulator Interaction Management
• Incident Tracking
• Key Performance Indicators
• Reporting, monitoring, and analytics

Within IBM OpenPages Policy and Compliance Management, IBM OpenPages GRC Platform supports three approaches:

Datacentric
Policy attributes are stored as metadata in the Policy object. Policy and Procedure content is created, stored, edited, and reviewed in Policy Viewers. Red-lined track changes within draft iterations are not supported.

Docucentric
Policy attributes are stored as metadata in the Policy object. Policy and Procedure content is created outside of OpenPages GRC Platform and the entire document is attached to the Policy Object. Policy and Procedure content is never imported nor stored in OpenPages GRC Platform.

Hybrid
Policy attributes are stored as metadata in the Policy object. Policy and Procedure content is created and edited in Microsoft Word documents, then imported and stored in OpenPages GRC Platform. The Track Changes functionality available in Microsoft Word is used for tracking red-line changes within draft iterations.

For more information, see the OpenPages GRC Platform PCM Solution Details document.

OpenPages IT Governance

IBM OpenPages IT Governance aligns IT services, risks, and policies with corporate business initiatives, strategy, and operational standards.

IBM OpenPages IT Governance allows you to manage internal IT control and risk according to the business processes they support. In addition, it unites multiple silos of IT risk and compliance to deliver improved visibility, better decision support, and ultimately enhanced corporate performance.

Key features include:
• IT Regulatory and Policy Compliance
• Risk and Control Assessments
• Control Testing and Issue Remediation
• IT Resource Management
• Incident Tracking
• Key Performance and Key Risk Indicators
• Reporting, monitoring, and analytics

For more information, see the OpenPages GRC Platform ITG Solution Details document.

OpenPages Internal Audit Management

IBM OpenPages Internal Audit Management provides internal auditors with a uniquely configured view into organizational governance, risk, and compliance (GRC), affording audit the chance to supplement and coexist with broader risk and compliance management activities.

IBM OpenPages Internal Audit Management is completely integrated with financial controls management, IT governance, policy and compliance efforts and operational risk management programs. The internal audit team has the capability to work as a fully integrated partner to business stakeholders, completely independently, or anywhere in between, as determined by the specific needs of the audit department or a particular audit being undertaken.

Key features include:
• The capability to risk rank the audit universe, configured according to your audit methodology
   – Powerful support for your risk assessment methodology.
   – Full reporting across the entire audit universe.
• The ability to define, plan, execute, and report on audits across your business
   – Track and manage audits, audit sections, workpapers, and audit resource requirements and allocations.
   – Automate operations through fully configurable reporting and workflow.
• The ability to provide independent assurance to the business or work as an integrated part of GRC efforts
   – Opine on management's GRC efforts independently.
   – Control access to confidential audits, fields, and audit-only views.

For more information, see the OpenPages GRC Platform IAM Solution Details document.

Issue Management and Remediation

The Issue Management and Remediation (IMR) process is an essential component to any risk management program. A sound IMR framework provides awareness, validation, and transparency to the risk management program that it supports.

When successfully implemented, it provides high value with minimal overhead and serves as the underlying stimulus for the continuous improvement of a risk management program. An effective IMR framework effectively documents, monitors, remediates, and audits identified issues.

Issues are events that negatively affect the ability to accurately manage and report risk. The issues are identified against the documented IMR framework. Issues can be associated with objects within the framework and commonly have attributes, such as ownership, scheduling, or remediation status that identify the area of focus. An issue can be associated with multiple parents. For example, if an issue is discovered through a loss event, the issue can be associated with the loss event, the risk that occurred, and any failing controls that are documented.

The IMR process operates in the following key activities:
1. Issue Creation and Assignment
2. Action Creation and Assignment
3. Remediation Performance
4. Issue Closedown
5. Reporting

Issue Creation and Assignment

Issues arise as a result of various risk management activities, such as a loss event, KRI threshold breach, or control weakness identification. Throughout these activities, users can create an issue within IBM OpenPages GRC Platform.

Issues are added through the standard user interface; they are not created automatically as a result of a causal factor.

At creation, the issue status is set to open. The creator must enter a value in the current due date field. The first time that you save an issue, the current due date is copied to a read-only field that contains the original due date. When an issue is created, the issue owner (who cannot be the creator) is notified by email.

Action Creation and Assignment

It is the responsibility of the issue owner to establish and record the appropriate actions to resolve the identified issue. Actions are created manually through the standard user interface. The following data is captured on an action item: description, assignee, start date, due date, actual closure date, status (read-only) and comments.

Action assignees are notified that they must complete an action through My Open Action Items or by email.

Remediation Performance

After being notified, the assignee completes the assigned action. Some actions can take time to complete, so the assignee uses the Comment field to track progress.

When the action is complete, the assignee sets the Submit for Closure field to Yes, which copies the issue owner field from the parent issue to the action and sets the action status to Awaiting Approval.

The change of status takes the action to the issue owner's homepage for review and approval.

Issue Closedown

The issue owner accesses a list of actions to approve for closure from the home page or from an email.

If the action is rejected and saved, the status reverts to open and the action returns to the action assignee. If the action is accepted for closure and saved, the action status changes to closed and the field Closure date is populated with the current date.

When actions are completed, the issue owner reviews the issue and updates the status to Closed.

Reporting

A selection of issue and action reports is available to all users. In addition, all email notifications are included in a consolidated issue and action bulletin to users, including the following information:
• Issues assigned to the recipient in the past X days.
• Actions assigned to the recipient in the past X days.
• Issues due for closure in the next X days.
• Actions due for closure in the next X days.
• Overdue issues.
• Overdue actions.
• Actions awaiting closure approval.

For more information, see the OpenPages GRC Platform Solutions Issue Management and Remediation Details document.
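The five IMR activities above describe a small state machine with two rules worth checking in code: the issue owner can never be the creator, and the original due date is a read-only copy taken on the first save. The following is an added example, not IBM's code and not the OpenPages API; it models those rules, the action transitions (Submit for Closure copies the issue owner onto the action and moves it to Awaiting Approval; rejection returns it to Open; acceptance closes it and stamps the closure date) and three of the bulletin sections. Class names, the hypothetical users "analyst", "riskmgr" and "admin", the dates, and the sample issue are all constructed for this illustration.

```python
# Added example, not IBM's code: a small model of the IMR life cycle. Field
# names follow the guide; classes, dates and sample records are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


class WorkflowError(Exception):
    """Raised when a transition breaks a rule stated in the guide."""


@dataclass
class Issue:
    name: str
    creator: str
    owner: str
    current_due_date: date
    status: str = "Open"
    original_due_date: Optional[date] = None  # read-only copy taken on first save
    actions: List["Action"] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The issue owner cannot be the creator (separation of duties).
        if self.owner == self.creator:
            raise WorkflowError("issue owner cannot be the creator")

    def save(self) -> None:
        # The first save copies the current due date into the original due
        # date; later reschedules change only the current due date.
        if self.original_due_date is None:
            self.original_due_date = self.current_due_date


@dataclass
class Action:
    issue: Issue
    description: str
    assignee: str
    start_date: date
    due_date: date
    status: str = "Open"               # read-only to users; set by transitions
    issue_owner: Optional[str] = None
    closure_date: Optional[date] = None

    def submit_for_closure(self) -> None:
        # Submit for Closure = Yes: copy the parent issue's owner onto the
        # action and move it to Awaiting Approval for that owner's review.
        self.issue_owner = self.issue.owner
        self.status = "Awaiting Approval"

    def review(self, reviewer: str, accept: bool, today: date) -> None:
        if self.status != "Awaiting Approval":
            raise WorkflowError("action is not awaiting approval")
        if reviewer != self.issue_owner:
            raise WorkflowError("only the issue owner may approve closure")
        if accept:
            self.status = "Closed"
            self.closure_date = today
        else:
            self.status = "Open"       # rejected: returns to the assignee


def close_issue(issue: Issue) -> None:
    # The owner closes the issue once every action on it is closed.
    if any(a.status != "Closed" for a in issue.actions):
        raise WorkflowError("open actions remain")
    issue.status = "Closed"


def bulletin(issues: List[Issue], recipient: str, today: date) -> dict:
    """Three of the bulletin sections listed above, for one recipient."""
    actions = [a for i in issues for a in i.actions]
    return {
        "overdue_issues": [i.name for i in issues if i.owner == recipient
                           and i.status != "Closed" and i.current_due_date < today],
        "overdue_actions": [a.description for a in actions if a.assignee == recipient
                            and a.status == "Open" and a.due_date < today],
        "awaiting_approval": [a.description for a in actions
                              if a.issue_owner == recipient
                              and a.status == "Awaiting Approval"],
    }


def demo() -> dict:
    """Walk one constructed issue through creation, action, rejection, closure."""
    today = date(2020, 8, 2)
    issue = Issue("Unreviewed access list", creator="analyst", owner="riskmgr",
                  current_due_date=today + timedelta(days=30))
    issue.save()
    issue.current_due_date = today + timedelta(days=45)   # reschedule
    issue.save()                                           # original date is kept
    act = Action(issue, "Recertify privileged accounts", assignee="admin",
                 start_date=today - timedelta(days=5), due_date=today - timedelta(days=1))
    issue.actions.append(act)
    act.submit_for_closure()
    act.review("riskmgr", accept=False, today=today)       # sent back once
    overdue = bulletin([issue], "admin", today)["overdue_actions"]
    act.submit_for_closure()
    pending = bulletin([issue], "riskmgr", today)["awaiting_approval"]
    act.review("riskmgr", accept=True, today=today)
    close_issue(issue)
    return {"original_due": issue.original_due_date.isoformat(),
            "current_due": issue.current_due_date.isoformat(),
            "overdue_for_assignee": overdue, "pending_for_owner": pending,
            "closure_date": act.closure_date.isoformat(),
            "issue_status": issue.status, "closure_date_obj": act.closure_date}
```

Running `demo()` shows the rejected action reappearing as overdue for the assignee, then as awaiting approval for the owner, and the original due date (2020-09-01) surviving the reschedule to 2020-09-16. Enforcing the owner-is-not-creator and owner-only-approves rules in the transition code, rather than in the user interface alone, is what makes the audit trail trustworthy.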

Key Risk Indicators and Key Performance Indicators (KRIs and KPIs)

Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) are available to the following solutions: IBM OpenPages Operational Risk Management, IBM OpenPages Policy and Compliance Management, and IBM OpenPages IT Governance.

The main stages within the Key Indicator life cycle are definition, value creation, value capture, and reporting. The following automation is provided in these stages for both KRIs and for KPIs in support of a metrics management program:

Indicator Definition
Indicators can be created from scratch or can be created based on standard indicators in an indicator library.

Value Creation
KRI and KPI Value objects are created automatically by the Value Creation utility, which is normally run on a scheduled basis. The value creation utility can be run by an administrator if the automatic scheduled job fails to run.

Value Capture
Notifications that a value needs to be entered are automatically sent to the value Collector of Active indicators which are close to their collection date, through Home Page filtered lists and email. When the value has been entered and saved, KRI or KPI triggers calculate Breach and other status values, persist them on the value and on the indicator, and send notifications to the Risk owner if the Breach Status moves from Green or Amber to Red.

Indicator Reporting
KRI and KPI dashboard reports display summary indicator information for the selected Business Entity and its descendants, with the ability to drill-through to detail and trend information for the indicator values.

For more information about the KRI and KPI triggers, see the OpenPages GRC Platform Solutions Metrics Details document. For more information about the KRI and KPI Dashboard reports, see the OpenPages GRC Platform Solutions Report Details document.
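The Value Capture stage states two precise rules: collectors of Active indicators are reminded as the collection date approaches, and the breach trigger notifies the Risk owner only when the Breach Status moves from Green or Amber to Red (so a Red value following a Red value raises nothing). The following is an added example, not IBM's code and not the OpenPages trigger implementation; it applies both rules to one constructed KRI. The thresholds, the "higher is worse" direction, the three-day reminder lead time, the users "riskmgr" and "soc-lead", and the monthly series are all assumptions made for the illustration.

```python
# Added example, not IBM's code: the Value Capture rules for one KRI.
# Thresholds, direction, lead time and sample values are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

GREEN, AMBER, RED = "Green", "Amber", "Red"


@dataclass
class IndicatorValue:
    collection_date: date
    value: float
    breach_status: str = GREEN      # persisted on the value by the trigger


@dataclass
class Indicator:
    name: str
    risk_owner: str
    value_collector: str
    amber_threshold: float          # assumption: amber < red, higher is worse
    red_threshold: float
    next_collection_date: date
    status: str = "Active"
    breach_status: str = GREEN      # persisted on the indicator by the trigger
    values: List[IndicatorValue] = field(default_factory=list)


def compute_breach(ind: Indicator, value: float) -> str:
    if value >= ind.red_threshold:
        return RED
    if value >= ind.amber_threshold:
        return AMBER
    return GREEN


def capture_value(ind: Indicator, collected_on: date, value: float) -> Optional[dict]:
    """Breach trigger: compute the status, persist it on both the value and the
    indicator, and return a Risk-owner notification only on a move into Red."""
    previous = ind.breach_status
    new = compute_breach(ind, value)
    ind.values.append(IndicatorValue(collected_on, value, new))
    ind.breach_status = new
    if previous in (GREEN, AMBER) and new == RED:
        return {"to": ind.risk_owner, "indicator": ind.name,
                "from": previous, "status": new, "value": value}
    return None                     # Red -> Red, or any move not into Red


def collection_reminders(indicators: List[Indicator], today: date,
                         lead_days: int = 3) -> List[dict]:
    """Reminders to the value Collector of each Active indicator whose
    collection date falls within lead_days (the lead time is an assumption)."""
    out = []
    for ind in indicators:
        days_left = (ind.next_collection_date - today).days
        if ind.status == "Active" and 0 <= days_left <= lead_days:
            out.append({"to": ind.value_collector, "indicator": ind.name,
                        "due": ind.next_collection_date.isoformat()})
    return out


def demo() -> tuple:
    """Constructed monthly series: Green, Amber, Red, Red again, back to Green."""
    today = date(2020, 8, 2)
    kri = Indicator("Failed privileged logins per month", risk_owner="riskmgr",
                    value_collector="soc-lead", amber_threshold=50,
                    red_threshold=100, next_collection_date=today + timedelta(days=2))
    reminders = collection_reminders([kri], today)
    series = [(date(2020, 5, 31), 20), (date(2020, 6, 30), 75),
              (date(2020, 7, 31), 130), (date(2020, 8, 31), 140),
              (date(2020, 9, 30), 40)]
    notices = [capture_value(kri, d, v) for d, v in series]
    history = [iv.breach_status for iv in kri.values]
    return reminders, notices, kri.breach_status, history
```

In the series only the third value (Amber to Red) produces a notification; the fourth is Red to Red and the fifth drops back to Green, neither of which the rule covers. The status history on the persisted values is what the dashboard trend report reads, so persisting it on both the value and the indicator, as the trigger does, avoids recomputing it at report time.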


Chapter 1. What's new?

New features are available for this release of IBM OpenPages GRC Platform solutions.

For information about all new features for this release, see the IBM OpenPages GRC Platform New Features Guide.

New features in version 7.1.0

This topic provides an overview of the major new features and enhancements to IBM OpenPages GRC Platform modules.

Integration with OpenPages Capital Modeling

IBM OpenPages Operational Risk Management is integrated with OpenPages Capital Modeling. The integration provides users with capital modeling capabilities and reports. Users can simultaneously collect, model, and report on operational risk data and capital. Users load data (internal and external loss data) from OpenPages GRC Platform into the Capital Modeling application. After the modeling process is complete, models are saved within the OpenPages application for further reporting and analysis.

The following object types are included:
• Capital Model
• Model Result

The following reports are included:
• Capital Contribution by Business Entity
• Capital Contribution by Risk Category

Activity Views have been added for the Add New wizard

Add New activity views are included for the following object types:
• Risk
• Control
• Workpaper

New features in version 7.0.0

This topic provides an overview of the major new features and enhancements to IBM OpenPages GRC Platform.

Enriched Operational Risk Management functionality

New workflow, automation, and reports have been added to IBM OpenPages Operational Risk Management to provide standard approaches for the following practices:
• Loss Events
• Risk and Control Self Assessment
• Key Risk Indicators
• Key Performance Indicators
• Scenario Analysis
• External Loss Data Analysis
• Issue Management and Remediation

Visualizations

As a Risk analyst or Compliance manager, you can graphically render your business process and communicate it to other users of risk analysis. You can create interactive visualizations to communicate information about the process flows and the Business Entity hierarchical structure.

The following object types are included:
• Process Diagram
• Data Input
• Data Output

Chapter 2. Object types

IBM OpenPages GRC Platform solutions consist of various object types.

The OpenPages GRC Object Model Details document provides information about the relationships between object types for each solution.

The following table lists the object types that are available for each solution, and whether they are enabled or disabled by default. Where a blank cell is shown, the object type is not available for that solution.

The following acronyms are used in the table:
• FCM = IBM OpenPages Financial Controls Management
• ORM = IBM OpenPages Operational Risk Management
• PCM = IBM OpenPages Policy and Compliance Management
• ITG = IBM OpenPages IT Governance
• IAM = IBM OpenPages Internal Audit Management

Table 1. Object types in IBM OpenPages GRC Platform solutions

Object type FCM ORM PCM ITG IAM

Signature Enabled Enabled Enabled Enabled Enabled

Milestone Enabled Enabled Enabled Enabled Enabled

Milestone Action Item Enabled Enabled Enabled Enabled Enabled

Issue Enabled Enabled Enabled Enabled Enabled

Action Item Enabled Enabled Enabled Enabled Enabled

File Enabled Enabled Enabled Enabled Enabled

Link Enabled Enabled Enabled Enabled Enabled

Business Entity Enabled Enabled Enabled Enabled Enabled

Process Enabled Enabled Enabled Enabled Enabled

Sub-Process Enabled Enabled Enabled Enabled Enabled

Risk Enabled Enabled Enabled Enabled Enabled

Control Enabled Enabled Enabled Enabled Enabled

Test Plan Enabled Enabled Enabled Enabled Enabled

Test Result Enabled Enabled Enabled Enabled Enabled

Risk Assessment Enabled Enabled Enabled Enabled Enabled

Process Diagram Enabled Enabled Enabled Enabled Enabled

Data Input Enabled Enabled Enabled Enabled Enabled

Data Output Enabled Enabled Enabled Enabled Enabled

Control Objective Disabled Disabled Disabled Disabled Disabled

Account Enabled

Sub-Account Enabled

Assertion Disabled

Process Eval Disabled Enabled Disabled Disabled Disabled

3

Page 16: IBM OpenPages GRC Platform Version 7.1.0: Modules Guidepublic.dhe.ibm.com/.../en/7.1.0/op_grc_modules.pdf · v Incident T racking v Key Performance Indicators v Reporting, monitoring,

Table 1. Object types in IBM OpenPages GRC Platform solutions (continued)

Object type FCM ORM PCM ITG IAM

Risk Eval Disabled Enabled Disabled Disabled Disabled

Control Eval Disabled Enabled Disabled Disabled Disabled

Risk Assessment Eval Disabled Enabled Disabled Disabled Disabled

Questionnaire Disabled Enabled Enabled Disabled Disabled

Section Disabled Enabled Enabled Disabled Disabled

Question Disabled Enabled Enabled Disabled Disabled

Preference Group Enabled Enabled Enabled Enabled Enabled

Preference Enabled Enabled Enabled Enabled Enabled

FIRST Loss Enabled

Loss Event Enabled

Loss Recovery Enabled

ORIC Loss Enabled

ORX Loss Enabled

Scenario Analysis Enabled

Scenario Result Enabled

Capital Model Enabled

Model Result Enabled

Cost Center Disabled

KRI Disabled Enabled Enabled

KRI Value Disabled Enabled Enabled

KPI Disabled Enabled Enabled

KPI Value Disabled Enabled Enabled

Incident Enabled Enabled

Waiver Enabled Enabled

Mandate Enabled Enabled

Sub-Mandate Enabled Enabled

Requirement Enabled Enabled

Policy Enabled Enabled

Procedure Enabled Enabled

Attestation Enabled

Campaign Enabled

Employee Enabled

Policy Review Comment Enabled

Regulator Enabled

Regulator Interaction Enabled

RI Category Enabled

RI Request Enabled

Regulation Applicability Enabled

Regulatory Change Enabled

Regulatory Task Enabled

4 IBM OpenPages GRC Platform Version 7.1.0: Modules Guide

Page 17: IBM OpenPages GRC Platform Version 7.1.0: Modules Guidepublic.dhe.ibm.com/.../en/7.1.0/op_grc_modules.pdf · v Incident T racking v Key Performance Indicators v Reporting, monitoring,

Table 1. Object types in IBM OpenPages GRC Platform solutions (continued)

Object type FCM ORM PCM ITG IAM

Control Plan Enabled

Baseline Enabled

Resource Enabled

Resource Link Enabled

Auditable Entity Enabled

Audit Enabled

Audit Section Enabled

Workpaper Enabled

Finding Enabled

Plan Enabled

Timesheet Enabled

Auditor Enabled

Audit Review Comment Enabled

Object name mapping

This topic lists the default object type labels mapped to object names.

Table 2. Object type labels mapped to object names

Object name             Object type label
Assertion               Assertion
Attestation             Attestation
AuditableEntity         Auditable Entity
Auditor                 Auditor
AuditPhase              Audit Section
AuditProgram            Audit
Campaign                Campaign
CapitalModel            Capital Model
CostCenter              Cost Center
CtlEval                 Control Eval
DataInput               Data Input
DataOutput              Data Output
Employee                Employee
Finding                 Finding
FIRSTLoss               FIRST Loss
Incident                Incident
KeyPerfIndicator        KPI
KeyPerfIndicatorValue   KPI Value
KeyRiskIndicator        KRI
KeyRiskIndicatorValue   KRI Value
LossEvent               Loss Event
LossImpact              Loss Impact
LossRecovery            Loss Recovery
Mandate                 Mandate
Model Result            Model Result
ORICLoss                ORIC Loss
ORXLoss                 ORX Loss
Plan                    Plan
Policy                  Policy
PolicyReviewComment     Policy Review Comment
Preference              Preference
PrefGrp                 Preference Group
Procedure               Procedure
ProcessDiagram          Process Diagram
ProcessEval             Process Eval
ProjectActionItem       Milestone Action Item
Qsection                Section
Quest                   Question
Questionnaire           Questionnaire
RAEval                  Risk Assessment Eval
RegApp                  Regulation Applicability
RegChange               Regulatory Change
RegInt                  Regulator Interaction
RegTask                 Regulatory Task
Regulator               Regulator
Requirement             Requirement
Resource                Resource
ResourceLink            Resource Link
ReviewComment           Audit Review Comment
RICat                   RI Category
RIReq                   RI Request
RiskAssessment          Risk Assessment
RiskEntity              Control Plan
RiskEval                Risk Eval
RiskSubEntity           Baseline
ScenarioAnalysis        Scenario Analysis
ScenarioResult          Scenario Result
SOXAccount              Account
SOXBusEntity            Business Entity
SOXControl              Control
SOXControlObjective     Control Objective
SOXDocument             File
SOXExternalDocument     Link
SOXIssue                Issue
SOXMilestone            Milestone
SOXProcess              Process
SOXRisk                 Risk
SOXSignature            Signature
SOXSubaccount           Sub-Account
SOXSubprocess           Sub-Process
SOXTask                 Action Item
SOXTest                 Test Plan
SOXTestResult           Test Result
Submandate              Sub-Mandate
Timesheet               Timesheet
Waiver                  Waiver
Workpaper               Workpaper

Object type descriptions

IBM OpenPages GRC Platform solutions consist of various object types.

Account
Accounts correspond to one or more line items on a financial report. Each account is affected by recurring Processes. These Processes can introduce Risks that must be documented during the financial controls documentation project. An account is identified as significant based on factors such as size, the complexity of the processes that operate on the account, or whether the account is associated with new product lines within the business. The risks that might materialize and have a material effect on the account are identified by considering the processes that operate on the account.

Assertion
The Assertion object is used to link Control objects to Account (or Sub-Account) objects. A common practice is to store the type of assertion that the Control covers as a data field on the Assertion object.

Attestation
The Attestation object, part of the Policy Awareness capability, is used to capture an employee's affirmation that they have read and understood a policy. An Attestation's primary parent is the Employee record and its secondary parent is the associated Campaign.

Audit
An Audit represents each execution of an audit against an Auditable Entity. For example, if an Auditable Entity is audited every two years, a separate child Audit instance must be created for each two-year period, such as 2006 and 2008. An organization might audit various things. For example, you could audit an entity, a specific regulatory requirement, or the physical security of a data center.

The Audit object is configured as a self-contained object type and a folder is automatically created for each Audit instance. This configuration allows you to copy template audits and audit components from a library to the audit hierarchy without object naming conflicts.

Planning and scheduling of the Audit resources is done at the Audit level.

High-level Audit progress can be tracked by monitoring the Status values and Date values on the Audit. Key audit milestones can be tracked by adding fields that represent completion dates for each of the key milestones to track.

Use the Audit object to manage the audit process across your enterprise. The Audit is a holding point to capture information such as scope, objectives, timing information, and the review, execution and approval roles. You can track a subset of audits that you are undertaking in a given planning horizon, or all audits in the audit universe.

Audit Review Comment
The Audit Review Comment object type is used to provide feedback during the review process for an Audit and its components. It is associated as a child of the instance of the Audit, Section, Workpaper or Finding for which feedback is being provided.

Audit Section
Audit Sections can be used to represent the phases of the Audit, work programs within the Audit, or other components of the Audit at the desired level of granularity.

Organizations might have multiple standard components for each Audit. Template audits that include sections for each standard component can be created in a library. Planned and Actual Start and End Dates for these sections are used to report progress on key milestones in the audits.

Detailed Audit progress can be tracked by including an Audit Section for each milestone. Alternatively, some organizations might add fields on the Audit that represent completion dates for each of the key milestones they wish to track.

Although Audit Sections can be used for planning and scheduling Audit resources, most organizations find this method to be too detailed.

Auditable Entity
An Auditable Entity object is a child of a Business Entity. An Internal Audit Business Entity hierarchy is established and all Auditable Entities are created as children of the Internal Audit Business Entity object. Auditable Entities that are aligned with elements of the Business Entity Organizational Hierarchy are also associated to those Business Entities.

An Auditable Entity represents a single element of the Audit Universe: the collection of things in the business that might be audited. Most Auditable Entities represent business or legal entities, but they can also represent processes, long-running projects or initiatives, compliance programs, or shared IT Services.

Auditable Entities are risk ranked every year to determine the priority of performing an audit that year. A Weighted Risk Score is calculated, but the score can be overridden.

Auditor
Resource planning and allocation requires key information about each individual who might perform audit work. The Auditor object is used to create a pool of Auditors who can be assigned to Audits.

Each user who is assigned to audit work is represented as an Auditor instance. Auditors are then available for resource allocation. The Auditor object includes attributes to use to evaluate and select Auditors for audit engagements, such as specialties, languages, and certifications. Auditor objects are associated with the relevant component of the Internal Audit organizational hierarchy. As a best practice, match the Name on the Auditor object with the username.

Baseline
A Baseline object type represents a template of library requirements. It is self-contained, meaning folders are created for each Baseline. Baselines in the Library represent elements of the IT operating environment. They are linked to Requirements for that type of element. The Baseline object is copied from the library to the business hierarchy, an association is made to a Requirement in the library, and Risk, Control, and Test object types are created as child objects. The Risk, Control, and Test objects are populated with data from the Requirement.

For example, a Baseline object can represent a collection of Requirement objects for a data center with Personally Identifiable Information (PII) and a Confidential Data classification. For each Requirement object, set up a best practice to define what to control (Risk object) and how to control it (Control object). You can also establish a practice for verifying the effectiveness of the Control (Test object).

Business Entity
Business entities are abstract representations of your business structure. A business entity can contain sub-entities (such as departments, business units, or geographic locations). The entity structure that you create depends on your business needs. For example, you could create a parent entity for your business headquarters and a sub-entity for each location or department. You might also want to represent both a legal entity structure and a business entity structure.

Business entities are also used to organize library data such as risk and control libraries, or regulatory content (for example, laws, regulations, and standards).

When setting up your business entity hierarchy, work with your IBM OpenPages GRC consultant. The structure of your business entities impacts the type and quality of information that can be extracted from the application.

In IBM OpenPages Internal Audit Management, Business Entities also model the Internal Audit organizational structure, which facilitates reporting and security for the Internal Audit team. The Internal Audit organizational structure is a top-level entity, to minimize the chance of accidentally granting a business user access to Internal Audit information. The elements of the Audit Universe that are owned by an Internal Audit team are associated with that team's Business Entity. Another top-level Business Entity structure can be created to organize confidential Audits, providing special security to these Audits. Business Entities can also be used to organize a Library of template audit content.

Campaign
The Campaign object is part of the Policy Awareness capability and is used to manage the project management aspects of an awareness campaign. It is also used to define the requirements and criteria that identify which employees need to read and attest to each Policy. Campaigns are typically created in the Published Policy Hierarchy.

Capital Model
The Capital Model is the model created in the IBM OpenPages Capital Modeling application that calculates the operational risk capital for a particular unit of measure, either Business Entity or Risk Category. The Capital Model can be constructed using internal loss data, scenario data, or external loss data that is collected within IBM OpenPages Operational Risk Management. The Capital Model consists of a frequency distribution and its associated parameters, a best-fit severity distribution and its associated parameters, and the resulting operational risk capital estimates at varying percentiles. There are three types of Capital Models, depending on the data that was used to construct the model and the number of models used to construct it. Single Models are constructed at a more granular level (usually Business Entity and Risk Category) using scenario data (Scenario Model), internal loss data (Internal Loss Model) or FIRST external loss data (FIRST Loss Model). Combined models are constructed using previously saved Single Models and are used to create capital estimates at a higher level, for example across Business Entities or Risk Categories. These include Independent Models, which assume there is no dependence between the selected individual models, and Correlated Models, which assume a dependence structure between the selected individual models. The saved Capital Model object type displays the frequency distribution parameters and the best-fit severity distribution parameters, as well as the results of the aggregate loss distribution and other descriptive information about the model. A zip file attachment is also saved along with the Capital Model object type. This file attachment is read by the OpenPages Capital Modeling application to display saved models. It contains all the information about the model, including fitted parameters, results, and all fitted data points generated from the Monte Carlo simulation.

Control
Controls are policies and procedures that make sure that risk mitigation responses are performed.

After identifying the risks that occur in your practices, establish controls, such as approvals, authorizations, and verifications. These controls remove, limit, or transfer these risks.

Controls provide either prevention or detection of risks. Controls are associated with tests that ensure that a control is effective. For example, the human resources department identifies a risk in the new hire process: the process does not comply with regulations and guidelines for diversity and discrimination. Define controls to mitigate this risk, such as establishing hiring policies and procedures and conducting mandatory training for hiring managers.

In IBM OpenPages Internal Audit Management, use Controls to create a detailed model of the Controls that exist or that you want to enforce on the activities that are audited. If shared with the Business, the Controls can be rated separately by Internal Audit and by the Business.

Control Eval
Control Eval objects are similar to Risk Eval objects except that they are created as children of Controls. They store control assessment data. When report periods and control assessment evaluation cycles are not aligned, use Control Eval objects to capture multiple evaluation cycles within a single reporting period.

Control Objective
A Control Objective is an assessment object that defines the risk categories for a Process or Sub-Process.

Control Objectives define the COSO compliance categories that the Controls are intended to mitigate. Control Objectives can be classified into categories such as Compliance, Financial Reporting, Strategic, Operations, or Unknown.

After a Control Objective is identified, the Risks belonging to that Control Objective can then be defined. In most cases, each Control Objective has one Risk associated with it. However, it might have more than one Risk associated with it. For example, a financial services company employs traders who are aware of the required ethical standards. The HR department sets up a control objective called 'Personnel'. A risk that is associated with the Control Objective is, "Employees engage in business dealings that conflict with the company objectives for ethical and fair trading."

By default, an OpenPages Internal Audit Management Control Objective is disabled. This object is not often used, except to align with other solutions that might use it.

Control Plan
Control Plan is a self-contained object type; this means that folders are created for each Control Plan. It groups multiple Baselines to represent elements in the operating environment that can be assessed for risk. It acts as a container for a collection of Baseline objects that together perform a function or comprise an IT service. For example, a Control Plan object could represent the servers, operating systems, applications, databases, support personnel, and facilities that provide the corporate email.

Cost Center
Cost Center objects are used to group loss events under a business entity. In many cases, firms want to track where loss events occur at a fine granularity, such as cost center level, but do not want to represent all of the organizational layers as business entities.

Data Input, Data Output
The Data Input object and Data Output object are child objects of the Process and can have associations only to existing Risks. They represent elements of a flow that depict an input into the business flow or an output from various activities within a process, such as running a report, updating a CRM system, or getting an external data source feed.

Employee
The Employee object is part of the Policy Awareness capability. It is used to capture information about individual employees such as the name, title, email, region, department, and status. Information from the employee profile is then matched against the Attestation Requirements defined on a Campaign to determine which Employees need to attest to each Policy. Employee data is typically derived from an HR system export, loaded via Online FastMap, and resides in the reference Employee Business Entity. It is a best practice that the Employee Name field matches the user's username.

File
The File object type is used to embed a reference to a file (such as a document, flow chart or spreadsheet) in the IBM OpenPages system, and associate it to one or more relevant objects.

Finding
Findings can be used to represent observations which are reportable to the business, to the Audit Committee, or both. Alternatively, Findings can be used to represent individual factual observations, while Issues are used to represent consolidated themes and systemic problems, which are then reported to the business, to the Audit Committee, or both.

A Finding represents anything uncovered in the course of an audit that needs to be accounted for and addressed by management. You can use a Finding to track management's progress in addressing the underlying issue identified. The Issue object can be used in place of, or in conjunction with, the Finding object.

FIRST Loss
FIRST Loss objects can be imported from the FIRST external loss database, for use with scenario analysis, benchmarking, and reports generation, and to export loss data to analytic tools or capital allocation applications. FIRST Loss objects are often organized by loss categories, such as product lines or event types. For example, use a Business Entity to create a hierarchy for FIRST loss data: name the root object 'FIRST-data', create category folders under the root, and link the external losses to it.

Incident
An incident is an occurrence that has a potentially adverse effect on your enterprise. Create an Incident object to record information, such as the person responsible for investigating the incident and other related data. Use the Incident object with other tracking systems, such as a trouble-ticketing system, to facilitate incident analysis. For example, if your trouble-ticket system tracks all incidents, use Incident objects to track only incidents that warrant further analysis. Categories that apply to incidents include Regulatory Compliance, Legal Compliance, Information Security, and IT. Incidents are stored under the Business Entity or IT Resource where the event occurred and associated secondarily to an impacted Mandate or Policy.

Issue, Action Item
Although issues are generated in areas where internal controls are not properly implemented, use the Issue object to document a concern associated with any object type. For example, a Test is associated with a Control, but the Test failed the last time it completed. This potential problem can be highlighted by capturing it in an Issue object.

An Issue is resolved through Action Items. You can use an Action Item or a series of related Action Items to form an Action Plan. Each Action Item is assigned to a user for resolution, and tracks progress. After all Action Items for an Issue are complete (when an assignee sets the value to 100%), close the Issue.

In OpenPages Internal Audit Management, Issues and Action Items can be used instead of, or with, Findings.

KPI, KPI Value
KPIs (Key Performance Indicators) are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KPI within the organization can have unique target and threshold limits. The KPI Value object type records the value of a KPI object at a specific point in time. Create a KPI object, and then periodically (daily, weekly, monthly) create a KPI Value object so you can detect trends.

KRI, KRI Value
KRIs (Key Risk Indicators) are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KRI within the organization can have unique target and threshold limits. KRI Values are used to record the actual value of an indicator at a specific point in time.
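The KPI and KRI descriptions above say each indicator instance carries its own target and threshold limits and that values are recorded periodically so that trends can be detected, but they do not show what that evaluation looks like. The following is an added example, not code from the OpenPages product: it models an indicator with warning and breach limits, a flag for which direction is adverse (a vulnerability count gets worse as it rises, a patch-compliance percentage gets worse as it falls), rates the latest recorded value Red, Amber or Green, and reads the trend off the last few values. The field names, the limit values and the sample readings are assumptions constructed for illustration.

```python
"""Evaluating the recorded values of a KRI or KPI (the KRI Value / KPI Value objects)
against the instance's own limits and detecting the trend the periodic values are
collected for. Added example, not OpenPages code: the limit fields, the direction
flag and the sample readings are assumptions constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass(frozen=True)
class Indicator:
    name: str
    target: float
    warning: float          # amber limit
    breach: float           # red limit
    higher_is_worse: bool   # True for a risk count, False for a compliance percentage


@dataclass(frozen=True)
class IndicatorValue:
    as_of: date
    value: float


def rag_status(ind: Indicator, value: float) -> str:
    """Red / Amber / Green against the instance's limits, in whichever direction is adverse."""
    if ind.higher_is_worse:
        adverse = lambda v, limit: v >= limit
    else:
        adverse = lambda v, limit: v <= limit
    if adverse(value, ind.breach):
        return "Red"
    if adverse(value, ind.warning):
        return "Amber"
    return "Green"


def trend(values: List[IndicatorValue], window: int = 3, tol: float = 1e-9) -> str:
    """Direction of the least-squares slope over the last `window` readings."""
    recent = sorted(values, key=lambda v: v.as_of)[-window:]
    if len(recent) < 2:
        return "flat"
    n = len(recent)
    ys = [v.value for v in recent]
    x_mean, y_mean = (n - 1) / 2.0, sum(ys) / n
    # The slope's denominator is always positive, so its sign is the sign of this numerator.
    numerator = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(ys))
    if numerator > tol:
        return "rising"
    if numerator < -tol:
        return "falling"
    return "flat"


def evaluate(ind: Indicator, values: List[IndicatorValue], window: int = 3) -> Tuple[str, str, bool]:
    """(status of the latest value, trend, worsening?). 'worsening' is the early warning:
    the indicator may still be Green but is moving toward its limits."""
    if not values:
        raise ValueError(f"{ind.name}: no recorded values")
    ordered = sorted(values, key=lambda v: v.as_of)
    status = rag_status(ind, ordered[-1].value)
    direction = trend(ordered, window)
    worsening = direction == ("rising" if ind.higher_is_worse else "falling")
    return status, direction, worsening


# Constructed sample data: one KRI (a count where higher is worse) and one KPI
# (a percentage where lower is worse), each with weekly recorded values.
VULN_KRI = Indicator("Critical vulnerabilities open > 30 days", target=0, warning=5, breach=10,
                     higher_is_worse=True)
VULN_VALUES = [IndicatorValue(date(2015, 3, 2), 2), IndicatorValue(date(2015, 3, 9), 3),
               IndicatorValue(date(2015, 3, 16), 4), IndicatorValue(date(2015, 3, 23), 6)]

PATCH_KPI = Indicator("Servers patched within SLA (%)", target=98, warning=95, breach=90,
                      higher_is_worse=False)
PATCH_VALUES = [IndicatorValue(date(2015, 3, 2), 97), IndicatorValue(date(2015, 3, 9), 96),
                IndicatorValue(date(2015, 3, 16), 96)]

if __name__ == "__main__":
    for ind, vals in ((VULN_KRI, VULN_VALUES), (PATCH_KPI, PATCH_VALUES)):
        status, direction, worsening = evaluate(ind, vals)
        print(f"{ind.name}: {status}, {direction}{' (early warning)' if worsening else ''}")
```

The point of the second sample is the one the text makes about detecting trends: the patch KPI is still Green against its limits, but its recent values are falling toward the warning limit, which a check on the latest value alone would not surface.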

Link
The Link object type is used to embed a reference to a URL in the OpenPages system, and associate it to one or more relevant objects.

Loss Event
Loss Events are used to track operational losses that occur in any part of an organization. Loss Events are typically stored under the Business Entity where the loss occurred. The Loss Event objects are used to track, assess, and manage the related internal loss data. You can add multiple impacts and recoveries for each Loss Event using the Loss Impact and Loss Recovery objects.

Loss Impact
A loss impact is a financial or non-financial consequence resulting from a loss event. Loss Impacts track different types of impacts triggered by a Loss Event, such as legal liability, asset loss and damage, or business interruption. There can be multiple Loss Impacts associated with each Loss Event.

Loss Recovery
Loss Recovery objects are used to track the processes associated with recouping damages that result from Loss Events.

Mandate
Mandates represent external items with which organizations need to comply, such as laws, regulations, and standards. Out of the box, the configuration directly supports content provided by Deloitte and UCF, and can be adapted to support content from other vendors. Mandates are represented in a Library Business Entity structure, and are not replicated throughout the system. For example, an insurance company has a Mandate object for HIPAA and another Mandate object for GLBA. You can associate the same mandate with different groups within your organization. Privacy mandates, for example, might apply to the payroll, insurance services, legal, and IT departments. Mandate also supports content for regulatory compliance. Regulations can be extracted from IBM Regulatory Compliance Analytics and populated as Mandates for IBM OpenPages Regulatory Compliance Management.

Milestone, Milestone Action Item
A Milestone represents a significant point in the development of your project. You can tie Milestones to specific dates, or use them to signify the completion of a portion of the entire project. Milestones can contain other Milestones or Milestone Action Items. You cannot associate a Milestone with other objects in the object hierarchy.

A Milestone Action Item is a specific objective that must be completed in order to reach a Milestone. In general, all Milestone Action Items associated with a Milestone must be completed in order to reach that Milestone. When you are assigned a Milestone Action Item object, it is displayed (if configured) in the My Milestone Action Items section of your My Work tab.

Model Result
The Model Result object is the resulting operational risk capital estimate, or the aggregate loss distribution resulting from the simulation of the selected best-fit frequency and severity distributions. Each Model Result is associated to a Capital Model object. For Single Models (Scenario Model, Internal Loss Model, FIRST Loss Model), Individual Value at Risk (VaR) capital is displayed at varying percentiles (the number and value of the percentiles can be configured). For Independent and Correlated Models, capital is displayed for Individual VaR, Additive ESF (Expected Shortfall), and Additive VaR at varying percentiles (the number and value of the percentiles can be configured).
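The Capital Model and Model Result descriptions above name the ingredients of the calculation (a fitted frequency distribution, a fitted severity distribution, a Monte Carlo simulation of the aggregate loss, VaR and expected shortfall at configurable percentiles, and Independent versus Additive aggregation of Single Models) without showing how they fit together. The following is an added illustration of that loss-distribution approach, not the OpenPages Capital Modeling application and not its file format. It assumes a Poisson frequency distribution and a lognormal severity distribution, uses constructed parameters, and reads "Additive VaR" as the plain sum of the single-model VaRs; Correlated Models, which need a dependence structure between the models, are not covered.

```python
"""Loss-distribution approach in the shape the Capital Model and Model Result
descriptions outline: a fitted frequency distribution, a fitted severity
distribution, a Monte Carlo simulation of the aggregate annual loss, and Value at
Risk (VaR) / expected shortfall read off the simulated distribution.

Added illustration, not the OpenPages Capital Modeling application. Assumptions:
Poisson frequency, lognormal severity, constructed parameters, and "Additive VaR"
read as the plain sum of the single-model VaRs."""
import math
import random
from dataclasses import dataclass
from typing import List


@dataclass
class SingleModel:
    name: str
    freq_lambda: float   # Poisson mean number of loss events per year
    sev_mu: float        # lognormal location of a single event's loss amount
    sev_sigma: float     # lognormal scale; larger means a heavier tail


def _poisson(lam: float, rng: random.Random) -> int:
    """Knuth's multiplication method; fine for the small lambdas used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_aggregate_losses(model: SingleModel, n_years: int, seed: int) -> List[float]:
    """One sample per simulated year: the sum of N severities, N drawn from the frequency model."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        n_events = _poisson(model.freq_lambda, rng)
        losses.append(float(sum(rng.lognormvariate(model.sev_mu, model.sev_sigma)
                                for _ in range(n_events))))
    return losses


def _tail_start(n: int, pct: float) -> int:
    # index of the pct-th percentile in a sorted sample of size n
    return max(0, math.ceil(pct / 100.0 * n) - 1)


def var_at(samples: List[float], pct: float) -> float:
    """Empirical VaR: the pct-th percentile of the aggregate loss distribution."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    return ordered[_tail_start(len(ordered), pct)]


def expected_shortfall(samples: List[float], pct: float) -> float:
    """Mean of the tail from the pct-th percentile upward (the ESF of the text)."""
    ordered = sorted(samples)
    tail = ordered[_tail_start(len(ordered), pct):]
    return sum(tail) / len(tail)


def additive_var(models: List[SingleModel], pct: float, n_years: int, seed: int = 1) -> float:
    """Sum of the single-model VaRs: no diversification credit between the models."""
    return sum(var_at(simulate_aggregate_losses(m, n_years, seed + i), pct)
               for i, m in enumerate(models))


def independent_model_var(models: List[SingleModel], pct: float, n_years: int, seed: int = 1) -> float:
    """Independent Model: add the independently simulated yearly losses, then take VaR of the total."""
    per_model = [simulate_aggregate_losses(m, n_years, seed + i) for i, m in enumerate(models)]
    combined = [sum(year) for year in zip(*per_model)]
    return var_at(combined, pct)


if __name__ == "__main__":
    # Constructed single models, e.g. one per Business Entity / Risk Category pair.
    models = [SingleModel("Retail Banking / External Fraud", 12.0, 8.0, 1.2),
              SingleModel("Payments / Execution Errors", 4.0, 9.5, 1.6)]
    n_years = 20000
    for pct in (95.0, 99.0, 99.9):
        add = additive_var(models, pct, n_years)
        ind = independent_model_var(models, pct, n_years)
        print(f"{pct:5.1f}th percentile: additive VaR {add:15,.0f}   independent VaR {ind:15,.0f}")
```

Two practical points follow from the code. The percentile is read off a finite sample, so at the 99.9th percentile of 20,000 simulated years the estimate rests on the 20 largest samples and moves noticeably between seeds; the number of simulated years has to grow with the percentile you report. And the independent aggregation sums losses year by year before taking the percentile, which is why it normally comes out below the additive figure: the additive number assumes every model has its bad year at the same time.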

ORIC Loss
ORIC Loss objects can be imported from the ORIC external loss database, for use with scenario analysis, benchmarking, and reports generation, and to export loss data to analytic tools or capital allocation applications.

ORX Loss
ORX Loss objects can be imported from the ORX external loss database, for use with scenario analysis, benchmarking, and reports generation, and to export loss data to analytic tools or capital allocation applications. You can import external ORX loss data into OpenPages Operational Risk Management for use with scenario analysis and capital modeling.

Plan, Timesheet
A Plan object type facilitates audit resource scheduling and allocation at any level. For example, you can create a single Plan object for an entire audit, or you can create one Plan object per task for each auditor involved with the audit. Plan objects are used to determine the availability, skills, and experience required of the desired resource. OpenPages Audit Activity Views, reports, and related components are aligned with Planning at the Audit level. Plans can instead be associated to Audit Sections, in which case these components would need to be modified.

Plan objects also drive time tracking: all time is tracked against Plans. A Timesheet object type is used to record weekly actual hours and expenses expended against a Plan object for an Audit. Because Timesheet objects are associated with Plans, it is easy to track deviations between planned and actual time and expenses. The Timesheet Entry interactive report should always be used to enter or modify time and expense data. For this reason, there is no Timesheet top menu item in the default OpenPages Internal Audit Management configuration.

You typically create or modify a Plan object using the Add or Modify Plans helper, accessed from a link on the Audit detail page.

Policy
Policies represent internal guidelines generally adopted by the Board of Directors or senior governance body within an organization. The text of a Policy can be stored either in standardized fields on the object or as an attachment to the object. Policies typically have a distinct lifecycle from Draft to Published to Expired, as well as a review and approval process. Draft policies typically reside in the Organizational Business Hierarchy, while Published and Expired Policies typically reside in reference Library entities. Policies are also often mapped to the applicable Mandates in the Library to which they relate.

Policy Review Comment
Policy Review Comments support and facilitate the review and approval process of Policies and Procedures by Subject Matter Experts and Compliance Personnel.

Preference, Preference Group
The Preference object is a child of a Business Entity, and includes variable values that can drive reports, workflows, and computed fields. It has entity-specific variable values that enable different behavior for the same workflows. For example, define variable values to determine the behavior of review and approval workflows, such as the appropriate users for each level of review and approval, and the thresholds for determining how many levels of review and approval are required.

The Preference Group is used to group Preference objects together. Without this grouping object, each Preference object must be associated separately with each relevant Business Entity. The Preference Group helps minimize the associated maintenance.

In the default IBM OpenPages Internal Audit Management configuration, these objects are used to hold the weights for the Risk Factors used in Annual Assessment Risk Ranking. Since the weights and factors can be different for each type of audit, such as financial, operational, or strategic, create a separate Preference instance for each audit type. Because the Preference is a child of a Business Entity, this approach also provides entity-specific variable values.

Procedure
Procedures represent the 'what', 'where', 'when', and 'how' of how policies are implemented in an organization. The text of Procedures is typically stored in the fields on the object. Typically, Procedures are represented as children of a Policy and reside in the same entity structure as their parent Policy.

Process
Processes represent the major end-to-end business activities within a business entity that are subject to risk. Processes reside in areas such as financial reporting, compliance, and information security. For example, Processes in the Accounts Receivable department, such as order-to-cash, could be improved with controls to protect against financial reporting risks such as fraudulent behavior or financial reporting inaccuracies.

In OpenPages Internal Audit Management, Processes are also used in scoping audits. Audits can copy Processes that are created by the business entity, or create their own Processes.

Process Diagram
A Process Diagram is a child object of the Process; a Process can have many diagrams. It is used to store the sequence of sub-processes or activities within a process, with associated Risks and Controls, along with any annotations such as decision nodes. All attributes of the Business Process visualization are stored in the Process Diagram object.

Process Eval
Process Evaluation objects are children of Process objects and they are used to capture process measurement values for trending purposes.

When the reporting periods do not align with the evaluation cycles, you can use Process Eval objects to capture multiple evaluation cycles within a single reporting period.

Questionnaire, Section, Question
Questionnaire, Section, and Question objects are used together to implement questionnaires. Questionnaires are created as templates in a library and gather information from respondents. Section objects are children of parent Questionnaire objects and organize sets of related questions. Question objects are children of Section objects and capture respondent data. Business administrators use the Questionnaire Set Up Activity View to configure questionnaire templates. Questionnaire templates are then copied to parent Business Entity, Process, Sub-Process, or Employee object types.

Regulation Applicability
The Regulation Applicability object resides in the organizational business hierarchy. It assesses and tracks the regulatory impact of a Mandate in the library on a Business Entity.

Regulator
The Regulator object is part of the Regulator Interaction Management capability and provides the ability for organizations to create a single inventory of all Regulators with which they interact. Regulators are typically created in a reference Library Business Entity. The object is a child of Business Entity and can be associated to Mandates and Regulator Interactions.

Regulator Interaction
The Regulator Interaction object is part of the Regulator Interaction Management capability and provides the ability to manage the interactions, communication, internal work, review and approvals associated with external regulators, such as inquiries, submissions, filings, exams and audits. For complex interactions such as exams and audits, customers can use a three-tier object structure (Regulator Interaction, RI Category and RI Request) to manage and track the overall interaction, each section of the interaction, and the individual requests. For simpler requests and inquiries, customers can use the Regulator Interaction object by itself to manage the request details and response details.

Regulatory Change
The Regulatory Change object is part of the Regulatory Change Management capability. It supports the ability to track regulatory changes (a change or guidance to an existing regulation, or a new regulatory requirement), assess the impact of a change on the organization, communicate the change internally to the appropriate people, and drive internal processes in response to the change. Regulatory Changes typically reside in the Library Business Entity, and are associated directly to the Mandate that changed. A Regulatory Change then has multiple Regulatory Tasks associated to it, one for each Business Entity impacted by the respective Mandate.

Regulatory Task
The Regulatory Task object is part of the Regulatory Change Management capability. It facilitates the change management process associated with a Regulatory Change. A Regulatory Task is created in the Organizational Business Hierarchy and assigned to an individual in each of the Business Entities impacted by the Mandate that was changed. The object is then used to track and monitor whether an action is required as a result of the change (such as revising a policy, a control assessment, or training) and the progress of the action.

Requirement
Requirements represent the normalized tasks to accomplish in order to comply with all of their associated Sub-Mandates. Requirements accomplish two primary purposes: they translate the often difficult and wordy language of Mandates and Sub-Mandates into plain English, and they leverage the commonality across multiple Sub-Mandates. For example, there might be many Sub-Mandates across numerous Mandates which are all telling you to have strong passwords. A single Requirement can document the details of the strong password needs. By complying with this single Requirement, IT can satisfy many Mandates and Sub-Mandates.

Out of the box, the configuration directly supports content provided by Deloitte and UCF, and can be adapted to support content from other vendors. Typically, Requirements are represented in a Library Business Entity structure, and are not replicated throughout the system.

Requirements also support content for regulatory compliance. Requirements can be used to represent regulatory obligations derived from regulatory papers. Requirements can be extracted from IBM Regulatory Compliance Analytics and populated as Requirements for regulatory compliance management.

Resource
COBIT suggests that there are four types of IT assets, while practitioners often include additional types as well. The Resource object is sub-typed using dependent fields to represent any of these types of IT assets. Resources are typically created as a pool associated to the owning or responsible IT Business Entity, then associated to the relevant operating elements (Baselines, Processes, etc.) in the IT Operating Environment, and potentially associated to relevant Business Entities for the Business as well. Although Resources can represent individual IT Assets (for example, a particular Microsoft Windows 2003 server), they will more often represent a group of assets (for example, a pool of Windows 2003 Application Servers used for a particular application).

Resource Link
COBIT suggests that IT assets have complicated relationships. They indicate that assets of type People, Process, Infrastructure and Information can each be parents and can each be children of each other. In addition, Resources of the same type often need to be related to each other. A Resource Link can be used to link Resources in a many-to-many fashion, but the practice (supported by the User Interface helper) is to link exactly two Resources. Note that if the names or attributes of either of the parent resources are changed, the Resource Link name and attributes will be 'out of sync' with its parent Resources.

RI Category
The RI Category object is part of the Regulator Interaction Management capability and is used as the middle tier of the three-tier object model (Regulator Interaction, RI Category and RI Request). The object is used to organize and track the progress of individual sections or categories of a complex interaction such as an exam or audit.

RI Request
The RI Request object is part of the Regulator Interaction Management capability and is used as the last tier of the three-tier object model (Regulator Interaction, RI Category and RI Request). The object is used to organize and track the individual requests, reviews and approvals of pre-work and onsite tasks as part of a complex interaction such as an exam or audit.

Risk
Risks are potential liabilities. Risks can be associated with business processes, business entities, or compliance with a mandate. Each risk has controls that provide safeguards against the risk. The controls help lessen the consequences that result from the risk. Use the Risk object to categorize risks; capture the frequency, rating, and severity of observed and computed risk data; and view reports to identify top risk items. For example, the Cash account has a process called Payroll. A potential risk that might occur in the payroll is duplicate payroll disbursements or the creation of fictitious payroll disbursements. Identifying risks in processes is a key component of developing a financial controls documentation project.

In OpenPages Internal Audit Management, a Risk that is shared between an internal audit and the business can be rated separately.

Risk Assessment
Risk assessments give you the ability to evaluate and report potential liabilities for a set of business entities or processes. A Risk Assessment object contains the names of the assessor and reviewer, the assessment time frames, and the status of the assessment. Use a Risk Assessment to manage the risk self-assessment process. Associate Risk objects with a Risk Assessment to create a link between the business entity and the Risks. For example, create a Risk Assessment to assess operational risks, such as external theft and fraud, internal fraud, physical property damage, or business disruption.

Risk Assessment Eval
Risk Assessment Evaluation objects are similar to Risk Evaluation objects except that they are instantiated as children of Risk Assessments. They store risk assessment data.

Risk Eval
Risk Evaluation objects are children of Risk objects and they are used to capture risk measurement values for trending purposes. Often reporting periods do not line up with risk evaluation cycles, so Risk Eval objects can be used to capture multiple evaluation cycles within a single reporting period.

Scenario Analysis
Scenario Analysis is an assessment technique used to identify and measure specific kinds of risks, in particular low-frequency, high-impact events such as earthquakes, recessions, or power grid failures.

Scenario Result
Scenario Result objects are children of Scenario Analysis objects and they are used to capture the results of Scenario Analysis workshops for comparison and trending purposes.

Signature
A Signature generally indicates agreement that the object meets your approval. It has no enforcement powers, and does not prevent the item from being modified after approval has been given. An object with a Signature has a Signature icon next to the signer's name on the Signatures tab.

Depending on your system configuration, signatures (with or without associated locks) can be applied to an object in the following ways:
v Manually from the detail page of an object.
v Automatically through a workflow task.
v Some combination of both automatic and manual.

If Signature locks are configured on your system, when you sign off on an object, the object and all its associated child objects are locked and cannot be modified until you either revoke your Signature or an administrator unlocks the object.
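The two Signature behaviours just described (a record-only signature versus a signature with locks that covers the whole child subtree until the signer revokes or an administrator unlocks), worked through as an added Python model; this is not code from the Modules Guide or the product, and all class, function and user names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set


class ObjectLockedError(Exception):
    """Raised when a field of a locked object (or a locked child) is modified."""


@dataclass
class GrcObject:
    """Simplified object: fields, child objects and Signature state (hypothetical model)."""
    name: str
    fields: Dict[str, str] = field(default_factory=dict)
    children: List["GrcObject"] = field(default_factory=list)
    signer: Optional[str] = None
    locked: bool = False

    def subtree(self) -> Iterator["GrcObject"]:
        """Yield this object and every descendant: the set a Signature lock covers."""
        yield self
        for child in self.children:
            yield from child.subtree()

    def set_field(self, key: str, value: str) -> None:
        """Modify a field; refused while a Signature lock is in force on this node."""
        if self.locked:
            raise ObjectLockedError(f"{self.name} is locked by a Signature")
        self.fields[key] = value


def sign(obj: GrcObject, user: str, locks_configured: bool) -> None:
    """Record the sign-off; with Signature locks configured, lock the object and all children."""
    obj.signer = user
    if locks_configured:
        for node in obj.subtree():
            node.locked = True


def revoke_signature(obj: GrcObject, user: str) -> None:
    """Only the signer can revoke their own Signature; revoking releases the lock."""
    if obj.signer != user:
        raise PermissionError(f"{user} is not the signer of {obj.name}")
    obj.signer = None
    for node in obj.subtree():
        node.locked = False


def admin_unlock(obj: GrcObject, user: str, admins: Set[str]) -> None:
    """An administrator may release the lock; the Signature itself stays on record."""
    if user not in admins:
        raise PermissionError(f"{user} is not an administrator")
    for node in obj.subtree():
        node.locked = False


def build_sample_assessment() -> GrcObject:
    """Constructed sample: a Risk Assessment with a Risk and a Control beneath it."""
    control = GrcObject("Control: Dual approval of payroll", {"Effectiveness": "Effective"})
    risk = GrcObject("Risk: Fictitious payroll disbursements", {"Rating": "High"}, [control])
    return GrcObject("Risk Assessment: Payroll Q1", {"Status": "Complete"}, [risk])


def run_scenario(locks_configured: bool) -> dict:
    """Sign, try to edit a grandchild, try a foreign revoke, then admin-unlock and edit again."""
    assessment = build_sample_assessment()
    control = assessment.children[0].children[0]
    sign(assessment, "assessor", locks_configured)
    try:
        control.set_field("Effectiveness", "Ineffective")
        edit_blocked = False
    except ObjectLockedError:
        edit_blocked = True
    try:
        revoke_signature(assessment, "someone_else")
        wrong_user_revoked = True
    except PermissionError:
        wrong_user_revoked = False
    admin_unlock(assessment, "grc_admin", {"grc_admin"})
    control.set_field("Effectiveness", "Ineffective")
    return {
        "edit_blocked_while_signed": edit_blocked,
        "wrong_user_could_revoke": wrong_user_revoked,
        "signature_survives_admin_unlock": assessment.signer == "assessor",
        "edit_after_unlock": control.fields["Effectiveness"],
    }
```

Without locks the signed Control is edited freely, which is the "no enforcement powers" case; with locks the edit is refused until the administrator unlocks, and the Signature remains on record either way.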

Sub-Account
A Sub-Account represents a smaller, more targeted line item that is part of a larger parent Account (or of another Sub-Account). Each Sub-Account object can be associated with parent Account or Sub-Account objects.

Sub-Mandate
Sub-Mandates represent external (or internal) sub-items with which the organization needs to comply. Out of the box, the configuration directly supports content provided by Deloitte and UCF, and the configuration can be adapted to support content from other vendors. Typically, Sub-Mandates are represented in a Library Business Entity structure, and are not replicated throughout the system. Sub-Mandate is recursive, but Deloitte and UCF content use exactly one level of Sub-Mandate. Sub-Mandates also support content for regulatory compliance. Sub-Mandates can be used to represent paragraphs derived from regulatory papers. Paragraphs can be extracted from IBM Regulatory Compliance Analytics and populated as Sub-Mandates for regulatory compliance management.

Sub-Process
A Sub-Process is a component of a Process. It is used to divide Processes into smaller units for assessment purposes. For example, an order-to-cash financial Process might be composed of several Sub-Processes such as accounts payable, purchasing, and general accounting. Any of these Sub-Processes might expose the Business Entity to risk and can be improved using controls.

In OpenPages Internal Audit Management, this object is not used in audit scoping, but may be used in documenting Process details.

Test Plan
A Test Plan is a container for tests and can be associated with parent Control objects and child objects, such as Test Results and Issues. Determine the operating effectiveness of a Control by conducting detailed tests and then documenting the results. Test Plans describe the mechanisms that determine if a Control is effective. For example, a sample Control is: "Human Resources authorizes changes in employee status." A test for this control might be: "Verify HR authorization stamp on new employee records." The test verifies that the new Control is implemented and in use.

The default OpenPages Internal Audit Management configuration uses the Workpaper object in place of the Test Plan and Test Result. The Audit object needs access to these objects because they are often used to document business testing.

Test Result
A Test Result is the information obtained from running a test plan.

The default OpenPages Internal Audit Management configuration uses the Workpaper object in place of the Test Plan and Test Result. The Audit object needs access to these objects because they are often used to document business testing.

Waiver
Waivers give you the ability to document, process and manage the lifecycle of exceptions to Corporate Policies, InfoSec Policies, IT Policies or Regulatory Compliance Requirements. Waivers can be associated to Business Entities, Policies, Procedures, Requirements, Risks, Controls, Baselines and Resources.

Workpaper
A Workpaper is any artifact or deliverable you want to track in the scope of an audit. It can represent an engagement letter, a testing matrix, interview notes or anything else appropriate to the audit in question. The workpaper itself can be attributes stored on the Workpaper object, or it can be a Microsoft Word, Microsoft Excel or other type of file attached to a Workpaper object. When a Workpaper is used for test evidence, it documents both the test planning and the test results.

Create a Workpaper object from the detail page of an Audit Section. Workpaper objects can also be copied from a library, where they represent templates of different types of workpapers generated by an internal audit department.


Subcomponents
IBM OpenPages GRC Platform solutions consist of several subcomponents.

A subcomponent is a group of object types that supports a logical function within the solution.

The following table lists the subcomponents that are included by default.

The following acronyms are used in the table:
v FCM = IBM OpenPages Financial Controls Management
v ORM = IBM OpenPages Operational Risk Management
v PCM = IBM OpenPages Policy and Compliance Management
v ITG = IBM OpenPages IT Governance
v IAM = IBM OpenPages Internal Audit Management

Table 3. Subcomponents in OpenPages GRC Platform

Subcomponent            Object type label                                               Solutions (FCM ORM PCM ITG IAM)
Organization            Business Entity                                                 X X X X X
Preference              Preference Group, Preference                                    X X X X X
Risk Assessment         Risk Assessment, Risk Assessment Eval                           X X X X X
Process                 Process, Process Eval, Sub-Process, Control Objective           X X X X X
Risk                    Risk, Risk Eval                                                 X X X X X
Control                 Control, Control Eval                                           X X X X X
Test                    Test Plan, Test Result                                          X X X X X
Issue                   Issue, Action Item                                              X X X X X
Questionnaire           Questionnaire, Section, Question                                X X X X X
Milestone               Milestone, Milestone Action Item                                X X X X X
Visualization           Process Diagram, Data Input, Data Output                        X X X X X
Account                 Account, Sub-Account, Assertion                                 X
Scenario Analysis       Scenario Analysis, Scenario Result                              X
External Loss           ORX Loss, ORIC Loss, FIRST Loss                                 X
Loss Event              Loss Event, Loss Impact, Loss Recovery, Cost Center             X
Capital Modeling        Capital Model, Model Result                                     X
KRI                     KRI, KRI Value                                                  X X X
KPI                     KPI, KPI Value                                                  X X X
Regulatory Library      Mandate, Sub-Mandate, Requirement                               X X
Incident                Incident                                                        X X
Waiver                  Waiver                                                          X X
Policy                  Policy, Procedure, Policy Review Comment                        X
Policy Attestation      Policy, Procedure, Attestation                                  X
Campaign                Campaign, Employee, Attestation                                 X
Regulator Interaction   Regulator Interaction, Regulator, RI Category, RI Request       X
Regulatory Change       Regulatory Change, Regulation Applicability, Regulatory Task    X
ITG Policy              Policy, Procedure                                               X
Control Plan            Control Plan, Baseline                                          X
Resource                Resource, Resource Link                                         X
Annual Plan             Auditable Entity, Audit                                         X
Engagement Plan         Plan, Timesheet, Auditor                                        X
Findings                Finding                                                         X
Field Work              Audit Section, Workpaper, Audit Review Comment                  X

In addition to the subcomponents listed in the table, the following object types are included in each solution and can be accessed by any authorized user:
v Signature
v File
v Link

Chapter 3. Computed fields

IBM OpenPages GRC Platform solutions consist of several computed fields. A computed field is a read-only field whose value is derived from the values of other fields. Computed fields can contain data types such as Boolean, date, decimal, integer, and simple strings.

The following table lists the computed fields that are included for each solution by default.

The following acronyms are used in the table:
v FCM = IBM OpenPages Financial Controls Management
v ORM = IBM OpenPages Operational Risk Management
v PCM = IBM OpenPages Policy and Compliance Management
v ITG = IBM OpenPages IT Governance
v IAM = IBM OpenPages Internal Audit Management

Table 4. Computed fields in OpenPages GRC Platform solutions

Object type label        Field group         Field name                          Solutions (FCM ORM PCM ITG IAM)
Risk Assessment                              RCSA Completion Helper              X
    Creates a link that launches the RCSA Completion helper. This helper allows the RCSA Coordinator to complete the Risk Assessment and create an evaluation tree for historical referencing.
Risk Assessment                              RCSA Process Alignment Helper       X
    Creates a link that launches the RCSA Process Alignment helper. This helper allows the RCSA Coordinator to review the associated Processes, Risks, and Controls, and create further associations. The helper also sets the Processes, Risks, and Controls to a status of Awaiting Assessment.
Scenario Analysis                            Scenario Completion Helper          X
    Creates a link that launches the Scenario Completion helper. This helper is used to create Scenario Results after completion of a workshop. The Scenario Owner or Risk team can start the helper manually when scenario analysis is complete.
Attestation              OPSS-Attest         Policy Attestation                  X
    Creates a link that launches the Policy Awareness View helper.
Policy                   OPSS-Pol            Modify Policy                       X
    Creates a link that launches the Policy Editor helper.
Policy                   OPSS-Pol            View Policy                         X
    Creates a link that launches the Policy Viewer helper.
Policy                   OPSS-Pol            Open Policy for new Revision Cycle or Re-Open Policy for Additional Changes   X
    Creates a link that launches the Policy Editor helper.
Policy Review Comment    OPSS-PolRevComm     Review Policy                       X
    Creates a link that launches the Policy Review View helper.
Control Plan             OPSS-RiskEnt        Baselines                           X
    Creates a link to launch the Get Baselines helper.
Resource                 OPSS-Res            Resource Links                      X
    Creates a link to launch the Add a Resource Link helper.
Auditable Entity         OPSS-AudEnt         Weighted Risk Score                 X
    Calculates the sum of the products of each relevant Risk Factor value and its associated Risk Factor Weight. Risk Factor values are entered on the Auditable Entity. Risk Factor Weights are from the "nearest" Audit Risk Factor Preference object, matching the Audit Type specified on the Auditable Entity.
Audit                    OPSS-Aud            Close Audit                         X
    Creates a link to launch the Close Audit helper.
Audit                    OPSS-Aud            Plans                               X
    Creates a link to launch the Audit Launch helper.
Audit                                        Actual T&E                          X
    Calculates the sum of the T&E entries on all of the Timesheets for all of the Plans for this Audit.
Audit                                        Actual Hours                        X
    Calculates the sum of the Hours entries on all of the Timesheets for all of the Plans for this Audit.
Plan                     OPSS-Plan           Actual Hours                        X
    Calculates the sum of the T&E entries on all of the Timesheets for all of the Plans for this Audit.
Plan                     OPSS-Plan           Actual T&E                          X
    Calculates the sum of the Hours entries on all of the Timesheets for this Plan.

Note: OpenPages Policy and Compliance Management launches helper applications from URL fields. The computed fields are implemented as URL fields.
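The Weighted Risk Score computation from the table, together with the "nearest" Audit Risk Factor Preference lookup up the Business Entity hierarchy that the Preference and Preference Group entries describe, worked through as an added Python example (not product code). The hierarchy, audit types, factor names and weights are constructed sample data, and treating a Risk Factor that has no weight in the matching Preference as not relevant to the sum is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class AuditRiskFactorPreference:
    """Preference object holding the Risk Factor weights for one Audit Type."""
    audit_type: str
    weights: Dict[str, float]


@dataclass
class PreferenceGroup:
    """Groups Preference objects so that one association per Business Entity suffices."""
    name: str
    preferences: List[AuditRiskFactorPreference]


@dataclass
class BusinessEntity:
    name: str
    parent: Optional["BusinessEntity"] = None
    preference_groups: List[PreferenceGroup] = field(default_factory=list)

    def ancestry(self) -> Iterator["BusinessEntity"]:
        """This entity first, then each parent up to the root of the hierarchy."""
        node: Optional[BusinessEntity] = self
        while node is not None:
            yield node
            node = node.parent


@dataclass
class AuditableEntity:
    name: str
    business_entity: BusinessEntity
    audit_type: str
    risk_factors: Dict[str, float]  # Risk Factor values entered on the Auditable Entity


def nearest_preference(entity: BusinessEntity, audit_type: str) -> AuditRiskFactorPreference:
    """Closest Preference in the hierarchy whose Audit Type matches (child entity wins over parent)."""
    for node in entity.ancestry():
        for group in node.preference_groups:
            for pref in group.preferences:
                if pref.audit_type == audit_type:
                    return pref
    raise LookupError(f"no Audit Risk Factor Preference for {audit_type!r} at or above {entity.name}")


def weighted_risk_score(auditable: AuditableEntity) -> float:
    """Sum of value * weight over the Risk Factors that carry a weight (assumption: others are not relevant)."""
    pref = nearest_preference(auditable.business_entity, auditable.audit_type)
    return sum(value * pref.weights[factor]
               for factor, value in auditable.risk_factors.items()
               if factor in pref.weights)


def risk_ranking(auditables: List[AuditableEntity]) -> List[Tuple[str, float]]:
    """Annual Assessment Risk Ranking: highest weighted score first, name as tie-breaker."""
    scored = [(a.name, weighted_risk_score(a)) for a in auditables]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def build_sample() -> List[AuditableEntity]:
    """Constructed hierarchy Corp > Finance > Treasury; Finance overrides the Financial weights."""
    corp = BusinessEntity("Corp")
    corp.preference_groups.append(PreferenceGroup("Corp audit weights", [
        AuditRiskFactorPreference("Financial", {"Complexity": 3, "Change": 2, "Prior Findings": 5}),
        AuditRiskFactorPreference("Operational", {"Complexity": 2, "Change": 3, "Staff Turnover": 4}),
    ]))
    finance = BusinessEntity("Finance", parent=corp)
    finance.preference_groups.append(PreferenceGroup("Finance overrides", [
        AuditRiskFactorPreference("Financial", {"Complexity": 4, "Change": 1, "Prior Findings": 5}),
    ]))
    treasury = BusinessEntity("Treasury", parent=finance)  # no Preferences of its own
    return [
        AuditableEntity("Cash Management", treasury, "Financial",
                        {"Complexity": 2, "Change": 3, "Prior Findings": 1}),
        AuditableEntity("Data Center Operations", corp, "Operational",
                        {"Complexity": 3, "Change": 1, "Staff Turnover": 2}),
        # "Legacy" has no weight in the Operational Preference, so it does not count
        AuditableEntity("Treasury Systems", treasury, "Operational",
                        {"Complexity": 1, "Change": 1, "Staff Turnover": 1, "Legacy": 9}),
    ]
```

Cash Management picks up the Finance weights (2*4 + 3*1 + 1*5 = 16) rather than Corp's, while the Operational entities fall through to Corp because neither Treasury nor Finance defines Operational weights.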


Chapter 4. Helpers

IBM OpenPages GRC Platform solutions include several helpers.

The following table lists the helpers that are included for each solution by default.
v FCM = IBM OpenPages Financial Controls Management
v ORM = IBM OpenPages Operational Risk Management
v PCM = IBM OpenPages Policy and Compliance Management
v ITG = IBM OpenPages IT Governance
v IAM = IBM OpenPages Internal Audit Management

Table 5. Helpers in IBM OpenPages GRC Platform solutions

Helper                                                      Solutions (FCM ORM PCM ITG IAM)
“Scenario Completion helper” on page 30                     X
“KRI Value Creation utility” on page 30                     X X X
“KPI Value Creation utility” on page 30                     X X X
“RCSA Completion helper” on page 31                         X
“RCSA Process Alignment helper” on page 31                  X
“RCSA Launch Utility helper” on page 32                     X
“RCSA Site Sync helper” on page 32                          X
View Policy                                                 X
    Note: This helper and the Review Policy are the same helper. Each has a different function and depends upon where in the lifecycle the policy is.
Review Policy                                               X
    Note: This helper and the View Policy are the same helper. Each has a different function and depends upon where in the lifecycle the policy is.
“Compare Policy View helper” on page 33                     X
“Policy Unlock helper” on page 33                           X
Publishing Batch Notifications                              X
Policy Awareness View                                       X
Attestation Create Report                                   X
“Get Baselines helper” on page 35                           X
“Create Resource Links helper” on page 35                   X
“Close Audit helper” on page 35                             X
“Add or Modify Plans helper” on page 35                     X
“Timesheet Entry Report helper” on page 36                  X
“Administrator Timesheet Entry Report helper” on page 36    X


Scenario Completion helper
When the Scenario Workshop is complete, the Operational risk team or the Scenario Owner updates the Scenario outcomes on the Scenario object. To finalize the Scenario, the Owner runs the Scenario Completion helper.

As facilitators of the Scenario Analysis process, the Operational Risk Team completes most of the activities in IBM OpenPages GRC Platform. The helper completes the following steps:
1. Validates data.
2. Creates a Scenario Results object.
3. Populates Scenario Result fields from the Scenario Analysis.
4. Runs the Scenario Result Detail report and attaches it to the Scenario Result.

KRI Value Creation utility
After the Key Risk Indicator (KRI) is defined, the KRI Value Creation utility determines whether it must generate a KRI Value object as a child of the KRI object.

The KRI Value Creation utility generates blank KRI Value objects that must be captured in the following week. The utility is started as a weekly task that is scheduled to run overnight. However, an administrator can manually start it if the scheduled task does not start automatically.

The utility reviews the KRIs and identifies any KRIs that are due for collection in the next seven days. The KRIs are identified based on the KRI Frequency and the Frequency Offset data values. If the KRI is marked as Active, the KRI Value Creation utility generates a child KRI Value and populates the value with the following data:
v ID.
v Description, based on the parent KRI.
v KRI owner, based on the parent KRI. The owner is the user who records the KRI value in OpenPages GRC Platform.
v Expected capture date. This date is a read-only field and is based on the Frequency and Frequency Offset values.
v Status of KRI Value, which is set to Awaiting Collection.

If the KRI is marked as Inactive, the utility does not generate a blank value. The value object is initially set up as a placeholder with a status of Awaiting Collection.

KPI Value Creation utility
After the KPI is defined, the OpenPages GRC Platform helper function determines whether it must generate a KPI Value object as a child of the KPI.

The KPI Value Creation utility generates blank KPI Value objects that must be captured in the following week. The utility is started as a weekly task that is scheduled to run overnight. However, an administrator can manually start it if the scheduled task does not start automatically.

The utility reviews the KPIs and identifies any KPIs that are due for collection in the next seven days. The KPIs are identified based on the KPI Frequency and the Frequency Offset data values. If the KPI is marked as Active, the KPI Value Creation utility generates a child KPI Value and populates the value with the following data:
v ID.
v Description, based on the parent KPI.
v KPI owner, based on the parent KPI. The owner is the user who records the KPI value in OpenPages GRC Platform.
v Expected capture date. This date is a read-only field, which is based on the Frequency and Frequency Offset values.
v Status of KPI Value, which is set to Awaiting Collection.

If the KPI is marked as Inactive, the utility does not generate a blank value. The value object is initially set up as a placeholder with a status of Awaiting Collection.
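The KRI and KPI Value Creation utilities described above share one procedure, so this single added Python model (not product code) covers both: it selects Active indicators whose next expected capture date falls within the seven-day window and creates placeholder child values with status Awaiting Collection. The day-based reading of Frequency and Frequency Offset, the value ID scheme, the indicator records and the check that a manual re-run does not duplicate an already created placeholder are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Set, Tuple

AWAITING_COLLECTION = "Awaiting Collection"
LOOKAHEAD_DAYS = 7  # the utility picks up indicators due for collection in the next seven days


@dataclass(frozen=True)
class Indicator:
    """A KRI or KPI definition. Frequency and offset are modelled in days (assumption)."""
    id: str
    kind: str                   # "KRI" or "KPI"
    description: str
    owner: str
    active: bool
    frequency_days: int         # length of one collection period
    frequency_offset_days: int  # days after a period boundary at which the value is due
    anchor: date                # first period boundary


@dataclass(frozen=True)
class IndicatorValue:
    """Placeholder child value for the owner to fill in; frozen, so the capture date is read-only."""
    id: str
    parent_id: str
    description: str
    owner: str
    expected_capture_date: date
    status: str = AWAITING_COLLECTION


def next_expected_capture(ind: Indicator, not_before: date) -> date:
    """First capture date on or after not_before: anchor + offset, stepped forward by whole periods."""
    first = ind.anchor + timedelta(days=ind.frequency_offset_days)
    if not_before <= first:
        return first
    periods = -(-(not_before - first).days // ind.frequency_days)  # ceiling division
    return first + timedelta(days=periods * ind.frequency_days)


def run_value_creation(indicators: List[Indicator], run_date: date,
                       existing: Set[Tuple[str, date]]) -> List[IndicatorValue]:
    """One run of the utility. `existing` holds (parent id, expected date) pairs already created,
    so a manual re-run after a missed schedule does not duplicate placeholders (assumption)."""
    window_end = run_date + timedelta(days=LOOKAHEAD_DAYS)
    created: List[IndicatorValue] = []
    for ind in indicators:
        if not ind.active:          # Inactive indicators get no blank value
            continue
        due = next_expected_capture(ind, run_date)
        if due > window_end or (ind.id, due) in existing:
            continue
        created.append(IndicatorValue(
            id=f"{ind.id}-{due.isoformat()}",   # assumed id scheme
            parent_id=ind.id,
            description=ind.description,        # based on the parent indicator
            owner=ind.owner,                    # based on the parent indicator
            expected_capture_date=due,
        ))
    return created


# Constructed sample indicators; the run date 2015-03-02 is a Monday.
RUN_DATE = date(2015, 3, 2)
SAMPLE_INDICATORS = [
    Indicator("KRI-1", "KRI", "Failed privileged logins per week", "soc.lead", True, 7, 2, date(2015, 1, 5)),
    Indicator("KPI-2", "KPI", "Patch SLA compliance", "it.ops", True, 30, 0, date(2015, 1, 1)),
    Indicator("KRI-3", "KRI", "Quarterly open critical findings", "ciso", True, 91, 0, date(2015, 1, 1)),
    Indicator("KRI-4", "KRI", "Retired indicator", "soc.lead", False, 7, 2, date(2015, 1, 5)),
    Indicator("KRI-5", "KRI", "Already created this week", "soc.lead", True, 7, 2, date(2015, 1, 5)),
]
SAMPLE_EXISTING = {("KRI-5", date(2015, 3, 4))}  # placeholder created by an earlier run


def sample_run() -> List[IndicatorValue]:
    """Run the utility over the constructed sample."""
    return run_value_creation(SAMPLE_INDICATORS, RUN_DATE, SAMPLE_EXISTING)
```

KRI-1 is due on 2015-03-04 and KPI-2 on 2015-03-02, both inside the window; KRI-3 is not due until April, KRI-4 is Inactive, and KRI-5 already has its placeholder, so two values are created.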

RCSA Completion helperThe RCSA Completion helper allows the RCSA Coordinator to complete the RiskAssessment and create an evaluation tree for historical referencing.

The RCSA Coordinator receives a message that asks whether to proceed. When thecoordinator confirms the message, the helper completes the following actions:1. Sets the Risk Assessment status field to Approved.2. Creates the following linked structure for the child Evaluation record:v Risk Assessment Evaluationv Process Evaluationv Risk Evaluationv Control Evaluation

3. Copies key data to the new Evaluation records and makes secondaryassociations.You must specify which fields to copy (Settings menu).

RCSA Process Alignment helper
The RCSA Process Alignment helper allows the RCSA Coordinator to review the associated Processes, Risks, and Controls, and to create further associations. The helper also sets the Processes, Risks, and Controls to a status of Awaiting Assessment.

When the RCSA coordinator wants to begin the RCSA cycle, the coordinator can start the helper from a URL link on the Risk Assessment Detail Page.

The task-driven helper completes the following actions when it is started:
1. Adds or removes Processes, Risks, and Controls.
2. Reviews Process, Risk, and Control ownership.
3. Asks whether the RCSA Coordinator wants to start the Assessment.
   • If the coordinator responds Yes, the helper continues with the following processes:
     – Sets all Risks and Controls to Awaiting Assessment.
     – Sets the Submit for Approval field on the Risk object to No.
     – Sets the Approve/Reject field on the Risk object to a blank value.
     – Sets the Rejection Comments field on the Risk object to a blank value.
   • If the coordinator does not want to begin the RCSA cycle, the coordinator saves and closes the Assessment.

RCSA Launch Utility helper
The RCSA Launch Utility helper generates Risk Assessment objects for In scope entities.

The Launch Utility helper assists the administrator with starting the RCSA process in the following ways:
1. Creates a Risk Assessment under the Business Entity and associates all processes that are under that Business Entity to the Risk Assessment.
2. Asks for Risk Assessment details. The administrator provides values for fields on all generated Risk Assessments, such as Start Date, End Date, and Instructions / Guidance.
3. Identifies all In scope entities.
4. Generates a Risk Assessment object for each In scope entity.
5. Populates each Risk Assessment object with the values provided in step 2.
6. Sets the Risk Assessment status to Not Started and populates the RCSA Administrator field with the appropriate user name.
7. Sends the RCSA coordinator an email that informs the coordinator that the RCSA cycle can start. The administrator can specify the content of the email through the Settings page. The coordinator email uses information from the nearest Preference record that has the specified RCSA coordinator.

RCSA Site Sync helper
The RCSA Site Sync helper synchronizes Business instances of object data with values in a Library data structure.

When the helper starts, it identifies all changes to the Master/Library object. The helper uses a Library reference field as a common key and synchronizes all local instances of the object with the Master.

Policy Viewers
A series of Policy Viewers facilitate the process of creating, editing, reviewing, and approving policies and procedures. They aggregate multiple sections of a policy and its associated procedures into a single narrative view for editing, reviewing, and approving, while allowing customers to maintain standardization on a Policy template.

This helper has the following views:
• Modify Policy - Opened from a Policy object, Modify Policy is an editable view that allows a policy author and owner to create and edit a Policy object and its associated Procedures. The Modify Policy viewer is only used as part of the Datacentric approach to Policy Management.
• View Policy - Opened from a Policy object, View Policy is a read-only view that allows users to see a policy and its procedures in a formatted, narrative view (Datacentric and Hybrid approaches) or from a Policy Attachment link (Docucentric approach).
• Review Policy - Opened from a Policy Review Comment object, Review Policy is a role-based view that facilitates the review and approval process. In addition to displaying the Policy and Procedure objects, or the Policy Attachment link, it includes the Policy Review Comment object, which allows reviewers and approvers to submit feedback by either editing the Policy object directly or using the Comment form. Reviewers are presented with either an editable or read-only view of the policy and its procedures, depending on the parameter set in IBM OpenPages GRC Platform on the Settings page. Approvers are presented with a read-only view of the policy.

Configure this component to behave according to the customer methodology by using settings and application text settings.

Compare Policy View helper
The Compare Policy View helper enables users to view red-lined differences from one version of a policy to another. For example, a user can visually see the difference between a current draft of a policy and the published policy, or past expired versions.

The Compare Policy View is used with the Datacentric and Hybrid approaches.

Configure this component to behave as appropriate for the customer's methodology by using settings and application text settings.

Policy Unlock helper
The Policy Unlock helper is opened from the Policy object after the policy moves into the review and approval phase. The Policy Unlock helper unlocks the Policy object and its components (Procedures, Attachments, Policy Review Comments) for revision.

The Policy Unlock helper supports the three policy approaches: Datacentric, Docucentric, and Hybrid.

The Policy Unlock helper supports two use cases:
1. Reopening a Policy object for changes within a review cycle:
   • Sets the Approval Status to In Revision.
   • Unlocks any locked objects or attachments that are needed during the revision process.
   • Updates the version number.
2. Opening a Policy for a new revision cycle:
   • Sets the Approval Status to In Revision.
   • Unlocks the Policy object and its components (such as Procedures, Attachments).
   • Resets and clears fields such as Publishing Date, Publishing Status, Next Review Date.
   • Updates the version number.
   • Deletes or clears Policy Review Comment objects.
   • Sets a flag on the corresponding published policy to signify that the draft is In Revision.

IBM OpenPages GRC Platform or the customer can configure this component to meet the customer methodology by using settings and application text settings.

Publishing Batch Notification helper
The Publishing Batch Notification helper facilitates the process of promoting an approved draft policy to the published library, and moving the current published version to the expired library. It also retires a policy by moving the published policy to the expired library and deleting the draft. You can use the Publishing Batch Notification helper with the Datacentric, Docucentric, and Hybrid policy approaches.

The Publishing Batch Notification helper runs on a scheduled basis and performs the following tasks:
• Updates the draft Policy:
  – Sets fields on the draft policy such as Approval Status, Published Date, and Publishing Status.
  – Updates the version number according to the significance of the policy change.
• Promotes the published Policy object to the expired library:
  – Renames the Policy object (appends Expired – V#).
  – Sets Policy Location to Expired and specifies the expiration date.
  – Maintains approvals and associations with objects such as Entities and Mandates.
  – Removes hybrid policy attachments.
• Promotes the draft Policy object to the published library:
  – Sets Policy Location to Published.
  – Maintains approvals and associations with objects such as Entities and Mandates.
  – Maintains existing object associations (Risk Assessment) on the published Policy object.
• Sends emails upon successful publishing.

Configure this component to behave as appropriate for the customer methodology by using settings and application text settings.

Policy Awareness View helper
The Policy Awareness View helper is an intuitive view that allows employees (high volume, low touch users) to easily read a policy and its procedures in a narrative format. The employee attests to reading and understanding the policy.

The Policy Awareness View helper completes the following tasks:
• Displays the Policy and its Procedure objects in a single read-only, narrative form with the look and feel of a corporate policy.
• Enables employees to attest to the policy with a single click and no navigation.
• Enables employees to request an exception to the policy attestation requirement.

Configure this component to behave as appropriate for the customer methodology by using registry and application text settings.


Attestation Creation Report helper
The Attestation Creation Report helper is a scheduled notification. It can also be run from the Reporting menu (under the Attestation Reports menu).

This notification report supports the Policy Awareness capability. It is intended to run on a scheduled basis and completes the following tasks:
• Finds all Campaign objects with a status of Ready to Start that are associated to published policies.
• Finds all active employees that match the attestation requirements criteria defined on the Campaign object.
• Creates an Attestation record for each matching employee for that policy campaign.
• Drives the Attestation record to the employee's home page by using the configured Home page filtered list.
• Sends each employee an email notification that alerts them that an attestation is due.
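As an added example (not the guide's own text and not IBM's code), the batch below reproduces the selection rules of the Attestation Creation Report on constructed in-memory data: only campaigns that are Ready to Start and attached to a Published policy are processed, only active employees are matched against the campaign criteria, and one Attestation is created per matching employee per campaign. The representation of the criteria as a dict of required employee attributes, the (campaign, employee) key that makes a re-run idempotent, and all sample records and names are assumptions; the real helper operates on OpenPages objects and the Home page filtered list, which are not modelled here.

```python
"""Added example: an idempotent attestation-creation batch on constructed data.

Assumptions (not from the guide): campaign criteria are a dict of employee
attributes that must all match; an Attestation is keyed by
(campaign_id, employee_id) so a re-run never creates duplicates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    policy_id: str
    location: str            # "Published", "Draft" or "Expired"


@dataclass(frozen=True)
class Campaign:
    campaign_id: str
    policy_id: str
    status: str              # e.g. "Ready to Start"
    criteria: dict           # hypothetical: attribute -> required value


@dataclass(frozen=True)
class Employee:
    employee_id: str
    email: str
    active: bool
    attributes: dict


@dataclass(frozen=True)
class Attestation:
    campaign_id: str
    employee_id: str
    status: str = "Pending"


def matches(employee, criteria):
    """Every campaign criterion must equal the employee's attribute."""
    return all(employee.attributes.get(k) == v for k, v in criteria.items())


def run_attestation_batch(campaigns, policies, employees, existing):
    """Return (new attestations, notification emails) for one scheduled run.

    Campaigns not Ready to Start, or attached to a policy that is not
    Published, are ignored; inactive employees are ignored; a pair that
    already has an Attestation is skipped, so the batch is safe to re-run.
    """
    published = {p.policy_id for p in policies if p.location == "Published"}
    seen = {(a.campaign_id, a.employee_id) for a in existing}
    created, emails = [], []
    for c in campaigns:
        if c.status != "Ready to Start" or c.policy_id not in published:
            continue
        for e in employees:
            if not e.active or not matches(e, c.criteria):
                continue
            if (c.campaign_id, e.employee_id) in seen:
                continue
            seen.add((c.campaign_id, e.employee_id))
            created.append(Attestation(c.campaign_id, e.employee_id))
            emails.append((e.email, f"Attestation due for campaign {c.campaign_id}"))
    return created, emails


# Constructed sample data (not real OpenPages records).
POLICIES = [Policy("POL-1", "Published"), Policy("POL-2", "Draft")]
CAMPAIGNS = [
    Campaign("CMP-1", "POL-1", "Ready to Start", {"department": "IT"}),
    Campaign("CMP-2", "POL-2", "Ready to Start", {}),   # draft policy: skipped
    Campaign("CMP-3", "POL-1", "Completed", {}),        # wrong status: skipped
]
EMPLOYEES = [
    Employee("E1", "a@example.com", True, {"department": "IT"}),
    Employee("E2", "b@example.com", True, {"department": "HR"}),   # no match
    Employee("E3", "c@example.com", False, {"department": "IT"}),  # inactive
    Employee("E4", "d@example.com", True, {"department": "IT"}),
]
EXISTING = [Attestation("CMP-1", "E4")]   # created by a previous run


def demo():
    """One scheduled run over the sample data."""
    return run_attestation_batch(CAMPAIGNS, POLICIES, EMPLOYEES, EXISTING)


if __name__ == "__main__":
    new, mail = demo()
    for a in new:
        print(a)
    for to, subject in mail:
        print(to, subject)
```

The `existing` set is what keeps a scheduled job from re-notifying everyone when it runs again before employees respond; without it, every run would create a duplicate record and a duplicate email for each matching employee.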

Get Baselines helper
Launched from a computed field link on the Control Plan object, this helper copies the selected Baseline from the Library to the IT operating environment, and copies, or creates and pre-populates, descendant Risks, Controls, and Test Plans. The helper creates associations from the new elements back to the Library elements and writes status information to the Additional Description field on the created Baseline.

Create Resource Links helper
Launched from a computed field link on the Resource object, this helper creates a Resource Link as a child of the starting Resource and as a child of the selected Resource. The helper pre-populates fields on the created Resource Link object.

Close Audit helper
Launched from a computed field link on the Audit object, the Close Audit helper facilitates automation of the Audit Close process.

It provides a summary, and optionally details, of the readiness-for-close status of the audit from which the helper was launched and of all of its components. When all components are ready, it provides a Close Audit button that automates the actions taken when an audit is closed, such as setting and clearing field values, deleting object instances, and locking objects.

Configure this component to behave as appropriate for the customer methodology by using the registry and application text settings.

Add or Modify Plans helper
Launched from a computed field link on the Audit object, the Add or Modify Plans helper facilitates creating and editing Audit Plans. It finds and populates Auditors to assign to the Plans.

These processes are time consuming, error prone, and cumbersome to perform with the platform user interface.

The helper provides a summary of, and the ability to modify, the existing Plans for this Audit. It provides the ability to add a new Plan for this Audit. It also enables searching the Auditor pool, or a selected portion of it, for Auditors who match the skills, attributes, and availability requirements that are identified in the Plan. It provides the ability to view details of other Plans for each found Auditor, and to select and auto-populate the appropriate auditor from the search results.

Configure this component to behave as appropriate for the customer methodology by using the registry and application text settings.

Timesheet Entry Report helper
Launched from the Reporting menu, the Timesheet Entry Report helper allows an Auditor to enter or review their time.

It defaults to the current week. Weeks start on Mondays, which is consistent with the Gantt chart reports. This interactive report is used for reviewing your previously entered time and expenses, and also for entering your actual time and expenses. The report automatically filters itself to the current user, and to include Plans for which the user is the assigned Auditor.

The user can move to a different nearby week by using the Previous Week and Next Week buttons. The user can move to a week that is not nearby by using a calendar widget to select a date in the desired week and then clicking the Go To Week button.

Time and expenses can be entered only against Plans with assigned Auditors. Navigate to the week for which you want to enter or view time and expenses. There is no restriction on creating or editing Timesheets in advance or in arrears other than by Status: Timesheet rows with Status Submitted or Approved cannot be edited.

When you click Save, Timesheet objects are created and populated for any new rows, and values are saved in any existing Timesheets. T&E expenses are a single entry per row per week; they are not broken down into expense categories. T&E is always entered and displayed in Base Currency.

Configure this component as appropriate for the customer methodology. Do not configure it as an embedded home page report. If you do, it uses the entire home page and prevents the user from accessing the underlying content.

Administrator Timesheet Entry Report helper
Launched from the Reporting menu, the Administrator Timesheet Entry Report helper is an extension of the Timesheet Entry Report helper that includes a scoping page, which allows a user with access to this report to select a different user for whom to enter time.

The Administrator version of the helper includes Approve and Reject buttons and associated functionality.

Configure this component to behave as appropriate for the customer methodology. Do not configure it as an embedded home page report. If you do, it uses the entire home page and prevents the user from accessing the underlying content.


Chapter 5. Notifications

Notifications are emails that are sent to owners of a process as a reminder to act. These notifications can occur at different stages of a process or as a final step in a trigger.

The OpenPages GRC Platform Issue Management and Remediation Details document and the OpenPages GRC Platform Metrics Details document provide more details on the items listed in this topic.

All notifications that are sent from IBM OpenPages GRC Platform solutions use the following sender address. Configure the email address and server settings, using the appropriate solution abbreviation:
• /OpenPages/Solutions/ORM/Email/From Email - the sender address that is used to send notifications.
• /OpenPages/Solutions/ORM/Email/From Name - configure this item to identify the email sender name that is used by notifications.
• /OpenPages/Common/Email/Mail Server - configure this item to identify the email server that is used to send notifications.

OpenPages GRC Platform solutions consist of several notifications. The following table lists the notifications that are included for each solution by default.
• FCM = IBM OpenPages Financial Controls Management
• ORM = IBM OpenPages Operational Risk Management
• PCM = IBM OpenPages Policy and Compliance Management
• ITG = IBM OpenPages IT Governance
• IAM = IBM OpenPages Internal Audit Management

Table 6. Notifications in IBM OpenPages GRC Platform solutions

Notification                            FCM  ORM  PCM  ITG  IAM
Issue and Action Bulletin notification   X    X    X    X    X
KPI Reminder notification                     X    X    X
KPI Breach notification                       X    X    X
KRI Reminder notification                     X    X    X
KRI Breach notification                       X    X    X

Issue and Action Bulletin notification
During the closedown phase of the Issue Management and Remediation (IMR) process, an Issue and Action Bulletin is sent as an email notification to the users. The bulletin highlights important areas such as overdue issues and actions that are due for closure. The administrator can set the frequency of this notification by using the Issue Management and Remediation (IMR) bulletin.


KPI Reminder notification
The KPI Reminder notification is an email that is sent to the KPI owner. It contains a list of all KPI values that the owner or recipient is required to capture in the next seven days.

KPI Breach notification
The KPI Breach notification sends an email to the Risk Owner when a KPI breach status changes from Green to Red or from Amber to Red.

The KPI Breach notification is started by the KPI Lifecycle trigger. The email notification contains a link to the KPI that is in breach and advises the Risk Owner to review the breach and take appropriate actions.

KRI Reminder notification
The KRI Reminder notification is an email that is sent to the KRI owner. It contains a list of all KRI values that the owner or recipient is required to capture in the next seven days.

KRI Breach notification
The KRI Breach notification sends an email to the Risk Owner when a KRI breach status changes from Green to Red or from Amber to Red.

The KRI Breach notification is started by the KRI Lifecycle trigger. The email notification contains a link to the KRI that is in breach and advises the Risk Owner to review the breach and take appropriate actions.
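The following is an added example, not part of the guide and not IBM's code, that sketches the indicator value lifecycle described in the Key Performance Indicators section and in the four notifications above: blank value placeholders with an expected capture date derived from Frequency and Frequency Offset (and none for an Inactive indicator), the list of values due in the next seven days that feeds the reminder, and the status transitions that start a breach notification. The period lengths (Weekly, Monthly, Quarterly as 7, 30 and 90 days), the reading of Frequency Offset as a number of days added to each period boundary, and the sample indicators are assumptions; the guide does not define them.

```python
"""Added example: KPI/KRI placeholder generation, reminder window and
breach transitions on constructed data.

Assumptions not stated by the guide: Frequency is Weekly, Monthly or
Quarterly (7/30/90-day periods); Frequency Offset is a number of days
added to each period boundary; the reminder window is seven days.
"""
from dataclasses import dataclass
from datetime import date, timedelta

PERIOD_DAYS = {"Weekly": 7, "Monthly": 30, "Quarterly": 90}   # assumption


@dataclass
class Indicator:
    name: str
    owner: str
    frequency: str
    frequency_offset: int      # days; assumption
    active: bool = True


@dataclass
class IndicatorValue:
    indicator: str
    owner: str                 # the user who records the value
    expected_capture_date: date
    status: str = "Awaiting Collection"


def generate_placeholders(indicator, start, end):
    """Blank value objects for every expected capture date in [start, end].

    An Inactive indicator gets no placeholders, matching the guide's note
    that the utility does not generate a blank value for an Inactive KPI.
    """
    if not indicator.active:
        return []
    period = PERIOD_DAYS[indicator.frequency]
    values = []
    due = start + timedelta(days=indicator.frequency_offset)
    while due <= end:
        values.append(IndicatorValue(indicator.name, indicator.owner, due))
        due += timedelta(days=period)
    return values


def reminder_list(values, today, window_days=7):
    """Values still Awaiting Collection that fall due within the window."""
    horizon = today + timedelta(days=window_days)
    return [v for v in values
            if v.status == "Awaiting Collection"
            and today <= v.expected_capture_date <= horizon]


# Only these transitions start a breach notification, per the guide.
BREACH_TRANSITIONS = {("Green", "Red"), ("Amber", "Red")}


def breach_notification_due(previous, current):
    """True only for Green->Red and Amber->Red; Red staying Red or
    Green moving to Amber sends nothing."""
    return (previous, current) in BREACH_TRANSITIONS


def demo():
    """Constructed sample: one weekly KPI and one inactive KPI in March 2015."""
    kpi = Indicator("Patch SLA compliance", "alice", "Weekly", 2)
    inactive = Indicator("Retired metric", "bob", "Monthly", 0, active=False)
    start, end = date(2015, 3, 1), date(2015, 3, 31)
    values = (generate_placeholders(kpi, start, end)
              + generate_placeholders(inactive, start, end))
    due_soon = reminder_list(values, date(2015, 3, 9))
    return values, due_soon


if __name__ == "__main__":
    all_values, soon = demo()
    for v in all_values:
        print(v.indicator, v.expected_capture_date, v.status)
    print("due in next 7 days:", [v.expected_capture_date for v in soon])
    print("Amber->Red notifies:", breach_notification_due("Amber", "Red"))
```

Keeping the transition set explicit is the point of `breach_notification_due`: a naive "notify whenever the status is Red" check would re-send on every capture while the indicator stays Red, which is not what the guide describes.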


Chapter 6. Reports

IBM OpenPages GRC Platform solutions consist of several reports.

The OpenPages GRC Solutions Report Details document provides additional details on the reports listed in this topic. There are additional reports installed with the OpenPages GRC Platform and available to all solutions, which are described in the IBM OpenPages GRC Platform Administrators Guide.

The following tables list the reports that are included with each solution by default.
• FCM = IBM OpenPages Financial Controls Management
• ORM = IBM OpenPages Operational Risk Management
• PCM = IBM OpenPages Policy and Compliance Management
• ITG = IBM OpenPages IT Governance
• IAM = IBM OpenPages Internal Audit Management

Table 7. Risk Assessment reports in IBM OpenPages GRC Platform solutions

Report                                   FCM  ORM  PCM  ITG  IAM
Risk Assessment List                      X    X    X    X    X
Risk Assessment Status                    X    X    X    X    X
Risk Assessment Summary                   X    X    X    X    X
Risk Assessment Issues and Action Items   X    X    X    X    X

For more information related to the previous table, see "Risk assessment reports" on page 42.

Table 8. Risk reports in IBM OpenPages GRC Platform solutions

Report                   FCM  ORM  PCM  ITG  IAM
Risk Analysis             X    X    X    X    X
Risk Heat Map             X    X    X    X    X
Risk Rating by Entity     X    X    X    X    X
Risk Rating by Category   X    X    X    X    X
Top Risks                 X    X    X    X    X

For more information related to the previous table, see "Risk reports" on page 42.

Table 9. Control reports in IBM OpenPages GRC Platform solutions

Report                     FCM  ORM  PCM  ITG  IAM
Risk and Control Matrix     X    X    X    X    X
Control Effectiveness Map   X    X    X    X    X

For more information related to the previous table, see "Control reports" on page 43.

Table 10. Testing reports in IBM OpenPages GRC Platform solutions

Report             FCM  ORM  PCM  ITG  IAM
Testing Dashboard   X    X    X    X    X

For more information related to the previous table, see "Testing reports" on page 43.

Table 11. Visualization reports in IBM OpenPages GRC Platform solutions

Report            FCM  ORM  PCM  ITG  IAM
Process Analysis   X    X    X    X    X

For more information related to the previous table, see "Visualization reports" on page 44.

Table 12. Indicator reports in IBM OpenPages GRC Platform solutions

Report         FCM  ORM  PCM  ITG  IAM
KRI Dashboard        X    X    X
KPI Dashboard        X    X    X

For more information related to the previous table, see "Indicator reports" on page 44.

Table 13. Loss Event reports in IBM OpenPages GRC Platform solutions

Report                FCM  ORM  PCM  ITG  IAM
Loss Event Dashboard        X
Loss Event Summary          X
Loss Event Trend            X
Risk vs Loss                X

For more information related to the previous table, see "Loss Event reports" on page 44.

Table 14. Issue Management and Remediation reports in IBM OpenPages GRC Platform solutions

Report                       FCM  ORM  PCM  ITG  IAM
ORM Issue Dashboard                X
ORM Issues and Action Items        X

For more information related to the previous table, see "Issue Management and Remediation reports" on page 45.

Table 15. Scenario Analysis reports in IBM OpenPages GRC Platform solutions

Report            FCM  ORM  PCM  ITG  IAM
Scenario Summary        X

For more information related to the previous table, see "Scenario Analysis reports" on page 45.

Table 16. Capital Modeling reports in IBM OpenPages GRC Platform solutions

Report                                   FCM  ORM  PCM  ITG  IAM
Capital Contribution by Business Entity        X
Capital Contribution by Risk Category          X

For more information related to the previous table, see "Capital modeling reports" on page 45.

Table 17. Regulatory Compliance reports in IBM OpenPages GRC Platform solutions

Report                                    FCM  ORM  PCM  ITG  IAM
Process Control Effectiveness by Mandate             X
Regulatory Applicability Matrix                      X

For more information related to the previous table, see "Regulatory Compliance reports" on page 46.

Table 18. IT Asset reports in IBM OpenPages GRC Platform solutions

Report        FCM  ORM  PCM  ITG  IAM
Baseline                      X
Control Plan                  X

For more information related to the previous table, see "IT Asset reports" on page 46.

Table 19. IT Compliance reports in IBM OpenPages GRC Platform solutions

Report                               FCM  ORM  PCM  ITG  IAM
IT Control Effectiveness by Mandate                  X
Requirements Library                                 X
UCF Requirements Library                             X

For more information related to the previous table, see "IT Compliance reports" on page 47.

Table 20. Audit Management reports in IBM OpenPages GRC Platform solutions

Report                         FCM  ORM  PCM  ITG  IAM
Audit Universe                                       X
Audit Plan                                           X
Auditor Plan                                         X
Audit Overview                                       X
Internal Audit Report                                X
Audit Deviation                                      X
Auditor Deviation                                    X
Timesheet Entry                                      X
Administrator Timesheet Entry                        X

For more information related to the previous table, see "Audit Management reports" on page 48.

Risk assessment reports
Risk assessment reports provide support for management by driving better decision-making that leads to action. These reports are a part of the action stage of the Risk and Control Self-assessment (RCSA) process.

The following table describes the available risk assessment reports. Users can drill through some reports to detail information.

Table 21. Risk assessment reports

Risk Assessment List
  Description: Shows Risk Assessment details for a specified Business Entity and all of its descendants.

Risk Assessment Status
  Drill-through report: Risk Assessment Status Detail
  Description: Shows a stacked column chart showing the status of Risk Assessments for the specified Business Entity and its direct descendants.

Risk Assessment Summary
  Drill-through report: Risk Assessment Issues and Action Items
  Description: Shows Risk Assessment details along with all associated Risks and Controls. A drill-through report shows Issues and Action Items that are related to the Risk Assessments, Risks, or Controls.

Risk Assessment Issues and Action Items
  Description: Shows all Issues and Action Items that are related to the selected Risk Assessment and its associated Risks and Controls. Parent Object shows only the Risk Assessment, Risk, and Control parents. The report prompts for two values: Business Entity and Risk Assessment. Data is filtered on the selected entity. Users can select from all Risk Assessments that are associated, whether directly or indirectly, to the selected Business Entity.

Risk reports
Risk reports are available in IBM OpenPages GRC Platform solutions. Users can drill through some reports to detail information.

Table 22. Risk reports

Risk Analysis
  Description: Shows Risks grouped by Process for a specified Business Entity.

Risk Heat Map
  Drill-through report: Risk Detail
  Description: Shows a table that aggregates Risks by Residual Impact and Likelihood for a specified Business Entity.

Risk Rating by Entity
  Drill-through report: Risk Rating by Entity Detail
  Description: Shows Residual Risk Rating summary information for the selected Business Entity and its descendants. A drill-through report shows Risk details.

Risk Rating by Category
  Drill-through report: Risk Rating by Category Detail
  Description: Shows Risk Category and Residual Risk Rating summary information for the selected Business Entity. A drill-through report shows Risk details.

Top Risks
  Description: Shows a summary of the top Risks ranked by Residual Risk Exposure, and also shows the Inherent Risk Exposure. By default, Risk quantitative assessment fields are not included in the following solutions, so this report may not be appropriate for users of these solutions:
  • IBM OpenPages Policy and Compliance Management
  • IBM OpenPages Financial Controls Management
  • IBM OpenPages IT Governance

Control reports
Control reports are available in IBM OpenPages GRC Platform solutions. Users can drill through from some reports to detail information.

Table 23. Control reports

Risk and Control Matrix
  Description: Shows Risk and Control data for the specified Business Entity and Processes.

Control Effectiveness Map
  Drill-through report: Control Effectiveness Detail
  Description: Shows counts of Controls grouped by Processes and Operating Effectiveness. A drill-through report contains more detail.

Testing reports
Testing reports are available in IBM OpenPages GRC Platform solutions. Users can drill through to detail information.

Table 24. Testing reports

Testing Dashboard
  Drill-through report: Testing Dashboard Detail
  Description: Shows summary Test Result information for the selected Business Entity. A drill-through report shows detail and trend information.

Visualization reports
Visualization reports are available in IBM OpenPages GRC Platform solutions. Users can drill through to detail information.

Table 25. Visualization reports

Process Analysis
  Drill-through reports: Business Process Flow diagram; Business Entity Hierarchy diagram; Risk Heat Map
  Description: Shows Risks and Controls in the context of a process diagram. Provides an aggregated view of Risks and Controls with risk rating and control effectiveness at the Process and Business Entity level.

Indicator reports
Reporting is the final stage of the Key Risk Indicator (KRI) or Key Performance Indicator (KPI) cycle. After the owner defines the KRIs or KPIs and captures their values, standard indicator reports provide summary information for the selected business entities.

The following table describes the Indicator reports available in the IBM OpenPages Operational Risk Management, IBM OpenPages Policy and Compliance Management, and IBM OpenPages IT Governance solutions. Users can drill through to detail information.

Table 26. Indicator reports

KRI Dashboard
  Drill-through report: KRI Dashboard Detail
  Description: Displays summary KRI information for the selected Business Entity and its descendants. A drill-through report shows detail and trend information.

KPI Dashboard
  Drill-through report: KPI Dashboard Detail
  Description: Displays summary KPI information for the selected Business Entity and its descendants. A drill-through report shows detail and trend information.

Loss Event reports
Loss Event reports ensure that information about loss events is collected consistently across the organization.

The following table describes the Loss Event reports available in IBM OpenPages Operational Risk Management. Users can drill through from some reports to detail information.

Table 27. Loss Event reports

Loss Event Dashboard
  Drill-through report: Loss Event Dashboard Detail
  Description: Shows the count of Loss Events for the selected Business Entity and its descendants, broken out by Status and Risk Category. A drill-through report shows detail information.

Loss Event Summary
  Drill-through report: Loss Event Detail
  Description: Shows a column chart (representing entities) showing Net Loss broken out by Risk Category. A drill-through report shows Loss Event details.

Loss Event Trend
  Drill-through report: Loss Event Trend Detail
  Description: Shows the trend of Net Loss by Risk Category for a specified Business Entity.

Risk vs Loss
  Description: Shows the annual Net Loss of a Business Entity for a specified date compared with the current Residual Risk Exposure.

Issue Management and Remediation reports
Issues are items that are identified against the documented framework. They are deemed as negatively affecting the ability to accurately manage and report risk.

The following table describes the issue management and remediation reports available in IBM OpenPages Operational Risk Management. Users can drill through from some reports to detail information. For users of other solutions, there are two platform reports: Issues List and Issues and Action Items.

Table 28. Issue Management and Remediation reports

ORM Issue Dashboard
  Drill-through report: Issue Dashboard Detail
  Description: Shows a graphical representation of the number of issues by status. The report is scoped on the entity object and date range.

ORM Issues and Action Items
  Description: Variant of the Issue Dashboard Detail report. Shows summary information on the associated action items.

Scenario Analysis reports
Scenarios involve the quantification of significant events (impacts and frequencies for potential events) that can be realized for an organization. The analysis captures the what-if scenarios of losses. The scenario analysis reports support the review of existing scenarios for each Business unit.

The following table describes the scenario analysis reports available in IBM OpenPages Operational Risk Management. Users can drill through to detail information.

Table 29. Scenario Analysis reports

Scenario Summary
  Drill-through report: Scenario Result Detail
  Description: Shows all Scenarios by Entity. Details include ID, Description, Status, and Owner.

Capital modeling reports
Capital modeling reports provide information about capital contributions.

The following table describes the capital modeling reports available in IBM OpenPages Operational Risk Management.

Table 30. Capital Modeling reports

Capital Contribution by Business Entity
  Description: Displays the capital contribution to the overall Firm capital by each Business Entity.

Capital Contribution by Risk Category
  Description: Displays the capital contribution to the overall Firm capital by each Risk Category.

Regulatory Compliance reports

The following table describes the Regulatory Compliance reports available in IBM OpenPages Policy and Compliance Management. Users can drill through from some reports to detail information.

Table 31. Regulatory Compliance reports

  Process Control Effectiveness by Mandate
    Drill-through report: Process Control Effectiveness by Sub-Mandate
    Description: For a selected Business Entity, the report shows associated Mandates with the percentage of Effective Controls associated to Processes. A drill-through report shows detail information.

  Regulatory Applicability Matrix
    Description: Shows a matrix view of the Mandates and the Business Entities to which they apply.

IT Asset reports

The following table describes the IT Asset reports available in IBM OpenPages IT Governance.

Table 32. IT Asset reports

  Baseline
    Description: Shows key attributes of the selected Baseline, along with associated Requirements, and recommended Control Activities and Test Procedures.

  Control Plan
    Description: Shows key attributes of the selected Control Plan, along with associated Baselines, their Requirements, and recommended and implemented Control Activities and Test Procedures.


IT Compliance reports

The following table describes the IT Compliance reports available in IBM OpenPages IT Governance. Users can drill through from some reports to detail information.

Table 33. IT Compliance reports

  IT Control Effectiveness by Mandate
    Drill-through report: IT Control Effectiveness by Sub-Mandate
    Description: For a selected Business Entity, the report shows associated Mandates with the percentage of Effective Controls associated to Control Plans. A drill-through report shows detail information.

    The report looks at IT operating environment Controls that are shared between Mandates and Baselines in the IT operating environment. It provides a view of Control Operating Effectiveness by Mandate. One sub-report drills through for the selected Mandate to show Control Operating Effectiveness by Sub-Mandate. The other sub-report drills through for the selected Mandate to show Test Results grouped by Resource (type=Application), which gives a view of how compliant each application is. This report is always run from the IT operating environment (it filters out the Library Business Entity).

  Requirements Library
    Description: For the selected Requirements, the report shows all applicable laws and regulations.

    It reports the hierarchy upwards from the Requirements that fit the prompt scoping to the Sub-Mandates and Mandates that each of those Requirements satisfies. This shows that meeting one Requirement satisfies many laws. The report has one page per Requirement and its associated Mandates. This report is run from the Library.

  UCF Requirements Library
    Description: For the selected UCF Harmonized Controls, the report shows all applicable Authority Documents.


Audit Management reports

The following table describes the Audit Management reports available in IBM OpenPages Internal Audit Management. Users can drill through from some reports to detail information.

Table 34. Audit Management reports

  Audit Universe
    Description: For the selected audit organization, this report shows Auditable Entities, including risk ranking and previous audit results.

    Scoped by Business Entity; the user can choose the sort order. If the selected Business Entity is in the Internal Audit business hierarchy, the report shows the portion of the audit universe that is owned by that internal audit team. If the Business Entity is in the organizational hierarchy, the report shows elements of the audit universe that are associated with that Business Entity or any descendant Business Entities. This report is used in the early annual planning stages to determine which elements of the audit universe to audit this year.

  Audit Plan
    Drill-through report: Audit Plan Detail
    Description: For the selected audit organization and date range, this report provides a Gantt chart view of the Audit Plan.

    Scoped by Business Entity and Date Range; the user can choose to display information by days, weeks, months, or quarters. The selected date range displays the current year plan, a 3- or 5-year plan, or a planning time frame. When viewing the report, use Detail View to show details for each scheduled audit for each Auditable Entity, or Summary View to see a roll-up of the audits for each Auditable Entity. If the Audit Scheduled Start Date and Scheduled End Date overlap with a cell, the entire cell is highlighted. Summary cells shown in red indicate that more than one audit is scheduled during that time for that Auditable Entity. The report is filtered to include only Audits whose status is Planned or Scheduled.

  Auditor Plan
    Drill-through report: Auditor Plan Detail
    Description: For the selected audit organization, Auditors, and date range, this report provides a Gantt chart view of Plans.

    Scoped by Business Entity, Auditor, and Date Range; you can display information by days, weeks, months, or quarters. The Auditors available are those who are associated with the selected Business Entity or its descendants. The selected date range displays the current year plan or a planning time frame. When viewing the report, you can toggle between Detail View (details for each Plan for each Auditor) and Summary View (only a roll-up of the Plans for each Auditor). If an Auditor is scheduled for more than one Plan in a given column, the entire cell is highlighted. Summary cells shown in red indicate more than one Plan assigned during that time for that Auditor. The report does not use the Percent Allocated information on the Plan to determine whether there is a conflict.

  Audit Overview
    Drill-through reports: Audit Findings Detail; Audit Issues Detail; Audit Review Comments Detail
    Description: For the selected Audit, view the status of its Audit Sections and Workpapers, and view associated Findings, Issues, and Audit Review Comments.

    Scoped by Audit, the report includes Findings, Issues, and Review Comments that are direct children of the Audit, its Sections, and its Workpapers. Clicking the number of Issues, Findings, or Audit Review Comments starts a detail report, which includes more details and provides links to the objects in the application.

  Internal Audit Report
    Description: Complete report for the selected Audit, including an executive summary and associated Findings and Issues.

    Scoped by Auditable Entity and then by Audit. Includes Findings associated to the Audit, Audit Sections, and Workpapers, and Issues associated with the Audit.

  Audit Deviation
    Description: For the selected Audit, view its Plans and Audit Sections, including schedule and budget information, with highlights for significant deviations.

    This report lists the Plans and Sections for the selected Audit. It includes schedule and budget information and highlights significant deviations. Cells shown in yellow indicate missing key information. Cells shown in red indicate an unfavorable deviation from plan of more than 20%. Scoped by Auditable Entity and then by Audit. Includes the selected Audit, and the Plans and Audit Sections associated directly to the Audit.

  Auditor Deviation
    Description: For the selected Auditors, view their planned and actual dates, hours, and expenses.

    Scoped by the Auditors' Business Entity, Auditor, and Date Range. The Auditors available are those who are associated with the selected Business Entity or its descendants. The selected date range lets you view a particular time frame. The report shows Plans for each selected Auditor, including the Scheduled, Expected, and Actual Start and End Dates, the number of planned hours for each, the number of actual timesheet hours, and the amount of planned and actual T&E recorded against each Plan during each time period. Cells shown in red indicate amounts that are 20% or more larger than planned amounts. Includes all Plans where the Auditor is the selected Auditor; Plans that do not have an assigned Auditor are not included in this report. The report includes a summary row for each Auditor and for the entire report. It defaults to HTML format and is also available in Microsoft Excel format.

  Timesheet Entry
    Description: See "Timesheet Entry Report helper" on page 36.

  Administrator Timesheet Entry
    Drill-through report: Timesheet Entry
    Description: See "Administrator Timesheet Entry Report helper" on page 36.


Chapter 7. Triggers

The IBM OpenPages GRC Platform solutions include several triggers.

The OpenPages GRC Platform Solution Trigger Details document provides more details on the triggers listed in this topic.

The following table lists the triggers that are included with each solution by default.
- FCM = IBM OpenPages Financial Controls Management
- ORM = IBM OpenPages Operational Risk Management
- PCM = IBM OpenPages Policy and Compliance Management
- ITG = IBM OpenPages IT Governance
- IAM = IBM OpenPages Internal Audit Management

Table 35. Triggers in IBM OpenPages GRC Platform solutions

In this extraction the column positions of rows that are marked for fewer than all five solutions were lost; those rows show only how many solutions are marked.

  "Issue Management and Remediation triggers" on page 52: FCM, ORM, PCM, ITG, IAM
  "Risk and Control Self-assessments triggers" on page 53: FCM, ORM, PCM, ITG, IAM
  "Visualization triggers" on page 54: FCM, ORM, PCM, ITG, IAM
  "KRI and KPI Lifecycle triggers" on page 54: three solutions
  "Loss Event Lifecycle triggers" on page 54: one solution
  (trigger name not recoverable from the extraction): FCM, ORM, PCM, ITG, IAM
  "Policy Import trigger" on page 55: one solution (its own topic identifies it as a Policy and Compliance Management trigger)
  "Policy Lock trigger" on page 56: one solution
  "Audit Risk Rating Computations trigger" on page 57: one solution
  "Audit Close Automation trigger" on page 57: one solution

Object types that contain triggers

Before you use the ObjectManager tool to load XML instance data, disable triggers on any object types for which you want to load data.

The following table lists the object types for which triggers are included by default.

Table 36. Object types that contain triggers in IBM OpenPages GRC Platform solutions

As in Table 35, the column positions of rows marked for fewer than all five solutions were lost in this extraction; those rows show only how many solutions are marked.

  Data Input: FCM, ORM, PCM, ITG, IAM
  Data Output: FCM, ORM, PCM, ITG, IAM
  Risk: FCM, ORM, PCM, ITG, IAM
  Issue: FCM, ORM, PCM, ITG, IAM
  Action Item: FCM, ORM, PCM, ITG, IAM
  Loss Event: one solution
  Loss Impact: one solution
  Loss Recovery: one solution
  KPI Value: three solutions
  KRI Value: three solutions
  File (SOXDocument): one solution
  Policy: one solution
  Audit: one solution
  Audit Review Comment: one solution
  Audit Section: one solution
  Finding: one solution
  Plan: one solution
  Timesheet: one solution
  Workpaper: one solution

Issue Management and Remediation triggers

In an Issue Management and Remediation (IMR) framework, you can effectively document, monitor, remediate, and audit issues.

Issues are items that are identified against the documented framework and are deemed to negatively affect the ability to accurately manage and report risk. In its lifecycle, an Issue can have one of two states: Open or Closed.

To resolve the identified Issue, the Issue Owner establishes and records the appropriate Actions. When an Action is complete, the Assignee sets the Action's Submit for Approval field to Yes. When the field is saved, a trigger starts and completes the following actions:
- Copies the value in the Issue Owner field from the parent Issue to the Action's Issue Owner for Approval field.
- Sets the Action Status field to Awaiting Approval.
- Sends an email to the Issue Owner informing them that an Action is awaiting their approval.

The Issue Owner reviews the Action and approves or rejects it in the Approve/Reject field.

If the Issue Owner selects Approve, a trigger starts and sets the Action's Status field to Closed.

If the Issue Owner selects Reject, a trigger starts and completes the following actions:
- Reverts the Action's Status field to Open.
- Sets the Submit for Approval field to No.
- Sends an email to the Action Assignee informing them that the Action has been rejected.

The following triggers automate the Issue management process:
- "Issue Lifecycle trigger"
- Action Lifecycle trigger

Issue Lifecycle trigger

The Issue Lifecycle trigger sets the Original Due date on the first save of an Issue and checks for any open Actions when the Issue status is set to Closed.

When an Issue is created or updated, the trigger completes the following actions:
- If the status is set to Closed, the trigger checks all direct child Actions and determines whether they are all closed. If any Action has a status of Open or Awaiting Approval, the trigger generates an error message and the change is not saved. If all Actions are closed, the trigger saves the changes.

  Note: As an administrator, you can configure the error message in the Administrator > Settings menu.
- If the Original Due date on the Issue is blank, the trigger populates it with the Current Due date value.
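The Action approval and Issue closure logic described above, as an added example in Python; this is not OpenPages product code and is not taken from this guide. It models the two triggers over in-memory records: the field and status names follow the text, while the record classes, the TriggerError exception standing in for the product's configurable error message, and the SENT_MAIL list standing in for outbound email are assumptions. The control worth checking is the one the triggers enforce: an Action is closed only by the parent Issue's owner, never by its Assignee, and an Issue cannot be closed while any child Action is still Open or Awaiting Approval.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

OPEN, AWAITING, CLOSED = "Open", "Awaiting Approval", "Closed"

# Assumed stand-in for the product's outbound email: (recipient, subject) pairs.
SENT_MAIL: List[Tuple[str, str]] = []


class TriggerError(Exception):
    """Stands in for the configurable error message that rejects a save."""


@dataclass
class Action:
    id: str
    assignee: str
    status: str = OPEN                 # Open | Awaiting Approval | Closed
    submit_for_approval: str = "No"    # set to Yes by the Assignee when the work is done
    approve_reject: str = ""           # "", Approve or Reject; set by the Issue Owner
    issue_owner_for_approval: str = ""


@dataclass
class Issue:
    id: str
    owner: str
    status: str = OPEN                 # Open | Closed
    current_due: Optional[date] = None
    original_due: Optional[date] = None
    actions: List[Action] = field(default_factory=list)


def on_action_save(issue: Issue, action: Action) -> Action:
    """Action Lifecycle trigger: runs each time an Action under `issue` is saved."""
    if action.status == OPEN and action.submit_for_approval == "Yes":
        # The Assignee submitted the Action: route it to the parent Issue's owner.
        action.issue_owner_for_approval = issue.owner
        action.status = AWAITING
        SENT_MAIL.append((issue.owner, f"Action {action.id} is awaiting your approval"))
    elif action.status == AWAITING and action.approve_reject == "Approve":
        action.status = CLOSED
    elif action.status == AWAITING and action.approve_reject == "Reject":
        action.status = OPEN
        action.submit_for_approval = "No"
        action.approve_reject = ""
        SENT_MAIL.append((action.assignee, f"Action {action.id} was rejected"))
    return action


def on_issue_save(issue: Issue) -> Issue:
    """Issue Lifecycle trigger: runs on every create or update of an Issue."""
    if issue.original_due is None:
        # First save: freeze Original Due so later slips of Current Due stay visible.
        issue.original_due = issue.current_due
    if issue.status == CLOSED:
        blocking = [a.id for a in issue.actions if a.status in (OPEN, AWAITING)]
        if blocking:
            issue.status = OPEN  # the save is rejected, so the record stays Open
            raise TriggerError(f"Issue {issue.id} has unfinished Actions: {blocking}")
    return issue


def try_close(issue: Issue) -> bool:
    """Attempt to close an Issue; True only if the trigger accepted the save."""
    issue.status = CLOSED
    try:
        on_issue_save(issue)
        return True
    except TriggerError:
        return False


def walkthrough() -> List[str]:
    """Constructed scenario: submit, reject, resubmit, approve, then close the Issue."""
    SENT_MAIL.clear()
    issue = Issue("ISS-1", owner="alice", current_due=date(2015, 6, 30))
    on_issue_save(issue)
    issue.current_due = date(2015, 7, 31)      # the due date slips; Original Due stays
    on_issue_save(issue)
    act = Action("ACT-1", assignee="bob")
    issue.actions.append(act)
    trail = [f"original_due={issue.original_due}"]

    act.submit_for_approval = "Yes"
    on_action_save(issue, act)
    trail.append(f"{act.status}; closable={try_close(issue)}")   # blocked
    act.approve_reject = "Reject"
    on_action_save(issue, act)
    trail.append(f"{act.status}; closable={try_close(issue)}")   # still blocked
    act.submit_for_approval = "Yes"
    on_action_save(issue, act)
    act.approve_reject = "Approve"
    on_action_save(issue, act)
    trail.append(f"{act.status}; closable={try_close(issue)}")   # now allowed
    trail.append(f"mail to {[to for to, _ in SENT_MAIL]}")
    return trail


if __name__ == "__main__":
    print("\n".join(walkthrough()))
```

Because the model keys on the Submit for Approval and Approve/Reject fields rather than on who is saving, anyone who can write those fields on the Action could drive the workflow; in a deployment the field-level access on Approve/Reject is what keeps the approval with the Issue Owner, so that is the setting to verify alongside the trigger.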

Risk and Control Self-assessments triggers

The Risk Assessments process is used to identify, assess, and quantify the risk profile of a business. Each Risk is assessed on either a Qualitative or a Quantitative basis.

Triggers provide the process workflow for Risk and Control Self-assessment of the business.

When a Risk is saved, the Qualitative risk rating trigger determines a Risk Rating of Low, Medium, High, or Very High. The trigger also populates the hidden Quantitative fields: Severity, Frequency, and Exposure.

When a Risk is saved, the Quantitative risk rating trigger completes the following actions:
1. Computes the Exposure (Frequency x Severity).
2. Computes the Risk Rating as Low, Medium, High, or Very High.
3. Derives the Impact value (1 - 10) based on a mapping table for each Business Unit that is stored in its Preference record.
4. Derives the Likelihood value (1 - 10) based on a mapping table for each Business Unit that is stored in its Preference record.

The following triggers are used for Risk and Control Self-assessments:
- RCSA Quantitative trigger
- RCSA Qualitative trigger
- Risk Approval Submission trigger
- RCSA Risk and Control Approval trigger


Visualization triggers

The Visualization triggers prevent a user from adding new Risks as children of the Data Input and Data Output object types. The Data Input and Data Output objects are children of the Process and can have associations only to existing Risks. The Data Input object represents elements of a flow that depict an input into the Business Flow. The Data Output object depicts an output from activities within a process, such as running a report or updating a CRM system.

Risks can be added as children of these object types only by associating existing Risks to them. Data Input and Data Output object types cannot be primary parents of Risks.

KRI and KPI Lifecycle triggers

The KRI and KPI Lifecycle triggers calculate and maintain field values on the KRI/KPI and KRI/KPI Value object types. The trigger runs only if the Collection status of the KRI or KPI Value is set to Collected.

When a KRI or KPI Value object is updated, associated, or disassociated, the trigger completes the following steps:
1. Determines whether the KRI or KPI is set for approval.
   - If it is (Yes), the trigger updates the Value's status to Awaiting Approval and proceeds with steps 2, 3, 4, and 6.
   - If it is not (No), the trigger updates the status from Awaiting Collection to Collected and proceeds with steps 2, 3, 4, and 5.
2. Copies the current threshold information from the KRI or KPI to the child KRI or KPI Value.
3. Evaluates the Breach status.
4. Copies the KRI or KPI Value, Value Date, Collection status, and Breach status to the parent KRI or KPI.
5. If the KRI or KPI Breach field changed from Green or Amber to Red, the trigger sends an email notification to the Risk Owner to inform the owner of the breach.
6. If the status is set to Awaiting Approval, the KRI or KPI Value is displayed on the home page of the KRI or KPI Owner. The KRI or KPI Owner can approve or reject the value:
   - If the KRI or KPI Owner saves the record with a Reject status, the KRI or KPI Value and Value Date are cleared and the KRI or KPI Value status is set to Awaiting Collection.
   - If the KRI or KPI Owner saves the record with an Approved status, the Collection status changes to Collected on the Value and on the KRI or KPI.

Note: When the KRI or KPI owner defines the KRI or KPI, the owner can specify the details regarding its approval.
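The six-step KRI lifecycle above, as an added example in Python that is not OpenPages product code and not taken from this guide. The step numbers in the comments follow the list above; the threshold semantics (a higher value is worse, with Amber and Red lower bounds on the KRI), the record classes, and the NOTIFICATIONS list standing in for the Risk Owner email are assumptions, since the guide does not define how thresholds are stored or compared.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

AWAITING_COLLECTION, COLLECTED, AWAITING_APPROVAL = (
    "Awaiting Collection", "Collected", "Awaiting Approval")

# Assumed stand-in for the product's email notification: (recipient, subject).
NOTIFICATIONS: List[Tuple[str, str]] = []


@dataclass
class KRI:
    name: str
    risk_owner: str
    requires_approval: bool
    amber_threshold: float          # assumed: value >= amber is Amber
    red_threshold: float            # assumed: value >= red is Red
    # fields the trigger maintains from the latest child Value (step 4)
    value: Optional[float] = None
    value_date: Optional[str] = None
    collection_status: str = AWAITING_COLLECTION
    breach_status: str = "Green"


@dataclass
class KRIValue:
    value: Optional[float]
    value_date: Optional[str]
    collection_status: str = COLLECTED   # set by the collector on save
    breach_status: str = ""
    amber_threshold: float = 0.0
    red_threshold: float = 0.0
    approve_reject: str = ""              # set by the KRI owner on the approval path


def evaluate_breach(value: float, amber: float, red: float) -> str:
    """Step 3 with assumed higher-is-worse thresholds."""
    if value >= red:
        return "Red"
    if value >= amber:
        return "Amber"
    return "Green"


def on_value_save(kri: KRI, val: KRIValue) -> KRIValue:
    """KRI Lifecycle trigger, run whenever a child Value is saved."""
    if val.collection_status == AWAITING_APPROVAL and val.approve_reject:
        return _owner_decision(kri, val)                     # step 6
    if val.collection_status != COLLECTED or val.value is None:
        return val                                           # trigger does not run
    previous = kri.breach_status
    # step 1: route to approval, or accept the collection outright
    val.collection_status = AWAITING_APPROVAL if kri.requires_approval else COLLECTED
    # step 2: snapshot the thresholds onto the Value so history stays auditable
    val.amber_threshold, val.red_threshold = kri.amber_threshold, kri.red_threshold
    # step 3
    val.breach_status = evaluate_breach(val.value, val.amber_threshold, val.red_threshold)
    # step 4: roll the Value up to the parent KRI
    kri.value, kri.value_date = val.value, val.value_date
    kri.collection_status, kri.breach_status = val.collection_status, val.breach_status
    # step 5: notify only on a transition into Red, and only on the no-approval path
    if (not kri.requires_approval and previous in ("Green", "Amber")
            and val.breach_status == "Red"):
        NOTIFICATIONS.append((kri.risk_owner, f"{kri.name} breached Red at {val.value}"))
    return val


def _owner_decision(kri: KRI, val: KRIValue) -> KRIValue:
    """Step 6: the KRI owner approves or rejects a Value that is Awaiting Approval."""
    if val.approve_reject == "Reject":
        val.value, val.value_date = None, None
        val.collection_status = AWAITING_COLLECTION
    elif val.approve_reject == "Approve":
        val.collection_status = COLLECTED
        kri.collection_status = COLLECTED
    val.approve_reject = ""
    return val


if __name__ == "__main__":
    kri = KRI("Failed logins per day", "alice", False, amber_threshold=50, red_threshold=100)
    for value, day in ((60, "2015-03-01"), (120, "2015-03-02"), (130, "2015-03-03")):
        on_value_save(kri, KRIValue(value, day))
        print(day, kri.breach_status, NOTIFICATIONS)
```

Two things the model makes visible: the Red notification fires once, on the transition, so a KRI that stays Red is not re-notified on later collections; and on the approval path the guide describes no notification at all, so a Red value that the owner later approves is never mailed. Both are worth confirming against the deployed trigger settings if the KRI is being used as an alerting control.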

Loss Event Lifecycle triggers

The Loss Event Lifecycle triggers calculate and maintain three fields on the Loss Event object when related fields are created or changed on any descendant Loss Impact and Loss Recovery objects.


The triggers automate the approval process and remediation performance of Loss Events, as described under the Loss Event Approval Submission and Loss Event Approval triggers.

The loss event lifecycle process consists of three triggers:
- "Loss Event Computation trigger"
- "Loss Event Approval Submission trigger"
- "Loss Event Approval trigger"

Loss Event Computation trigger

The Loss Event Computation trigger computes summary values in the system base currency on a Loss Event, based on the associated Loss Impacts and Loss Recoveries.

Loss Event Approval Submission trigger

The Loss Event Approval Submission trigger moves a Loss Event from Open to the Approval stage of its lifecycle. The trigger validates data.

The trigger runs when the user saves a Loss Event whose Status field is set to Open and whose Submit for Approval field is set to Yes.

Loss Event Approval trigger

The Loss Event Approval trigger allows for the approval or rejection of Loss Events.

The trigger starts when all of the following conditions are met:
- Status is set to anything other than Open or Closed.
- Submit for Approval is set to Yes.
- Approve/Reject is not blank.

Policy Import trigger

The Policy Import trigger imports Policy and Procedure content from a structured Microsoft Word document into IBM OpenPages GRC Platform Policy and Procedure fields by parsing the different sections of the document. It is triggered by checking in an attachment to the Policy object.

The trigger supports the Hybrid approach to Policy Management. It also supports updating the version number in the Docucentric approach when a new policy document is checked in. As part of the import process, the trigger also performs extensive validation to ensure that the structure of the Word document adheres to the defined Policy Template.

This component can be configured, by IBM or by the customer, to suit the customer's methodology through registry and application text settings.

The IBM OpenPages Policy and Compliance Management Policy Import trigger has the following known limitations:
- Bulleted lists support only the disc and circle bullet formats.
- Numbered lists support only decimal, upper-alpha, lower-alpha, upper-roman, and lower-roman.
- Symbol fonts are not supported. You can use the Insert Symbol option and select a symbol in a normal font (for example, the copyright symbol).
- The Wingdings font is not supported.
- Shading cannot be set from Format > Borders and Shading. Workaround: use text highlighting to achieve a similar effect. (.doc only)
- The value of a FORMDROPDOWN is not displayed. (.doc only)
- Ordered lists always use a period as the separator. For example, if a list item in the Word document looks like '1)', it becomes '1.' after the import.
- For .doc, the style of the list item marker is inferred from the text content of the list. The marker's font family and font size match the first piece of text in the list item. The marker is bold, italic, and/or colored only if all the text in the list item has that same styling.
- Images, Word Art, and diagrams are not supported.
- Importing a Table of Contents is not supported.
- All underline styles show as a single solid line.
- Superscripts and subscripts that are defined within a style are not supported (.doc only). Workaround: apply subscript or superscript from the Font menu instead of using a style.
- Formatting overrides that conflict with custom styles are not honored. For example, if a custom style includes a 'Strong' text format and the user manually un-bolds the text within the document, the text still shows as bold per the Strong style. (.doc only)
- Tabs default to 4 spaces, which is not guaranteed to match the spacing in the document because tabs are based on positioning in the document. Use indents instead when aligning content.
- Hanging indents (that is, First Line Indents) for lists are not guaranteed to line up perfectly because of the varying width of the list item markers.
- Within lists, mixing techniques for creating bullets, lists, and indentations often results in items that are not aligned correctly and in incorrect numbering.
- Entering several carriage returns to create spacing does not render as extra spacing.
- Unsupported features:
  - Changes in text direction
  - Double strikethrough
  - Emboss, engrave, and shadow text
  - Text effects
  - Emphasis marks
  - Custom text spacing
  - Shadowed borders
  - Ascending diagonal cell borders

Policy Lock trigger

The Policy Lock trigger locks the Policy, or the Policy and its components (Procedures, Attachments, Policy Review Comments), at different points in the Review and Approval process. This trigger supports all three approaches to Policy Management: Datacentric, Hybrid, and Docucentric.

The Lock trigger supports two use cases:
- Locking Policy Attachments when a policy is put into a review and approval cycle, to ensure that the policy content cannot be changed during approvals. (Applicable to the Hybrid and Docucentric approaches.)
- Locking the entire Draft Policy hierarchy (Policy, Procedures, Attachments, and Policy Review Comments) after the Policy has been given final approval and is ready for publishing. (Applicable to all three policy approaches.)

The customer can configure this component to behave as appropriate for the customer's methodology through the registry and application text settings.

Audit Risk Rating Computations trigger

The Audit Risk Rating Computations trigger calculates and maintains the Audit Inherent and Residual Risk Rating field values on the Risk object.

The RCSA Quantitative trigger and the RCSA Qualitative trigger also apply to the Audit Risk Rating Computations trigger.

Audit Close Automation trigger

The Audit Close Automation trigger assesses close readiness for each configured component of an audit. By default, the trigger is configured for the following object types: Audit, Audit Section, Workpaper, Finding, Audit Review Comment, Plan, and Timesheet.

When an instance of a configured object type is created or updated, the trigger evaluates all the criteria that are configured for that object type. If all the criteria are met, the trigger sets the Ready To Close field value to Yes. The Audit Close helper uses this field value to determine whether all of the audit components are ready to close.

The configured ready-to-close criteria fall into four categories: fields that are required, date fields that must be on or before today's date, date fields that must be on or before other date field values, and user fields that cannot be set to the same user as other user fields.
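The four criteria categories above, implemented as an added example in Python; this is not OpenPages product code and not taken from this guide. The guide names the categories but not the configuration format or the field names, so the READY_TO_CLOSE_CRITERIA table, the field names on the sample records, and the decision to fail a date check when the date is missing (fail closed) are all assumptions. The users_differ category is the one a security reviewer cares about: it is a separation-of-duties gate that stops the same person preparing and reviewing a Workpaper.

```python
from datetime import date
from typing import Any, Dict, List, Tuple

# Assumed criteria configuration, one list per object type; each entry is
# (category, argument). The field names are illustrative.
READY_TO_CLOSE_CRITERIA: Dict[str, List[Tuple[str, Any]]] = {
    "Workpaper": [
        ("required", "Preparer"),
        ("required", "Reviewer"),
        ("required", "Conclusion"),
        ("date_on_or_before_today", "Review Date"),
        ("date_on_or_before", ("Preparation Date", "Review Date")),
        ("users_differ", ("Preparer", "Reviewer")),
    ],
    "Finding": [
        ("required", "Rating"),
        ("required", "Management Response"),
        ("date_on_or_before_today", "Date Reported"),
    ],
}


def evaluate_criteria(obj_type: str, record: Dict[str, Any], today: date) -> List[str]:
    """Return the unmet criteria for one record; an empty list means ready to close."""
    failures: List[str] = []
    for category, arg in READY_TO_CLOSE_CRITERIA.get(obj_type, []):
        if category == "required":
            if record.get(arg) in (None, ""):
                failures.append(f"{arg} is required")
        elif category == "date_on_or_before_today":
            d = record.get(arg)
            # A missing date fails the gate too (fail closed; an assumption).
            if d is None or d > today:
                failures.append(f"{arg} must be on or before {today}")
        elif category == "date_on_or_before":
            earlier, later = arg
            d1, d2 = record.get(earlier), record.get(later)
            if d1 is None or d2 is None or d1 > d2:
                failures.append(f"{earlier} must be on or before {later}")
        elif category == "users_differ":
            a, b = arg
            # Separation of duties: one person may not hold both roles.
            if record.get(a) and record.get(a) == record.get(b):
                failures.append(f"{a} and {b} must be different users")
        else:
            failures.append(f"unknown criterion category {category!r}")
    return failures


def on_save(obj_type: str, record: Dict[str, Any], today: date) -> List[str]:
    """Audit Close Automation trigger: maintains Ready To Close on create or update."""
    failures = evaluate_criteria(obj_type, record, today)
    record["Ready To Close"] = "Yes" if not failures else "No"
    return failures


def audit_ready_to_close(components: List[Dict[str, Any]]) -> bool:
    """What the Audit Close helper checks: every component must already be Yes."""
    return all(c.get("Ready To Close") == "Yes" for c in components)


# Constructed sample records for a run on 2015-03-31.
TODAY = date(2015, 3, 31)
SAMPLE_WORKPAPER = {
    "Preparer": "bob", "Reviewer": "bob", "Conclusion": "",
    "Preparation Date": date(2015, 3, 20), "Review Date": date(2015, 4, 2),
}
SAMPLE_FINDING = {
    "Rating": "High", "Management Response": "Patch by Q2",
    "Date Reported": date(2015, 3, 25),
}


def demo() -> List[str]:
    """Run the trigger over the sample records, then correct the Workpaper."""
    wp, fd = dict(SAMPLE_WORKPAPER), dict(SAMPLE_FINDING)
    first = on_save("Workpaper", wp, TODAY)
    on_save("Finding", fd, TODAY)
    before = audit_ready_to_close([wp, fd])
    wp.update({"Reviewer": "carol", "Conclusion": "No exceptions",
               "Review Date": date(2015, 3, 28)})
    on_save("Workpaper", wp, TODAY)
    after = audit_ready_to_close([wp, fd])
    return first + [f"ready before={before}", f"ready after={after}"]


if __name__ == "__main__":
    print("\n".join(demo()))
```

One consequence of this shape is that an object type with no configured criteria is marked Ready To Close on its first save, because an empty criteria list has nothing to fail. When reviewing a deployment, check that every one of the seven default object types actually has criteria configured, or the Audit Close helper's check is vacuous for that type.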


Chapter 8. Profiles

IBM OpenPages GRC Platform solutions consist of several profiles.

By default, for each solution, a master profile is provided that includes all the fields and configuration required for that solution. The master profiles are:
- "OpenPages FCM Master profile" - IBM OpenPages Financial Controls Management
- "OpenPages ORM Master profile" - IBM OpenPages Operational Risk Management
- "OpenPages PCM Master profile" on page 62 - IBM OpenPages Policy and Compliance Management
- "OpenPages ITG Master profile" on page 62 - IBM OpenPages IT Governance
- "OpenPages IAM Master profile" on page 62 - IBM OpenPages Internal Audit Management

When all OpenPages GRC Platform default solutions are installed, an OpenPages Master profile that spans the solutions is also included.

OpenPages Operational Risk Management also includes the following solution-specific profiles:
- "ORM Operational Risk Team profile" on page 60
- "ORM Business User profile" on page 60
- "ORM Simplified User profile" on page 61
- "OpenPages FIRST Loss profile" on page 61

OpenPages FCM Master profile

The OpenPages FCM Master profile includes the fields and configuration required for IBM OpenPages Financial Controls Management.

This profile includes the following components:
- Filters
- My Work home page and home page tabs
- Dependent fields and dependent pick lists
- Activity, Detail, Context, Folder, Overview, Filtered List, Grid, and List Views

Subsets of this profile for a Process Owner, Control Tester, and other users are created during the implementation project.

OpenPages ORM Master profile

The OpenPages ORM Master profile includes the fields and configuration required for IBM OpenPages Operational Risk Management.

This profile includes the following components:
- Filters
- My Work home page and home page tabs
- Dependent fields and dependent pick lists
- Activity, Detail, Context, Folder, Overview, Filtered List, and List Views

More information is available in the following topics:
- "Home page filtered lists" on page 63
- "Activity views" on page 67
- "Grid views" on page 73

ORM Operational Risk Team profile

The ORM Operational Risk Team profile includes the configuration required by a power user who uses most capabilities of IBM OpenPages GRC Platform but does not have read access to library IDs and object status fields.

A user of this profile can perform the following tasks:
- Maintain Processes
- Manage Risk and Control Libraries
- Perform RCSA Scoping
- Perform and oversee the RCSA process
- Administer, review, and oversee Loss Events
- Define and capture KRIs
- Manage Issue and Action closure
- Coordinate Scenario Analysis

This profile includes the following components:
- Filters
- My Work home page and home page tabs
- Dependent fields and dependent pick lists
- Activity, Detail, Context, Folder, Overview, Filtered List, and List Views

More information is available in the following topics:
- "Home page filtered lists" on page 63
- "Activity views" on page 67
- "Grid views" on page 73

ORM Business User profile

The ORM Business User profile includes the fields and configuration required by a risk manager in the operations of the business. This user is an active participant in most Operational Risk Management activities.

A user of this profile can perform the following tasks:
- Log a Loss Event
- Perform RCSA Scoping
- Approve Risk Assessments
- Capture Key Risk Indicators
- Manage Issue and Action closure
- Participate in scenario workshops

This profile includes the following components:
- Filters
- My Work home page and home page tabs
- Dependent fields and dependent pick lists
- Activity, Detail, Context, Folder, Overview, Filtered List, and List Views

More information is available in the following topics:
- "Home page filtered lists" on page 63
- "Activity views" on page 67
- "Grid views" on page 73

ORM Simplified User profile

The ORM Simplified User profile allows a user to focus on loss events, KRI value capture, and issue management.

This profile includes the following components:
- Filters
- My Work home page and home page tabs
- Dependent fields and dependent pick lists
- Activity, Detail, Context, Folder, Overview, Filtered List, and List Views

More information is available in the following topics:
- "Home page filtered lists" on page 63
- "Activity views" on page 67
- "Grid views" on page 73

OpenPages FIRST Loss profile

The OpenPages FIRST Loss profile includes the fields and configuration that facilitate the loading of FIRST Loss data into IBM OpenPages Operational Risk Management through the IBM OpenPages FastMap feature.

Users of this profile can edit all fields in FIRST Loss objects so that data can be loaded. Assign this profile only to users who are responsible for loading FIRST Loss data through FastMap. All other users should have read-only access to FIRST Loss objects.

Note that it is not necessary to assign this profile to a user. Instead, you can configure the FastMap spreadsheet that contains the FIRST Loss data to load using the OpenPages FIRST Loss profile.

This profile includes the following features:
- My Work home page and home page tabs
- Dependent pick lists
- Detail, Context, Folder, Overview, Filtered List, and List Views


OpenPages PCM Master profile

The OpenPages PCM Master profile includes the fields and configuration required for IBM OpenPages Policy and Compliance Management.

This profile includes:
v Filters
v My Work home page and home page tabs
v Dependent fields and dependent pick lists
v Computed fields
v Activity, Detail, Context, Folder, Overview, Filtered List, Grid Views, and List Views

Subsets of this profile that are appropriate for a Compliance Program Manager, Privacy Officer, and other users are created during the implementation project.

More information is available in the following topics:
v “Home page filtered lists” on page 63
v “Activity views” on page 67
v “Grid views” on page 73

OpenPages ITG Master profile

The OpenPages ITG Master profile includes the fields and configuration required for IBM OpenPages IT Governance.

This profile includes:
v Filters
v My Work home page tab and home page tabs
v Dependent fields and dependent pick lists
v Computed fields
v Activity, Detail, Context, Folder, Overview, Filtered List, Grid Views, and List Views

Subsets of this profile that are appropriate for an IT library administrator, IT director, and other users are created during the implementation project.

More information is available in the following topics:
v “Home page filtered lists” on page 63
v “Activity views” on page 67
v “Grid views” on page 73

OpenPages IAM Master profile

The OpenPages IAM Master profile includes the fields and configuration required for IBM OpenPages Internal Audit Management.

This profile includes:
v Filters
v My Work home page tab and home page tabs
v Dependent fields and dependent pick lists
v Computed fields
v Activity, Detail, Context, Folder, Overview, Filtered List, Grid Views, and List Views

Subsets of this profile that are appropriate for a lead auditor, audit director, and other user profiles are created during the implementation project.

More information is available in the following topics:
v “Home page filtered lists”
v “Activity views” on page 67
v “Grid views” on page 73

Home page filtered lists

The following table shows the filtered lists that are defined for the My Work home page for each profile.

The following table identifies the filtered lists that are defined for the profiles that are provided with each solution.

The columns use abbreviations for the following profiles:
v FCM = FCM Master profile
v ORM = ORM Master profile
v Risk = ORM Operational Risk Team profile
v BU = ORM Business User profile
v SU = ORM Simplified User profile
v PCM = PCM Master profile
v ITG = ITG Master profile
v IAM = IAM Master profile

Table 37. Home page filtered lists for OpenPages GRC profiles

Object type | Home Page Filtered List | Description | FCM ORM Risk BU SU PCM ITG IAM
Issue | My Open Issues | List of open issues that are owned by the logged in user and that require remediation. | X X X X X X X X
Test Result | Failed Test Results | Home page access to Test Results that failed. | X
Action Item | Actions Awaiting Approval | Provides a list of Action Items that are awaiting approval. The list displays Action Items where the logged in user is the Issue Owner. | X
Action Item | My Open Action Items | A list of the Action Items that are assigned to the user, but not yet complete. | X
Issue | Open Issues | Home page access to your issues. | X X X


Table 37. Home page filtered lists for OpenPages GRC profiles (continued)

Object type | Home Page Filtered List | Description | FCM ORM Risk BU SU PCM ITG IAM
KRI value | KRIs Awaiting Entry | Returns a list of KRI values that have a status of awaiting collection and an expected collection date either in the next 7 days or in the last 365 days. It also requires that KRI Collector is set to logged in user. | X X X
KRI value | My KRIs in Breach | Returns any KRIs owned by the logged in user with a Breach status of Red. | X X X
KRI value | My KRIs Awaiting Approval | Returns KRI values that match the collection status of Awaiting Approval and the KRI Owner is equal to logged user. | X X X
KPI value | KPIs Awaiting Entry | Returns a list of KPI values that have a status of awaiting collection and an expected collection date either in the next 7 days or in the last 365 days. It also requires that KPI Collector is set to logged in user. | X X X
KPI value | My KPIs Awaiting Approval | Returns KPI values that match the collection status of Awaiting Approval, where the KPI Owner is equal to logged user. | X X X
KPI value | My KPIs in Breach | Returns any KPIs that are owned by the logged in user with a Breach status of Red. | X X X
Loss Event | Events Awaiting Approval | Home page displays Loss Events with a status of Awaiting Approval or Awaiting Approval L2 and the Approver L1 or L2 is a logged in user. | X X X
Loss Event | Open Loss Events Over 1M | Home page access to large open loss events. | X X X
Process | Process Awaiting Approval | Returns a list of all Processes that are owned by the logged in user and have a status of Awaiting Approval. | X X X
Risk | Risks Awaiting Assessment | Returns a list of all risks that are owned by the logged in user with a status of Awaiting Assessment. | X X X


Table 37. Home page filtered lists for OpenPages GRC profiles (continued)

Object type | Home Page Filtered List | Description | FCM ORM Risk BU SU PCM ITG IAM
Risk Assessment | My Risks Assessment | Home page access to your risk assessments. | X X
KRI | KRI Breaches | Home page access to KRIs that have a breach status of red. | X X X X
Action Item | My Action Items | Home page access to action items. | X X X X
Action Item | Remediation Pending Approval | Home page access to your remediation items that are waiting for approval. The user is notified of items that are pending approval and the action to take. If an action requires time to complete, add a comment to track the updates. When the Action is complete, set the Submit for Closure field to Yes. | X X X X
Loss Events | My Open Events | Displays a list of Loss Events where the status is Open and the Event Owner is the logged in user. | X X X X
Attestations | Attestation Exception Requests | Home page access to requested Attestation exceptions that require review. | X
Attestation | My Attestations | Home page access to your Policy Attestations due for completion. It includes a link to launch the Policy Awareness View. | X
Incident | Critical Compliance Incidents | Home page access to Compliance Incidents with a Priority rating of critical. | X
Policy Review Comment | My Policy Review Comments | Home page access to your open Policy Review Comments. It includes a link to launch the Review Policy View. | X
Policy Review Comment | Policies Waiting for My Approval | Home page access to your open requests for Policy Approval. It includes a link to launch the Review Policy View. | X


Table 37. Home page filtered lists for OpenPages GRC profiles (continued)

Object type | Home Page Filtered List | Description | FCM ORM Risk BU SU PCM ITG IAM
Policy Review Comment | Policies Waiting for My Review | Home page access to your open requests for Policy Review. | X
Questionnaire | My Questionnaires Due for Completion | Home page access to your Questionnaires due for completion. | X
Regulatory Change | My Open High Impact Regulatory Changes | Home page access to your open Regulatory Changes assessed to be high impact. | X
Regulatory Task | My Regulatory Tasks | Home page access to your Regulatory Tasks requiring attention. | X
RI Request | Meeting Requests | Home page access to your Regulatory Meeting Requests for which you are the business owner. | X
RI Request | On-Site Requests | Home page access to your Regulatory On-Site Requests for which you are the business owner. | X
RI Request | Pre-Work Requests | Home page access to your Regulatory Pre-Work Requests for which you are the business owner. | X
Policy | My Draft Policies | Home page access to Draft Policies for which you are the Author. It includes a link to launch the Create Policy Helper. | X
Policy | My Published Policies | Home page access to Published Policies for which you are the Author. It includes a link to launch the View Policy Helper. | X
KPI | KPI Breaches | Home page access to KPIs that have a breach status of red. | X X
Audits | My Audits in Progress | Home page access to the Audits you own and that you are likely to be working on now. | X
Audit Review Comment | My Open Audit Review Comments | Home page access to Audit Review Comments requiring action, where you are the Owner. | X
Finding | My Findings for Review | Home page access to Open Findings where you are the Reviewer. | X


Table 37. Home page filtered lists for OpenPages GRC profiles (continued)

Object type | Home Page Filtered List | Description | FCM ORM Risk BU SU PCM ITG IAM
Finding | My Open Findings | Home page access to Open Findings where you are the one who prepared the information. | X
Workpaper | My Workpapers In Progress | Home page access to Workpapers requiring action where you are the reviewer for the information. | X
Workpaper | Workpapers Ready for My Review | Home page access to Workpapers requiring action where you prepared the information. | X
Control Plan | Control Plans Under Development | Home page access to Control Plans being developed. | X
Incident | Critical IT Incidents | Home page access to open critical IT-related Incidents. | X
Waiver | Expiring Waivers | Home page access to approved Waivers expiring in the next 3 months. | X
Waiver | My Waiver Approvals | Home page access to requested Attestation exceptions that require review. | X
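Two of the filtered lists in Table 37 have enough conditions that it is worth checking how they behave at the edges: "KRIs Awaiting Entry" combines a status, a collector match and a date window (last 365 days or next 7 days), while "My KRIs Awaiting Approval" is scoped to the KRI Owner with no date window. The following is an added example, not IBM's filter definition or product code: the two lists written as predicates over constructed KRI Value records. The field names (status, expected_collection_date, collector, owner) are this example's own assumptions; the conditions are the ones the table states. Because the table defines the KPI lists identically, the same functions apply to KPI values.

```python
"""Added example (not IBM's code): two home page filtered lists from
Table 37 written as predicates over constructed KRI Value records.

Field names are this example's own assumptions; the status, collector/owner
and date-window conditions are the ones the table states.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class IndicatorValue:
    name: str
    status: str                    # e.g. "Awaiting Collection"
    expected_collection_date: date
    collector: str                 # user responsible for entering the value
    owner: str                     # user responsible for approving it


def awaiting_entry(values, user, today):
    """'KRIs Awaiting Entry': status Awaiting Collection, expected collection
    date in the last 365 days or the next 7 days (inclusive), collector = user."""
    earliest = today - timedelta(days=365)
    latest = today + timedelta(days=7)
    return [v.name for v in values
            if v.status.casefold() == "awaiting collection"
            and v.collector == user
            and earliest <= v.expected_collection_date <= latest]


def awaiting_my_approval(values, user):
    """'My KRIs Awaiting Approval': status Awaiting Approval and owner = user.
    No date window applies to this list."""
    return [v.name for v in values
            if v.status.casefold() == "awaiting approval"
            and v.owner == user]


TODAY = date(2015, 6, 1)   # constructed "current date" for the sample

# Constructed records; each comment says why the row is in or out for alice.
SAMPLE = [
    IndicatorValue("KRI-1", "Awaiting Collection", TODAY + timedelta(days=3), "alice", "carol"),    # in
    IndicatorValue("KRI-2", "Awaiting Collection", TODAY + timedelta(days=8), "alice", "carol"),    # out: more than 7 days ahead
    IndicatorValue("KRI-3", "Awaiting Collection", TODAY - timedelta(days=365), "alice", "carol"),  # in: window boundary
    IndicatorValue("KRI-4", "Awaiting Collection", TODAY - timedelta(days=366), "alice", "carol"),  # out: older than 365 days
    IndicatorValue("KRI-5", "Awaiting Approval", TODAY, "alice", "carol"),                          # out: wrong status (in carol's approval list)
    IndicatorValue("KRI-6", "Awaiting Collection", TODAY, "bob", "carol"),                          # out: bob is the collector
]

if __name__ == "__main__":
    print("alice, awaiting entry:", awaiting_entry(SAMPLE, "alice", TODAY))
    print("bob, awaiting entry:", awaiting_entry(SAMPLE, "bob", TODAY))
    print("carol, awaiting approval:", awaiting_my_approval(SAMPLE, "carol"))
```

The window is closed on both ends, so a value expected exactly 365 days ago is still listed while one expected 366 days ago drops off; if a deployment wants stale values to stay visible longer, that is the single constant to change.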

Activity views

The following tables identify the activity views that are defined for each profile.

The following table identifies the activity views that are defined for the profiles that are provided with each solution.

The columns use abbreviations for the following profiles:
v FCM = FCM Master profile
v ORM = ORM Master profile
v Risk = ORM Operational Risk Team profile
v BU = ORM Business User profile
v SU = ORM Simplified User profile
v PCM = PCM Master profile
v ITG = ITG Master profile
v IAM = IAM Master profile


Table 38. Activity views for OpenPages GRC profiles

Object type | Activity View name | Activity View Description | FCM ORM Risk BU SU PCM ITG IAM
Process | Control Assessment | Facilitates conducting process-based Risk and Control Self Assessments. | X
Control | Control Testing Summary | Used to indicate Control Operating Effectiveness. Provides Test Plan and Test Result information that informs the Operating Effectiveness decision. | X X X X X
Questionnaire | Questionnaire | Used to respond to questionnaires using the Questionnaire, Section, Question object model. | X X X X X X
Questionnaire | Questionnaire Set Up | Used to create and modify questionnaires using the Questionnaire, Section, Question object model. | X X X X X
Process | RCSA Approval | Used by Risk Coordinator to approve Risk and Control Self Assessments. | X X X X X
Process | Process Approval | Used by the Process Owner to confirm the assessment of each Risk and Control. | X X X X X X X
Scenario | Scenario Management | Used to indicate applicability of a Scenario. | X X X
Event | Loss Event Approval | If an Event is submitted for Approval and it is valid and greater than Loss Event threshold 1, the status changes to Awaiting approval. The Approver is notified to review and approve or reject the event. | X X X X
KPI Value | KPI Value Entry | Used to enter KPI values and change the status to collected. | X X X
KRI Value | KRI Value Approval | Used to approve KRI values. | X X X X X
KRI Value | KRI Value Entry | Used to enter KRI values and change the status to collected. | X X X X X


Table 38. Activity views for OpenPages GRC profiles (continued)

Object type | Activity View name | Activity View Description | FCM ORM Risk BU SU PCM ITG IAM
KRI Value | KRI Value | After the KRI is defined, the system determines if a KRI value is required. If the KRI is marked as Active, the KRI helper generates values. If the KRI value is set to Inactive, the utility does not generate a blank value. The value object is initially set up as a placeholder with a status of Awaiting collection. | X X
Event | Loss Event Management | Loss Event capability enables the collection, classification, and maintenance of operational risk loss events within the business hierarchy. It ensures that information about loss events is collected consistently across the organization by requiring that the most important data about each Event is entered and that appropriate approval and actions are undertaken. | X X X
Process | Process RCSA View | Facilitates conducting Risk Assessment-based Risk and Control Self Assessments. | X X X X X
KPI Value | KPI Value Approval | Used to approve KPI values. | X X X
Risk Assessment | RCSA View | Facilitates conducting Risk Assessment-based Risk and Control Self Assessments. | X X X
Scenario | Scenario Approval | Used to approve a Scenario. | X


Table 38. Activity views for OpenPages GRC profiles (continued)

Object type | Activity View name | Activity View Description | FCM ORM Risk BU SU PCM ITG IAM
Risk | Risk and Control Assessment | Risk Assessments are often the core process an organization uses in Operational Risk. It identifies, assesses, and quantifies a risk profile. It establishes consistency and enables a broad view of risk across an organization. It provides Decision Support for management, drives better decisions, and leads to Action. | X X X
Attestation | Attestation | Provides a simplified view of the Attestation object. Serves as a pattern for a view that can be used as the default view for appropriate users such as policy attesters. | X
Mandate | Regulatory Change Overview | Provides a consolidated view of the Regulatory Changes for a Mandate, and the corresponding Regulatory Tasks required as a result of the change. Enables user to track progress and status of the tasks. | X
Policy | Campaign Status Overview | View outstanding attestations for a campaign. | X
Policy | Employee Policy Exception Requests | View Employee Exception Requests. | X
Policy | Policy | Provides a simplified view of the Policy object. Serves as a pattern for a view that can be used as the default view for appropriate users such as policy attesters. | X
Regulator Interaction | Regulatory Exams | Provides a consolidated view of the Interaction Categories and detailed Requests for a complex Regulator Interaction. | X
Audit | Audit Overview | Select each Audit Section to view all of its Workpapers and Findings, and then update key information. | X


Table 38. Activity views for OpenPages GRC profiles (continued)

Object type | Activity View name | Activity View Description | FCM ORM Risk BU SU PCM ITG IAM
Audit | Scope Matrix | Identify the activities within the Auditable Entity and decide whether each one is in or out of scope for this audit. Refer to the risks for each activity to help make the scope decision. | X
Audit | Scope Matrix View | Scope Matrix Activity View with all fields configured as read only. | X
Audit | Section Edit Checklist | Provides a consolidated view of the work program and facilitates rapid audit section update for an audit. | X
Audit | Workpaper Edit Checklist | Provides a consolidated view of the workpapers and facilitates rapid workpaper update for an audit. | X
Auditable Entity | All Review Comments | View Review Comments associated to the selected Audit and its Sections, Workpapers and Findings. | X
Auditable Entity | Audits and Sections | View the sections for an audit and update Scheduled Start and End Dates. | X
Auditable Entity | Section Checklist | Provides an at-a-glance read only view of the Sections in the work program. | X
Auditable Entity | Workpaper Checklist | Provides an at-a-glance read only view of the Workpapers in the work program. | X
Business Entity | Audit Planning | Allows for entry of Schedule Dates and Estimated Hours and T&E for each audit in the Universe. Filtered to 2008 and beyond Audits where Status is any except Completed. | X
Workpaper | Project Mgmt Update | Used when finalizing workpaper status. | X
Workpaper | Project Mgmt Planning | Used when finalizing workpaper status. | X


Table 38. Activity views for OpenPages GRC profiles (continued)

Object type | Activity View name | Activity View Description | FCM ORM Risk BU SU PCM ITG IAM
Workpaper | Review and Approval | Used when reviewing workpapers. | X
Workpaper | Test Execution | Used when executing workpaper tests during field work. | X
Workpaper | Test Planning | Used when planning workpapers. | X
Baseline | Assess Risk | Used for performing risk assessments on Baselines in the IT Operating Environment. | X
Baseline | Assess Baseline | Used for performing risk assessments on Baselines in the IT Operating Environment. | X
Business Entity | Deloitte Mandates | Shows all the Requirements that are driven from each Mandate supplied by Deloitte. | X
Business Entity | Mandate Controls | For the selected Mandate, see all of the associated Controls in the IT Operating Environment. Provides corporate wide view of Control Effectiveness for a given Mandate. Filters out Controls in the Library, and only includes Ineffective or Not Determined Controls. Should be run from a Business Entity in the Library. | X
Business Entity | UCF Mandates | Shows all the Requirements that are driven from each Mandate that is supplied by UCF. | X
Control Plan | Assess Control Plan | Used for performing risk assessments on Control Plans in the IT Operating Environment. | X
Mandate | Deloitte Mandate Overview | Shows all the Sub-Mandates, and for each Sub-Mandate shows its Requirements. Most appropriate for Deloitte content. | X


Table 38. Activity views for OpenPages GRC profiles (continued)

Object type | Activity View name | Activity View Description | FCM ORM Risk BU SU PCM ITG IAM
Mandate | UCF Mandate Overview | Shows all the Sub-Mandates, and for each Sub-Mandate shows its Requirements. Most appropriate for UCF content. | X

Table 39. Activity views to drive the Add New wizard

Object type | Activity View name | Activity View Description | FCM ORM Risk BU SU PCM ITG IAM
Risk | Add New | Used by the Add New wizard | X X X X
Control | Add New | Used by the Add New wizard | X X X X
Workpaper | Add New | Used by the Add New wizard | X

Grid views

The grid views defined for each profile are identified in this topic.

The following acronyms are used in the table:
v FCM = IBM OpenPages Financial Controls Management
v ORM = IBM OpenPages Operational Risk Management
v PCM = IBM OpenPages Policy and Compliance Management
v ITG = IBM OpenPages IT Governance
v IAM = IBM OpenPages Internal Audit Management

The IBM OpenPages Operational Risk Management profile supports all the grid views for the following solution-specific profiles:
v ORM Operational Risk Team profile
v ORM Business User profile
v ORM Simplified User profile
v ORM Master profile

Table 40. Grid views for each solution

Object type | Grid view | Description | FCM ORM PCM ITG IAM
KPI, KPI Value | Enter KPI Values | Used to enter KPI Values. Before using this view, create KPI Value objects. | X X X


Table 40. Grid views for each solution (continued)

Object type | Grid view | Description | FCM ORM PCM ITG IAM
KRI, KRI Value | Approve KRI Values | Used to review and approve KRI values. Before using this view, create KRI Value objects and enter the values. | X X X
KRI, KRI Value | Enter KRI Values | Used to enter KRI values. Before using this view, create KRI Value objects. | X X X
KPI, KPI Value | Approve KPI Values | Used to review and approve KPI values. Before using this view, create KPI Value objects and enter the values. | X X X
Process, Risk, Control | PRSA Review | Used to review Process Risk Self Assessments. | X X
Process, Risk, Control | PRSA Update | Used to update Process Risk Self Assessments. | X X


Chapter 9. Role templates

A role template defines the privileges that a user is granted to access each object type. IBM OpenPages GRC Platform solutions include several role templates. Role templates give Application Permissions and grant access to features and functions. They also give Object ACLs (RWDA).

When permission rights are assigned to a solution role template, those rights are also assigned to the All Modules Master template.

By default, two role templates are included with each solution. The template called All Permissions provides administrative rights and permissions to all object types that are available for the solution. The template called All Data - No Admin provides permissions to all object types that are available for the solution but does not provide administrative rights.

For more information on permissions provided with role templates, see “Role template permissions.”

Role template permissions

Each role template defines access permissions that are enabled for each object type.

For each solution, a role template called All Permissions is provided. It includes full administrator rights. It also provides full read, write, delete, associate (RWDA) access to all object types that are included in the solution.

In addition, each solution includes a role template called All Data - No Admin. The template provides no administrator rights except for object types that are associated with workflows, files, and folders. The templates provide full read, write, delete, associate (RWDA) access to all default object types enabled by default for the solution.

For more information on access permissions that are granted to object types in role templates, see “Object type permissions assigned by role templates.”

Object type permissions assigned by role templates

A role template defines the read, write, delete, and associate access to object types enabled in each solution.

When permission rights are assigned to a role template, those rights are also assigned to the All Modules Master template.

The following permissions describe the rights that are assigned to object types in role templates. In the following table, the abbreviations identify the permissions that are enabled for each object type.

R   Groups or users are granted the right to browse and view the details of objects.

W   Groups or users are granted the right to create or modify objects within the selected folder. They cannot delete objects.

D   Groups or users are granted the right to delete objects within the folder structure.

A   Groups or users are granted the right to create associations between objects.

The following acronyms represent the role templates in the following table:
v FCM = IBM OpenPages Financial Controls Management role template
v ORM = IBM OpenPages Operational Risk Management role template
v Risk = IBM OpenPages Operational Risk Team role template
v BU = IBM OpenPages ORM Business User role template
v SU = IBM OpenPages ORM Simplified User role template
v PCM = IBM OpenPages Policy and Compliance Management role template
v ITG = IBM OpenPages IT Governance role template
v IAM = IBM OpenPages Internal Audit Management role template

The following table lists the object type permissions that are granted for the template in each solution. Each solution includes two master templates: the All Permissions template and All Data - No Admin template. If a cell is blank, the object type is not available for the solution.

Table 41. Object type permissions for OpenPages GRC role templates

Object name | Object type label | FCM ORM Risk BU SU PCM ITG IAM
Attestation | Attestation | RWDA
AuditableEntity | Audit Entity | RWDA
Auditor | Auditor | RWDA
AuditPhase | Audit Section | RWDA
AuditProgram | Audit | RWDA
Campaign | Campaign | RWDA
CapitalModel | Capital Model | RWDA
CtlEval | Control Eval | RWDA RWA RWA RWDA
DataInput | Data Input | RWDA RWDA RWDA RWDA RWDA RWDA RWDA RWDA
DataOutput | Data Output | RWDA RWDA RWDA RWDA RWDA RWDA RWDA RWDA


Table 41. Object type permissions for OpenPages GRC role templates (continued)

Object name | Object type label | FCM ORM Risk BU SU PCM ITG IAM
Employee | Employee | RWDA
Finding | Finding | RWDA
FIRSTLoss | FIRST Loss (* indicates that the W and A rights are unspecified) | RWDA R* R*
Incident | Incident | RWDA RWDA
KeyPerfIndicator | KPI | RWDA RWDA RWDA RWDA RWDA RWDA
KeyPerfIndicatorValue | KPI Value | RWDA RWA RWA RWA RWDA
KeyRiskIndicator | KRI | RWDA RWA RWA RWA RWDA
KeyRiskIndicatorValue | KRI Value | RWDA RWA RA RWDA
LossEvent | Loss Event | RWDA RWA RWA RWA
LossImpact | Loss Impact | RWDA RWA RWA RWA
LossRecovery | | RWDA RWA RWA RWA
Mandate | Mandate | RWDA RWDA
ModelResult | Model Result | RWDA
ORICLoss | ORIC Loss (* indicates that the W and A rights are unspecified) | RWDA R* R*
ORXLoss | ORX Loss (* indicates that the W and A rights are unspecified) | RWDA R* R*


Table 41. Object type permissions for OpenPages GRC role templates (continued)

Object name | Object type label | FCM ORM Risk BU SU PCM ITG IAM
Plan | Plan | RWDA
Policy | Policy | RWDA RWDA
PolicyReviewComment | Policy Review Comment | RWDA
Preference | Preference | RWDA RWA RA RA RWDA
PrefGrp | Preference Group | RWDA RWDA
Procedure | Procedure | RWDA RWDA
ProcessDiagram | Process Diagram | RWDA RWDA RWDA RWDA RWDA RWDA RWDA RWDA
ProcessEval | Process Eval | RWDA RWA RWA RWA
ProjectActionItem | Milestone Action Item |
Qsection | | RWDA RWDA
Quest | Question | RWDA RWDA
Questionnaire | Questionnaire | RWDA RWDA
RAEval | Risk Assessment Eval | RWDA RWA RWA RWA
RegApp | Regulation Applicability | RWDA
RegChange | Regulatory Change | RWDA
RegInt | Regulator Interaction | RWDA
RegTask | Regulatory Task | RWDA


Table 41. Object type permissions for OpenPages GRC role templates (continued)

Object name | Object type label | FCM ORM Risk BU SU PCM ITG IAM
Regulator | Regulator | RWDA
Requirement | Requirement | RWDA RWDA
Resource | Resource | RWDA
ResourceLink | Resource Link | RWDA
ReviewComment | Audit Review Comment | RWDA
RICat | RI Category | RWDA
RIReq | RI Request | RWDA
RiskAssessment | Risk Assessment | RWDA RWDA RWA RWA RWA RWDA RWDA RWDA
RiskEntity | Control Plan | RWDA
RiskEval | Risk Eval | RWDA RWA RWA RWA
RiskSubEntity | Baseline | RWDA
ScenarioAnalysis | Scenario Analysis (* indicates that the W rights are unspecified) | RWDA RWA RA*
ScenarioResult | Scenario Result (* indicates that the W rights are unspecified) | RWDA RWA RA*
SOXAccount | Account | RWDA
SOXBusEntity | Business Entity | RWDA RWDA RWA RA RA RWDA RWDA RWDA


Table 41. Object type permissions for OpenPages GRC role templates (continued)

Object name | Object type label | FCM ORM Risk BU SU PCM ITG IAM
SOXControl | Control | RWDA RWDA RWA RWA RWA RWDA RWDA RWDA
SOXControlObjective | Control Objective |
SOXDocument | File | RWDA RWDA RWA RWA RWA RWDA RWDA RWDA
SOXExternalDocument | Link | RWDA RWDA RWA RWA RWA RWDA RWDA RWDA
SOXIssue | Issue | RWDA RWDA RWA RWA RWA RWDA RWDA RWDA
SOXMilestone | Milestone |
SOXProcess | Process | RWDA RWDA RWA RWA RWA RWDA RWDA RWDA
SOXRisk | Risk | RWDA RWDA RWA RWA RWA RWDA RWDA RWDA
SOXSignature | Signature | RWDA RWDA RWA RWA RWA RWDA RWDA RWDA
SOXSubaccount | Sub-Account | RWDA
SOXSubprocess | Sub-Process | RWDA RWDA RWA RWA RWA RWDA RWDA RWDA
SOXTask | Action Item | RWDA RWDA RWA RWA RWA RWDA RWDA RWDA
SOXTest | Test Plan | RWDA RWDA RWDA RWDA RWDA
SOXTestResult | Test Result | RWDA RWDA RWDA RWDA RWDA
Submandate | Sub-mandate | RWDA RWDA
Timesheet | Timesheet | RWDA
Waiver | Waiver | RWDA RWDA


Table 41. Object type permissions for OpenPages GRC role templates (continued)

Object name | Object type label | FCM ORM Risk BU SU PCM ITG IAM
Workpaper | Workpaper | RWDA
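Chapter 9 describes the object ACL model (RWDA cells per object type and role template, blank cells meaning the object type is unavailable, "*" meaning a right is unspecified, and every right granted to a solution template also flowing into the All Modules Master template), and the FIRST Loss profile section earlier in this chapter states a least-privilege expectation for that model: only the loading profile writes FIRST Loss objects, everyone else is read-only. The following is an added example, not IBM's code or API, that models those rules so a permission reviewer can check a table like Table 41 mechanically. Cell values are copied from Table 41, but the extraction lost which template column each cell sits in, so the column placement in SAMPLE_ROWS is this example's own assumption. Treating an unspecified "*" right as not granted is also this example's choice: a reviewer should fail closed on an unspecified right rather than assume it.

```python
"""Model of the RWDA object-type permissions described in chapter 9.

Added example, not IBM's code or API. Object names and cell values come
from Table 41; the template column each cell belongs to is assumed. A "*"
(right unspecified) is treated as NOT granted, failing closed.
"""
from dataclasses import dataclass
import re

TEMPLATES = ("FCM", "ORM", "Risk", "BU", "SU", "PCM", "ITG", "IAM")
RIGHTS = {"R": "read", "W": "write", "D": "delete", "A": "associate"}
_CELL = re.compile(r"^[RWDA]*\*?$")


@dataclass(frozen=True)
class Grant:
    rights: frozenset           # letters actually granted
    unspecified: bool = False   # the cell carried a "*" marker

    def allows(self, right: str) -> bool:
        return right in self.rights


def parse_cell(cell: str) -> Grant:
    """Parse one RWDA cell such as 'RWDA', 'RWA', 'R*' or '' (blank).
    A blank cell means the object type is not available to that template."""
    cell = cell.strip()
    if not _CELL.match(cell):
        raise ValueError(f"not an RWDA cell: {cell!r}")
    return Grant(frozenset(cell.rstrip("*")), cell.endswith("*"))


def build_matrix(rows):
    """rows: {object_name: {template: cell}} -> {object_name: {template: Grant}}.
    Templates missing from a row get a blank (no-access) grant."""
    return {obj: {t: parse_cell(cells.get(t, "")) for t in TEMPLATES}
            for obj, cells in rows.items()}


def can(matrix, template, object_name, right):
    """True if `template` holds `right` (one of R/W/D/A) on `object_name`."""
    row = matrix.get(object_name)
    return bool(row) and row[template].allows(right)


def writers_outside(matrix, object_name, allowed):
    """Least-privilege check: templates that can write or delete
    `object_name` although they are not in `allowed`."""
    return [t for t in TEMPLATES
            if t not in allowed
            and (matrix[object_name][t].allows("W")
                 or matrix[object_name][t].allows("D"))]


def all_modules_master(matrix):
    """The guide states that rights assigned to any solution template are
    also assigned to the All Modules Master template, so model that
    template as the union of every template's rights per object type."""
    return {obj: frozenset().union(*(g.rights for g in row.values()))
            for obj, row in matrix.items()}


# Constructed sample: cells from Table 41, column placement assumed.
SAMPLE_ROWS = {
    "SOXIssue": dict(zip(TEMPLATES, ["RWDA", "RWDA", "RWA", "RWA", "RWA",
                                     "RWDA", "RWDA", "RWDA"])),
    "FIRSTLoss": {"ORM": "RWDA", "Risk": "R*", "BU": "R*"},
    "Attestation": {"PCM": "RWDA"},
}
MATRIX = build_matrix(SAMPLE_ROWS)

if __name__ == "__main__":
    print("Risk template may delete SOXIssue:", can(MATRIX, "Risk", "SOXIssue", "D"))
    print("Templates writing FIRSTLoss besides ORM:",
          writers_outside(MATRIX, "FIRSTLoss", {"ORM"}))
    print("All Modules Master on FIRSTLoss:",
          "".join(sorted(all_modules_master(MATRIX)["FIRSTLoss"])))
```

The `all_modules_master` union is the reason the guide's note matters for reviewers: any write or delete right handed to a narrow solution template is inherited by the master template, so the master must be reviewed whenever a solution template is widened, not only when it is edited directly.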


Notices

This information was developed for products and services offered worldwide.

This material may be available from IBM in other languages. However, you may be required to own a copy of the product or product version in that language in order to access it.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. This document may describe products, services, or features that are not included in the Program or license entitlement that you have purchased.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.


Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Location Code FT0
550 King Street
Littleton, MA 01460-1250
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.


This Software Offering does not use cookies or other technologies to collect personally identifiable information.

Copyright

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2015.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written.

These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Trademarks

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.

The following terms are trademarks or registered trademarks of other companies:
v Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.


Index

A
Action items 52
Activity view 67
Attestation Creation Report helper 35

B
Business Entity
    association to Risk Assessments 32

D
Data Input trigger 54
Data Output trigger 54

G
grid views 73

H
helpers
    Key Indicators 30
    RCSA helpers 31, 32
    risk assessment 32
    Scenario Analysis 30
Home page filtered list 63

I
Issue (object type) 53
Issue and Action Bulletin notification 38
Issue Lifecycle trigger 53
Issues
    management 52

K
Key Indicators helpers 30
KPI Breach notification 38
KPI Capturer
    KPI Reminder notification 38
KPI Lifecycle trigger
    Breach notification 38
    KPI Reminder notification 38
KPI Value
    KPI Reminder notification 38
KRI Breach notification 38
KRI Capturer
    KRI Reminder notification 38
KRI Lifecycle trigger 54
    Breach notification 38
    KRI Reminder notification 38
KRI Value
    KRI Reminder notification 38

L
Loss Event (object type) 55
Loss Event Approval Submissions trigger 55
Loss Event Approval trigger 55
Loss Event Computation trigger 55
Loss Impact (object type) 55
Loss Recovery (object type) 55

N
notifications 37
    Issue and Action Bulletin 38
    KPI Breach notification 38
    KPI Reminder notification 38
    KRI Breach notification 38
    KRI Reminder notification 38

O
object types
    Issue 53
    Loss Event 55
    Loss Impact 55
    Loss Recovery 55
OpenPages Policy and Compliance Management vii
Operation Risk Team profile 60
Operational Risk Team profile 60

P
Policy Awareness View Helper 34
Policy unlock helper 33
Policy viewers 32
Profiles, activity views 67
Profiles, home page filtered list 63
publishing batch notification helper 34

R
RCSA helpers 31, 32
RCSA triggers 53
Risk and Control Self-assessments triggers
    See RCSA triggers
risk assessment helpers
    See RCSA helpers
Risk Assessments
    association to Business Entity 32

S
Scenario Analysis helpers 30
Simplified user profile 61

T
triggers
    Issue Lifecycle 53
    KRI Lifecycle 54


triggers (continued)
    Loss Event Approval 55
    Loss Event Approval Submission 55
    Loss Event Computation 55
    visualization 54

V
visualization triggers 54

W
what's new 1
