
IBM OpenPages GRC Platform Version 7.0.0

Financial Controls Management Module Overview


Note: Before using this information and the product it supports, read the information in “Notices” on page 29.

Product Information

This document applies to IBM OpenPages GRC Platform Version 7.0.0 and may also apply to subsequent releases.

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2013.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Document Release and Update Information . . . . . v

Chapter 1. Introduction . . . . . 1
    Module Description . . . . . 1
    Object Type Licensing . . . . . 1

Chapter 2. Object Types . . . . . 3
    Object Types Enabled by Default . . . . . 3
    Object Types Disabled by Default . . . . . 5
    Subcomponents . . . . . 7

Chapter 3. Computed Fields . . . . . 9

Chapter 4. Helpers . . . . . 11

Chapter 5. Notification . . . . . 13
    Issue and Action Bulletin notification . . . . . 13

Chapter 6. Reports . . . . . 15
    FCM-Specific Reports . . . . . 15
    Reports Shared with Other Modules . . . . . 15

Chapter 7. Triggers . . . . . 17
    FCM-Specific Triggers . . . . . 17
    Triggers Shared with Other Modules . . . . . 17
        Issue Management and Remediation trigger . . . . . 18
        Risk and Control Self-assessments triggers . . . . . 18
        Visualization triggers . . . . . 22

Chapter 8. Profiles . . . . . 25
    OpenPages FCM 7.0.0 Master Profile . . . . . 25
    Home Page Filtered Lists . . . . . 25
    Activity Views . . . . . 25
    Grid Views . . . . . 26

Chapter 9. Role Templates . . . . . 27

Notices . . . . . 29

Index . . . . . 33


iv IBM OpenPages GRC Platform Version 7.0.0: Financial Controls Management Module Overview


Document Release and Update Information

This topic lists information about this document and where updates to this document can be found.

Document Release Information

Software Version: 7.0.0

Document Published: December, 2013

Document Updates

Supplemental documentation is available on the web. Go to the IBM® OpenPages® GRC Platform Information Center (http://pic.dhe.ibm.com/infocenter/op/v7r0m0/index.jsp).


Chapter 1. Introduction

Use this guide with the IBM OpenPages Financial Controls Management module.

Finding information

To find IBM OpenPages GRC Platform product documentation on the web, including all translated documentation, access the IBM OpenPages GRC Platform Information Center (http://pic.dhe.ibm.com/infocenter/op/v7r0m0/index.jsp). Release Notes are published directly to the Information Center, and include links to the latest technotes and APARs.

Accessibility features

Accessibility features help users who have a physical disability, such as restricted mobility or limited vision, to use information technology products.

IBM HTML documentation has accessibility features. PDF documents are supplemental and, as such, include no added accessibility features.

Module Description

IBM OpenPages Financial Controls Management reduces the time and resource costs associated with ongoing compliance for financial reporting regulations.

IBM OpenPages Financial Controls Management combines powerful document and process management with rich interactive reporting capabilities in a flexible, adaptable, easy-to-use environment, enabling CEOs, CFOs, managers, independent auditors and audit committees to perform all the necessary activities for complying with financial reporting regulations in a simple and efficient manner.

IBM OpenPages Financial Controls Management allows users to easily see the status of their financial controls documentation project, and provides a secure repository for the storage of their internal controls documentation.

Key features include:

• Financial Controls Management Repository, which logically presents processes, risks and controls in many-to-many and shared relationships at multiple levels, and enables file attachment capability and action plans for processes, risks, controls and tests at all levels.

• Flexible automation, which provides notification and completion of financial controls management activities, such as design review, operating review and certification.

• Reporting, monitoring and analytics.

Object Type Licensing

For the IBM OpenPages Financial Controls Management module, you are licensed to use the object types listed in Chapter 2, “Object Types,” on page 3. Use of any other object types is prohibited without prior written approval from IBM.


Chapter 2. Object Types

The IBM OpenPages Financial Controls Management module includes various object types that are enabled or disabled by default, and subcomponents.

Object Types Enabled by Default

The following object types are available in the default IBM OpenPages Financial Controls Management configuration and are enabled by default.

Table 1. Object types enabled by default

Business Entity
Business entities are abstract representations of your business structure. A business entity can contain sub-entities (such as departments, business units, or geographic locations). The entity structure that you create depends on your business needs. For example, you could create a parent entity for your business headquarters then a sub-entity for each location or department. You may also want to represent both a legal entity structure and a business entity structure.

Business entities are also used to organize library data such as risk and control libraries, or regulatory content (for example, laws, regulations, and standards).

When setting up your business entity hierarchy, you should work with your IBM OpenPages consultant as the structure of your business entities will greatly impact the type and quality of the information that can be extracted from the application.

Process
Processes represent the major end-to-end business activities within a business entity that are subject to risk. The processes will typically reside in areas such as financial reporting, compliance, information security, and so forth.

Sub-Process
A sub-process is a component of a Process. It is used to decompose processes into smaller granularity units for assessment purposes.

Risk
Risks are potential liabilities. Risks can be associated with, for example, business processes, business entities, or compliance with a particular mandate. Each risk has one or more controls associated with it that provide safeguards against the risk and help mitigate any consequences that may result from the risk. You can use the Risk object to categorize risks; capture the frequency, rating, and severity of inherent and residual risk data; and view reports that help identify your top risk items.

Control
Controls are typically policies and procedures (procedures are actions that implement the policies), to help ensure that risk mitigation responses are carried out.

Once you have identified the risks in your practices, you need to establish controls (such as approvals, authorizations, verifications, and so forth) that remove, limit, or transfer these potential risks.

Controls should be designed to provide either prevention or detection of risks. Controls are usually associated with tests that ensure a control is effective.


Table 1. Object types enabled by default (continued)

Preference Group, Preference
The Preference Group object is used for grouping Preference object instances together. Without this grouping object, each Preference object instance would need to be associated separately to each of the relevant Business Entities. The group object helps to minimize the associated maintenance.

The Preference object is a child of Business Entity, and is used for holding variable values that can drive reports, workflows, and computed fields (it has entity-specific variable values that enable different behavior for the same workflows). For example, to determine the behavior for review and approval workflows (e.g. who the appropriate users are for each level of review and approval, and what the thresholds are for determining how many levels of review and approval are required).

Test Plan
You can determine the operating effectiveness of a control by conducting one or more detailed tests of a control and then documenting the results. Test Plans are descriptions of the mechanisms that are used to determine whether or not a control is effective.

Test Result
A Test Result is the information that is obtained from running a Test Plan.

Risk Assessment
Risk assessments give you the ability to evaluate and report on potential liabilities for a set of business entities or processes. To manage your risk self-assessment process, use the Risk Assessment object, which contains the names of the assessor and reviewer, the time frames for the assessment, and the status of the assessment.

Account
Generally, Accounts correspond to the line items on a financial report, although not necessarily on a one-to-one basis. Each Account is affected by recurring Processes. These Processes can introduce Risks that must be documented during the financial controls documentation project.

Sub-Account
A Sub-Account represents a smaller, more targeted line item that is part of a larger parent Account (or of another Sub-Account). Each Sub-Account object can be associated with parent Account or Sub-Account objects.

Signature
A signature generally indicates agreement that the object meets your approval. It has no enforcement powers, and does not prevent the item from being modified after approval is given. An object with a signature has a signature icon next to the signer's name on the Signatures tab.

Depending on your system configuration, signatures (with or without associated locks) can be applied to an object in the following ways:

• Manually from the detail page of an object.

• Automatically through a workflow task.

• Some combination of both automatic and manual.

If signature locks are configured on your system, when you sign off on an object, the object and all its associated child objects are locked and cannot be modified until you either revoke your signature or an administrator unlocks the object.


Table 1. Object types enabled by default (continued)

Issue, Action Item
Although issues typically result from areas where internal controls are not properly implemented or designed, you can use the Issue object to document a concern that is associated with any object type.

An issue is resolved through one or more Action Items. You can use an Action Item object or a series of related Action Item objects to form an action plan. Each Action Item can be assigned to a user for resolution, and progress can be tracked from the detail page of the parent Issue. Once all Action Items for an Issue are complete (an assignee sets the value to 100%), you can close the Issue.

File
The File object type is used to embed a reference to a file (such as a document, flow chart or spreadsheet) in the OpenPages system, and associate it to one or more relevant objects.

Link
The Link object type is used to embed a reference to a URL in the OpenPages system, and associate it to one or more relevant objects.

Process Diagram
A Process Diagram is a child object of the Process and can have many diagrams per process. It is used to store the sequence of sub-processes or activities within a process with associated Risks and Controls along with any annotations such as decision nodes. All attributes of the Business Process visualization are stored in the Process Diagram object.

Data Input, Data Output
The Data Input Object and Data Output Object are child objects of the Process and can have associations only to existing Risks. They represent elements of a flow to depict an Input into the Business Flow or an Output from various activities within a process, such as running a report or updating a CRM system or getting an external data source feed.

Object Types Disabled by Default

The following object types are available in the default IBM OpenPages Financial Controls Management configuration and are disabled by default.

Table 2. Object types disabled by default

Questionnaire, Section, Question
Questionnaire, Section and Question are three objects that are used together to implement questionnaires.


Table 2. Object types disabled by default (continued)

Control Objective
A Control Objective is an assessment object that helps define the risk categories for a Process or Sub-Process. For each Process or Sub-Process, an organization sets the Control Objectives.

Control Objectives define the COSO compliance categories that the Controls associated with the Risks are intended to mitigate. For example, Control Objectives can be classified into one or more categories such as Compliance, Financial Reporting, Strategic, Operations, or Unknown.

Once a Control Objective is identified, the Risks belonging to that Control Objective can then be identified and defined. In most cases, each Control Objective will have one Risk associated with it. However, Control Objectives can have more than one Risk associated with them, so they are separated into their own object type.

Milestone, Milestone Action Item
A Milestone represents a significant point in the development of your project. You can tie Milestones to specific dates, or use them to signify the completion of a portion of the entire project. Milestones can contain other Milestones or Milestone Action Items. You cannot associate a Milestone with other objects in the object hierarchy.

A Milestone Action Item is a specific objective that must be completed in order to reach a Milestone. In general, all Milestone Action Items associated with a Milestone must be completed in order to reach a Milestone. When you are assigned a Milestone Action Item object, it is displayed (if configured) in the My Milestone Action Items section of your My Work tab.

Assertion
The Assertion object is used to link Control objects to Account (or Sub-Account) objects. A common practice is to store the “type” of assertion that the Control is covering as a data field on the Assertion object.

Risk Eval
Risk Evaluation objects are children of Risk objects and they are used to capture risk measurement values for trending purposes. Often reporting periods do not line up with risk evaluation cycles and so Risk Eval objects can be used to capture multiple evaluation cycles within a single reporting period.

Control Eval
Control Evaluation objects are similar to Risk Evaluation objects except that they are instantiated as children of Controls. They store control assessment data.

Risk Assessment Eval
Risk Assessment Evaluation objects are similar to Risk Evaluation objects except that they are instantiated as children of Risk Assessments. They store risk assessment data.

Process Eval
Process Evaluation objects are children of Process objects and they are used to capture process measurement values for trending purposes.

When the reporting periods do not align with the evaluation cycles, you can use Process Eval objects to capture multiple evaluation cycles within a single reporting period.


Subcomponents

IBM OpenPages GRC Platform modules consist of several subcomponents, which are groups of object types that support a logical function within a module. The following tables list the subcomponents for the IBM OpenPages Financial Controls Management module.

Table 3. Subcomponents shared with other modules (Subcomponent: Object Types)

Organization: Business Entity
Preference: Preference Group, Preference
Risk Assessment: Risk Assessment, Risk Assessment Eval
Process: Process, Process Eval, Sub-Process, Control Objective
Risk: Risk, Risk Eval
Control: Control, Control Eval
Issue: Issue, Action Item
Questionnaire: Questionnaire, Section, Question
Milestone: Milestone, Milestone Action Item
Visualization: Process Diagram, Data Input, Data Output

Table 4. FCM-specific subcomponents (Subcomponent: Object Types)

Account: Account, Sub-Account, Assertion

In addition to the subcomponents listed in the tables, the following object types are included in each module and can be accessed by any authorized user:

• Signature
• File
• Link


Chapter 3. Computed Fields

By default, the IBM OpenPages Financial Controls Management module does not include any computed fields.


Chapter 4. Helpers

By default, the IBM OpenPages Financial Controls Management module does not include any helper applications.


Chapter 5. Notification

Notifications are email notifications sent to owners of a process as a reminder to act. These notifications can occur at different stages of a process or as a final step in a trigger. All notifications that are sent from IBM OpenPages FCM use the sender address identified below. Configure the email address and server setting.

• /OpenPages/Solutions/ORM/Email/From Email - the sender address that is used to send notifications

• /OpenPages/Solutions/ORM/Email/From Name - configure this item to identify the email sender name that is used by notifications

• /OpenPages/Common/Email/Mail Server - configure this item to identify the email server that is used to send notifications

Notifications are part of the Issue Management and Remediation process.

Issue and Action Bulletin notification

During the closedown phase of the Issue Management and Remediation (IMR) process, an Issue and Action Bulletin is sent as an email notification to the users. The bulletin highlights important areas such as overdue issues and Actions that are due for closure. The administrator can set the frequency of this notification by using the Issue Management and Remediation (IMR) bulletin.

When the Issue is defined, its status is Open and the user must enter a value in the Current due date field. The due date is copied to a read-only field that contains the original due date. When the user creates an Issue, the Issue Owner (who might not be the same person who created the Issue) receives an email notification.

The Issue Owner must record the appropriate actions to resolve an identified Issue. The following data is captured in an Action Item:

• Description
• Assignee
• Start Date
• Due Date
• Actual Closure date
• Status (Read Only)
• A comment field to record the latest updates

The Issue Owner receives an email that summarizes the Actions that must be approved for closure. The owner can either Accept Closure or Reject Closure. When Actions are completed, the Issue Owner must review the Issue and update the status to Closed. If any child actions are Open or Awaiting Approval, the Issue Owner cannot close the issue.

Users receive email notifications through the consolidated Issue and Action bulletins. The bulletin consolidates the following information in an email:

• Issues Assigned to the recipient in the past number days
• Actions Assigned to recipient in the past number days
• Issues due for Closure in the next number days
• Actions due for Closure in the next number days
• Overdue Issues
• Overdue Actions
• Actions awaiting closure approval


Chapter 6. Reports

This section describes the reports that are available for the IBM OpenPages Financial Controls Management module.

The IBM OpenPages GRC Platform Modules Report Details document provides additional details on the reports described here.

For a description of additional reports installed with the IBM OpenPages GRC Platform and available to all modules, see the IBM OpenPages GRC Platform Administrator's Guide.

FCM-Specific Reports

The IBM OpenPages Financial Controls Management module does not include any FCM-specific reports.

Reports Shared with Other Modules

The IBM OpenPages Financial Controls Management module contains a number of reports that are shared with other IBM OpenPages GRC Platform modules.

Table 5. Risk Assessment Reports (Name, Drill-Through, Description)

Risk Assessment List (no drill-through)
Shows Risk Assessment details for a specified Business Entity and all of its descendents.

Risk Assessment Status (drill-through: Risk Assessment Status Detail)
Displays a stacked column chart showing the status of Risk Assessments for the specified Business Entity and its direct descendents.

Risk Assessment Summary (drill-through: Risk Assessment Issues and Action Items)
Displays Risk Assessment details along with all associated Risks and Controls. A drill through report displays Issues and Action Items that are related to the Risk Assessments, Risks, or Controls.

Risk Assessment Issues and Action Items (no drill-through)
Shows all Issues and Action Items that are related to the selected Risk Assessment and its associated Risks and controls. Parent Object shows only the Risk Assessment, Risk, and Control parents. The report prompts for two values: Business Entity and Risk Assessment.

Data is filtered on the selected entity. Users can select from all Risk Assessments that are associated, whether directly or indirectly, to the selected business entity.


Table 6. Risk Reports (Name, Drill-Through, Description)

Risk Analysis (no drill-through)
Shows Risks grouped by Process for a specified Business Entity.

Risk Heat Map (drill-through: Risk Detail)
Displays a table that aggregates Risks by Residual Impact and Likelihood for a specified Business Entity.

Risk Rating by Entity (drill-through: Risk Rating by Entity Detail)
Displays Residual Risk Rating summary information for the selected Business Entity and its descendents, with the ability to drill-through to risk details.

Risk Rating by Category (drill-through: Risk Rating by Category Detail)
Displays Risk Category and Residual Risk Rating summary information for the selected Business Entity, with the ability to drill-through to Risk details.

Top Risks (no drill-through)
Summary of the top Risks ranked by Residual Risk Exposure, and also shows the Inherent Risk Exposure. By default, Risk quantitative assessment fields are not included in IBM OpenPages FCM, so this report may not be appropriate for IBM OpenPages FCM users.

Table 7. Control Reports (Name, Drill-Through, Description)

Risk and Control Matrix (no drill-through)
Shows Risk and Control data for specified Business Entity and Process(es).

Control Effectiveness Map (drill-through: Control Effectiveness Detail)
Control map shows counts of Controls grouped by Process(es) and Operating Effectiveness, with the ability to drill-through to a sub-report for detail information.

Table 8. Testing Reports (Name, Drill-Through, Description)

Testing Dashboard (drill-through: Testing Details)
Displays summary Test Result information for the selected Business Entity, with the ability to drill-through to detail and trend information.

Table 9. Visualization reports (Name, Description)

Process Analysis
Displays Risk and Controls in the context of a process diagram. Provides an aggregated view of Risk and Controls with risk rating and control effectiveness at the Process and Business Entity level.


Chapter 7. Triggers

The IBM OpenPages Financial Controls Management module contains several available triggers.

The IBM OpenPages Modules Trigger Details document provides more information about the triggers described here.

Before you use the ObjectManager tool to load XML instance data, you must disable triggers on object types for which you will be loading data.

Object types that are configured for the IBM OpenPages Financial Controls Management module to have triggers by default include:

• Risk
• Action Item
• Issue
• Data Input
• Data Output

Object types that are configured for other IBM OpenPages GRC Platform modules to have triggers by default include:

• Audit
• Audit Section
• Workpaper
• Plan
• Timesheet
• Finding
• Audit Review Comment
• Loss Event
• Loss Impact
• Loss Recovery
• KRI Value
• KPI Value
• File (SOXDocument)
• Policy

FCM-Specific Triggers

The IBM OpenPages Financial Controls Management module does not include any FCM-specific triggers.

Triggers Shared with Other Modules

Several triggers are shared with other IBM OpenPages GRC Platform modules.


Issue Management and Remediation trigger

In an Issue Management and Remediation (IMR) framework, you can effectively document, monitor, remediate, and audit identified Issues.

Issues are items that are identified against the documented framework and are deemed to negatively affect the ability to accurately manage and report risk. In its lifecycle, an issue can have only one of two states: Open or Closed.

To resolve the identified Issue, the Issue Owner establishes and records the appropriate actions. When the Action is complete, the Assignee sets the Submit for Closure field to Yes. When this field is saved, a trigger is started and completes the following actions:

• Copies the value in the Issue Owner field from the parent Issue to the Action
• Sets the Action field to Awaiting Approval

The Issue owner reviews the Action and can specify to either Accept Closure or Reject Closure. If the Action is saved with Reject Closure, the status reverts to Open and the Action returns to the Action Assignee.

Several triggers are used to automate the Issue management process.

Issue Lifecycle trigger

The Issue Lifecycle trigger sets the Original Due date on the first instance of Save of Issue and checks for any Open Actions when the Issue is saved with a status of Closed.

When an Issue object type is created or updated, and the status of the Issue object type is set to Closed, the trigger completes the following actions:

• The trigger checks all direct child Actions and determines whether they are all closed. If any Actions have a status of Open or Awaiting Approval, the trigger generates an error message. If all Actions are closed, the trigger saves the changes.

Note: As an administrator, you can configure the error message under the Administrator > Settings menu.

• If the Original Due date field on the Issue is blank, the trigger populates the Original Due date with the Current Due date value.

Risk and Control Self-assessments triggers

The Risk Assessments process is used to identify, assess, and quantify a risk profile of the business. Each Risk is assessed on either a Qualitative or Quantitative basis.

When a Risk is saved, the Qualitative risk rating trigger determines a Risk Rating of Low, Medium, High, or Very High. The trigger also populates the hidden Quantitative fields: Severity, Frequency, and Exposure.

When a Risk is saved, the Quantitative risk rating trigger completes the following actions:
1. Computes the Exposure (Frequency x Severity)
2. Computes the Risk Rating as Low, Medium, High, or Very High
3. Derives the Impact value (1 - 10) based on a mapping table for each Business Unit that is stored in its Preference record.
4. Derives the Likelihood value (1 - 10) based on a mapping table for each Business Unit that is stored in its Preference record.

RCSA Quantitative trigger

The Risk and Control Self-assessments (RCSA) Quantitative trigger sets the Risk Rating and establishes impact, likelihood, and exposure for risks that are entered by using the Quantitative method. The trigger occurs only if the values for the Impact or Likelihood fields for Risk were modified.

Important: You must determine whether you want to assess risks by using a quantitative or qualitative approach. If you chose qualitative, this trigger does not apply. The option for quantitative or qualitative is set during the Application installation of IBM OpenPages GRC Modules. For more information, see the IBM OpenPages GRC Platform Modules Installation Guide.

When a Risk object is updated, associated, or disassociated, the trigger completes the following actions:
• Obtains the parent Preference object.
  The trigger attempts to find the Preference object associated with the business entity. The trigger traverses up the parent Entity hierarchy until a Preference object that is associated with a business entity is found. The preference object contains the settings for required parameters as described in the Severity table.
• Determines the Impact fields of the Risk object.
  The Impact is calculated by identifying the threshold range in which the Severity Value falls. If any Severity value is null, the previous value is managed as the MAX Severity.

Table 10. Impact value based on severity value

  Severity value                    Impact value
  >= 0 and <= Severity 1            1
  > Severity 1 and <= Severity 2    2
  > Severity 2 and <= Severity 3    3
  > Severity 3 and <= Severity 4    4
  > Severity 4 and <= Severity 5    5
  > Severity 5 and <= Severity 6    6
  > Severity 6 and <= Severity 7    7
  > Severity 7 and <= Severity 8    8
  > Severity 8 and <= Severity 9    9
  > Severity 9                      10

• Determines the Likelihood fields on the SOXRisk object.
  The Likelihood is calculated by identifying the threshold range in which the Frequency value falls. If any Frequency value is null, the previous value is managed as the MAX frequency.

Table 11. Likelihood value based on frequency value

  Frequency value                     Likelihood value
  >= 0 and <= Frequency 1             1
  > Frequency 1 and <= Frequency 2    2
  > Frequency 2 and <= Frequency 3    3
  > Frequency 3 and <= Frequency 4    4
  > Frequency 4 and <= Frequency 5    5
  > Frequency 5 and <= Frequency 6    6
  > Frequency 6 and <= Frequency 7    7
  > Frequency 7 and <= Frequency 8    8
  > Frequency 8 and <= Frequency 9    9
  > Frequency 9                       10

• Calculates the Exposure as Severity multiplied by Frequency.
• Where the Impact value is X and the Likelihood value is Y:
  The XMAX value is the maximum value for impact. The YMAX value is the maximum value for likelihood.
  The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/YMAX.
  The XMAX and YMAX values are defined during installation. Do not change these values. If these values are changed, the RCSA Qualitative and Quantitative triggers might not correctly compute the risk rating.
  The trigger computes the Risk Rating by using the following formula:

  ((X x X) + (Y x Y)) / ((Xmax x Xmax) + (Ymax x Ymax))

The rating value is 0 - 1 and expressed as a percentage.

Table 12. Risk ratings based on rating values

  Rating value    Risk rating
  0 - 25 %        LOW (green)
  26 - 50 %       MEDIUM (yellow)
  51 - 75 %       HIGH (orange)
  76 - 100 %      VERY HIGH (red)

RCSA Qualitative trigger

The Risk and Control Self-assessments (RCSA) Qualitative trigger sets the Risk Rating and establishes severity, frequency, and exposure for risks that are entered by using the Qualitative method.

Important: You must determine whether you want to assess risks by using a quantitative or qualitative approach. If you chose quantitative, this trigger does not apply. The option for quantitative or qualitative is set during the Application installation of IBM OpenPages GRC Modules. For more information, see the IBM OpenPages GRC Platform Modules Installation Guide.

When a Risk object is updated, associated, or disassociated, the trigger completes the following actions:
• Evaluates the Preference record for the entity, or its parent entity if no Preference record exists.
  The trigger attempts to find the Preference object associated with the business entity. The trigger traverses up the parent Entity hierarchy until a Preference object that is associated with a business entity is found. The preference object contains the settings for required parameters as described in the Severity table.
• Evaluates the Severity fields of the Risk object.
  The Severity is determined by the Impact Value mappings that are specified in the Preference object.

Table 13. Severity based on impact values

  Impact value    Severity
  1               Severity 1
  2               Severity 2
  3               Severity 3
  4               Severity 4
  5               Severity 5
  6               Severity 6
  7               Severity 7
  8               Severity 8
  9               Severity 9
  10              Severity 10

• Based on the Likelihood, evaluates the Frequency fields of the Risk object.
  The Frequency is determined by the Likelihood Value mappings that are specified in the Preference object.

Table 14. Frequency based on Likelihood values

  Likelihood value    Frequency
  1                   Frequency 1
  2                   Frequency 2
  3                   Frequency 3
  4                   Frequency 4
  5                   Frequency 5
  6                   Frequency 6
  7                   Frequency 7
  8                   Frequency 8
  9                   Frequency 9
  10                  Frequency 10

• Calculates the Exposure as Severity multiplied by Frequency.
• Where the Impact value is X and the Likelihood value is Y:
  The XMAX value is the maximum value for impact. The YMAX value is the maximum value for likelihood.
  The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/YMAX.
  The XMAX and YMAX values are defined during installation. Do not change these values. If these values are changed, the RCSA Qualitative and Quantitative triggers might not correctly compute the risk rating.
  The trigger computes the Risk Rating by using the following formula:

  ((X x X) + (Y x Y)) / ((Xmax x Xmax) + (Ymax x Ymax))

The rating value is 0 - 1 and expressed as a percentage.

Table 15. Risk ratings based on rating values

  Rating value    Risk rating
  0 - 25 %        LOW (green)
  26 - 50 %       MEDIUM (yellow)
  51 - 75 %       HIGH (orange)
  76 - 100 %      VERY HIGH (red)
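The arithmetic of both RCSA triggers worked through as an added example: the threshold lookups of Tables 10 and 11, the Exposure product, the XMAX/YMAX rating formula and the rating bands of Tables 12 and 15 for the Quantitative trigger, and the inverse Impact/Likelihood lookups of Tables 13 and 14 for the Qualitative trigger. This is illustrative code, not the OpenPages trigger implementation; the threshold values, XMAX/YMAX and the sample risk values are constructed, and the treatment of a null threshold and of band boundaries are assumptions noted in the comments.

```python
"""Worked model of the RCSA Quantitative and Qualitative trigger arithmetic.

Added illustration, not OpenPages code. Thresholds, XMAX/YMAX and sample risks
are constructed; in the product the thresholds come from the entity's Preference
record and XMAX/YMAX from /OpenPages/Application/GRCM/ORM/Triggers/RCSA/{XMAX,YMAX}.
"""
from typing import Optional, Sequence

# Constructed Preference record: values of Severity 1..10 and Frequency 1..10.
# Entries 1..9 are the band thresholds of Tables 10 and 11; band 10 is open-ended.
SEVERITY = [1000, 5000, 10000, 25000, 50000, 100000, 250000, 500000, 1000000, 5000000]
FREQUENCY = [0.1, 0.25, 0.5, 1.0, 2.0, 5.0, 10.0, 25.0, 50.0, 100.0]
XMAX = 10  # maximum Impact (installation setting; constructed here)
YMAX = 10  # maximum Likelihood (installation setting; constructed here)


def band(value: float, thresholds: Sequence[Optional[float]]) -> int:
    """Tables 10/11: the 1..10 band in which `value` falls.

    Assumed reading of the page's null rule ("the previous value is managed as
    the MAX"): thresholds are cut at the first null, so the last non-null value
    becomes the top bound and anything above it lands in the next band.
    """
    if value < 0:
        raise ValueError("Severity/Frequency values must be >= 0")
    bounds = []
    for t in thresholds[:9]:          # only Severity/Frequency 1..9 are bounds
        if t is None:
            break
        bounds.append(t)
    for i, upper in enumerate(bounds, start=1):
        if value <= upper:
            return i
    return len(bounds) + 1


def rating_value(x: int, y: int) -> float:
    """The page's formula: ((X x X) + (Y x Y)) / ((Xmax x Xmax) + (Ymax x Ymax))."""
    return (x * x + y * y) / (XMAX * XMAX + YMAX * YMAX)


def risk_rating(value: float) -> str:
    """Tables 12/15 bands. Assumed boundary rule: compare as a percentage with <=,
    so exactly 25% is LOW and 25.5% is MEDIUM."""
    pct = value * 100
    if pct <= 25:
        return "LOW"
    if pct <= 50:
        return "MEDIUM"
    if pct <= 75:
        return "HIGH"
    return "VERY HIGH"


def quantitative_trigger(severity: float, frequency: float,
                         sev_thresholds: Sequence[Optional[float]] = SEVERITY,
                         freq_thresholds: Sequence[Optional[float]] = FREQUENCY) -> dict:
    """Quantitative method: Severity/Frequency -> Impact, Likelihood, Exposure, Rating."""
    impact = band(severity, sev_thresholds)
    likelihood = band(frequency, freq_thresholds)
    value = rating_value(impact, likelihood)
    return {"impact": impact, "likelihood": likelihood, "exposure": severity * frequency,
            "rating_value": value, "risk_rating": risk_rating(value)}


def qualitative_trigger(impact: int, likelihood: int) -> dict:
    """Qualitative method (Tables 13/14): Impact/Likelihood -> Severity, Frequency,
    Exposure, Rating; the inverse direction of quantitative_trigger."""
    if not (1 <= impact <= XMAX and 1 <= likelihood <= YMAX):
        raise ValueError("Impact must be 1..XMAX and Likelihood 1..YMAX")
    severity = SEVERITY[impact - 1]        # Impact n -> "Severity n"
    frequency = FREQUENCY[likelihood - 1]  # Likelihood n -> "Frequency n"
    value = rating_value(impact, likelihood)
    return {"severity": severity, "frequency": frequency, "exposure": severity * frequency,
            "rating_value": value, "risk_rating": risk_rating(value)}
```

With the constructed thresholds, a Severity of 30000 and Frequency of 3.0 give Impact 5 and Likelihood 6, a rating value of 0.305 and therefore MEDIUM; the same rating arithmetic applied to Impact 7 and Likelihood 3 (Severity 7 = 250000, Frequency 3 = 0.5) gives 0.29, also MEDIUM.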

Risk Approval Submission trigger

The Risk Approval Submission trigger updates the Status field on Risk and Controls so that the Process Owner can process the Approval.

When a Risk object is created or updated, and the Submit for Approval field value is set to Yes, the trigger completes the following actions:
• Obtains all associated child Control objects and applies validation rules.
  All child Control objects are assessed and the Status field is set to Awaiting Assessment.
• Updates the Status field on the Risk object and all associated control objects from Awaiting Assessment to Awaiting Approval.
• Obtains the parent Process object to obtain all Risk objects and checks whether all risks for a Process are Awaiting Approval.
• Determines whether all risks for a Process are awaiting approval, and continues based on the following status:
  – If the status is Yes, the trigger ends its process.
  – If the status is No, the trigger sets the Status of the parent Process object to Awaiting Approval, and sends an email notification to the Process Owner.

RCSA Risk and Control Approval trigger

The RCSA Risk and Control Approval trigger allows the Process Owner to approve or reject an assessment of a risk and its controls.

When a Risk object Approve/Reject field is set to Approve or Reject, the trigger completes the following actions:
• If the Approve/Reject field is set to Reject, the trigger updates the Status field value of the Risk and associated Controls to Awaiting Assessment, and sends an email notification to the Risk Owner.
• If the Approve/Reject field is set to Approve, the trigger continues with the following processes:
  – Updates the Status field value of the Risk and associated Controls to Approved.
  – Updates the Process status to Approved, sets the Approval Date, and sends an email notification to the RCSA coordinator.

Visualization triggers

The Visualization triggers prevent the user from adding new Risks as children of the Data Input and Data Output object types.

Risks can only be made children of these object types by associating existing Risks to them. Data Input and Data Output object types are not allowed to be primary parents of Risks.


Chapter 8. Profiles

The IBM OpenPages Financial Controls Management module includes the OpenPages FCM 7.0.0 Master profile by default.

OpenPages FCM 7.0.0 Master Profile

The OpenPages FCM 7.0.0 Master Profile includes the fields and configuration for all of IBM OpenPages Financial Controls Management.

This profile includes:
• Filters
• My Work Home page and Home page tabs
• Dependent fields and dependent picklists
• Activity, Detail, Context, Folder, Overview, Filtered List, and List Views

Subsets of this profile that are appropriate for a Process Owner, Control Tester, and so on, are created during the implementation project.

Home Page Filtered Lists

By default, the IBM OpenPages Financial Controls Management module contains filtered lists that are defined for the My Work tab on the Home page for users of the OpenPages FCM 7.0.0 Master profile.

Table 16. My Work tab filtered lists for the OpenPages FCM 7.0.0 Master profile

  Filter                Description                                          Object Type
  My Open Issues        Home Page access to your open Issues.                Issue
  Failed Test Results   Home Page access to Test Results that have failed.   Test Result

Activity Views

By default, the IBM OpenPages Financial Controls Management module contains several activity views that are defined for users of the OpenPages FCM 7.0.0 Master profile.

Table 17. Activity views for the OpenPages FCM 7.0.0 Master profile

  Activity View Name        Description
  Control Testing Summary   Used to indicate Control Operating Effectiveness. Provides Test Plan and Test Result information that informs the Operating Effectiveness decision.
  Questionnaire Set Up      Used to create and modify questionnaires using the Questionnaire, Section, Question object model.
  Questionnaire             Used to respond to questionnaires using the Questionnaire, Section, Question object model.
  Control Assessment        Facilitates conducting process-based Risk and Control Self Assessments.
  Process Approval          Used by the Process Owner to confirm the assessment of each Risk and Control.
  RCSA Approval             Used by the Risk Coordinator to approve Risk and Control Self Assessments.

Grid Views

There are no grid views defined for users of the OpenPages FCM 7.0.0 Master Profile.


Chapter 9. Role Templates

By default, the following role templates are available for the IBM OpenPages Financial Controls Management module.

OpenPages FCM 7.0 - All Permissions
  Full Read, Write, Delete, Associate (R/W/D/A) access to all default FCM object types that are present and enabled by default. Full administrator rights.

OpenPages FCM 7.0 - All Data - No Admin
  Full Read, Write, Delete, Associate (R/W/D/A) access to all default FCM object types that are present and enabled by default. No administrator rights except those associated with workflows, files and folders.

The above role templates provide read, write, delete and associate access to the following object types.

Table 18. Object types

  Object type name                    Object type label
  DataInput                           Data Input
  DataOutput                          Data Output
  ProcessDiagram                      Process Diagram
  RiskAssessment                      Risk Assessment
  SOXAccount                          Account
  SOXBusEntity                        Business Entity
  SOXControl                          Control
  SOXDocument, SOXExternalDocument    File, Link
  SOXIssue                            Issue
  SOXProcess                          Process
  SOXRisk                             Risk
  SOXSignature                        Signature
  SOXSubaccount                       Sub-Account
  SOXSubprocess                       Sub-Process
  SOXTask                             Action Item
  SOXTest                             Test Plan
  SOXTestResult                       Test Result


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. This document may describe products, services, or features that are not included in the Program or license entitlement that you have purchased.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Location Code FT0
550 King Street
Littleton, MA 01460-1250
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.


Copyright

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2013.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written.

These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Trademarks

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.

Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.


Index

A
Action items 18

D
Data Input trigger 23
Data Output trigger 23

I
Impact values 19, 20
Issue (object type) 18
Issue and Action Bulletin notification 13
Issue Lifecycle trigger 18
Issues
  management 18

L
Likelihood values 19, 20

N
notifications 13
  Issue and Action Bulletin 13

O
object types
  Issue 18
  SOXRisk 19

R
RCSA Qualitative trigger 20
RCSA Quantitative trigger 19
RCSA Risk and Control Approval trigger 22
RCSA triggers 18
Risk and Control Self-assessments triggers
  See RCSA triggers
Risk Approval Submission trigger 22

S
Severity values 20
SOXRisk (object type) 19

T
triggers
  Issue Lifecycle 18
  RCSA Qualitative 20
  RCSA Quantitative 19
  RCSA Risk and Control Approval 22
  Risk Approval Submission 22
  visualization 23

V
visualization triggers 23