Aris Governance Risk Compliance[1]

www.ids-scheer.com

ARIS Platform - White Paper

White Paper, June 2008

Governance, Risk & Compliance Management with ARIS

Table of Contents

1 Increasingly complex requirements demand implementation of a GRC platform (p. 3)
1.1 Why GRC? (p. 4)
- German Supervision and Transparency in the Area of Enterprise Act (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich - KonTraG) (p. 4)
- Minimum requirements for bank equity (Basel II) (p. 4)
- Sarbanes-Oxley Act (p. 4)
- The 8th EU Directive (EURO-SOX) (p. 5)
- Markets in Financial Instruments Directive (MiFID) (p. 5)
- Solvency II (p. 5)
- Setting up a QM system to comply with DIN ISO 9000:2000 (p. 5)
- Draft statement of minimum requirements for risk management in banks as of February 2, 2005 (p. 6)
- Combating money laundering (p. 6)
1.2 Added value through international standards for setting up internal control systems (p. 7)
- CObIT (Control Objectives for Information and Related Technology) (p. 7)
- COSO Framework (p. 7)
- SAS 70 (p. 7)
1.3 Applying standards - not reinventing the wheel (p. 8)
2 Well equipped for integrated GRC management (p. 8)
2.1 Acting, not reacting (p. 9)
2.2 Integrated GRC architecture (p. 10)
2.3 ARIS Solution for GRC – seamless and integrated (p. 11)
- ARIS Business Architect (p. 12)
- ARIS Risk & Compliance Manager (p. 13)
- ARIS Business Publisher (p. 16)
- ARIS Process Risk Scout (p. 16)
2.4 Interaction with other external applications (p. 17)
- Document management systems (p. 17)
- Directory services (p. 17)
- Operational systems (p. 17)
- Authorization systems (p. 17)
3 From nightmare to competitive advantage (p. 18)
4 Bibliography (p. 19)

1 Increasingly complex requirements demand implementation of a GRC platform

GRC aims to align a company with the requirements of its interest groups and help identify changes in those requirements. It focuses on sustainable, risk- and value-based, ethical, and legally compliant corporate management. All relevant expectations of the interest groups result from the requirements of the three elements of corporate governance, risk management and compliance.

Corporate governance refers to a framework for goal-oriented, responsible, ethical and legally compliant management and control of a company.

Risk management refers to handling risks that pose a threat to the achievement of strategic and operational corporate goals.

Compliance refers to meeting all relevant internal and external requirements, both binding and non-binding, of all interest groups.

Non-compliance with these requirements is a risk for companies and affects numerous corporate processes. This raises the fundamental question of how compliance with all relevant requirements can be ensured.

Governance, risk and compliance management comprises risk-oriented corporate management within a framework of principles for goal-oriented, responsible, ethical, controlling and legally compliant management. It also includes the documented incorporation of all relevant internal and external, current and future, binding and non-binding regulations and requirements into the design of business processes in a way that can be audited at any time.

Fig. 1: Various GRC requirements that companies face

Many companies have taken initial steps in the right direction. Individual control systems have been put in place for specific divisions and legal regulations. In most cases, however, these control systems do not access a shared database and many lack a uniform conceptual basis. A decentralized approach, combined with other factors such as time pressure, has led to the creation of isolated applications in different company areas, which rely on different IT support systems and are incompatible or cannot be evaluated.

Defining effective controls on a risk basis, documenting them, and monitoring whether they remain up to date and effective in a constantly changing, dynamic GRC and business environment is a major challenge facing companies today.

As activities that do not directly add value, controls must be kept to the necessary minimum. Integrated GRC management therefore affords companies an opportunity to ensure the efficiency and effectiveness not only of the processes themselves but also of the actual controls implemented.

Many laws and directives require a company’s internal control system to be ready for audit at any time. This calls for complete and audit-acceptable documentation and monitoring of controls, as well as the definition of processes and responsibilities for dealing with deficiencies and for releasing documents and test intervals.

In addition, test data must be processed for external or internal auditors or management at certain times in an appropriate form for the relevant target group. For all these tasks, it is extremely important for companies to establish a central GRC strategy. This ensures that the various activities can be combined into a consolidated GRC management system and that all synergies (personnel resources, data, IT, and existing knowledge) can be efficiently exploited.

1.1 Why GRC?

Continually developing systems lead to increasingly complex corporate processes. While many work steps and inspections were still performed manually twenty years ago, today’s systems can order materials and also carry out the corresponding payments and postings of business transactions. Against this background of growing process complexity, the creation and monitoring of an appropriate and effective internal control system is essential to ensuring a company’s lasting success.

The large number of accounting scandals in recent years has led to international and national legislation that obliges companies to set up (accounting-related) internal auditing systems and to implement technical standards and recommendations to restore confidence in financial reporting. Some of these regulations are briefly discussed below.

German Supervision and Transparency in the Area of Enterprise Act (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich - KonTraG)

Passed eight years ago, this law requires companies to implement and operate a company-wide early warning system for business risks. As a minimum, this system must be able to identify and evaluate risks that threaten the company’s existence, define measures to monitor risks and verify that the defined measures have been taken. These may be strategic risks (e.g. market developments/new competitors), IT risks (e.g. system failures, data losses), or operational risks (e.g. production outages). Suitable measures for controlling these risks must then be taken to prevent situations that threaten the company’s existence. Finally, the implementation of the defined risk-control actions should be tested and a cost-benefit analysis carried out.

Minimum requirements for bank equity (Basel II)

In its current revision of the minimum requirements for bank equity (Basel II), the Basel Committee of the Bank for International Settlements (with headquarters in Basel, Switzerland) requires dedicated handling of operational risks (OpRisk) for the first time. Banks must maintain sufficient equity for their OpRisk to ensure sufficient reserves in case of losses due to these risks.

This framework is not legally binding in itself, but national central banks have generally adopted it without changes into binding legal standards. The framework is currently being implemented under European law through the EuroCAD 3 directive. Basel II is therefore legally binding.

Sarbanes-Oxley Act

Following numerous accounting scandals and company crashes, the Sarbanes-Oxley Act (SOX) was passed in 2002 with a view to improving the quality of risk management and control systems in companies. Section 404 regulates the implementation and monitoring of processes to guarantee an efficient (accounting-related) internal control system. The act requires that companies and their subsidiaries listed on the American stock exchange are able to prove the efficiency of internal control systems for financial reporting. Within the scope of numerous Sarbanes-Oxley projects, companies are currently checking their internal control systems for weak points. Process flows and internal controls are systematically recorded and documented, existing weaknesses are eliminated and the effectiveness of these controls is repeatedly tested.

The 8th EU Directive (EURO-SOX)

The purpose of the 8th EU Directive, or Audit Directive, is to tighten up the requirements to be met by published company accounts, along the lines of the US Sarbanes-Oxley Act. On September 28, 2005, the European Parliament adopted the proposed compromise text of the directive at its first reading. Internal control systems will therefore need to comply with higher standards in the EU in the future. All processes and their controls must be documented to provide reliable proof that all business transactions have been handled correctly. With reference to IT, this means that the security and availability of IT systems must be verifiable. The key change for companies of public interest is the requirement to set up an audit committee. The duties of such a committee include monitoring the effectiveness of internal audit activities, the risk management system, and the internal control system.

The 8th EU Directive will be implemented in national law by June 28, 2008.

Markets in Financial Instruments Directive (MiFID)

The Markets in Financial Instruments Directive (MiFID) is an EU Directive designed to harmonize the financial markets within the European internal market. The Directive was officially adopted under the title “Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments amending Council Directives 85/611/EEC and 93/6/EEC and Directive 2000/12/EC of the European Parliament and of the Council and repealing Council Directive 93/22/EEC.”

In early February 2006, the European Commission published draft documents covering implementation of the Directive. The European Parliament consented to an extension of the deadline for implementation, according to which Member States had to put MiFID, together with the Implementation Directive, into force no later than January 31, 2007. The regulations themselves must be applied no later than November 1, 2007. The Directive is implemented in German law by the “Act Implementing MiFID” (FRUG), in conjunction with the “Ordinance on Specifying the Rules of Conduct and Organizational Requirements for Companies providing Securities Services” (WpDVerOV).

Solvency II

The Solvency II directive aims to establish a risk-based solvency system to enable risk-oriented evaluation of premium regulations and to take account of dependencies between assets and liabilities, as well as recent concepts in the fields of risk management, insurance mathematics, financing methods, and financial reporting. Actuarial, operational, market and credit risk are to be taken into account, as well as the risk of incongruity between assets and liabilities. Sophisticated methods of risk analysis and capital allocation are available to ensure a more accurate determination of a company’s realistic equity-to-assets ratio. Solvency II is closely associated with Basel II, the legal supervisory basis for banks, and IFRS, the new accounting principles.

Setting up a QM system to comply with DIN ISO 9000:2000

DIN ISO 9000:2000 requires a company to set up process-oriented QM systems. Implementing a quality management system should enhance a company’s efficiency by speeding up improvement processes, reducing frictional losses and boosting employee motivation through clear structures and well-defined instructions. Furthermore, customer and employee confidence in the quality of the company’s goods and services is reinforced in a sustainable manner. The main requirement of this standard is the process-oriented alignment of the company and thus also of the QM system. This means that all departments and functions within the company must be examined to determine how they interact, because quality is the responsibility of the company as a whole, rather than of individual departments.

Draft statement of minimum requirements for risk management in banks as of February 2, 2005

With the publication of the draft statement of the German Federal Financial Supervisory Authority (BaFin) on the minimum requirements for risk management in banks dated February 2, 2005, the BaFin considers essential elements of the second pillar of the Basel Accord – the Supervisory Review Process (SRP) – and the essential guidelines for implementation.

A key element of the SRP is the “Internal Capital Adequacy Assessment Process” (ICAAP). According to ICAAP, institutions must ensure that sufficient “internal capital” is available to cover all major risks, based on the individual risk profile. This assessment, which is based on an “integrated risk examination”, requires the institutions to have implemented appropriate management, control and monitoring processes. In this respect, the statement represents a basis for assessment by the supervisory body. Specifically, the statement is based on Section 25a, paragraph 1 of the German Banking Act (KWG), under which every institution must have a business organization that complies with the regulations.

Combating money laundering

Prevention of money laundering is an essential part of banking supervisory law. It particularly affects banks and financial service institutions as defined in Section 1 of the German Banking Act (KWG), which are subject to supervision by the Federal Financial Supervisory Authority (BaFin). However, industrial companies are also obliged to implement the provisions of the German Money Laundering Act (GwG). The following key elements of money laundering prevention warrant special mention:

- Know Your Customer Principle (Know the Source of the Money Principle)
- Identification obligations and obligation to determine the true owner
- Obligation to record results and keep records. The prosecuting authorities can access these records in the course of investigations and trace the flow of money that may have been involved in crime (referred to as the “paper trail”).

In particular, complying with and implementing these obligations requires the development of internal principles, as well as appropriate business and customer-related security systems. Appropriate business and customer-related security systems are usually set up using software that enables extensive data pools to be evaluated and linked by customer, turnover and business type. The processes and the controlling environment must be adapted accordingly. The BaFin states that not only customer groups, but also business processes must be subject to money laundering control activities.

1.2 Added value through international standards for setting up internal control systems

CObIT (Control Objectives for Information and Related Technology)

Unlike the regulations discussed above, CObIT is an internationally acknowledged framework for strategic IT management, rather than a binding law. It helps companies to comply with various legislation and international standards. CObIT is published by the IT Governance Institute (ITGI). The ITGI’s role is to produce an internationally recognized set of IT control targets for managers and auditors.

CObIT makes a company’s IT measurable and therefore manageable in terms of business goals. The framework combines 41 national and international standards dealing with quality, safety and compliance with regulations:

- Technical standards, such as ISO, EDIFACT
- Codes of conduct, published by the EU, OECD, ISACA
- Qualification criteria for IT systems and processes, including ITSEC, TCSEC, ISO 9000, ISO 17799, ITIL
- Professional standards in terms of internal control and auditing: COSO report, IFAC, AICPA, IIA, ISACA, PCIE, GAO
- Industrial practices and requirements of industrial committees
- Requirements from the banking, electronic commerce, and IT sectors

Requirements relating to the Sarbanes-Oxley Act

Effective IT control plays an important role in the context of Sarbanes-Oxley. The underlying auditing standard (PCAOB Auditing Standard No. 2) requires the setting up of controls for IT systems that “have a significant effect on financial reporting”.

In 2004, the IT Governance Institute (ITGI) published the “IT Control Objectives for Sarbanes-Oxley”. In this publication, 12 of the 34 existing CObIT processes are identified as relevant for Sarbanes-Oxley. Companies that successfully implement CObIT therefore already meet a majority of the IT-related requirements from the Sarbanes-Oxley Act.

COSO Framework

Like CObIT, the COSO Framework is an internationally recognized framework for the adequate definition of an internal control system and related goals, rather than a binding law. It was developed by the Treadway Commission’s “Committee of Sponsoring Organizations”.

Fig. 2: Elements of an adequate ICS according to COSO II

Once an internal control system contains all the components described in the COSO Framework, it can be declared appropriate for the purposes of meeting statutory requirements. This is expressed, for example, in PCAOB Auditing Standard No. 2 by an explicit reference to the COSO Framework. National and international standards for auditors have also adopted the elements of the COSO Framework (for example, see IDW (German Institute of Auditors) PS 260).

SAS 70

“SAS 70” (Statement on Auditing Standards No. 70) reporting has become the de facto international standard for auditing in (IT) service organizations. SAS 70 is the internationally recognized AICPA (American Institute of Certified Public Accountants) standard for compliance with Section 404 of the Sarbanes-Oxley Act.

1.3 Applying standards - not reinventing the wheel

The standards mentioned in this section help companies set up comprehensive control frameworks and meet the requirements of a wide variety of regulations. As a result of risk or quality management requirements, many companies have already adopted one of these approaches and therefore only need to supplement their existing structures. In any case, the right choice and appropriate use of standards can considerably reduce roll-out times and costs, provide a guarantee of the completeness and quality of a GRC solution, and ensure the reusability of structures and data for future requirements.

2 Well equipped for integrated GRC management

Definitive regulations as to the form that an internal control system should take and the necessary components for it to be classified as appropriate are not specified in the Sarbanes-Oxley Act, the national IDW professional regulations or other laws and standards.

As far as regulations exist, they specify the obligation to set up an appropriate internal control system based on generally accepted management principles. How to design such a system is not defined, but left to the discretion of individual companies. This allows sufficient scope to reflect specific aspects of each company’s organization and business activities.

So, how can companies best tackle the complex issue of GRC management? How can companies make sure that they are complying with current requirements while remaining sufficiently well equipped and flexible to deal with future demands? How do companies protect the investment in a company-wide GRC management system that will undoubtedly be necessary?

The regulated economic environment represents a new challenge for management. On the one hand, companies do business in a dynamic and complex economic environment that requires fast responses and flexibility but also the maintenance of a consistently high standard of quality. On the other hand, they have to meet the requirements of the regulatory environment, which calls for a very strict procedure so that proof and documentation can be presented in the required manner. Yet even in this regulated economic environment, the constant increase in legal and regulatory requirements makes a dynamic and flexible response to change essential to survival.

Fig. 3: The regulated economic environment as a challenge for management

Business processes must be organized in such a way that they are not only appropriate for the economic environment, but also comply with the requirements of laws, standards and ethical principles. Companies must be able to integrate new regulatory requirements efficiently into corporate processes without obstructing the economic environment. It is precisely this requirement that most companies have to date regarded as a burden.

2.1 Acting, not reacting

IDS Scheer provides a framework for integrating GRC requirements into business processes. According to an IDS survey conducted in 2005, half of those polled saw potential for competitive advantage in an integrated, process-based GRC solution.

IT analysts such as Forrester see an important milestone towards setting up a functioning GRC system in the decision not to react to every law and regulation with independent, stand-alone responses, but to control the GRC management issue centrally and define a company-wide GRC strategy:

“Move compliance from tactical reaction to strategic imperative. Firms can no longer afford to approach compliance as a periodic and tactical project like meeting the Sarbanes-Oxley 404 deadline.”
Forrester, Business Complexity Challenges Compliance, 14 July 2005

Regardless of how reassuring it is to receive Sarbanes-Oxley certification, companies will still be very aware that the next audit date has already been set and that much more is involved than merely complying with the Sarbanes-Oxley Act. This means moving away from one-off actions and adopting a recurring GRC cycle within the company:

“Because the requirement to be compliant with regulations never ends, having a cyclical framework to guide the compliance activity is important.”
Gartner, The IT Executive’s Best Practice Guide to Sarbanes-Oxley, 31 August 2005

Since GRC requirements partially overlap, companies need a comprehensive architecture that covers a wide range of aspects. In terms of software-based solutions, a company must have the ability to implement the requirements of several sets of regulations at the same time. This is precisely why companies should opt for comprehensive and proven standards and then tailor these to meet company-specific requirements.

“Use peer-reviewed, publicly available internal control frameworks [such as COSO and COBIT] to improve corporate and IT governance.”
Gartner, The IT Executive’s Best Practice Guide to Sarbanes-Oxley, 31 August 2005

IT systems can then be implemented that play a critical role in successful and sustained compliance projects by providing the best possible support for meeting the demands placed on companies by the economic and regulatory environment.

“Compliance, corporate governance and public policy issue management will become competitive differentiators dependent on IT in much the same way as is e-business.”
Gartner, The IT Executive’s Best Practice Guide to Sarbanes-Oxley, 31 August 2005

2.2 Integrated GRC architecture

What would the architecture of an integrated GRC system that met the requirements outlined above actually look like?

GRC management is only worthwhile if a company uses the opportunity to optimize and harmonize processes and put in place an efficient organization with clear goals, integrated methods and coordinated system support. Our response to this was to develop a three-tier GRC architecture (see figure 4).

Fig. 4: Integrated GRC architecture

If a strategy is to have any potential for success, it must be geared towards both the regulatory and economic environment of a company. It is therefore important to begin by clarifying which laws, regulations, or standards are relevant for a company and to what extent. In addition, a successful project outcome requires the integration of a GRC organization with clearly defined competencies and tasks (see example in figure 5) into the company’s organizational model.

Fig. 5: Example of a GRC organization

The next step is to define the necessary levels, functions, and inputs/outputs of a GRC system based on standard frameworks such as COSO (Section 1.2.9) or CObIT (Section 1.2.8). This includes identifying the divisions and processes in the company that are affected by the requirements, identifying and evaluating the specific risks within the affected processes and defining and implementing actions / controls to optimize the risk portfolio. Based on this, tests are defined to monitor whether the specified actions / controls are implemented and to verify on a regular basis the effectiveness and design of the control itself. This allows outdated, redundant or inefficient controls to be identified and subsequently optimized or eliminated.

Finally, the GRC organization is supplemented by testing, escalation, and release hierarchies that must be seamlessly integrated into the process to ultimately create complete control system documentation that can be signed off and meets the demands of external auditors.

The lowest level of the GRC architecture relates to operational GRC processes. This is where the testing, documentation, evaluation and reporting are carried out. Furthermore, both internal and external audits can be prepared from these data pools.

IDS Scheer provides its customers with software support for these tasks in the form of the integrated tools and methods of the ARIS Solution for GRC. Another important aspect is the project procedure. IDS Scheer has developed the ARIS Value Engineering consulting approach, which can be used for this purpose.

[Figure: GRC architecture layers. Strategic level: interpretation of legislation and regulations (Regulated Economic Environment: SOX, ICS, etc.; Control Framework: COSO, COBIT, etc.). Business unit level: implementation of frameworks, definition of compliance portfolios, design of method. Operational level: execution (Risk Mgmt. – Audit – Documentation – ICS – IT), utilisation of compliance solution, compliance operations, implementation of solution. Organization: BPM Office (organization & responsibilities, projects, process framework, conventions; BPM Owner, CIO) and CM Office (organization & responsibilities, CM framework, audits / reports, assessments, conventions; CM Owner, CFO), with process owners for the processes and the management + governance processes.]


Fig. 6: ARIS Value Engineering

With ARIS Value Engineering, IDS Scheer provides an innovative procedural model. The individual components of the BPM lifecycle can be combined flexibly rather than sequentially as in a waterfall model. ARIS Value Engineering can be deployed for end-to-end projects, such as the complete rollout of a process-oriented organization or optimizing entire value chains. However, ARIS Value Engineering also offers solutions for specific tasks, such as introducing process controlling or implementing a company-wide GRC system. ARIS Value Engineering is a toolkit consisting of services, methods, tools and know-how.

[Figure: Compliance Management – Roadmap. Strategy: assess compliance situation, assess risk management situation, define business case, define project scope, set up project plan, assess modeling status, set up project contract. Design: define conventions, design compliance workflow, design risk mgmt workflow, define technical infrastructure, define customization requirements, define reports. Implementation: install solution, customize & internal acceptance test, implement compliance workflow, implement risk mgmt workflow, execute modeling, validate & publish data, train users, set up support & maintenance, technical acceptance. Controlling: execute & monitor compliance process, maintain & monitor ARIS Solution for GRC, control service-level agreements, execute project audit.]

2.3 ARIS Solution for GRC – seamless and integrated

The ARIS Solution for GRC covers the entire lifecycle, from identification of the processes that are relevant for risks and the affected items to the definition of risks, design of controls and tests and their implementation and documentation, right through to monitoring and re-testing of the improvement measures.

Fig. 7: ARIS Solution for GRC


ARIS Business Architect

ARIS Business Architect is used to document both the processes and risks and the entire master data for the GRC system (controls, resources, tests, etc.), which can then provide a basis for continuous monitoring of the suitability and effectiveness of internal controls in ARIS Risk & Compliance Manager.

Fig. 8: GRC master data in ARIS Business Architect

A key feature of an effective GRC system is the ability to link processes to risks and controls. This allows a process-oriented risk/control approach, which can be used across all organizational areas within a company. Risks in processes are identified and assigned controls. These controls are, in turn, assigned control tests.

ARIS Risk & Compliance Manager is configured using the following data:

• Documentation of a company's processes, hierarchies, organizational structures, IT systems

• Identification of relevant risks and assignment within the business processes

• Definition and description of risks, including classification, date of the last evaluation, early warning signals and KPIs for risk monitoring with intervention thresholds, control processes, emergency processes, risk owners

• Risk assessment: Risk analysis includes not only the identification of risks, but also the assessment of risks in terms of potential losses. This assessment provides the data necessary for subsequent phases, in particular the planned design of internal controls and risk reporting. Without an assessment of the risks, it is impossible to perform a meaningful cost-benefit analysis for any possible actions, as the costs of risk-reducing actions have to be compared with the potential for mitigating the risk.

• Definition of actions/controls to minimize the risks (assignment of internal controls specifying the control targets and the person responsible for the control). Assignment to the risk that the internal control is designed to prevent, reduce, uncover and correct; link between the control and the components of the COSO Framework.

• Definition of tests to monitor the controls implemented, including all relevant information: who tests what, how often and at what time, to what extent, etc.

This documentation is used to feed data into ARIS Risk & Compliance Manager, which is then the workflow system for operational monitoring of all internal controls.


ARIS Risk & Compliance Manager

As an internal control and monitoring system component, ARIS Risk & Compliance Manager helps companies create an audit-ready control environment with an audit workflow for continuous monitoring and optimization of the risk-based internal control system.

Fig. 9: ARIS Risk & Compliance Manager

Once ARIS Risk & Compliance Manager has automatically synchronized the risk, control and test data from ARIS Business Architect, it performs a test run with a workflow which starts by automatically addressing the people responsible for the test and ends with sign-off and preparation of the data for external audits.

Test workflow

In ARIS Risk & Compliance Manager, all test owners can display an overview of all tests assigned to them and a date by which the tests must be completed. The test workflow system provides testers with all the necessary information, guides them through the test and the associated documentation and triggers necessary follow-up actions depending on the test results.

Fig. 10: List of test cases including results

The control test procedure must follow the "dual purpose test" principle, in which the control must be assessed in terms of both its suitability and its effectiveness. Both results are stored in the ARIS Risk & Compliance Manager database.

During processing, the system documents and logs any additional changes. Tests cannot be changed once they have been closed by the system or the user, thus ensuring that they cannot be manipulated.


Deficiency management – defined change management processes for control system flaws

An escalation process is triggered for all tests not completed on time and thus automatically closed by the system, which ensures that the owner is informed. A deficiency management process is triggered for all tests showing that certain controls are ineffective, which ensures that action is taken to restore the integrity of the internal control system. The system documents and logs all processes so that they can be tracked by management and prepared for an external auditor without a great deal of extra work.
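The test-closure rules described in this and the preceding section (both dual purpose results stored, no changes after closure, automatic closure with escalation when overdue, a deficiency process for ineffective controls), modelled as an added Python example; this is not ARIS code or anything from the paper, and the class names, the change-log format and the sample test records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List, Optional


class Result(Enum):
    PASSED = "passed"
    FAILED = "failed"
    NOT_ASSESSED = "not assessed"


@dataclass
class ControlTest:
    """One control test. Following the dual purpose test principle, suitability
    (design) and effectiveness (operation) are assessed and stored separately."""
    test_id: str
    control_id: str
    owner: str
    due: date
    suitability: Result = Result.NOT_ASSESSED
    effectiveness: Result = Result.NOT_ASSESSED
    closed: bool = False
    closed_by: Optional[str] = None
    log: List[str] = field(default_factory=list)  # change log kept for the auditor

    def record(self, suitability: Result, effectiveness: Result, tester: str) -> None:
        """Record both results; a closed test is frozen and rejects any change."""
        if self.closed:
            self.log.append(f"rejected change by {tester}: test is closed")
            raise PermissionError(f"test {self.test_id} is closed")
        self.suitability, self.effectiveness = suitability, effectiveness
        self.log.append(
            f"{tester} recorded suitability={suitability.value}, "
            f"effectiveness={effectiveness.value}"
        )

    def close(self, by: str) -> List[str]:
        """Close the test and return the follow-up processes it triggers."""
        if self.closed:
            return []
        self.closed, self.closed_by = True, by
        self.log.append(f"closed by {by}")
        actions: List[str] = []
        if by == "system":  # closed automatically because it was overdue
            actions.append(f"ESCALATION: test {self.test_id} overdue, inform owner {self.owner}")
        if Result.FAILED in (self.suitability, self.effectiveness):
            actions.append(f"DEFICIENCY: control {self.control_id} ineffective, start remediation")
        return actions


def run_monitoring(tests: List[ControlTest], today: date) -> List[str]:
    """Periodic run: close every open test past its due date on behalf of the
    system, which triggers the escalation to its owner."""
    actions: List[str] = []
    for test in tests:
        if not test.closed and test.due < today:
            actions.extend(test.close(by="system"))
    return actions


if __name__ == "__main__":
    # Constructed sample records, not data from any real GRC installation.
    t1 = ControlTest("T-001", "C-AP-01", "alice", date(2008, 6, 30))
    t1.record(Result.PASSED, Result.FAILED, tester="bob")
    print(t1.close(by="bob"))                          # deficiency for C-AP-01
    t2 = ControlTest("T-002", "C-AP-02", "carol", date(2008, 6, 15))
    print(run_monitoring([t1, t2], date(2008, 7, 1)))  # escalation for T-002
```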

Sign-off management – organization of release processes

A second instance evaluates all completed tests in terms of their execution and quality. In addition, as preparation for a final check (audit), for example, at the end of the fiscal year, an extra confirmation is performed for individual areas to verify that the internal control system can be regarded as adequate and effective and can therefore be released. ARIS Risk & Compliance Manager provides a workflow-based release process for this.

ARIS Risk & Compliance Manager also offers the option of a release for each financial statement item or process. These various elements can be structured using a hierarchy. After checking and release, all releases for the individual elements are bundled and transferred for release to the next level in the hierarchy, until approval is granted by senior management.

Survey management

The option of performing self-assessments based on integrated questionnaires (e.g. a COSO questionnaire) enables the implementation of appropriate and adequate controls for a risk.

Fig. 11: Example of an ARIS Risk & Compliance Manager questionnaire

ARIS Risk & Compliance Manager provides the functionality to create and manage questionnaires with a very wide range of content. In addition, ARIS Risk & Compliance Manager provides functionalities for conducting surveys and provides support in the form of automatic evaluations and production of customized reports.


Compliance Process Dashboard

ARIS Risk & Compliance Manager features a Web-based Dashboard, with KPIs that provide a quick overview of the status of all GRC activities. For example, the proportion of still open test cases or deficiencies found in a business process can be displayed.

Fig. 12: Example of the evaluation of test cases by type and effect in the Monitoring Dashboard

In addition to this configurable overview, a powerful front-end is provided, in which detailed interactive analysis options are available for the various features (dimensions). This enables the easy compilation of analyses using Drag and Drop, for example, to list the number of deficiencies by region and status.

Process owners and department managers benefit from a detailed, ongoing overview of test activity status, so that internal control system shortcomings can be detected and resolved at an early stage.

For companies seeking to leverage improvement potential and eliminate bottlenecks, Compliance Process Performance Manager provides more in-depth analysis functions, such as structural analysis and automated search functionality (data mining).

Fig. 13: Aggregated process sequence, automatically generated from process instances

In addition, every single test and deficiency process can be analyzed and displayed as a process chain. Aggregated process displays (e.g., an EPC of the test flow in the first quarter) with probabilities and KPIs reveal structural weaknesses in process execution and enable optimization potential to be identified in the compliance processes. The data mining functionality automatically flags up potential weaknesses.


ARIS Business Publisher

Linking the control system to the relevant processes is an essential requirement, which is fulfilled by the ARIS Solution for GRC. All internal controls and associated tests are linked to processes in which risks were identified. Web-based risk portals provide employees with role-based access to the relevant information, allowing them to find all data relating to the required process details, risk data or emergency plans at the click of a mouse.

ARIS Process Risk Scout

ARIS Process Risk Scout supports companies in the fast, effective rollout of a risk management system. This includes a project procedure description in the form of an ARIS Scout Assistant, the ARIS Scout Factory for customization or creation of a company-specific ARIS Scout Assistant, and all components needed to create an ARIS Risk Portal.

Procedural model in the ARIS Scout Assistant

The ARIS Scout Assistant is a detailed procedural model that provides specific instructions to guide companies through the individual phases, work packages and activities in their risk management project. To help you complete the various activities, you will also find relevant checklists, sample forms, reference data and many other helpful tools. All this helps reduce total project runtime, improve communication within the project and assure the quality of results.

Companies can use the integrated ARIS Scout Factory to customize the ARIS Scout Assistant to meet their specific requirements and thus produce a tailored guide for their projects. For example, they can define additional activities or hide existing activities, include their own forms and define owners for individual project phases.

Communication, reporting, and risk monitoring with the ARIS Risk Portal

As a result of the risk analysis, a role- and user-based ARIS Risk Portal is automatically set up from within ARIS. This user portal enables company-wide analysis and communication of the identified risks. Based on the ARIS models and the risk analysis, the ARIS Risk Portal is configured in such a way that each user is shown only the risk information for which they are responsible. In addition to risk and process data, emergency, alternative and control processes that are necessary for maintaining operations are made transparent for all risk owners. Combined with the easy, convenient option of monitoring and reviewing existing risks and identifying new ones, this significantly increases acceptance of the risk management system in all areas of a company.

Employees can also use the ARIS Risk Portal to report back to the relevant risk manager on risks and risk reviews. Risk managers synchronize the risks or the results of a risk review sent back to them with the ARIS database after they have checked the data thoroughly or edited it in the ARIS Risk Portal.

A loss database can be integrated at any time for collecting and evaluating risk events. It is also possible to integrate ARIS Process Performance Manager into the ARIS Risk Portal, so that the key risk indicators for the business processes in a company (e.g. process run times, cancellation or complaint rates) are automatically analyzed. ARIS Process Performance Manager then becomes an automatic early warning system for your process risks. Other risk performance indicators that have to be reported manually can be maintained easily with ARIS Business Optimizer for KIM (Key Indicator Management), even in the largest corporate structures.


2.4 Interaction with other external applications

In addition to ARIS Platform products, other programs and applications can be integrated into the ARIS Solution for GRC to handle additional tasks or act as a data source.

Document management systems

Document management systems (DMS) play an important role in GRC management. Apart from the issue of archiving, conducting test cases may require not only the completion of forms, but also the production of other documents containing detailed information. Documents may also be used for conducting test cases, either as templates or additional documentation. ARIS products can easily be connected to document management systems. This ensures that testers have all the information they need for carrying out tests and auditors have the information they need for tracking conducted tests.

Directory services

Directory services, such as LDAP (Lightweight Directory Access Protocol), are generally used on the Internet and corporate intranets as a central store for user data and to provide applications. ARIS Risk & Compliance Manager supports this standard and thus facilitates central and consolidated user administration and privilege assignment.

Operational systems

Operational systems supply the data to be audited in GRC management. For example, document data can be used as the basis for auditing risk management mechanisms (compliance with the dual control principle, etc.).

Operational systems must also be examined as a cause of risks. System-inherent risks must be described within the GRC solution and suitable control mechanisms (IT controls) must be defined.

In addition, risks and the definition of control structures can be described in operational systems or GRC-related functions may have to be integrated into an overall solution. This information can be transferred via interfaces either as a basis or a result (for example, in terms of automated tests).

Functions such as supplying a random sample suitable for testing can also be integrated into the test process via operational systems. Evaluations of samples taken during the test can in turn provide information about the quality of the test.

Authorization systems

Depending on the configuration in question, role conflicts may arise in operational systems. Functions in which segregation of duties is required may be carried out by the same person in different roles. Authorization systems that provide tools for analyzing and configuring operational systems can supply information about risks in systems that must be taken into consideration in a GRC solution. This information should, in turn, be transferred to the GRC solution.
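The role-conflict analysis described above, as an added Python example that is neither ARIS code nor anything from the paper: it takes a constructed export of role-to-function and user-to-role assignments (all names hypothetical) together with a list of segregation-of-duties rules and reports, per user, the conflicts a GRC solution would take over as system risks, distinguishing a conflict built into a single role from one created by the user's combination of roles.

```python
from typing import Dict, List, Set, Tuple

# (user, function_a, function_b, kind): kind is "role_design" when one role
# alone grants both functions, "assignment" when only the user's combination
# of roles puts both functions in the same hands.
Finding = Tuple[str, str, str, str]


def find_sod_conflicts(
    assignments: Dict[str, Set[str]],
    role_functions: Dict[str, Set[str]],
    sod_rules: List[Tuple[str, str]],
) -> List[Finding]:
    """Report every user who holds both functions of a segregation-of-duties rule."""
    findings: List[Finding] = []
    for user, roles in sorted(assignments.items()):
        via: Dict[str, Set[str]] = {}  # function -> roles that grant it to this user
        for role in roles:
            for fn in role_functions.get(role, set()):
                via.setdefault(fn, set()).add(role)
        for fn_a, fn_b in sod_rules:
            if fn_a in via and fn_b in via:
                kind = "role_design" if via[fn_a] & via[fn_b] else "assignment"
                findings.append((user, fn_a, fn_b, kind))
    return findings


# Constructed sample data standing in for an export from an authorization system.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_APPROVER": {"approve_payment"},
    "TREASURY": {"release_payment"},
    "AUDITOR": {"view_ledger"},
}
SOD_RULES: List[Tuple[str, str]] = [
    ("create_vendor", "enter_invoice"),
    ("enter_invoice", "approve_payment"),
    ("approve_payment", "release_payment"),
]
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "AP_APPROVER"},
    "bob": {"TREASURY", "AUDITOR"},
    "carol": {"AP_APPROVER", "TREASURY"},
}

if __name__ == "__main__":
    for user, fn_a, fn_b, kind in find_sod_conflicts(ASSIGNMENTS, ROLE_FUNCTIONS, SOD_RULES):
        print(f"{user}: {fn_a} + {fn_b} ({kind})")
```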


3 From nightmare to competitive advantage

The ARIS Solution for GRC turns the governance, risk and compliance nightmare (which is viewed by many as merely a cost driver) into an important component of strategic corporate control and a tool for increasing and sustaining a competitive advantage. Optimized and consolidated business processes, transparent corporate structures and an efficient internal control system that can react quickly and flexibly to changing requirements provide management with the assurance that all necessary standards and legal requirements are fulfilled in the company.

IDS Scheer stands for end-to-end professional business process management, from strategy through design and implementation to process control with the highly integrated ARIS Platform tools. With this approach and by linking up with other operational systems (ERP, DMS, MIS), ARIS Risk & Compliance Manager and ARIS Process Performance Manager close the loop - the tools allow operational processes to be monitored and generate timely alerts via their alarm and escalation functions, thus informing the user about weaknesses in the control system and the potential for optimization in the company.

ARIS Risk & Compliance Manager was developed with this focus in mind and is part of a highly integrated solution that, by implementing an end-to-end business process management system, helps companies achieve their business goals and goes above and beyond the issue of GRC.


IDS Scheer AG
Headquarters
Altenkesseler Str. 17
66115 Saarbruecken
Phone: 49 681 210-0
Fax: 49 681 210-1000
E-mail: [email protected]

www.ids-scheer.com

© Copyright IDS Scheer AG, Saarbruecken, 2007. All rights reserved. The contents of this document are subject to copyright. Any changes, modifications, additions or amendments require prior written consent from IDS Scheer AG, Saarbruecken. Reproduction in any form is only permitted on the condition that the copyright notice remains on the actual document. Publication or translation in any form requires prior written consent from IDS Scheer AG, Saarbruecken. "ARIS", "IDS", "ProcessWorld", "PPM", ARIS with Platform symbol and Y symbol are trademarks or registered trademarks of IDS Scheer AG in Germany and in many other countries worldwide. "SAP NetWeaver" is a trademark of SAP AG, Walldorf. All other trademarks are the property of their respective owners.

ID-Number: WP-GRC-0608-E