
IBM OpenPages GRC Platform Version 7.0.0

Operational Risk Management Module Overview

Note: Before using this information and the product it supports, read the information in “Notices” on page 67.

Product Information

This document applies to IBM OpenPages GRC Platform Version 7.0.0 and may also apply to subsequent releases.

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2013.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Document Release and Update Information . . . v

Chapter 1. Introduction . . . 1
    What's New . . . 1
    Object Type Licensing . . . 1
    About IBM Algo FIRST . . . 1

Chapter 2. IBM OpenPages Operational Risk Management module . . . 3
    Loss Events . . . 3
    Risk and Control Self Assessments . . . 5
    Key Risk Indicators . . . 8
    Key Performance Indicators . . . 10
    Scenario Analysis . . . 11
    External Loss Data Analysis . . . 13
    Issue Management and Remediation . . . 13

Chapter 3. Object Types . . . 17
    Object Types Enabled by Default . . . 17
    Object Types Disabled by Default . . . 20
    Subcomponents . . . 21

Chapter 4. Computed fields . . . 23

Chapter 5. Helpers . . . 25
    Scenario Completion helper . . . 25
    KRI Value Creation utility . . . 25
    KPI Value Creation utility . . . 26
    RCSA Completion helper . . . 26
    RCSA Process Alignment helper . . . 26
    RCSA Launch Utility helper . . . 27
    RCSA Site Sync helper . . . 27
    RCSA Helpers Configuration . . . 28

Chapter 6. Notifications . . . 31
    Issue and Action Bulletin notification . . . 31
    KRI Reminder notification . . . 32
    KRI Breach notification . . . 32
    KPI Reminder notification . . . 32
    KPI Breach notification . . . 33

Chapter 7. Reports . . . 35
    ORM-Specific Reports . . . 35
        Loss Event Reports . . . 35
        Issue Management and Remediation reports . . . 35
        Scenario Analysis reports . . . 36
    Reports Shared with Other Modules . . . 36
        Risk Assessment Reports . . . 36
        Risk Reports . . . 37
        Control Reports . . . 38
        Testing Reports . . . 38
        Indicator Reports . . . 38
        Visualization Reports . . . 38

Chapter 8. Triggers . . . 41
    ORM-Specific Triggers . . . 41
        Loss Event Lifecycle triggers . . . 41
    Triggers Shared with Other Modules . . . 44
        Issue Management and Remediation trigger . . . 44
        KRI Lifecycle trigger . . . 44
        KPI Lifecycle trigger . . . 45
        Risk and Control Self-assessments triggers . . . 46
        Visualization triggers . . . 50

Chapter 9. Profiles . . . 51
    OpenPages ORM 7.0.0 Master Profile . . . 51
    ORM Operational Risk Team profile . . . 51
    ORM Business User profile . . . 52
    ORM Simplified User profile . . . 52
    Home Page Filtered Lists . . . 53
    Activity Views . . . 55
    Grid Views . . . 58
    OpenPages FIRST Loss 7.0.0 Profile . . . 59

Chapter 10. Role templates . . . 61

Notices . . . 67

Index . . . 71

iv IBM OpenPages GRC Platform Version 7.0.0: Operational Risk Management Module Overview

Document Release and Update Information

This topic lists information about this document and where updates to this document can be found.

Document Release Information

Software Version: 7.0.0

Document Published: December, 2013

Document Updates

Supplemental documentation is available on the web. Go to the IBM® OpenPages® GRC Platform Information Center (http://pic.dhe.ibm.com/infocenter/op/v7r0m0/index.jsp).


Chapter 1. Introduction

Use this guide with the IBM OpenPages Operational Risk Management module.

Finding information

To find IBM OpenPages GRC Platform product documentation on the web, including all translated documentation, access the IBM OpenPages GRC Platform Information Center (http://pic.dhe.ibm.com/infocenter/op/v7r0m0/index.jsp). Release Notes are published directly to the Information Center, and include links to the latest technotes and APARs.

Accessibility features

Accessibility features help users who have a physical disability, such as restricted mobility or limited vision, to use information technology products.

IBM HTML documentation has accessibility features. PDF documents are supplemental and, as such, include no added accessibility features.

What's New

The following information highlights the major new features and enhancements that were made to the IBM OpenPages Operational Risk Management module.

Enriched ORM Functionality

New workflow, automation, and reports are added to the Operational Risk Management module to provide standard approaches for the following ORM practices:
- Loss Events
- Risk and Control Self Assessment
- Key Risk Indicators
- Key Performance Indicators
- Scenario Analysis
- External Loss Data Analysis
- Issue Management and Remediation

Object Type Licensing

For the IBM OpenPages Operational Risk Management module, you are licensed to use the object types listed in Chapter 3, “Object Types,” on page 17. Use of any other object types is prohibited without prior written approval from IBM.

About IBM Algo FIRST

The IBM Algo FIRST® database is a collection of external, public operational risk loss events in the form of risk case studies.

Algo FIRST events are targeted at the financial sector and contain over 20 years’ worth of events, which have been indexed to 13 keyword hierarchies, including Basel category and business line. Other hierarchies include control factor, event trigger, business unit type, and entity type. Algo FIRST cases include detailed descriptions that break down the event to analyze root cause, identify control breakdowns, lessons learned, management response, and aftermath of the event. Events can also include sections with supporting detail that provide a timeline for the event, relevant information about the institution that it happened to, or other detail about loss impacts.

Most events in Algo FIRST capture quantitative information as well as detailed qualitative analysis. This quantitative information takes the form of loss amounts that are captured at the time of the event.

IBM Algo FIRST offers a subscription to a data add-on refreshed daily with the IBM Algo FIRST database in a format that is compatible with the IBM OpenPages FastMap feature. IBM OpenPages GRC Platform customers can use the IBM Algo FIRST FastMap data add-on to provide end users with access to Algo FIRST case studies within the IBM OpenPages application. After the data is loaded into IBM OpenPages, end users are able to browse and associate Algo FIRST case studies to GRC objects like Scenario Analyses, Risks, and Loss Events. Consult your IBM account representative for details on obtaining the IBM Algo FIRST data add-on for IBM OpenPages.

If you subscribe to the IBM Algo FIRST database service, Algo FIRST provides a compatible FastMap file for a seamless load of Algo FIRST data to the IBM OpenPages Operational Risk Management module.

By default, the IBM OpenPages Operational Risk Management module includes the OpenPages FIRST Loss 7.0.0 profile. Users with this profile can load FIRST Loss data through the IBM OpenPages FastMap feature. For more information about this profile, see “OpenPages FIRST Loss 7.0.0 Profile” on page 59.


Chapter 2. IBM OpenPages Operational Risk Management module

IBM OpenPages Operational Risk Management combines document and process management with a monitoring and decision support system that enables organizations to analyze, manage, and mitigate risk in a simple and efficient manner.

IBM OpenPages Operational Risk Management automates the process of identifying, measuring, and monitoring operational risk. It combines all risk data, including risk and control self assessments, loss events, scenario analysis, external losses, and key risk indicators (KRI), into a single integrated module.

OpenPages Operational Risk Management includes the following key features:
- Loss Events, which include the following activities:
  - Tracking, assessing, and managing both internal and external events that could result in operational loss.
  - Managing multiple impact events and recoveries that are associated with operational losses.
- Risk and Control Self Assessments (RCSA), which include the following activities:
  - Identification, measurement, and mitigation of risks.
  - Testing and documentation of internal controls.
- Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), which can track performance metrics to potentially show the presence or state of a risk condition or trend.
- Scenario Analysis, which is an assessment technique that is used to identify and measure specific kinds of risks, in particular, low frequency, high-severity events.
- External Loss Events, which provide the ability to import loss data from IBM Algo® FIRST, ORX, and ORIC loss databases into OpenPages Operational Risk Management for scenario analysis, benchmarking, and reports generation. You can also export loss data to analytic tools or capital allocation applications.
- Issue Management and Remediation (IMR), which includes the following activities:
  - Issue Creation and Assignment
  - Action Creation and Assignment
  - Remediation Performance
  - Issue closedown
  - Reporting
- Reporting, monitoring, and analytics.

Loss Events

IBM OpenPages Loss Event capability enables the collection, classification, and maintenance of operational risk loss events within the business hierarchy.

It ensures that information about loss events is collected consistently across the organization, the most important data about each Event is entered, and appropriate approval and actions are undertaken. Functions include Data Capture, Approval workflow and notification, Interface with RCSA and Issue & Action Management, and Standardized reporting.

The process for managing Loss Events includes the following three stages:

1. Capture

   Following the identification of a Loss Event, any licensed OpenPages user can add a Loss Event by performing the following actions:
   a. From the menu of the appropriate Business Entity, select Loss Events.
   b. Click Actions > Add a new Loss event.
   c. Complete the form with as much data as is known.
      - Mandatory fields include Description, Event Owner, Discovery Date, Estimated Loss.
      - The Loss Event status field is set to Open.
   d. If known by the Event Owner, Impacts and Recoveries can be added to the Loss Event by clicking Add a new recovery or Add a new Impact from the Actions button on the Loss Event screen.

2. Management and Enrichment

   When a Loss event has been created, it appears on the Loss event owner's home page under the filter My Open Losses. From this filtered list the event owner can update the Event as it moves through its lifecycle. The following enrichment activities are possible:
   a. Create more impacts and recoveries.
   b. Update the Event details.
   c. Update the Event categorizations (Basel Risk Category, Causal category and subcategory, Business line).
   d. Associate the Event to appropriate risks within OpenPages.
   - Management of the Loss Events is aided by an Activity view that allows the user to see and update key fields. The activity view includes the Loss Event, its Impacts, Recoveries, and any associated Issues.
   - Management and enrichment of the Loss event is not restricted to the Loss Event owner and can be done by any user with appropriate access rights.

3. Approval

   As an event reaches the end of its lifecycle, it enters the approval stage. To approve an event, the Event Owner, or other user with the appropriate permissions, saves the Loss Event with the Submit for Approval field set to Yes. This activates the Loss Event Submission trigger, which instructs the program to complete the following actions:
   a. Validate that the data in the Event is complete and accurate. For example, the Event start date is before the Event end date.
   b. Return an error message if there is invalid data.
   c. Check if Gross loss is less than a set auto approval threshold for the Business Entity. The threshold is defined in the object preferences.
   d. If Gross Loss is less than Threshold 1, then the event status is set to Approved and the Event, Impacts, and Recoveries are locked.
   e. If Gross Loss is greater than Threshold 1, then the event status is set to Awaiting Approval, and the approval process continues.


As a Loss Event moves through its lifecycle, a status field monitors its progress. The following statuses are available:

1. Open

   The following information applies to this status:
   - An event is open at the point of first capture within OpenPages.
   - Impacts are added at this stage of the Loss Event cycle.
   - The Loss Event can be reviewed or amended by the Risk Team before it is submitted for approval.
   - Amendments include description, more impacts, and Event categorization.
   - The Event is included in Loss Event Reporting.

2. Awaiting Approval or Awaiting Approval - Level 2

   The following information applies to this status:
   - The Event is displayed on the home page of the appropriate approver.
   - The Event core details are made read only in this state.
   - If Gross Loss is less than Threshold 1, then the approval is automatic.
   - If Gross Loss is greater than Threshold 1, and Threshold 1 is less than Threshold 2, then approval 1 is necessary.
   - If Gross Loss is greater than Threshold 2, then approvals 1 and 2 are required.
   - The Event is included in Loss Event Reporting.

3. Approved

   The following information applies to this status:
   - The Event is finalized.
   - The Event and its associated impact and recovery are locked, unless the event needs to be reopened.
   - The Event can be reopened by a user with the appropriate permissions.
   - The Event is included in Loss Event Reporting.
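The submission trigger and status transitions described above, written out as an added example (not IBM OpenPages code): validation, auto-approval below Threshold 1, one or two approval levels above Threshold 1 and Threshold 2, locking on approval, and reopening. The class and field names are assumptions, and the treatment of an amount exactly equal to a threshold is an assumption the document does not settle.

```python
"""Loss Event submission and approval logic, modelled from this overview.
Added example, not IBM OpenPages code: the decisions of the Loss Event
Submission trigger (validation, auto-approval below Threshold 1, one or
two approval levels above Threshold 1 / Threshold 2) and the locked
Approved state with reopen. Class and field names are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

OPEN = "Open"                                   # statuses named in the document
AWAITING_APPROVAL = "Awaiting Approval"
AWAITING_APPROVAL_L2 = "Awaiting Approval - Level 2"
APPROVED = "Approved"


@dataclass
class EntityPreferences:
    """Auto-approval thresholds held in the Business Entity's object preferences."""
    threshold_1: float
    threshold_2: float


@dataclass
class LossEvent:
    description: str
    event_owner: str
    discovery_date: Optional[date]
    estimated_loss: Optional[float]
    gross_loss: float
    start_date: Optional[date] = None
    end_date: Optional[date] = None
    status: str = OPEN
    locked: bool = False          # Event, Impacts and Recoveries locked once Approved
    core_read_only: bool = False  # core details read only while awaiting approval


def new_event(description, owner, gross_loss, discovery="2013-12-01", start=None, end=None):
    """Constructed sample event; dates are given as ISO strings."""
    def to_date(s):
        return date.fromisoformat(s) if s else None
    return LossEvent(description, owner, to_date(discovery), gross_loss, gross_loss,
                     to_date(start), to_date(end))


def validate(event: LossEvent) -> List[str]:
    """Steps a and b: completeness and consistency checks, returned as messages."""
    errors = []
    for name in ("description", "event_owner", "discovery_date", "estimated_loss"):
        if getattr(event, name) in (None, ""):
            errors.append(f"mandatory field '{name}' is empty")
    if event.start_date and event.end_date and event.start_date > event.end_date:
        errors.append("Event start date must be before Event end date")
    if event.gross_loss < 0:
        errors.append("Gross Loss cannot be negative")
    return errors


def approvals_required(gross_loss: float, prefs: EntityPreferences) -> int:
    """Steps c to e: 0 = auto-approve, 1 = approver 1 only, 2 = approvers 1 and 2.
    An amount exactly equal to a threshold is not covered by the document; this
    example conservatively requires approval (assumption)."""
    if gross_loss < prefs.threshold_1:
        return 0
    return 2 if gross_loss > prefs.threshold_2 else 1


def submit_for_approval(event: LossEvent, prefs: EntityPreferences) -> List[str]:
    """Run the Loss Event Submission trigger; returns errors, empty on success."""
    if event.status != OPEN:
        return [f"event is {event.status}; only Open events can be submitted"]
    errors = validate(event)
    if errors:
        return errors                                     # step b: stays Open
    if approvals_required(event.gross_loss, prefs) == 0:
        event.status, event.locked = APPROVED, True       # step d
    else:
        event.status, event.core_read_only = AWAITING_APPROVAL, True  # step e
    return []


def approve(event: LossEvent, prefs: EntityPreferences) -> str:
    """One approver signs off; a second level is needed above Threshold 2."""
    if event.status == AWAITING_APPROVAL and approvals_required(event.gross_loss, prefs) == 2:
        event.status = AWAITING_APPROVAL_L2
    elif event.status in (AWAITING_APPROVAL, AWAITING_APPROVAL_L2):
        event.status, event.locked, event.core_read_only = APPROVED, True, False
    else:
        raise ValueError(f"event is not awaiting approval: {event.status}")
    return event.status


def reopen(event: LossEvent, has_reopen_permission: bool) -> bool:
    """An Approved event can be reopened only by a suitably permitted user."""
    if event.status != APPROVED or not has_reopen_permission:
        return False
    event.status, event.locked = OPEN, False
    return True
```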

Risk and Control Self Assessments

Risk assessments are often the core processes that an organization uses when determining operational risk.

The following objectives are available:
- Identify, assess, and quantify a risk profile for a business.
- Establish consistency to enable a broad view of risk across an organization.
- Apply structure, definition, and quantification to an organization's tolerance for risk.
- Provide management with information that will result in better decisions.

Risk assessment objects are used to organize the content of a Risk and Control Self Assessment and to manage the work that is associated with the Risk and Control Self Assessment. Risk objects include the following dimensions:
- Inherent and residual measurements
- Qualitative and quantitative assessment
- Risk categorization

By default, the risk categorization is set to use Basel Level 1 and 2 categories.


Within OpenPages, the following cycle of Risk and Control Self Assessments is maintained:
- IBM OpenPages structures Risk and Control Self Assessments along an entity, process, subprocess basis with risks being assessed for each process.
- Each risk is assessed on either a qualitative or quantitative basis. Customers make a decision as to their approach. The choice of assessment approach is a system-wide setting that is defined at installation but can be adjusted later if required.
- Controls are assessed at the same time as risks. Controls are assessed on a qualitative basis and marked as effective or ineffective on a design and operating effectiveness basis.
- Subprocesses can be used to aid in the risk identification activity, but there is no signoff or approval at a subprocess level.
- Approval or review is undertaken on the following basis:
  - The risk owner assesses the risk and controls for their given risks.
  - The process owner will approve or reject each risk and control within their process.
  - The Risk and Control Self Assessments coordinator can approve or reject the signoff that is made by the process owner and finalize the approval of the risk assessment within an entity as a whole.
- The risk assessment object is used to scope and collate appropriate processes for Risk and Control Self Assessments. A new risk assessment object is created for each assessment of a process or a group of processes.

The risk assessment, process, risk, and control objects are all managed through the Risk and Control Self Assessments lifecycle by a series of status fields.

Library Management (Optional)

If the data is available, you can establish a series of process, risk, and control libraries for use in the operational risk cycle. Data can be entered into a suitable spreadsheet and uploaded through FastMap or updated manually by the operational risk team and appropriately privileged administrators. You can synchronize changes made to fields within the library to the instances of the processes, risks, and controls within the business data structure. You work with an IBM OpenPages services team to configure the synchronization utility. You can decide if and when to use the Library Management capability (Phase I, Phase II, near future, or not at all).

Scope or Setup Assessment

The operational risk team applies its internal methods to determine which entities are regarded as in scope for Risk and Control Self Assessments. In scope entities are updated through an Activity view where the user marks an entity as in scope or out of scope for Risk and Control Self Assessments. Other updates can include the name of the Risk and Control Self Assessments coordinator and Risk and Control Self Assessments owner. After the data is updated, the administrator runs the Risk and Control Self Assessments launch utility. The utility performs the following actions:
- Enables the administrator to enter common data across all Risk and Control Self Assessments for that cycle, such as period or year of assessment, start and expected end date, and any instructions that the operational risk team wants to impart to all risk coordinators, such as guidance or instructions.
- Identifies all entities that are marked as in scope.
- Creates a risk assessment object as a child of the in scope entities (status = not started) and populates more data (dates, and so on) to the risk assessment object.
- Emails the Risk and Control Self Assessments coordinator to request that he or she commence the Risk and Control Self Assessments.

Identify or Review

In this stage, the Risk and Control Self Assessments coordinator’s objective is to ensure that the following actions occur:
1. The risk assessment is associated to the correct processes.
2. The process includes the appropriate risks and controls.
3. The risks and controls within OpenPages are documented correctly.

To achieve this objective, the Risk and Control Self Assessments coordinator launches the Risk and Control Self Assessments alignment helper. The helper appears in a window. In addition to the helper screen, the risk coordinator will be supported by reports, including a risk and control matrix report.

At the last step of the helper, the Risk and Control Self Assessments coordinator can choose to start the assessment stage by selecting Yes. The helper then updates the status of the risk assessment and each process, risk, and control to Awaiting Assessment. A batched email is then sent to the risk owners to request them to complete the assessment of each risk.

Assessment

The following methods are used to notify risk owners about their risks:
1. Email (with a link directly to each risk).
2. Homepage Filter (My Risks to Assess).

From the homepage filter, the risk owner can use an activity view to complete the risk assessment.

The activity view shows the risk and the following items:
1. Any associated controls
2. Any associated key risk indicators
3. Any associated loss events
4. Any associated open issues

Each control should be marked as effective or ineffective from both a design and operating effectiveness viewpoint. Risks are evaluated on either a quantitative or qualitative basis. Initially, use a qualitative approach with a risk owner selecting the risk impact and likelihood on a 1-4 scale.

The selection of the number of intervals for the scale is set at installation and is system wide. The range of the intervals is stored on a preference record object and is flexible so that it can be set per business entity. For example, a risk can be given a rating of 3 for impact, which could equate to $2,000,000,000. However, this could map to a risk impact of only 1 on a global scale.


When the risk and its controls have been assessed, the risk owner can submit the risk for approval. The risk is submitted by saving the risk with a submit for approval check box that is set to Yes. An initial validation confirms that all appropriate data fields have been completed on the risk and that all controls have been assessed. If the validation is successful, the status of both the risk and its controls changes to Awaiting Approval.

The risk and control approval trigger checks if all the risks for a process are set to Awaiting Approval. If so, then the trigger sets the process status to Awaiting Approval and the process owner is notified by email and on the Homepage.

Approval

Approval of assessment is made by a process owner, who confirms the assessment of each risk and control, and a Risk and Control Self Assessments coordinator, who confirms the process owner's approval.

From the homepage, the process owner can go to the processes awaiting approval or use the Process Approval Activity view.

From this view, the process owner can review the assessment of each risk and control. Each risk must be approved or rejected. If the process owner chooses to reject the assessment of the risk, then the process owner must complete a rejection comment field. The status of the risk returns to Awaiting Assessment.

If the process owner approves the risk, then when the assessment is saved, the risk and control status is updated to Approved.

A trigger sets the process status to Approved, which confirms that all processes for the assessment are approved. If all processes for an assessment are approved, then the risk assessment status updates to Awaiting Approval.

From the homepage, the Risk and Control Self Assessments coordinator can navigate to the Risk and Control Self Assessments that are awaiting approval and use the risk assessment approval activity view.

From this view, the coordinator can review the assessment of the processes (and their risks) and then finalize the assessment. A trigger will do the following things:
1. Update the risk assessment status to Assessed.
2. Create an evaluation record tree (linked risk assessment evaluation, process evaluation, risk evaluation, and control evaluation records).
3. Populate the assessment date on the evaluation records.

Action

Throughout the Risk and Control Self Assessment cycle, all users can create new or associate existing issues and actions to the process, risk, or control. There is no automated creation of issues or actions; they must be created manually.
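The Assessment and Approval stages above form a status cascade from risk to process to risk assessment. The following added example (not IBM OpenPages code) models that cascade: submission validation, the roll-up triggers, the process owner's approve/reject with a mandatory rejection comment, and the coordinator's finalization that creates the evaluation record tree. Object and field names are assumptions.

```python
"""RCSA status cascade, modelled from the Assessment and Approval stages above.
Added example, not IBM OpenPages code: risk submission validation, roll-up
of risk statuses to the process and the risk assessment, process-owner
approve/reject with a mandatory rejection comment, and the coordinator's
finalization that creates the evaluation record tree. Names are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

AWAITING_ASSESSMENT, AWAITING_APPROVAL = "Awaiting Assessment", "Awaiting Approval"
APPROVED, ASSESSED = "Approved", "Assessed"

@dataclass
class Control:
    name: str
    design_effective: Optional[bool] = None     # assessed on design and
    operating_effective: Optional[bool] = None  # operating effectiveness
    status: str = AWAITING_ASSESSMENT

@dataclass
class Risk:
    name: str
    controls: List[Control]
    impact: Optional[int] = None      # qualitative 1-4 scale
    likelihood: Optional[int] = None
    status: str = AWAITING_ASSESSMENT
    rejection_comment: str = ""

@dataclass
class Process:
    name: str
    risks: List[Risk]
    status: str = AWAITING_ASSESSMENT

@dataclass
class RiskAssessment:
    name: str
    processes: List[Process]
    status: str = AWAITING_ASSESSMENT
    evaluations: List[dict] = field(default_factory=list)

def set_status(risk: Risk, status: str) -> None:
    """A risk and its controls always move together."""
    risk.status = status
    for c in risk.controls:
        c.status = status

def submit_risk(risk: Risk) -> List[str]:
    """Risk owner saves with 'submit for approval' = Yes; returns validation errors."""
    errors = []
    if risk.impact not in range(1, 5) or risk.likelihood not in range(1, 5):
        errors.append(f"{risk.name}: impact and likelihood must be rated 1-4")
    for c in risk.controls:
        if c.design_effective is None or c.operating_effective is None:
            errors.append(f"{risk.name}: control '{c.name}' has not been assessed")
    if not errors:
        set_status(risk, AWAITING_APPROVAL)
    return errors

def roll_up_process(process: Process) -> bool:
    """Risk and control approval trigger: the process awaits approval once every risk does."""
    if process.risks and all(r.status == AWAITING_APPROVAL for r in process.risks):
        process.status = AWAITING_APPROVAL   # process owner notified by email and homepage
        return True
    return False

def review_risk(risk: Risk, approve: bool, comment: str = "") -> List[str]:
    """Process owner approves or rejects one risk; a rejection needs a comment."""
    if risk.status != AWAITING_APPROVAL:
        return [f"{risk.name} is not awaiting approval"]
    if approve:
        set_status(risk, APPROVED)
    elif not comment.strip():
        return [f"{risk.name}: a rejection comment is required"]
    else:
        risk.rejection_comment = comment
        set_status(risk, AWAITING_ASSESSMENT)
    return []

def roll_up_assessment(ra: RiskAssessment) -> bool:
    """Processes with all risks Approved become Approved; all processes Approved -> Awaiting Approval."""
    for p in ra.processes:
        if p.risks and all(r.status == APPROVED for r in p.risks):
            p.status = APPROVED
    if ra.processes and all(p.status == APPROVED for p in ra.processes):
        ra.status = AWAITING_APPROVAL
        return True
    return False

def finalize(ra: RiskAssessment, assessment_date: str) -> dict:
    """Coordinator finalizes: status Assessed plus a linked evaluation record tree."""
    if ra.status != AWAITING_APPROVAL:
        raise ValueError(f"{ra.name} is not awaiting approval")
    ra.status = ASSESSED
    tree = {"risk_assessment": ra.name, "assessment_date": assessment_date, "processes": [
        {"process": p.name, "risks": [{"risk": r.name, "controls": [c.name for c in r.controls]}
                                      for r in p.risks]} for p in ra.processes]}
    ra.evaluations.append(tree)
    return tree
```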

Key Risk Indicators

The main stages within the IBM OpenPages Key Risk Indicator (KRI) lifecycle are: definition, value creation, value capture, and reporting.

KRI Definition

In the definition stage, the risk owner creates a KRI as a child of the appropriate business entity object. The KRI object must have the following data attributes captured:
- Name of the KRI owner (person responsible for defining the KRI value data and approving values if required).
- Name of the KRI capturer (person responsible for collecting values).
- Threshold information (amber and red threshold).
- Frequency of the collection.
- Frequency offset (a numeric value to determine the due date for collection). For example, if the frequency is monthly and the frequency offset is set to 5, then the KRI owner is prompted to enter a KRI value on the fifth day of each month.
- KRI active status (set to Active if values are to be generated).
- KRI value approval required (set to Yes if the entry of the value should be reviewed by the KRI owner).

KRI Value Creation

After the KRI is defined, the system determines if a KRI value is required to be generated, with a KRI value object as a child of the KRI. If the KRI is marked as Active, the KRI helper generates values. If the KRI is marked as Inactive, the utility will not generate a blank value. The value object is initially set up as a placeholder with a status of Awaiting Collection.

The KRI values are created by a system batch job. The batch job creates a KRI value with limited details, such as ID, description, expected capture date, KRI capturer, and KRI owner.

The KRI value creation utility can be run by an administrator if necessary, such as when the automatic scheduled job fails to run.

KRI Value Capture (and optional approval)

The following methods of notification are used to request a KRI value to be entered by the KRI capturer:
1. Weekly email notifications (to request the user to log in to OpenPages).
2. Homepage screen filter that is based on the KRI value status (Awaiting Collection) and the KRI collector (logged in user).

From the homepage filter, the user can select a KRI, which takes the KRI capturer to the KRI entry screen. The entry screen is a single object activity view.

When the user clicks Save, the system looks to see whether the trigger launch conditions have been met. The trigger launches if the KRI Value changes from blank to ‘any value’ and the value date is completed. If the trigger launch conditions are met, then the KRI lifecycle trigger fires. The trigger does the following things:
1. Check if the KRI is set for approval.
   a. If Yes, update the status to Awaiting Approval and complete steps 2, 3, 4, and 6.
   b. If No, update the status from Awaiting Collection to Collected and complete steps 2, 3, 4, and 5.
2. Copy the current threshold information from the KRI to the child KRI value.
3. Compute the breach status.
4. Copy the KRI value, value date, collection status, and breach status to the parent KRI.
5. Email the risk owner if the KRI breach status moves to red from green or amber to inform them of the breach.
6. If status is set to Awaiting Approval, the KRI value appears on the KRI owner's homepage. The KRI owner can approve or reject the value.
   a. If the KRI owner rejects and saves the record, then the KRI value and value date are made blank and the KRI value status is set to Awaiting Collection.
   b. If the KRI owner approves and saves the record, then the collection status changes on the value and on the KRI to Collected.

Note: Approval of KRIs is an optional setting that is determined by the KRI owner at the time of the KRI definition.

KRI Reporting

A selection of KRI reports is available.
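The KRI definition, value creation and lifecycle trigger steps above, written out as an added example (not IBM OpenPages code); the Key Performance Indicators section that follows describes the same trigger for KPIs, so the example serves both. It assumes a monthly collection frequency, that a higher value is worse (amber threshold below red), and that the breach email goes to the risk owner who defined the indicator; the class and field names are assumptions.

```python
"""KRI lifecycle trigger and value creation, modelled from the text above.
Added example, not IBM OpenPages code. Assumptions: monthly collection
frequency only, a higher value is worse (amber threshold below red), and
the breach email goes to the risk owner who defined the KRI."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

AWAITING_COLLECTION = "Awaiting Collection"
AWAITING_APPROVAL = "Awaiting Approval"
COLLECTED = "Collected"


@dataclass
class KRI:
    name: str
    risk_owner: str          # receives breach emails (assumption)
    kri_owner: str           # approves values when approval_required
    capturer: str            # collects values
    amber_threshold: float
    red_threshold: float
    frequency_offset: int    # day of month on which a value is due
    active: bool = True
    approval_required: bool = False
    # fields the trigger copies up from the latest child value
    value: Optional[float] = None
    value_date: Optional[date] = None
    collection_status: str = AWAITING_COLLECTION
    breach_status: str = "green"


@dataclass
class KRIValue:
    kri: KRI
    expected_capture_date: date
    value: Optional[float] = None
    value_date: Optional[date] = None
    status: str = AWAITING_COLLECTION
    amber_threshold: Optional[float] = None
    red_threshold: Optional[float] = None
    breach_status: str = "green"
    emails_sent: List[str] = field(default_factory=list)


def next_due_date(offset: int, today: date) -> date:
    """Monthly frequency: the offset-th day of this month if not yet past, else of next month."""
    if today.day <= offset:
        return today.replace(day=offset)
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return date(year, month, offset)


def create_value(kri: KRI, today: str) -> Optional[KRIValue]:
    """Value creation batch job: a placeholder value is created only for Active KRIs."""
    if not kri.active:
        return None
    return KRIValue(kri, next_due_date(kri.frequency_offset, date.fromisoformat(today)))


def breach_status(value: float, amber: float, red: float) -> str:
    if value >= red:
        return "red"
    return "amber" if value >= amber else "green"


def save_value(val: KRIValue, new_value: Optional[float], new_date: Optional[str]) -> bool:
    """Save from the KRI entry screen. Returns True if the lifecycle trigger fired; it
    fires only when the value changes from blank to a value and the value date is set."""
    fired = val.value is None and new_value is not None and new_date is not None
    val.value = new_value
    val.value_date = date.fromisoformat(new_date) if new_date else None
    if not fired:
        return False
    kri = val.kri
    val.status = AWAITING_APPROVAL if kri.approval_required else COLLECTED           # step 1
    val.amber_threshold, val.red_threshold = kri.amber_threshold, kri.red_threshold  # step 2
    previous = kri.breach_status
    val.breach_status = breach_status(new_value, val.amber_threshold, val.red_threshold)  # step 3
    kri.value, kri.value_date = val.value, val.value_date                             # step 4
    kri.collection_status, kri.breach_status = val.status, val.breach_status
    # step 5 (No-approval path only): email on a move to red from green or amber
    if not kri.approval_required and previous != "red" and val.breach_status == "red":
        val.emails_sent.append(f"to {kri.risk_owner}: {kri.name} moved from {previous} to red")
    return True


def review_value(val: KRIValue, approve: bool) -> str:
    """Step 6: the KRI owner approves or rejects a value that is Awaiting Approval."""
    if val.status != AWAITING_APPROVAL:
        raise ValueError(f"value is {val.status}, not awaiting approval")
    if approve:
        val.status = val.kri.collection_status = COLLECTED
    else:
        val.value = val.value_date = None      # blanked so it can be collected again
        val.status = AWAITING_COLLECTION
    return val.status
```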

Key Performance IndicatorsThere are four main stages within the OpenPages Key Performance Indicator (KPI)lifecycle: definition, value creation, value capture, and reporting.

KPI Definition

In the definition stage, the risk owner creates a KPI as a child of the appropriatebusiness entity object. The KPI object must have the following data attributescaptured:v Name of the KPI owner (person responsible for defining the KPI value data and

approving values if required).v Name of the KPI capturer (person responsible for collecting values).v Threshold information (amber and red threshold).v Frequency of the collection.v Frequency offset (a numeric value to determine the due date for collection). For

example, if the frequency is monthly and the frequency offset is set to 5, thenthe KPI owner is prompted to enter a KPI value on the fifth day of each month.

v KPI active status (set to Active if values are to be generated).v KPI value approval required (set to Yes if the entry of the value should be

reviewed by the KPI owner).

KPI Value Creation

After the KPI is defined, the system determines if a KPI value is required to begenerated a KPI value object as a child of the KPI. If the KPI is marked as Active,the KPI helper generates values. If the KPI is marked as Inactive, the utility willnot generate a blank value. The value object is initially set up as a placeholderwith a status of Awaiting Collection.

The KPI values are created by a system batch job. The batch job creates a KPI value with limited details, such as ID, description, expected capture date, KPI capturer, and KPI owner.


The KPI value creation utility can be run by an administrator if necessary, such as when the automatic scheduled job fails to run.

KPI Value Capture (and optional approval)

The following methods of notification are used to request a KPI value to be entered by the KPI capturer:
1. Weekly email notifications (to request the user to log in to OpenPages).
2. A homepage screen filter based on the KPI value status (Awaiting Collection) and the KPI collector (the logged-in user): the KPI value appears on the user's homepage.

From the homepage filter, the user can select a KPI, which takes the KPI capturer to the KPI entry screen. The entry screen is a single object activity view.

When the user clicks Save, the system looks to see whether the trigger launch conditions have been met. The trigger launches if the KPI Value changes from blank to ‘any value’ and the value date is completed. If the trigger launch conditions are met, then the KPI lifecycle trigger fires. The trigger does the following things:
1. Check if the KPI is set for approval.
   a. If Yes, update the status to Awaiting Approval and complete steps 2, 3, 4, and 6.
   b. If No, update the status from Awaiting Collection to Collected and complete steps 2, 3, 4, and 5.
2. Copy the current threshold information from the KPI to the child KPI value.
3. Compute the breach status.
4. Copy the KPI value, value date, collection status, and breach status to the parent KPI.
5. Email the risk owner if the KPI breach status moves to red from green or amber to inform them of the breach.
6. If status is set to Awaiting Approval, the KPI value appears on the KPI owner's homepage. The KPI owner can approve or reject the value.
   a. If the KPI owner rejects and saves the record, then the KPI value and value date are made blank and the KPI value status is set to Awaiting Collection.
   b. If the KPI owner approves and saves the record, then the collection status changes on the value and on the KPI to Collected.

Note: Approval of KPIs is an optional setting that is determined by the KPI owner at the time of the KPI definition.
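The trigger steps above for a KPI value (and the identical KRI steps earlier in this chapter) as an added, runnable model. This is example code written for this overview, not IBM OpenPages code: the object fields, the owner email address and the assumption that the amber and red thresholds are upper limits are taken from the text or assumed.

```python
"""Model of the KPI/KRI value lifecycle trigger described above.

Added example, not IBM OpenPages code: the object model, the status names and
the assumption that thresholds are upper limits come from the text, not the product API.
"""
from dataclasses import dataclass
from typing import List, Optional

# Status values named on the page.
AWAITING_COLLECTION = "Awaiting Collection"
AWAITING_APPROVAL = "Awaiting Approval"
COLLECTED = "Collected"


@dataclass
class Indicator:
    """Parent KPI (or KRI) as defined by the risk owner."""
    name: str
    owner_email: str
    amber_threshold: float
    red_threshold: float
    approval_required: bool
    value: Optional[float] = None
    value_date: Optional[str] = None
    collection_status: str = AWAITING_COLLECTION
    breach_status: str = "green"


@dataclass
class IndicatorValue:
    """Child value object, created as a placeholder by the batch job."""
    parent: Indicator
    value: Optional[float] = None
    value_date: Optional[str] = None
    status: str = AWAITING_COLLECTION
    amber_threshold: Optional[float] = None
    red_threshold: Optional[float] = None
    breach_status: str = "green"


def compute_breach(value: float, amber: float, red: float) -> str:
    """Assumed semantics: at or above red is red, at or above amber is amber."""
    if value >= red:
        return "red"
    if value >= amber:
        return "amber"
    return "green"


def on_save(rec: IndicatorValue, old_value: Optional[float], mail: List[str]) -> bool:
    """Runs when the capturer clicks Save; returns True if the trigger fired.

    Launch condition from the page: the value changed from blank to any value
    and the value date is completed. Editing an already captured value does not fire.
    """
    if old_value is not None or rec.value is None or not rec.value_date:
        return False
    ind = rec.parent
    # Step 1: approval decides the new status and which later steps run.
    rec.status = AWAITING_APPROVAL if ind.approval_required else COLLECTED
    # Step 2: copy the current thresholds from the parent onto the child value.
    rec.amber_threshold, rec.red_threshold = ind.amber_threshold, ind.red_threshold
    # Step 3: compute the breach status.
    previous = ind.breach_status
    rec.breach_status = compute_breach(rec.value, rec.amber_threshold, rec.red_threshold)
    # Step 4: copy value, date, collection status and breach status to the parent.
    ind.value, ind.value_date = rec.value, rec.value_date
    ind.collection_status, ind.breach_status = rec.status, rec.breach_status
    # Step 5 (no-approval path only): email the owner when the status moves to red.
    if not ind.approval_required and rec.breach_status == "red" and previous != "red":
        mail.append(f"{ind.owner_email}: {ind.name} moved to red ({rec.value})")
    return True


def owner_decision(rec: IndicatorValue, approve: bool) -> None:
    """Step 6: the owner approves or rejects a value that is awaiting approval."""
    if rec.status != AWAITING_APPROVAL:
        raise ValueError("only values awaiting approval can be decided")
    if approve:
        rec.status = COLLECTED
        rec.parent.collection_status = COLLECTED
    else:
        # Rejection blanks the value and date and returns it to collection.
        rec.value = rec.value_date = None
        rec.status = AWAITING_COLLECTION


def demo() -> dict:
    """Constructed walk-through: one KPI without approval, one with approval."""
    mail: List[str] = []
    plain = Indicator("Failed logins", "risk@example.test", 50, 100, approval_required=False)
    v1 = IndicatorValue(plain, value=120, value_date="2013-06-05")
    fired1 = on_save(v1, None, mail)
    gated = Indicator("Patch backlog", "risk@example.test", 10, 20, approval_required=True)
    v2 = IndicatorValue(gated, value=25, value_date="2013-06-05")
    fired2 = on_save(v2, None, mail)
    owner_decision(v2, approve=False)
    return {"fired": (fired1, fired2), "plain": (plain.collection_status, plain.breach_status),
            "mails": len(mail), "rejected": (v2.status, v2.value)}


if __name__ == "__main__":
    print(demo())
```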

KPI Reporting

A selection of KPI reports are available.

Scenario Analysis

Scenarios involve the quantification of significant events that might occur at an organization (impacts and frequencies for potential events).

Scenario analysis provides what-if scenarios related to an organization's losses. It can assess the potential frequency of an event and the potential costs. The intent is to predict the losses that are not included in internal historical data, for example events that are low in frequency but high in severity. Scenario analysis is useful for understanding risk profiles and capital modeling. It can be applied to external data, expert opinion from within the organization, internal data, risk assessments, control evaluations, and so on.

The analysis lends itself to a workshop-based approach; however, it can also be applied by a desk-based or individual subject matter expert who is performing the analysis. Activities that support scenario analysis are performed by the operational risk team.

Scenario analysis can be broken down into the following stages:
1. Scenario Library Population (optional)
2. Scenario Applicability Review
3. Scenario Preparation and Distribution
4. Workshop Performance
5. Reporting

Scenario Library Population (Optional)

To encourage a standardized approach to scenario analysis, it can be beneficial to create a library of prepared templates. The library is a set of scenarios that are pre-populated with basic data. Data that is typically set at the library level includes scenario description, scope, risk categorization, and library ID. When copied from the library, the local business units update the scenario to reflect their scenario specification. Library maintenance is restricted to the operational risk team and administrators, with other users having read-only access to the scenario library.

Scenario Applicability Review

At this stage, the operational risk team will complete the following tasks:
- Review the existing scenarios in place for each business unit (supported by the scenario summary report).
- If coverage gaps exist, copy from the library or create a new scenario to bridge the gap.
- Mark each scenario as applicable or non-applicable through an activity view.
- Set the scenario status to draft.

Scenario Preparation & Distribution

In preparation for the workshop, the operational risk team can update details on the scenario object such as workshop dates. In addition to updating the scenario object, the operational risk team or scenario owner should do the following:
- Associate any pertinent risks or issues to the scenario.
- Run the events by category report and scenario summary reports (preferably as PDF files to distribute to workshop attendees through email).
- Set the scenario status to Awaiting Analysis.

Workshop Performance

At the completion of or during the scenario workshop, the operational risk team or scenario owner updates the scenario findings or outcomes on the scenario object. To finalize the scenario, the owner runs the Scenario Completion Helper. The helper performs basic data validation, creates a scenario results object, populates a key field from the scenario to the scenario results object, and runs and attaches copies of the Events by Category and Scenario Details reports to the scenario result.

Reporting

The following key reports are available for scenario analysis:
1. Scenario Summary
2. Scenario Details
3. Event by Category

External Loss Data Analysis

External loss data is available to organizations from public data sources, such as IBM Algo FIRST, or by joining a consortium of other institutions, where each institution shares its own loss data.

OpenPages functions that support Loss Events include the following:
- Capability to import and store external loss data from multiple sources (Algo FIRST, ORX, ORIC)
- Ability to link pertinent events to Scenarios
- Reporting of Loss Events

External Loss Import

An administrator receives the external loss data from a data supplier and converts the received file into a Fastmap Import file, which is then uploaded through Fastmap.

Note: Depending on the supplier, the file needs some transformation to be imported into OpenPages.

Issue Management and Remediation

The Issue Management and Remediation (IMR) process is an essential component of any risk management program. A sound IMR framework provides awareness, validation, and transparency to the risk management program that it supports.

When successfully implemented, it provides high value with minimal overhead and serves as the underlying stimulus for the continuous improvement of a risk management program. An effective IMR framework documents, monitors, remediates, and audits identified issues.

Issues are items that are deemed as negatively affecting the ability to accurately manage and report risk. They are items that are identified against the documented framework. Issues can be associated to various objects within the framework and commonly have attributes to identify the area of focus, ownership, scheduling, and remediation status. An issue can be associated to multiple parents. For example, if an issue is discovered through the occurrence of a loss event, the issue can be associated to the loss event, the risk that occurred, and any failing controls if documented.

Within IBM OpenPages Operational Risk Management, the IMR process operates in the following key activities:
1. Issue Creation and Assignment
2. Action Creation and Assignment
3. Remediation Performance
4. Issue closedown
5. Reporting

Issue Creation and Assignment

Issues arise as a result of various risk management activities, such as a loss event, KRI threshold breach, or control weakness identification. Throughout these activities, users can create an issue within IBM OpenPages.

Issues are added through the standard user interface; they are not created automatically as a result of a causal factor.

At creation, the issue has a status of open. The creator must enter a value in the current due date field. The first time that you save an issue, the current due date is copied to a read-only field that contains the original due date. When an issue is created, the issue owner (who cannot be the creator) is notified by email.

Action Creation and Assignment

It is the responsibility of the issue owner to establish and record the appropriate actions to resolve the identified issue. Actions are created manually through the standard user interface. The following data is captured on an action item: description, assignee, start date, due date, actual closure date, status (read-only), and comments.

Action assignees are notified that they must complete an action through My Open Action Items or by email.

Remediation Performance

After being notified, the assignee completes the assigned action. Some actions can take time to complete, so the assignee uses the Comment field to track progress.

When the action is complete, the assignee sets the Submit for Closure field to Yes, which copies the issue owner field from the parent issue to the action and sets the action status to Awaiting Approval.

The change of status takes the action to the issue owner's homepage for review and approval.

Issue closedown

The issue owner accesses a list of actions to be approved for closure from the homepage or by email.

If the action is rejected and saved, the status reverts to open and the action returns to the action assignee. If the action is accepted for closure and saved, the action status changes to closed and the field Closure date is populated with the current date.

When actions are completed, the issue owner reviews the issue and updates the status to Closed.

14 IBM OpenPages GRC Platform Version 7.0.0: Operational Risk Management Module Overview

Reporting

A selection of issue and action reports is available to all users. In addition, all email notifications are included in a consolidated issue and action bulletin to users, including the following information:
- Issues assigned to the recipient in the past X days.
- Actions assigned to the recipient in the past X days.
- Issues due for closure in the next X days.
- Actions due for closure in the next X days.
- Overdue issues.
- Overdue actions.
- Actions awaiting closure approval.


Chapter 3. Object Types

The IBM OpenPages Operational Risk Management module includes various object types, which are enabled or disabled by default, and subcomponents.

Object Types Enabled by Default

The following object types are available in the default IBM OpenPages Operational Risk Management configuration and are enabled by default.

Table 1. Object types enabled by default (object type label: description)

Business Entity: Business entities are abstract representations of your business structure. A Business Entity object type can contain Sub-Entity objects (such as departments, business units, geographic locations). The entity structure that you create depends on your business needs. For example, you could create a parent entity for your business headquarters then a subentity for each location or department. You can also represent both a legal entity structure and a business entity structure.
    Business Entities are also used to organize library data such as risk and control libraries, or regulatory content (for example, laws, regulations, and standards).
    When you set up the Business Entity hierarchy, you should work with your IBM consultant as the structure of your business entities will greatly impact the type and quality of the information that can be extracted from the application.

Process: Processes represent the major end-to-end business activities within a business entity that are subject to risk. The processes will typically reside in areas such as financial reporting, compliance, and information security.

Sub-Process: A Sub-Process is a component of a Process. It is used to divide processes into smaller units for assessment purposes.

Risk: Risks are potential liabilities. Risks can be associated with, for example, business processes, business entities, or compliance with a particular mandate. Each risk has one or more controls that are associated with it. Controls provide safeguards against the risk and help mitigate any consequences that may result from the risk. You can use the Risk object to categorize risks; capture the frequency, rating, and severity of inherent and residual risk data; and view reports that help identify your top risk items.

Control: Controls are typically policies and procedures (procedures are actions that implement the policies) to help ensure that risk mitigation responses are carried out.
    After you identify the risks in your practices, you need to establish controls (such as approvals, authorizations, verifications) that remove, limit, or transfer these risks.
    Controls should be designed to provide either prevention or detection of risks. Controls are usually associated with tests that ensure a control is effective.


Test Plan: You can determine the operating effectiveness of a control by conducting one or more detailed tests of a control and then documenting the results. Test Plans are descriptions of the mechanisms that are used to determine whether a control is effective.

Test Result: A Test Result is the information that is obtained from running a Test Plan.

Risk Assessment: Risk assessments give you the ability to evaluate and report on potential liabilities for a set of business entities or processes. You can use the Risk Assessment object to manage your risk self-assessment process. The Risk Assessment object contains the names of the assessor and reviewer, the time frames for the assessment, and the status of the assessment.

Scenario Analysis: Scenario Analysis is an assessment technique that is used to identify and measure specific kinds of risks, in particular, low-frequency, high-impact events such as earthquakes, recessions, or power grid failures.

ORX Loss: ORX Loss objects can be imported from the ORX external loss database, for use with scenario analysis, benchmarking and reports generation, and to export loss data to analytic tools or capital allocation applications.

ORIC Loss: ORIC Loss objects can be imported from the ORIC external loss database for use with scenario analysis, benchmarking and reports generation, and to export loss data to analytic tools or capital allocation applications.

FIRST Loss: FIRST Loss objects can be imported from the IBM Algo FIRST external loss database, for use with scenario analysis, benchmarking and reports generation, and to export loss data to analytic tools or capital allocation applications.

Loss Event: Loss Events are used to track operational losses that may occur in any part of an organization. Loss Events are typically stored under the Business Entity where the loss occurred. The Loss Event objects are used to track, assess, and manage the related internal loss data. You can add multiple impacts and recoveries for each Loss Event by using the Loss Impact and Loss Recovery objects.

Loss Impact: A loss impact is a financial or non-financial consequence that results from a loss event. Loss Impacts track different types of impacts that are triggered by a Loss Event, such as legal liability, asset loss and damage, or business interruption. There can be multiple Loss Impacts associated with each Loss Event.

Loss Recovery: Loss Recovery objects are used to track the processes that are associated with recouping damages that result from Loss Events.

KPI, KPI Value: KPIs are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KPI within the organization can have unique target and threshold limits.

KRI, KRI Value: KRIs are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KRI within the organization can have unique target and threshold limits.


Signature: A Signature generally indicates agreement that the object meets your approval. It has no enforcement powers and does not prevent the item from being modified after approval is given. An object with a signature has a signature icon next to the signer's name on the Signatures tab.
    Depending on your system configuration, signatures (with or without associated locks) can be applied to an object in the following ways:
    - Manually from the detail page of an object.
    - Automatically through a workflow task.
    - A combination of both automatic and manual.
    If signature locks are configured on your system, when you sign off on an object, the object and all its associated child objects are locked and cannot be modified until you either revoke your signature or an administrator unlocks the object.

Issue, Action Item: Although issues typically result from areas where internal controls are not properly implemented or designed, you can use the Issue object to document a concern that is associated with any object type.
    An issue is resolved through one or more Action Items. You can use an Action Item object or a series of related Action Item objects to form an action plan. Each Action Item can be assigned to a user for resolution, and progress can be tracked from the detail page of the parent Issue. Once all Action Items for an Issue are complete (an assignee sets the value to 100%), you can close the Issue.

File: The File object type is used to embed a reference to a file (such as a document, flow chart or spreadsheet) in the OpenPages system, and associate it to one or more relevant objects.

Link: The Link object type is used to embed a reference to a URL in the OpenPages system and associate it to one or more relevant objects.

Preference Group, Preference: The Preference Group object is used for grouping Preference object instances together. Without this grouping object, each Preference object instance would need to be associated separately to each of the relevant Business Entities. The group object helps to minimize the associated maintenance.
    The Preference object type is a child of Business Entity, and is used for holding variable values that can drive reports, workflows, and computed fields. The Preference object has entity-specific variable values that enable different behavior for the same workflows, such as to determine the behavior for review and approval workflows. That is, who the appropriate users are for each level of review and approval, and what the thresholds are for determining how many levels of review and approval are required.


Process Diagram: A Process Diagram is a child object of the Process and can have many diagrams per process. It is used to store the sequence of sub-processes or activities within a process with associated Risks and Controls along with any annotations such as decision nodes. All attributes of the Business Process visualization are stored in the Process Diagram object.

Risk Eval: Risk Eval (Evaluation) object types are children of Risk objects and are used to capture risk measurement values for trending purposes. When the reporting periods do not align with the risk evaluation cycles, you can use Risk Eval objects to capture multiple evaluation cycles within a single reporting period.

Control Eval: Control Eval (Evaluation) objects are similar to Risk Evaluation objects except that they are instantiated as children of Controls. They store control assessment data.

Risk Assessment Eval: Risk Assessment Eval (Evaluation) objects are similar to Risk Evaluation objects except that they are instantiated as children of Risk Assessments. They store risk assessment data.

Process Eval: Process Eval (Evaluation) objects are children of Process objects and they are used to capture process measurement values for trending purposes.
    When the reporting periods do not align with the evaluation cycles, you can use Process Eval objects to capture multiple evaluation cycles within a single reporting period.

Scenario Result: Scenario Result objects are children of Scenario Analysis objects and they are used to capture the results of Scenario Analysis workshops for comparison and trending purposes.

Data Input, Data Output: The Data Input Object and Data Output Object are child objects of the Process and can have associations only to existing Risks. They represent elements of a flow to depict an Input into the Business Flow or an Output from various activities within a process, such as running a report, updating a CRM system, or getting an external data source feed.

Object Types Disabled by Default

The following object types are available in the IBM OpenPages Operational Risk Management configuration and are disabled by default.

Table 2. Object types disabled by default (object type label: description)

Questionnaire, Section, Question: Questionnaire, Section, and Question are three objects that are used together to implement questionnaires.


Milestone, Milestone Action Item: A Milestone represents a significant point in the development of your project. You can tie Milestones to specific dates, or use them to signify the completion of a portion of the entire project. Milestones can contain other Milestones or Milestone Action Items. You cannot associate a Milestone with other objects in the object hierarchy.
    A Milestone Action Item object type is a specific objective that must be completed to reach a milestone. In general, all Milestone Action Item objects that are associated with a Milestone object must be completed to reach a milestone. When you are assigned a Milestone Action Item object, it is displayed (if configured) in the My Milestone Action Items section of your My Work tab.

Control Objective: A Control Objective is an assessment object type that helps define the risk categories for a Process or Sub-Process object. For each Process or Sub-Process object, an organization sets the control objectives.
    Control objectives define the COSO compliance categories that the controls associated with the risks are intended to mitigate. For example, Control Objective objects can be classified into one or more categories such as Compliance, Financial Reporting, Strategic, Operations, or Unknown.
    Once a control objective is identified, the Risk objects associated to a Control Objective object can then be identified and defined. In most cases, each Control Objective object has one Risk object that is associated with it. However, Control Objectives can have more than one Risk that is associated with them, so they are separated into their own object type.

Cost Center: Cost Center object types are used to group loss events under a business entity. In many cases, companies want to track where loss events occur at a fine granularity (that is, cost center level) but do not want to represent all of the organizational layers as business entities.

Subcomponents

IBM OpenPages GRC Platform modules consist of several subcomponents, which are groups of object types that support a logical function within a module. The following tables list the subcomponents for the IBM OpenPages Operational Risk Management module.

Table 3. Subcomponents shared with other modules (subcomponent: object types)

Organization: Business Entity
Preference: Preference Group, Preference
Risk Assessment: Risk Assessment, Risk Assessment Eval
Process: Process, Process Eval, Sub-Process, Control Objective
Risk: Risk, Risk Eval
Control: Control, Control Eval
Test: Test Plan, Test Result


Issue: Issue, Action Item
Questionnaire: Questionnaire, Section, Question
Milestone: Milestone, Milestone Action Item
KRI: KRI, KRI Value
KPI: KPI, KPI Value
Visualization: Process Diagram, Data Input, Data Output

Table 4. ORM-specific subcomponents (subcomponent: object types)

Scenario Analysis: Scenario Analysis, Scenario Result
External Loss: ORX Loss, ORIC Loss, FIRST Loss
Loss Event: Loss Event, Loss Impact, Loss Recovery, Cost Center

In addition to the subcomponents listed in the tables, the following object types are included in each module and can be accessed by any authorized user:
- Signature
- File
- Link


Chapter 4. Computed fields

By default, the IBM OpenPages Operational Risk Management module includes computed fields. Computed fields can contain data types such as Boolean, date, decimal, integer, and simple strings.

The following are computed fields that are associated with Helpers:
- RCSA Process Alignment Helper: the computed field, which is available from the Risk Assessment Detail page, contains the URL that starts the helper.
- RCSA Completion Helper: the computed field, which is available from the Risk Assessment Detail page, contains the URL that starts the helper.
- Scenario Completion Helper: the computed field, which is available from the Scenario Detail page, contains the URL that starts the helper. The Scenario Owner or the IBM OpenPages Risk team can manually start the helper when the scenario analysis is complete.


Chapter 5. Helpers

The IBM OpenPages Operational Risk Management module provides Helpers to assist owners or coordinators in various stages of core processes, such as in Risk and Control Assessments and Key Risk Indicators (KRI).

Helpers can assist coordinators with identifying and reviewing a risk profile or ensuring that a process includes the appropriate risks and controls. Helpers can also help identify any KRIs that must be collected in a specified time frame.

Scenario Completion helper

When the Scenario Workshop is complete, the Operational risk team or the Scenario Owner updates the Scenario outcomes on the Scenario Object. To finalize the Scenario, the Owner runs the Scenario Completion Helper.

As facilitators of the Scenario Analysis process, the Operational Risk Team completes most of the activities in IBM OpenPages. The helper completes the following steps in the process:
1. Validates data.
2. Creates a Scenario Results object.
3. Populates Scenario Result fields from the Scenario Analysis.
4. Runs the Scenario Result Detail report and attaches it to the Scenario result.

KRI Value Creation utility

After the Key Risk Indicator (KRI) is defined, the KRI Value Creation utility determines whether it must generate a KRI Value object as a child of the KRI.

The KRI Value Creation utility generates blank KRI Value objects that must be captured in the following week. The utility is started as a weekly task that is scheduled to run overnight. However, an administrator can manually start it if the scheduled task does not start automatically.

The utility reviews the KRIs and identifies any KRIs that are due for collection in the next seven days. The KRIs are identified based on the KRI Frequency and the Frequency Offset data values. If the KRI is marked as Active, the KRI Value Creation utility generates a child KRI value and populates the value with the following data:
- ID
- Description, which is based on the parent KRI
- KRI owner, which is based on the parent KRI. The owner is the user who records the KRI value in the IBM OpenPages system.
- Expected capture date. This date is a read-only field and is based on the Frequency and Frequency Offset values.
- Status of KRI Value, which is set to Awaiting Collection.

If the KRI is marked as Inactive, the utility does not generate a blank value. The value object is initially set up as a placeholder with a status of Awaiting Collection.


KPI Value Creation utility

After the KPI is defined, the IBM OpenPages Helper function determines whether it must generate a KPI Value object as a child of the KPI.

The KPI Value Creation utility generates blank KPI Value objects that must be captured in the following week. The utility is started as a weekly task that is scheduled to run overnight. However, an administrator can manually start it if the scheduled task does not start automatically.

The utility reviews the KPIs and identifies any KPIs that are due for collection in the next seven days. The KPIs are identified based on the KPI Frequency and the Frequency Offset data values. If the KPI is marked as Active, the KPI Value Creation utility generates a child KPI value and populates the value with the following data:
- ID
- Description, which is based on the parent KPI
- KPI owner, which is based on the parent KPI. The owner is the user who records the KPI value in the IBM OpenPages system.
- Expected capture date. This date is a read-only field, which is based on the Frequency and Frequency Offset values.
- Status of KPI Value, which is set to Awaiting Collection.

If the KPI is marked as Inactive, the utility does not generate a blank value. The value object is initially set up as a placeholder with a status of Awaiting Collection.
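The KRI and KPI Value Creation utilities described above, modelled as an added example (not IBM OpenPages code). It assumes a Frequency set of Monthly and Weekly, takes the monthly offset as the day of the month per the chapter 2 example (offset 5 means the fifth day), and treats the weekly offset as an ISO weekday (1 = Monday), which the page does not define.

```python
"""Model of the KRI/KPI Value Creation utility described above.

Added example, not IBM OpenPages code. Assumptions: Frequency is "Monthly" or
"Weekly"; for Monthly the Frequency Offset is the day of the month (page example:
offset 5 = fifth day); for Weekly it is the ISO weekday (1 = Monday), not defined by the page.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass
class Indicator:
    """Parent KPI or KRI as defined by the risk owner."""
    indicator_id: str
    description: str
    owner: str
    frequency: str
    frequency_offset: int
    active: bool


@dataclass
class IndicatorValue:
    """Blank child value: limited details only, status Awaiting Collection."""
    value_id: str
    description: str
    owner: str
    expected_capture_date: date  # read-only, derived from Frequency and Offset
    status: str = "Awaiting Collection"


def next_due_date(ind: Indicator, run_date: date) -> date:
    """Earliest collection date on or after run_date."""
    if ind.frequency == "Monthly":
        year, month = run_date.year, run_date.month
        while True:
            # Clamp the offset to the month length (offset 31 in June -> 30 June).
            day = min(ind.frequency_offset, calendar.monthrange(year, month)[1])
            candidate = date(year, month, day)
            if candidate >= run_date:
                return candidate
            year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    if ind.frequency == "Weekly":
        return run_date + timedelta(days=(ind.frequency_offset - run_date.isoweekday()) % 7)
    raise ValueError(f"unsupported frequency: {ind.frequency!r}")


def next_due_iso(ind: Indicator, run_iso: str) -> str:
    """String wrapper around next_due_date for quick checks."""
    return next_due_date(ind, date.fromisoformat(run_iso)).isoformat()


def create_values(indicators: List[Indicator], run_date: date,
                  window_days: int = 7) -> List[IndicatorValue]:
    """Weekly overnight batch: placeholder values for active indicators due within the window."""
    created: List[IndicatorValue] = []
    for ind in indicators:
        if not ind.active:
            continue  # inactive indicators get no blank value
        due = next_due_date(ind, run_date)
        if due <= run_date + timedelta(days=window_days):
            created.append(IndicatorValue(
                value_id=f"{ind.indicator_id}-{due.isoformat()}",
                description=ind.description,
                owner=ind.owner,
                expected_capture_date=due,
            ))
    return created


# Constructed sample data; the run date 2013-06-01 used below is a Saturday.
SAMPLE = [
    Indicator("KPI-001", "Failed logins per month", "alice", "Monthly", 5, True),
    Indicator("KPI-002", "Open critical patches", "bob", "Weekly", 1, True),
    Indicator("KPI-003", "Retired indicator", "carol", "Monthly", 5, False),
    Indicator("KPI-004", "Privileged account reviews", "dave", "Monthly", 20, True),
]


def demo() -> List[IndicatorValue]:
    """Values the batch would create on the sample run date."""
    return create_values(SAMPLE, date(2013, 6, 1))


if __name__ == "__main__":
    for v in demo():
        print(v.value_id, v.owner, v.expected_capture_date, v.status)
```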

RCSA Completion helper

The RCSA Completion helper allows the RCSA Coordinator to complete the Risk Assessment and create an evaluation tree for historical referencing.

The RCSA Coordinators receive a message that asks whether they want to proceed. When the coordinator confirms the message, the helper completes the following actions:
1. Sets the Risk Assessment status field to Approved.
2. Creates the following linked structure for the child Evaluation record:
   - Risk Assessment Evaluation
   - Process Evaluation
   - Risk Evaluation
   - Control Evaluation
3. Copies key data to the new Evaluation records and makes secondary associations. You must specify which fields to copy (Settings menu).

RCSA Process Alignment helper

The RCSA Process Alignment helper allows the RCSA Coordinator to review the associated Processes, Risks, and Controls, and create further associations. The helper also sets the Processes, Risks, and Controls to a status of Awaiting Assessment.

When the RCSA coordinator wants to begin the RCSA cycle, the coordinator can start the helper from a URL link on the Risk Assessment Detail Page.

The task-driven helper completes the following actions when it is started:
1. Adds or removes Processes, Risks, and Controls.
2. Reviews Process, Risk, and Control Ownership.
3. Asks if the RCSA Coordinator wants to start the Assessment.
   - If Yes, the helper continues with the following processes:
     - Sets all Risks and Controls to Awaiting Assessment.
     - Sets the Submit for Approval field on the Risk object to No.
     - Sets the Approve/Reject field on the Risk object to a blank value.
     - Sets the Rejection Comments field on the Risk object to a blank value.
   - If No, saves and closes the Assessment.

RCSA Launch Utility helper

The RCSA Launch Utility helper generates Risk Assessment objects for in-scope entities.

The Launch Utility helper assists the administrator with starting the RCSA process in the following ways:
1. Creates a Risk Assessment under the Business Entity and associates all processes that are under that Business Entity to the Risk Assessment.
2. Asks for Risk Assessment details. The administrator must provide values to fields on all generated Risk Assessments, such as Start Date, End Date, and Instructions / Guidance.
3. Identifies all in-scope entities.
4. Generates a Risk Assessment object for all in-scope entities.
5. Populates the Risk Assessment object with the values provided in step 1.
6. Sets the Risk Assessment status to Not Started and populates the RCSA Administrator field with the appropriate user name.
7. Sends the RCSA coordinator an email that informs the coordinator that the RCSA cycle can start. The administrator can specify the content of the email through the Settings page. The Risk Coordinator email uses information from the nearest Preference record that has the specified RCSA Coordinator.

RCSA Site Sync helper

The RCSA Site Sync helper synchronizes Business instances of object data with values in a Library data structure.

When the helper starts, it identifies all changes to the Master/Library object. The helper uses a Library reference field as a common key and synchronizes all local instances of the object with the Master.

The following steps are required to execute the RCSA Site Sync helper:

1. Specify the source entity library where master objects are available, for example, /RCSA Library.
2. Specify the target entity to sync, for example, /Global Financial Services//North America/Retail Banking.


3. Select the objects to sync from the list.
4. Set the Sync On field to Name.
5. In the Library ID field, list the fields to sync on, using the following syntax: field group.field name. For example, use the definition OPSS-Process.Additional Description.
6. In the Properties field, list the fields to be synced from the source in the following syntax: field group.field name. For example, use the definition OPSS-Process.Additional Description.

RCSA Helpers Configuration

If you are using the RCSA business process, the administrator must configure RCSA after you install the IBM OpenPages GRC Modules.

Data

The RCSA Process Alignment helper and the RCSA Site Sync helper require the use of library and staging hierarchies.

Library Hierarchy
   To have the full functionality of the RCSA helper, you must create a library hierarchy.

   The Library root object is a business entity and the structure contains the common business Processes, Risks, and Controls that are to be used in the RCSA process.

   For example: Library Entity: /RCSA Library

Staging Hierarchy
   To have the full functionality of the RCSA Helpers, you must create a staging hierarchy.

   The Staging root object is a business entity and the structure contains a staging process and risk. The hierarchy is used to store the processes, risks, and controls that are removed from the business as part of the RCSA process.

   An example of a staging Entity: /RCSA Staging Hierarchy
   An example of a staging Process: /RCSA Staging Hierarchy/Staging Process
   An example of a staging Risk: /RCSA Staging Hierarchy/Staging Risk

To create these hierarchies, load them by using the Fast Map template that is supplied with the installation.

Complete the following procedure to create these hierarchies:

1. Click Reporting > Fast Map > Fast Map Import.
2. On the Modules Media, browse to optional\RCSA_Staging_Data.
3. Select RCSA-PAHelper-Staging-Data.xls.
4. Click Import Data.

Settings

The Library and Staging areas have corresponding settings that you must configure for the RCSA Helpers to register the structures.


To configure these settings:

1. Log in as an administrator.
2. Click Administration > Settings.
3. Expand the options for the following entries and set the values to the staging hierarchy that you created.
   • COMMON
   • RCSA PROCESS ALIGNMENT HELPER
   • RCSA SITESYNC
   • RCSA TRIGGERS

Common

/OpenPages/Solutions/ORM/Common/Library Path
   This value must be set to the root Library entity object, for example, /RCSA Library.
   Used for the RCSA Site Sync helper and the RCSA Process Alignment Helper.

RCSA Process Alignment Helper

/OpenPages/Solutions/ORM/Helpers/RCSA/Alignment/Removed Control Path
   Used by the Process Alignment Helper for storing removed Controls. This value must be a path to a Risk in the system, for example, /RCSA Staging Hierarchy/Staging Risk.

/OpenPages/Solutions/ORM/Helpers/RCSA/Removed Process Path
   Used by the Process Alignment Helper for storing removed Processes. This value must be a path to an Entity in the system, for example, /RCSA Staging Hierarchy.

/OpenPages/Solutions/ORM/Helpers/RCSA/Removed Risk Path
   Used by the Process Alignment Helper for storing removed Risks. This value must be a path to a Process in the system, for example, /RCSA Staging Hierarchy/Staging Process.

RCSA Site Sync Helper

/OpenPages/Solutions/ORM/Helpers/RCSA/SiteSync/Exclude object
   Used by the RCSA Site Sync helper to exclude the objects that are not required to be synced.

/OpenPages/Solutions/ORM/Helpers/RCSA/SiteSync/Standalone offset
   Used by the RCSA Site Sync helper to look back a number of days. For example, 1 is yesterday.

/OpenPages/Solutions/ORM/Helpers/RCSA/SiteSync/Standalone target entity
   Used by the RCSA Site Sync helper as the root Organizational Hierarchy, for example, /BANK ORG.


Chapter 6. Notifications

Notifications are email notifications sent to owners of a process as a reminder to act. These notifications can occur at different stages of a process or as a final step in a trigger.

All notifications that are sent from IBM OpenPages ORM use the following sender address. Configure the email address and server settings:

• /OpenPages/Solutions/ORM/Email/From Email - the sender address that is used to send notifications
• /OpenPages/Solutions/ORM/Email/From Name - configure this item to identify the email sender name that is used by notifications
• /OpenPages/Common/Email/Mail Server - configure this item to identify the email server that is used to send notifications

"Notifications are part of the KRI lifecycle, the KPI lifecycle, and the IssueManagement and Remediation process.

Issue and Action Bulletin notification

During the closedown phase of the Issue Management and Remediation (IMR) process, an Issue and Action Bulletin is sent as an email notification to the users. The bulletin highlights important areas such as overdue issues and Actions that are due for closure. The administrator can set the frequency of this notification by using the Issue Management and Remediation (IMR) bulletin.

When the Issue is defined, its status is Open and the user must enter a value in the Current due date field. The due date is copied to a read-only field that contains the original due date. When the user creates an Issue, the Issue Owner (who might not be the same person who created the Issue) receives an email notification.

The Issue Owner must record the appropriate actions to resolve an identified Issue. The following data is captured in an Action Item:

• Description
• Assignee
• Start Date
• Due Date
• Actual Closure date
• Status (Read Only)
• A comment field to record the latest updates

The Issue Owner receives an email that summarizes the Actions that must be approved for closure. The owner can either Accept Closure or Reject Closure. When Actions are completed, the Issue Owner must review the Issue and update the status to Closed. If any child actions are Open or Awaiting Approval, the Issue Owner cannot close the issue.

Users receive email notifications through the consolidated Issue and Action bulletins. The bulletin consolidates the following information in an email:


• Issues Assigned to the recipient in the past number of days
• Actions Assigned to the recipient in the past number of days
• Issues due for Closure in the next number of days
• Actions due for Closure in the next number of days
• Overdue Issues
• Overdue Actions
• Actions awaiting closure approval
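How the seven bulletin sections are assembled for one recipient, as an added Python example that is not IBM's code. The Item shape, the seven-day look-back and look-ahead windows, and the sample Issues and Actions are assumptions; the sections themselves are the ones listed above.

```python
"""Issue and Action Bulletin assembly (added example, not IBM OpenPages code).
The Item shape, the window lengths and the sample records are assumptions;
the seven sections are the ones the bulletin consolidates."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Item:
    kind: str            # "Issue" or "Action"
    item_id: str
    recipient: str       # Issue Owner, or Action Assignee
    assigned: date       # date the item was assigned to the recipient
    due: date            # Current due date
    status: str          # "Open", "Awaiting Approval" or "Closed"


def build_bulletin(items, recipient, today, lookback_days=7, lookahead_days=7):
    """Return {section: sorted item ids} for one recipient. Closed items never
    appear; an item may appear in more than one section (for example an
    overdue Action that is also awaiting closure approval)."""
    past = today - timedelta(days=lookback_days)
    ahead = today + timedelta(days=lookahead_days)
    mine = [i for i in items if i.recipient == recipient and i.status != "Closed"]

    def ids(kind, keep):
        return sorted(i.item_id for i in mine if i.kind == kind and keep(i))

    return {
        "issues_assigned": ids("Issue", lambda i: past <= i.assigned <= today),
        "actions_assigned": ids("Action", lambda i: past <= i.assigned <= today),
        "issues_due": ids("Issue", lambda i: today <= i.due <= ahead),
        "actions_due": ids("Action", lambda i: today <= i.due <= ahead),
        "overdue_issues": ids("Issue", lambda i: i.due < today),
        "overdue_actions": ids("Action", lambda i: i.due < today),
        "actions_awaiting_approval": ids("Action", lambda i: i.status == "Awaiting Approval"),
    }


# Constructed sample data; "today" is fixed so the result is reproducible.
TODAY = date(2013, 6, 14)
SAMPLE = [
    Item("Issue", "I-1", "alice", date(2013, 6, 12), date(2013, 6, 30), "Open"),
    Item("Issue", "I-2", "alice", date(2013, 5, 1), date(2013, 6, 10), "Open"),
    Item("Issue", "I-3", "bob", date(2013, 6, 13), date(2013, 6, 18), "Open"),
    Item("Action", "A-1", "alice", date(2013, 6, 1), date(2013, 6, 16), "Open"),
    Item("Action", "A-2", "alice", date(2013, 6, 10), date(2013, 6, 12), "Awaiting Approval"),
    Item("Action", "A-3", "alice", date(2013, 5, 20), date(2013, 6, 1), "Closed"),
]


def demo():
    return build_bulletin(SAMPLE, "alice", TODAY)
```

Note that A-2 lands in three sections at once (assigned recently, overdue, and awaiting closure approval); the bulletin reports each condition independently rather than picking one.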

KRI Reminder notification

The KRI Reminder notification is an email sent to the KRI owner that contains a list of all KRI Values that the owner or recipient is required to capture in the next seven days.

After the Risk Owner defines the Key Risk Indicator (KRI), the IBM OpenPages system determines whether it must generate a KRI Value object as a child of the KRI. If the KRI is set as Active, the KRI helper generates the values. If the KRI is set as Inactive, a batch utility sets up the KRI Value object as a placeholder with a status of Awaiting collection.

The administrator can run the KRI Value utility when necessary, for example, when the automatically scheduled job fails to run. The utility creates the KRI Values with details, such as ID, Description, Expected Capture date, KRI Capturer, and KRI Owner.

A notification that requests the KRI Capturer enters a KRI value is presented in one of the following ways:

• Weekly email notifications, which instruct the user to log in to IBM OpenPages.
• Based on the status of the KRI Value (Awaiting Collection) and the KRI Capturer (logged-in user), the KRI Value is shown on the user's home page.

The email notification that is sent to the KRI owner contains a list of KRIs that have the following characteristics:

• An expected collection date that is less than (TODAY + 7)
• A KRI status that is set to Awaiting Collection.

KRI Breach notification

The KRI Breach notification sends an email to the Risk Owner when a KRI breach status changes from Green to Red or from Amber to Red.

The KRI Breach notification is started by the KRI Lifecycle trigger. The email notification contains a link to the KRI that is in breach and advises the Risk Owner to review the breach and take appropriate actions.

KPI Reminder notification

The KPI Reminder notification is an email sent to the KPI owner that contains a list of all KPI Values that the owner or recipient is required to capture in the next seven days.

After the Risk Owner defines the Key Performance Indicator (KPI), the IBM OpenPages system determines whether it must generate a KPI Value object as a child object of the KPI. If the KPI is set as Active, the KPI helper generates the values. If the KPI is set as Inactive, a batch utility sets up the KPI Value object as a placeholder with a status of Awaiting collection.

The administrator can run the KPI Value utility when necessary, for example, when the automatically scheduled job fails to run. The utility creates the KPI Values with details, such as ID, Description, Expected Capture date, KPI Capturer, and KPI Owner.

A notification that requests the KPI Capturer enters a KPI value is presented in one of the following ways:

• Weekly email notifications, which instruct the user to log in to IBM OpenPages.
• Based on the status of the KPI Value (Awaiting Collection) and the KPI Capturer (logged-in user), the KPI Value is shown on the user's home page.

The email notification that is sent to the KPI owner contains a list of KPIs that have the following characteristics:

• An expected collection date that is less than (TODAY + 7)
• A KPI status that is set to Awaiting Collection.
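The selection rule shared by the KRI Reminder and KPI Reminder notifications above, as an added Python example that is not IBM's code: values still Awaiting Collection whose expected capture date is strictly less than TODAY + 7 are grouped by owner for the weekly email, and a separate filter picks the items a Capturer sees on the home page. The IndicatorValue shape and the sample values are assumptions.

```python
"""KRI / KPI Reminder selection (added example, not IBM OpenPages code). The
IndicatorValue shape and the sample values are assumptions; the date rule is
the one the reminder notification uses."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class IndicatorValue:
    indicator: str            # "KRI" or "KPI"
    value_id: str
    owner: str                # KRI/KPI Owner, who receives the reminder email
    capturer: str             # KRI/KPI Capturer, who sees the item on the home page
    expected_capture: date
    collection_status: str    # "Awaiting Collection", "Collected", ...


def reminder_batches(values, today, horizon_days=7):
    """Group, by owner, the values that still need capturing before today + horizon.

    A value qualifies when its status is Awaiting Collection and its expected
    capture date is strictly less than today + horizon_days. A date in the
    past also satisfies the rule, so an uncollected value keeps appearing in
    every weekly reminder until it is collected.
    """
    cutoff = today + timedelta(days=horizon_days)
    batches = {}
    for v in values:
        if v.collection_status == "Awaiting Collection" and v.expected_capture < cutoff:
            batches.setdefault(v.owner, []).append(v.value_id)
    return {owner: sorted(ids) for owner, ids in batches.items()}


def home_page_items(values, logged_in_user):
    """Values shown on a Capturer's home page: Awaiting Collection and
    capturer equal to the logged-in user, with no date condition."""
    return sorted(v.value_id for v in values
                  if v.collection_status == "Awaiting Collection" and v.capturer == logged_in_user)


# Constructed sample values around a fixed date.
TODAY = date(2013, 6, 14)
VALUES = [
    IndicatorValue("KRI", "KRI-V1", "carol", "dave", date(2013, 6, 20), "Awaiting Collection"),
    IndicatorValue("KRI", "KRI-V2", "carol", "dave", date(2013, 6, 21), "Awaiting Collection"),  # exactly TODAY + 7: not yet included
    IndicatorValue("KPI", "KPI-V1", "erin", "dave", date(2013, 6, 1), "Awaiting Collection"),    # already overdue
    IndicatorValue("KPI", "KPI-V2", "erin", "frank", date(2013, 6, 15), "Collected"),
]


def demo():
    return reminder_batches(VALUES, TODAY), home_page_items(VALUES, "dave")
```

KRI-V2 shows the boundary: a value expected on exactly TODAY + 7 is not in this week's email because the rule is "less than", but it is already on dave's home page because that view has no date condition.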

KPI Breach notification

The KPI Breach notification sends an email to the Risk Owner when a KPI breach status changes from Green to Red or from Amber to Red.

The KPI Breach notification is started by the KPI Lifecycle trigger. The email notification contains a link to the KPI that is in breach and advises the Risk Owner to review the breach and take appropriate actions.


Chapter 7. Reports

Standard reports are available for the IBM OpenPages Operational Risk Management module.

For a description of more reports that are installed with the IBM OpenPages GRC Platform and available to all modules, see the IBM OpenPages GRC Platform Administrator's Guide.

ORM-Specific Reports

The ORM-specific reports are standardized reports that you can run specifically to track, monitor, and maintain the various stages of the Operational Risk Management processes. These processes include Key Risk Indicators, scenario analysis, loss events, loss data, and issues and action items.

Loss Event Reports

The IBM OpenPages Loss Event function ensures that information about loss events is collected consistently across the organization. The Loss Event function requires that the most important data about each Event is entered, appropriately approved, and actions are undertaken. One of the stages for managing loss events is reporting.

The following loss event reports are specific to the IBM OpenPages Operational Risk Management module. Users can drill through from some reports to detail information.

Table 5. Loss Event Reports

Loss Event Dashboard
   Displays the count of Loss Events for the selected Business Entity and its descendants, which are broken out by Status and Risk Category.
   Drill-through report: Loss Event Dashboard Detail

Loss Event Summary
   Displays a column chart (representing entities) showing Net Loss that is broken out by Risk Category. A drill-through report shows Loss Event details.
   Drill-through report: Loss Event Detail

Loss Event Trend
   Displays the trend of Net Loss by Risk Category for a specified Business Entity.
   Drill-through report: Loss Event Trend Detail

Risk vs Loss
   Displays the annual Net Loss of a Business Entity for a specified date that is compared with the current Residual Risk Exposure.

Issue Management and Remediation reports

Issues are items that are identified against the documented framework. They are deemed as negatively affecting the ability to accurately manage and report risk. A selection of Issue and Action reports are available to all users.


The following issue management and remediation reports are specific to the IBM OpenPages Operational Risk Management module.

Table 6. Issue Management and Remediation reports

Issue Dashboard
   Provides a graphical representation of the number of issues by status. The report is scoped on the entity object and date range.
   Drill-through report: Issue Dashboard Detail

Issues and Action Items
   Variant of the Issue Dashboard Detail report. Provides summary information on the associated action items.

Scenario Analysis reports

The Scenario Analysis reports support the review of existing scenarios for each Business unit.

Scenarios involve the quantification of significant events (impacts and frequencies for potential events) that can be realized for an organization. The analysis captures the what-if scenarios of losses.

The following Scenario Analysis reports are specific to the IBM OpenPages Operational Risk Management module.

Table 7. Scenario Analysis reports

Scenario Summary
   A list report that displays all Scenarios by Entity. Details include ID, Description, Status, and Owner.
   Drill-through report: Scenario Result Detail

Reports Shared with Other Modules

The IBM OpenPages Operational Risk Management module contains a number of reports that are shared with other IBM OpenPages GRC Platform modules.

Risk Assessment Reports

Risk Assessment reports provide support for management by driving better decision-making that leads to action. These reports are a part of the action stage of the Risk and Control Self-assessment (RCSA) process.

The following risk assessment reports are shared with other IBM OpenPages GRC Platform modules.

Table 8. Risk Assessment Reports

Risk Assessment List
   Shows Risk Assessment details for a specified Business Entity and all of its descendants.

Risk Assessment Status
   Shows a stacked column chart that shows the status of Risk Assessments for the specified Business Entity and its direct descendants.
   Drill-through report: Risk Assessment Status Detail

Risk Assessment Summary
   Shows Risk Assessment details along with all associated Risks and Controls. A drill-through report shows Issues and Action Items that are related to the Risk Assessments, Risks, or Controls.
   Drill-through report: Risk Assessment Issues and Action Items

Risk Assessment Issues and Action Items
   Shows all Issues and Action Items that are related to the selected Risk Assessment and its associated Risks and Controls. Parent Object shows only the Risk Assessment, Risk, and Control parents.
   The report prompts for two values: Business Entity and Risk Assessment. Data is filtered on the selected entity. Users can select from all Risk Assessments that are associated, whether directly or indirectly, to the selected business entity.

Risk Reports

The IBM OpenPages GRC Platform provides risk reports that are shared with other modules. These reports include links or drill-throughs to different subreports for the same data item.

Table 9. Risk Reports

Risk Analysis
   Shows Risks that are grouped by Process for a specified Business Entity.

Risk Heat Map
   Shows a table that aggregates Risks by Residual Impact and Likelihood for a specified Business Entity.
   Drill-through report: Risk Detail

Risk Rating by Entity
   Shows Residual Risk Rating summary information for the selected Business Entity and its descendants.
   Drill-through report: Risk Rating by Entity Detail

Risk Rating by Category
   Shows Risk Category and Residual Risk Rating summary information for the selected Business Entity.
   Drill-through report: Risk Rating by Category Detail

Top Risks
   Shows a summary of the top Risks that are ranked by Residual Risk Exposure and the Inherent Risk Exposure.


Control Reports

The following control reports are shared with other IBM OpenPages GRC Platform modules.

Table 10. Control Reports

Risk and Control Matrix
   Shows Risk and Control data for specified Business Entity and Processes.

Control Effectiveness Map
   Shows counts of Controls grouped by Processes and Operating Effectiveness.
   Drill-through report: Control Effectiveness Detail

Testing Reports

The following testing report is shared with other IBM OpenPages GRC Platform modules.

Table 11. Testing Reports

Testing Dashboard
   Displays summary Test Result information for the selected Business Entity, with the ability to drill through to detail and trend information.
   Drill-through report: Testing Dashboard Detail

Indicator Reports

Reporting is the final stage of the IBM OpenPages Key Risk Indicator (KRI) or Key Performance Indicator (KPI) cycle. After the KRI owner defines the KRIs or KPIs, and captures their values, standard indicator reports are provided for summary information for the selected business entities.

The following indicator reports are shared with other IBM OpenPages GRC Platform modules.

Table 12. Indicator Reports

KRI Dashboard
   Summary KRI information is displayed for the selected Business Entity and its descendants.
   Drill-through report: KRI Dashboard Detail

KPI Dashboard
   Summary KPI information is displayed for the selected Business Entity and its descendants.
   Drill-through report: KPI Dashboard Detail

Visualization Reports

The following visualization report is shared with other IBM OpenPages GRC Platform modules.


Table 13. Visualization reports

Process Analysis
   Displays Risk and Controls in the context of a process diagram. Provides an aggregated view of Risk and Controls with risk rating and control effectiveness at the Process and Business Entity level.


Chapter 8. Triggers

The IBM OpenPages Operational Risk Management module contains several available triggers.

IBM OpenPages Operational Risk Management Modules Trigger Details provides additional details on the triggers described here.

Before you use the Object Manager tool to load XML instance data, you must disable triggers on any object types for which you will be loading data.

Object types that are configured for the IBM OpenPages Operational Risk Management module to have triggers by default include:

• Risk
• Action Item
• Issue
• Loss Event
• Loss Impact
• Loss Recovery
• KRI Value
• KPI Value
• Data Input
• Data Output

Object types that are configured for other IBM OpenPages GRC Platform modules to have triggers by default include:

• Audit
• Audit Section
• Workpaper
• Plan
• Timesheet
• Finding
• Audit Review Comment
• File (SOXDocument)
• Policy

ORM-Specific Triggers

Several triggers are specific to the IBM OpenPages Operational Risk Management module.

Loss Event Lifecycle triggers

The Loss Event Lifecycle triggers calculate and persist three fields on the Loss Event object, when related fields are created or changed on any descendant Loss Impact and Loss Recovery objects.


The triggers automate the approval process and remediation performance of Loss Event as described in the triggers for Loss Event Approval Submission and Loss Event Approval.

Loss Event Computation trigger

The Loss Event Computation trigger computes summary values in system base currency on a Loss Event that is based on associated Loss Impacts and Recoveries.

When a Loss Impact or Loss Recovery object is updated, associated, disassociated, or deleted, the trigger completes the following actions:

• Obtains the parent Loss Event object and retrieves the list of its Loss Impact child objects. The Gross Loss converts all the Actual Loss amounts of the Loss Impact child objects to Base Currency and calculates the Sum. The parent Loss Event Gross Loss field is updated with the Sum.
• Obtains the parent Loss Event object and retrieves the list of its Loss Recovery child objects. The Recovery Amount converts all the Actual Recovery Amounts of the Loss Recovery child objects to Base Currency and calculates the Sum. The parent Loss Event Recovery Amount field is updated with the Sum.
• To calculate the Net Loss, the trigger subtracts the Recovery Amount from Gross Loss and updates the Net Loss field on the parent Loss Event.

Loss Event Approval Submission trigger

The Loss Event Approval Submission trigger changes a Loss Event from an Open event to the Approval stage of its lifecycle. The trigger validates data.

The trigger occurs when the user saves a Loss Event with a Status field that is set to Open and the Submit for Approval field is set to Yes.

When a Loss Event object is created or updated, the trigger completes the following actions:

• Ensures that the data in the Event is complete and accurate, and validates the following dates:
  – For Loss Event
    The following dates must be less than or equal to the current date:
    - Loss Event Discovery date is greater than or equal to Occurrence start date
    - Occurrence Start date is less than or equal to Occurrence End Date
    - Recognition is greater than or equal to Occurrence start date
  – For Loss Impact
    - Discovery date is greater than or equal to Occurrence date
• Determines whether Gross Loss is less than a specified Approval threshold for the Business Entity.
  For Loss Events, the preference record holds two Gross Loss thresholds and the names of the appropriate Approvers. Event Approvers are the system user or groups of users who are notified of their requirement to approve a loss event.


Table 14. Event thresholds

Threshold 1
   Action on submission for approval:
   • If Gross Loss is less than Threshold 1, the Status field for the Event is set to Approved and the Event, Impacts, and Recoveries are locked.
   • If Gross Loss is greater than Threshold 1, the Status field for the Event is set to Awaiting Approval.
   • If Gross Loss is greater than or equal to Threshold 1 and less than Threshold 2, the status of Loss Event is set to Awaiting Approval, and the Approvers for Threshold 1 are notified.

Threshold 2
   Action on submission for approval:
   • If Gross Loss is greater than or equal to Threshold 2, the status of the Loss Event is set to Awaiting Approval and the Approvers for both Threshold 1 and Threshold 2 are notified.

Loss Event Approval trigger

The Loss Event Approval trigger approves or rejects Loss Events. The trigger is started when the Status field is set to anything other than Open or Closed and Submit for Approval is set to Yes. Options for Approve/Reject are Approve or Reject.

When a Loss Event object type is created or updated, the trigger completes the following actions:

Table 15. Trigger actions when Loss Event is saved

Status field: Open
   Opens the Loss Event.

Status field: Awaiting Approval
   If Gross Loss is less than Threshold 2, the trigger completes the following actions:
   • Updates the status of the Loss Event to Approved
   • Resets the value for the Submit for Approval field to No
   • Locks the Loss Event and its associated child Impacts and Recoveries

Status field: Awaiting Approval
   If Gross Loss is greater than Threshold 2, the trigger completes the following actions:
   • Updates the status of the Loss Event to Awaiting Approval L2
   • Resets the value for the Submit for Approval field to No
   • Resets the value for the Approve/Reject field to blank

Status field: Awaiting Approval L2
   • Updates the status of the Loss Event to Approved
   • Resets the value for the Submit for Approval field to No
   • Locks the Loss Event and its associated child Impacts and Recoveries

Status field: Awaiting Approval or Awaiting Approval L2
   • Updates the status of the Loss Event to Open
   • Resets the value of the Submit for Approval field to No
   • Sends an email notification to the Event Owner indicating that the Loss Event was rejected.

Status field: Closed
   Closes the Loss Event.


Triggers Shared with Other Modules

Several triggers are shared with other IBM OpenPages GRC Platform modules.

Issue Management and Remediation trigger

In an Issue Management and Remediation (IMR) framework, you can effectively document, monitor, remediate, and audit identified Issues.

Issues are items that are identified against the documented framework and are deemed to negatively affect the ability to accurately manage and report risk. In its lifecycle, an issue can have only one of two states: Open or Closed.

To resolve the identified Issue, the Issue Owner establishes and records the appropriate actions. When the Action is complete, the Assignee sets the Submit for Closure field to Yes. When this field is saved, a trigger is started and completes the following actions:

• Copies the value in the Issue Owner field from the parent Issue to the Action
• Sets the Action field to Awaiting Approval

The Issue Owner reviews the Action and can specify to either Accept Closure or Reject Closure. If the Action is saved with Reject Closure, the status reverts to Open and the Action returns to the Action Assignee.

Several triggers are used to automate the Issue management process.

Issue Lifecycle trigger

The Issue Lifecycle trigger sets the Original Due date on the first instance of Save of Issue and checks for any Open Actions when the Issue is saved with a status of Closed.

When an Issue object type is created or updated, and the status of the Issue object type is set to Closed, the trigger completes the following actions:

• The trigger checks all direct child Actions and determines whether they are all closed. If any Actions have a status of Open or Awaiting Approval, the trigger generates an error message. If all Actions are closed, the trigger saves the changes.

  Note: As an administrator, you can configure the error message under the Administrator > Settings menu.

• If the Original Due date field on the Issue is blank, the trigger populates the Original Due date with the Current Due date value.

KRI Lifecycle trigger

The KRI Lifecycle trigger calculates and persists field values on the KRI and KRI Value object types. The trigger occurs only if the Collection status of the KRI value is set to Collected.

When a KRI Value object is updated, associated, or disassociated, the trigger completes the following steps:

1. Determines whether the KRI is set for approval.
   • If the status is Yes, the trigger updates the status to Awaiting Approval and proceeds with steps 2, 3, 4, and 6.
   • If the status is No, the trigger updates the status from Awaiting Collection to Collected and proceeds with steps 2, 3, 4, and 5.
2. Copies the current threshold information from the KRI to the child KRI Value.
3. Evaluates the Breach status.
4. Copies the KRI Value, Value Date, Collection, and Breach status to the parent KRI.
5. If the status of the KRI Breach field changed from Green or Amber to Red, the trigger sends an email notification to the Risk Owner to inform the owner of the breach.
6. If the status is set to Awaiting Approval, the KRI Value is displayed on the home page of the KRI Owner. The KRI Owner can approve or reject the value:
   • If the KRI Owner saves the record with a Reject status, the KRI Value and Value Date are changed to a blank and the KRI Value status is set to Awaiting Collection.
   • If the KRI Owner saves the record with an Approved status, the Collection status changes to Collected on the Value field and on the KRI.

Note: When the KRI Owner defines the KRI, the owner can specify the details regarding the Approval of the KRI.

KPI Lifecycle trigger

The KPI Lifecycle trigger calculates and persists field values on the KPI and KPI Value object types. The trigger occurs when the KPI Value changed from a blank state to a value and the status of Value Date is Completed.

When a KPI Value object is updated, associated, or disassociated, the trigger completes the following actions:

1. Determines whether the KPI is set for approval.
   • If the status is Yes, the trigger updates the status to Awaiting Approval and proceeds with steps 2, 3, 4, and 6.
   • If the status is No, the trigger updates the status from Awaiting Collection to Collected and proceeds with steps 2, 3, 4, and 5.
2. Copies the current threshold information from the KPI to the child KPI Value.
3. Evaluates the Breach status.
4. Copies the KPI Value, Value Date, Collection, and Breach status to the parent KPI.
5. If the status of the KPI Breach field changed from Green or Amber to Red, the trigger sends an email notification to the Risk Owner to inform the owner of the breach.
6. If the status is set to Awaiting Approval, the KPI Value is displayed on the home page of the KPI Owner. The KPI Owner can approve or reject the value.
   • If the KPI Owner saves the record with a Reject status, the KPI Value and Value Date are changed to a blank and the KPI Value status is set to Awaiting Collection.
   • If the KPI Owner saves the record with an Approved status, the Collection status changes to Collected on the Value field and on the KPI.

Note: When the KPI Owner defines the KPI, the owner can specify the details of the Approval of the KPI.


Risk and Control Self-assessments triggers

The Risk Assessments process is used to identify, assess, and quantify a risk profile of the business. Each Risk is assessed on either a Qualitative or Quantitative basis.

When a Risk is saved, the Qualitative risk rating trigger determines a Risk Rating of Low, Medium, High, or Very High. The trigger also populates the hidden Quantitative fields: Severity, Frequency, and Exposure.

When a Risk is saved, the Quantitative risk rating trigger completes the following actions:

1. Computes the Exposure (Frequency x Severity)
2. Computes the Risk Rating as Low, Medium, High, or Very High
3. Derives the Impact value (1 - 10) based on a mapping table for each Business Unit that is stored in its Preference record.
4. Derives the Likelihood value (1 - 10) based on a mapping table for each Business Unit that is stored in its Preference record.

RCSA Quantitative trigger

The Risk and Control Self-assessments (RCSA) Quantitative trigger sets the Risk Rating and establishes impact, likelihood, and exposure for risks that are entered by using the Quantitative method. The trigger occurs only if the values for the Impact or Likelihood fields for Risk were modified.

Important: You must determine whether you want to assess risks by using a quantitative or qualitative approach. If you chose qualitative, this trigger does not apply. The option for quantitative or qualitative is set during the Application installation of IBM OpenPages GRC Modules. For more information, see the IBM OpenPages GRC Platform Modules Installation Guide.

When a Risk object is updated, associated, or disassociated, the trigger completes the following actions:

• Obtains the parent Preference object.
  The trigger attempts to find the Preference object associated with the business entity. The trigger traverses up the parent Entity hierarchy until a Preference object that is associated with a business entity is found. The preference object contains the settings for required parameters as described in the Severity table.
• Determines the Impact fields of the Risk object.
  The Impact is calculated by identifying the threshold range in which the Severity value falls. If any Severity value is null, the previous value is managed as the MAX Severity.

Table 16. Impact value based on severity value

Severity value                    Impact value
>= 0 and <= Severity 1            1
> Severity 1 and <= Severity 2    2
> Severity 2 and <= Severity 3    3
> Severity 3 and <= Severity 4    4
> Severity 4 and <= Severity 5    5
> Severity 5 and <= Severity 6    6
> Severity 6 and <= Severity 7    7
> Severity 7 and <= Severity 8    8
> Severity 8 and <= Severity 9    9
> Severity 9                      10

• Determines the Likelihood fields on the SOXRisk object.
  The Likelihood is calculated by identifying the threshold range in which the Frequency value falls. If any Frequency value is null, the previous value is managed as the MAX frequency.

Table 17. Likelihood value based on frequency value

Frequency value                     Likelihood value
>= 0 and <= Frequency 1             1
> Frequency 1 and <= Frequency 2    2
> Frequency 2 and <= Frequency 3    3
> Frequency 3 and <= Frequency 4    4
> Frequency 4 and <= Frequency 5    5
> Frequency 5 and <= Frequency 6    6
> Frequency 6 and <= Frequency 7    7
> Frequency 7 and <= Frequency 8    8
> Frequency 8 and <= Frequency 9    9
> Frequency 9                       10

• Calculates the Exposure as Severity multiplied by Frequency.
• Where the Impact value is X and the Likelihood value is Y:
  The XMAX value is the maximum value for impact. The YMAX value is the maximum value for likelihood.
  The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/YMAX.
  The XMAX and YMAX values are defined during installation. Do not change these values. If these values are changed, the RCSA Qualitative and Quantitative triggers might not correctly compute the risk rating.
  The trigger computes the Risk Rating by using the following formula:
  ((X x X) + (Y x Y)) / ((XMAX x XMAX) + (YMAX x YMAX))
  The rating value is 0 - 1 and expressed as a percentage.

Table 18. Risk ratings based on rating values

Rating value    Risk rating
0 - 25 %        LOW (green)
26 - 50 %       MEDIUM (yellow)
51 - 75 %       HIGH (orange)
76 - 100 %      VERY HIGH (red)


RCSA Qualitative trigger

The Risk and Control Self-assessments (RCSA) Qualitative trigger sets the Risk Rating and establishes severity, frequency, and exposure for risks that are entered by using the Qualitative method.

Important: You must determine whether you want to assess risks by using a quantitative or qualitative approach. If you chose quantitative, this trigger does not apply. The option for quantitative or qualitative is set during the Application installation of IBM OpenPages GRC Modules. For more information, see the IBM OpenPages GRC Platform Modules Installation Guide.

When a Risk object is updated, associated, or disassociated, the trigger completes the following actions:
• Evaluates the Preference record for the entity, or its parent entity if no Preference record exists.
  The trigger attempts to find the Preference object associated with the business entity. The trigger traverses up the parent Entity hierarchy until a Preference object that is associated with a business entity is found. The preference object contains the settings for required parameters as described in the Severity table.
• Evaluates the Severity fields of the Risk object.
  The Severity is determined by the Impact Value mappings that are specified in the Preference object.

Table 19. Severity based on impact values

Impact value    Severity
1               Severity 1
2               Severity 2
3               Severity 3
4               Severity 4
5               Severity 5
6               Severity 6
7               Severity 7
8               Severity 8
9               Severity 9
10              Severity 10

• Based on the Likelihood, evaluates the Frequency fields of the Risk object.
  The Frequency is determined by the Likelihood Value mappings that are specified in the Preference object.

Table 20. Frequency based on Likelihood values

Likelihood value    Frequency
1                   Frequency 1
2                   Frequency 2
3                   Frequency 3
4                   Frequency 4
5                   Frequency 5
6                   Frequency 6
7                   Frequency 7
8                   Frequency 8
9                   Frequency 9
10                  Frequency 10

• Calculates the Exposure as Severity multiplied by Frequency.
• Where the Impact value is X and the Likelihood value is Y:
  The XMAX value is the maximum value for impact. The YMAX value is the maximum value for likelihood.
  The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/YMAX.
  The XMAX and YMAX values are defined during installation. Do not change these values. If these values are changed, the RCSA Qualitative and Quantitative triggers might not correctly compute the risk rating.
  The trigger computes the Risk Rating by using the following formula:
  ((X x X) + (Y x Y)) / ((XMAX x XMAX) + (YMAX x YMAX))
  The rating value is 0 - 1 and expressed as a percentage.

Table 21. Risk ratings based on rating values

Rating value    Risk rating
0 - 25 %        LOW (green)
26 - 50 %       MEDIUM (yellow)
51 - 75 %       HIGH (orange)
76 - 100 %      VERY HIGH (red)
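The two RCSA triggers above (Tables 16 to 21) carried through in code, as an added worked example that is not IBM's trigger code: it assumes XMAX = YMAX = 10, a constructed Preference record, and one reading of the null-threshold rule, stated in the comments.

```python
"""RCSA Quantitative and Qualitative rating logic (Tables 16 to 21).
Added illustration, not IBM OpenPages trigger code.  XMAX/YMAX, the
Preference thresholds and the sample Risks are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# XMAX/YMAX are fixed at installation; 10 is assumed here to match the
# 1-10 Impact and Likelihood scales of Tables 16 and 17.
XMAX = 10
YMAX = 10


@dataclass
class Preference:
    """Severity 1..10 and Frequency 1..10 from the entity's Preference
    record.  Quantitative mode uses entries 1..9 as band thresholds;
    qualitative mode uses entries 1..10 as lookup values (Tables 19/20)."""
    severity: List[Optional[float]]
    frequency: List[Optional[float]]


@dataclass
class Risk:
    severity: Optional[float] = None    # quantitative input / qualitative output
    frequency: Optional[float] = None
    impact: Optional[int] = None        # qualitative input / quantitative output
    likelihood: Optional[int] = None
    exposure: Optional[float] = None
    rating_pct: Optional[float] = None
    rating: Optional[str] = None


def band_from_thresholds(value: float, thresholds: List[Optional[float]]) -> int:
    """Table 16 / Table 17: >= 0 and <= T1 -> 1, > T1 and <= T2 -> 2, ...,
    > T9 -> 10.  Null rule (assumed reading of the text): thresholds from
    the first null onwards are ignored, so the last defined one is the MAX
    and any value above it falls into the next band."""
    if value is None or value < 0:
        raise ValueError("severity/frequency must be a number >= 0")
    defined = []
    for t in thresholds[:9]:
        if t is None:
            break
        defined.append(t)
    for band, limit in enumerate(defined, start=1):
        if value <= limit:
            return band
    return len(defined) + 1


def risk_rating(x: int, y: int) -> Tuple[float, str]:
    """((X*X)+(Y*Y)) / ((XMAX*XMAX)+(YMAX*YMAX)) as a percentage, banded
    per Table 18 / 21.  The percentage is rounded to a whole number before
    banding (assumption: the tables use integer boundaries)."""
    if not (1 <= x <= XMAX and 1 <= y <= YMAX):
        raise ValueError("impact/likelihood out of range")
    pct = 100.0 * (x * x + y * y) / (XMAX * XMAX + YMAX * YMAX)
    r = round(pct)
    if r <= 25:
        band = "LOW"
    elif r <= 50:
        band = "MEDIUM"
    elif r <= 75:
        band = "HIGH"
    else:
        band = "VERY HIGH"
    return pct, band


def quantitative_trigger(risk: Risk, pref: Preference) -> Risk:
    """RCSA Quantitative trigger: Severity/Frequency -> Impact/Likelihood."""
    risk.impact = band_from_thresholds(risk.severity, pref.severity)
    risk.likelihood = band_from_thresholds(risk.frequency, pref.frequency)
    risk.exposure = risk.severity * risk.frequency
    risk.rating_pct, risk.rating = risk_rating(risk.impact, risk.likelihood)
    return risk


def qualitative_trigger(risk: Risk, pref: Preference) -> Risk:
    """RCSA Qualitative trigger: Impact/Likelihood -> Severity/Frequency."""
    if not (1 <= risk.impact <= 10 and 1 <= risk.likelihood <= 10):
        raise ValueError("impact/likelihood must be 1-10")
    risk.severity = pref.severity[risk.impact - 1]        # Table 19
    risk.frequency = pref.frequency[risk.likelihood - 1]  # Table 20
    if risk.severity is None or risk.frequency is None:
        raise ValueError("Preference record has no value for that band")
    risk.exposure = risk.severity * risk.frequency
    risk.rating_pct, risk.rating = risk_rating(risk.impact, risk.likelihood)
    return risk


# Constructed sample Preference record: Severity as loss amount in currency
# units, Frequency as events per year.
SAMPLE_PREF = Preference(
    severity=[1_000, 5_000, 10_000, 25_000, 50_000,
              100_000, 250_000, 500_000, 1_000_000, 5_000_000],
    frequency=[0.1, 0.25, 0.5, 1, 2, 4, 12, 26, 52, 365],
)

if __name__ == "__main__":
    q = quantitative_trigger(Risk(severity=60_000, frequency=3), SAMPLE_PREF)
    print(q)   # impact 6, likelihood 6, exposure 180000, 36.0% MEDIUM
    k = qualitative_trigger(Risk(impact=8, likelihood=3), SAMPLE_PREF)
    print(k)   # severity 500000, frequency 0.5, exposure 250000.0, 36.5% MEDIUM
```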

Risk Approval Submission trigger

The Risk Approval Submission trigger updates the Status field on Risk and Controls so that the Process Owner can process the Approval.

When a Risk object is created or updated, and the Submit for Approval field value is set to Yes, the trigger completes the following actions:
• Obtains all associated child Control objects and applies validation rules.
  All child Control objects are assessed and the Status field is set to Awaiting Assessment.
• Updates the Status field on the Risk object and all associated control objects from Awaiting Assessment to Awaiting Approval.
• Obtains the parent Process object to obtain all Risk objects and checks whether all risks for a Process are Awaiting Approval.
• Determines whether all risks for a Process are awaiting approval, and continues based on the following status:
  – If the status is Yes, the trigger ends its process.
  – If the status is No, the trigger sets the Status of the parent Process object to Awaiting Approval, and sends an email notification to the Process Owner.

RCSA Risk and Control Approval trigger

The RCSA Risk and Control Approval trigger allows the Process Owner to approve or reject an assessment of a risk and its controls.


When a Risk object Approve/Reject field is set to Approve or Reject, the trigger completes the following actions:
• If the Approve/Reject field is set to Reject, the trigger updates the Status field value of the Risk and associated Controls to Awaiting Assessment, and sends an email notification to the Risk Owner.
• If the Approve/Reject field is set to Approve, the trigger continues with the following processes:
  – Updates the Status field value of the Risk and associated Controls to Approved.
  – Updates the Process status to Approved, sets the Approval Date, and sends an email notification to the RCSA coordinator.

Visualization triggers

The Visualization triggers prevent the user from adding new Risks as children of the Data Input and Data Output object types.

Risks can only be made children of these object types by associating existing Risks to them. Data Input and Data Output object types are not allowed to be primary parents of Risks.


Chapter 9. Profiles

The IBM OpenPages Operational Risk Management module includes severalprofiles by default.

Profiles include the following components:
• Filters
• My Work Home page and Home page tabs
• Dependent fields and dependent picklists
• Activity, Detail, Context, Folder, Overview, Filtered List, Grid, and List Views

OpenPages ORM 7.0.0 Master Profile

The OpenPages ORM 7.0.0 Master profile includes the fields and configuration for all of IBM OpenPages Operational Risk Management.

Home Page filtered list

For a list of the Home Page filters that are available for the OpenPages ORM 7.0.0 Master profile, see “Home Page Filtered Lists” on page 53.

Activity Views

For a list of the Activity Views that are available for the OpenPages ORM 7.0.0 Master profile, see “Activity Views” on page 55.

Grid Views

For a list of the Grid Views that are available for the OpenPages ORM 7.0.0 Master profile, see “Grid Views” on page 58.

ORM Operational Risk Team profile

The ORM Operational Risk Team profile includes the configuration for a power user who uses most capabilities of OpenPages but does not have read access to Library IDs and object status fields.

A user of this profile has the ability to modify the following items:
• Maintain Processes
• Manage Risk & Control Libraries
• Perform RCSA Scoping
• Perform and oversee the RCSA process
• Administer, review, and oversee Loss Event
• Define and capture KRIs
• Manage Issue and Action closure
• Coordinate Scenario Analysis


Home Page filtered list

For a list of the Home Page filters that are available for the ORM Operational Risk Team profile, see “Home Page Filtered Lists” on page 53.

Activity Views

For a list of the Activity Views that are available for the ORM Operational Risk Team profile, see “Activity Views” on page 55.

Grid Views

For a list of the Grid Views that are available for the ORM Operational Risk Team profile, see “Grid Views” on page 58.

ORM Business User profile

The ORM Business User profile includes the fields and configuration for a risk manager to use in the operations of the business. This user is an active participant in almost all Operational Risk Management activities.

A user of this profile has the ability to modify the following items:
• Log a Loss Event
• Perform RCSA Scoping
• Approve Risk Assessments
• Capture Key Risk Indicators
• Manage Issue and Action closure
• Participate in scenario workshops

Home Page filtered list

For a list of the Home Page filters that are available for the ORM Business User profile, see “Home Page Filtered Lists” on page 53.

Activity Views

For a list of the Activity Views that are available for the ORM Business User profile, see “Activity Views” on page 55.

Grid Views

For a list of the Grid Views that are available for the ORM Business User profile, see “Grid Views” on page 58.

ORM Simplified User profile

The ORM Simplified User profile allows a user to focus on Loss Events, KRI value capture, and issue management.

Home Page filtered list

For a list of the Home Page filters that are available for the ORM Simplified User profile, see “Home Page Filtered Lists” on page 53.


Activity Views

For a list of the Activity Views that are available for the ORM Simplified User profile, see “Activity Views” on page 55.

Grid Views

For a list of the Grid Views that are available for the ORM Simplified User profile, see “Grid Views” on page 58.

Home Page Filtered Lists

By default, filtered lists are defined for the My Work tab on the Home page for users of the ORM 7.0.0 Master profile, the ORM Operational Risk Team profile, the ORM Business User profile, and the ORM Simplified User profile.

Table 22. Home Page filtered lists

Open Issues
    Description: Home Page access to your issues.
    Object Type: Issue
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile

My Open Issues
    Description: List of Open issues that are owned by the logged in user and require remediation.
    Object Type: Issue
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

My Action Items
    Description: Home Page access to action items.
    Object Type: Action Item
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

Remediation Pending Approval
    Description: Home Page access to your remediation items that are waiting for approval. The user is notified of items that are pending approval and the action to perform. If an action requires time to complete, use the Comment field to track the latest updates. When the Action is complete, set the Submit for Closure field to Yes.
    Object Type: Action Item
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

My Open Events
    Description: Displays a list of Loss Events where the status is Open and the Event Owner is the logged in user.
    Object Type: Loss Event
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

Events Awaiting Approval
    Description: Home Page displays Loss Events with a status of Awaiting approval or Awaiting Approval L2 and the Approver L1 or L2 is the logged in user.
    Object Type: Loss Event
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile

Open Loss Events Over $1M
    Description: Home Page access to large open loss events.
    Object Type: Loss Event
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile

Process Awaiting Approval
    Description: Returns a list of all Processes that are owned by the logged in user and have a status of Awaiting Approval.
    Object Type: Process
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile

Risks Awaiting Assessment
    Description: Returns a list of all risks that are owned by the logged in user with a status of Awaiting Assessment.
    Object Type: Risk
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile

My Risk Assessments
    Description: Home Page access to your risk assessments.
    Object Type: Risk Assessment
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile

KRIs Awaiting Entry
    Description: Returns a list of KRI values that have a status of awaiting collection and an expected collection date either in the next 7 days or in the last 365 days. It also requires that KRI Collector = logged in user.
    Object Type: KRI value
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile

My KRIs in Breach
    Description: Returns any KRIs owned by the logged in user with a Breach status of Red.
    Object Type: KRI value
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile

My KRIs Awaiting Approval
    Description: Returns KRI values that match the collection status of Awaiting Approval and the KRI Owner is equal to the logged in user.
    Object Type: KRI value
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile

KPIs Awaiting Entry
    Description: Returns a list of KPI values that have a status of awaiting collection and an expected collection date either in the next 7 days or in the last 365 days. It also requires that KPI Collector = logged in user.
    Object Type: KPI value
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile

My KPIs in Breach
    Description: Returns any KPIs owned by the logged in user with a Breach status of Red.
    Object Type: KPI value
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile

My KPIs Awaiting Approval
    Description: Returns KPI values that match the collection status of Awaiting Approval and the KPI Owner is equal to the logged in user.
    Object Type: KPI value
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile

Activity Views

By default, the IBM OpenPages Operational Risk Management module contains several activity views that are defined for users of the OpenPages ORM 7.0.0 Master profile, the ORM Operational Risk Team profile, the ORM Business User profile, and the ORM Simplified User profile.

Table 23. Activity views

Control Testing Summary
    Description: Use to indicate Control Operating Effectiveness. Provides Test Plan and Test Result information that informs the Operating Effectiveness decision.
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Simplified User profile

Questionnaire Set Up
    Description: Use to create and modify questionnaires that use the Questionnaire, Section, Question object model.
    Profiles: OpenPages ORM 7.0.0 Master profile

Questionnaire
    Description: Use to respond to questionnaires that use the Questionnaire, Section, Question object model.
    Profiles: OpenPages ORM 7.0.0 Master profile

Process RCSA View
    Description: Facilitates conducting process-based Risk and Control Self Assessments.
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Simplified User profile

Process Approval
    Description: From the Home page, the Process owner can navigate to Processes that are awaiting Approval, using the Process Approval Activity view.
    Profiles: ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

RCSA View
    Description: Facilitates conducting Risk Assessment-based Risk and Control Self Assessments.
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Simplified User profile

RCSA Approval
    Description: Used by Risk Coordinator to approve Risk and Control Self Assessments.

Risk and Control Assessment
    Description: Risk Assessments are often the core process an organization uses in Operational Risk. It identifies, assesses, and quantifies a risk profile. It establishes consistency and enables a broad view of risk across an organization. It provides Decision Support for management, drives better decisions, and leads to Action.
    Profiles: ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

Loss Event Approval
    Description: If an Event is submitted for Approval and it is valid and above Loss Event threshold 1, the status changes to Awaiting approval. The Approver is notified to review and approve or reject the event.
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

Loss Event Management
    Description: Loss Event capability enables the collection, classification, and maintenance of operational risk loss events within the business hierarchy. It ensures that information about loss events is collected consistently across the organization by requiring that the most important data about each Event is entered and that appropriate approval and actions are undertaken.
    Profiles: ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

Scenario Management
    Description: Use to indicate applicability of a Scenario. Scenarios quantify significant events that an organization could realize, such as impacts and frequencies for potential events. They capture the "what if" scenarios of losses for an organization.
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile

Scenario Approval
    Description: Use to approve a Scenario.
    Profiles: ORM Operational Risk Team profile

KPI Value Entry
    Description: Use to enter KPI values and change the status to collected.
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Simplified User profile

KPI Value Approval
    Description: Use to approve KPI values.
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Simplified User profile

KRI Value Entry
    Description: Use to enter KRI values and change the status to collected. After the KRI is defined, the system determines if a KRI value is required. If the KRI is marked as Active, the KRI helper generates values. If the KRI value is set to Inactive, the utility does not generate a blank value. The value object is initially set up as a placeholder with a status of Awaiting collection.
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

KRI Value Approval
    Description: Determines whether the KRI Value approval is required. Set to Yes if the entry of the Value must be reviewed by the KRI owner.
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

KRI Value
    Description: After the KRI is defined, the system determines if a KRI value is required. If the KRI is marked as Active, the KRI helper generates values. If the KRI value is set to Inactive, the utility does not generate a blank value. The value object is initially set up as a placeholder with a status of Awaiting collection.
    Profiles: ORM Operational Risk Team profile; ORM Business User profile


Grid Views

By default, grid views are defined for users of the ORM 7.0.0 Master profile, the ORM Operational Risk Team profile, the ORM Business User profile, and the ORM Simplified User profile.

Table 24. Grid Views

Enter KRI Values
    Description: Use to enter KRI Values. Before using this view, create KRI Value objects.
    Object Type: KRI, KRI Value
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

Approve KRI Values
    Description: Use to review and approve KRI Values. Before using this view, create KRI Value objects and enter the values.
    Object Type: KRI, KRI Value
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

Enter KPI Values
    Description: Use to enter KPI Values. Before using this view, create KPI Value objects.
    Object Type: KPI, KPI Value
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

Approve KPI Values
    Description: Use to review and approve KPI Values. Before using this view, create KPI Value objects and enter the values.
    Object Type: KPI, KPI Value
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

PRSA Update
    Description: Use to update Process Risk Self Assessments.
    Object Type: Process, Risk, Control
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

PRSA Review
    Description: Use to review Process Risk Self Assessments.
    Object Type: Process, Risk, Control
    Profiles: OpenPages ORM 7.0.0 Master profile; ORM Operational Risk Team profile; ORM Business User profile; ORM Simplified User profile

OpenPages FIRST Loss 7.0.0 Profile

The OpenPages FIRST Loss 7.0.0 profile includes the fields and configuration that facilitate the loading of FIRST Loss data through the OpenPages FastMap feature to IBM OpenPages Operational Risk Management.

The OpenPages FIRST Loss 7.0.0 profile makes all fields in FIRST Loss objects editable to users with this profile so data can be loaded. This profile should be assigned only to users who are responsible for loading FIRST Loss data through FastMap. All other users should have read-only access to FIRST Loss objects.

Home Page Filtered Lists

There are no home page filtered lists defined for users of the OpenPages FIRST Loss 7.0.0 profile.

Activity Views

There are no activity views defined for users of the OpenPages FIRST Loss 7.0.0 profile.

Grid Views

There are no grid views defined for users of the OpenPages FIRST Loss 7.0.0 profile.


Chapter 10. Role templates

A Role Template describes the privileges that a user is granted to access each object type. A template defines the objects that a user can Read, Write, Delete, and Associate.

By default, the following role templates are available for the IBM OpenPages Operational Risk Management module.
• OpenPages ORM 7.0 - All Permissions
• OpenPages ORM 7.0 - All Data - No Admin
• Operational Risk Team
• Business User
• Simplified User

The role templates provide Read, Write, Delete, and Associate access to the following object types.

Table 25. Role Template object types

Object Type Name                      Object Type
DataInput                             Data Input
DataOutput                            Data Output
FIRSTLoss                             FIRST Loss
KeyPerformanceindicator               KPI
KeyPerformanceindicatorValue          KPI Value
KeyRiskindicator                      KRI
KeyRiskindicatorValue                 KRI Value
LossEvent                             Loss Event
LossImpact                            Loss Impact
LossRecovery                          Loss Recovery
ORICLoss                              ORIC Loss
ORXLoss                               ORX Loss
ProcessDiagram                        Process Diagram
ProcessEval                           Process Evaluation
Questionnaire                         Questionnaire
RiskAssessment                        Risk Assessment
ScenarioAnalysis                      Scenario Analysis
ScenarioResult                        Scenario Result
SOXBusEntity                          Business Entity
SOXControl                            Control
SOXDocument, SOXExternalDocument      File, Link
SOXIssue                              Issue
SOXProcess                            Process
SOXRisk                               Risk
SOXSignature                          Signature
SOXSubprocess                         Sub-Process
SOXTask                               Action Item
SOXTest                               Test Plan
SOXTestResult                         Test Result

Access Permissions

The following permissions describe the level of security.

Read
    Any groups or users that are assigned to this role can browse to and view the details of objects (parent and child) contained in the folder. They cannot modify any object data unless other permissions are explicitly set.

Write
    The groups or users that are assigned to this role can modify the details of objects within the selected folder. They cannot delete objects. Write access to a folder is required for creating new objects within the folder.

Delete
    The group or user that is assigned to this role can delete objects within the folder structure.

Associate
    The group or user that is assigned to this role can create associations between objects.

Unspecified
    By default, no access is granted to the user or group for the corresponding object through this role. The Unspecified setting does not override any access that is granted on an object through other roles or access that is inherited through a role on higher-level security context points. If you want less restrictive access, use this value instead of Denied.

Granted
    This setting gives a user or group full access to the specified action, such as Write, Delete, or Associate. The user can modify or delete the file or folder that is based on the permission.

Denied
    This setting does not allow a user or group to Write, Delete, or Associate. The Denied setting overrides any access that is granted on the object through other roles.
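How the Granted, Denied and Unspecified settings combine when a user holds several roles, as an added example that is not OpenPages code: it takes a few rows from Tables 27 and 28 below, and the rule for merging roles across security context points is an assumption drawn from the Unspecified and Denied descriptions above.

```python
"""Effective-access resolution for Read / Write / Delete / Associate with
the Granted / Denied / Unspecified settings.  Added illustration, not
OpenPages code.  Role rows are copied from Tables 27 and 28 for a handful
of object types; how roles from several context points merge is assumed."""
from typing import Dict, List, Tuple

ACTIONS = ("Read", "Write", "Delete", "Associate")
SETTINGS = ("Granted", "Denied", "Unspecified")

# A role template maps an object type to its (Read, Write, Delete, Associate)
# settings.  Object types a template does not mention count as Unspecified.
RoleTemplate = Dict[str, Tuple[str, str, str, str]]

# Rows from Table 27 (Operational Risk Team).
OPERATIONAL_RISK_TEAM: RoleTemplate = {
    "Business Entity":   ("Granted", "Granted",     "Denied", "Granted"),
    "Risk":              ("Granted", "Granted",     "Denied", "Granted"),
    "Scenario Analysis": ("Granted", "Granted",     "Denied", "Granted"),
    "ORIC Loss":         ("Granted", "Unspecified", "Denied", "Unspecified"),
}
# Rows from Table 28 (Business User).
BUSINESS_USER: RoleTemplate = {
    "Business Entity":   ("Granted", "Denied",      "Denied", "Granted"),
    "Risk":              ("Granted", "Granted",     "Denied", "Granted"),
    "Scenario Analysis": ("Granted", "Unspecified", "Denied", "Granted"),
    "ORIC Loss":         ("Granted", "Unspecified", "Denied", "Unspecified"),
}


def setting(role: RoleTemplate, object_type: str, action: str) -> str:
    """Setting a single role template gives for one object type / action."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    row = role.get(object_type)
    if row is None:
        return "Unspecified"
    value = row[ACTIONS.index(action)]
    if value not in SETTINGS:
        raise ValueError(f"bad setting {value!r} for {object_type}/{action}")
    return value


def effective_access(roles: List[RoleTemplate], object_type: str,
                     action: str) -> bool:
    """Combine every role that reaches this object: roles assigned directly
    and roles inherited from higher-level security context points (the
    caller passes all of them in one list).

    Assumed merge rule, from the text: Denied overrides any Granted from
    another role; Unspecified grants nothing and overrides nothing.  So the
    result is True only when some role says Granted and none says Denied."""
    settings = [setting(r, object_type, action) for r in roles]
    if "Denied" in settings:
        return False
    return "Granted" in settings


def can_create_in_folder(roles: List[RoleTemplate], object_type: str) -> bool:
    """Creating a new object requires Write on the folder's object type."""
    return effective_access(roles, object_type, "Write")


def access_matrix(roles: List[RoleTemplate],
                  object_types: List[str]) -> Dict[str, Dict[str, bool]]:
    """Resolved Read/Write/Delete/Associate per object type: the view an
    access reviewer wants when checking what a role combination allows."""
    return {obj: {a: effective_access(roles, obj, a) for a in ACTIONS}
            for obj in object_types}


def widened_by(base: List[RoleTemplate], extra: RoleTemplate,
               object_types: List[str]) -> List[Tuple[str, str]]:
    """(object type, action) pairs that adding `extra` would newly allow;
    a least-privilege check to run before assigning a second role."""
    before = access_matrix(base, object_types)
    after = access_matrix(base + [extra], object_types)
    return [(obj, a) for obj in object_types for a in ACTIONS
            if after[obj][a] and not before[obj][a]]


if __name__ == "__main__":
    objs = list(OPERATIONAL_RISK_TEAM)
    for obj, perms in access_matrix([OPERATIONAL_RISK_TEAM, BUSINESS_USER], objs).items():
        print(obj, perms)
    print(widened_by([BUSINESS_USER], OPERATIONAL_RISK_TEAM, objs))
    # -> [('Scenario Analysis', 'Write')]
```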

ORM Master Role Templates object permissions

The following table defines the role template object permissions for the OpenPages ORM 7.0 - All Permissions and the OpenPages ORM 7.0 - All Data - No Admin role templates.

Table 26. ORM Master Role Templates role access to object types

Object Type                   Read         Write        Delete       Associate
Business Entity               Granted      Granted      Granted      Granted
Preference Record             Granted      Granted      Granted      Granted
Process                       Granted      Granted      Granted      Granted
Process Evaluation            Granted      Granted      Granted      Granted
Sub Process                   Granted      Granted      Granted      Granted
Risk                          Granted      Granted      Granted      Granted
Risk Assessment               Granted      Granted      Granted      Granted
Risk Assessment Evaluation    Granted      Granted      Granted      Granted
Risk Evaluation               Granted      Granted      Granted      Granted
Control                       Granted      Granted      Granted      Granted
Control Evaluation            Granted      Granted      Granted      Granted
KPI                           Granted      Granted      Granted      Granted
KPI Value                     Granted      Granted      Granted      Granted
KRI                           Granted      Granted      Granted      Granted
KRI Value                     Granted      Granted      Granted      Granted
Loss Event                    Granted      Granted      Granted      Granted
Loss Impact                   Granted      Granted      Granted      Granted
Loss Recovery                 Granted      Granted      Granted      Granted
Issue                         Granted      Granted      Granted      Granted
Action Item                   Granted      Granted      Granted      Granted
Scenario Analysis             Granted      Granted      Granted      Granted
Scenario Result               Granted      Granted      Granted      Granted
ORIC Loss                     Granted      Granted      Granted      Granted
ORX Loss                      Granted      Granted      Granted      Granted
FIRST Loss                    Granted      Granted      Granted      Granted
Questionnaire                 Granted      Granted      Granted      Granted

Operational Risk Team object permissions

The following table defines the Operational Risk Team role template object permissions.

Table 27. Operational Risk Team role access to object types

Object Type                   Read         Write        Delete       Associate
Business Entity               Granted      Granted      Denied       Granted
Preference Record             Granted      Granted      Denied       Granted
Process                       Granted      Granted      Denied       Granted
Process Evaluation            Granted      Granted      Denied       Granted
Sub Process                   Granted      Granted      Denied       Granted
Risk                          Granted      Granted      Denied       Granted
Risk Assessment               Granted      Granted      Denied       Granted
Risk Assessment Evaluation    Granted      Granted      Denied       Granted
Risk Evaluation               Granted      Granted      Denied       Granted
Control                       Granted      Granted      Denied       Granted
Control Evaluation            Granted      Granted      Denied       Granted
KPI                           Granted      Granted      Denied       Granted
KPI Value                     Granted      Granted      Denied       Granted
KRI                           Granted      Granted      Denied       Granted
KRI Value                     Granted      Granted      Denied       Granted
Loss Event                    Granted      Granted      Denied       Granted
Loss Impact                   Granted      Granted      Denied       Granted
Loss Recovery                 Granted      Granted      Denied       Granted
Issue                         Granted      Granted      Denied       Granted
Action Item                   Granted      Granted      Denied       Granted
Scenario Analysis             Granted      Granted      Denied       Granted
Scenario Result               Granted      Granted      Denied       Granted
ORIC Loss                     Granted      Unspecified  Denied       Unspecified
ORX Loss                      Granted      Unspecified  Denied       Unspecified
FIRST Loss                    Granted      Unspecified  Denied       Unspecified

Business User object permissions

The following table defines the Business User role template object permissions.

Table 28. Business User role access to object types

Object Type                   Read         Write        Delete       Associate
Business Entity               Granted      Denied       Denied       Granted
Preference Record             Granted      Denied       Denied       Granted
Process                       Granted      Granted      Denied       Granted
Process Evaluation            Granted      Granted      Denied       Granted
Sub Process                   Granted      Granted      Denied       Granted
Risk                          Granted      Granted      Denied       Granted
Risk Assessment               Granted      Granted      Denied       Granted
Risk Assessment Evaluation    Granted      Granted      Denied       Granted
Risk Evaluation               Granted      Granted      Denied       Granted
Control                       Granted      Granted      Denied       Granted
Control Evaluation            Granted      Granted      Denied       Granted
KPI                           Granted      Granted      Denied       Granted
KPI Value                     Granted      Granted      Denied       Granted
KRI                           Granted      Granted      Denied       Granted
KRI Value                     Granted      Granted      Denied       Granted
Loss Event                    Granted      Granted      Denied       Granted
Loss Impact                   Granted      Granted      Denied       Granted
Loss Recovery                 Granted      Granted      Denied       Granted
Issue                         Granted      Granted      Denied       Granted
Action Item                   Granted      Granted      Denied       Granted
Scenario Analysis             Granted      Unspecified  Denied       Granted
Scenario Result               Granted      Unspecified  Denied       Granted
ORIC Loss                     Granted      Unspecified  Denied       Unspecified
ORX Loss                      Granted      Unspecified  Denied       Unspecified
FIRST Loss                    Granted      Unspecified  Denied       Unspecified

Simplified User object permissions

The following table defines the Simplified User role template object permissions.

Table 29. Simplified User role access to object types

Object Type                  Read     Write        Delete   Associate
Business Entity              Granted  Denied       Denied   Granted
Preference Record            Granted  Denied       Denied   Granted
Process                      Granted  Granted      Denied   Granted
Process Evaluation           Granted  Granted      Denied   Granted
Sub Process                  Granted  Granted      Denied   Granted
Risk                         Granted  Granted      Denied   Granted
Risk Assessment              Granted  Granted      Denied   Granted
Risk Assessment Evaluation   Granted  Granted      Denied   Granted
Risk Evaluation              Granted  Granted      Denied   Granted
Control                      Granted  Granted      Denied   Granted
Control Evaluation           Granted  Granted      Denied   Granted
KPI                          Granted  Denied       Denied   Granted
KPI Value                    Granted  Denied       Denied   Granted
KRI                          Granted  Granted      Denied   Granted
KRI Value                    Granted  Granted      Denied   Granted
Loss Event                   Granted  Granted      Denied   Granted
Loss Impact                  Granted  Granted      Denied   Granted
Loss Recovery                Granted  Granted      Denied   Granted
Issue                        Granted  Granted      Denied   Granted
Action Item                  Granted  Granted      Denied   Granted
Scenario Analysis            Denied   Denied       Denied   Denied
Scenario Result              Denied   Denied       Denied   Denied
ORIC Loss                    Denied   Denied       Denied   Denied
ORX Loss                     Denied   Denied       Denied   Denied
FIRST Loss                   Denied   Denied       Denied   Denied
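The Business User and Simplified User tables above are an access matrix, and the questions a reviewer asks of such a matrix (where do two templates differ, does the narrower template ever grant something the broader one withholds, which cells were never decided) are better answered mechanically than by eye. The Python below is an added example, not code from the IBM OpenPages documentation or product. It parses rows in the flattened "Object Type Read Write Delete Associate" form, using the rows copied from Tables 28 and 29 as input, and runs those three checks. Treating an Unspecified cell as one that needs an explicit decision is this example's assumption; the page does not say how an Unspecified permission resolves at run time.

```python
# Added example (not from the IBM OpenPages documentation or product): load the
# flattened role-template rows copied from Tables 28 and 29 and review them.
from typing import Dict, List, Tuple

PERMS = ("Read", "Write", "Delete", "Associate")
LEVELS = {"Granted", "Denied", "Unspecified"}
Matrix = Dict[str, Dict[str, str]]  # object type -> permission -> level

BUSINESS_USER = """\
Business Entity Granted Denied Denied Granted
Preference Record Granted Denied Denied Granted
Process Granted Granted Denied Granted
Process Evaluation Granted Granted Denied Granted
Sub Process Granted Granted Denied Granted
Risk Granted Granted Denied Granted
Risk Assessment Granted Granted Denied Granted
Risk Assessment Evaluation Granted Granted Denied Granted
Risk Evaluation Granted Granted Denied Granted
Control Granted Granted Denied Granted
Control Evaluation Granted Granted Denied Granted
KPI Granted Granted Denied Granted
KPI Value Granted Granted Denied Granted
KRI Granted Granted Denied Granted
KRI Value Granted Granted Denied Granted
Loss Event Granted Granted Denied Granted
Loss Impact Granted Granted Denied Granted
Loss Recovery Granted Granted Denied Granted
Issue Granted Granted Denied Granted
Action Item Granted Granted Denied Granted
Scenario Analysis Granted Unspecified Denied Granted
Scenario Result Granted Unspecified Denied Granted
ORIC Loss Granted Unspecified Denied Unspecified
ORX Loss Granted Unspecified Denied Unspecified
FIRST Loss Granted Unspecified Denied Unspecified
"""
SIMPLIFIED_USER = """\
Business Entity Granted Denied Denied Granted
Preference Record Granted Denied Denied Granted
Process Granted Granted Denied Granted
Process Evaluation Granted Granted Denied Granted
Sub Process Granted Granted Denied Granted
Risk Granted Granted Denied Granted
Risk Assessment Granted Granted Denied Granted
Risk Assessment Evaluation Granted Granted Denied Granted
Risk Evaluation Granted Granted Denied Granted
Control Granted Granted Denied Granted
Control Evaluation Granted Granted Denied Granted
KPI Granted Denied Denied Granted
KPI Value Granted Denied Denied Granted
KRI Granted Granted Denied Granted
KRI Value Granted Granted Denied Granted
Loss Event Granted Granted Denied Granted
Loss Impact Granted Granted Denied Granted
Loss Recovery Granted Granted Denied Granted
Issue Granted Granted Denied Granted
Action Item Granted Granted Denied Granted
Scenario Analysis Denied Denied Denied Denied
Scenario Result Denied Denied Denied Denied
ORIC Loss Denied Denied Denied Denied
ORX Loss Denied Denied Denied Denied
FIRST Loss Denied Denied Denied Denied
"""

def parse_table(text: str) -> Matrix:
    """Rows are '<object type> <Read> <Write> <Delete> <Associate>'; names may contain spaces."""
    matrix: Matrix = {}
    for parts in map(str.split, text.splitlines()):
        if not parts:  # tolerate blank lines between rows
            continue
        if len(parts) < 5 or any(p not in LEVELS for p in parts[-4:]):
            raise ValueError(f"malformed row: {' '.join(parts)!r}")
        matrix[" ".join(parts[:-4])] = dict(zip(PERMS, parts[-4:]))
    return matrix

def diff_roles(a: Matrix, b: Matrix) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Cells where the two templates differ: {object type: {perm: (a_level, b_level)}}."""
    out: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for obj in sorted(set(a) | set(b)):
        ra, rb = a.get(obj, {}), b.get(obj, {})
        cells = {p: (ra.get(p, "Missing"), rb.get(p, "Missing"))
                 for p in PERMS if ra.get(p) != rb.get(p)}
        if cells:
            out[obj] = cells
    return out

def excess_grants(narrow: Matrix, broad: Matrix) -> List[Tuple[str, str]]:
    """Cells Granted in the supposedly narrower template but not in the broader one."""
    return sorted((o, p) for o, r in narrow.items() for p, v in r.items()
                  if v == "Granted" and broad.get(o, {}).get(p) != "Granted")

def unspecified_cells(matrix: Matrix) -> List[Tuple[str, str]]:
    """Cells with no explicit Granted/Denied (assumption: each needs a deliberate decision)."""
    return sorted((o, p) for o, r in matrix.items() for p, v in r.items()
                  if v == "Unspecified")

if __name__ == "__main__":
    bu, su = parse_table(BUSINESS_USER), parse_table(SIMPLIFIED_USER)
    print(diff_roles(bu, su), excess_grants(su, bu), unspecified_cells(bu), sep="\n")
```

Run as a script it prints the seven object types on which the two templates differ (KPI, KPI Value, the two Scenario objects and the three external loss objects), an empty list for `excess_grants(su, bu)`, and the eight Business User cells left Unspecified. The empty list is the property worth asserting in a CI check whenever a template is edited: a narrower role should never acquire a grant its broader parent does not have.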

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. This document may describe products, services, or features that are not included in the Program or license entitlement that you have purchased.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Location Code FT0
550 King Street
Littleton, MA 01460-1250
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

Copyright

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2013.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written.

These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Trademarks

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.

Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.


Index

A
access permissions
    object types 61
Action items 44
Administrator (role template) 61

B
Business Entity
    association to Risk Assessments 27
Business User (role template) 61

C
computed fields 23

D
Data Input trigger 50
Data Output trigger 50

G
grid views 58

H
helpers
    computed fields 23
    Key Indicators 25, 26
    RCSA helpers 26, 27
    risk assessment helpers 27, 28
    Scenario Analysis helpers 25
Home Page filtered list 53

I
Impact values 46, 48
indicator reports 38
Issue (object type) 44
Issue and Action Bulletin notification 31
Issue Dashboard report 36
Issue Lifecycle trigger 44
Issue List report 36
Issues
    management 44

K
Key Indicators helpers 25, 26
KPI Breach notification 33
KPI Capturer
    KPI Reminder notification 32
KPI Lifecycle trigger 45
Breach notification 33
KPI Reminder notification 32
KPI Value
    KPI Reminder notification 32
KRI Breach notification 32
KRI Capturer
    KRI Reminder notification 32
KRI Lifecycle trigger 44
Breach notification 32
KRI Reminder notification 32
KRI Value
    KRI Reminder notification 32

L
Likelihood values 46, 48
Loss Event (object type) 42, 43
Loss Event Approval Submissions trigger 42
Loss Event Approval trigger 43
Loss Event Computation trigger 42
Loss Event reports 35
Loss Impact (object type) 42
Loss Recovery (object type) 42

N
notifications 31
    Issue and Action Bulletin 31
    KPI Breach notification 33
    KPI Reminder notification 32
    KRI Breach notification 32
    KRI Reminder notification 32

O
object types
    access permissions 61
    Issue 44
    Loss Event 42, 43
    Loss Impact 42
    Loss Recovery 42
    SOXRisk 46
Operation Risk Team profile 52
Operational Risk Team (role template) 61
Operational Risk Team profile 51

R
RCSA helpers 26, 27, 28
    computed fields 23
RCSA Qualitative trigger 48
RCSA Quantitative trigger 46
RCSA Risk and Control Approval trigger 50
RCSA triggers 46
Read Only (role template) 61
reports
    indicator 38
    Issue Dashboard 36
    Loss Event 35
    risk assessments 36
    Scenario Analysis 36
    visualization 39
Risk and Control Self-assessments triggers
    See RCSA triggers
Risk Approval Submission trigger 49
risk assessment helpers
    See RCSA helpers
risk assessment reports 36
Risk Assessments
    association to Business Entity 27
role templates 61

S
Scenario Analysis helpers 25
Scenario Analysis reports 36
Severity values 48
Simplified User (role template) 61
Simplified user profile 52
SOXRisk (object type) 46

T
triggers
    Issue Lifecycle 44
    KPI Lifecycle 45
    KRI Lifecycle 44
    Loss Event Approval 43
    Loss Event Approval Submission 42
    Loss Event Computation 42
    RCSA Qualitative 48
    RCSA Quantitative 46
    RCSA Risk and Control Approval 50
    Risk Approval Submission 49
    visualization 50

V
visualization reports 39
visualization triggers 50
