the most typical use case for risk & control effectiveness-related Process Analysis would be via the integration to the ARIS product ARIS Risk & Compliance Manager (-> category "Governance Risk & Compliance").
In a nutshell, it provides a simple workflow to make sure your controls are working effectively & your risk management system is working properly
Besides using the models in conjunction with ARIS Risk & Compliance Manager, they can also be simulated with ARIS Business Simulator in order to evaluate the financial and performance impact of risks and controls.
We use this method to document our internal control system. we created a individual process-report and in an separate chapter we get most of the informations from the BCD in a table named 'risk-overvew'. As we numbred every risk we use the risk-number to sort the risk-descriptions.
We do not use the 'Governance Risk & Compliance'-Modul, but we set up the BCD-Models so, that we can use it later, if needed.
I hope that helps.
In general your approach is ok.
Last year we start the implementation of our Enterprise Risk Management (including ISAE,SII etc) using ARCM. You can also add the object "Testplan": a testdescription for testing the control.
To manage the testactivities (including the sign-off of the processowners) use ARCM.