We have our Business processes modeled using VACDs & EPCs and are now looking to model the associated risks & controls.
After reviewing the Method Manual, UMG DemoDB and related content, the recommended approach seems to be:
- Use "Risk Diagram" to model the risks & risk categories (as appropriate)
- Associate risk objects to related Process Functions in corresponding EPCs
- Use "Business Controls Diagram" to model the controls that are in place for each risk identified
- Is this all? Or is there more to it?
- Is this the right approach? Or is a different approach recommended?
- Once risks & controls are modeled, how can they be used in Process Analysis?
- What out-of-the-box reports can be leveraged once the Risks & Controls are modeled, for further Process Analysis?
- How do you typically use this information once you model it in ARIS?
I also read that these objects / models are used in ARIS - SAP integration / synchronization... Are they relevant only if the modeled processes are implemented in SAP or managed using ARIS GRC?
Looking forward to hearing your responses on ideas, suggestions, recommendations & experiences.
Thanks & Regards,
Shankar
Hi Shankar,
The most typical use case for risk & control effectiveness-related Process Analysis would be via the integration to the ARIS product ARIS Risk & Compliance Manager (-> category "Governance Risk & Compliance").
In a nutshell, it provides a simple workflow to make sure your controls are working effectively & your risk management system is working properly.
Hello Shankar,
We use this method to document our internal control system. We created an individual process report, and in a separate chapter we get most of the information from the BCD in a table named 'risk overview'. As we numbered every risk, we use the risk number to sort the risk descriptions.
We do not use the 'Governance Risk & Compliance' module, but we set up the BCD models so that we can use them later, if needed.
I hope that helps.
Regards, Roman
Hi Shankar,
In general your approach is ok.
Last year we started the implementation of our Enterprise Risk Management (including ISAE, SII etc.) using ARCM. You can also add the object "Test plan": a test description for testing the control.
To manage the test activities (including the sign-off of the process owners), use ARCM.