IBM OpenPages GRC Platform Version 7.0.0

Operational Risk Management Module Overview

Note: Before using this information and the product it supports, read the information in “Notices” on page 67.

Product Information

This document applies to IBM OpenPages GRC Platform Version 7.0.0 and may also apply to subsequent releases.

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2013.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Document Release and Update Information . . . v

Chapter 1. Introduction . . . 1
  What's New . . . 1
  Object Type Licensing . . . 1
  About IBM Algo FIRST . . . 1

Chapter 2. IBM OpenPages Operational Risk Management module . . . 3
  Loss Events . . . 3
  Risk and Control Self Assessments . . . 5
  Key Risk Indicators . . . 8
  Key Performance Indicators . . . 10
  Scenario Analysis . . . 11
  External Loss Data Analysis . . . 13
  Issue Management and Remediation . . . 13

Chapter 3. Object Types . . . 17
  Object Types Enabled by Default . . . 17
  Object Types Disabled by Default . . . 20
  Subcomponents . . . 21

Chapter 4. Computed fields . . . 23

Chapter 5. Helpers . . . 25
  Scenario Completion helper . . . 25
  KRI Value Creation utility . . . 25
  KPI Value Creation utility . . . 26
  RCSA Completion helper . . . 26
  RCSA Process Alignment helper . . . 26
  RCSA Launch Utility helper . . . 27
  RCSA Site Sync helper . . . 27
  RCSA Helpers Configuration . . . 28

Chapter 6. Notifications . . . 31
  Issue and Action Bulletin notification . . . 31
  KRI Reminder notification . . . 32
  KRI Breach notification . . . 32
  KPI Reminder notification . . . 32
  KPI Breach notification . . . 33

Chapter 7. Reports . . . 35
  ORM-Specific Reports . . . 35
    Loss Event Reports . . . 35
    Issue Management and Remediation reports . . . 35
    Scenario Analysis reports . . . 36
  Reports Shared with Other Modules . . . 36
    Risk Assessment Reports . . . 36
    Risk Reports . . . 37
    Control Reports . . . 38
    Testing Reports . . . 38
    Indicator Reports . . . 38
    Visualization Reports . . . 38

Chapter 8. Triggers . . . 41
  ORM-Specific Triggers . . . 41
    Loss Event Lifecycle triggers . . . 41
  Triggers Shared with Other Modules . . . 44
    Issue Management and Remediation trigger . . . 44
    KRI Lifecycle trigger . . . 44
    KPI Lifecycle trigger . . . 45
    Risk and Control Self-assessments triggers . . . 46
    Visualization triggers . . . 50

Chapter 9. Profiles . . . 51
  OpenPages ORM 7.0.0 Master Profile . . . 51
  ORM Operational Risk Team profile . . . 51
  ORM Business User profile . . . 52
  ORM Simplified User profile . . . 52
  Home Page Filtered Lists . . . 53
  Activity Views . . . 55
  Grid Views . . . 58
  OpenPages FIRST Loss 7.0.0 Profile . . . 59

Chapter 10. Role templates . . . 61

Notices . . . 67

Index . . . 71

Document Release and Update Information

This topic lists information about this document and where updates to this document can be found.

Document Release Information

Software Version: 7.0.0

Document Published: December, 2013

Document Updates

Supplemental documentation is available on the web. Go to the IBM® OpenPages® GRC Platform Knowledge Center (http://www.ibm.com/support/knowledgecenter/SSFUEU_7.0.0/com.ibm.swg.ba.cognos.op.doc/welcome.html).

Chapter 1. Introduction

Use this guide with the IBM OpenPages Operational Risk Management module.

Finding information

To find IBM OpenPages GRC Platform product documentation on the web, including all translated documentation, access the IBM OpenPages GRC Platform Knowledge Center (http://www.ibm.com/support/knowledgecenter/SSFUEU_7.0.0/com.ibm.swg.ba.cognos.op.doc/welcome.html). Release Notes are published directly to the Knowledge Center, and include links to the latest technotes and APARs.

Accessibility features

Accessibility features help users who have a physical disability, such as restricted mobility or limited vision, to use information technology products.

IBM HTML documentation has accessibility features. PDF documents are supplemental and, as such, include no added accessibility features.

What's New

The following information highlights the major new features and enhancements that were made to the IBM OpenPages Operational Risk Management module.

Enriched ORM Functionality

New workflow, automation, and reports are added to the Operational Risk Management module to provide standard approaches for the following ORM practices:
• Loss Events
• Risk and Control Self Assessment
• Key Risk Indicators
• Key Performance Indicators
• Scenario Analysis
• External Loss Data Analysis
• Issue Management and Remediation

Object Type Licensing

For the IBM OpenPages Operational Risk Management module, you are licensed to use the object types listed in Chapter 3, “Object Types,” on page 17. Use of any other object types is prohibited without prior written approval from IBM.

About IBM Algo FIRST

The IBM Algo FIRST® database is a collection of external, public operational risk loss events in the form of risk case studies.

Algo FIRST events are targeted at the financial sector and contain over 20 years' worth of events, which have been indexed to 13 keyword hierarchies, including Basel category and business line. Other hierarchies include control factor, event trigger, business unit type, and entity type. Algo FIRST cases include detailed descriptions that break down the event to analyze root cause, identify control breakdowns, lessons learned, management response, and the aftermath of the event. Events can also include sections with supporting detail that provide a timeline for the event, relevant information about the institution that it happened to, or other detail about loss impacts.

Most events in Algo FIRST capture quantitative information as well as detailed qualitative analysis. This quantitative information takes the form of loss amounts that are captured at the time of the event.

IBM Algo FIRST offers a subscription to a data add-on, refreshed daily with the IBM Algo FIRST database, in a format that is compatible with the IBM OpenPages FastMap feature. IBM OpenPages GRC Platform customers can use the IBM Algo FIRST FastMap data add-on to provide end users with access to Algo FIRST case studies within the IBM OpenPages application. After the data is loaded into IBM OpenPages, end users are able to browse and associate Algo FIRST case studies to GRC objects like Scenario Analyses, Risks, and Loss Events. Consult your IBM account representative for details on obtaining the IBM Algo FIRST data add-on for IBM OpenPages.

If you subscribe to the IBM Algo FIRST database service, Algo FIRST provides a compatible FastMap file for a seamless load of Algo FIRST data to the IBM OpenPages Operational Risk Management module.

By default, the IBM OpenPages Operational Risk Management module includes the OpenPages FIRST Loss 7.0.0 profile. Users with this profile can load FIRST Loss data through the IBM OpenPages FastMap feature. For more information about this profile, see “OpenPages FIRST Loss 7.0.0 Profile” on page 59.

Chapter 2. IBM OpenPages Operational Risk Management module

IBM OpenPages Operational Risk Management combines document and process management with a monitoring and decision support system that enables organizations to analyze, manage, and mitigate risk in a simple and efficient manner.

IBM OpenPages Operational Risk Management automates the process of identifying, measuring, and monitoring operational risk. It combines all risk data, including risk and control self assessments, loss events, scenario analysis, external losses, and key risk indicators (KRI), into a single integrated module.

OpenPages Operational Risk Management includes the following key features:
• Loss Events, which include the following activities:
  – Tracking, assessing, and managing both internal and external events that could result in operational loss.
  – Managing multiple impact events and recoveries that are associated with operational losses.
• Risk and Control Self Assessments (RCSA), which include the following activities:
  – Identification, measurement, and mitigation of risks.
  – Testing and documentation of internal controls.
• Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), which can track performance metrics to potentially show the presence or state of a risk condition or trend.
• Scenario Analysis, which is an assessment technique that is used to identify and measure specific kinds of risks, in particular, low-frequency, high-severity events.
• External Loss Events, which provide the ability to import loss data from IBM Algo® FIRST, ORX, and ORIC loss databases into OpenPages Operational Risk Management for scenario analysis, benchmarking, and reports generation. You can also export loss data to analytic tools or capital allocation applications.
• Issue Management and Remediation (IMR), which includes the following activities:
  – Issue Creation and Assignment
  – Action Creation and Assignment
  – Remediation Performance
  – Issue closedown
  – Reporting
• Reporting, monitoring, and analytics.

Loss Events

IBM OpenPages Loss Event capability enables the collection, classification, and maintenance of operational risk loss events within the business hierarchy.

It ensures that information about loss events is collected consistently across the organization, that the most important data about each Event is entered, and that appropriate approval and actions are undertaken. Functions include Data Capture, Approval workflow and notification, Interface with RCSA and Issue & Action Management, and Standardized reporting.

The process for managing Loss Events includes the following three stages:

1. Capture

   Following the identification of a Loss Event, any licensed OpenPages user can add a Loss Event by performing the following actions:
   a. From the menu of the appropriate Business Entity, select Loss Events.
   b. Click Actions > Add a new Loss event.
   c. Complete the form with as much data as is known.
      • Mandatory fields include Description, Event Owner, Discovery Date, and Estimated Loss.
      • The Loss Event status field is set to Open.
   d. If known by the Event Owner, Impacts and Recoveries can be added to the Loss Event by clicking Add a new recovery or Add a new Impact from the Actions button on the Loss Event screen.

2. Management and Enrichment

   When a Loss event has been created, it appears on the Loss event owner's home page under the filter My Open Losses. From this filtered list the event owner can update the Event as it moves through its lifecycle. The following enrichment activities are possible:
   a. Create more impacts and recoveries.
   b. Update the Event details.
   c. Update the Event categorizations (Basel Risk Category, Causal category and subcategory, Business line).
   d. Associate the Event to appropriate risks within OpenPages.
   • Management of the Loss Events is aided by an Activity view that allows the user to see and update key fields. The activity view includes the Loss Event, its Impacts, Recoveries, and any associated Issues.
   • Management and enrichment of the Loss event is not restricted to the Loss Event owner and can be done by any user with appropriate access rights.

3. Approval

   As an event reaches the end of its lifecycle, it enters the approval stage. To approve an event, the Event Owner, or other user with the appropriate permissions, saves the Loss Event with the Submit for Approval field set to Yes. This activates the Loss Event Submission trigger, which instructs the program to complete the following actions:
   a. Validate that the data in the Event is complete and accurate. For example, the Event start date is before the Event end date.
   b. Return an error message if there is invalid data.
   c. Check if Gross loss is less than a set auto approval threshold for the Business Entity. The threshold is defined in the object preferences.
   d. If Gross Loss is less than Threshold 1, then the event status is set to Approved and the Event, Impacts, and Recoveries are locked.
   e. If Gross Loss is greater than Threshold 1, then the event status is set to Awaiting Approval, and the approval process continues.

As a Loss Event moves through its lifecycle, a status field monitors its progress. The following statuses are available:

1. Open

   The following information applies to this status:
   • An event is open at the point of first capture within OpenPages.
   • Impacts are added at this stage of the Loss Event cycle.
   • The Loss Event can be reviewed or amended by the Risk Team before it is submitted for approval.
   • Amendments include description, more impacts, and Event categorization.
   • The Event is included in Loss Event Reporting.

2. Awaiting Approval or Awaiting Approval - Level 2

   The following information applies to this status:
   • The Event is displayed on the home page of the appropriate approver.
   • The Event core details are made read only in this state.
   • If Gross Loss is less than Threshold 1, then the approval is automatic.
   • If Gross Loss is greater than Threshold 1 but less than Threshold 2, then approval 1 is necessary.
   • If Gross Loss is greater than Threshold 2, then approvals 1 and 2 are required.
   • The Event is included in Loss Event Reporting.

3. Approved

   The following information applies to this status:
   • The Event is finalized.
   • The Event and its associated impact and recovery are locked, unless the event needs to be reopened.
   • The Event can be reopened by a user with the appropriate permissions.
   • The Event is included in Loss Event Reporting.
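The submission trigger and the two-tier threshold routing described in the Approval stage and the status list above, written out as an added Python example. This is not IBM OpenPages code; the class and function names, the treatment of a Gross Loss exactly equal to a threshold (routed for approval), and the use of the Level 2 status once approval 1 has been recorded are assumptions of the example, and the amounts in the demo are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal
from typing import List, Optional

# Status values named in the overview; the constant names are ours.
OPEN = "Open"
AWAITING_APPROVAL = "Awaiting Approval"
AWAITING_APPROVAL_L2 = "Awaiting Approval - Level 2"
APPROVED = "Approved"


@dataclass
class Thresholds:
    """Auto-approval thresholds for one Business Entity (assumed to be read
    from its object preferences)."""
    threshold1: Decimal
    threshold2: Decimal


@dataclass
class LossEvent:
    description: str
    event_owner: str
    discovery_date: Optional[date]
    estimated_loss: Optional[Decimal]
    gross_loss: Decimal
    start_date: Optional[date] = None
    end_date: Optional[date] = None
    status: str = OPEN
    locked: bool = False                      # Event, Impacts and Recoveries lock together
    pending_approvals: List[int] = field(default_factory=list)


def validate(event: LossEvent) -> List[str]:
    """Steps a and b of the submission trigger: the errors that would be
    returned to the user instead of routing the event."""
    errors = []
    if not event.description:
        errors.append("Description is mandatory")
    if not event.event_owner:
        errors.append("Event Owner is mandatory")
    if event.discovery_date is None:
        errors.append("Discovery Date is mandatory")
    if event.estimated_loss is None:
        errors.append("Estimated Loss is mandatory")
    if event.start_date and event.end_date and event.start_date > event.end_date:
        errors.append("Event start date must be before the Event end date")
    return errors


def submit_for_approval(event: LossEvent, thresholds: Thresholds) -> str:
    """Steps c to e: route the event by Gross Loss and return the new status."""
    errors = validate(event)
    if errors:
        raise ValueError("; ".join(errors))
    if event.gross_loss < thresholds.threshold1:
        # Below Threshold 1: approved automatically and locked.
        event.status, event.locked, event.pending_approvals = APPROVED, True, []
    elif event.gross_loss < thresholds.threshold2:
        # Between the thresholds: approval 1 only.
        event.status, event.pending_approvals = AWAITING_APPROVAL, [1]
    else:
        # At or above Threshold 2: approvals 1 and 2, in that order (assumed).
        event.status, event.pending_approvals = AWAITING_APPROVAL, [1, 2]
    return event.status


def approve(event: LossEvent, level: int) -> str:
    """Record one approver's sign-off and return the resulting status."""
    if not event.pending_approvals or event.pending_approvals[0] != level:
        raise ValueError(f"approval level {level} is not the next pending approval")
    event.pending_approvals.pop(0)
    if event.pending_approvals:
        event.status = AWAITING_APPROVAL_L2   # approval 1 done, approval 2 outstanding
    else:
        event.status, event.locked = APPROVED, True
    return event.status


if __name__ == "__main__":
    # Constructed demo data: a 10,000 / 250,000 threshold pair for one entity.
    t = Thresholds(Decimal("10000"), Decimal("250000"))
    ev = LossEvent("Vendor outage", "bob", date(2013, 12, 2), Decimal("60000"), Decimal("60000"))
    print(submit_for_approval(ev, t), ev.pending_approvals)   # Awaiting Approval [1]
    print(approve(ev, 1), ev.locked)                           # Approved True
```

The validation step is kept separate from the routing step so that a rejected submission never changes status: an event with inconsistent dates stays Open and unlocked, which is the behaviour the trigger description implies.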

Risk and Control Self Assessments

Risk assessments are often the core processes that an organization uses when determining operational risk.

The following objectives are available:
• Identify, assess, and quantify a risk profile for a business.
• Establish consistency to enable a broad view of risk across an organization.
• Apply structure, definition, and quantification to an organization's tolerance for risk.
• Provide management with information that will result in better decisions.

Risk assessment objects are used to organize the content of a Risk and Control Self Assessment and to manage the work that is associated with the Risk and Control Self Assessment. Risk objects include the following dimensions:
• Inherent and residual measurements
• Qualitative and quantitative assessment
• Risk categorization

By default, the risk categorization is set to use Basel Level 1 and 2 categories.

Within OpenPages Operational Risk Management, the following cycle of Risk and Control Self Assessments is maintained:
• IBM OpenPages structures Risk and Control Self Assessments along an entity, process, subprocess basis, with risks being assessed for each process.
• Each risk is assessed on either a qualitative or quantitative basis. Customers make a decision as to their approach. The choice of assessment approach is a system-wide setting that is defined at installation but can be adjusted later if required.
• Controls are assessed at the same time as risks. Controls are assessed on a qualitative basis and marked as effective or ineffective on a design and operating effectiveness basis.
• Subprocesses can be used to aid in the risk identification activity, but there is no signoff or approval at a subprocess level.
• Approval or review is undertaken on the following basis:
  – The risk owner assesses the risk and controls for their given risks.
  – The process owner will approve or reject each risk and control within their process.
  – The Risk and Control Self Assessments coordinator can approve or reject the signoff that is made by the process owner and finalize the approval of the risk assessment within an entity as a whole.
• The risk assessment object is used to scope and collate appropriate processes for Risk and Control Self Assessments. A new risk assessment object is created for each assessment of a process or a group of processes.

The risk assessment, process, risk, and control objects are all managed through the Risk and Control Self Assessments lifecycle by a series of status fields.

Library Management (Optional)

If the data is available, you can establish a series of process, risk, and control libraries for use in the operational risk cycle. Data can be entered into a suitable spreadsheet and uploaded through FastMap, or updated manually by the operational risk team and appropriately privileged administrators. You can synchronize changes made to fields within the library to the instances of the processes, risks, and controls within the business data structure. You work with an IBM OpenPages services team to configure the synchronization utility. You can decide if and when to use the Library Management capability (Phase I, Phase II, near future, or not at all).

Scope or Setup Assessment

The operational risk team applies its internal methods to determine which entities are regarded as in scope for Risk and Control Self Assessments. In-scope entities are updated through an Activity view where the user marks an entity as in scope or out of scope for Risk and Control Self Assessments. Other updates can include the name of the Risk and Control Self Assessments coordinator and Risk and Control Self Assessments owner. After the data is updated, the administrator runs the Risk and Control Self Assessments launch utility. The utility performs the following actions:
• Enables the administrator to enter common data across all Risk and Control Self Assessments for that cycle, such as period or year of assessment, start and expected end date, and any instructions that the operational risk team wants to impart to all risk coordinators, such as guidance or instructions.
• Identifies all entities that are marked as in scope.
• Creates a risk assessment object as a child of the in-scope entities (status = Not Started) and populates more data (dates, and so on) to the risk assessment object.
• Emails the Risk and Control Self Assessments coordinator to request that he or she commence the Risk and Control Self Assessments.

Identify or Review

In this stage, the Risk and Control Self Assessments coordinator's objective is to ensure that the following actions occur:
1. The risk assessment is associated to the correct processes.
2. The process includes the appropriate risks and controls.
3. The risks and controls within OpenPages are documented correctly.

To achieve this objective, the Risk and Control Self Assessments coordinator launches the Risk and Control Self Assessments alignment helper. The helper appears in a window. In addition to the helper screen, the risk coordinator will be supported by reports, including a risk and control matrix report.

At the last step of the helper, the Risk and Control Self Assessments coordinator can choose to start the assessment stage by selecting Yes. The helper then updates the status of the risk assessment and each process, risk, and control to Awaiting Assessment. A batched email is then sent to the risk owners to request them to complete the assessment of each risk.

Assessment

The following methods are used to notify risk owners about their risks:
1. Email (with a link directly to each risk).
2. Homepage Filter (My Risks to Assess).

From the homepage filter, the risk owner can use an activity view to complete the risk assessment.

The activity view shows the risk and the following items:
1. Any associated controls
2. Any associated key risk indicators
3. Any associated loss events
4. Any associated open issues

Each control should be marked as effective or ineffective from both a design and operating effectiveness viewpoint. Risks are evaluated on either a quantitative or qualitative basis. Initially, use a qualitative approach with a risk owner selecting the risk impact and likelihood on a 1-4 scale.

The selection of the number of intervals for the scale is set at installation and is system wide. The range of the intervals is stored on a preference record object and is flexible so that it can be set per business entity. For example, a risk can be given a rating of 3 for impact, which could equate to $2,000,000,000. However, this could map to a risk impact of only 1 on a global scale.

When the risk and its controls have been assessed, the risk owner can submit the risk for approval. The risk is submitted by saving the risk with a Submit for Approval check box that is set to Yes. An initial validation confirms that all appropriate data fields have been completed on the risk and that all controls have been assessed. If the validation is successful, the status of both the risk and its controls changes to Awaiting Approval.

The risk and control approval trigger checks if all the risks for a process are set to Awaiting Approval. If so, then the trigger sets the process status to Awaiting Approval and the process owner is notified by email and on the Homepage.

Approval

Approval of an assessment is made by a process owner, who confirms the assessment of each risk and control, and a Risk and Control Self Assessments coordinator, who confirms the process owner's approval.

From the homepage, the process owner can go to the processes awaiting approval or use the Process Approval Activity view.

From this view, the process owner can review the assessment of each risk and control. Each risk must be approved or rejected. If the process owner chooses to reject the assessment of the risk, then the process owner must complete a rejection comment field. The status of the risk returns to Awaiting Assessment.

If the process owner approves the risk, then when the assessment is saved, the risk and control status is updated to Approved.

A trigger sets the process status to Approved and confirms whether all processes for the assessment are approved. If all processes for an assessment are approved, then the risk assessment status updates to Awaiting Approval.

From the homepage, the Risk and Control Self Assessments coordinator can navigate to the Risk and Control Self Assessments that are awaiting approval and use the risk assessment approval activity view.

From this view, the coordinator can review the assessment of the processes (and their risks) and then finalize the assessment. A trigger will do the following things:
1. Update the risk assessment status to Assessed.
2. Create an evaluation record tree (linked risk assessment evaluation, process evaluation, risk evaluation, and control evaluation records).
3. Populate the assessment date on the evaluation records.

Action

Throughout the Risk and Control Self Assessment cycle, all users can create new issues and actions, or associate existing ones, to the process, risk, or control. There is no automated creation of issues or actions; they must be created manually.

Key Risk Indicators

The main stages within the IBM OpenPages Key Risk Indicator (KRI) lifecycle are: definition, value creation, value capture, and reporting.

KRI Definition

In the definition stage, the risk owner creates a KRI as a child of the appropriate business entity object. The KRI object must have the following data attributes captured:
• Name of the KRI owner (person responsible for defining the KRI value data and approving values if required).
• Name of the KRI capturer (person responsible for collecting values).
• Threshold information (amber and red threshold).
• Frequency of the collection.
• Frequency offset (a numeric value to determine the due date for collection). For example, if the frequency is monthly and the frequency offset is set to 5, then the KRI owner is prompted to enter a KRI value on the fifth day of each month.
• KRI active status (set to Active if values are to be generated).
• KRI value approval required (set to Yes if the entry of the value should be reviewed by the KRI owner).

KRI Value Creation

After the KRI is defined, the system determines whether a KRI value needs to be generated as a KRI value object that is a child of the KRI. If the KRI is marked as Active, the KRI helper generates values. If the KRI is marked as Inactive, the utility does not generate a blank value. The value object is initially set up as a placeholder with a status of Awaiting Collection.

The KRI values are created by a system batch job. The batch job creates a KRI value with limited details, such as ID, description, expected capture date, KRI capturer, and KRI owner.

The KRI value creation utility can be run by an administrator if necessary, such as when the automatic scheduled job fails to run.

KRI Value Capture (and optional approval)

The following methods of notification are used to request a KRI value to be entered by the KRI capturer:
1. Weekly email notifications (to request the user to log in to OpenPages).
2. Homepage screen filter that is based on the KRI value status (Awaiting Collection) and the KRI collector (logged in user).

From the homepage filter, the user can select a KRI, which takes the KRI capturer to the KRI entry screen. The entry screen is a single object activity view.

When the user clicks Save, the system looks to see whether the trigger launch conditions have been met. The trigger launches if the KRI Value changes from blank to ‘any value’ and the value date is completed. If the trigger launch conditions are met, then the KRI lifecycle trigger fires. The trigger does the following things:
1. Check if the KRI is set for approval.
   a. If Yes, update the status to Awaiting Approval and complete steps 2, 3, 4, and 6.
   b. If No, update the status from Awaiting Collection to Collected and complete steps 2, 3, 4, and 5.
2. Copy the current threshold information from the KRI to the child KRI value.
3. Compute the breach status.
4. Copy the KRI value, value date, collection status, and breach status to the parent KRI.
5. Email the risk owner if the KRI breach status moves to red from green or amber, to inform them of the breach.
6. If the status is set to Awaiting Approval, the KRI value appears on the KRI owner's homepage. The KRI owner can approve or reject the value.
   a. If the KRI owner rejects and saves the record, then the KRI value and value date are made blank and the KRI value status is set to Awaiting Collection.
   b. If the KRI owner approves and saves the record, then the collection status changes on the value and on the KRI to Collected.

Note: Approval of KRIs is an optional setting that is determined by the KRI owner at the time of the KRI definition.
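The KRI lifecycle from definition through value creation, capture, breach computation and optional approval, as an added Python example that also covers the KPI lifecycle below, which the overview describes with the same steps. This is not IBM OpenPages code: the class and function names are ours, only a monthly frequency is modelled for the frequency offset, the breach rule (a value at or above the red threshold is red, at or above the amber threshold is amber, higher is worse) is an assumption, and the email is represented by appending to an in-memory outbox list.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Status and breach values named in the overview; the constant names are ours.
AWAITING_COLLECTION = "Awaiting Collection"
AWAITING_APPROVAL = "Awaiting Approval"
COLLECTED = "Collected"
GREEN, AMBER, RED = "Green", "Amber", "Red"


@dataclass
class KRI:
    name: str
    kri_owner: str                  # reviews values when approval_required is set
    kri_capturer: str               # enters values
    risk_owner: str                 # recipient of the breach email
    amber_threshold: float
    red_threshold: float
    frequency: str                  # only "monthly" is modelled here
    frequency_offset: int           # day of the month on which the value is due
    active: bool = True
    approval_required: bool = False
    # fields the lifecycle trigger copies up from the latest value (step 4)
    value: Optional[float] = None
    value_date: Optional[date] = None
    collection_status: str = AWAITING_COLLECTION
    breach_status: str = GREEN


@dataclass
class KRIValue:
    kri: KRI
    expected_capture_date: date
    value: Optional[float] = None
    value_date: Optional[date] = None
    status: str = AWAITING_COLLECTION
    amber_threshold: Optional[float] = None   # snapshot taken in step 2
    red_threshold: Optional[float] = None
    breach_status: str = GREEN


def create_value(kri: KRI, period: date) -> Optional[KRIValue]:
    """Value-creation batch job for one period: a placeholder in Awaiting
    Collection for Active KRIs only, due on the offset day of the month."""
    if not kri.active:
        return None
    if kri.frequency != "monthly":
        raise NotImplementedError("only a monthly frequency is modelled")
    due = date(period.year, period.month, kri.frequency_offset)
    return KRIValue(kri=kri, expected_capture_date=due)


def compute_breach(value: float, amber: float, red: float) -> str:
    """Assumed breach rule: thresholds are inclusive lower bounds, higher is worse."""
    if value >= red:
        return RED
    if value >= amber:
        return AMBER
    return GREEN


def save_value(kv: KRIValue, value: Optional[float], value_date: Optional[date],
               outbox: List[str]) -> bool:
    """Save handler. Returns True when the launch conditions held and the
    lifecycle trigger ran, False when the save was an ordinary edit."""
    if kv.value is not None or value is None or value_date is None:
        return False    # fires only when the value goes from blank to a value with a date
    kv.value, kv.value_date = value, value_date
    kri = kv.kri
    # 1. the approval flag decides the collection status
    kv.status = AWAITING_APPROVAL if kri.approval_required else COLLECTED
    # 2. snapshot the thresholds in force onto the child value
    kv.amber_threshold, kv.red_threshold = kri.amber_threshold, kri.red_threshold
    # 3. breach status against the copied thresholds
    kv.breach_status = compute_breach(value, kv.amber_threshold, kv.red_threshold)
    # 4. copy value, date, collection status and breach status to the parent KRI
    previous = kri.breach_status
    kri.value, kri.value_date = value, value_date
    kri.collection_status, kri.breach_status = kv.status, kv.breach_status
    # 5. breach email only on the no-approval path and only on a move into red
    if not kri.approval_required and kv.breach_status == RED and previous in (GREEN, AMBER):
        outbox.append(f"To {kri.risk_owner}: KRI '{kri.name}' breached red "
                      f"({value} >= {kv.red_threshold}) on {value_date}")
    return True


def review_value(kv: KRIValue, approved: bool) -> str:
    """6. The KRI owner approves or rejects a value that is Awaiting Approval."""
    if kv.status != AWAITING_APPROVAL:
        raise ValueError("only values in Awaiting Approval can be reviewed")
    if approved:
        kv.status = COLLECTED
        kv.kri.collection_status = COLLECTED
    else:
        kv.value, kv.value_date = None, None    # blanked, so the save trigger can fire again
        kv.status = AWAITING_COLLECTION
    return kv.status
```

Copying the thresholds onto the value record before computing the breach (steps 2 and 3) is what makes historical values auditable: a later change to the KRI's thresholds does not rewrite the breach status of values already collected. The outbox also shows why the trigger compares against the parent's previous breach status, since a KRI that is already red does not generate a new email on the next red value.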

KRI Reporting

A selection of KRI reports is available.

    Key Performance IndicatorsThere are four main stages within the OpenPages Key Performance Indicator (KPI)lifecycle: definition, value creation, value capture, and reporting.

    KPI Definition

In the definition stage, the risk owner creates a KPI as a child of the appropriate business entity object. The KPI object must have the following data attributes captured:
v Name of the KPI owner (person responsible for defining the KPI value data and approving values if required).
v Name of the KPI capturer (person responsible for collecting values).
v Threshold information (amber and red threshold).
v Frequency of the collection.
v Frequency offset (a numeric value to determine the due date for collection). For example, if the frequency is monthly and the frequency offset is set to 5, then the KPI owner is prompted to enter a KPI value on the fifth day of each month.
v KPI active status (set to Active if values are to be generated).
v KPI value approval required (set to Yes if the entry of the value should be reviewed by the KPI owner).

    KPI Value Creation

After the KPI is defined, the system determines whether a KPI Value object must be generated as a child of the KPI. If the KPI is marked as Active, the KPI helper generates values; if the KPI is marked as Inactive, the utility does not generate a blank value. The value object is initially set up as a placeholder with a status of Awaiting Collection.

The KPI values are created by a system batch job. The batch job creates a KPI Value with limited details, such as ID, description, expected capture date, KPI capturer, and KPI owner.

The KPI value creation utility can be run by an administrator if necessary, such as when the automatic scheduled job fails to run.

    KPI Value Capture (and optional approval)

The following methods of notification are used to request that a KPI value be entered by the KPI capturer:
1. Weekly email notifications (to request that the user log in to OpenPages).
2. A homepage screen filter based on the KPI Value status (Awaiting Collection) and the KPI collector (the logged-in user); the KPI Value appears on the user's homepage.

From the homepage filter, the user can select a KPI, which takes the KPI capturer to the KPI entry screen. The entry screen is a single object activity view.

When the user clicks Save, the system checks whether the trigger launch conditions have been met. The trigger launches if the KPI Value changes from blank to any value and the value date is completed. If the launch conditions are met, the KPI lifecycle trigger fires and does the following:

1. Checks whether the KPI is set for approval.
   a. If Yes, updates the status to Awaiting Approval and completes steps 2, 3, 4, and 6.
   b. If No, updates the status from Awaiting Collection to Collected and completes steps 2, 3, 4, and 5.
2. Copies the current threshold information from the KPI to the child KPI Value.
3. Computes the breach status.
4. Copies the KPI value, value date, collection status, and breach status to the parent KPI.
5. Emails the risk owner if the KPI breach status moves to red from green or amber, to inform them of the breach.
6. If the status is set to Awaiting Approval, the KPI Value appears on the KPI owner's homepage. The KPI owner can approve or reject the value.
   a. If the KPI owner rejects and saves the record, the KPI value and value date are made blank and the KPI Value status is set to Awaiting Collection.
   b. If the KPI owner approves and saves the record, the collection status changes on the value and on the KPI to Collected.

Note: Approval of KPIs is an optional setting that is determined by the KPI owner at the time of the KPI definition.
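The KRI and KPI lifecycle triggers described above are the same state machine. The following Python model is added here as an illustration; it is not code from IBM OpenPages. It walks through the launch condition, the approval gate, the threshold snapshot, the breach computation, the copy to the parent, and the breach email, so the ordering of the six steps can be exercised. The class and function names, the Green/Amber/Red labels, the reading of the thresholds as upper bounds (a value at or above the amber or red threshold breaches it), and what happens to the parent's copy when an owner rejects a value are all assumptions of the example; the page does not specify them.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Status strings are the ones used on the page. The Green/Amber/Red labels and
# the "a value at or above a threshold breaches it" reading are assumptions.
AWAITING_COLLECTION = "Awaiting Collection"
AWAITING_APPROVAL = "Awaiting Approval"
COLLECTED = "Collected"


@dataclass
class Indicator:
    """The parent KRI or KPI definition (hypothetical model, not the product schema)."""
    name: str
    owner: str
    capturer: str
    amber_threshold: float
    red_threshold: float
    approval_required: bool
    value: Optional[float] = None
    value_date: Optional[date] = None
    collection_status: str = AWAITING_COLLECTION
    breach_status: str = "Green"


@dataclass
class IndicatorValue:
    """The child KRI/KPI Value placeholder created by the value creation job."""
    parent: Indicator
    value: Optional[float] = None
    value_date: Optional[date] = None
    status: str = AWAITING_COLLECTION
    amber_threshold: Optional[float] = None
    red_threshold: Optional[float] = None
    breach_status: Optional[str] = None


def compute_breach(value: float, amber: float, red: float) -> str:
    """Step 3: breach status relative to the thresholds snapshotted on the value."""
    if value >= red:
        return "Red"
    if value >= amber:
        return "Amber"
    return "Green"


def save_value(val: IndicatorValue, new_value: Optional[float],
               new_date: Optional[date], outbox: List[str]) -> bool:
    """The capturer's Save. Returns True when the lifecycle trigger fired."""
    # Launch condition: value changes from blank to any value AND a value date is set.
    fired = val.value is None and new_value is not None and new_date is not None
    val.value, val.value_date = new_value, new_date
    if not fired:
        return False
    parent = val.parent
    # Step 1: approval gate (1a -> Awaiting Approval, 1b -> Collected).
    val.status = AWAITING_APPROVAL if parent.approval_required else COLLECTED
    # Step 2: copy the current thresholds onto the value, so later edits to the
    # parent cannot retroactively change how this value was judged.
    val.amber_threshold, val.red_threshold = parent.amber_threshold, parent.red_threshold
    # Step 3: breach status.
    val.breach_status = compute_breach(new_value, val.amber_threshold, val.red_threshold)
    # Step 4: copy value, date, collection status and breach status to the parent.
    previous_breach = parent.breach_status
    parent.value, parent.value_date = new_value, new_date
    parent.collection_status = val.status
    parent.breach_status = val.breach_status
    # Step 5 is listed only for the no-approval path (1b): email the owner on a
    # transition into Red. Red -> Red and Amber <-> Green transitions send nothing.
    if (not parent.approval_required and val.breach_status == "Red"
            and previous_breach in ("Green", "Amber")):
        outbox.append(f"to {parent.owner}: {parent.name} breached Red (value {new_value})")
    return True


def review_value(val: IndicatorValue, approve: bool) -> None:
    """Step 6: the owner approves or rejects a value that is Awaiting Approval."""
    if val.status != AWAITING_APPROVAL:
        raise ValueError("only a value in Awaiting Approval can be reviewed")
    parent = val.parent
    if approve:
        val.status = COLLECTED
        parent.collection_status = COLLECTED
        return
    # Rejection blanks the value and date and returns the record to collection.
    val.value, val.value_date, val.status = None, None, AWAITING_COLLECTION
    # The page does not say what happens to the copy made on the parent in step 4;
    # clearing it here is this example's assumption, so a rejected number never shows.
    parent.value, parent.value_date = None, None
    parent.collection_status = AWAITING_COLLECTION
```

Two things the model makes visible: the breach email depends on the parent's previous breach status, so an indicator that stays Red collection after collection produces one email, not one per value; and the approval path as listed never reaches step 5, so a breached value that is waiting for approval is not escalated by this trigger.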

    KPI Reporting

A selection of KPI reports is available.

Scenario Analysis

Scenarios involve the quantification of significant events that might occur at an organization (impacts and frequencies for potential events).

Scenario analysis provides what-if scenarios related to an organization's losses. It can assess the potential frequency of an event and the potential costs. The intent is to predict the losses that are not included in internal historical data, for example events that are low in frequency but high in severity. Scenario analysis is useful for understanding risk profiles and capital modeling. It can be applied to external data, expert opinion from within the organization, internal data, risk assessments, control evaluations, and so on.

The approach lends itself to a workshop; however, it can also be applied by a desk-based or individual subject matter expert who is performing the analysis. Activities that support scenario analysis are performed by the operational risk team.

Scenario analysis can be broken down into the following stages:
1. Scenario Library Population (optional)
2. Scenario Applicability Review
3. Scenario Preparation and Distribution
4. Workshop Performance
5. Reporting

    Scenario Library Population (Optional)

To encourage a standardized approach to scenario analysis, it can be beneficial to create a library of prepared templates. The library is a set of scenarios that are pre-populated with basic data. Data that is typically set at the library level includes scenario description, scope, risk categorization, and library ID. When copied from the library, the local business units update the scenario to reflect their scenario specification. Library maintenance is restricted to the operational risk team and administrators, with other users having read-only access to the scenario library.

    Scenario Applicability Review

At this stage, the operational risk team completes the following tasks:
v Review the existing scenarios in place for each business unit (supported by the scenario summary report).
v If coverage gaps exist, copy from the library or create a new scenario to bridge the gap.
v Mark each scenario as applicable or non-applicable through an activity view.
v Set the scenario status to Draft.

    Scenario Preparation & Distribution

In preparation for the workshop, the operational risk team can update details on the scenario object such as workshop dates. In addition to updating the scenario object, the operational risk team or scenario owner should do the following:
v Associate any pertinent risks or issues to the scenario.
v Run the Events by Category and Scenario Summary reports (preferably as PDF files to distribute to workshop attendees through email).
v Set the scenario status to Awaiting Analysis.

    Workshop Performance

At the completion of, or during, the scenario workshop, the operational risk team or scenario owner updates the scenario findings or outcomes on the scenario object. To finalize the scenario, the owner runs the Scenario Completion Helper. The helper performs basic data validation, creates a Scenario Result object, populates key fields from the scenario to the Scenario Result object, and runs the Events by Category and Scenario Details reports and attaches copies to the Scenario Result.

    Reporting

The following key reports are available for scenario analysis:
1. Scenario Summary
2. Scenario Details
3. Events by Category

External Loss Data Analysis

External loss data is available to organizations from public data sources, such as IBM Algo FIRST, or by joining a consortium of other institutions, where each institution shares its own loss data.

OpenPages functions that support external loss events include the following:
v Capability to import and store external loss data from multiple sources (Algo FIRST, ORX, ORIC)
v Ability to link pertinent events to scenarios
v Reporting of loss events

    External Loss Import

An administrator receives the external loss data from a data supplier and converts the received file into a FastMap import file, which is then uploaded through FastMap.

Note: Depending on the supplier, the file needs some transformation before it can be imported into OpenPages.

Issue Management and Remediation

The Issue Management and Remediation (IMR) process is an essential component of any risk management program. A sound IMR framework provides awareness, validation, and transparency to the risk management program that it supports.

When successfully implemented, it provides high value with minimal overhead and serves as the underlying stimulus for the continuous improvement of a risk management program. An effective IMR framework documents, monitors, remediates, and audits identified issues.

Issues are items that are deemed to negatively affect the ability to accurately manage and report risk. They are identified against the documented framework. Issues can be associated with various objects within the framework and commonly have attributes to identify the area of focus, ownership, scheduling, and remediation status. An issue can be associated with multiple parents. For example, if an issue is discovered through the occurrence of a loss event, the issue can be associated with the loss event, the risk that occurred, and any failing controls, if documented.

Within IBM OpenPages Operational Risk Management, the IMR process operates in the following key activities:
1. Issue Creation and Assignment
2. Action Creation and Assignment
3. Remediation Performance
4. Issue Closedown
5. Reporting

    Issue Creation and Assignment

Issues arise as a result of various risk management activities, such as a loss event, a KRI threshold breach, or the identification of a control weakness. Throughout these activities, users can create an issue within IBM OpenPages.

Issues are added through the standard user interface; they are not created automatically as a result of a causal factor.

At creation, the issue has a status of Open. The creator must enter a value in the Current Due Date field. The first time that you save an issue, the current due date is copied to a read-only field that contains the original due date, so later rescheduling leaves a record of the date that was first committed to. When an issue is created, the issue owner (who cannot be the creator) is notified by email.

    Action Creation and Assignment

It is the responsibility of the issue owner to establish and record the appropriate actions to resolve the identified issue. Actions are created manually through the standard user interface. The following data is captured on an action item: description, assignee, start date, due date, actual closure date, status (read-only), and comments.

Action assignees are notified that they must complete an action through My Open Action Items or by email.

    Remediation Performance

After being notified, the assignee completes the assigned action. Some actions can take time to complete, so the assignee uses the Comment field to track progress.

When the action is complete, the assignee sets the Submit for Closure field to Yes, which copies the issue owner field from the parent issue to the action and sets the action status to Awaiting Approval.

The change of status takes the action to the issue owner's homepage for review and approval.

    Issue closedown

The issue owner accesses a list of actions to be approved for closure from the homepage or by email.

If the action is rejected and saved, the status reverts to Open and the action returns to the action assignee. If the action is accepted for closure and saved, the action status changes to Closed and the Closure Date field is populated with the current date.

When all actions are completed, the issue owner reviews the issue and updates the status to Closed.
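The issue and action lifecycle from creation through closedown is a small workflow with a few rules worth enforcing in code rather than by convention: the owner cannot be the creator, the original due date is written once and never overwritten, an action can only be closed by the issue owner copied onto it at submission, and the issue cannot close while an action is still open. The following Python model is added as an illustration and is not IBM OpenPages code; the class and function names, the assumption that only the assignee can submit an action for closure, and the in-memory "outbox" standing in for email notifications are this example's own choices.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


class WorkflowError(ValueError):
    """Raised when a transition is attempted that the IMR workflow does not allow."""


@dataclass
class ActionItem:
    description: str
    assignee: str
    start_date: date
    due_date: date
    status: str = "Open"                   # read-only to users; set by the workflow
    issue_owner: Optional[str] = None      # copied from the parent issue on submit
    closure_date: Optional[date] = None
    comments: List[str] = field(default_factory=list)


@dataclass
class Issue:
    title: str
    creator: str
    owner: str
    current_due_date: date
    original_due_date: Optional[date] = None   # read-only copy taken on first save
    status: str = "Open"
    actions: List[ActionItem] = field(default_factory=list)


def save_issue(issue: Issue) -> Issue:
    """Every save; the original due date is set once and never overwritten."""
    if issue.original_due_date is None:
        issue.original_due_date = issue.current_due_date
    return issue


def create_issue(title: str, creator: str, owner: str, due: Optional[date],
                 outbox: List[str]) -> Issue:
    """Issue creation: status Open, due date mandatory, owner must differ from creator."""
    if due is None:
        raise WorkflowError("current due date is required at creation")
    if owner == creator:
        raise WorkflowError("the issue owner cannot be the creator")
    issue = save_issue(Issue(title, creator, owner, due))
    outbox.append(f"to {owner}: issue '{title}' assigned, due {due}")
    return issue


def add_action(issue: Issue, description: str, assignee: str, start: date,
               due: date, outbox: List[str]) -> ActionItem:
    """The issue owner records an action; the assignee is notified."""
    action = ActionItem(description, assignee, start, due)
    issue.actions.append(action)
    outbox.append(f"to {assignee}: action '{description}' assigned, due {due}")
    return action


def submit_for_closure(issue: Issue, action: ActionItem, actor: str) -> None:
    """Submit for Closure = Yes: copy the issue owner onto the action, await approval."""
    if actor != action.assignee:   # assumption: only the assignee submits
        raise WorkflowError("only the assignee can submit an action for closure")
    if action.status != "Open":
        raise WorkflowError("only an Open action can be submitted for closure")
    action.issue_owner = issue.owner
    action.status = "Awaiting Approval"


def review_action(action: ActionItem, reviewer: str, approve: bool, today: date) -> None:
    """Issue closedown step for one action: reject -> Open, accept -> Closed plus date."""
    if action.status != "Awaiting Approval":
        raise WorkflowError("action is not awaiting approval")
    if reviewer != action.issue_owner:
        raise WorkflowError("only the issue owner copied onto the action may review it")
    if approve:
        action.status = "Closed"
        action.closure_date = today
    else:
        action.status = "Open"


def close_issue(issue: Issue) -> None:
    """The issue can be closed only once every action is Closed."""
    open_actions = [a.description for a in issue.actions if a.status != "Closed"]
    if open_actions:
        raise WorkflowError(f"actions still open: {open_actions}")
    issue.status = "Closed"
```

The point of copying the issue owner onto the action at submission, rather than looking it up from the parent at review time, is that the approver of record is fixed at the moment the assignee claims completion; reassigning the issue afterwards does not silently change who is allowed to close work already submitted.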

Reporting

A selection of issue and action reports is available to all users. In addition, all email notifications are included in a consolidated issue and action bulletin to users, including the following information:
v Issues assigned to the recipient in the past X days.
v Actions assigned to the recipient in the past X days.
v Issues due for closure in the next X days.
v Actions due for closure in the next X days.
v Overdue issues.
v Overdue actions.
v Actions awaiting closure approval.

Chapter 3. Object Types

The IBM OpenPages Operational Risk Management module includes various object types that are enabled or disabled by default, and subcomponents.

Object Types Enabled by Default

The following object types are available in the default IBM OpenPages Operational Risk Management configuration and are enabled by default.

    Table 1. Object types enabled by default

Object Type Label: Description

Business Entity: Business entities are abstract representations of your business structure. A Business Entity object type can contain Sub-Entity objects (such as departments, business units, geographic locations). The entity structure that you create depends on your business needs. For example, you could create a parent entity for your business headquarters, then a sub-entity for each location or department. You can also represent both a legal entity structure and a business entity structure.

Business Entities are also used to organize library data such as risk and control libraries, or regulatory content (for example, laws, regulations, and standards).

When you set up the Business Entity hierarchy, you should work with your IBM consultant, as the structure of your business entities will greatly affect the type and quality of the information that can be extracted from the application.

Process: Processes represent the major end-to-end business activities within a business entity that are subject to risk. The processes will typically reside in areas such as financial reporting, compliance, and information security.

Sub-Process: A Sub-Process is a component of a Process. It is used to divide processes into smaller units for assessment purposes.

Risk: Risks are potential liabilities. Risks can be associated with, for example, business processes, business entities, or compliance with a particular mandate. Each risk has one or more controls associated with it. Controls provide safeguards against the risk and help mitigate any consequences that may result from the risk. You can use the Risk object to categorize risks; capture the frequency, rating, and severity of inherent and residual risk data; and view reports that help identify your top risk items.

Control: Controls are typically policies and procedures (procedures are actions that implement the policies) that help ensure that risk mitigation responses are carried out.

After you identify the risks in your practices, you need to establish controls (such as approvals, authorizations, and verifications) that remove, limit, or transfer these risks.

Controls should be designed to provide either prevention or detection of risks. Controls are usually associated with tests that ensure a control is effective.


Test Plan: You can determine the operating effectiveness of a control by conducting one or more detailed tests of a control and then documenting the results. Test Plans are descriptions of the mechanisms that are used to determine whether a control is effective.

Test Result: A Test Result is the information that is obtained from running a Test Plan.

Risk Assessment: Risk assessments give you the ability to evaluate and report on potential liabilities for a set of business entities or processes. You can use the Risk Assessment object to manage your risk self-assessment process. The Risk Assessment object contains the names of the assessor and reviewer, the time frames for the assessment, and the status of the assessment.

Scenario Analysis: Scenario Analysis is an assessment technique that is used to identify and measure specific kinds of risks, in particular low-frequency, high-impact events such as earthquakes, recessions, or power grid failures.

ORX Loss: ORX Loss objects can be imported from the ORX external loss database, for use with scenario analysis, benchmarking, and report generation, and to export loss data to analytic tools or capital allocation applications.

ORIC Loss: ORIC Loss objects can be imported from the ORIC external loss database, for use with scenario analysis, benchmarking, and report generation, and to export loss data to analytic tools or capital allocation applications.

FIRST Loss: FIRST Loss objects can be imported from the IBM Algo FIRST external loss database, for use with scenario analysis, benchmarking, and report generation, and to export loss data to analytic tools or capital allocation applications.

Loss Event: Loss Events are used to track operational losses that may occur in any part of an organization. Loss Events are typically stored under the Business Entity where the loss occurred. The Loss Event objects are used to track, assess, and manage the related internal loss data. You can add multiple impacts and recoveries for each Loss Event by using the Loss Impact and Loss Recovery objects.

Loss Impact: A loss impact is a financial or non-financial consequence that results from a loss event. Loss Impacts track different types of impacts that are triggered by a Loss Event, such as legal liability, asset loss and damage, or business interruption. There can be multiple Loss Impacts associated with each Loss Event.

Loss Recovery: Loss Recovery objects are used to track the processes that are associated with recouping damages that result from Loss Events.

KPI, KPI Value: KPIs are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KPI within the organization can have unique target and threshold limits.

KRI, KRI Value: KRIs are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KRI within the organization can have unique target and threshold limits.


Signature: A Signature generally indicates agreement that the object meets your approval. It has no enforcement powers and does not prevent the item from being modified after approval is given, so treat an unlocked signature as a record of who approved what, not as a guarantee that the approved content is unchanged. An object with a signature has a signature icon next to the signer's name on the Signatures tab.

Depending on your system configuration, signatures (with or without associated locks) can be applied to an object in the following ways:
v Manually from the detail page of an object.
v Automatically through a workflow task.
v A combination of both automatic and manual.

If signature locks are configured on your system, when you sign off on an object, the object and all its associated child objects are locked and cannot be modified until you either revoke your signature or an administrator unlocks the object.

Issue, Action Item: Although issues typically result from areas where internal controls are not properly implemented or designed, you can use the Issue object to document a concern that is associated with any object type.

An issue is resolved through one or more Action Items. You can use an Action Item object or a series of related Action Item objects to form an action plan. Each Action Item can be assigned to a user for resolution, and progress can be tracked from the detail page of the parent Issue. Once all Action Items for an Issue are complete (an assignee sets the value to 100%), you can close the Issue.

File: The File object type is used to embed a reference to a file (such as a document, flow chart, or spreadsheet) in the OpenPages system, and associate it to one or more relevant objects.

Link: The Link object type is used to embed a reference to a URL in the OpenPages system and associate it to one or more relevant objects.

Preference Group, Preference: The Preference Group object is used for grouping Preference object instances together. Without this grouping object, each Preference object instance would need to be associated separately to each of the relevant Business Entities. The group object helps to minimize the associated maintenance.

The Preference object type is a child of Business Entity and is used for holding variable values that can drive reports, workflows, and computed fields. The Preference object has entity-specific variable values that enable different behavior for the same workflows, such as determining the behavior of review and approval workflows: that is, who the appropriate users are for each level of review and approval, and what the thresholds are for determining how many levels of review and approval are required.


Process Diagram: A Process Diagram is a child object of the Process; a process can have many diagrams. It is used to store the sequence of sub-processes or activities within a process with associated Risks and Controls, along with any annotations such as decision nodes. All attributes of the Business Process visualization are stored in the Process Diagram object.

Risk Eval: Risk Eval (Evaluation) object types are children of Risk objects and are used to capture risk measurement values for trending purposes. When the reporting periods do not align with the risk evaluation cycles, you can use Risk Eval objects to capture multiple evaluation cycles within a single reporting period.

Control Eval: Control Eval (Evaluation) objects are similar to Risk Evaluation objects except that they are instantiated as children of Controls. They store control assessment data.

Risk Assessment Eval: Risk Assessment Eval (Evaluation) objects are similar to Risk Evaluation objects except that they are instantiated as children of Risk Assessments. They store risk assessment data.

Process Eval: Process Eval (Evaluation) objects are children of Process objects and are used to capture process measurement values for trending purposes.

When the reporting periods do not align with the evaluation cycles, you can use Process Eval objects to capture multiple evaluation cycles within a single reporting period.

Scenario Result: Scenario Result objects are children of Scenario Analysis objects and are used to capture the results of Scenario Analysis workshops for comparison and trending purposes.

Data Input, Data Output: The Data Input and Data Output objects are child objects of the Process and can have associations only to existing Risks. They represent elements of a flow that depict an input into the business flow or an output from various activities within a process, such as running a report, updating a CRM system, or getting an external data source feed.

Object Types Disabled by Default

The following object types are available in the IBM OpenPages Operational Risk Management configuration and are disabled by default.

Table 2. Object types disabled by default

Object Type Label: Description

Questionnaire, Section, Question: Questionnaire, Section, and Question are three objects that are used together to implement questionnaires.


Milestone, Milestone Action Item: A Milestone represents a significant point in the development of your project. You can tie Milestones to specific dates, or use them to signify the completion of a portion of the entire project. Milestones can contain other Milestones or Milestone Action Items. You cannot associate a Milestone with other objects in the object hierarchy.

A Milestone Action Item object type is a specific objective that must be completed to reach a milestone. In general, all Milestone Action Item objects that are associated with a Milestone object must be completed to reach a milestone. When you are assigned a Milestone Action Item object, it is displayed (if configured) in the My Milestone Action Items section of your My Work tab.

Control Objective: A Control Objective is an assessment object type that helps define the risk categories for a Process or Sub-Process object. For each Process or Sub-Process object, an organization sets the control objectives.

Control objectives define the COSO compliance categories that the controls associated with the risks are intended to mitigate. For example, Control Objective objects can be classified into one or more categories such as Compliance, Financial Reporting, Strategic, Operations, or Unknown.

Once a control objective is identified, the Risk objects associated with a Control Objective object can then be identified and defined. In most cases, each Control Objective object has one Risk object associated with it. However, Control Objectives can have more than one Risk associated with them, so they are separated into their own object type.

Cost Center: Cost Center object types are used to group loss events under a business entity. In many cases, companies want to track where loss events occur at a fine granularity (that is, cost center level) but do not want to represent all of the organizational layers as business entities.

Subcomponents

IBM OpenPages GRC Platform modules consist of several subcomponents, which are groups of object types that support a logical function within a module. The following tables list the subcomponents for the IBM OpenPages Operational Risk Management module.

Table 3. Subcomponents shared with other modules

Subcomponent: Object Types

Organization: Business Entity
Preference: Preference Group, Preference
Risk Assessment: Risk Assessment, Risk Assessment Eval
Process: Process, Process Eval, Sub-Process, Control Objective
Risk: Risk, Risk Eval
Control: Control, Control Eval
Test: Test Plan, Test Result


Issue: Issue, Action Item
Questionnaire: Questionnaire, Section, Question
Milestone: Milestone, Milestone Action Item
KRI: KRI, KRI Value
KPI: KPI, KPI Value
Visualization: Process Diagram, Data Input, Data Output

Table 4. ORM-specific subcomponents

Subcomponent: Object Types

Scenario Analysis: Scenario Analysis, Scenario Result
External Loss: ORX Loss, ORIC Loss, FIRST Loss
Loss Event: Loss Event, Loss Impact, Loss Recovery, Cost Center

In addition to the subcomponents listed in the tables, the following object types are included in each module and can be accessed by any authorized user:
v Signature
v File
v Link


Chapter 4. Computed fields

By default, the IBM OpenPages Operational Risk Management module includes computed fields. Computed fields can contain data types such as Boolean, date, decimal, integer, and simple strings.

The following computed fields are associated with Helpers:
v RCSA Process Alignment Helper
  The computed field, which is available from the Risk Assessment Detail page, contains the URL that starts the helper.
v RCSA Completion Helper
  The computed field, which is available from the Risk Assessment Detail page, contains the URL that starts the helper.
v Scenario Completion Helper
  The computed field, which is available from the Scenario Detail page, contains the URL that starts the helper. The Scenario Owner or the IBM OpenPages Risk team can manually start the helper when the scenario analysis is complete.


Chapter 5. Helpers

The IBM OpenPages Operational Risk Management module provides Helpers to assist owners or coordinators in various stages of core processes, such as Risk and Control Assessments and Key Risk Indicators (KRI).

Helpers can assist coordinators with identifying and reviewing a risk profile or ensuring that a process includes the appropriate risks and controls. Helpers can also help identify any KRIs that must be collected in a specified time frame.

Scenario Completion helper

When the Scenario Workshop is complete, the operational risk team or the Scenario Owner updates the Scenario outcomes on the Scenario object. To finalize the Scenario, the Owner runs the Scenario Completion Helper.

As facilitators of the Scenario Analysis process, the Operational Risk Team completes most of the activities in IBM OpenPages. The helper completes the following steps in the process:
1. Validates data.
2. Creates a Scenario Result object.
3. Populates Scenario Result fields from the Scenario Analysis.
4. Runs the Scenario Result Detail report and attaches it to the Scenario Result.

KRI Value Creation utility

After the Key Risk Indicator (KRI) is defined, the KRI Value Creation utility determines whether it must generate a KRI Value object as a child of the KRI.

The KRI Value Creation utility generates blank KRI Value objects that must be captured in the following week. The utility is started as a weekly task that is scheduled to run overnight. However, an administrator can manually start it if the scheduled task does not start automatically.

The utility reviews the KRIs and identifies any KRIs that are due for collection in the next seven days. The KRIs are identified based on the KRI Frequency and the Frequency Offset data values. If the KRI is marked as Active, the KRI Value Creation utility generates a child KRI Value and populates the value with the following data:
v ID
v Description, which is based on the parent KRI
v KRI owner, which is based on the parent KRI. The owner is the user who records the KRI value in the IBM OpenPages system.
v Expected capture date. This date is a read-only field and is based on the Frequency and Frequency Offset values.
v Status of KRI Value, which is set to Awaiting Collection.

The value object is initially set up as a placeholder with a status of Awaiting Collection. If the KRI is marked as Inactive, the utility does not generate a blank value.


KPI Value Creation utility

After the KPI is defined, the IBM OpenPages Helper function determines whether it must generate a KPI Value object as a child of the KPI.

The KPI Value Creation utility generates blank KPI Value objects that must be captured in the following week. The utility is started as a weekly task that is scheduled to run overnight. However, an administrator can manually start it if the scheduled task does not start automatically.

The utility reviews the KPIs and identifies any KPIs that are due for collection in the next seven days. The KPIs are identified based on the KPI Frequency and the Frequency Offset data values. If the KPI is marked as Active, the KPI Value Creation utility generates a child KPI Value and populates the value with the following data:
v ID
v Description, which is based on the parent KPI
v KPI owner, which is based on the parent KPI. The owner is the user who records the KPI value in the IBM OpenPages system.
v Expected capture date. This date is a read-only field, which is based on the Frequency and Frequency Offset values.
v Status of KPI Value, which is set to Awaiting Collection.

The value object is initially set up as a placeholder with a status of Awaiting Collection. If the KPI is marked as Inactive, the utility does not generate a blank value.

RCSA Completion helper

The RCSA Completion helper allows the RCSA Coordinator to complete the Risk Assessment and create an evaluation tree for historical referencing.

The RCSA Coordinators receive a message that asks whether they want to proceed. When the coordinator confirms the message, the helper completes the following actions:
1. Sets the Risk Assessment status field to Approved.
2. Creates the following linked structure for the child Evaluation record:
   v Risk Assessment Evaluation
   v Process Evaluation
   v Risk Evaluation
   v Control Evaluation
3. Copies key data to the new Evaluation records and makes secondary associations. You must specify which fields to copy (Settings menu).

    RCSA Process Alignment helper

    The RCSA Process Alignment helper allows the RCSA Coordinator to review the associated Processes, Risks, and Controls, and create further associations. The helper also sets the Processes, Risks, and Controls to a status of Awaiting Assessment.

    26 IBM OpenPages GRC Platform Version 7.0.0: Operational Risk Management Module Overview

    When the RCSA coordinator wants to begin the RCSA cycle, the coordinator can start the helper from a URL link on the Risk Assessment Detail Page.

    The task-driven helper completes the following actions when it is started:

    1. Adds or removes Processes, Risks, and Controls.
    2. Reviews Process, Risk, and Control Ownership.
    3. Asks if the RCSA Coordinator wants to start the Assessment.
       • If Yes, the helper continues with the following processes:
         – Sets all Risks and Controls to Awaiting Assessment.
         – Sets the Submit for Approval field on the Risk object to No.
         – Sets the Approve/Reject field on the Risk object to a blank value.
         – Sets the Rejection Comments field on the Risk object to a blank value.
       • If No, saves and closes the Assessment.

    RCSA Launch Utility helper

    The RCSA Launch Utility helper generates Risk Assessment objects for In scope entities.

    The Launch Utility helper assists the administrator with starting the RCSA process in the following ways:

    1. Creates a Risk Assessment under the Business Entity and associates all processes that are under that Business Entity to the Risk Assessment.
    2. Asks for Risk Assessment details. The administrator must provide values to fields on all generated Risk assessments, such as Start Date, End Date, and Instructions / Guidance.
    3. Identifies all In-scope entities.
    4. Generates a Risk Assessment object for all In scope entities.
    5. Populates the Risk Assessment object with the values provided in step 1.
    6. Sets the Risk Assessment status to Not Started and populates the RCSA Administrator field with the appropriate user name.
    7. Sends the RCSA coordinator an email that informs the coordinator that the RCSA cycle can start. The administrator can specify the content of the email through the Settings page. The Risk Coordinator email uses information from the nearest Preference record that has the specified RCSA Coordinator.

    RCSA Site Sync helper

    The RCSA Site Sync helper synchronizes Business instances of object data with values in a Library data structure.

    When the helper starts, it identifies all changes to the Master/Library object. The helper uses a Library reference field as a common key and synchronizes all local instances of the object with the Master.

    The following steps are required to execute the RCSA Site Sync Helper:

    1. Specify the source entity library where master objects are available, for example, /RCSA Library.
    2. Specify the target entity to sync, for example, /Global Financial Services/North America/Retail Banking.
    3. Select the objects to sync from the list.
    4. Set the Sync On field to Name.
    5. In the Library ID field, list the fields to sync on, using the following syntax: field group.field name. For example, use the definition OPSS-Process.Additional Description.
    6. In the Properties field, list the fields to be synced from the source in the following syntax: field group.field name. For example, use the definition OPSS-Process.Additional Description.
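    The following Python is an added example, not the helper's own code or the OpenPages API, that works through the matching and copying the Site Sync steps describe: master objects under the source library that changed within the look-back window, local copies under the target entity matched to a master by their Library ID field (Sync On = Name), and the listed field group.field name properties copied from master to copy. The object model, the library_ref attribute standing in for the Library ID field, the look-back rule, the excluded-type handling and the sample data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class GrcObject:
    """Constructed model of a Process/Risk/Control record; not the OpenPages API."""
    path: str                           # e.g. "/RCSA Library/Payments"
    obj_type: str                       # "Process", "Risk" or "Control"
    name: str
    modified: date
    fields: Dict[str, str]              # keyed by "Field Group.Field Name"
    library_ref: Optional[str] = None   # the Library ID field on a local copy (master's Name)


def parse_field_spec(spec: str) -> Tuple[str, str]:
    """Validate the 'field group.field name' syntax the helper settings use."""
    group, sep, name = spec.partition(".")
    if not sep or not group.strip() or not name.strip():
        raise ValueError(f"expected 'field group.field name', got {spec!r}")
    return group.strip(), name.strip()


def under(path: str, root: str) -> bool:
    """True when path is root or lies below it (segment-aware prefix match)."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def site_sync(objects: List[GrcObject], library_root: str, target_root: str,
              properties: List[str], exclude_types: Tuple[str, ...] = (),
              offset_days: int = 1, today: Optional[date] = None):
    """One run of the Site Sync logic: masters changed since today - offset_days,
    matched to local copies by (type, Library ID); returns (path, field, old, new)
    for every property value that was actually changed on a local copy."""
    today = today or date.today()
    since = today - timedelta(days=offset_days)
    keys = [".".join(parse_field_spec(p)) for p in properties]   # validates the syntax

    masters = {
        (o.obj_type, o.name): o for o in objects
        if under(o.path, library_root) and o.obj_type not in exclude_types
        and o.modified >= since
    }
    changes: List[Tuple[str, str, Optional[str], str]] = []
    for local in objects:
        if not under(local.path, target_root) or local.obj_type in exclude_types:
            continue
        master = masters.get((local.obj_type, local.library_ref))
        if master is None:
            continue                     # no master, or master unchanged in the window
        for key in keys:
            if key not in master.fields:
                continue                 # master does not carry this property
            old = local.fields.get(key)
            if old != master.fields[key]:
                local.fields[key] = master.fields[key]
                changes.append((local.path, key, old, master.fields[key]))
    return changes


# Constructed sample data using the manual's example entity paths.
TODAY = date(2013, 6, 3)
LIB = "/RCSA Library"
TARGET = "/Global Financial Services/North America/Retail Banking"
DESC = "OPSS-Process.Additional Description"


def sample_objects() -> List[GrcObject]:
    old = TODAY - timedelta(days=40)
    return [
        GrcObject(f"{LIB}/Payments", "Process", "Payments", TODAY, {DESC: "Card and wire payments (rev. 3)"}),
        GrcObject(f"{LIB}/Lending", "Process", "Lending", TODAY - timedelta(days=10), {DESC: "Retail lending"}),
        GrcObject(f"{LIB}/Fraud", "Risk", "Fraud", TODAY, {"OPSS-Risk.Description": "External fraud"}),
        GrcObject(f"{TARGET}/Payments", "Process", "Payments", old, {DESC: "Card payments (rev. 2)"}, "Payments"),
        GrcObject(f"{TARGET}/Lending", "Process", "Lending", old, {DESC: "Retail lending"}, "Lending"),
        GrcObject(f"{TARGET}/Fraud", "Risk", "Fraud", old, {"OPSS-Risk.Description": "Old text"}, "Fraud"),
        # a copy in a sibling entity: outside the target root, so never touched
        GrcObject("/Global Financial Services/Europe/Retail Banking/Payments", "Process", "Payments",
                  old, {DESC: "Card payments (rev. 2)"}, "Payments"),
    ]


def run_example():
    objs = sample_objects()
    return site_sync(objs, LIB, TARGET, [DESC, "OPSS-Risk.Description"],
                     exclude_types=("Risk",), offset_days=1, today=TODAY)


if __name__ == "__main__":
    for change in run_example():
        print(change)
```

    Only the Payments copy in the target entity changes: Lending's master was last modified outside the one-day look-back, Risk objects are excluded, and the Europe copy lies outside the target root.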

    RCSA Helpers Configuration

    If you are using the RCSA business process, the administrator must configure RCSA after you install the IBM OpenPages GRC Modules.

    Data

    The RCSA Process Alignment helper and the RCSA Site Sync helper require the use of library and staging hierarchies.

    Library Hierarchy

    To have the full functionality of the RCSA helper, you must create a library hierarchy. The Library root object is a business entity and the structure contains the common business Processes, Risks, and Controls that are to be used in the RCSA process.

    For example: Library Entity: /RCSA Library

    Staging Hierarchy

    To have the full functionality of the RCSA Helpers, you must create a staging hierarchy. The Staging root object is a business entity and the structure contains a staging process and risk. The hierarchy is used to store the processes, risks, and controls that are removed from the business as part of the RCSA process.

    An example of a staging Entity: /RCSA Staging Hierarchy
    An example of a staging Process: /RCSA Staging Hierarchy/Staging Process
    An example of a staging Risk: /RCSA Staging Hierarchy/Staging Risk

    To create these hierarchies, load them by using the Fast Map template that is supplied with the installation.

    Complete the following procedure to create these hierarchies:

    1. Click Reporting > Fast Map > Fast Map Import.
    2. On the Modules Media, browse to optional\RCSA_Staging_Data.
    3. Select RCSA-PAHelper-Staging-Data.xls.
    4. Click Import Data.

    Settings

    The Library and Staging areas have corresponding settings that you must configure for the RCSA Helpers to register the structures.

    To configure these settings:

    1. Log in as an administrator.
    2. Click Administration > Settings.
    3. Expand the options for the following entries and set the values to the staging hierarchy that you created.
       • COMMON
       • RCSA PROCESS ALIGNMENT HELPER
       • RCSA SITESYNC
       • RCSA TRIGGERS

    Common

    Path: /OpenPages/Solutions/ORM/Common/Library Path
    Description: This value must be set to the root Library entity object, for example, /RCSA Library. Used for the RCSA Site Sync helper and the RCSA Process Alignment Helper.

    RCSA Process Alignment Helper

    Path: /OpenPages/Solutions/ORM/Helpers/RCSA/Alignment/Removed Control Path
    Description: Used by the Process Alignment Helper for storing removed Controls. This value must be a path to a Risk in the system, for example, /RCSA Staging Hierarchy/Staging Risk.

    Path: /OpenPages/Solutions/ORM/Helpers/RCSA/Removed Process Path
    Description: Used by the Process Alignment Helper for storing removed Processes. This value must be a path to an Entity in the system, for example, /RCSA Staging Hierarchy.

    Path: /OpenPages/Solutions/ORM/Helpers/RCSA/Removed Risk Path
    Description: Used by the Process Alignment Helper for storing removed Risks. This value must be a path to a Process in the system, for example, /RCSA Staging Hierarchy/Staging Process.

    RCSA Site Sync Helper

    Path: /OpenPages/Solutions/ORM/Helpers/RCSA/SiteSync/Exclude object
    Description: Used by the RCSA Site Sync helper to exclude the objects that are not required to be synced.

    Path: /OpenPages/Solutions/ORM/Helpers/RCSA/SiteSync/Standalone offset
    Description: Used by the RCSA Site Sync helper to look back a number of days. For example, 1 is yesterday.

    Path: /OpenPages/Solutions/ORM/Helpers/RCSA/SiteSync/Standalone target entity
    Description: Used by the RCSA Site Sync helper as the root Organizational Hierarchy, for example, /BANK ORG.
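    An administrator can catch the usual mistakes in these settings before running the helpers. The following Python is an added example, not part of the product, that checks each setting against the object type the tables require (Library Path, Removed Process Path and Standalone target entity must be Entities, Removed Control Path a Risk, Removed Risk Path a Process) and that Standalone offset is a whole number of days. The object_types lookup stands in for a repository query, the sample settings reuse the manual's example paths, and the rule that staging paths must not lie inside the Library is an added assumption rather than a documented requirement.

```python
from typing import Dict, List

# Setting paths and the object type each must point to, as the manual states them.
EXPECTED_TYPE = {
    "/OpenPages/Solutions/ORM/Common/Library Path": "Entity",
    "/OpenPages/Solutions/ORM/Helpers/RCSA/Alignment/Removed Control Path": "Risk",
    "/OpenPages/Solutions/ORM/Helpers/RCSA/Removed Process Path": "Entity",
    "/OpenPages/Solutions/ORM/Helpers/RCSA/Removed Risk Path": "Process",
    "/OpenPages/Solutions/ORM/Helpers/RCSA/SiteSync/Standalone target entity": "Entity",
}
LIBRARY_PATH = "/OpenPages/Solutions/ORM/Common/Library Path"
CONTROL_PATH = "/OpenPages/Solutions/ORM/Helpers/RCSA/Alignment/Removed Control Path"
RISK_PATH = "/OpenPages/Solutions/ORM/Helpers/RCSA/Removed Risk Path"
OFFSET = "/OpenPages/Solutions/ORM/Helpers/RCSA/SiteSync/Standalone offset"
STAGING_KEYS = [k for k in EXPECTED_TYPE if "/Removed " in k]


def validate_rcsa_settings(settings: Dict[str, str], object_types: Dict[str, str]) -> List[str]:
    """Return one message per problem; an empty list means the helpers can register the structures.
    object_types maps repository path -> object type and stands in for a repository query."""
    problems: List[str] = []
    for key, want in EXPECTED_TYPE.items():
        value = settings.get(key, "")
        if not value:
            problems.append(f"{key}: not set")
            continue
        if not value.startswith("/") or "//" in value or value != value.strip():
            problems.append(f"{key}: malformed path {value!r}")
            continue
        got = object_types.get(value)
        if got is None:
            problems.append(f"{key}: {value!r} does not exist")
        elif got != want:
            problems.append(f"{key}: {value!r} is a {got}, must be a {want}")
    # Added sanity check (assumption, not from the manual): staging paths hold objects
    # removed from the business, so they should never sit inside the Library of masters.
    library = settings.get(LIBRARY_PATH, "")
    for key in STAGING_KEYS:
        value = settings.get(key, "")
        if library and (value == library or value.startswith(library + "/")):
            problems.append(f"{key}: staging path {value!r} lies inside the Library {library!r}")
    # The look-back offset is a number of days (1 = yesterday): a non-negative integer.
    if not settings.get(OFFSET, "").isdigit():
        problems.append(f"{OFFSET}: must be a whole number of days")
    return problems


# Constructed repository contents (path -> type) matching the manual's example hierarchies.
OBJECT_TYPES = {
    "/RCSA Library": "Entity",
    "/RCSA Staging Hierarchy": "Entity",
    "/RCSA Staging Hierarchy/Staging Process": "Process",
    "/RCSA Staging Hierarchy/Staging Risk": "Risk",
    "/BANK ORG": "Entity",
}
GOOD_SETTINGS = {
    LIBRARY_PATH: "/RCSA Library",
    CONTROL_PATH: "/RCSA Staging Hierarchy/Staging Risk",
    "/OpenPages/Solutions/ORM/Helpers/RCSA/Removed Process Path": "/RCSA Staging Hierarchy",
    RISK_PATH: "/RCSA Staging Hierarchy/Staging Process",
    "/OpenPages/Solutions/ORM/Helpers/RCSA/SiteSync/Standalone target entity": "/BANK ORG",
    OFFSET: "1",
}
# Three deliberate mistakes: a Process where a Risk is required, a stray space in a
# path (so the object is not found), and an offset that is not a number of days.
BAD_SETTINGS = dict(GOOD_SETTINGS, **{
    CONTROL_PATH: "/RCSA Staging Hierarchy/Staging Process",
    RISK_PATH: "/RCSA Staging Hierarchy /Staging Process",
    OFFSET: "yesterday",
})


if __name__ == "__main__":
    print("good:", validate_rcsa_settings(GOOD_SETTINGS, OBJECT_TYPES))
    for problem in validate_rcsa_settings(BAD_SETTINGS, OBJECT_TYPES):
        print("bad: ", problem)
```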

    Chapter 6. Notifications

    Notifications are email notifications sent to owners of a process as a reminder to act. These notifications can occur at different stages of a process or as a final step in a trigger.

    All notifications that are sent from IBM OpenPages ORM use the following sender address. Configure the email address and server settings:

    • /OpenPages/Solutions/ORM/Email/From Email - the sender address that is used to send notifications
    • /OpenPages/Solutions/ORM/Email/From Name - configure this item to identify the email sender name that is used by notifications
    • /OpenPages/Common/Email/Mail Server - configure this item to identify the email server that is used to send notifications

    Notifications are part of the KRI lifecycle, the KPI lifecycle, and the Issue Management and Remediation process.

    Issue and Action Bulletin notification

    During the closedown phase of the Issue Management and Remediation (IMR) process, an Issue and Action Bulletin is sent as an email notification to the users. The bulletin highlights important areas such as overdue issues and Actions that are due for closure. The administrator can set the frequency of this notification by using the Issue Management and Remediation (IMR) bulletin.

    When the Issue is defined, its status is Open and the user must enter a value in the Current due date field. The due date is copied to a read-only field that contains the original due date. When the user creates an Issue, the Issue Owner (who might not be the same person who created the Issue) receives an email notification.

    The Issue Owner must record the appropriate actions to resolve an identified Issue. The following data is captured in an Action Item:

    • Description
    • Assignee
    • Start Date
    • Due Date
    • Actual Closure date
    • Status (Read Only)
    • A comment field to record the latest updates

    The Issue Owner receives an email that summarizes the Actions that must be approved for closure. The owner can either Accept Closure or Reject Closure. When Actions are completed, the Issue Owner must review the Issue and update the status to Closed. If any child actions are Open or Awaiting Approval, the Issue Owner cannot close the issue.

    Users receive email notifications through the consolidated Issue and Action bulletins. The bulletin consolidates the following information in an email:

    • Issues assigned to the recipient in the past number of days
    • Actions assigned to the recipient in the past number of days
    • Issues due for Closure in the next number of days
    • Actions due for Closure in the next number of days
    • Overdue Issues
    • Overdue Actions
    • Actions awaiting closure approval
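    To make the closure rule and the bulletin contents above concrete, here is an added Python example (not from the manual or the product) that enforces the check that an Issue cannot be closed while a child Action is Open or Awaiting Approval, and that assembles the seven bulletin sections for one recipient. The object model, the assigned_on field used for the "assigned in the past number of days" sections, the seven-day look-back and look-ahead windows, and the sample Issues and Actions are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Status values named in the manual; the object model around them is constructed.
OPEN, AWAITING_APPROVAL, CLOSED = "Open", "Awaiting Approval", "Closed"


@dataclass
class ActionItem:
    id: str
    issue_id: str
    assignee: str
    due_date: date
    status: str = OPEN
    assigned_on: Optional[date] = None      # assumed field: when the assignee was set


@dataclass
class Issue:
    id: str
    owner: str
    current_due_date: date
    status: str = OPEN
    assigned_on: Optional[date] = None      # assumed field: when the owner was set

    def __post_init__(self):
        # Read-only copy of the first due date, as the manual describes.
        self.original_due_date = self.current_due_date


def can_close_issue(issue: Issue, actions: List[ActionItem]) -> bool:
    """Closure rule: no child Action may still be Open or Awaiting Approval."""
    return not any(a.issue_id == issue.id and a.status in (OPEN, AWAITING_APPROVAL)
                   for a in actions)


def close_issue(issue: Issue, actions: List[ActionItem]) -> bool:
    """Set the Issue to Closed; returns False when the rule blocks it."""
    if not can_close_issue(issue, actions):
        return False
    issue.status = CLOSED
    return True


def build_bulletin(recipient: str, issues: List[Issue], actions: List[ActionItem],
                   today: date, lookback_days: int = 7, lookahead_days: int = 7) -> Dict[str, List[str]]:
    """The seven sections of the consolidated Issue and Action Bulletin for one recipient.
    The two window lengths stand in for the administrator-set 'number of days'."""
    past, ahead = today - timedelta(days=lookback_days), today + timedelta(days=lookahead_days)
    my_issues = [i for i in issues if i.owner == recipient]
    my_actions = [a for a in actions if a.assignee == recipient]
    open_issues = [i for i in my_issues if i.status != CLOSED]
    open_actions = [a for a in my_actions if a.status != CLOSED]
    owned_issue_ids = {i.id for i in my_issues}
    return {
        "issues_assigned": [i.id for i in my_issues if i.assigned_on and past <= i.assigned_on <= today],
        "actions_assigned": [a.id for a in my_actions if a.assigned_on and past <= a.assigned_on <= today],
        "issues_due": [i.id for i in open_issues if today <= i.current_due_date <= ahead],
        "actions_due": [a.id for a in open_actions if today <= a.due_date <= ahead],
        "overdue_issues": [i.id for i in open_issues if i.current_due_date < today],
        "overdue_actions": [a.id for a in open_actions if a.due_date < today],
        # Closure approval is the Issue Owner's decision, so list Actions under the recipient's Issues.
        "actions_awaiting_approval": [a.id for a in actions
                                      if a.issue_id in owned_issue_ids and a.status == AWAITING_APPROVAL],
    }


TODAY = date(2013, 6, 3)


def sample_data():
    """Constructed Issues and Actions for the run date above."""
    issues = [
        Issue("ISS-1", "alice", date(2013, 6, 1), assigned_on=date(2013, 5, 20)),
        Issue("ISS-2", "alice", date(2013, 6, 7), assigned_on=date(2013, 5, 30)),
        Issue("ISS-3", "bob", date(2013, 6, 5)),
    ]
    actions = [
        ActionItem("ACT-1", "ISS-1", "bob", date(2013, 5, 30), AWAITING_APPROVAL, date(2013, 5, 1)),
        ActionItem("ACT-2", "ISS-2", "bob", date(2013, 6, 6), OPEN, date(2013, 5, 31)),
        ActionItem("ACT-3", "ISS-3", "alice", date(2013, 6, 10), CLOSED),
    ]
    return issues, actions


if __name__ == "__main__":
    issues, actions = sample_data()
    for who in ("alice", "bob"):
        print(who, build_bulletin(who, issues, actions, TODAY))
    print("close ISS-1:", close_issue(issues[0], actions), "close ISS-3:", close_issue(issues[2], actions))
```

    In the sample, ISS-1 cannot be closed because ACT-1 is still Awaiting Approval, while ISS-3 can, because its only Action is Closed; alice's bulletin lists ISS-1 as overdue, ISS-2 as due and ACT-1 as awaiting her closure approval.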

    KRI Reminder notification

    The KRI Reminder notification is an email sent to the KRI owner that contains a list of all KRI Values that the owner or recipient is required to capture in the next seven days.

    After the Risk Owner defines the Key Risk Indicator (KRI), the IBM OpenPages system determines whether it must generate a KRI Value object as a child of the KRI. If the KRI is set as Active, the KRI helper generates the values. If the KRI is set as Inactive, a batch utility sets up the KRI Value object as a placeholder with a status of Awaiting collection.

    The administrator can run the KRI Value utility when necessary, for example, when the automatically scheduled job fails to run. The utility creates the KRI Values with details, such as ID, Description, Expected Capture date, KRI Capturer, and KRI Owner.

    A notification that requests that the KRI Capturer enters a KRI value is presented in one of the following ways:

    • Weekly email notifications, which instruct the user to log in to IBM OpenPages.
    • Based on the status of the KRI Value (Awaiting Collection) and the KRI Capturer (logged-in user), the KRI Value is shown on the user's home page.

    The email notification that is sent to the KRI owner contains a list of KRIs that have the following characteristics:

    • An expected collection date that is less than (TODAY + 7)
    • A KRI status that is set to Awaiting Collection.

    KRI Breach notification

    The KRI Breach notification sends an email to the Risk Owner when a KRI breach status changes from Green to Red or from Amber to Red.

    The KRI Breach notification is started by the KRI Lifecycle trigger. The email notification contains a link to the KRI that is in breach and advises the Risk Owner to review the breach and take appropriate actions.

    KPI Reminder notification

    The KPI Reminder notification is an email sent to the KPI owner that contains a list of all KPI Values that the owner or recipient is required to capture in the next seven days.

    After the Risk Owner defines the Key Performance Indicator (KPI), the IBM OpenPages system determines whether it must generate a KPI Value object as a child object of the KPI. If the KPI is set as Active, the KPI helper generates the values. If the KPI is set as Inactive, a batch utility sets up the KPI Value object as a placeholder with a status of Awaiting collection.

    The administrator can run the KPI Value utility when necessary, for example, when the automatically scheduled job fails to run. The utility creates the KPI Values with details, such as ID, Description, Expected Capture date, KPI Capturer, and KPI Owner.

    A notification that requests that the KPI Capturer enters a KPI value is presented in one of the following ways:

    • Weekly email notifications, which instruct the user to log in to IBM OpenPages.
    • Based on the status of the KPI Value (Awaiting Collection) and the KPI Capturer (logged-in user), the KPI Value is shown on the user's home page.

    The email notification that is sent to the KPI owner contains a list of KPIs that have the following characteristics:

    • An expected collection date that is less than (TODAY + 7)
    • A KPI status that is set to Awaiting Collection.

    KPI Breach notification

    The KPI Breach notification sends an email to the Risk Owner when a KPI breach status changes from Green to Red or from Amber to Red.

    The KPI Breach notification is started by the KPI Lifecycle trigger. The email notification contains a link to the KPI that is in breach and advises the Risk Owner to review the breach and take appropriate actions.

    Chapter 7. Reports

    Standard reports are available for the IBM OpenPages Operational Risk Management module.

    For a description of more reports that are installed with the IBM OpenPages GRC Platform and available to all modules, see the IBM OpenPages GRC Platform Administrator's Guide.

    ORM-Specific Reports

    The ORM-specific reports are standardized reports that you can run specifically to track, monitor, and maintain the various stages of the Operational Risk Management processes. These processes include Key Risk Indicators, scenario analysis, loss events, loss data, and issues and action items.

    Loss Event Reports

    The IBM OpenPages Loss Event function ensures that information about loss events is collected consistently across the organization. The Loss Event function requires that the most important data about each Event is entered, appropriately approved, and actions are undertaken. One of the stages for managing loss events is reporting.

    The following loss event reports are specific to the IBM OpenPages Operational Risk Management module. Users can drill through from some reports to detail information.

    Table 5. Loss Event Reports

    Loss Event Dashboard
      Description: Displays the count of Loss Events for the selected Business Entity and its descendants, which are broken out by Status and Risk Category.
      Drill-Through Report: Loss Event Dashboard Detail

    Loss Event Summary
      Description: Displays a column chart (representing entities) showing Net Loss that is broken out by Risk Category. A drill-through report shows Loss Event details.
      Drill-Through Report: Loss Event Detail

    Loss Event Trend
      Description: Displays the trend of Net Loss by Risk Category for a specified Business Entity.
      Drill-Through Report: Loss Event Trend Detail

    Risk vs Loss
      Description: Displays the annual Net Loss of a Business Entity for a specified date that is compared with the current Residual Risk Exposure.

    Issue Management and Remediation reports

    Issues are items that are identified against the documented framework. They are deemed as negatively affecting the ability to accurately manage and report risk. A selection of Issue and Action reports are available to all users.

    The following issue management and remediation reports are specific to the IBM OpenPages Operational Risk Management module.

    Table 6. Issue Management and Remediation reports

    Issue Dashboard
      Description: Provides a graphical representation of the number of issues by status. The report is scoped on the entity object and date range.
      Drill-through Report: Issue Dashboard Detail

    Issues and Action Items
      Description: Variant of the Issue Dashboard Detail report. Provides summary information on the associated action items.

    Scenario Analysis reports

    The Scenario Analysis reports support the review of existing scenarios for each Business unit.

    Scenarios involve the quantification of significant events (impacts and frequencies for potential events) that can be realized for an organization. The analysis captures the what-if scenarios of losses.

    The following Scenario Analysis reports are specific to the IBM OpenPages Operational Risk Management module.

    Table 7. Scenario Analysis reports

    Scenario Summary
      Description: A list report that displays all Scenarios by Entity. Details include ID, Description, Status, and Owner.
      Drill-through Report: Scenario Result Detail

    Reports Shared with Other Modules

    The IBM OpenPages Operational Risk Management module contains a number of reports that are shared with other IBM OpenPages GRC Platform modules.

    Risk Assessment Reports

    Risk Assessment reports provide support for management by driving better decision-making that leads to action. These reports are a part of the action stage of the Risk and Control Self-assessment (RCSA) process.

    The following risk assessment reports are shared with other IBM OpenPages GRC Platform modules.

    Table 8. Risk Assessment Reports

    Risk Assessment List
      Description: Shows Risk Assessment details for a specified Business Entity and all of its descendants.

    Risk Assessment Status
      Description: Shows a stacked column chart that shows the status of Risk Assessments for the specified Business Entity and its direct descendants.
      Drill-Through Report: Risk Assessment Status Detail

    Risk Assessment Summary
      Description: Shows Risk Assessment details along with all associated Risks and Controls. A drill-through report shows Issues and Action Items that are related to the Risk Assessments, Risks, or Controls.
      Drill-Through Report: Risk Assessment Issues and Action Items

    Risk Assessment Issues and Action Items
      Description: Shows all Issues and Action Items that are related to the selected Risk Assessment and its associated Risks and Controls. Parent Object shows only the Risk Assessment, Risk, and Control parents. The report prompts for two values: Business Entity and Risk Assessment. Data is filtered on the selected entity. Users can select from all Risk Assessments that are associated, whether directly or indirectly, to the selected business entity.

    Risk Reports

    The IBM OpenPages GRC Platform provides risk reports that are shared with other modules. These reports include links or drill-throughs to different subreports for the same data item.

    Table 9. Risk Reports

    Risk Analysis
      Description: Shows Risks that are grouped by Process for a specified Business Entity.

    Risk Heat Map
      Description: Shows a table that aggregates Risks by Residual Impact and Likelihood for a specified Business Entity.
      Drill-through Report: Risk Detail

    Risk Rating by Entity
      Description: Shows Residual Risk Rating summary information for the selected Business Entity and its descendants.
      Drill-through Report: Risk Rating by Entity Detail

    Risk Rating by Category
      Description: Shows Risk Category and Residual Risk Rating summary information for the selected Business Entity.
      Drill-through Report: Risk Rating by Category Detail

    Top Risks
      Description: Shows a summary of the top Risks that are ranked by Residual Risk Exposure and the Inherent Risk Exposure.

    Control Reports

    The following control reports are shared with other IBM OpenPages GRC Platform modules.

    Table 10. Control Reports

    Risk and Control Matrix
      Description: Shows Risk and Control data for specified Business Entity and Processes.

    Control Effectiveness Map
      Description: Shows counts of Controls grouped by Processes and Operating Effectiveness.
      Drill-Through Report: Control Effectiveness Detail

    Testing Reports

    The following testing report is shared with other IBM OpenPages GRC Platform modules.

    Table 11. Testing Reports

    Testing Dashboard
      Description: Displays summary Test Result information for the selected Business Entity, with the ability to drill through to detail and trend information.
      Drill-Through Report: Testing Dashboard Detail

    Indicator Reports

    Reporting is the final stage of the IBM OpenPages Key Risk Indicator (KRI) or Key Performance Indicator (KPI) cycle. After the KRI owner defines the KRIs or KPIs, and captures their values, standard indicator reports are provided for summary information for the selected business entities.

    The following indicator reports are shared with other IBM OpenPages GRC Platform modules.

    Table 12. Indicator Reports

    KRI Dashboard
      Description: Summary KRI information is displayed for the selected Business Entity and its descendants.
      Drill-Through Report: KRI Dashboard Detail

    KPI Dashboard
      Description: Summary KPI information is displayed for the selected Business Entity and its descendants.
      Drill-Through Report: KPI Dashboard Detail

    Visualization Reports

    The following visualization report is shared with other IBM OpenPages GRC Platform modules.

    Table 13. Visualization reports

    Process Analysis
      Description: Displays Risk and Controls in the context of a process diagram. Provides an aggregated view of Risk and Controls with risk rating and control effectiveness at the Process and Business Entity level.

    Chapter 8. Triggers

    The IBM OpenPages Operational Risk Management module contains several available triggers.

    IBM OpenPages Operational Risk Management Modules Trigger Details provides additional details on the triggers described here.

    Before you use the Object Manager tool to load XML instance data, you must disable triggers on any object types for which you will be loading data.

    Object types that are configured for the IBM OpenPages Operational Risk Management module to have triggers by default include:

    • Risk
    • Action Item
    • Issue
    • Loss Event
    • Loss Impact
    • Loss Recovery
    • KRI Value
    • KPI Value
    • Data Input
    • Data Output

    Object types that are configured for other IBM OpenPages GRC Platform modules to have triggers by default include:

    • Audit
    • Audit Section
    • Workpaper
    • Plan
    • Timesheet
    • Finding
    • Audit Review Comment
    • File (SOXDocument)
    • Policy

    ORM-Specific Triggers

    Several triggers are specific to the IBM OpenPages Operational Risk Management module.

    Loss Event Lifecycle triggers

    The Loss Event Lifecycle triggers calculate and persist three fields on the Loss Event object, when related fields are created or changed on any descendant Loss Impact and Loss Recovery objects.

    The triggers automate the approval process and remediation performance of Loss Event as described in the triggers for Loss Event Approval Submission and Loss Event Approval.

    Loss Event Computation trigger

    The Loss Event Computation trigger computes summary values in system base currency on a Loss Event that is based on associated Loss Impact and Recoveries.

    When a Loss Impact or Loss Recovery object is updated, associated, disassociated, or deleted, the trigger completes the following actions:

    • Obtains the parent Loss Event object that retrieves a list of its Loss Impact child objects. The Gross Loss converts all the Actual Loss amounts of the Loss Impact child objects to Base Currency and calculates the Sum. The parent Loss Event Gross Loss field is updated with the Sum.
    • Obtains the parent Loss Event object that retrieves a list of its Loss Recovery child objects. The Recovery Amount converts all the Actual Recovery Amounts of the Loss