IBM OpenPages GRC Platform Version 6.2.1
Operational Risk Management Module Overview
Note: Before using this information and the product it supports, read the information in “Notices” on page 25.
Product Information
This document applies to IBM OpenPages GRC Platform Version 6.2.1 and may also apply to subsequent releases.
Licensed Materials - Property of IBM Corporation.
© Copyright IBM Corporation, 2003, 2013.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Document Release and Update Information
Chapter 1. Introduction
  What's New
  Module Description
  Object Type Licensing
  About IBM Algo FIRST
Chapter 2. Object Types
  Object Types Enabled by Default
  Object Types Disabled by Default
  Subcomponents
Chapter 3. Computed Fields
Chapter 4. Helpers
Chapter 5. Reports
  ORM-Specific Reports
    Loss Event Reports
  Reports Shared with Other Modules
    Risk Assessment Reports
    Risk Reports
    Control Reports
    Testing Reports
    Indicator Reports
Chapter 6. Triggers
  ORM-Specific Triggers
    Loss Event Life Cycle Triggers
  Triggers Shared with Other Modules
    Risk Rating Computations Trigger
    KRI Life Cycle Trigger
    KPI Life Cycle Trigger
Chapter 7. Profiles
  OpenPages ORM 6.2.1 Master Profile
    Home Page Filtered Lists
    Activity Views
  OpenPages FIRST Loss 6.2.1 Profile
    Home Page Filtered Lists
    Activity Views
Chapter 8. Role Templates
Notices
Document Release and Update Information
This topic lists information about this document and where updates to this document can be found.
Document Release Information
Software Version: 6.2.1
Document Published: April, 2013
Document Updates
Supplemental documentation is available on the web. Go to the IBM® OpenPages® GRC Platform documentation library on the IBM support website (http://www.ibm.com/support/docview.wss?uid=swg27028308).
Chapter 1. Introduction
Use this guide with the IBM OpenPages Operational Risk Management module.
What's New
The following information highlights the major new features and enhancements that were made to the IBM OpenPages Operational Risk Management module in IBM OpenPages Version 6.2.1.

IBM Algo FIRST® Database Support
- The IBM OpenPages Operational Risk Management module now supports the IBM Algo FIRST database service. If you subscribe to this service, IBM Algo FIRST provides a compatible FastMap file for a seamless load of FIRST data to the IBM OpenPages Operational Risk Management environment. For more information about FIRST, see “About IBM Algo FIRST” on page 2.
- The IBM OpenPages Operational Risk Management module now includes a new OpenPages FIRST Loss 6.2.1 profile. Subscribers of the IBM® Algo® FIRST database service can use this profile to load FIRST Loss data through the OpenPages FastMap feature. For more information about this profile, see “OpenPages FIRST Loss 6.2.1 Profile” on page 22.
Module Description
IBM OpenPages Operational Risk Management combines powerful document and process management with a monitoring and decision support system that enables organizations to analyze, manage, and mitigate risk in a simple and efficient manner.

IBM OpenPages Operational Risk Management automates the process of identifying, measuring, and monitoring operational risk, combining all risk data – risk and control self assessments, loss events, scenario analysis, external losses, and key risk indicators (KRI) – into a single integrated module.
Key features include:
- Risk and Control Self Assessments (RCSA), which include:
  – Identification, measurement, and mitigation of risks.
  – Testing and documentation of internal controls.
- Loss Events, which include:
  – Tracking, assessing, and managing both internal and external events that may result in operational loss.
  – Managing multiple impact events and recoveries that are associated with operational losses.
- External Loss Events, from IBM Algo, ORX, and ORIC loss databases, which can be used to import loss data from the external loss databases into IBM OpenPages ORM for scenario analysis, benchmarking and reports generation, and to export loss data to analytic tools or capital allocation applications.
- Key Risk Indicators (KRIs), which can track performance metrics to potentially show the presence or state of a risk condition or trend.
- Scenario Analysis, which is an assessment technique used to identify and measure specific kinds of risks, in particular, low frequency, high-severity events.
- Reporting, monitoring, and analytics.
Object Type Licensing
For the IBM OpenPages Operational Risk Management module, you are licensed to use the object types listed in Chapter 2, “Object Types,” on page 3. Use of any other object types is prohibited without prior written approval from IBM.
About IBM Algo FIRST
The IBM Algo FIRST database is a collection of external, public operational risk loss events in the form of risk case studies.

Algo FIRST events are targeted at the financial sector and contain over 20 years’ worth of events, which have been indexed to 13 keyword hierarchies, including Basel category and business line. Other hierarchies include control factor, event trigger, business unit type, entity type. Algo FIRST cases include detailed descriptions that break down the event to analyze root cause, identify control breakdowns, lessons learned, management response and aftermath of the event. Events can also include sections with supporting detail that timeline the event, relevant information about the institution that it happened to, or other detail about loss impacts.

The bulk of events in FIRST capture quantitative information as well as detailed qualitative analysis. This quantitative information takes the form of loss amounts that are captured at the time of the event.

IBM Algo FIRST offers a subscription to a data add-on refreshed daily with the IBM Algo FIRST database in a format compatible with the IBM OpenPages FastMap feature. IBM OpenPages GRC Platform customers can leverage the IBM Algo FIRST FastMap data add-on to provide end users access to Algo FIRST case studies within the IBM OpenPages application. After the data is loaded into IBM OpenPages, end users are able to browse and associate Algo FIRST case studies to GRC objects like Scenario Analyses, Risks, and Loss Events. Consult your IBM account representative for details on obtaining the IBM Algo FIRST data add-on for IBM OpenPages.

If you subscribe to the IBM Algo FIRST database service, Algo FIRST provides a compatible FastMap file for a seamless load of Algo FIRST data to the IBM OpenPages Operational Risk Management module.

By default, the IBM OpenPages Operational Risk Management module includes the OpenPages FIRST Loss 6.2.1 profile. Users with this profile can load FIRST Loss data through the IBM OpenPages FastMap feature. For more information about this profile, see “OpenPages FIRST Loss 6.2.1 Profile” on page 22.
Chapter 2. Object Types
The IBM OpenPages Operational Risk Management module includes various object types that are enabled or disabled by default, and subcomponents.

Object Types Enabled by Default
The following object types are available in the default IBM OpenPages Operational Risk Management configuration and are enabled by default.
Table 1. Object types enabled by default

| Object Type Label | Description |
|---|---|
| Business Entity | Business entities are abstract representations of your business structure. A Business Entity object type can contain Sub-Entity objects (such as departments, business units, geographic locations). The entity structure that you create depends on your business needs. For example, you could create a parent entity for your business headquarters then a subentity for each location or department. You may also want to represent both a legal entity structure and a business entity structure. Business Entities are also used to organize library data such as risk and control libraries, or regulatory content (for example, laws, regulations, and standards). When you set up the Business Entity hierarchy, you should work with your IBM consultant as the structure of your business entities will greatly impact the type and quality of the information that can be extracted from the application. |
| Process | Processes represent the major end-to-end business activities within a business entity that are subject to risk. The processes will typically reside in areas such as financial reporting, compliance, and information security. |
| Sub-Process | A Sub-Process is a component of a Process. It is used to decompose processes into smaller granularity units for assessment purposes. |
| Risk | Risks are potential liabilities. Risks can be associated with, for example, business processes, business entities, or compliance with a particular mandate. Each risk has one or more controls that are associated with it. Controls provide safeguards against the risk and help mitigate any consequences that may result from the risk. You can use the Risk object to categorize risks; capture the frequency, rating, and severity of inherent and residual risk data; and view reports that help identify your top risk items. |
| Control | Controls are typically policies and procedures (procedures are actions that implement the policies) to help ensure that risk mitigation responses are carried out. Once you identify the risks in your practices, you need to establish controls (such as approvals, authorizations, verifications) that remove, limit, or transfer these potential risks. Controls should be designed to provide either prevention or detection of risks. Controls are usually associated with tests that ensure a control is effective. |
| Test Plan | You can determine the operating effectiveness of a control by conducting one or more detailed tests of a control and then documenting the results. Test Plans are descriptions of the mechanisms that are used to determine whether a control is effective. |
| Test Result | A Test Result is the information that is obtained from running a Test Plan. |
| Risk Assessment | Risk assessments give you the ability to evaluate and report on potential liabilities for a set of business entities or processes. You can use the Risk Assessment object – which contains the names of the assessor and reviewer, the time frames for the assessment, and the status of the assessment – to manage your risk self-assessment process. |
| Scenario Analysis | Scenario Analysis is an assessment technique that is used to identify and measure specific kinds of risks, in particular, low frequency, high-impact events such as earthquakes, recessions, or power grid failures. |
| ORX Loss | ORX Loss objects can be imported from the ORX external loss database, for use with scenario analysis, benchmarking and reports generation, and to export loss data to analytic tools or capital allocation applications. |
| ORIC Loss | ORIC Loss objects can be imported from the ORIC external loss database, for use with scenario analysis, benchmarking and reports generation, and to export loss data to analytic tools or capital allocation applications. |
| FIRST Loss | FIRST Loss objects can be imported from the IBM Algo FIRST external loss database, for use with scenario analysis, benchmarking and reports generation, and to export loss data to analytic tools or capital allocation applications. |
| Loss Event | Loss Events are used to track operational losses that may occur in any part of an organization. Loss Events are typically stored under the Business Entity where the loss occurred. The Loss Event objects are used to track, assess, and manage the related internal loss data. You can add multiple impacts and recoveries for each Loss Event by using the Loss Impact and Loss Recovery objects. |
| Loss Impact | A loss impact is a financial and/or non-financial consequence that results from a loss event. Loss Impacts track different types of impacts that are triggered by a Loss Event, such as legal liability, asset loss and damage, or business interruption. There can be multiple Loss Impacts associated with each Loss Event. |
| Loss Recovery | Loss Recovery objects are used to track the processes that are associated with recouping damages that result from Loss Events. |
| KRI, KRI Value | KRIs are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KRI within the organization can have unique target and threshold limits. |
| Signature | A Signature generally indicates agreement that the object meets your approval. It has no enforcement powers, and does not prevent the item from being modified after approval is given. An object with a signature has a signature icon next to the signer's name on the Signatures tab. Depending on your system configuration, signatures (with or without associated locks) can be applied to an object in the following ways: manually from the detail page of an object; automatically through a workflow task; some combination of both automatic and manual. If signature locks are configured on your system, when you sign off on an object, the object and all its associated child objects are locked and cannot be modified until you either revoke your signature or an administrator unlocks the object. |
| Issue, Action Item | Although issues typically result from areas where internal controls are not properly implemented or designed, you can use the Issue object to document a concern that is associated with any object type. An issue is resolved through one or more Action Items. You can use an Action Item object or a series of related Action Item objects to form an action plan. Each Action Item can be assigned to a user for resolution, and progress can be tracked from the detail page of the parent Issue. Once all Action Items for an Issue are complete (an assignee sets the value to 100%), you can close the Issue. |
| File | The File object type is used to embed a reference to a file (such as a document, flow chart or spreadsheet) in the OpenPages system, and associate it to one or more relevant objects. |
| Link | The Link object type is used to embed a reference to a URL in the OpenPages system, and associate it to one or more relevant objects. |
Object Types Disabled by Default
The following object types are available in the IBM OpenPages Operational Risk Management configuration and are disabled by default.
Table 2. Object types disabled by default

| Object type label | Description |
|---|---|
| KPI, KPI Value | KPIs are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KPI within the organization can have unique target and threshold limits. |
| Questionnaire, Section, Question | Questionnaire, Section, and Question are three objects that are used together to implement questionnaires. |
| Preference Group, Preference | The Preference Group object is used for grouping Preference object instances together. Without this grouping object, each Preference object instance would need to be associated separately to each of the relevant Business Entities. The group object helps to minimize the associated maintenance. The Preference object type is a child of Business Entity, and is used for holding variable values that can drive reports, workflows, and computed fields. The Preference object has entity-specific variable values that enable different behavior for the same workflows such as to determine the behavior for review and approval workflows. That is, who the appropriate users are for each level of review and approval, and what the thresholds are for determining how many levels of review and approval are required. |
| Milestone, Milestone Action Item | A Milestone represents a significant point in the development of your project. You can tie Milestones to specific dates, or use them to signify the completion of a portion of the entire project. Milestones can contain other Milestones or Milestone Action Items. You cannot associate a Milestone with other objects in the object hierarchy. A Milestone Action Item object type is a specific objective that must be completed to reach a milestone. In general, all Milestone Action Item objects that are associated with a Milestone object must be completed to reach a milestone. When you are assigned a Milestone Action Item object, it is displayed (if configured) in the My Milestone Action Items section of your Classic Home page. |
| Control Objective | A Control Objective is an assessment object type that helps define the risk categories for a Process or Sub-Process object. For each Process or Sub-Process object, an organization sets the control objectives. Control objectives define the COSO compliance categories that the controls associated with the risks are intended to mitigate. For example, Control Objective objects can be classified into one or more categories such as Compliance, Financial Reporting, Strategic, Operations, or Unknown. Once a control objective is identified, the Risk objects associated to a Control Objective object can then be identified and defined. In most cases, each Control Objective object has one Risk object that is associated with it. However, Control Objectives can have more than one Risk that is associated with them, so they are separated into their own object type. |
| Cost Center | Cost Center object types are used to group loss events under a business entity. In many cases, firms want to track where loss events occur at a fine granularity (that is, cost center level) but do not want to represent all of the organizational layers as business entities. |
| Risk Eval | Risk Eval (Evaluation) object types are children of Risk objects and are used to capture risk measurement values for trending purposes. When the reporting periods do not align with the risk evaluation cycles, you can use Risk Eval objects to capture multiple evaluation cycles within a single reporting period. |
| Control Eval | Control Eval (Evaluation) objects are similar to Risk Evaluation objects except that they are instantiated as children of Controls. They store control assessment data. |
| Risk Assessment Eval | Risk Assessment Eval (Evaluation) objects are similar to Risk Evaluation objects except that they are instantiated as children of Risk Assessments. They store risk assessment data. |
| Process Eval | Process Eval (Evaluation) objects are children of Process objects and they are used to capture process measurement values for trending purposes. When the reporting periods do not align with the evaluation cycles, you can use Process Eval objects to capture multiple evaluation cycles within a single reporting period. |
| Scenario Result | Scenario Result objects are children of Scenario Analysis objects and they are used to capture the results of Scenario Analysis workshops for comparison and trending purposes. |
Subcomponents
IBM OpenPages GRC Platform modules consist of several subcomponents, which are groups of object types that support a logical function within a module. The following tables list the subcomponents for the IBM OpenPages Operational Risk Management module.
Table 3. Subcomponents shared with other modules

| Subcomponent | Object Types |
|---|---|
| Organization | Business Entity |
| Preference | Preference Group, Preference |
| Risk Assessment | Risk Assessment, Risk Assessment Eval |
| Process | Process, Process Eval, Sub-Process, Control Objective |
| Risk | Risk, Risk Eval |
| Control | Control, Control Eval |
| Test | Test Plan, Test Result |
| Issue | Issue, Action Item |
| Questionnaire | Questionnaire, Section, Question |
| Milestone | Milestone, Milestone Action Item |

Table 4. ORM-specific subcomponents

| Subcomponent | Object Types |
|---|---|
| Scenario Analysis | Scenario Analysis, Scenario Result |
| External Loss | ORX Loss, ORIC Loss, FIRST Loss |
| Loss Event | Loss Event, Loss Impact, Loss Recovery, Cost Center |
| KRI | KRI, KRI Value |
| KPI | KPI, KPI Value |
In addition to the subcomponents listed in the tables, the following object types are included in each module and can be accessed by any authorized user:
- Signature
- File
- Link
Chapter 3. Computed Fields
By default, the IBM OpenPages Operational Risk Management module does not include any computed fields.
Chapter 4. Helpers
By default, the IBM OpenPages Operational Risk Management module does not include any helper applications.
Chapter 5. Reports
This section describes the reports that are available for the IBM OpenPages Operational Risk Management module.

The IBM OpenPages GRC Platform 6.2.0 Report Details document provides more details on the reports described here.

For a description of additional reports installed with the IBM OpenPages GRC Platform and available to all modules, see the IBM OpenPages GRC Platform Administrator's Guide.

ORM-Specific Reports
This section contains reports that are specific to the IBM OpenPages Operational Risk Management module.

Loss Event Reports
The following loss event reports are specific to the IBM OpenPages Operational Risk Management module.
Table 5. Loss Event Reports

| Name | Drill-Through | Description |
|---|---|---|
| Loss Event Dashboard | Loss Event Dashboard Detail | Displays the count of Loss Events for the selected Business Entity and its descendants, broken out by Status and Risk Category, with the ability to drill-through to detail information. |
| Loss Event Summary | Loss Event Detail | Displays a column chart (representing entities) showing Net Loss that is broken out by Risk Category. A drill through report shows Loss Event details. |
| Loss Event Trend | Loss Event Trend Detail | Displays the trend of Net Loss by Risk Category for a specified Business Entity. |
| Risk vs Loss | | Displays the annual Net Loss of a Business Entity for a specified date that is compared with the current Residual Risk Exposure. |
Reports Shared with Other Modules
The IBM OpenPages Operational Risk Management module contains a number of reports that are shared with other IBM OpenPages GRC Platform modules.

Risk Assessment Reports
The following risk assessment reports are shared with other IBM OpenPages GRC Platform modules.
Table 6. Risk Assessment Reports

| Name | Drill-Through | Description |
|---|---|---|
| Risk Assessment List | | Shows Risk Assessment details for a specified Business Entity and all of its descendents. |
| Risk Assessment Status | Risk Assessment Status Detail | Displays a stacked column chart that shows the status of Risk Assessments for the specified Business Entity and its direct descendents. |
| Risk Assessment Summary | Risk Assessment Issues and Action Items | Displays Risk Assessment details along with all associated Risks and Controls. A drill through report displays Issues and Action Items that are related to the Risk Assessments, Risks, or Controls. |
Risk Reports
The following risk reports are shared with other IBM OpenPages GRC Platform modules.

Table 7. Risk Reports

| Name | Drill-Through | Description |
|---|---|---|
| Risk Analysis | | Shows Risks grouped by Process for a specified Business Entity. |
| Risk Heat Map | Risk Detail | Displays a table that aggregates Risks by Residual Impact and Likelihood for a specified Business Entity. |
| Risk Rating by Entity | Risk Rating by Entity Detail | Displays Residual Risk Rating summary information for the selected Business Entity and its descendents, with the ability to drill-through to risk details. |
| Risk Rating by Category | Risk Rating by Category Detail | Displays Risk Category and Residual Risk Rating summary information for the selected Business Entity, with the ability to drill-through to Risk details. |
| Top Risks | | Summary of the top Risks ranked by Residual Risk Exposure, and also shows the Inherent Risk Exposure. |
Control Reports
The following control reports are shared with other IBM OpenPages GRC Platform modules.

Table 8. Control Reports

| Name | Drill-Through | Description |
|---|---|---|
| Risk and Control Matrix | | Shows Risk and Control data for specified Business Entity and Process(es). |
| Control Effectiveness Map | Control Effectiveness Detail | Control map shows counts of Controls grouped by Process(es) and Operating Effectiveness, with the ability to drill-through to a sub-report for detail information. |
Testing Reports
The following testing report is shared with other IBM OpenPages GRC Platform modules.

Table 9. Testing Reports

| Name | Drill-Through | Description |
|---|---|---|
| Testing Dashboard | Testing Details | Displays summary Test Result information for the selected Business Entity, with the ability to drill-through to detail and trend information. |
Indicator Reports
The following indicator reports are shared with other IBM OpenPages GRC Platform modules.

Table 10. Indicator Reports

| Name | Drill-Through | Description |
|---|---|---|
| KRI Dashboard | KRI Details | Displays summary KRI information for the selected Business Entity and its descendents, with the ability to drill-through to detail and trend information. |
| KPI Dashboard | KPI Details | Displays summary KPI information for the selected Business Entity and its descendents, with the ability to drill-through to detail and trend information. |
Chapter 6. Triggers
The IBM OpenPages Operational Risk Management module contains several available triggers.

The IBM OpenPages 6.2.0 Modules Trigger Details document provides more information about the triggers described here.

Before you use the ObjectManager tool to load XML instance data, you must disable triggers on any object types for which you will be loading data.

Object types that are configured for the IBM OpenPages Operational Risk Management module to have triggers by default include:
- Risk
- Loss Impact
- Loss Recovery
- KRI Value
- KPI Value

Object types that are configured for other IBM OpenPages GRC Platform modules to have triggers by default include:
- Audit
- Audit Section
- Workpaper
- Plan
- Timesheet
- Finding
- Audit Review Comment
- File (SOXDocument)
- Policy

ORM-Specific Triggers
This section describes triggers that are specific to the IBM OpenPages Operational Risk Management module.
Loss Event Life Cycle Triggers
The Loss Event Life Cycle triggers are configured to calculate and persist four fields on the Loss Event object, when related fields are created or changed on any descendent Loss Impact and Loss Recovery objects.

The triggers operate only on a Loss Impact or Loss Recovery object, but persist their calculated values on the antecedent Loss Event object. Field values from other descendents of the Loss Event object are also inputs into the calculations. The four fields and a description of their computations follow:

Estimated Gross Loss
    Converts all Estimated Loss amounts on Loss Impact children objects to Base Currency, and then adds them together.
Gross Loss
    Converts all Actual Loss amounts on Loss Impact children objects to Base Currency, and then adds them together.

Recovery Amount
    Converts all Actual Recovery Amount amounts on Loss Recovery children to Base Currency, and then adds them together.

Net Loss
    Subtracts Recovery Amount from Gross Loss.
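
The roll-up described above, written out as an added Python example for checking loaded or migrated loss data against the four persisted fields; it is not IBM's trigger code. The class names, field names, exchange rates and sample amounts are constructed for illustration, and treating a missing amount as zero is an assumption.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional

# Constructed exchange rates into the Base Currency (USD is assumed as base).
RATES_TO_BASE = {"USD": Decimal("1"), "EUR": Decimal("1.25"), "GBP": Decimal("1.50")}


@dataclass
class LossImpact:
    currency: str
    estimated_loss: Optional[Decimal] = None
    actual_loss: Optional[Decimal] = None


@dataclass
class LossRecovery:
    currency: str
    actual_recovery: Optional[Decimal] = None


@dataclass
class LossEvent:
    impacts: List[LossImpact] = field(default_factory=list)
    recoveries: List[LossRecovery] = field(default_factory=list)
    # The four fields that the text says are persisted on the Loss Event.
    estimated_gross_loss: Decimal = Decimal("0")
    gross_loss: Decimal = Decimal("0")
    recovery_amount: Decimal = Decimal("0")
    net_loss: Decimal = Decimal("0")


def to_base(amount, currency, rates=RATES_TO_BASE):
    """Convert one amount to Base Currency.

    Assumption: a missing amount contributes zero. An unknown currency is an
    error rather than a silent zero, so a bad rate table cannot understate a loss.
    """
    if amount is None:
        return Decimal("0")
    if currency not in rates:
        raise ValueError(f"no exchange rate for {currency!r}")
    return amount * rates[currency]


def recompute_loss_event(event, rates=RATES_TO_BASE):
    """Recalculate all four fields from every child, as the text describes:
    a change to one child still uses the values of all other descendants."""
    zero = Decimal("0")
    event.estimated_gross_loss = sum(
        (to_base(i.estimated_loss, i.currency, rates) for i in event.impacts), zero)
    event.gross_loss = sum(
        (to_base(i.actual_loss, i.currency, rates) for i in event.impacts), zero)
    event.recovery_amount = sum(
        (to_base(r.actual_recovery, r.currency, rates) for r in event.recoveries), zero)
    event.net_loss = event.gross_loss - event.recovery_amount
    return event


def sample_event():
    """Constructed sample: two impacts (one with no actual loss yet), one recovery."""
    return LossEvent(
        impacts=[
            LossImpact("EUR", estimated_loss=Decimal("1000"), actual_loss=Decimal("800")),
            LossImpact("USD", estimated_loss=Decimal("500")),
        ],
        recoveries=[LossRecovery("GBP", actual_recovery=Decimal("200"))],
    )


if __name__ == "__main__":
    e = recompute_loss_event(sample_event())
    print(e.estimated_gross_loss, e.gross_loss, e.recovery_amount, e.net_loss)
```

Because triggers must be disabled while ObjectManager loads data, a recomputation like this run over exported records is one way to find Loss Events whose stored totals no longer match their children.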
Triggers Shared with Other Modules
This section outlines the triggers shared with other IBM OpenPages GRC Platform modules.

Risk Rating Computations Trigger
The Risk Rating Computations trigger calculates and persists the Inherent and Residual Risk Rating, and Inherent and Residual Risk Exposure field values on the Risk object. The calculations are performed on a Risk object instance whenever that instance is created or updated.

The calculations are performed as follows:

Risk Rating Fields (Inherent and Residual)
    Impact and Likelihood values of High, Medium and Low are combined to give rating values of High, Medium, Low or Not Determined. If either or both input values are Low, then the rating is Low. If both are Medium, or one is Low and the other is High, the rating is Medium. If both are High or one is High and the other is Medium, the rating is High. If either or both values are missing or are another value that has been added to the configuration, then the rating is Not Determined.

Risk Exposure Fields (Inherent and Residual)
    Frequency and Severity values are multiplied together to give an Exposure currency amount, expressed in Base Currency.
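
The rating rules above, encoded one sentence at a time as an added Python example that is not IBM's trigger code. Read literally, the Low rule and the Medium rule both match a Low/High pair, so the example reports that overlap and then resolves it in favour of the more specific Medium rule; that resolution, the function names, and returning no exposure when an input is missing are assumptions.

```python
from decimal import Decimal

LEVELS = ("Low", "Medium", "High")
NOT_DETERMINED = "Not Determined"

# Each documented sentence as (resulting rating, predicate over the unordered pair).
RULES = [
    ("Low", lambda pair: "Low" in pair),
    ("Medium", lambda pair: pair == {"Medium"} or pair == {"Low", "High"}),
    ("High", lambda pair: pair == {"High"} or pair == {"High", "Medium"}),
]


def matching_rules(impact, likelihood):
    """Ratings whose documented rule matches this Impact/Likelihood pair."""
    pair = {impact, likelihood}
    return [rating for rating, predicate in RULES if predicate(pair)]


def ambiguous_pairs():
    """Input pairs that more than one documented rule claims."""
    return sorted(
        (i, l) for i in LEVELS for l in LEVELS if len(matching_rules(i, l)) > 1
    )


def risk_rating(impact, likelihood):
    """Combine Impact and Likelihood into a rating.

    Missing values, or values outside High/Medium/Low (for example a level
    added to the configuration), give Not Determined as the text states.
    """
    if impact not in LEVELS or likelihood not in LEVELS:
        return NOT_DETERMINED
    if {impact, likelihood} == {"Low", "High"}:
        # Assumption: the explicit Low/High sentence wins over the general
        # "either value is Low" sentence.
        return "Medium"
    return matching_rules(impact, likelihood)[0]


def risk_exposure(frequency, severity):
    """Frequency multiplied by Severity, as an amount in Base Currency.

    Assumption: when either input is missing there is no exposure value.
    """
    if frequency is None or severity is None:
        return None
    return Decimal(str(frequency)) * Decimal(str(severity))


def rating_matrix():
    """Full Impact x Likelihood matrix, useful for reviewing a configuration."""
    return {(i, l): risk_rating(i, l) for i in LEVELS for l in LEVELS}


if __name__ == "__main__":
    print("pairs matched by more than one rule:", ambiguous_pairs())
    for (impact, likelihood), rating in rating_matrix().items():
        print(f"{impact:6} x {likelihood:6} -> {rating}")
    print("exposure:", risk_exposure(4, "25000.50"))
```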
KRI Life Cycle Trigger
The KRI Life Cycle trigger is configured to calculate and persist field values on the KRI and KRI Value object types.

When a KRI Value object is created or updated, the following occurs:
- The Red Threshold, Yellow Threshold, and Direction Information values are copied from the parent KRI object to the KRI Value object.
- The Collection Status, Value, and Value Date field values from the most recent KRI Value object are copied from the KRI Value object to the parent KRI object.
- Breach Status (Red, Yellow, Green or Not Determined) is calculated by comparing the number in the Value field on the KRI Value with the Red and Yellow Thresholds and the Direction Information. Breach Status is then copied to the KRI Value object, and if this is the most recent KRI Value object, then it is also copied to the parent KRI object.
- If there is more than one KRI Value child for the parent KRI, the Indicator Trend (Better, Steady, Worse, Not Determined) is calculated by comparing the two most recent KRI Values, and then the calculated Trend Indicator value is persisted on the KRI.
KPI Life Cycle Trigger
The KPI Life Cycle trigger is configured to calculate and persist field values on the KPI and KPI Value object types.
When a KPI Value object is created or updated, the following occurs:
- The Red Threshold, Yellow Threshold, and Direction Information values are copied from the parent KPI object to the KPI Value object.
- The Collection Status, Value, and Value Date field values from the most recent KPI Value object are copied from the KPI Value object to the parent KPI object.
- Breach Status (Red, Yellow, Green or Not Determined) is calculated by comparing the number in the Value field on the KPI Value with the Red and Yellow Thresholds and the Direction Information. Breach Status is then copied to the KPI Value object, and if this is the most recent KPI Value object, then it is also copied to the parent KPI object.
- If there is more than one KPI Value child for the parent KPI, the Indicator Trend (Better, Steady, Worse, Not Determined) is calculated by comparing the two most recent KPI Values, and then the calculated Trend Indicator value is persisted on the KPI.
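The life cycle steps listed above for KRI Value objects (the KPI trigger follows the same steps), as an added Python model that is not IBM's trigger code. It assumes Direction Information is encoded as +1 or -1, that a value reaching a threshold counts as breaching it, and that "most recent" means the latest Value Date; Collection Status is left out and would be copied the same way as Value. All class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Assumed encoding of Direction Information (the page does not list its values).
HIGHER_IS_WORSE, LOWER_IS_WORSE = 1, -1

@dataclass
class KRIValue:
    value: Optional[float]
    value_date: date
    red: Optional[float] = None
    yellow: Optional[float] = None
    direction: Optional[int] = None
    breach_status: str = "Not Determined"

@dataclass
class KRI:
    red: Optional[float]
    yellow: Optional[float]
    direction: Optional[int]
    values: List[KRIValue] = field(default_factory=list)
    value: Optional[float] = None
    value_date: Optional[date] = None
    breach_status: str = "Not Determined"
    trend: str = "Not Determined"

def breach_status(value, red, yellow, d):
    if None in (value, red, yellow) or d not in (HIGHER_IS_WORSE, LOWER_IS_WORSE):
        return "Not Determined"
    # Multiplying by d makes "larger" mean "worse"; reaching a threshold counts (assumption).
    if d * value >= d * red:
        return "Red"
    return "Yellow" if d * value >= d * yellow else "Green"

def on_value_saved(kri, kv):
    """Apply the documented steps after a KRI Value is created or updated."""
    kri.values = [v for v in kri.values if v is not kv] + [kv]
    kv.red, kv.yellow, kv.direction = kri.red, kri.yellow, kri.direction  # snapshot
    kv.breach_status = breach_status(kv.value, kv.red, kv.yellow, kv.direction)
    ordered = sorted(kri.values, key=lambda v: v.value_date)
    latest, prev = ordered[-1], (ordered[-2] if len(ordered) > 1 else None)
    kri.value, kri.value_date = latest.value, latest.value_date
    if latest is kv:  # only the most recent value updates the parent's breach status
        kri.breach_status = kv.breach_status
    known = prev is not None and kri.direction in (1, -1) and None not in (latest.value, prev.value)
    delta = kri.direction * (latest.value - prev.value) if known else None
    kri.trend = ("Not Determined" if delta is None else
                 "Worse" if delta > 0 else "Better" if delta < 0 else "Steady")
```

Saving a late-arriving value with an older Value Date gives that value its own Breach Status but leaves the parent's Value and Breach Status untouched, which is the case the "most recent" wording in the steps covers.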
Chapter 7. Profiles
The IBM OpenPages Operational Risk Management module includes the OpenPages ORM 6.2.1 Master and the OpenPages FIRST Loss 6.2.1 profiles by default.
OpenPages ORM 6.2.1 Master Profile
The OpenPages ORM 6.2.1 Master profile includes the fields and configuration for all of IBM OpenPages Operational Risk Management.
This profile includes:
- Filters
- Classic Home page and Home page tabs
- Dependent fields and dependent picklists
- Activity, Detail, Context, Folder, Overview, Filtered List, and List Views
Subsets of this profile that are appropriate for an ORM Manager, BU Risk Manager, and so on, are created during the implementation project.
Home Page Filtered Lists
By default, the IBM OpenPages Operational Risk Management module contains filtered lists that are defined for the Classic tab on the Home page for users of the OpenPages ORM 6.2.1 Master profile.
Table 11. Classic tab filtered lists for the OpenPages ORM 6.2.1 Master profile
Filter                    Description                                                       Object Type
My Open Issues            Home Page access to your open Issues.                             Issue
KRI Breaches              Home Page access to KRIs that have a breach status of red.        KRI
Open Loss Events Over 1M  Home Page access to large open Loss Events.                       Loss Event
My Risk Assessments       Home Page access to Risk Assessments where you are the Assessor.  Risk Assessment
Activity Views
By default, the IBM OpenPages Operational Risk Management module contains several activity views that are defined for users of the OpenPages ORM 6.2.1 Master profile.
Table 12. Activity views for the OpenPages ORM 6.2.1 Master profile
Activity View Name       Description
Control Testing Summary  Used to indicate Control Operating Effectiveness. Provides Test Plan and Test Result information that informs the Operating Effectiveness decision.
Questionnaire Set Up     Used to create and modify questionnaires that use the Questionnaire, Section, Question object model.
Questionnaire            Used to respond to questionnaires that use the Questionnaire, Section, Question object model.
Process RCSA View        Facilitates conducting process-based Risk and Control Self Assessments.
RCSA View                Facilitates conducting Risk Assessment-based Risk and Control Self Assessments.
OpenPages FIRST Loss 6.2.1 Profile
The OpenPages FIRST Loss 6.2.1 profile includes the fields and configuration that facilitate the loading of FIRST Loss data through the OpenPages FastMap feature to IBM OpenPages Operational Risk Management.
This profile includes the following:
- Classic Home page and Home page tabs
- Dependent picklists
- Detail, Context, Folder, Overview, Filtered List, and List Views
The OpenPages FIRST Loss 6.2.1 profile makes all fields in FIRST Loss objects editable to users with this profile so data can be loaded. This profile should be assigned only to users who are responsible for loading FIRST Loss data through FastMap. All other users should have read-only access to FIRST Loss objects.
Home Page Filtered Lists
There are no home page filtered lists defined for users of the OpenPages FIRST Loss 6.2.1 profile.
Activity Views
There are no activity views defined for users of the OpenPages FIRST Loss 6.2.1 profile.
Chapter 8. Role Templates
The following two role templates are available, by default, for the IBM OpenPages Operational Risk Management module.
OpenPages ORM 6.2 - All Permissions
    Full R/W/D/A access to all ORM object types that are present and enabled by default. Full administrator rights.
OpenPages ORM 6.2 - All Data - No Admin
    Full R/W/D/A access to all ORM object types that are present and enabled by default. No administrator rights except those associated with workflows, files and folders.
The above role templates provide read, write, delete and associate access to the following object types.
Table 13. Role template object types
Object Type Name                  Object Type Label
FIRSTLoss                         FIRST Loss
KeyRiskindicator                  KRI
KeyRiskindicatorValue             KRI Value
LossEvent                         Loss Event
LossImpact                        Loss Impact
LossRecovery                      Loss Recovery
ORICLoss                          ORIC Loss
ORXLoss                           ORX Loss
ProcessEval                       Process Eval
RiskAssessment                    Risk Assessment
ScenarioAnalysis                  Scenario Analysis
ScenarioResult                    Scenario Result
SOXBusEntity                      Business Entity
SOXControl                        Control
SOXDocument, SOXExternalDocument  File, Link
SOXIssue                          Issue
SOXProcess                        Process
SOXRisk                           Risk
SOXSignature                      Signature
SOXSubprocess                     Sub-Process
SOXTask                           Action Item
SOXTest                           Test Plan
SOXTestResult                     Test Result
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. This document may describe products, services, or features that are not included in the Program or license entitlement that you have purchased.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785
    U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
    Intellectual Property Licensing
    Legal and Intellectual Property Law
    IBM Japan Ltd.
    19-21, Nihonbashi-Hakozakicho, Chuo-ku
    Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
    IBM Corporation
    Location Code FT0
    550 King Street
    Littleton, MA 01460-1250
    U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information is for planning purposes only. The information herein is subject to change before the products described become available.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color illustrations may not appear.
Copyright
Licensed Materials - Property of IBM Corporation.
© Copyright IBM Corporation, 2003, 2013.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written.
These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
Trademarks
IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.