IBM OpenPages GRC Platform Version 6.2.1 Modules Overview

Post on 13-Aug-2020

Page 1: IBM OpenPages GRC Platform Version 6.2.1: Modules Overviewpublic.dhe.ibm.com/.../openpages/en/6.2.1/OP_All_Modules_Overvie… · Chapter 1. Introduction This chapter describes the

IBM OpenPages GRC Platform Version 6.2.1

Modules Overview

Note

Before using this information and the product it supports, read the information in “Notices” on page 39.

Product Information

This document applies to IBM OpenPages GRC Platform Version 6.2.1 and may also apply to subsequent releases.

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2013.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Chapter 1. Introduction
- IBM OpenPages Financial Controls Management module
- IBM OpenPages Operational Risk Management module
- IBM OpenPages Policy and Compliance Management module
- IBM OpenPages IT Governance module
- IBM OpenPages Internal Audit Management module
- Object Type Licensing

Chapter 2. Object Types
- Object Descriptions
- Subcomponents

Chapter 3. Computed Fields

Chapter 4. Helpers

Chapter 5. Reports
- Reports Shared by All Modules
- Reports Shared by ORM, PCM and ITG
- FCM-Specific Reports
- ORM-Specific Reports
- PCM-Specific Reports
- ITG-Specific Reports
- IAM-Specific Reports

Chapter 6. Triggers

Chapter 7. Profiles
- Profiles available by default
- Home Page Filtered Lists
- Activity Views

Chapter 8. Role Templates

Notices

Document Release and Update Information

This topic lists information about this document and where updates to this document can be found.

Document Release Information

Software Version: 6.2.1

Document Published: April, 2013

Document Updates

Supplemental documentation is available on the web. Go to the IBM® OpenPages® GRC Platform documentation library on the IBM support website (http://www.ibm.com/support/docview.wss?uid=swg27028308).

Chapter 1. Introduction

This chapter describes the modules in the IBM OpenPages GRC Platform.

IBM OpenPages Financial Controls Management module

The IBM OpenPages Financial Controls Management module reduces the time and resource costs that are associated with ongoing compliance for financial reporting regulations.

IBM OpenPages Financial Controls Management combines powerful document and process management with rich interactive reporting capabilities in a flexible, adaptable easy-to-use environment, enabling CEOs, CFOs, managers, independent auditors, and audit committees to perform all the necessary activities for complying with financial reporting regulations in a simple and efficient manner.

IBM OpenPages Financial Controls Management allows users to easily see the status of their financial controls documentation project, and provides a secure repository for the storage of their internal controls documentation.

Key features include:
- A Financial Controls Management Repository, which logically presents processes, risks and controls in many-to-many and shared relationships at multiple levels, and enables file attachment capability and action plans for processes, risks, controls, and tests at all levels.
- Flexible automation, which provides notification and completion of financial controls management activities, such as design review, operating review, and certification.
- Reporting, monitoring, and analytics.

IBM OpenPages Operational Risk Management module

The IBM OpenPages Operational Risk Management module automates the process of identifying, measuring and monitoring operational risk, combining all risk data – risk and control self assessments, loss events, scenario analysis, external losses, and key risk indicators (KRI) – into a single integrated module.

IBM OpenPages Operational Risk Management combines powerful document and process management with a monitoring and decision support system that enables organizations to analyze, manage and mitigate risk in a simple and efficient manner.

Key features include:
- Risk and Control Self Assessments (RCSA)
  - Identification, measurement, and mitigation of risks.
  - Testing and documentation of internal controls.
- Loss Events
  - Tracking, assessing, and managing both internal and external events that may result in operational loss.
  - Managing multiple impact events and recoveries associated with operational losses.
- External Loss Events from IBM Algo FIRST, ORX and ORIC loss databases
  These databases can be used to import loss data from the external loss database into the IBM OpenPages Operational Risk Management module for scenario analysis, benchmarking, and reports generation and to export loss data to analytic tools or capital allocation applications.
- Key Risk Indicators (KRIs)
  KRIs can track performance metrics to potentially show the presence or state of a risk condition or trend.
- Scenario Analysis
  Scenario Analysis includes an assessment technique used to identify and measure specific kinds of risks, in particular, low frequency, high-severity events.
- Reporting, monitoring and analytics

IBM OpenPages Policy and Compliance Management module

The IBM OpenPages Policy and Compliance Management module is an enterprise compliance management software solution that reduces the cost, complexity and cumbersome nature of compliance with multiple regulatory mandates and corporate policies.

IBM OpenPages Policy and Compliance Management enables companies to manage and monitor compliance activities through a full set of integrated functionality including:
- Regulatory Libraries and Change Management
- Risk and Control Assessments
- Policy Management, including Policy Creation, Review & Approval and Policy Awareness
- Control Testing and Issue Remediation
- Regulator Interaction Management
- Incident Tracking
- Key Performance Indicators
- Reporting, monitoring, and analytics

Within Policy Management, OpenPages supports three approaches:

Datacentric: Policy attributes are stored as meta data in the Policy object. Policy and Procedure content is created, stored, edited and reviewed in OpenPages via Policy Viewers. Red-lined track changes within draft iterations are not supported.

Docucentric: Policy attributes are stored as meta data in the Policy object. Policy and Procedure content is created outside of OpenPages and the entire document is attached to the Policy Object. Policy and Procedure content is never imported nor stored in OpenPages.

Hybrid: Policy attributes are stored as meta data in the Policy object. Policy and Procedure content is created and edited in Word documents then imported and stored in OpenPages. Native Word Track Changes functionality is utilized for tracking red-line changes within draft iterations.

IBM OpenPages IT Governance module

The IBM OpenPages IT Governance Management module aligns IT services, risks, and policies with corporate business initiatives, strategy, and operational standards.

IBM OpenPages IT Governance Management allows you to manage internal IT control and risk according to the business processes they support. In addition, IBM OpenPages IT Governance Management unites multiple silos of IT risk and compliance to deliver improved visibility, better decision support, and ultimately enhanced corporate performance.

Key features include:
- IT Regulatory and Policy Compliance
- Risk and Control Assessments
- Control Testing and Issue Remediation
- IT Resource Management
- Incident Tracking
- Key Performance and Key Risk Indicators
- Reporting, monitoring, and analytics

IBM OpenPages Internal Audit Management module

The IBM OpenPages Internal Audit Management module provides internal auditors with a uniquely configured view into organizational governance, risk, and compliance (GRC), affording audit the chance to supplement and coexist with broader risk and compliance management activities.

As with all modules, IBM OpenPages Internal Audit Management is completely integrated with financial controls management, IT governance, policy and compliance efforts and operational risk management programs. The internal audit team has the capability to work as a fully integrated partner to business stakeholders, completely independently, or anywhere in between, as determined by the specific needs of the audit department or a particular audit being undertaken.

Key features include:
- The capability to risk rank the audit universe, configured according to your audit methodology
  - Powerful support for your risk assessment methodology.
  - Full reporting across the entire audit universe.
- The ability to define, plan, execute, and report on audits across your business
  - Track and manage audits, audit sections, workpapers, and audit resource requirements and allocations.
  - Automate operations through fully configurable reporting and workflow.
- The ability to provide independent assurance to the business or work as an integrated part of GRC efforts
  - Opine on management's GRC efforts independently.
  - Control access to confidential audits, fields, and audit-only views.

Object Type Licensing

You are licensed to use the object types as indicated in Chapter 2, “Object Types,” on page 5. Use of any other object type not indicated for that module is prohibited without prior written approval from IBM.

Chapter 2. Object Types

This topic describes the object types that are available in the default configuration.

IBM OpenPages GRC Platform 6.2.1 Modules Object Model Details provides information about the relationships between objects for each module.

In the Object types table that follows:
- An A in a cell indicates that the object type is available to the associated module.
- An E in a cell indicates that the object type is enabled by default for that module.
- The acronyms that are used in the table header are defined as follows:
  - FCM = IBM OpenPages Financial Controls Management
  - ORM = IBM OpenPages Operational Risk Management
  - PCM = IBM OpenPages Policy and Compliance Management
  - ITG = IBM OpenPages IT Governance Management
  - IAM = IBM OpenPages Internal Audit Management

Table 1. Object types

Icon Object Name Singular Label FCM ORM PCM ITG IAM

SOXProject Project AE AE AE AE AE

SOXSignature Signature AE AE AE AE AE

SOXMilestone Milestone AE AE AE AE AE

ProjectActionItem Milestone Action Item AE AE AE AE AE

SOXIssue Issue AE AE AE AE AE

SOXTask Action Item AE AE AE AE AE

SOXDocument File AE AE AE AE AE

SOXExternalDocument Link AE AE AE AE AE

SOXBusEntity Business Entity AE AE AE AE AE

SOXProcess Process AE AE AE AE AE

SOXSubprocess Sub-Process AE AE AE AE AE

SOXControlObjective Control Objective AE AE AE AE AE

SOXRisk Risk AE AE AE AE AE

SOXControl Control AE AE AE AE AE

SOXTest Test Plan AE AE AE AE AE

SOXTestResult Test Result AE AE AE AE AE

RiskAssessment Risk Assessment AE AE AE AE AE

SOXAccount Account AE

SOXSubaccount Sub-Account AE

Assertion Assertion A

ScenarioAnalysis Scenario Analysis AE

ScenarioResult Scenario Result A

ORXLoss ORX Loss AE

ORICLoss ORIC Loss AE

FIRSTLoss FIRST Loss AE

LossEvent Loss Event AE

LossImpact Loss Impact AE

LossRecovery Loss Recovery AE

CostCenter Cost Center A

ProcessEval Process Eval A A A A A

RiskEval Risk Eval A A A A A

CtlEval Control Eval A A A A A

RAEval Risk Assessment Eval A A A A A

KeyRiskIndicator KRI AE A AE

KeyRiskIndicatorValue KRI Value AE A AE

RiskEntity Control Plan AE

RiskSubEntity Baseline AE

Resource Resource AE

ResourceLink Resource Link AE

Incident Incident AE AE

KeyPerfIndicator KPI A AE AE

KeyPerfIndicatorValue KPI Value A AE AE

Waiver Waiver AE AE

Mandate Mandate AE AE

Submandate Sub-Mandate AE AE

Requirement Requirement AE AE

Policy Policy AE AE

Procedure Procedure AE AE

Attestation Attestation AE

Campaign Campaign AE

Employee Employee AE

Regulator Regulator AE

RegInt Regulator Interaction AE

RICat RI Category AE

RIReq RI Request AE

RegApp Regulation Applicability AE

RegChange Regulatory Change AE

RegTask Regulatory Task AE

PolicyReviewComment Policy Review Comment AE

Questionnaire Questionnaire A A AE A A

Qsection Section A A AE A A

Quest Question A A AE A A

PrefGrp Preference Group A A A A AE

Preference Preference A A A A AE

AuditableEntity Auditable Entity AE

AuditProgram Audit AE

AuditPhase Audit Section AE

Workpaper Workpaper AE

Finding Finding AE

Plan Plan AE

Timesheet Timesheet AE

Auditor Auditor AE

ReviewComment Audit Review Comment AE

Object Descriptions

This section provides short descriptions of object types.

Table 2. Object type descriptions

Object Type Label: Description

Account: Generally, Accounts correspond to the line items on a financial report, although not necessarily on a one-to-one basis. Each Account is affected by recurring Processes. These Processes can introduce Risks that must be documented during the financial controls documentation project.

Assertion: The Assertion object is used to link Control objects to Account (or Sub-Account) objects. A common practice is to store the “type” of assertion that the Control is covering as a data field on the Assertion object.

Attestation: The Attestation object is part of the Policy Awareness capability and is used to capture an employee's affirmation that they have read and understood a policy. An attestation's primary parent is the Employee record and the secondary parent is the associated Campaign.

Audit: An Audit represents each execution of an “audit” against an Auditable Entity. For example, if an Auditable Entity will be audited every two years, there would be separate child Audit instances for 2006, 2008, 2010, and so on.

The Audit object is configured to be a self-contained object type, meaning that a folder will be automatically created for each instance of it. This facilitates the ability to copy template audits and audit components from a library to the audit hierarchy without object naming conflicts.

Planning and Scheduling of the Audit Resources is typically done at the Audit level.

High level Audit progress can be tracked by monitoring the Status values and Date values on the Audit. Key audit milestones can be tracked by adding fields on the Audit that represent completion dates for each of the key milestones they wish to track.

You use the Audit object to manage the audit process across your enterprise. The Audit object identifies a holding point where you can capture information such as scope, objectives, timing information, review, execution and approval roles. If wanted, you could track only those audits you will be undertaking in a given planning horizon, or all audits in the audit universe.

Auditor: Resource planning and allocating requires key information about each individual who may perform audit work. The Auditor object is used to create a pool of Auditors who can be assigned to Audits.

Each user who may be assigned to audit work is represented as an Auditor instance. Auditors are then available for resource allocation. The Auditor object includes attributes for which you evaluate and select Auditors for audit engagements, such as specialties, languages, and certifications. Typically, Auditor objects are associated with the relevant component of the Internal Audit organizational hierarchy. It is a best practice that the Name field on the Auditor object matches the user's username.

Audit Review Comment: The Audit Review Comment object type is used to provide feedback during the review process for an audit and its components. It is associated as a child to the instance of the Audit, Section, Workpaper or Finding for which feedback is being provided.

Audit Section: Audit Sections can be used to represent the phases of the audit, work programs within the audit, or other components of the audit at the desired level of granularity.

Typically organizations have a number of standard components for each audit. Template audits that include Sections for each of these standard components can be created in a Library. Planned and Actual Start and End Dates for these sections can be used to report progress on key milestones in the audits.

Detailed Audit progress can be tracked by including an Audit Section that represents each milestone. Alternatively, some organizations may choose to add fields on the Audit that represent completion dates for each of the key milestones they wish to track.

Although Audit Sections can be used as the basis for planning and scheduling Audit resources, most organizations will find this to be too detailed.

Baseline: Object name is RiskSubEntity; label is Baseline. Baseline is a self contained object type; this means that folders are created for each Baseline. Baselines in the Library are representative of types of elements of the IT Operating Environment. They are linked to Requirements in the Library to indicate what must be complied with for that type of element.

When a Baseline is copied from the library to the business hierarchy (using a helper which is part of ITG) it copies the Baseline, creates an association back to the Requirement in the library, creates the descendent Risk, Control and Test and pre-populates the Risk/Control/Test as appropriate with data from the Requirement. A Baseline can represent the assessment of element(s) of the IT Operating Environment, instead of or in addition to representing the actual element. Process, Resource, and so on can represent the actual elements.

Business Entity: Business entities are abstract representations of your business structure. A business entity can contain sub-entities (such as departments, business units, or geographic locations). The entity structure that you create depends on your business needs. For example, you could create a parent entity for your business headquarters then a sub-entity for each location or department. You may also want to represent both a legal entity structure and a business entity structure.

Business entities are also used to organize library data such as risk and control libraries, or regulatory content (for example, laws, regulations, and standards).

When setting up your business entity hierarchy, you should work with your OpenPages consultant as the structure of your business entities will greatly impact the type and quality of the information that can be extracted from the application.

Campaign: The Campaign object is part of the Policy Awareness capability and is used to manage the project management aspects of an awareness campaign. It is also used to define the requirements/criteria that identifies which employees need to read and attest to each Policy. This is done through a series of fields. Campaigns are typically created in the Published Policy Hierarchy.

Control: Controls are typically policies and procedures (procedures are actions that implement the policies), to help ensure that risk mitigation responses are carried out.

Once you have identified the risks in your practices, you need to establish controls (such as approvals, authorizations, verifications, and so forth) that remove, limit, or transfer these potential risks.

Controls should be designed to provide either prevention or detection of risks. Controls are usually associated with tests that ensure a control is effective.

Control Eval: Control Evaluation objects are similar to Risk Evaluation objects except that they are instantiated as children of Controls. They store control assessment data.

Control Objective: A Control Objective is an assessment object that helps define the risk categories for a Process or Sub-Process. For each Process or Sub-Process, an organization sets the Control Objectives.

Control Objectives define the COSO compliance categories that the Controls associated with the Risks are intended to mitigate. For example, Control Objectives can be classified into one or more categories such as Compliance, Financial Reporting, Strategic, Operations, or Unknown.

Once a Control Objective is identified, the Risks belonging to that Control Objective can then be identified and defined. In most cases, each Control Objective will have one Risk associated with it. However, Control Objectives can have more than one Risk associated with them, so they are separated into their own object type.

Control Plan: Object name is RiskEntity; label is Control Plan. Control Plan is a self contained object type; this means that folders are created for each Control Plan. Used to group multiple Baselines to represent elements in your operating environment that can be assessed for risk.

Cost Center: Cost center objects are used to group loss events under a business entity. In many cases, firms want to track where loss events occur at a fine granularity (i.e. cost center level) but do not want to represent all of the organizational layers as business entities.

Employee: The Employee object is part of the Policy Awareness Capability. It is used to capture information about individual employees such as the name, title, email, region, department, status, etc. Information from the employee profile is then matched against the Attestation Requirements defined on a Campaign to determine which Employees need to attest to each Policy. Employee data is typically derived from an HR system export, loaded via Online FastMap, and resides in the reference Employee Business Entity. It is a best practice that the Employee Name field matches the user's username.

File: The File object type is used to embed a reference to a file (such as a document, flow chart or spreadsheet) in the OpenPages system, and associate it to one or more relevant objects.

Finding: Findings can be used to represent observations which are reportable to the business, to the Audit Committee, or both. Alternatively, Findings can be used to represent individual factual observations, while Issues are used to represent consolidated themes/systemic problems, which are then reported to the business, to the Audit Committee, or both.

A Finding represents anything uncovered in the course of an audit that needs to be accounted for and addressed by management. You can use a finding to track management’s progress in addressing the underlying issue identified. The Issue object can be used in place of, or in conjunction with, the Finding object.

FIRST Loss: FIRST Loss objects can be imported from the FIRST external loss database, for use with scenario analysis, benchmarking, and reports generation, and to export loss data to analytic tools or capital allocation applications.

Incident: Incidents are used to capture, track and manage events that occur in the organization and IT Operating Environment. Incidents are typically stored under the Business Entity or IT Resource where the event occurred and associated secondarily to an impacted Mandate or Policy. They may be created by hand, or via integration with other systems (i.e. IT monitoring system) and are commonly of type Regulatory Compliance, Legal Compliance, Information Security, or IT. Incidents can be a child of Business Entity, Mandate, Sub-Mandate, Requirement, Policy, Risk, Resource and Risk Sub-Entity. If ORM is also installed, Incident is also the parent of Loss Event.

Issue, Action Item: Although issues typically result from areas where internal controls are not properly implemented or designed, you can use the Issue object to document a concern associated with any object type.

An issue is resolved through one or more Action Items. You can use an Action Item object or a series of related Action Item objects to form an action plan. Each Action Item can be assigned to a user for resolution, and progress can be tracked from the detail page of the parent Issue. Once all Action Items for an Issue are complete (an assignee sets the value to 100%), you can close the Issue.

KRI, KRI Value: KRIs are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KRI within the organization can have unique target and threshold limits.

KPI, KPI Value: KPIs are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KPI within the organization can have unique target and threshold limits.

Link: The Link object type is used to embed a reference to a URL in the OpenPages system, and associate it to one or more relevant objects.

Loss Event: Loss Events are used to track operational losses that may occur in any part of an organization. Loss Events are typically stored under the Business Entity where the loss occurred. The Loss Event objects are used to track, assess, and manage the related internal loss data. You can add multiple impacts and recoveries for each Loss Event using the Loss Impact and Loss Recovery objects.

Loss Impact: A loss impact is a financial and/or non-financial consequence resulting from a loss event. Loss Impacts track different types of impacts triggered by a Loss Event, such as legal liability, asset loss and damage, or business interruption. There can be multiple Loss Impacts associated with each Loss Event.

Loss Recovery: Loss Recovery objects are used to track the processes associated with recouping damages that result from Loss Events.

Mandate: Mandates represent external items with which organizations need to comply, such as laws, regulations, and standards. Out of the box the configuration directly supports content provided by Deloitte and UCF, and can be adapted to support content from other vendors. Typically, Mandates are represented in a Library Business Entity structure, and are not replicated throughout the system.

Milestone, Milestone Action Item: A Milestone represents a significant point in the development of your project. You can tie Milestones to specific dates, or use them to signify the completion of a portion of the entire project. Milestones can contain other Milestones or Milestone Action Items. You cannot associate a Milestone with other objects in the object hierarchy.

A Milestone Action Item is a specific objective that must be completed in order to reach a Milestone. In general, all Milestone Action Items associated with a Milestone must be completed in order to reach a Milestone. When you are assigned a Milestone Action Item object, it is displayed (if configured) in the My Milestone Action Items section of your Classic Home Page.

ORIC Loss: ORIC Loss objects can be imported from the ORIC external loss database, for use with scenario analysis, benchmarking, and reports generation, and to export loss data to analytic tools or capital allocation applications.

ORX Loss: ORX Loss objects can be imported from the ORX external loss database, for use with scenario analysis, benchmarking, and reports generation, and to export loss data to analytic tools or capital allocation applications.


Plan, Timesheet A Plan object type facilitates audit resource scheduling and allocation at any level. For example, you can create a single Plan object for an entire audit, or you can create one Plan object per task for each auditor involved with the audit. Plan objects are used to determine the availability, skills, and experience required of the desired resource. OpenPages Audit Activity Views, reports, etc. are aligned with Planning at the Audit level. Plans can instead be associated to Audit Sections, in which case these components would need to be modified.

Plan objects also drive time tracking – all time is tracked against Plans. A Timesheet object type is used to record weekly actual hours and expenses expended against a Plan object for an Audit. Because Timesheet objects are associated with Plans, it is easy to track deviations between planned and actual time and expenses. The Timesheet Entry interactive report should always be used to enter or modify time and expense data. For this reason, there is no Timesheet top menu item in the default IAM configuration.

You typically create or modify a Plan object using the Add or Modify Plans helper, accessed from a link on the Audit detail page.

Policy Policies represent internal guidelines generally adopted by the Board of Directors or senior governance body within an organization. The text of a Policy can either be stored in standardized fields on the object or as an attachment to the object. Policies typically have a distinct lifecycle from Draft to Published to Expired, as well as a review and approval process. Draft policies typically reside in the Organizational Business Hierarchy, while Published and Expired Policies typically reside in reference Library entities. Policies are also often mapped to applicable Mandates in the Library to which they relate.

Policy Review Comment Policy Review Comments support and facilitate the review and approval process of Policies and Procedures by Subject Matter Experts and Compliance Personnel.

Preference Group, Preference The Preference Group object is used for grouping Preference object instances together. Without this grouping object, each Preference object instance would need to be associated separately to each of the relevant Business Entities. The group object helps to minimize the associated maintenance.

The Preference object is a child of Business Entity, and is used for holding variable values that can drive reports, workflows and computed fields (it has entity-specific variable values which enable different behavior for the same workflows). For example, it can determine the behavior of review and approval workflows (e.g. who the appropriate users are for each level of review and approval, and what the thresholds are for determining how many levels of review and approval are required).

Procedure Procedures represent the 'what', 'where', 'when', and 'how' of how policies are implemented in an organization. The text of Procedures is typically stored in the fields on the object. Typically, Procedures are represented as children of a Policy and reside in the same entity structure as their parent Policy.


Process Processes represent the major end-to-end business activities within a business entity that are subject to risk. The processes will typically reside in areas such as financial reporting, compliance, information security, and so forth.

Process Eval Process Evaluation objects are children of Process objects and they are used to capture process measurement values for trending purposes.

When the reporting periods do not align with the evaluation cycles, you can use Process Eval objects to capture multiple evaluation cycles within a single reporting period.

Questionnaire, Section, Question Questionnaire, Section and Question are three objects that are used together to implement questionnaires.

Regulation Applicability The Regulation Applicability object is the child of Business Entity and parent of Mandate. It typically resides in the Organizational Business Hierarchy and is used to assess and track the Regulatory Impact of a Mandate in the Library on a Business Entity.

Regulator The Regulator object is part of the Regulator Interaction Management capability and provides the ability for organizations to create a single inventory of all Regulators with which they interact. Regulators are typically created in a reference Library Business Entity. The object is a child of Business Entity and can be associated to Mandates and Regulator Interactions.

Regulator Interaction The Regulator Interaction object is part of the Regulator Interaction Management capability and provides the ability to manage the interactions, communication, internal work, review and approvals associated with external regulators such as inquiries, submissions, filings, exams and audits. For complex interactions such as exams and audits, customers can use a three-tier object structure (Regulator Interaction, RI Category and RI Request) to manage and track the overall interaction, each section of the interaction, and the individual requests. For simpler requests and inquiries, customers can use the Regulator Interaction object by itself to manage the request details and response details.

Regulatory Change The Regulatory Change object is part of the Regulatory Change Management capability. It supports the ability to track regulatory changes (change or guidance to an existing regulation or a new regulatory requirement), assess the impact of a change on the organization, communicate the change internally to the appropriate people and drive internal processes in response to the change. Regulatory Changes typically reside in the Library Business Entity, and are associated directly to the Mandate that changed. Each Regulatory Change then has multiple Regulatory Tasks associated to it, one for each Business Entity impacted by the respective Mandate.

Regulatory Task The Regulatory Task object is part of the Regulatory Change Management capability. It facilitates the change management process associated with a Regulatory Change. A Regulatory Task is created in the Organizational Business Hierarchy and assigned to an individual in each of the Business Entities impacted by the Mandate that was changed. The object is then used to track and monitor if an action is required as a result of the change (i.e. revise policy, control assessment, training, etc.) and the progress of the action.


Requirement Requirements represent the normalized “things you need to accomplish” in order to comply with all of their associated Sub-Mandates. Requirements accomplish two primary purposes: They translate the often difficult and wordy legalese of Mandates/Sub-Mandates into plain English, and they leverage the commonality across multiple Sub-Mandates. For example, there may be many Sub-Mandates across numerous Mandates which are all telling you to have strong passwords. A single Requirement can document the details of the strong password needs. By complying with this single Requirement, IT can satisfy many Mandates/Sub-Mandates.

Out of the box the configuration directly supports content provided by Deloitte and UCF, and can be adapted to support content from other vendors. Typically, Requirements are represented in a Library Business Entity structure, and are not replicated throughout the system.

Resource CobiT suggests that there are four types of IT assets, while practitioners often include additional types as well. The Resource object is sub-typed using dependent fields to represent any of these types of IT assets. Resources are typically created as a pool associated to the owning or responsible IT Business Entity, then associated to the relevant operating elements (Baselines, Processes, etc.) in the IT Operating Environment, and potentially associated to relevant Business Entities for the Business as well. Although Resources can represent individual IT Assets (e.g. a particular Microsoft Windows 2003 server) they will more often represent a group of assets (e.g. a pool of Windows 2003 Application Servers used for a particular application).

Resource Link CobiT suggests that IT assets have complicated relationships. They indicate that assets of type People, Process, Infrastructure and Information can each be parents and can each be children of each other. In addition, Resources of the same type often need to be related to each other. A Resource Link can be used to link Resources in a many-to-many fashion, but the practice (supported by the User Interface helper) is to link exactly two Resources. Note that if the names or attributes of either of the parent resources are changed, the Resource Link name and attributes will be “out of sync” with its parent Resources.

RI Category The RI Category object is part of the Regulator Interaction Management capability and is used as the middle tier of the three-tier object model (Regulator Interaction, RI Category and RI Request). The object is used to organize and track the progress of individual sections or categories of a complex interaction such as an exam or audit.

RI Request The RI Request object is part of the Regulator Interaction Management capability and is used as the bottom tier of the three-tier object model (Regulator Interaction, RI Category and RI Request). The object is used to organize and track the individual requests, reviews and approvals of pre-work and onsite tasks as part of a complex interaction such as an exam or audit.


Risk Risks are potential liabilities. Risks can be associated with, for example, business processes, business entities, or compliance with a particular mandate. Each risk has one or more controls associated with it that provide safeguards against the risk and help mitigate any consequences that may result from the risk. You can use the Risk object to categorize risks; capture the frequency, rating, and severity of inherent and residual risk data; and view reports that help identify your top risk items.

Risk Eval Risk Evaluation objects are children of Risk objects and they are used to capture risk measurement values for trending purposes. Often reporting periods do not line up with risk evaluation cycles and so Risk Eval objects can be used to capture multiple evaluation cycles within a single reporting period.

Risk Assessment Risk assessments give you the ability to evaluate and report on potential liabilities for a set of business entities or processes. You can use the Risk Assessment object – which contains the names of the assessor and reviewer, the time frames for the assessment, and the status of the assessment – to manage your risk self-assessment process.

Risk Assessment Eval Risk Assessment Evaluation objects are similar to Risk Evaluation objects except that they are instantiated as children of Risk Assessments. They store risk assessment data.

Scenario Analysis Scenario Analysis is an assessment technique used to identify and measure specific kinds of risks, in particular, low frequency, high-impact events such as earthquakes, recessions, or power grid failures.

Scenario Result Scenario Result objects are children of Scenario Analysis objects and they are used to capture the results of Scenario Analysis workshops for comparison and trending purposes.

Signature A signature generally indicates agreement that the object meets your approval. It has no enforcement powers, and does not prevent the item from being modified after approval has been given. An object with a signature has a signature icon next to the signer’s name on the Signatures tab.

Depending on your system configuration, signatures (with or without associated locks) can be applied to an object in the following ways:

- Manually from the detail page of an object.

- Automatically through a workflow task.

- Some combination of both automatic and manual.

If signature locks are configured on your system, when you sign off on an object, the object and all its associated child objects are locked and cannot be modified until you either revoke your signature or an administrator unlocks the object.

Sub-Account A Sub-Account represents a smaller, more targeted line item that is part of a larger parent Account (or of another Sub-Account). Each Sub-Account object can be associated with parent Account or Sub-Account objects.


Sub-Mandate Sub-Mandates represent external (or internal) sub-items with which the organization needs to comply. Out of the box the configuration directly supports content provided by Deloitte and UCF, and the configuration can be adapted to support content from other vendors. Typically, Sub-Mandates are represented in a Library Business Entity structure, and are not replicated throughout the system. Sub-Mandate is recursive, but Deloitte and UCF content use exactly one level of Sub-Mandate.

Sub-Process A sub-process is a component of a Process. It is used to decompose processes into smaller granularity units for assessment purposes.

Test Plan You can determine the operating effectiveness of a control by conducting one or more detailed tests of a control and then documenting the results. Test Plans are descriptions of the mechanisms used to determine whether or not a control is effective.

Test Result A test result is the information obtained from running a test plan.

Waiver Waivers give you the ability to document, process and manage the lifecycle of exceptions to Corporate Policies, InfoSec Policies, IT Policies or Regulatory Compliance Requirements. Waivers can be associated to Business Entities, Policies, Procedures, Requirements, Risks, Controls, Baselines and Resources.

Workpaper A workpaper is any artifact or deliverable you want to track in the scope of an audit. It can represent an engagement letter, a testing matrix, interview notes or anything else appropriate to the audit in question. The workpaper itself can be attributes stored on the Workpaper object, or it can be a Word, Excel or other type of file attached to a Workpaper object. When Workpaper is used for test evidence, it documents both the test planning and the test results.

Typically, you create a Workpaper object from the detail page of an Audit Section. Workpaper objects can also be copied from a library, where they represent templates of different types of workpapers generated by an internal audit department.

Subcomponents

IBM OpenPages GRC Platform modules consist of several subcomponents, which are groups of object types that support a logical function within the module.

The acronyms that are used in the table header are defined as follows:

- FCM = IBM OpenPages Financial Controls Management
- ORM = IBM OpenPages Operational Risk Management
- PCM = IBM OpenPages Policy and Compliance Management
- ITG = IBM OpenPages IT Governance Management
- IAM = IBM OpenPages Internal Audit Management

Table 3. Subcomponents for modules

Subcomponent Object Types FCM ORM PCM ITG IAM

Organization Business Entity X X X X X


Preference Preference Group, Preference X X X X X

Risk Assessment Risk Assessment, Risk Assessment Eval X X X X X

Process Process, Process Eval, Sub-Process, Control Objective X X X X X

Risk Risk, Risk Eval X X X X X

Control Control, Control Eval X X X X X

Test Test Plan, Test Result X X X X X

Issue Issue, Action Item X X X X X

Questionnaire Questionnaire, Section, Question X X X X X

Milestone Milestone, Milestone Action Item X X X X X

Account Account, Sub-Account, Assertion X

Scenario Analysis Scenario Analysis, Scenario Result X

External Loss ORX Loss, ORIC Loss, FIRST Loss X

Loss Event Loss Event, Loss Impact, Loss Recovery, Cost Center X

KRI KRI, KRI Value X X X

KPI KPI, KPI Value X X X

Regulatory Library Mandate, Sub-Mandate, Requirement X X

Incident Incident X X

Waiver Waiver X X

ITG Policy Policy, Procedure X

Control Plan Control Plan, Baseline X

Resource Resource, Resource Link X

Policy Policy, Procedure, Policy Review Comment X

Policy Attestation Policy, Procedure, Attestation X

Campaign Campaign, Employee Attestation X

Regulator Interaction Regulator Interaction, Regulator, RI Category, RI X

Regulatory Change Regulatory Change, Regulation Applicability, Regulatory Task X

Annual Plan Auditable Entity, Audit X

Engagement Plan Plan, Timesheet, Auditor X

Findings Finding X

Field Work Audit Section, Workpaper, Audit Review Comment X


Chapter 3. Computed Fields

The following computed fields are included by default with the indicated modules.

The acronyms that are used in the table header are defined as follows:

- FCM = IBM OpenPages Financial Controls Management
- ORM = IBM OpenPages Operational Risk Management
- PCM = IBM OpenPages Policy and Compliance Management
- ITG = IBM OpenPages IT Governance Management
- IAM = IBM OpenPages Internal Audit Management

Table 4. Computed fields

FCM ORM PCM ITG IAM Object Type Field Name Label Description

X Attestation Policy Attestation Creates a link that launches the Policy Awareness View helper.

X Policy Modify Policy Creates a link that launches the Policy Editor helper.

X Policy View Policy Creates a link that launches the Policy Viewer helper.

X Policy Open Policy for new Revision Cycle Creates a link that launches the Policy Unlock helper.

X Policy Re-Open Policy for Additional Changes Creates a link that launches the Policy Unlock helper.

X Policy Review Comment Review Policy Creates a link that launches the Review Policy helper.

X Control Plan Baselines Creates a link to launch the Get Baselines helper.

X Resource Resource Links Creates a link to launch the Add a Resource Link helper.

X Auditable Entity Weighted Risk Score Calculates the sum of the products of each relevant Risk Factor value and its associated Risk Factor Weight. Risk Factor values are entered on the Auditable Entity. Risk Factor Weights are from the "nearest" Audit Risk Factor Preference object, matching the Audit Type specified on the Auditable Entity.


X Audit Close Audit Creates a link to launch the Close Audit helper.

X Audit Plans Creates a link to launch the Audit Plans helper.

X Audit Actual T&E Calculates the sum of the T&E entries on all of the Timesheets for all of the Plans for this Audit.

X Audit Actual Hours Calculates the sum of the Hours entries on all of the Timesheets for all of the Plans for this Audit.

X Plan Actual Hours Calculates the sum of the Hours entries on all of the Timesheets for this Plan.

X Plan Plan Actual T&E Calculates the sum of the T&E entries on all of the Timesheets for this Plan.

Note: The six computed fields indicated for PCM-only are implemented as URL fields, which are used to launch helpers.


Chapter 4. Helpers

The following helpers are included by default with the indicated modules.

The acronyms that are used in the table header are defined as follows:

- FCM = IBM OpenPages Financial Controls Management
- ORM = IBM OpenPages Operational Risk Management
- PCM = IBM OpenPages Policy and Compliance Management
- ITG = IBM OpenPages IT Governance Management
- IAM = IBM OpenPages Internal Audit Management

Table 5. Helper descriptions

FCM ORM PCM ITG IAM Helper Description

X Modify Policy Launched from a Policy object, Modify Policy is an editable view that allows a Policy Author and Owner to create and edit a Policy and its associated Procedures. Utilized only as part of the Datacentric approach to Policy Management.

X View Policy Launched from a Policy object, View Policy is a read-only view that allows users to see a Policy and its Procedures in a formatted, narrative view (Datacentric and Hybrid) or via a link to the Policy Attachment (Docucentric).

X Review Policy Launched from a Policy Review Comment object, Review Policy is a role-based view that facilitates the review and approval process. In addition to displaying the Policy and Procedures, or the Policy Attachment, it includes Policy Review Comments that allow Reviewers and Approvers to submit feedback by either editing the Policy directly or via the Comment form. Reviewers are presented with either an editable or read-only view, depending on the parameter set in a Registry Setting. Approvers are presented with a read-only view of the Policy.

X Policy Awareness The Policy Awareness View is an intuitive view that allows employees (high volume, low touch users) to easily read a Policy and its associated Procedures in a narrative format and then attest to having read and understood the policy.

X Attestation Creation The Attestation Creation Report helper is a notification report which supports the Policy Awareness capability.

X Publishing The Publishing Batch Notification helper is a notification report which facilitates the process of promoting an approved draft policy to the Published Library, and moving the current published version to the Expired Library. It also supports retiring a policy by moving the published policy to the Published Library and deleting the draft. It supports Datacentric, Docucentric and Hybrid policy approaches.


X Policy Unlock Launched from the Policy object once the Policy has been moved into the Review and Approval phase, the Policy Unlock Helper unlocks and readies the Policy and its components (Procedures, Attachments, Policy Review Comments) for revision. It supports all three policy approaches: Datacentric, Docucentric and Hybrid.

X Compare Policy The Compare Policy View enables users to view red-lined differences from one version of a policy to another. For example, a user can visually see the differences between a current draft of a policy and the published policy, or past expired versions. The Compare Policy View is utilized with Datacentric and Hybrid approaches.

X Get Baselines Invoked via a computed field link on Control Plan, the helper copies the selected Baseline from the Library to the IT Operating Environment, and copies, or creates and pre-populates, descendant Risks, Controls and Test Plans.

X Create Resource Links Invoked via a computed field link on Resource, the helper creates a Resource Link as a child of the “starting” Resource, and as a child of the selected Resource. The helper pre-populates fields on the created Resource Link object.

X Close Audit Launched from a computed field link on the Audit object, this helper facilitates automation of the Audit Close process.

X Add or Modify Plans Launched from a computed field link on the Audit object, this helper facilitates creating and editing Audit Plans, and finding and populating Auditors to assign to the Plans.

X Timesheet Entry Report Launched from the reporting menu, this helper allows an Auditor to enter or review their time.

X Administrator Timesheet Entry Report Launched from the reporting menu, this helper is an extension to the Timesheet Entry Report helper which includes a scoping page that allows a user with access to this report to select a different user for whom to enter time.


Chapter 5. Reports

The following reports are included by default with the indicated modules.

IBM OpenPages GRC Platform 6.2.0 Modules Report Details provides additional details on the reports described here. There are additional reports installed with the OpenPages Platform and available to all Modules, which are described in the IBM OpenPages GRC Platform Administrators Guide.

Reports Shared by All Modules

This section outlines the reports common among all modules.

Risk Assessment Reports

Table 6. Risk assessment reports

Name Description

Risk Assessment List Shows Risk Assessment details for a specified Business Entity and all of its descendants.

Risk Assessment Status Displays a stacked column chart showing the status of Risk Assessments for the specified Business Entity and its direct descendants.

Risk Assessment Summary Displays Risk Assessment details along with all associated Risks and Controls. A drill through report displays Issues and Action Items that are related to the Risk Assessments, Risks, or Controls.

Risk Reports

Table 7. Risk reports

Name Description

Risk Analysis Shows Risks grouped by Process for a specified Business Entity.

Risk Heat Map Displays a table that aggregates Risks by Residual Impact and Likelihood for a specified Business Entity.

Risk Rating by Entity Displays Residual Risk Rating summary information for the selected Business Entity and its descendants, with the ability to drill through to Risk details.

Risk Rating by Category Displays Risk Category and Residual Risk Rating summary information for the selected Business Entity, with the ability to drill through to Risk details.

Top Risks Shows a summary of the top Risks ranked by Residual Risk Exposure, and also shows the Inherent Risk Exposure.

Control Reports

Table 8. Control reports

Name Description

Risk and Control Matrix Shows Risk and Control data for specified Business Entity and Process(es).


Control Effectiveness Map Control map shows counts of Controls grouped by Process(es) and Operating Effectiveness, with the ability to drill through to a subreport for detail information.

Testing Reports

Table 9. Testing reports

Name Description

Testing Dashboard Displays summary Test Result information for the selected Business Entity, with the ability to drill through to detail and trend information.

Reports Shared by ORM, PCM and ITG

The following reports are shared by the IBM OpenPages Operational Risk Management, IBM OpenPages Policy and Compliance Management, and IBM OpenPages IT Governance Management modules.

Indicator Reports

Table 10. Indicator reports

Name Description

KRI Dashboard Displays summary KRI information for the selected Business Entity and its descendants, with the ability to drill through to detail and trend information.

KPI Dashboard Displays summary KPI information for the selected Business Entity and its descendants, with the ability to drill through to detail and trend information.

FCM-Specific Reports

The IBM OpenPages Financial Controls Management module does not include any FCM-specific reports.

ORM-Specific Reports

This section contains reports specific to the IBM OpenPages Operational Risk Management module.

Loss Event Reports

Table 11. Loss Event reports

Name Description

Loss Event Dashboard Displays the count of Loss Events for the selected Business Entity and its descendants, broken out by Status and Risk Category, with the ability to drill through to detail information.

Loss Event Summary Displays a column chart (representing entities) showing Net Loss broken out by Risk Category. A drill-through report shows Loss Event details.


Loss Event Trend Displays the trend of Net Loss by Risk Category for a specified Business Entity.

Risk vs Loss Displays the annual Net Loss of a Business Entity for a specified date compared with the current Residual Risk Exposure.

PCM-Specific Reports

This section contains reports specific to the IBM OpenPages Policy and Compliance Management module.

Regulatory Compliance Reports

Table 12. Regulatory Compliance reports

Name Description

Process Control Effectiveness by Mandate For a selected Business Entity, the report shows associated Mandates with the % of Effective Controls associated to Processes. The report has the ability to drill through to a subreport for detail information.

Regulatory Applicability Matrix Displays a Matrix View of the Mandates and the Business Entities for which they apply.

ITG-Specific Reports

This section contains reports specific to the IBM OpenPages IT Governance Management module.

IT Asset Reports

Table 13. IT Asset reports

Name Description

Baseline Shows key attributes of the selected Baseline, along with associated Requirements, and recommended Control Activities and Test Procedures.

Control Plan Shows key attributes of the selected Control Plan, along with associated Baselines, their Requirements, and recommended and implemented Control Activities and Test Procedures.

IT Compliance Reports

Table 14. IT Compliance reports

Name Description

IT Control Effectiveness by Mandate For a selected Business Entity, the report shows associated Mandates with the % of Effective Controls associated to Control Plans. The report has the ability to drill through to a subreport for detail information.

Requirements Library For the selected Requirements, this report shows all applicable laws and regulations.


UCF Requirements Library For the selected UCF Harmonized Control(s), this report shows all applicable Authority Documents.

IAM-Specific Reports

This section contains reports specific to the IBM OpenPages Internal Audit Management module.

Audit Management Reports

Table 15. Audit Management reports

Name Description

Audit Universe For the selected audit organization, view Auditable Entities, including information about risk ranking and previous audit results.

Audit Plan For the selected audit organization and date range, provides a GANTT chart view of the Audit Plan.

Auditor Plan For the selected audit organization, Auditors and date range, provides a GANTT chart view of Plans.

Audit Overview For the selected Audit, view the status of its Audit Sections and Workpapers, and view associated Findings, Issues and Audit Review Comments.

Internal Audit Report Complete report for the selected Audit, including an executive summary and associated Findings and Issues.

Audit Deviation For the selected Audit, view its Plans and Audit Sections, including schedule and budget information, with highlights for significant deviations.

Auditor Deviation For the selected Auditors, view their planned and actual dates, hours and expenses.

Timesheet Entry See Timesheet Entry helper.

Administrator Timesheet Entry See Administrator Timesheet Entry helper.


Chapter 6. Triggers

This section describes the triggers which are available for the indicated modules.

IBM OpenPages GRC Platform 6.2.0 Module Trigger Details provides additional details on the triggers described here.

The acronyms that are used in the table header are defined as follows:
- FCM = IBM OpenPages Financial Controls Management
- ORM = IBM OpenPages Operational Risk Management
- PCM = IBM OpenPages Policy and Compliance Management
- ITG = IBM OpenPages IT Governance Management
- IAM = IBM OpenPages Internal Audit Management

Table 16. Trigger descriptions

FCM ORM PCM ITG IAM Trigger Description

X X X X X Risk Rating Computations The Risk Rating Computations trigger calculates and persists the Inherent and Residual Risk Rating, and Inherent and Residual Risk Exposure field values on the Risk object.

X X X KRI Life Cycle The KRI Life Cycle trigger is configured to calculate and persist field values on the KRI and KRI Value object types when a KRI Value object is created or updated.

X X X KPI Life Cycle The KPI Life Cycle trigger is configured to calculate and persist field values on the KPI and KPI Value object types when a KPI Value object is created or updated.

X Loss Event Life Cycle The Loss Event Life Cycle triggers are configured to calculate and persist four fields on the Loss Event object, when related fields are created or changed on any descendent Loss Impact and Loss Recovery objects.

X Policy Import The Policy Import Trigger imports Policy and Procedure content from a structured .doc or .docx Word document into OpenPages Policy and Procedure fields by parsing the different sections of the document. It is triggered by checking in an attachment to the Policy object.

The trigger is designed to support the Hybrid approach to Policy Management, but also supports updating version number in the Docucentric approach when a new policy document is checked in. As part of the import process, the trigger also performs extensive validation to ensure the structure of the Word document adheres to the defined Policy Template.


X Policy Lock The Policy Lock Trigger locks the Policy and/or components (Procedures, Attachments, Policy Review Comments) at different points in the Review and Approval Process. This trigger supports all three approaches to Policy Management: Datacentric, Hybrid and Docucentric.

The Lock Trigger supports two use cases:

- Locking Policy Attachments in support of a policy being put into a review and approval cycle to ensure that the policy content cannot be changed during approvals. (Applicable for Hybrid and Docucentric approaches.)

- Locking the entire Draft Policy hierarchy (Policy, Procedures, Attachments and Policy Review Comments) once the Policy has been given final approval and is ready for publishing. (Applicable for all three policy approaches.)

X Audit Risk Rating Computations The Audit Risk Rating Computations trigger calculates and persists the Audit Inherent and Residual Risk Rating field values on the Risk object.

X Audit Close Automation The Audit Close Automation trigger assesses close readiness for each of the configured components of an audit. By default, the trigger is configured for the following object types: Audit, Audit Section, Workpaper, Finding, Audit Review Comment, Plan and Timesheet.


Chapter 7. Profiles

This section describes the profiles which are available for the indicated modules.

Profiles available by default

Each of these profiles includes configuration for default Filters, Classic Home Page tab and Home Page tabs, Dependent Fields, Dependent Picklists, Computed Fields; and Activity, Detail, Context, Folder, Overview, Filtered List and List Views.

Subsets of these profiles that are appropriate for a Lead Auditor, Control Tester, Compliance Manager, etc. are created during the implementation project.

When all OpenPages default modules are installed, the OpenPages Modules 6.2.1 Master profile is available.

The acronyms that are used in the table header are defined as follows:
- FCM = IBM OpenPages Financial Controls Management
- ORM = IBM OpenPages Operational Risk Management
- PCM = IBM OpenPages Policy and Compliance Management
- ITG = IBM OpenPages IT Governance Management
- IAM = IBM OpenPages Internal Audit Management

Table 17. Profiles available by default

FCM ORM PCM ITG IAM Profile Description

X X X X X OpenPages Modules 6.2.1 Master Includes the fields and configuration for all default modules.

X OpenPages FCM 6.2.1 Master Includes the fields and configuration for all of IBM OpenPages Financial Controls Management.

X OpenPages ORM 6.2.1 Master Includes the fields and configuration for all of IBM OpenPages Operational Risk Management.

X OpenPages FIRST Loss 6.2.1 Includes only the fields and configuration that facilitate the loading of FIRST Loss data through the OpenPages FastMap feature to IBM OpenPages Operational Risk Management.

X OpenPages PCM 6.2.1 Master Includes the fields and configuration for all of IBM OpenPages Policy and Compliance Management.

X OpenPages ITG 6.2.1 Master Includes the fields and configuration for all of IBM OpenPages IT Governance.

X OpenPages IAM 6.2.1 Master Includes the fields and configuration for all of IBM OpenPages Internal Audit Management.


Home Page Filtered Lists

The following filtered lists are defined for the Classic home page for the indicated Master profiles.

The acronyms that are used in the table header are defined as follows:
- FCM = IBM OpenPages Financial Controls Management
- ORM = IBM OpenPages Operational Risk Management
- PCM = IBM OpenPages Policy and Compliance Management
- ITG = IBM OpenPages IT Governance Management
- IAM = IBM OpenPages Internal Audit Management

Table 18. Home Page Filter list

FCM ORM PCM ITG IAM Filter Description Object type

X X X X X My Open Issues Home Page access to your open Issues. Issue

X Failed Test Results Home Page access to Test Results that have failed. Test Result

X Open Loss Events Over 1M Home Page access to large open Loss Events. Loss Event

X My Risk Assessments Home Page access to Risk Assessments where you are the Assessor. Risk Assessment

X X KRI Breaches Home Page access to KRIs that have a breach status of red. KRI

X Control Plans Under Development Home Page access to Control Plans being developed. Control Plan

X Critical IT Incidents Home Page access to open critical IT-related Incidents. Incident

X Expiring Waivers Home Page access to approved Waivers that will expire in the next 3 months. Waiver

X My Waiver Approvals Home Page access to Waivers that are being reviewed that you need to approve. Waiver

X X KPI Breaches Home Page access to KPIs that have a breach status of red. KPI

X Attestation Exception Requests Home Page access to requested Attestation exceptions requiring review. Attestation

X My Attestations Home Page access to your Policy Attestations due for completion. Includes link to launch the Policy Awareness View. Attestation

X Critical Compliance Incidents Home Page access to Compliance Incidents with a Priority rating of Critical. Incident

X My Policy Review Comments Home Page access to your open Policy Review Comments. Includes link to launch the Review Policy View. Policy Review Comment

X Policies Waiting for My Approval Home Page access to your open requests for Policy Approval. Includes link to launch the Review Policy View. Policy Review Comment


X Policies Waiting for My Review Home Page access to your open requests for Policy Review. Policy Review Comment

X My Questionnaires Due For Completion Home Page access to your Questionnaires due for completion. Questionnaire

X My Open High Impact Regulatory Changes Home Page access to your open Regulatory Changes assessed to be high impact. Regulatory Change

X My Regulatory Tasks Home Page access to your Regulatory Tasks requiring attention. Regulatory Task

X Meeting Requests Home Page access to your Regulatory Meeting Requests for which you are the business owner. RI Request

X On-Site Requests Home Page access to your Regulatory On-Site Requests for which you are the business owner. RI Request

X Pre-Work Requests Home Page access to your Regulatory Pre-Work Requests for which you are the business owner. RI Request

X My Draft Policies Home Page access to Draft Policies for which you are the Author. Includes link to launch the Create Policy Helper. Policy

X My Published Policies Home Page access to Published Policies for which you are the Author. Includes link to launch the View Policy Helper. Policy

X My Audits In Progress Home Page access to the Audits you own which you are likely to be working on now. Audit

X My Open Audit Review Comments Home Page access to Audit Review Comments requiring action, where you are the Owner. Audit Review Comment

X My Findings for Review Home Page access to Open Findings where you are the Reviewer. Finding

X My Open Findings Home Page access to Open Findings where you are the Preparer. Finding

X My Workpapers In Progress Home Page access to Workpapers requiring action, where you are the Preparer. Workpaper

X Workpapers Ready for My Review Home Page access to Workpapers requiring action, where you are the Reviewer. Workpaper


Activity Views

The following Activity Views are defined by default for the indicated Master profiles.

The acronyms that are used in the table header are defined as follows:
- FCM = IBM OpenPages Financial Controls Management
- ORM = IBM OpenPages Operational Risk Management
- PCM = IBM OpenPages Policy and Compliance Management
- ITG = IBM OpenPages IT Governance Management
- IAM = IBM OpenPages Internal Audit Management

Table 19. Activity views

FCM ORM PCM ITG IAM Activity View Description Object type

X X X X X Control Testing Summary Used to indicate Control Operating Effectiveness. Provides Test Plan and Test Result information that informs the Operating Effectiveness decision. Control

X X X X X Questionnaire Set Up Used to create and modify questionnaires using the Questionnaire, Section, Question object model. Questionnaire

X X X X X Questionnaire Used to respond to questionnaires using the Questionnaire, Section, Question object model. Questionnaire

X Control Assessment Facilitates conducting process-based Risk and Control Self Assessments. Process

X X X X Process RCSA View Facilitates conducting process-based Risk and Control Self Assessments. Process

X X X X RCSA View Facilitates conducting Risk Assessment-based Risk and Control Self Assessments. Risk Assessment

X Regulatory Exams Provides a consolidated view of the Interaction Categories and detailed Requests for a complex Regulator Interaction. Regulator Interaction

X Employee Policy Exception Requests View Employee Exception Requests. Policy

X Campaign Status Overview View outstanding attestations for a campaign. Policy

X Regulatory Change Overview Provides a consolidated view of the Regulatory Changes for a Mandate, and the corresponding Regulatory Tasks required as a result of the change. Enables user to track progress and status of the tasks. Mandate


X Policy Provides a simplified view of the Policy object. Serves as a pattern for a view which can be used as the default view for appropriate users such as policy attesters. Policy

X Attestation Provides a simplified view of the Attestation object. Serves as a pattern for a view which can be used as the default view for appropriate users such as policy attesters. Attestation

X UCF Mandates Shows all of the Requirements driven from each Mandate supplied by UCF. Business Entity

X Deloitte Mandates Shows all of the Requirements driven from each Mandate supplied by Deloitte. Business Entity

X Deloitte Mandate Overview Shows all of the Sub-Mandates, and for each Sub-Mandate shows its Requirements. Most appropriate for Deloitte content. Mandate

X UCF Mandate Overview Shows all of the Sub-Mandates, and for each Sub-Mandate shows its Requirements. Most appropriate for UCF content. Mandate

X Assess Risk Used for performing risk assessments on Baselines in the IT Operating Environment. Baseline

X Assess Control Plan Used for performing risk assessments on Control Plans in the IT Operating Environment. Control Plan

X Assess Baseline Used for performing risk assessments on Baselines in the IT Operating Environment. Baseline

X Mandate Controls For the selected Mandate, see all of the associated Controls in the IT Operating Environment. Provides corporate wide view of Control Effectiveness for a given Mandate. Filters out Controls in the Library, and only includes Ineffective or Not Determined. Business Entity

X Workpaper Checklist Provides an at-a-glance read only view of the Workpapers in the work program. Auditable Entity

X Workpaper Edit Checklist Provides a consolidated view of the workpapers and facilitates rapid workpaper update for an audit. Audit

X Section Checklist Provides an at-a-glance read only view of the Sections in the work program. Auditable Entity


X Section Edit Checklist Provides a consolidated view of the work program and facilitates rapid audit section update for an audit. Audit

X Audit Planning Allows for entry of Schedule Dates and Estimated Hours and T&E for each audit in the Universe. Business Entity

X Audit Overview See all the Workpapers and Findings for the Audit, Update Workpaper Status, Audit Section Expected Start and End Dates, Finding Status. Audit

X All Review Comments View Review Comments associated to the selected Audit and its Sections, Workpapers and Findings. Auditable Entity

X Audits and Sections View the sections for an audit and update Scheduled Start and End Dates. Auditable Entity

X Scope Matrix Identify the activities within the Auditable Entity and decide whether each one is in or out of scope for this audit. Refer to the risks for each activity to assist in making the scope decision. Audit

X Scope Matrix View Scope Matrix Activity View with all fields configured as read only. Audit


Chapter 8. Role Templates

The following role templates are defined by default for the indicated modules.

The OpenPages Modules 6.2 - All Permissions and OpenPages Modules 6.2 - All Data - No Admin role templates are available when all default modules are installed.

All of the role templates have full R/W/D/A access to all object types that are present and enabled by default.

The acronyms that are used in the table header are defined as follows:
- FCM = IBM OpenPages Financial Controls Management
- ORM = IBM OpenPages Operational Risk Management
- PCM = IBM OpenPages Policy and Compliance Management
- ITG = IBM OpenPages IT Governance Management
- IAM = IBM OpenPages Internal Audit Management

Table 20. Role templates

FCM ORM PCM ITG IAM Role Template Description

X X X X X OpenPages Modules 6.2 - All Permissions Full admin rights.

X X X X X OpenPages Modules 6.2 - All Data - No Admin No admin rights except those associated with workflows, files and folders.

X OpenPages FCM 6.2 - All Permissions Full admin rights.

X OpenPages FCM 6.2 - All Data - No Admin No admin rights except those associated with workflows, files and folders.

X OpenPages ORM 6.2 - All Permissions Full admin rights.

X OpenPages ORM 6.2 - All Data - No Admin No admin rights except those associated with workflows, files and folders.

X OpenPages PCM 6.2 - All Permissions Full admin rights.

X OpenPages PCM 6.2 - All Data - No Admin No admin rights except those associated with workflows, files and folders.

X OpenPages ITG 6.2 - All Permissions Full admin rights.

X OpenPages ITG 6.2 - All Data - No Admin No admin rights except those associated with workflows, files and folders.

X OpenPages IAM 6.2 - All Permissions Full admin rights.


X OpenPages IAM 6.2 - All Data - No Admin No admin rights except those associated with workflows, files and folders.

The role templates listed in the Role templates table above provide read, write, delete and associate access to the object types listed in Table 21.

In the Object types table below:
- An A in a cell indicates that the object type is available to the associated module.
- A G in a cell indicates that R/W/D/A rights are granted to that object type in the role templates associated to that module.

Table 21. Object types

Icon Object Name Singular Label Modules FCM ORM PCM ITG IAM

SOXProject Project AG AG AG AG AG AG

SOXSignature Signature AG AG AG AG AG AG

SOXMilestone Milestone AG AG AG AG AG AG

ProjectActionItem Milestone Action Item AG AG AG AG AG AG

SOXIssue Issue AG AG AG AG AG AG

SOXTask Action Item AG AG AG AG AG AG

SOXDocument File AG AG AG AG AG AG

SOXExternalDocument Link AG AG AG AG AG AG

SOXBusEntity Business Entity AG AG AG AG AG AG

SOXProcess Process AG AG AG AG AG AG

SOXSubprocess Sub-Process AG AG AG AG AG AG

SOXControlObjective Control Objective AG AG AG AG AG AG

SOXRisk Risk AG AG AG AG AG AG

SOXControl Control AG AG AG AG AG AG

SOXTest Test Plan AG AG AG AG AG AG

SOXTestResult Test Result AG AG AG AG AG AG


RiskAssessment Risk Assessment AG AG AG AG AG AG

SOXAccount Account AG AG

SOXSubaccount Sub-Account AG AG

Assertion Assertion A A

ScenarioAnalysis Scenario Analysis AG AG

ScenarioResult Scenario Result A A

ORXLoss ORX Loss AG AG

ORICLoss ORIC Loss AG AG

FIRSTLoss FIRST Loss AG AG

LossEvent Loss Event AG AG

LossImpact Loss Impact AG AG

LossRecovery Loss Recovery AG AG

CostCenter Cost Center A A

ProcessEval Process Eval A A A A A A

RiskEval Risk Eval A A A A A A

CtlEval Control Eval A A A A A A

RAEval Risk Assessment Eval A A A A A A

KeyRiskIndicator KRI AG AG A AG

KeyRiskIndicatorValue KRI Value AG AG A AG

RiskEntity Control Plan AG AG

RiskSubEntity Baseline AG AG

Resource Resource AG AG

ResourceLink Resource Link AG AG

Incident Incident AG AG AG

KeyPerfIndicator KPI AG A AG AG

KeyPerfIndicatorValue KPI Value AG A AG AG

Waiver Waiver AG AG AG

Mandate Mandate AG AG AG

Submandate Sub-Mandate AG AG AG


Requirement Requirement AG AG AG

Policy Policy AG AG AG

Procedure Procedure AG AG AG

Attestation Attestation AG AG

Campaign Campaign AG AG

Employee Employee AG AG

Regulator Regulator AG AG

RegInt Regulator Interaction AG AG

RICat RI Category AG AG

RIReq RI Request AG AG

RegApp Regulation Applicability AG AG

RegChange Regulatory Change AG AG

RegTask Regulatory Task AG AG

PolicyReviewComment Policy Review Comment AG AG

Questionnaire Questionnaire AG A A AG A A

Qsection Section AG A A AG A A

Quest Question AG A A AG A A

PrefGrp Preference Group AG A A A A AG

Preference Preference AG A A A A AG

AuditableEntity Auditable Entity AG AG

AuditProgram Audit AG AG

AuditPhase Audit Section AG AG

Workpaper Workpaper AG AG

Finding Finding AG AG

Plan Plan AG AG

Timesheet Timesheet AG AG

Auditor Auditor AG AG

ReviewComment Audit Review Comment AG AG


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. This document may describe products, services, or features that are not included in the Program or license entitlement that you have purchased.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Location Code FT0
550 King Street
Littleton, MA 01460-1250
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.


Copyright

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2013.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written.

These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Trademarks

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.

The following terms are trademarks or registered trademarks of other companies:
- Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
