
IT Governance Module Overview - IBM (public.dhe.ibm.com/.../OP_ITG_Module_Overview.pdf)

IBM OpenPages GRC Platform Version 7.0.0

IT Governance Module Overview



Note: Before using this information and the product it supports, read the information in “Notices” on page 37.

Product Information

This document applies to IBM OpenPages GRC Platform Version 7.0.0 and may also apply to subsequent releases.

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2013.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Chapter 1. Introduction ..... 1
    Module Description ..... 1
    Object Type Licensing ..... 1

Chapter 2. Object Types ..... 3
    Object Types Enabled by Default ..... 3
    Object Types Disabled by Default ..... 7
    Subcomponents ..... 8

Chapter 3. Computed Fields ..... 11

Chapter 4. Helpers ..... 13

Chapter 5. Notifications ..... 15
    Issue and Action Bulletin notification ..... 15
    KPI Reminder notification ..... 16
    KPI Breach notification ..... 16
    KRI Reminder notification ..... 16
    KRI Breach notification ..... 17

Chapter 6. Reports ..... 19
    ITG-Specific Reports ..... 19
    Reports Shared with Other Modules ..... 20

Chapter 7. Triggers ..... 23
    ITG-Specific Triggers ..... 23
    Triggers Shared with Other Modules ..... 23
        Issue Management and Remediation trigger ..... 23
        KRI Lifecycle trigger ..... 24
        KPI Lifecycle trigger ..... 25
        Risk and Control Self-assessments triggers ..... 25
        Visualization triggers ..... 30

Chapter 8. Profiles ..... 31
    OpenPages ITG 7.0.0 Master Profile ..... 31
    Home Page Filtered Lists ..... 31
    Activity Views ..... 32
    Grid Views ..... 33

Chapter 9. Role Templates ..... 35

Notices ..... 37

Index ..... 41



iv IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview


Document Release and Update Information

This topic lists information about this document and where updates to this document can be found.

Document Release Information

Software Version: 7.0.0

Document Published: December, 2013

Document Updates

Supplemental documentation is available on the web. Go to the IBM® OpenPages® GRC Platform Knowledge Center (http://www.ibm.com/support/knowledgecenter/SSFUEU_7.0.0/com.ibm.swg.ba.cognos.op.doc/welcome.html).


Chapter 1. Introduction

Use this guide with the IBM OpenPages IT Governance module.

Finding information

To find IBM OpenPages GRC Platform product documentation on the web, including all translated documentation, access the IBM OpenPages GRC Platform Knowledge Center (http://www.ibm.com/support/knowledgecenter/SSFUEU_7.0.0/com.ibm.swg.ba.cognos.op.doc/welcome.html). Release Notes are published directly to the Knowledge Center, and include links to the latest technotes and APARs.

Accessibility features

Accessibility features help users who have a physical disability, such as restricted mobility or limited vision, to use information technology products.

IBM HTML documentation has accessibility features. PDF documents are supplemental and, as such, include no added accessibility features.

Module Description

IBM OpenPages IT Governance (ITG) is an enterprise IT Governance solution that aligns IT services, risks and policies with corporate business initiatives, strategy, and operational standards.

IBM OpenPages IT Governance allows you to manage internal IT control and risk according to the business processes they support. In addition, IBM OpenPages IT Governance unites multiple silos of IT risk and compliance to deliver improved visibility, better decision support, and ultimately enhanced corporate performance.

Key features include:
- IT Regulatory and Policy Compliance
- Risk and Control Assessments
- Control Testing and Issue Remediation
- IT Resource Management
- Incident Tracking
- Key Performance and Key Risk Indicators
- Reporting, monitoring and analytics

Object Type Licensing

For the IBM OpenPages IT Governance module, you are licensed to use the object types listed in Chapter 2, “Object Types,” on page 3. Use of any other object types is prohibited without prior written approval from IBM.


Chapter 2. Object Types

The IBM OpenPages IT Governance module includes object types that are enabled or disabled by default, and subcomponents.

Object Types Enabled by Default

The following object types are available in the default IBM OpenPages IT Governance configuration and are enabled by default.

Table 1. Object types enabled by default (each entry gives the object type label, followed by its description)

Business Entity: Business entities are abstract representations of your business structure. A business entity can contain sub-entities (such as departments, business units, or geographic locations). The entity structure that you create depends on your business needs. For example, you could create a parent entity for your business headquarters then a sub-entity for each location or department. You may also want to represent both a legal entity structure and a business entity structure.

Business entities are also used to organize library data such as risk and control libraries, or regulatory content (for example, laws, regulations, and standards).

When setting up your business entity hierarchy, you should work with your OpenPages consultant as the structure of your business entities will greatly impact the type and quality of the information that can be extracted from the application.

Process: Processes represent the major end-to-end business activities within a business entity that are subject to risk. The processes will typically reside in areas such as financial reporting, compliance, information security, and so forth.

Sub-Process: A sub-process is a component of a Process. It is used to decompose processes into smaller granularity units for assessment purposes.

Risk: Risks are potential liabilities. Risks can be associated with, for example, business processes, business entities, or compliance with a particular mandate. Each risk has one or more controls associated with it that provide safeguards against the risk and help mitigate any consequences that may result from the risk. You can use the Risk object to categorize risks; capture the frequency, rating, and severity of inherent and residual risk data; and view reports that help identify your top risk items.

Control: Controls are typically policies and procedures (procedures are actions that implement the policies), to help ensure that risk mitigation responses are carried out.

Once you have identified the risks in your practices, you need to establish controls (such as approvals, authorizations, verifications, and so forth) that remove, limit, or transfer these potential risks.

Controls should be designed to provide either prevention or detection of risks. Controls are usually associated with tests that ensure a control is effective.


Test Plan: You can determine the operating effectiveness of a control by conducting one or more detailed tests of a control and then documenting the results. Test Plans are descriptions of the mechanisms used to determine whether or not a control is effective.

Test Result: A test result is the information obtained from running a test plan.

Risk Assessment: Risk assessments give you the ability to evaluate and report on potential liabilities for a set of business entities or processes. You can use the Risk Assessment object, which contains the names of the assessor and reviewer, the time frames for the assessment, and the status of the assessment, to manage your risk self-assessment process.

KPI, KPI Value: KPIs are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KPI within the organization can have unique target and threshold limits.

KRI, KRI Value: KRIs are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KRI within the organization can have unique target and threshold limits.

Control Plan: Object name is RiskEntity; label is Control Plan. Control Plan is a self-contained object type; this means that folders are created for each Control Plan. Used to group multiple Baselines to represent elements in your operating environment that can be assessed for risk.

Baseline: Object name is RiskSubEntity; label is Baseline. Baseline is a self-contained object type; this means that folders are created for each Baseline. Baselines in the Library are representative of types of elements of the IT Operating Environment. They are linked to Requirements in the Library to indicate what must be complied with for that type of element.

When a Baseline is copied from the library to the business hierarchy (using a helper which is part of IBM OpenPages IT Governance) it copies the Baseline, creates an association back to the Requirement in the library, creates the descendent Risk, Control and Test and pre-populates the Risk/Control/Test as appropriate with data from the Requirement. A Baseline can represent the assessment of element(s) of the IT Operating Environment, instead of or in addition to representing the actual element. Process, Resource, etc. can represent the actual elements.

Resource: COBIT suggests that there are four types of IT assets, while practitioners often include additional types as well. The Resource object is sub-typed using dependent fields to represent any of these types of IT assets. Resources are typically created as a pool associated to the owning or responsible IT Business Entity, then associated to the relevant operating elements (Baselines, Processes, etc.) in the IT Operating Environment, and potentially associated to relevant Business Entities for the Business as well. Although Resources can represent individual IT Assets, such as a particular Windows 2003 server, they will more often represent a group of assets, such as a pool of Windows 2003 Application Servers used for a particular application.


Resource Link: COBIT suggests that IT assets have complicated relationships. They indicate that assets of type People, Process, Infrastructure and Information can each be parents and can each be children of each other. In addition, Resources of the same type often need to be related to each other. A Resource Link can be used to link Resources in a many-to-many fashion, but the practice (supported by the User Interface helper) is to link exactly two Resources. Note that if the names or attributes of either of the parent resources are changed, the Resource Link name and attributes will be “out of sync” with its parent Resources.

Incident: Incidents are used to capture, track and manage events that occur in the organization and IT Operating Environment. Incidents are typically stored under the Business Entity or IT Resource where the event occurred and associated secondarily to an impacted Mandate or Policy. They may be created by hand, or via integration with other systems (for example, an IT monitoring system) and are commonly of type Regulatory Compliance, Legal Compliance, Information Security, or IT. Incidents can be a child of Business Entity, Mandate, Sub-Mandate, Requirement, Policy, Risk, Resource and Risk Sub-Entity. If ORM is also installed, Incident is also the parent of Loss Event.

Waiver: Waivers give you the ability to document, process and manage the lifecycle of exceptions to Corporate Policies, InfoSec Policies, IT Policies or Regulatory Compliance Requirements. Waivers can be associated to Business Entities, Policies, Procedures, Requirements, Risks, Controls, Baselines and Resources.

Mandate: Mandates represent external items with which organizations need to comply, such as laws, regulations, and standards. Out of the box the configuration directly supports content provided by Deloitte and UCF, and can be adapted to support content from other vendors. Typically, Mandates are represented in a Library Business Entity structure, and are not replicated throughout the system.

Sub-Mandate: Sub-Mandates represent external (or internal) sub-items with which the organization needs to comply. Out of the box the configuration directly supports content provided by Deloitte and UCF, and the configuration can be adapted to support content from other vendors. Typically, Sub-Mandates are represented in a Library Business Entity structure, and are not replicated throughout the system. Sub-Mandate is recursive, but Deloitte and UCF content use exactly one level of Sub-Mandate.

Requirement: Requirements represent the normalized “things you need to accomplish” in order to comply with all of their associated Sub-Mandates. Requirements accomplish two primary purposes: they translate the often difficult and wordy legalese of Mandates/Sub-Mandates into plain English, and they leverage the commonality across multiple Sub-Mandates. For example, there may be many Sub-Mandates across numerous Mandates which are all telling you to have strong passwords. A single Requirement can document the details of the strong password needs. By complying with this single Requirement, IT can satisfy many Mandates/Sub-Mandates.

Out of the box the configuration directly supports content provided by Deloitte and UCF, and can be adapted to support content from other vendors. Typically, Requirements are represented in a Library Business Entity structure, and are not replicated throughout the system.


Policy: Policies represent internal guidelines generally adopted by the Board of Directors or senior governance body within an organization. The text of a Policy can either be stored in standardized fields on the object or as an attachment to the object. Policies typically have a distinct lifecycle from Draft to Published to Expired, as well as a review and approval process. Draft policies typically reside in the Organizational Business Hierarchy, while Published and Expired Policies typically reside in reference Library entities. Policies are also often mapped to applicable Mandates in the Library to which they relate.

Preference Group, Preference: The Preference Group object is used for grouping Preference object instances together. Without this grouping object, each Preference object instance would need to be associated separately to each of the relevant Business Entities. The group object helps to minimize the associated maintenance.

The Preference object is a child of Business Entity, and is used for holding variable values that can drive reports, workflows and computed fields (it has entity-specific variable values which enable different behavior for the same workflows). For example, to determine the behavior for review and approval workflows (e.g. the appropriate users for each level of review and approval, and the thresholds for determining how many levels of review and approval are required).

Procedure: Procedures represent the 'what', 'where', 'when', and 'how' of how policies are implemented in an organization. The text of Procedures is typically stored in the fields on the object. Typically, Procedures are represented as children of a Policy and reside in the same entity structure as their parent Policy.

Signature: A signature generally indicates agreement that the object meets your approval. It has no enforcement powers, and does not prevent the item from being modified after approval has been given. An object with a signature has a signature icon next to the signer's name on the Signatures tab.

Depending on your system configuration, signatures (with or without associated locks) can be applied to an object in the following ways:
- Manually from the detail page of an object.
- Automatically through a workflow task.
- Some combination of both automatic and manual.

If signature locks are configured on your system, when you sign off on an object, the object and all its associated child objects are locked and cannot be modified until you either revoke your signature or an administrator unlocks the object.

Issue, Action Item: Although issues typically result from areas where internal controls are not properly implemented or designed, you can use the Issue object to document a concern associated with any object type.

An issue is resolved through one or more Action Items. You can use an Action Item object or a series of related Action Item objects to form an action plan. Each Action Item can be assigned to a user for resolution, and progress can be tracked from the detail page of the parent Issue. Once all Action Items for an Issue are complete (an assignee sets the value to 100%), you can close the Issue.


File: The File object type is used to embed a reference to a file (such as a document, flow chart or spreadsheet) in the OpenPages system, and associate it to one or more relevant objects.

Link: The Link object type is used to embed a reference to a URL in the OpenPages system, and associate it to one or more relevant objects.

Process Diagram: A Process Diagram is a child object of the Process and can have many diagrams per process. It is used to store the sequence of sub-processes or activities within a process with associated Risks and Controls along with any annotations such as decision nodes. All attributes of the Business Process visualization are stored in the Process Diagram object.

Data Input, Data Output: The Data Input Object and Data Output Object are child objects of the Process and can have associations only to existing Risks. They represent elements of a flow to depict an Input into the Business Flow or an Output from various activities within a process, such as running a report or updating a CRM system or getting an external data source feed.

Object Types Disabled by Default

The following object types are available in the default IBM OpenPages IT Governance configuration and are disabled by default.

Table 2. Object types disabled by default (each entry gives the object type label, followed by its description)

Questionnaire, Section, Question: Questionnaire, Section and Question are three objects that are used together to implement questionnaires.

Control Objective: A Control Objective is an assessment object that helps define the risk categories for a Process or Sub-Process. For each Process or Sub-Process, an organization sets the Control Objectives.

Control Objectives define the COSO compliance categories that the Controls associated with the Risks are intended to mitigate. For example, Control Objectives can be classified into one or more categories such as Compliance, Financial Reporting, Strategic, Operations, or Unknown.

Once a Control Objective is identified, the Risks belonging to that Control Objective can then be identified and defined. In most cases, each Control Objective will have one Risk associated with it. However, Control Objectives can have more than one Risk associated with them, so they are separated into their own object type.


Milestone, Milestone Action Item: A Milestone represents a significant point in the development of your project. You can tie Milestones to specific dates, or use them to signify the completion of a portion of the entire project. Milestones can contain other Milestones or Milestone Action Items. You cannot associate a Milestone with other objects in the object hierarchy.

A Milestone Action Item is a specific objective that must be completed in order to reach a Milestone. In general, all Milestone Action Items associated with a Milestone must be completed in order to reach a Milestone. When you are assigned a Milestone Action Item object, it is displayed (if configured) in the My Milestone Action Items section of your My Work tab.

Risk Eval: Risk Evaluation objects are children of Risk objects and they are used to capture risk measurement values for trending purposes. Often reporting periods do not line up with risk evaluation cycles and so Risk Eval objects can be used to capture multiple evaluation cycles within a single reporting period.

Control Eval: Control Evaluation objects are similar to Risk Evaluation objects except that they are instantiated as children of Controls. They store control assessment data.

Risk Assessment Eval: Risk Assessment Evaluation objects are similar to Risk Evaluation objects except that they are instantiated as children of Risk Assessments. They store risk assessment data.

Process Eval: Process Evaluation objects are children of Process objects and they are used to capture process measurement values for trending purposes.

When the reporting periods do not align with the evaluation cycles, you can use Process Eval objects to capture multiple evaluation cycles within a single reporting period.

Subcomponents

IBM OpenPages GRC Platform modules consist of several subcomponents, which are groups of object types that support a logical function within a module. The following tables list the subcomponents for the IBM OpenPages IT Governance module.

Table 3. Subcomponents shared with other modules (subcomponent: object types)

Organization: Business Entity
Preference: Preference Group, Preference
Risk Assessment: Risk Assessment, Risk Assessment Eval
Process: Process, Process Eval, Sub-Process, Control Objective
Risk: Risk, Risk Eval
Control: Control, Control Eval
Test: Test Plan, Test Result
Issue: Issue, Action Item
Questionnaire: Questionnaire, Section, Question
Milestone: Milestone, Milestone Action Item
KRI: KRI, KRI Value
KPI: KPI, KPI Value
Incident: Incident
Waiver: Waiver
Regulatory Library: Mandate, Sub-Mandate, Requirement
Visualization: Process Diagram, Data Input, Data Output

Table 4. ITG-specific subcomponents (subcomponent: object types)

ITG Policy: Policy, Procedure
Control Plan: Control Plan, Baseline
Resource: Resource, Resource Link

In addition to the subcomponents listed in the tables, the following object types are included in each module and can be accessed by any authorized user:
- Signature
- File
- Link


Chapter 3. Computed Fields

By default, the IBM OpenPages IT Governance module includes the following computed fields.

Table 5. Computed fields

Object Type Label | Field Group Name | Field Name Label | Description of Computation
Control Plan      | OPSS-RiskEnt     | Baselines        | Creates a link to launch the Get Baselines helper.
Resource          | OPSS-Res         | Resource Links   | Creates a link to launch the Add a Resource Link helper.


Chapter 4. Helpers

IBM OpenPages IT Governance includes the following helpers by default: Get Baselines and Create Resource Links.

Refer to IBM OpenPages GRC Platform ITG Module Details for more information on these helpers.

Get Baselines Helper

Invoked via a computed field link on Control Plan, the helper copies the selected Baseline from the Library to the IT Operating Environment, and copies, or creates and pre-populates, descendent Risks, Controls and Test Plans. The helper creates associations from the new elements back to the Library elements and writes status information to the Additional Description field on the created Baseline.

Create Resource Links Helper

Invoked via a computed field link on Resource, the helper creates a Resource Link as a child of the “starting” Resource, and as a child of the selected Resource. The helper pre-populates fields on the created Resource Link object.


Chapter 5. Notifications

Notifications are email notifications sent to owners of a process as a reminder to act. These notifications can occur at different stages of a process or as a final step in a trigger.

All notifications that are sent from IBM OpenPages ITG use the following sender address. Configure the email address and server settings:
- /OpenPages/Solutions/ORM/Email/From Email: the sender address that is used to send notifications
- /OpenPages/Solutions/ORM/Email/From Name: configure this item to identify the email sender name that is used by notifications
- /OpenPages/Common/Email/Mail Server: configure this item to identify the email server that is used to send notifications

Notifications are part of the KRI lifecycle, the KPI lifecycle, and the Issue Management and Remediation process.

Issue and Action Bulletin notification

During the closedown phase of the Issue Management and Remediation (IMR) process, an Issue and Action Bulletin is sent as an email notification to the users. The bulletin highlights important areas such as overdue issues and Actions that are due for closure. The administrator can set the frequency of this notification by using the Issue Management and Remediation (IMR) bulletin.

When the Issue is defined, its status is Open and the user must enter a value in the Current due date field. The due date is copied to a read-only field that contains the original due date. When the user creates an Issue, the Issue Owner (who might not be the same person who created the Issue) receives an email notification.

The Issue Owner must record the appropriate actions to resolve an identified Issue. The following data is captured in an Action Item:
- Description
- Assignee
- Start Date
- Due Date
- Actual Closure date
- Status (Read Only)
- A comment field to record the latest updates

The Issue Owner receives an email that summarizes the Actions that must be approved for closure. The owner can either Accept Closure or Reject Closure. When Actions are completed, the Issue Owner must review the Issue and update the status to Closed. If any child actions are Open or Awaiting Approval, the Issue Owner cannot close the issue.

Users receive email notifications through the consolidated Issue and Action bulletins. The bulletin consolidates the following information in an email:
• Issues Assigned to the recipient in the past number days
• Actions Assigned to recipient in the past number days
• Issues due for Closure in the next number days
• Actions due for Closure in the next number days
• Overdue Issues
• Overdue Actions
• Actions awaiting closure approval

KPI Reminder notification

The KPI Reminder notification is an email sent to the KPI owner that contains a list of all KPI Values that the owner or recipient is required to capture in the next seven days.

After the Risk Owner defines the Key Performance Indicator (KPI), the IBM OpenPages system determines whether it must generate a KPI Value object as a child object of the KPI. If the KPI is set as Active, the KPI helper generates the values. If the KPI is set as Inactive, a batch utility sets up the KPI Value object as a placeholder with a status of Awaiting collection.

The administrator can run the KPI Value utility when necessary, for example, when the automatically scheduled job fails to run. The utility creates the KPI Values with details, such as ID, Description, Expected Capture date, KPI Capturer, and KPI Owner.

A notification that requests the KPI Capturer enters a KPI value is presented in one of the following ways:
• Weekly email notifications, which instruct the user to log in to IBM OpenPages.
• Based on the status of the KPI Value (Awaiting Collection) and the KPI Capturer (logged-in user), the KPI Value is shown on the user's home page.

The email notification that is sent to the KPI owner contains a list of KRIs that have the following characteristics:
• An expected collection date that is less than (TODAY + 7)
• A KPI status that is set to Awaiting Collection.

KPI Breach notification

The KPI Breach notification sends an email to the Risk Owner when a KPI breach status changes from Green to Red or from Amber to Red.

The KPI Breach notification is started by the KPI Lifecycle trigger. The email notification contains a link to the KPI that is in breach and advises the Risk Owner to review the breach and take appropriate actions.

KRI Reminder notification

The KRI Reminder notification is an email sent to the KRI owner that contains a list of all KRI Values that the owner or recipient is required to capture in the next seven days.

After the Risk Owner defines the Key Risk Indicator (KRI), the IBM OpenPages system determines whether it must generate a KRI Value object as a child of the KRI. If the KRI is set as Active, the KRI helper generates the values. If the KRI is set as Inactive, a batch utility sets up the KRI Value object as a placeholder with a status of Awaiting collection.

The administrator can run the KRI Value utility when necessary, for example, when the automatically scheduled job fails to run. The utility creates the KRI Values with details, such as ID, Description, Expected Capture date, KRI Capturer, and KRI Owner.

A notification that requests the KRI Capturer enters a KRI value is presented in one of the following ways:
• Weekly email notifications, which instruct the user to log in to IBM OpenPages.
• Based on the status of the KRI Value (Awaiting Collection) and the KRI Capturer (logged-in user), the KRI Value is shown on the user's home page.

The email notification that is sent to the KRI owner contains a list of KRIs that have the following characteristics:
• An expected collection date that is less than (TODAY + 7)
• A KRI status that is set to Awaiting Collection.

KRI Breach notification

The KRI Breach notification sends an email to the Risk Owner when a KRI breach status changes from Green to Red or from Amber to Red.

The KRI Breach notification is started by the KRI Lifecycle trigger. The email notification contains a link to the KRI that is in breach and advises the Risk Owner to review the breach and take appropriate actions.


Chapter 6. Reports

The IBM OpenPages IT Governance module includes a set of default reports.

IBM OpenPages GRC Platform Modules Report Details provides additional details on the reports described here.

For a description of additional reports installed with the OpenPages Platform and available to all modules, see the IBM OpenPages GRC Platform Administrator's Guide.

ITG-Specific Reports

Descriptions are provided for reports that are available only from the IBM OpenPages IT Governance module.

Table 6. IT asset reports

Name | Drill-Through | Description
Baseline | (none) | Shows key attributes of the selected Baseline, along with associated Requirements, and recommended Control Activities and Test Procedures.
Control Plan | (none) | Shows key attributes of the selected Control Plan, along with associated Baselines, their Requirements, and recommended and implemented Control Activities and Test Procedures.

Table 7. IT compliance reports

Name | Drill-Through | Description
IT Control Effectiveness by Mandate | IT Control Effectiveness by Sub-Mandate | For a selected Business Entity, the report shows associated Mandates with the % of Effective Controls associated to Control Plans. The report has the ability to drill-through to a sub-report for detail information. Looks at IT Operating Environment Controls that are shared between Mandates and Baselines in the IT Operating Environment. Provides a view of Control Operating Effectiveness by Mandate. One subreport drills down for the selected Mandate to show Control Operating Effectiveness by Sub-Mandate. The other subreport drills down for the selected Mandate to show Test Results grouped by Resource (type=Application). This provides a view of how compliant each application is. This report is always run from the IT Operating Environment (it filters out the Library Business Entity).
Requirements Library | (none) | For the selected Requirements, this report shows all applicable laws and regulations. The report is a look “up” the hierarchy from the Requirements that fit the prompt scoping, to the Sub-Mandates and Mandates that each of those Requirements satisfy. So this shows you that meeting this one Requirement satisfies many Laws. The report has one page per Requirement and associated Mandates. This report is run from the Library.
UCF Requirements Library | (none) | For the selected UCF Harmonized Control(s), this report shows all applicable Authority Documents.

Reports Shared with Other Modules

The IBM OpenPages IT Governance module contains a number of reports that are shared with other IBM OpenPages GRC Platform modules.

Table 8. Risk assessment reports

Name | Drill-Through | Description
Risk Assessment List | (none) | Shows Risk Assessment details for a specified Business Entity and all of its descendants.
Risk Assessment Status | Risk Assessment Status Detail | Displays a stacked column chart showing the status of Risk Assessments for the specified Business Entity and its direct descendants.
Risk Assessment Summary | Risk Assessment Issues and Action Items | Displays Risk Assessment details along with all associated Risks and Controls. A drill-through report displays Issues and Action Items that are related to the Risk Assessments, Risks, or Controls.

Table 9. Risk reports

Name | Drill-Through | Description
Risk Analysis | (none) | Shows Risks grouped by Process for a specified Business Entity.
Risk Heat Map | Risk Detail | Displays a table that aggregates Risks by Residual Impact and Likelihood for a specified Business Entity.
Risk Rating by Entity | Risk Rating by Entity Detail | Displays Residual Risk Rating summary information for the selected Business Entity and its descendants, with the ability to drill-through to risk details.
Risk Rating by Category | Risk Rating by Category Detail | Displays Risk Category and Residual Risk Rating summary information for the selected Business Entity, with the ability to drill-through to Risk details.
Top Risks | (none) | Summary of the top Risks ranked by Residual Risk Exposure, and also shows the Inherent Risk Exposure. By default, Risk quantitative assessment fields are not included in FCM, so this report may not be appropriate for FCM users.

Table 10. Control reports

Name | Drill-Through | Description
Risk and Control Matrix | (none) | Shows Risk and Control data for the specified Business Entity and Process(es).
Control Effectiveness Map | Control Effectiveness Detail | The control map shows counts of Controls grouped by Process(es) and Operating Effectiveness, with the ability to drill-through to a sub-report for detail information.

Table 11. Testing reports

Name | Drill-Through | Description
Testing Dashboard | Testing Details | Displays summary Test Result information for the selected Business Entity, with the ability to drill-through to detail and trend information.

Table 12. Indicator reports

Name | Drill-Through | Description
KRI Dashboard | KRI Details | Displays summary KRI information for the selected Business Entity and its descendants, with the ability to drill-through to detail and trend information.
KPI Dashboard | KPI Details | Displays summary KPI information for the selected Business Entity and its descendants, with the ability to drill-through to detail and trend information.

Table 13. Visualization reports

Name | Description
Process Analysis | Displays Risks and Controls in the context of a process diagram. Provides an aggregated view of Risks and Controls with risk rating and control effectiveness at the Process and Business Entity level.


Chapter 7. Triggers

The IBM OpenPages IT Governance module contains several available triggers.

IBM OpenPages GRC Platform Modules Trigger Details provides additional details on the triggers described here.

Triggers must be disabled before loading XML instance data via Object Manager to any object types which are configured to have triggers by default.

Object types that are configured for IBM OpenPages IT Governance to have triggers by default include:
• Risk
• KRI Value
• KPI Value
• Action Item
• Issue
• Data Input
• Data Output

Object types that are configured for other Modules to have triggers by default include:
• Audit
• Audit Section
• Workpaper
• Plan
• Timesheet
• Finding
• Audit Review Comment
• Loss Impact
• Loss Recovery
• Loss Event
• File (SOXDocument)
• Policy

ITG-Specific Triggers

The IBM OpenPages IT Governance module does not include any ITG-specific triggers.

Triggers Shared with Other Modules

Several triggers are shared with other IBM OpenPages GRC Platform modules.

Issue Management and Remediation trigger

In an Issue Management and Remediation (IMR) framework, you can effectively document, monitor, remediate, and audit identified Issues.


Issues are items that are identified against the documented framework and are deemed to negatively affect the ability to accurately manage and report risk. In its lifecycle, an issue can have only one of two states: Open or Closed.

To resolve the identified Issue, the Issue Owner establishes and records the appropriate actions. When the Action is complete, the Assignee sets the Submit for Closure field to Yes. When this field is saved, a trigger is started and completes the following actions:
• Copies the value in the Issue Owner field from the parent Issue to the Action
• Sets the Action field to Awaiting Approval

The Issue owner reviews the Action and can specify to either Accept Closure or Reject Closure. If the Action is saved with Reject Closure, the status reverts to Open and the Action returns to the Action Assignee.

Several triggers are used to automate the Issue management process.

Issue Lifecycle trigger

The Issue Lifecycle trigger sets the Original Due date on the first instance of Save of Issue and checks for any Open Actions when the Issue is saved with a status of Closed.

When an Issue object type is created or updated, and the status of the Issue object type is set to Closed, the trigger completes the following actions:
• The trigger checks all direct child Actions and determines whether they are all closed. If any Actions have a status of Open or Awaiting Approval, the trigger generates an error message. If all Actions are closed, the trigger saves the changes.

  Note: As an administrator, you can configure the error message under the Administrator > Settings menu.

• If the Original Due date field on the Issue is blank, the trigger populates the Original Due date with the Current Due date value.

KRI Lifecycle trigger

The KRI Lifecycle trigger calculates and persists field values on the KRI and KRI Value object types. The trigger occurs only if the Collection status of the KRI value is set to Collected.

When a KRI Value object is updated, associated, or disassociated, the trigger completes the following steps:
1. Determines whether the KRI is set for approval.
   • If the status is Yes, the trigger updates the status to Awaiting Approval and proceeds with steps 2, 3, 4, and 6.
   • If the status is No, the trigger updates the status from Awaiting Collection to Collected and proceeds with steps 2, 3, 4, and 5.
2. Copies the current threshold information from the KRI to the child KRI Value.
3. Evaluates the Breach status.
4. Copies the KRI Value, Value Date, Collection, and Breach status to the parent KRI.
5. If the status of the KRI Breach field changed from Green or Amber to Red, the trigger sends an email notification to the Risk Owner to inform the owner of the breach.
6. If the status is set to Awaiting Approval, the KRI Value is displayed on the home page of the KRI Owner. The KRI Owner can approve or reject the value:
   • If the KRI Owner saves the record with a Reject status, the KRI Value and Value Date are changed to a blank and the KRI Value status is set to Awaiting Collection.
   • If the KRI Owner saves the record with an Approved status, the Collection status changes to Collected on the Value field and on the KRI.

Note: When the KRI Owner defines the KRI, the owner can specify the details regarding the Approval of the KRI.

KPI Lifecycle trigger

The KPI Lifecycle trigger calculates and persists field values on the KPI and KPI Value object types. The trigger occurs when the KPI Value changes from a blank state to a value and the status of Value Date is Completed.

When a KPI Value object is updated, associated, or disassociated, the trigger completes the following actions:
1. Determines whether the KPI is set for approval.
   • If the status is Yes, the trigger updates the status to Awaiting Approval and proceeds with steps 2, 3, 4, and 6.
   • If the status is No, the trigger updates the status from Awaiting Collection to Collected and proceeds with steps 2, 3, 4, and 5.
2. Copies the current threshold information from the KPI to the child KPI Value.
3. Evaluates the Breach status.
4. Copies the KPI Value, Value Date, Collection, and Breach status to the parent KPI.
5. If the status of the KPI Breach field changed from Green or Amber to Red, the trigger sends an email notification to the Risk Owner to inform the owner of the breach.
6. If the status is set to Awaiting Approval, the KPI Value is displayed on the home page of the KPI Owner. The KPI Owner can approve or reject the value:
   • If the KPI Owner saves the record with a Reject status, the KPI Value and Value Date are changed to a blank and the KPI Value status is set to Awaiting Collection.
   • If the KPI Owner saves the record with an Approved status, the Collection status changes to Collected on the Value field and on the KPI.

Note: When the KPI Owner defines the KPI, the owner can specify the details of the Approval of the KPI.

Risk and Control Self-assessments triggers

The Risk Assessments process is used to identify, assess, and quantify a risk profile of the business. Each Risk is assessed on either a Qualitative or Quantitative basis.

When a Risk is saved, the Qualitative risk rating trigger determines a Risk Rating of Low, Medium, High, or Very High. The trigger also populates the hidden Quantitative fields: Severity, Frequency, and Exposure.

When a Risk is saved, the Quantitative risk rating trigger completes the following actions:
1. Computes the Exposure (Frequency x Severity)
2. Computes the Risk Rating as Low, Medium, High, or Very High
3. Derives the Impact value (1 - 10) based on a mapping table for each Business Unit that is stored in its Preference record.
4. Derives the Likelihood value (1 - 10) based on a mapping table for each Business Unit that is stored in its Preference record.

RCSA Quantitative trigger

The Risk and Control Self-assessments (RCSA) Quantitative trigger sets the Risk Rating and establishes impact, likelihood, and exposure for risks that are entered by using the Quantitative method. The trigger occurs only if the values for the Impact or Likelihood fields for Risk were modified.

Important: You must determine whether you want to assess risks by using a quantitative or qualitative approach. If you chose qualitative, this trigger does not apply. The option for quantitative or qualitative is set during the Application installation of IBM OpenPages GRC Modules. For more information, see the IBM OpenPages GRC Platform Modules Installation Guide.

When a Risk object is updated, associated, or disassociated, the trigger completes the following actions:
• Obtains the parent Preference object. The trigger attempts to find the Preference object associated with the business entity. The trigger traverses up the parent Entity hierarchy until a Preference object that is associated with a business entity is found. The Preference object contains the settings for the required parameters as described in the Severity table.
• Determines the Impact fields of the Risk object. The Impact is calculated by identifying the threshold range in which the Severity value falls. If any Severity value is null, the previous value is managed as the MAX Severity.

Table 14. Impact value based on severity value

Severity value | Impact value
>= 0 and <= Severity 1 | 1
> Severity 1 and <= Severity 2 | 2
> Severity 2 and <= Severity 3 | 3
> Severity 3 and <= Severity 4 | 4
> Severity 4 and <= Severity 5 | 5
> Severity 5 and <= Severity 6 | 6
> Severity 6 and <= Severity 7 | 7
> Severity 7 and <= Severity 8 | 8
> Severity 8 and <= Severity 9 | 9
> Severity 9 | 10

• Determines the Likelihood fields on the SOXRisk object. The Likelihood is calculated by identifying the threshold range in which the Frequency value falls. If any Frequency value is null, the previous value is managed as the MAX Frequency.


Table 15. Likelihood value based on frequency value

Frequency value | Likelihood value
>= 0 and <= Frequency 1 | 1
> Frequency 1 and <= Frequency 2 | 2
> Frequency 2 and <= Frequency 3 | 3
> Frequency 3 and <= Frequency 4 | 4
> Frequency 4 and <= Frequency 5 | 5
> Frequency 5 and <= Frequency 6 | 6
> Frequency 6 and <= Frequency 7 | 7
> Frequency 7 and <= Frequency 8 | 8
> Frequency 8 and <= Frequency 9 | 9
> Frequency 9 | 10

• Calculates the Exposure as Severity multiplied by Frequency.
• Where the Impact value is X and the Likelihood value is Y:

  The XMAX value is the maximum value for impact. The YMAX value is the maximum value for likelihood. The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/YMAX. The XMAX and YMAX values are defined during installation. Do not change these values. If these values are changed, the RCSA Qualitative and Quantitative triggers might not correctly compute the risk rating. The trigger computes the Risk Rating by using the following formula:

  ((X × X) + (Y × Y)) / ((XMAX × XMAX) + (YMAX × YMAX))

  The rating value is 0 - 1 and expressed as a percentage.

Table 16. Risk ratings based on rating values

Rating value | Risk rating
0 - 25 % | LOW (green)
26 - 50 % | MEDIUM (yellow)
51 - 75 % | HIGH (orange)
76 - 100 % | VERY HIGH (red)

RCSA Qualitative trigger

The Risk and Control Self-assessments (RCSA) Qualitative trigger sets the Risk Rating and establishes severity, frequency, and exposure for risks that are entered by using the Qualitative method.

Important: You must determine whether you want to assess risks by using a quantitative or qualitative approach. If you chose quantitative, this trigger does not apply. The option for quantitative or qualitative is set during the Application installation of IBM OpenPages GRC Modules. For more information, see the IBM OpenPages GRC Platform Modules Installation Guide.

When a Risk object is updated, associated, or disassociated, the trigger completes the following actions:
• Evaluates the Preference record for the entity, or its parent entity if no Preference record exists. The trigger attempts to find the Preference object associated with the business entity. The trigger traverses up the parent Entity hierarchy until a Preference object that is associated with a business entity is found. The Preference object contains the settings for the required parameters as described in the Severity table.
• Evaluates the Severity fields of the Risk object. The Severity is determined by the Impact Value mappings that are specified in the Preference object.

Table 17. Severity based on impact values

Impact value | Severity
1 | Severity 1
2 | Severity 2
3 | Severity 3
4 | Severity 4
5 | Severity 5
6 | Severity 6
7 | Severity 7
8 | Severity 8
9 | Severity 9
10 | Severity 10

• Based on the Likelihood, evaluates the Frequency fields of the Risk object. The Frequency is determined by the Likelihood Value mappings that are specified in the Preference object.

Table 18. Frequency based on Likelihood values

Likelihood value | Frequency
1 | Frequency 1
2 | Frequency 2
3 | Frequency 3
4 | Frequency 4
5 | Frequency 5
6 | Frequency 6
7 | Frequency 7
8 | Frequency 8
9 | Frequency 9
10 | Frequency 10

• Calculates the Exposure as Severity multiplied by Frequency.
• Where the Impact value is X and the Likelihood value is Y:

  The XMAX value is the maximum value for impact. The YMAX value is the maximum value for likelihood. The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/YMAX. The XMAX and YMAX values are defined during installation. Do not change these values. If these values are changed, the RCSA Qualitative and Quantitative triggers might not correctly compute the risk rating. The trigger computes the Risk Rating by using the following formula:

  ((X × X) + (Y × Y)) / ((XMAX × XMAX) + (YMAX × YMAX))

  The rating value is 0 - 1 and expressed as a percentage.

Table 19. Risk ratings based on rating values

Rating value | Risk rating
0 - 25 % | LOW (green)
26 - 50 % | MEDIUM (yellow)
51 - 75 % | HIGH (orange)
76 - 100 % | VERY HIGH (red)
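The following is an added worked example of the rating logic that both the RCSA Quantitative trigger (Tables 14 to 16) and the RCSA Qualitative trigger (Tables 17 to 19) describe; it is illustrative code written for this page, not IBM's trigger implementation. It assumes XMAX and YMAX of 10 (the 1 - 10 Impact and Likelihood scale), assumes that a percentage exactly on a band boundary belongs to the lower band, and uses constructed Preference thresholds.

```python
from typing import Dict, List, Optional, Sequence

# Assumed: XMAX/YMAX of 10, matching the 1 - 10 Impact and Likelihood scale.
# In the product these come from the RCSA/XMAX and RCSA/YMAX settings.
XMAX = 10
YMAX = 10

# Rating bands from Tables 16 and 19: (upper bound in percent, label).
RATING_BANDS = [(25, "LOW"), (50, "MEDIUM"), (75, "HIGH"), (100, "VERY HIGH")]

# Constructed Preference record: Severity 1..10 and Frequency 1..10 thresholds.
SEVERITY_THRESHOLDS: List[Optional[float]] = [10, 20, 30, 40, 50, 60, 70, 80, 90, 100]
FREQUENCY_THRESHOLDS: List[Optional[float]] = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]


def defined_thresholds(thresholds: Sequence[Optional[float]], top: int) -> List[float]:
    """Apply the null rule from the Quantitative trigger: when a threshold is
    null, the previous threshold is treated as the MAX, so the scale simply
    stops at the last defined value. Only the first top-1 thresholds matter,
    because band `top` is the open-ended "> Severity 9" row of Table 14."""
    defined: List[float] = []
    for t in thresholds[: top - 1]:
        if t is None:
            break
        defined.append(float(t))
    if not defined:
        raise ValueError("Preference record defines no thresholds")
    return defined


def band_for_value(value: float, thresholds: Sequence[Optional[float]], top: int = 10) -> int:
    """Map a Severity (or Frequency) value to its Impact (or Likelihood) band
    using the Table 14/15 rule: >= 0 and <= T1 -> 1, > T1 and <= T2 -> 2, ...,
    > T9 -> 10. Assumed: when fewer thresholds are defined, values above the
    last defined one take the band immediately after it."""
    if value < 0:
        raise ValueError("Severity and Frequency values must be >= 0")
    defined = defined_thresholds(thresholds, top)
    for band, upper in enumerate(defined, start=1):
        if value <= upper:
            return band
    return len(defined) + 1


def risk_rating_percent(x: int, y: int) -> float:
    """Risk Rating formula from the RCSA triggers, expressed as a percentage:
    ((X x X) + (Y x Y)) / ((XMAX x XMAX) + (YMAX x YMAX))."""
    return 100.0 * (x * x + y * y) / (XMAX * XMAX + YMAX * YMAX)


def rating_band(percent: float) -> str:
    """Table 16/19 lookup. Assumed: a value on a boundary (25 %, 50 %, 75 %)
    belongs to the lower band."""
    for upper, label in RATING_BANDS:
        if percent <= upper:
            return label
    raise ValueError("rating percentage above 100")


def quantitative_rating(severity: float, frequency: float,
                        severity_thresholds: Sequence[Optional[float]],
                        frequency_thresholds: Sequence[Optional[float]]) -> Dict[str, object]:
    """Quantitative trigger: the user enters Severity and Frequency; the
    trigger derives Impact, Likelihood, Exposure and the Risk Rating."""
    impact = band_for_value(severity, severity_thresholds, XMAX)
    likelihood = band_for_value(frequency, frequency_thresholds, YMAX)
    percent = risk_rating_percent(impact, likelihood)
    return {"impact": impact, "likelihood": likelihood,
            "exposure": severity * frequency,
            "rating_percent": percent, "rating": rating_band(percent)}


def qualitative_rating(impact: int, likelihood: int,
                       severity_thresholds: Sequence[Optional[float]],
                       frequency_thresholds: Sequence[Optional[float]]) -> Dict[str, object]:
    """Qualitative trigger: the user enters Impact and Likelihood (1 - 10); the
    trigger looks up Severity N and Frequency N in the Preference record
    (Tables 17 and 18) and derives Exposure and the Risk Rating."""
    if not (1 <= impact <= XMAX and 1 <= likelihood <= YMAX):
        raise ValueError("Impact and Likelihood must be within 1 - 10")
    severity = severity_thresholds[impact - 1]
    frequency = frequency_thresholds[likelihood - 1]
    if severity is None or frequency is None:
        raise ValueError("Preference record has no Severity/Frequency for that value")
    percent = risk_rating_percent(impact, likelihood)
    return {"severity": severity, "frequency": frequency,
            "exposure": severity * frequency,
            "rating_percent": percent, "rating": rating_band(percent)}


if __name__ == "__main__":
    print(quantitative_rating(35, 2.5, SEVERITY_THRESHOLDS, FREQUENCY_THRESHOLDS))
    print(qualitative_rating(8, 8, SEVERITY_THRESHOLDS, FREQUENCY_THRESHOLDS))
```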

Risk Approval Submission trigger

The Risk Approval Submission trigger updates the Status field on Risk and Controls so that the Process Owner can process the Approval.

When a Risk object is created or updated, and the Submit for Approval field value is set to Yes, the trigger completes the following actions:
• Obtains all associated child Control objects and applies validation rules. All child Control objects are assessed and the Status field is set to Awaiting Assessment.
• Updates the Status field on the Risk object and all associated control objects from Awaiting Assessment to Awaiting Approval.
• Obtains the parent Process object to obtain all Risk objects and checks whether all risks for a Process are Awaiting Approval.
• Determines whether all risks for a Process are awaiting approval, and continues based on the following status:
  – If the status is Yes, the trigger ends its process.
  – If the status is No, the trigger sets the Status of the parent Process object to Awaiting Approval, and sends an email notification to the Process Owner.

RCSA Risk and Control Approval trigger

The RCSA Risk and Control Approval trigger allows the Process Owner to approve or reject an assessment of a risk and its controls.

When a Risk object Approve/Reject field is set to Approve or Reject, the trigger completes the following actions:
• If the Approve/Reject field is set to Reject, the trigger updates the Status field value of the Risk and associated Controls to Awaiting Assessment, and sends an email notification to the Risk Owner.
• If the Approve/Reject field is set to Approve, the trigger continues with the following processes:
  – Updates the Status field value of the Risk and associated Controls to Approved.
  – Updates the Process status to Approved, sets the Approval Date, and sends an email notification to the RCSA coordinator.


Visualization triggers

The Visualization triggers prevent the user from adding new Risks as children of the Data Input and Data Output object types.

Risks can only be made children of these object types by associating existing Risks to them. Data Input and Data Output object types are not allowed to be primary parents of Risks.


Chapter 8. Profiles

The IBM OpenPages IT Governance module includes the OpenPages ITG 7.0.0 Master profile by default.

OpenPages ITG 7.0.0 Master Profile

The OpenPages ITG 7.0.0 Master profile includes the fields and configuration for all of IBM OpenPages IT Governance.

This profile includes:
• Filters
• My Work Home page tab and Home page tabs
• Dependent fields and dependent pick lists
• Computed fields
• Activity, Detail, Context, Folder, Overview, Filtered List, Grid Views, and List Views

Subsets of this profile that are appropriate for an IT Library Administrator, IT Director, etc. are created during the implementation project.

Home Page Filtered Lists

The following filtered lists are defined for the My Work home page for users of the OpenPages ITG 7.0.0 Master profile.

Table 20. IBM OpenPages IT Governance My Work home page filter list

Filter | Description | Object Type
My Open Issues | Home page access to your open Issues. | Issue
KRI Breaches | Home page access to KRIs that have a breach status of red. | KRI
KPI Breaches | Home page access to KPIs that have a breach status of red. | KPI
Control Plans Under Development | Home page access to Control Plans being developed. | Control Plan
Critical IT Incidents | Home page access to open critical IT-related Incidents. | Incident
Expiring Waivers | Home page access to approved Waivers that will expire in the next 3 months. | Waiver
My Waiver Approvals | Home page access to Waivers that are being reviewed that you need to approve. | Waiver


Activity Views

By default, the OpenPages ITG 7.0.0 Master profile includes the following activity views.

Table 21. IBM OpenPages IT Governance Activity views

Activity View Name | Description
UCF Mandates | Shows all of the Requirements driven from each Mandate supplied by UCF.
Deloitte Mandates | Shows all of the Requirements driven from each Mandate supplied by Deloitte.
Deloitte Mandate Overview | Shows all of the Sub-Mandates, and for each Sub-Mandate shows its Requirements. Most appropriate for Deloitte content.
UCF Mandate Overview | Shows all of the Sub-Mandates, and for each Sub-Mandate shows its Requirements. Most appropriate for UCF content.
Assess Risk | Used for performing risk assessments on Baselines in the IT Operating Environment.
Assess Control Plan | Used for performing risk assessments on Control Plans in the IT Operating Environment.
Assess Baseline | Used for performing risk assessments on Baselines in the IT Operating Environment.
Mandate Controls | For the selected Mandate, shows all of the associated Controls in the IT Operating Environment. Provides a corporate-wide view of Control Effectiveness for a given Mandate. Filters out Controls in the Library, and only includes Ineffective or Not Determined Controls. Should be run from a Business Entity in the Library.
Control Testing Summary | Used to indicate Control Operating Effectiveness. Provides Test Plan and Test Result information that informs the Operating Effectiveness decision.
Questionnaire Set Up | Used to create and modify questionnaires using the Questionnaire, Section, Question object model.
Questionnaire | Used to respond to questionnaires using the Questionnaire, Section, Question object model.
Process RCSA View | Facilitates conducting process-based Risk and Control Self Assessments.
KPI Value Entry | Use to enter KPI values and change the status to collected.
KPI Value Approval | Use to approve KPI values.
KRI Value Entry | Use to enter KRI values and change the status to collected. After the KRI is defined, the system determines whether a KRI value is required. If the KRI is marked as Active, the KRI helper generates values; if the KRI is marked as Inactive, the utility does not generate a blank value. The value object is initially set up as a placeholder with a status of Awaiting collection.
KRI Value Approval | Determines whether KRI Value approval is required. Set to Yes if the entry of the Value must be reviewed by the KRI owner.
Process Approval | From the Home page, the Process owner can navigate to Processes that are awaiting Approval, using the Process Approval Activity view.
RCSA Approval | From the Home page, the Process owner can navigate to Self-Assessments that are awaiting Approval.
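The KRI value lifecycle that the KRI Value Entry and KRI Value Approval rows describe, modelled as an added example. This is illustrative code written for this page, not OpenPages code or its API: the status names, the rule that only Active KRIs receive a placeholder value, and the rule that the KRI owner performs the review come from the table above; the check that the person who entered a value cannot also approve it, and the sample KRIs, are assumptions added for the example.

```python
"""Reference model of the KRI value lifecycle from Table 21 (added example, not OpenPages code).

From the table: Active KRIs get an 'Awaiting collection' placeholder, Inactive KRIs get no
blank value, entry moves the status to Collected, and approval (when required) is done by
the KRI owner. Assumption added here: the user who entered a value may not approve it.
"""
from dataclasses import dataclass
from typing import List, Optional

AWAITING = "Awaiting collection"
COLLECTED = "Collected"
APPROVED = "Approved"


@dataclass
class KRI:
    name: str
    owner: str              # reviews the value when approval_required is True
    active: bool            # only Active KRIs get a placeholder value
    approval_required: bool


@dataclass
class KRIValue:
    kri: KRI
    period: str
    status: str = AWAITING
    value: Optional[float] = None
    entered_by: Optional[str] = None
    approved_by: Optional[str] = None


def generate_placeholders(kris: List[KRI], period: str) -> List[KRIValue]:
    """Model of the KRI helper: one Awaiting-collection placeholder per Active KRI."""
    return [KRIValue(kri=k, period=period) for k in kris if k.active]


def enter_value(v: KRIValue, user: str, value: float) -> KRIValue:
    """KRI Value Entry: record the number and move the status to Collected."""
    if v.status != AWAITING:
        raise ValueError(f"{v.kri.name} {v.period}: status is {v.status}, not {AWAITING}")
    v.value, v.entered_by, v.status = value, user, COLLECTED
    return v


def approve_value(v: KRIValue, user: str) -> KRIValue:
    """KRI Value Approval: the KRI owner reviews a Collected value.

    The self-approval check is an assumption added for this example; the page only
    states that the KRI owner reviews the value."""
    if not v.kri.approval_required:
        raise ValueError(f"{v.kri.name}: approval is not required for this KRI")
    if v.status != COLLECTED:
        raise ValueError(f"{v.kri.name} {v.period}: status is {v.status}, not {COLLECTED}")
    if user != v.kri.owner:
        raise PermissionError(f"{user} is not the owner of {v.kri.name}")
    if user == v.entered_by:
        raise PermissionError(f"{user} entered this value and may not approve it")
    v.approved_by, v.status = user, APPROVED
    return v


def pending_approvals(values: List[KRIValue]) -> List[KRIValue]:
    """What an approval view would list: Collected values whose KRI requires review."""
    return [v for v in values if v.status == COLLECTED and v.kri.approval_required]


def demo() -> List[KRIValue]:
    """Constructed sample data (not from the page): three KRIs, one Inactive, for one period."""
    kris = [
        KRI("Patch latency over 30 days", owner="alice", active=True, approval_required=True),
        KRI("Privileged accounts without MFA", owner="bob", active=True, approval_required=False),
        KRI("Retired metric", owner="carol", active=False, approval_required=True),
    ]
    values = generate_placeholders(kris, "2013-Q4")  # two placeholders, none for the Inactive KRI
    enter_value(values[0], "dave", 12.0)
    enter_value(values[1], "bob", 3.0)                # Collected is final: no approval step
    approve_value(values[0], "alice")                 # owner, and not the person who entered it
    return values


if __name__ == "__main__":
    for v in demo():
        print(f"{v.kri.name:35} {v.period} {v.status:20} value={v.value} "
              f"entered_by={v.entered_by} approved_by={v.approved_by}")
```

Running the module prints the two values for the period; the Inactive KRI produces no row at all, which is the first thing to check when a KRI's values appear to be missing from an approval view.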

Grid Views

By default, grid views are defined for users of the OpenPages ITG 7.0.0 Master profile.

Table 22. Grid Views

Grid View | Description | Object Type
Enter KRI Values | Use to enter KRI Values. Before using this view, create KRI Value objects. | KRI Value
Approve KRI Values | Use to review and approve KRI Values. Before using this view, create KRI Value objects and enter the values. | KRI Value
Enter KPI Values | Use to enter KPI Values. Before using this view, create KPI Value objects. | KPI Value
Approve KPI Values | Use to review and approve KPI Values. Before using this view, create KPI Value objects and enter the values. | KPI Value


Chapter 9. Role Templates

The following role templates are available, by default, for the IBM OpenPages IT Governance module.

OpenPages ITG 7.0 - All Permissions
Full Read, Write, Delete, Associate (R/W/D/A) access to all default IT Governance object types that are present and enabled by default. Full administrator rights.

OpenPages ITG 7.0 - All Data - No Admin
Full Read, Write, Delete, Associate (R/W/D/A) access to all default IT Governance object types that are present and enabled by default. No administrator rights except those associated with workflows, files and folders.

Both role templates provide read, write, delete, and associate access to the following object types; the two differ only in administrator rights.

Table 23. Role template object types

Object Type Name | Object Type Label
DataInput | Data Input
DataOutput | Data Output
Incident | Incident
KeyPerfIndicator | KPI
KeyPerfIndicatorValue | KPI Value
KeyRiskIndicator | KRI
KeyRiskIndicatorValue | KRI Value
Mandate | Mandate
Policy | Policy
Procedure | Procedure
ProcessDiagram | Process Diagram
Requirement | Requirement
Resource | Resource
ResourceLink | Resource Link
RiskAssessment | Risk Assessment
RiskEntity | Control Plan
RiskSubEntity | Baseline
SOXBusEntity | Business Entity
SOXControl | Control
SOXDocument, SOXExternalDocument | File, Link
SOXIssue | Issue
SOXProcess | Process
SOXRisk | Risk
SOXSignature | Signature
SOXSubprocess | Sub-Process
SOXTask | Action Item
SOXTest | Test Plan
SOXTestResult | Test Result
Submandate | Sub-Mandate
Waiver | Waiver


Notices

This information was developed for products and services offered worldwide.

This material may be available from IBM in other languages. However, you may be required to own a copy of the product or product version in that language in order to access it.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. This document may describe products, services, or features that are not included in the Program or license entitlement that you have purchased.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.


Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Location Code FT0
550 King Street
Littleton, MA 01460-1250
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.


This Software Offering does not use cookies or other technologies to collectpersonally identifiable information.

Copyright

Licensed Materials - Property of IBM Corporation.

© Copyright IBM Corporation, 2003, 2013.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written.

These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Trademarks

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.

Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.


Index

A
Action items 24

D
Data Input trigger 30
Data Output trigger 30

G
grid views 33

I
Impact values 26, 27
Issue (object type) 24
Issue and Action Bulletin notification 15
Issue Lifecycle trigger 24
Issues
    management 24

K
KPI Breach notification 16
KPI Capturer
    KPI Reminder notification 16
KPI Lifecycle trigger 25
KPI Value
    Breach notification 16
    KPI Reminder notification 16
KRI Breach notification 17
KRI Capturer
    KRI Reminder notification 16
KRI Lifecycle trigger 24
KRI Value
    Breach notification 17
    KRI Reminder notification 16

L
Likelihood values 26, 27

N
notifications 15
    Issue and Action Bulletin 15
    KPI Breach notification 16
    KPI Reminder notification 16
    KRI Breach notification 17
    KRI Reminder notification 16

O
object types
    Issue 24
    SOXRisk 26

R
RCSA Qualitative trigger 27
RCSA Quantitative trigger 26
RCSA Risk and Control Approval trigger 29
RCSA triggers 25
Risk and Control Self-assessments triggers
    See RCSA triggers
Risk Approval Submission trigger 29

S
Severity values 27
SOXRisk (object type) 26

T
triggers
    Issue Lifecycle 24
    KPI Lifecycle 25
    KRI Lifecycle 24
    RCSA Qualitative 27
    RCSA Quantitative 26
    RCSA Risk and Control Approval 29
    Risk Approval Submission 29
    visualization 30

V
visualization triggers 30