The best practice to model Risk and Control

Last activity on October 1, 2023 - 11:21 26.7k Views 4 Replies Professional ARIS

Claudio Hernandez on January 24, 2012

Dear members, the next example are right or wrong, and what is your suggestion to model Risk and Control?

1.- Risk in EPC?

In this case the control are conect to function by relationship "Occur in"

2.- Risk in FAD

In this case the control are conect to function by relationship Occur in

3.- Control in EPC and Risk conect to control?

In this case the relationship between function and control is "es ejecutado en"

4.- Control in FAD

In this case the relationship between risk and control is "occur in"

Notify Moderator

4 Replies

Frank Engelbert on January 25, 2012

Hello Claudio,

please refer to this article for the modeling conventions and meta model for risk & compliance, especially SOX Compliance:

http://www.ariscommunity.com/users/fengelbert/2011-04-01-how-model-sox-compliance-aris

Number 1+2 of your examples fit best, from 'risk'-object, you create an assignment to model type 'Business Control Diagram'.

There is more to risk & control modeling, such as Compliance Testing, Audit Management, specific attributes for regulations and so on.

Let me know if you need further information.

kind regards,

frank

Like

Sign in
or register to reply.

Notify Moderator
Claudio Hernandez Author on February 19, 2012
Thanks Frank

I appreciate your coment in this topic.

So, a couple of question more:

1.- What is you suggestion about use Library for Risk and group them in different categories?. Is the best form to work with risk or isn't necesary this model?

2.- And finaly where is best place to put a Object Definition from a risk?

in a group from EPC model

in a group from Diagram Risk

or other?

Thanks again

Claudio
Like

Sign in
or register to reply.

Notify Moderator
Frank Engelbert on February 22, 2012

Hi Claudio,

reg 1, i'd recommend to use risk diagram for classification/categorization/discovery of risks

reg 2, i'd put in in the same folder as Business Controls Diagram, so you can assign/restrict access per BCD

let me know if that helps.

best regards,

frank

Like

Sign in
or register to reply.

Notify Moderator
Claudio Hernandez Author on February 22, 2012
Thanks Frank

I aprecite your response, is very precise. And need your help in one thinks more, i made a post a cuple a day ago, in this post i made a question about how can i model a contol in a EPC?.

Realy i thik the first question is

1.- where is recommendable to diagram a Control:

First in a BCD then in a EPC

Only in a EPC (i assume without contection with a risk)

2.- I suppose that the SOX regulation prevent that the control made executed by the same person that execute a task that produce RISK. Then my question is:

Is possible to find a control y the same process where i found a Risk and how can i diagram this situation, i made a occur copy of function to control or is a definition copy of funcition?

3.- And finaly How to diagram that a function (task/activitiy) is a control

Conect a control on the function in a EPC, that is right i guess is wrong, because finaly coontrol is a function then the conxion betwee function is "is predecessor" and doesn't make a sense.

http://www.ariscommunity.com/users/chernandez/2012-02-19-how-identify-control-epc

Thanks for your help again
Like

Sign in
or register to reply.

Notify Moderator

Upcoming events

Wednesday, June 18, 2025 - 13:00

ARIS User Group DACH

ARIS User Group DACH