Dear members, are the next examples right or wrong, and what is your suggestion to model Risk and Control?
1.- Risk in EPC?
In this case the control is connected to the function by the relationship "Occur in"
2.- Risk in FAD
In this case the control is connected to the function by the relationship "Occur in"
3.- Control in EPC and Risk connected to control?
In this case the relationship between function and control is "es ejecutado en"
4.- Control in FAD
In this case the relationship between risk and control is "occur in"
Hello Claudio,
please refer to this article for the modeling conventions and meta model for risk & compliance, especially SOX Compliance:
http://www.ariscommunity.com/users/fengelbert/2011-04-01-how-model-sox-compliance-aris
Numbers 1+2 of your examples fit best; from the 'risk' object, you create an assignment to the model type 'Business Control Diagram'.
There is more to risk & control modeling, such as Compliance Testing, Audit Management, specific attributes for regulations and so on.
Let me know if you need further information.
Kind regards,
Frank
Thanks Frank
I appreciate your comment on this topic.
So, a couple more questions:
1.- What is your suggestion about using a Library for Risks and grouping them in different categories? Is it the best way to work with risks, or isn't this model necessary?
2.- And finally, where is the best place to put an Object Definition of a risk?
- in a group from EPC model
- in a group from Diagram Risk
- or other?
Thanks again
Claudio
Thanks Frank
I appreciate your response, it is very precise. And I need your help with one more thing: I made a post a couple of days ago, and in that post I asked a question about how I can model a control in an EPC.
Really, I think the first question is
1.- Where is it recommendable to diagram a Control:
- First in a BCD then in a EPC
- Only in an EPC (I assume without connection with a risk)
2.- I suppose that the SOX regulation prevents the control from being executed by the same person that executes a task that produces RISK. Then my question is:
- Is it possible to find a control in the same process where I found a Risk, and how can I diagram this situation? Do I make an occurrence copy of the function for the control, or is it a definition copy of the function?
3.- And finally, how to diagram that a function (task/activity) is a control
- Connect a control to the function in an EPC: is that right? I guess it is wrong, because in the end a control is a function, so the connection between functions is "is predecessor" and that doesn't make sense.
http://www.ariscommunity.com/users/chernandez/2012-02-19-how-identify-control-epc
Thanks for your help again