The best practice to model Risk and Control

Last activity on October 1, 2023 - 11:21 26.7k Views 4 Replies Professional ARIS

Claudio Hernandez on January 24, 2012

Dear members, the next example are right or wrong, and what is your suggestion to model Risk and Control?

1.- Risk in EPC?

In this case the control are conect to function by relationship "Occur in"

2.- Risk in FAD

In this case the control are conect to function by relationship Occur in

3.- Control in EPC and Risk conect to control?

In this case the relationship between function and control is "es ejecutado en"

4.- Control in FAD

In this case the relationship between risk and control is "occur in"

Bookmark

Notify Moderator

4 Replies

Frank Engelbert on January 25, 2012 - 01:09

Hello Claudio,

please refer to this article for the modeling conventions and meta model for risk & compliance, especially SOX Compliance:

http://www.ariscommunity.com/users/fengelbert/2011-04-01-how-model-sox-compliance-aris

Number 1+2 of your examples fit best, from 'risk'-object, you create an assignment to model type 'Business Control Diagram'.

There is more to risk & control modeling, such as Compliance Testing, Audit Management, specific attributes for regulations and so on.

Let me know if you need further information.

kind regards,

frank

or register to reply.

Notify Moderator

Claudio Hernandez Author on February 19, 2012 - 01:44

Thanks Frank

I appreciate your coment in this topic.

So, a couple of question more:

1.- What is you suggestion about use Library for Risk and group them in different categories?. Is the best form to work with risk or isn't necesary this model?

2.- And finaly where is best place to put a Object Definition from a risk?

in a group from EPC model
in a group from Diagram Risk
or other?

Thanks again

Claudio

or register to reply.

Notify Moderator

Frank Engelbert on February 22, 2012 - 01:07

Hi Claudio,

reg 1, i'd recommend to use risk diagram for classification/categorization/discovery of risks

reg 2, i'd put in in the same folder as Business Controls Diagram, so you can assign/restrict access per BCD

let me know if that helps.

best regards,

frank

or register to reply.

Notify Moderator

Claudio Hernandez Author on February 22, 2012 - 03:29

Thanks Frank

I aprecite your response, is very precise. And need your help in one thinks more, i made a post a cuple a day ago, in this post i made a question about how can i model a contol in a EPC?.

Realy i thik the first question is

1.- where is recommendable to diagram a Control:

First in a BCD then in a EPC
Only in a EPC (i assume without contection with a risk)

2.- I suppose that the SOX regulation prevent that the control made executed by the same person that execute a task that produce RISK. Then my question is:

Is possible to find a control y the same process where i found a Risk and how can i diagram this situation, i made a occur copy of function to control or is a definition copy of funcition?

3.- And finaly How to diagram that a function (task/activitiy) is a control

Conect a control on the function in a EPC, that is right i guess is wrong, because finaly coontrol is a function then the conxion betwee function is "is predecessor" and doesn't make a sense.

http://www.ariscommunity.com/users/chernandez/2012-02-19-how-identify-control-epc

Thanks for your help again

or register to reply.

Notify Moderator

Upcoming events

Monday, October 13, 2025 - 11:00

GITEX GLOBAL | 13-17 October 2025
Tuesday, October 14, 2025 - 09:00

OPEX Week: Business Transformation Summit ANZ
Monday, October 20, 2025 - 18:45

Gartner® IT Xymposium/Xpo™ 2025
Tuesday, November 18, 2025 - 09:00

ARIS Roadshow 2025 in Crystal City
Thursday, November 20, 2025 - 12:00

ARIS Roadshow 2025 in Amsterdam

GITEX GLOBAL | 13-17 October 2025

OPEX Week: Business Transformation Summit ANZ

Gartner® IT Xymposium/Xpo™ 2025

ARIS Roadshow 2025 in Crystal City

ARIS Roadshow 2025 in Amsterdam