By Georg Wilhelm

In a previous blog post, we talked about how ARIS helps you in assessing risks. Knowledge about risks your company is facing and assessing them is the first step in your risk and compliance management journey. But there are some further steps to go. You must decide what to do with that knowledge.

The first alternative is to accept the risk: you are willing to bear the consequences if the risk occurs. You could also transfer the adverse consequences, e.g., by taking out insurance. You can implement controls in your processes or IT systems to prevent risks, or to detect them early enough to take countermeasures. Controls to mitigate risks can cover a much broader spectrum and do not only occur in processes or IT systems; just think of engineering controls like a fire alarm or a safety helmet.

Risk mitigation


Implementing policies your employees must follow can also be an appropriate measure, even if these are not supported or enforced by systems. And certainly, you will find a range of other risk-mitigating measures.

Control management


Let us have a deeper look at controls as mitigating activities (to be) implemented in your processes and IT systems. As in all risk- and compliance-related topics, transparency and documentation are truly relevant steps, but only the first ones.

Starting with a control library can be a good entry point, but in many cases you will have to adapt its entries and create distinct controls fitting your specific situation and settings. A typical element of a control library could be “Establish logging operations for your key systems.” The realization and implementation of this might vary from application to application and from process to process. Thus, in many cases it will make sense to use the control library content as an initial input and create your own variants describing your specific controls. You will have to define people responsible, not only for the control library, but for each control implemented in your company. Somebody must take care that the controls are mapped into the company context (risks, processes, IT systems, relevant regulations, norms, etc.) and are maintained and kept up-to-date.

In ARIS, controls are described via a function object carrying specific additional attributes like control objectives, effect of control, etc. The tool offers a wide range of assets to describe responsibilities, business context and the related risk and compliance relevant items (e.g., regulations or norms). This can be maintained graphically, or in a more textual or table-like form. All this content can also be used for reporting and analytical purposes or evaluations. But this is not all the data needed. Current and historical information about the status of the controls implemented (effective or not) should be available to find out if and where improvement is needed.

Control management


Control definition and description 


To define and describe controls you must include different stakeholders who have the needed expertise as subject matter experts (be it regarding legal aspects, technical expertise, knowledge about processes, etc.). Controls can have different effects: they can be preventive, detective, or corrective. Preventive controls aim to avoid or minimize a risk, detective controls make risks visible, and corrective controls help fix the consequences of a risk after it has occurred.

Control description


Control frameworks offer criteria to classify or structure controls and help to cover several aspects and analyze the control system accordingly. An example is the five components defined by the Committee of Sponsoring Organizations (COSO), addressing Control Environment, Risk Assessment, Control Activities, Information & Communication and Monitoring Activities.

ARIS offers out-of-the-box a pre-defined set of attributes to specify controls accordingly. More detailed information about modelling conventions is available in ARIS Documentation Risk and Compliance.

Before implementing, a “Test of design” should be executed to check whether the control is sensibly designed and fulfills its purpose. After implementation, it makes sense to execute this kind of check regularly for already implemented controls; a typical frequency is a yearly check. ARIS can support performing such tests with a specific extension, Risk and Compliance Management.

Control implementation and execution documentation


Typically, the mentioned kinds of controls are implemented in processes and/or in supporting applications. You can either define your own control processes or implement control activities into your existing way of working. A good description can be used as a blueprint for the implementation. After adapting the processes (and IT systems), you should be able to prove and show evidence that controls are executed. This can be supported by analysis of the executed processes, by importing the results via an API, or by human intervention. Conformance checks executed and documented with ARIS Process Mining can help you to automate this analysis.

Control testing


As already mentioned above, a test of design to check whether the control is (still) appropriately designed should be executed before implementing, but also on a regular basis in the running system. Changes in your company, in the company environment, technical innovations, etc. will force you to continually re-check whether your control system is still appropriate.

In addition to that, regular tests of control effectiveness help to get clarity on whether the controls are really executed and working or not. These tests can be based on different methods: inquiry, observation, examination, and reperformance. And of course, control tests can cover every control execution or use a defined sample size. It is possible to use the above-mentioned control execution documentation as input for these tests. In that sense, the tests are a kind of control of the controls.

Control test

ARIS supports you in gathering and documenting the results of these tests in an audit-proof manner, making visible by whom and when test cases were executed.

If controls are not designed or working correctly, you will have to define appropriate measures to improve or adapt your control system. Following an integrated four-eyes principle, a specific reviewer can decide on that.

Workflows facilitate professional management and a clear overview of status and results


To ensure that all tasks are generated following the defined frequency and are executed by the correct people, a control management system using workflows with appropriate information, reminder and escalation mechanisms is key. The responsible people at the different hierarchy levels in the different areas of responsibility (e.g., process owner, subject matter experts, site manager) need up-to-date access to both the status of the different activities and their results.


Control system dashboard


ARIS offers the capability to define and adapt dashboards for specific needs, helping the different stakeholders in managing and making decisions.

Teaser image: Photo by charlesdeluvio on Unsplash
