HN

In one of my recent articles I wrote about policy management and how it can and should be handled in theory. Today I would like to show you the first part of how this process can be supported by the new version 4.1 of ARIS Risk & Compliance Manager.

Let me start with a quick reminder of what the policy management process looks like (for details, please have a look at my previous article):

The process starts with the need for, and the definition of, a policy. In this phase the policy is written, the responsible people are defined, the aim of the policy is specified, and the affected systems, organizations and processes are identified. Modeled in ARIS Business Architect, an example policy could look like this:

In this example the policy 'code of conduct' is used to reduce the risk 'damage to image', and it affects the whole organization. On the left side you can see the responsible persons:

- The policy owner group is responsible for the complete workflow of the policy.

- The policy approver group (e.g. the members of the legal department, the management board, etc.) has to confirm that the policy is correct and compliant with the company's aims and with applicable regulations.

- The policy addressees are the people the policy is aimed at. In our example the addressees are probably all employees of the company, because everybody in the company should know the code of conduct and act according to it.

- Last but not least, the policy auditors have read access to the policy.

When the definition of the policy is finished, all the information can be imported into ARIS Risk & Compliance Manager, and as soon as a previously defined start time is reached, the approval workflow starts. This means that the members of the approver group are notified by the system about the new or updated policy and can then check its correctness within ARIS Risk & Compliance Manager. If they approve the policy, it can finally be published within the company.

Depending on the criticality of a policy, publication might be enough, but if a company wants to comply with specific laws and regulations it is sometimes also necessary for the employees to sign or confirm the policy. This means that the addressees confirm that they have read it, understood it and will act according to it. In ARIS Risk & Compliance Manager you can define for each policy whether an attestation by the addressees is required or not. If you choose attestation, ARIS Risk & Compliance Manager automatically generates a form for each addressee, which he or she can accept or reject.

Of course the policy owner has, at any time, an overview of how many people have accepted the policy and how many have not. For our example it could look like this:

In the list you can see the people who need to confirm the policy, together with the current status of their confirmation (in the example, two people have already accepted the policy, one is still open and one person has rejected it). The aggregated result is shown in the pie chart.

That's it so far for the first two phases, "definition" and "communication", of the policy management process. I will describe the next two phases in another article.
