We have our Business processes modeled using VACDs & EPCs and are now looking to model the associated risks & controls.
After reviewing the Method Manual, UMG DemoDB and related content, the recommended approach seems to be:
- Use "Risk Diagram" to model the risks & risk categories (as appropriate)
- Associate risk objects to related Process Functions in corresponding EPCs
- Use "Business Controls Diagram" to model the controls that are in place for each risk identified
- Is this all? Or is there more to it?
- Is this the right approach? Or is a different approach recommended?
- Once risks & controls are modeled, how can they be used in Process Analysis?
- What out-of-the-box reports can be leveraged once the Risks & Controls are modeled, for further Process Analysis?
- How do you typically use this information once you model it in ARIS?
I also read that these objects / models are used in ARIS - SAP integration / synchronization... Are they relevant only if the modeled processes are implemented in SAP or managed using ARIS GRC?
Looking forward to hearing your responses on ideas, suggestions, recommendations & experiences.
Thanks & Regards,
Shankar