We have our Business processes modeled using VACDs & EPCs and are now looking to model the associated risks & controls.

After reviewing the Method Manual, UMG DemoDB and related content, the recommended approach seems to be:

  1. Use "Risk Diagram" to model the risks & risk categories (as appropriate)
  2. Associate risk objects to related Process Functions in corresponding EPCs
  3. Use "Business Controls Diagram" to model the controls that are in place for each risk identified

  • Is this all? Or is there more to it?
  • Is this the right approach? Or is a different approach recommended?

  • Once risks & controls are modeled, how can they be used in Process Analysis?
  • What out-of-the-box reports can be leveraged once the Risks & Controls are modeled, for further Process Analysis?
  • How do you typically use this information once you model in ARIS?

I also read that these objects / models are used in ARIS - SAP integration / synchronization... Are they relevant only if the modeled processes are implemented in SAP or managed using ARIS GRC?

Looking forward to hearing your responses on ideas, suggestions, recommendations & experiences.

Thanks & Regards,

Shankar
