Modeling Risks & Controls in ARIS

Last activity on October 1, 2023 - 11:21 17.8k Views 4 Replies Professional ARIS

SG

Shankar Ganesh on October 15, 2010

We have our Business processes modeled using VACDs & EPCs and are now looking to model the associated risks & controls.

After reviewing the Method Manual, UMG DemoDB and related content, the recommended approach seem to be:

Use "Risk Diagram" to model the risks & risk categories (as appropriate)
Associate risk objects to related Process Functions in corresponding EPCs
Use "Business Controls Diagram" to model the controls that are in place for each risk identified

Is this all? Or is there more to it?
Is this the right approach? Or is a different approach recommended?

Once risks & controls are modeled, how can they be used in Process Analysis?
What out-of-the-box reports can be leveraged once the Risks & Controls are modeled, for further Process Analysis ?
How do you typically use these information once you model in ARIS?

I also read that these objects / models as used in ARIS - SAP integation / synchronization... Are they relevant only if the modeled processes are implemented in SAP or managed using ARIS GRC?

Looking forward to hear your responses on ideas, suggestions, recommendations & experiences.

Thanks & Regards,

Shankar

Sign in or register to reply.

Notify Moderator

4 Replies

Frank Engelbert on October 15, 2010

Hi Shankar,

the most typical use case for risk & control effectiveness-related Process Analysis would be via the integration to the ARIS product ARIS Risk & Compliance Manager (-> category "Governance Risk & Compliance").

In a nutshell, it provides a simple workflow to make sure your controls are working effectively & your risk management system is working properly

Like

Sign in
or register to reply.

Notify Moderator
Ralf Angeli on October 18, 2010

Besides using the models in conjunction with ARIS Risk & Compliance Manager, they can also be simulated with ARIS Business Simulator in order to evaluate the financial and performance impact of risks and controls.

Like

Sign in
or register to reply.

Notify Moderator
Roman Joss on December 21, 2010

Hello Shankar,

We use this method to document our internal control system. we created a individual process-report and in an separate chapter we get most of the informations from the BCD in a table named 'risk-overvew'. As we numbred every risk we use the risk-number to sort the risk-descriptions.

We do not use the 'Governance Risk & Compliance'-Modul, but we set up the BCD-Models so, that we can use it later, if needed.

I hope that helps.

regards, roman

Like

Sign in
or register to reply.

Notify Moderator
Jos Ross on October 29, 2011

Hi Shankar,

In general your approach is ok.

Last year we start the implementation of our Enterprise Risk Management (including ISAE,SII etc) using ARCM. You can also add the object "Testplan": a testdescription for testing the control.

To manage the testactivities (including the sign-off of the processowners) use ARCM.

Like

Sign in
or register to reply.

Notify Moderator

There are currently no upcoming events.

Sign in

Reset Password