Aris Risk and Compliance (ARCM)

Hi Tommaso.

I am not sure if I understand your question correctly. I dont get the issue about "To view the risk category in the report, these risks must be mapped in occurrence copy in the CPE."

But: each risk object is unique for the risk assessment. For example: you may have two occurrences of the risk "Internal fraud", one in process A and one in process B. Is this the same risk or are these two different risks? It depends on if you want to have separate assessments.

If it is the same risk and this one risk may happen in both processes, then it's one ARIS object in two EPCs and you will have one risk assessment scheduler out of it (one new risk assessment each year)

If it is two different risks and each risk may happen in one processes, then it's two different ARIS objects (two definitions with same name) in two EPCs and you will have two risk assessment schedulers out of it (two new risk assessment each year)

It depends on how you define the risk from the business side: is all fraud risk just one risk or is each fraud risk a different risk on its own?

Does this answer your question?

KR

Steffen

Hi Steffen,

the problem arises when I have the same risk in two CPEs, but the impact of that risk is different for each of them.
for example: i have two CPE (A and B) and in both CPE appears the same risk "x" (mapped in occorrence copy because i want the same category of risk. In the first CPE the impact of the risk is 1; in the second CPE the impact is 2.
The problem is that the risk is mapped in occorrence copy, so when I enter the risk rating, it will be the same in both objects (I want two different rating, for the same risk mapped in two CPE in occorrence copy).

In general, if a risk has two different "threat levels", it's supposed to be two risks (with the same name). You can use occurence copies as a risk may be related to more than one function. But then it is the SAME risk and hence it will only have ONE evaluation.

That is my problem: in the first Aris module the risks will be in occorrence copy (cause I want the same category), I would like to have those risks in definition copy in the ARCM module, so I can change the "threat level" for each risk.
Is this solution possible?

ARCM does not distinguish between definition and occurrence as it does not have models, just objects.

If you need several "definition copies" (objects) in ARCM, you need to create several definition copies in ARIS. 

What is the problem of having various definition copies in ARIS under the same category?

the problem of creating various definition copies in Aris is that I have like 150 processes and like 500 risks. Each risk is connected with the category in a risk repository in Aris(some risks are reputational, other compliance, operational, 231 etc.). If I create a risk in definition copy, it loses the connection with its risk category and this category will not displayed in the report (we have developed the software so that the risk category comes out in the report and all the risks of that category, mapped in the CPE, are listed below).

The second problem is that each risk can appear in a lot of processes: this will be a problem, having 150 processes and more than 500 risks ( I may have to create in definition copy the same risk 50 times). I was looking for another solution.

Variants of the risk may be an option. Also, please check the "assignment inheritance" of risk to risk modeling in the conventions manual. Risk category can be inherited from one definition to another.