Governance, Risk & Compliance Management with ARIS


ARIS Platform - White Paper, June 2008

Table of Contents

1 Increasingly complex requirements demand implementation of a GRC platform
1.1 Why GRC?
  German Supervision and Transparency in the Area of Enterprise Act (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich - KonTraG)
  Minimum requirements for bank equity (Basel II)
  Sarbanes-Oxley Act
  The 8th EU Directive (EURO-SOX)
  Markets in Financial Instruments Directive (MiFID)
  Solvency II
  Setting up a QM system to comply with DIN ISO 9000:2000
  Draft statement of minimum requirements for risk management in banks as of February 2, 2005
  Combating money laundering
1.2 Added value through international standards for setting up internal control systems
  CObIT (Control Objectives for Information and Related Technology)
  COSO Framework
  SAS 70
1.3 Applying standards - not reinventing the wheel
2 Well equipped for integrated GRC management
2.1 Acting, not reacting
2.2 Integrated GRC architecture
2.3 ARIS Solution for GRC - seamless and integrated
  ARIS Business Architect
  ARIS Risk & Compliance Manager
  ARIS Business Publisher
  ARIS Process Risk Scout
  Interaction with other external applications
    Document management systems
    Directory services
    Operational systems
    Authorization systems
From nightmare to competitive advantage
Bibliography

1 Increasingly complex requirements demand implementation of a GRC platform

GRC aims to align a company with the requirements of its interest groups and help identify changes in those requirements. It focuses on sustainable, risk- and value-based, ethical, and legally compliant corporate management. All relevant expectations of the interest groups result from the requirements of the three elements of corporate governance, risk management and compliance.

Corporate governance refers to a framework for goal-oriented, responsible, ethical and legally compliant management and control of a company. Risk management refers to handling risks that pose a threat to the achievement of strategic and operational corporate goals. Compliance refers to meeting all relevant internal and external requirements, both binding and non-binding, of all interest groups. Non-compliance with these requirements is a risk for companies and affects numerous corporate processes. This raises the fundamental question of how compliance with all relevant requirements can be ensured.

Governance, risk and compliance management comprises risk-oriented corporate management within a framework of principles for goal-oriented, responsible, ethical, controlling and legally compliant management. It also includes the documented incorporation of all relevant internal and external, current and future, binding and non-binding regulations and requirements into the design of business processes in a way that can be audited at any time.

Fig. 1: Various GRC requirements that companies face (regulatory: multiple jurisdictions, restrictive environment; technology: interconnectivity, diversity; political: public policy, foreign relations; business relationships: complexity, extended environment; economic: outsourcing, distributed operations; geographic: multiple markets, cost of capital). Source: Michael Rasmussen, Business Complexity Challenges Compliance, Forrester, 14 July 2005

Many companies have taken initial steps in the right direction. Individual control systems have been put in place for specific divisions and legal regulations. In most cases, however, these control systems do not access a shared database and many lack a uniform conceptual basis. A decentralized approach, combined with other factors such as time pressure, has led to the creation of isolated applications in different company areas, which rely on different IT support systems and are incompatible or cannot be evaluated.

The risk-based definition of effective controls, the documentation of these controls, and the monitoring of how up-to-date and effective they are in a constantly changing, dynamic GRC and business environment is a major challenge facing companies today. As activities that do not directly add value, controls must be kept to the necessary minimum. Integrated GRC management therefore affords companies an opportunity to ensure the efficiency and effectiveness not only of the processes themselves but also of the actual controls implemented.

Many laws and directives require a company's internal control system to be ready for audit at any time. This calls for complete and audit-acceptable documentation and monitoring of controls, as well as the definition of processes and responsibilities for dealing with deficiencies and for releasing documents and test intervals. In addition, test data must be processed for external or internal auditors or management at certain times in an appropriate form for the relevant target group.

For all these tasks, it is extremely important for companies to establish a central GRC strategy. This ensures that the various activities can be combined into a consolidated GRC management system and that all synergies (personnel resources, data, IT, and existing knowledge) can be efficiently exploited.

1.1 Why GRC?

Continually developing systems lead to increasingly complex corporate processes. While many work steps and inspections were still performed manually twenty years ago, today's systems can order materials and also carry out the corresponding payments and postings of business transactions. Against this background of growing process complexity, the creation and monitoring of an appropriate and effective internal control system is essential to ensuring a company's lasting success. The large number of accounting scandals in recent years has led to international and national legislation that obliges companies to set up (accounting-related) internal auditing systems and to implement technical standards and recommendations to restore confidence in financial reporting. Some of these regulations are briefly discussed below.

German Supervision and Transparency in the Area of Enterprise Act (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich - KonTraG)

Passed eight years ago, this law requires companies to implement and operate a company-wide early warning system for business risks. As a minimum, this system must be able to identify and evaluate risks that threaten the company's existence, define measures to monitor risks and verify that the defined measures have been taken. These may be strategic risks (e.g. market developments/new competitors), IT risks (e.g. system failures, data losses), or operational risks (e.g. production outages). Suitable measures for controlling these risks must then be taken to prevent situations that threaten the company's existence. Finally, the implementation of the defined risk-control actions should be tested and a cost-benefit analysis carried out.

Minimum requirements for bank equity (Basel II)

In its current revision of the minimum requirements for bank equity (Basel II), the Basel Committee of the Bank for International Settlement (with headquarters in Basel, Switzerland) requires dedicated handling of operational risks (OpRisk) for the first time. Banks must maintain sufficient equity for their OpRisk to ensure sufficient reserves in case of losses due to these risks. This framework is not legally binding in itself, but national central banks have generally implemented it without any changes in binding legal standards. The framework is currently being implemented under European law under the EuroCAD 3 directive. Basel II is therefore legally binding.

Sarbanes-Oxley Act

Following numerous accounting scandals and company crashes, the Sarbanes-Oxley Act (SOX) was passed in 2002 with a view to improving the quality of risk management and control systems in companies. Section 404 regulates the implementation and monitoring of processes to guarantee an efficient (accounting-related) internal control system. The act requires that companies and their subsidiaries listed on the American stock exchange are able to prove the efficiency of internal control systems for financial reporting. Within the scope of numerous Sarbanes-Oxley projects, companies are currently checking their internal control systems for weak points. Process flows and internal controls are systematically recorded and documented, existing weaknesses are eliminated, and the effectiveness of these controls is repeatedly tested.

The 8th EU Directive (EURO-SOX)

The purpose of the 8th EU Directive, or Audit Directive, is to tighten up the requirements to be met by published company accounts, along the lines of the US Sarbanes-Oxley Act. On September 28, 2005, the European Parliament adopted the proposed compromise text of the directive at its first reading. Internal control systems will therefore need to comply with higher standards in the EU in the future. All processes and their controls must be documented to provide reliable proof that all business transactions have been handled correctly. With reference to IT, this means that the security and availability of IT systems must be verifiable. The key change for companies of public interest is the requirement to set up an audit committee. The duties of such a committee include monitoring the effectiveness of internal audit activities, the risk management system, and the internal control system. The 8th EU Directive will be implemented in national law by June 28,

Markets in Financial Instruments Directive (MiFID)

The Markets in Financial Instruments Directive (MiFID) is an EU Directive designed to harmonize the financial markets within the European internal market. The Directive was officially adopted under the title "Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments amending Council Directives 85/611/EEC and 93/6/EEC and Directive 2000/12/EC of the European Parliament and of the Council and repealing Council Directive 93/22/EEC". In early February 2006, the European Commission published draft documents covering implementation of the Directive. The European Parliament consented to an extension of the deadline for implementation, according to which Member States had to put MiFID, together with the Implementation Directive, into force no later than January 31, The regulations themselves must be applied no later than November 1, The Directive is implemented in German law by the Act Implementing MiFID (FRUG), in conjunction with the Ordinance on Specifying the Rules of Conduct and Organizational Requirements for Companies Providing Securities Services (WpDVerOV).

Solvency II

The Solvency II directive aims to establish a risk-based solvency system to enable risk-oriented evaluation of premium regulations and to take account of dependencies between assets and liabilities, as well as recent concepts in the fields of risk management, insurance mathematics, financing methods, and financial reporting. Actuarial, operational, market and credit risk are to be taken into account, as well as the risk of incongruity between assets and liabilities. Sophisticated methods of risk analysis and capital allocation are available to ensure a more accurate determination of a company's realistic equity-to-assets ratio. Solvency II is closely associated with Basel II, the legal supervisory basis for banks, and IFRS, the new accounting principles.

Setting up a QM system to comply with DIN ISO 9000:2000

DIN ISO 9000:2000 requires a company to set up process-oriented QM systems. Implementing a quality management system should enhance a company's efficiency by speeding up improvement processes, reducing frictional losses and boosting employee motivation through clear structures and well-defined instructions. Furthermore, customer and employee confidence in the quality of the company's goods and services is reinforced in a sustainable manner. The main requirement of this standard is the process-oriented alignment of the company and thus also of the QM system. This means that all departments and functions within the company must be examined to determine how they interact, because quality is the responsibility of the company as a whole, rather than of individual departments.

Draft statement of minimum requirements for risk management in banks as of February 2, 2005

With the publication of the draft statement of the German Federal Financial Supervisory Authority (BaFin) on the minimum requirements for risk management in banks dated February 2, 2005, the BaFin addresses essential elements of the second pillar of the Basel Accord, the Supervisory Review Process (SRP), and the essential guidelines for its implementation. A key element of the SRP is the Internal Capital Adequacy Assessment Process (ICAAP). According to ICAAP, institutions must ensure that sufficient internal capital is available to cover all major risks, based on the individual risk profile. This assessment, which is based on an integrated risk examination, requires the institutions to have implemented appropriate management, control and monitoring processes. In this respect, the statement represents a basis for assessment by the supervisory body. Specifically, the statement is based on Section 25a, paragraph 1 of the German Banking Act (KWG), under which every institution must have a business organization that complies with the regulations.

Combating money laundering

Prevention of money laundering is an essential part of banking supervisory law. It particularly affects banks and financial service institutions as defined in Section 1 of the German Banking Act (KWG), which are subject to supervision by the Federal Financial Supervisory Authority (BaFin). However, industrial companies are also obliged to implement the provisions of the German Money Laundering Act (GwG). The following key elements of money laundering prevention warrant special mention:

- Know Your Customer Principle (Know the Source of the Money Principle)
- Identification obligations and obligation to determine the true owner
- Obligation to record results and keep records

The prosecuting authorities can access these records in the course of investigations and trace the flow of money that may have been involved in crime (referred to as the "paper trail"). In particular, complying with and implementing these obligations requires the development of internal principles, as well as appropriate business and customer-related security systems. Appropriate business and customer-related security systems are usually set up using software that enables extensive data pools to be evaluated and linked by customer, turnover and business type. The processes and the controlling environment must be adapted accordingly. The BaFin states that not only customer groups, but also business processes must be subject to money laundering control activities.

1.2 Added value through international standards for setting up internal control systems

CObIT (Control Objectives for Information and Related Technology)

Unlike the regulations discussed above, CObIT is an internationally acknowledged framework for strategic IT management, rather than a binding law. It helps companies to comply with various legislation and international standards. CObIT is published by the IT Governance Institute (ITGI). The ITGI's role is to produce an internationally recognized set of IT control targets for managers and auditors. CObIT makes a company's IT measurable and therefore manageable in terms of business goals. The framework combines 41 national and international standards dealing with quality, safety and compliance with regulations:

- Technical standards, such as ISO, EDIFACT
- Codes of conduct, published by the EU, OECD, ISACA
- Qualification criteria for IT systems and processes, including ITSEC, TCSEC, ISO 9000, ISO 17799, ITIL
- Professional standards in terms of internal control and auditing: COSO report, IFAC, AICPA, IIA, ISACA, PCIE, GAO
- Industrial practices and requirements of industrial committees
- Requirements from the banking, electronic commerce, and IT sectors

Requirements relating to the Sarbanes-Oxley Act

Effective IT control plays an important role in the context of Sarbanes-Oxley. The underlying auditing standard (PCAOB Auditing Standard No. 2) requires the setting up of controls for IT systems that have a significant effect on financial reporting. In 2004, the IT Governance Institute (ITGI) published the IT Control Objectives for Sarbanes-Oxley. In this publication, 12 of the 34 existing CObIT processes are identified as relevant for Sarbanes-Oxley. Companies that successfully implement CObIT therefore already meet a majority of the IT-related requirements from the Sarbanes-Oxley Act.

COSO Framework

Like CObIT, the COSO Framework is an internationally recognized framework for the adequate definition of an internal control system and related goals, rather than a binding law. It was developed by the Treadway Commission's Committee of Sponsoring Organizations.

Fig. 2: Elements of an adequate ICS according to COSO II (components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring; objectives: Operations, Financial Reporting, Compliance; entities: Group, Corporate Departments, Regional Companies)

Once an internal control system contains all the components described in the COSO Framework, it can be declared appropriate for the purposes of meeting statutory requirements. This is expressed, for example, in PCAOB Auditing Standard No. 2 by an explicit reference to the COSO Framework. National and international standards for auditors have also adopted the elements of the COSO Framework (for example, see IDW (German Institute of Auditors) PS 260).

SAS 70

SAS 70 (Statement on Auditing Standards No. 70) reporting has become the de facto international standard for auditing in (IT) service organizations. SAS 70 is the internationally recognized AICPA (American Institute of Certified Public Accountants) standard for compliance with Section 404 of the Sarbanes-Oxley Act.

1.3 Applying standards - not reinventing the wheel

The standards mentioned in this section help companies set up comprehensive control frameworks and meet the requirements of a wide variety of regulations. As a result of risk or quality management requirements, many companies have already adopted one of these approaches and therefore only need to supplement their existing structures. In any case, the right choice and appropriate use of standards can considerably reduce roll-out times and costs, provide a guarantee of the completeness and quality of a GRC solution, and ensure the reusability of structures and data for future requirements.

2 Well equipped for integrated GRC management

Definitive regulations as to the form that an internal control system should take and the necessary components for it to be classified as appropriate are not specified in the Sarbanes-Oxley Act, the national IDW professional regulations or other laws and standards. As far as regulations exist, they specify the obligation to set up an appropriate internal control system based on generally accepted management principles. How to design such a system is not defined, but left to the discretion of individual companies. This allows sufficient scope to reflect specific aspects of each company's organization and business activities.

So, how can companies best tackle the complex issue of GRC management? How can companies make sure that they are complying with current requirements while remaining sufficiently well equipped and flexible to deal with future demands? How do companies protect the investment in a company-wide GRC management system that will undoubtedly be necessary?

The regulated economic environment represents a new challenge for management. On the one hand, companies do business in a dynamic and complex economic environment that requires fast responses and flexibility but also the maintenance of a consistently high standard of quality. On the other hand, they have to meet the requirements of the regulatory environment, which calls for a very strict procedure so that proof and documentation can be presented in the required manner. Yet even in this regulated economic environment, the constant increase in legal and regulatory requirements makes a dynamic and flexible response to change essential to survival.

Fig. 3: The regulated economic environment as a challenge for management (dynamic & complex economic environment vs. dynamic & complex regulatory environment: Compliance?)

Business processes must be organized in such a way that they are not only appropriate for the economic environment, but also comply with the requirements of laws, standards and ethical principles. Companies must be able to integrate new regulatory requirements efficiently into corporate processes without obstructing the economic environment. It is precisely this requirement that most companies have to date regarded as a burden.

2.1 Acting, not reacting

IDS Scheer provides a framework for integrating GRC requirements into business processes. According to an IDS survey conducted in 2005, half of those polled saw potential for competitive advantage in an integrated, process-based GRC solution.

IT analysts such as Forrester see an important milestone towards the setting up of a functioning GRC system in the decision not to react to every law and regulation with independent, stand-alone responses, but to control the GRC management issue centrally and define a company-wide GRC strategy:

"Move compliance from tactical reaction to strategic imperative. Firms can no longer afford to approach compliance as a periodic and tactical project like meeting the Sarbanes-Oxley 404 deadline." (Forrester, Business Complexity Challenges Compliance, 14 July 2005)

Regardless of how reassuring it is to receive Sarbanes-Oxley certification, companies will still be very aware that the next audit date has already been set and that much more is involved than merely complying with the Sarbanes-Oxley Act. This means moving away from one-off actions and adopting a recurring GRC cycle within the company:

"Because the requirement to be compliant with regulations never ends, having a cyclical framework to guide the compliance activity is important." (Gartner, The IT Executive's Best Practice Guide to Sarbanes-Oxley, 31 August 2005)

Since GRC requirements partially overlap, companies need a comprehensive architecture that covers a wide range of aspects. In terms of software-based solutions, a company must have the ability to implement the requirements of several sets of regulations at the same time. This is precisely why companies should opt for comprehensive and proven standards and then tailor these to meet company-specific requirements.

"Use peer-reviewed, publicly available internal control frameworks [such as COSO and COBIT] to improve corporate and IT governance." (Gartner, The IT Executive's Best Practice Guide to Sarbanes-Oxley, 31 August 2005)

IT systems can then be implemented that play a critical role in successful and sustained compliance projects by providing the best possible support for meeting the demands placed on companies by the economic and regulatory environment.

"Compliance, corporate governance and public policy issue management will become competitive differentiators dependent on IT in much the same way as is e-business." (Gartner, The IT Executive's Best Practice Guide to Sarbanes-Oxley, 31 August 2005)

2.2 Integrated GRC architecture

What would the architecture of an integrated GRC system that met the requirements outlined above actually look like? GRC management is only worthwhile if a company uses the opportunity to optimize and harmonize processes and put in place an efficient organization with clear goals, integrated methods and coordinated system support. Our response to this was to develop a three-tier GRC architecture (see figure 4).

Fig. 4: Integrated GRC architecture (design of method: interpretation of legislation and regulations of the regulated economic environment, such as SOX and ICS, on strategic level and definition of compliance portfolios; implementation of frameworks such as COSO and COBIT on business unit level; utilisation of the compliance solution on operational level, with BPM and compliance management organizations, owners, offices, conventions, process frameworks, audits/reports and assessments)

If a strategy is to have any potential for success, it must be geared towards both the regulatory and economic environment of a company. It is therefore important to begin by clarifying which laws, regulations, or standards are relevant for a company and to what extent. In addition, a successful project outcome requires the integration of a GRC organization with clearly defined competencies and tasks (see example in figure 5) into the company's organizational model.

Fig. 5: Example of a GRC organization

The next step is to define the necessary levels, functions, and inputs/outputs of a GRC system based on standard frameworks such as COSO (Section 1.2.9) or CObIT (Section 1.2.8). This includes identifying the divisions and processes in the company that are affected by the requirements, identifying and evaluating the specific risks within the affected processes, and defining and implementing actions / controls to optimize the risk portfolio. Based on this, tests are defined to monitor whether the specified actions / controls are implemented and to verify on a regular basis the effectiveness and design of the control itself. This allows outdated, redundant or inefficient controls to be identified and subsequently optimized or eliminated. Finally, the GRC organization is supplemented by testing, escalation, and release hierarchies that must be seamlessly integrated into the process to ultimately create complete control system documentation that can be signed off and meets the demands of external auditors.

The lowest level of the GRC architecture relates to operational GRC processes. This is where the testing, documentation, evaluation and reporting are carried out. Furthermore, both internal and external audits can be prepared from these data pools. IDS Scheer provides its customers with software support for these tasks in the form of the integrated tools and methods of the ARIS Solution for GRC. Another important aspect is the project procedure. IDS Scheer has developed the ARIS Value Engineering consulting approach, which can be used for this purpose.

Fig. 6: ARIS Value Engineering (Compliance Management Roadmap with the phases Strategy, Design, Implementation and Controlling, from assessing the compliance and risk management situation and defining the business case and project scope, through designing and implementing the compliance and risk management workflows, to executing and monitoring the compliance process and maintaining the ARIS Solution for GRC)

With ARIS Value Engineering, IDS Scheer provides an innovative procedural model. The individual components of the BPM lifecycle can be combined flexibly rather than sequentially as in a waterfall model. ARIS Value Engineering can be deployed for end-to-end projects, such as the complete rollout of a process-oriented organization or optimizing entire value chains. However, ARIS Value Engineering also offers solutions for specific tasks, such as introducing process controlling or implementing a company-wide GRC system. ARIS Value Engineering is a toolkit consisting of services, methods, tools and know-how.

2.3 ARIS Solution for GRC - seamless and integrated

The ARIS Solution for GRC covers the entire lifecycle, from identification of the processes that are relevant for risks and the affected items to the definition of risks, design of controls and tests and their implementation and documentation, right through to monitoring and re-testing of the improvement measures.

Fig. 7: ARIS Solution for GRC (ARIS Design Platform: ARIS Business Architect for process modeling and documentation of compliance master data, ARIS Business Publisher for publication of information; ARIS Controlling Platform: ARIS Risk & Compliance Manager for tests, deficiency management, sign-off, survey management, issue management and operational risk management, ARIS Process Performance Manager for the Compliance Process Dashboard; ARIS Strategy Platform: ARIS Business Optimizer for quantitative process analysis of times, costs and resource requirements, ARIS BSC for management of business strategy & objectives)

ARIS Business Architect

ARIS Business Architect is used to document both the processes and risks and the entire master data for the GRC system (controls, resources, tests, etc.), which can then provide a basis for continuous monitoring of the suitability and effectiveness of internal controls in ARIS Risk & Compliance Manager.

Fig. 8: GRC master data in ARIS Business Architect

A key feature of an effective GRC system is the ability to link processes to risks and controls. This allows a process-oriented risk/control approach, which can be used across all organizational areas within a company. Risks in processes are identified and assigned controls. These controls are, in turn, assigned control tests. ARIS Risk & Compliance Manager is configured using the following data:

- Documentation of a company's processes, hierarchies, organizational structures, IT systems
- Identification of relevant risks and assignment within the business processes
- Definition and description of risks, including classification, date of the last evaluation, early warning signals and KPIs for risk monitoring with intervention thresholds, control processes, emergency processes, risk owners
- Risk assessment: Risk analysis includes not only the identification of risks, but also the assessment of risks in terms of potential losses. This assessment provides the data necessary for subsequent phases, in particular the planned design of internal controls and risk reporting. Without an assessment of the risks, it is impossible to perform a meaningful cost-benefit analysis for any possible actions, as the costs of risk-reducing actions have to be compared with the potential for mitigating the risk.
- Definition of actions/controls to minimize the risks (assignment of internal controls specifying the control targets and the person responsible for the control); assignment to the risk that the internal control is designed to prevent, reduce, uncover and correct; link between the control and the components of the COSO Framework
- Definition of tests to monitor the controls implemented, including all relevant information: who tests what, how often and at what time, to what extent, etc.

This documentation is used to feed data into ARIS Risk & Compliance Manager, which is then the workflow system for operational monitoring of all internal controls.

ARIS Risk & Compliance Manager

As an internal control and monitoring system component, ARIS Risk & Compliance Manager helps companies create an audit-ready control environment with an audit workflow for continuous monitoring and optimization of the risk-based internal control system.

Fig. 9: ARIS Risk & Compliance Manager

Once ARIS Risk & Compliance Manager has automatically synchronized the risk, control and test data from ARIS Business Architect, it performs a test run with a workflow which starts by automatically addressing the people responsible for the test and ends with sign-off and preparation of the data for external audits.

Test workflow

In ARIS Risk & Compliance Manager, all test owners can display an overview of all tests assigned to them and the date by which each test must be completed. The test workflow system provides testers with all the necessary information, guides them through the test and the associated documentation, and triggers the necessary follow-up actions depending on the test results.

Fig. 10: List of test cases including results

The control test procedure must follow the dual purpose test principle, in which the control must be assessed in terms of both its suitability and its effectiveness. Both results are stored in the ARIS Risk & Compliance Manager database. During processing, the system documents and logs any additional changes. Tests cannot be changed once they have been closed by the system or the user, thus ensuring that they cannot be manipulated.

Deficiency management: defined change management processes for control system flaws

An escalation process is triggered for every test that is not completed on time and is therefore closed automatically by the system; this ensures that the owner is informed. A deficiency management process is triggered for every test that shows a control to be ineffective, which ensures that action is taken to restore the integrity of the internal control system. The system documents and logs all of these processes so that they can be tracked by management and prepared for an external auditor without a great deal of extra work.

Sign-off management: organization of release processes

A second instance evaluates all completed tests in terms of their execution and quality. In addition, as preparation for a final check (audit), for example at the end of the fiscal year, an extra confirmation is performed for individual areas to verify that the internal control system can be regarded as adequate and effective and can therefore be released. ARIS Risk & Compliance Manager provides a workflow-based release process for this. It also offers the option of a release for each financial statement item or process. These elements can be structured in a hierarchy: after checking and release, the releases for the individual elements are bundled and passed up to the next level in the hierarchy for release, until approval is granted by senior management.

Survey management

Self-assessments based on integrated questionnaires (e.g. a COSO questionnaire) support the implementation of appropriate and adequate controls for a risk.

Fig. 11: Example of an ARIS Risk & Compliance Manager questionnaire

ARIS Risk & Compliance Manager provides the functionality to create and manage questionnaires with a very wide range of content. It also provides functionality for conducting surveys, with support in the form of automatic evaluations and the production of customized reports.
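The test workflow and the deficiency and escalation processes described in the two sections above are, in essence, a small state machine over test cases: a tester records a dual-purpose result, the record becomes immutable on closure, an ineffective result opens a deficiency, and a deadline job closes overdue tests and escalates to the owner. The following is an added example that shows this logic in working code; it is not ARIS code, and the data model, state names, field names and the sample tests T-1 to T-3 are constructed for illustration.

```python
"""Control-test workflow: dual-purpose result recording, immutability after
closure, deadline escalation and deficiency tracking.

Added example, not ARIS code. The data model, state names and the sample
tests T-1..T-3 are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class TestCase:
    test_id: str
    control_id: str
    owner: str                           # person responsible for executing the test
    due: date                            # completion deadline
    status: str = "open"                 # open -> closed (by tester) | expired (by system)
    design_ok: Optional[bool] = None     # suitability: is the control designed for the risk?
    operating_ok: Optional[bool] = None  # effectiveness: did it operate as intended?
    log: list = field(default_factory=list)  # append-only trail of (when, who, what)


class Workflow:
    def __init__(self):
        self.tests = {}
        self.escalations = []   # (test_id, owner) for tests auto-closed past their due date
        self.deficiencies = []  # (test_id, control_id, reason) for ineffective controls

    def add(self, test):
        self.tests[test.test_id] = test

    def record_result(self, test_id, design_ok, operating_ok, tester, today):
        """Dual-purpose result: suitability and effectiveness are recorded together.
        A closed or expired test is immutable; any attempt to alter it is refused."""
        t = self.tests[test_id]
        if t.status != "open":
            raise PermissionError(f"{test_id} is {t.status}; closed tests cannot be changed")
        t.design_ok, t.operating_ok = design_ok, operating_ok
        t.status = "closed"
        t.log.append((today, tester, f"design_ok={design_ok} operating_ok={operating_ok}"))
        if not (design_ok and operating_ok):
            reason = "design" if not design_ok else "operation"
            self.deficiencies.append((test_id, t.control_id, reason))
            t.log.append((today, "system", f"deficiency opened ({reason})"))

    def run_deadline_check(self, today):
        """Periodic job: tests still open after their due date are closed by the
        system and escalated to their owner."""
        for t in self.tests.values():
            if t.status == "open" and t.due < today:
                t.status = "expired"
                self.escalations.append((t.test_id, t.owner))
                t.log.append((today, "system", f"auto-closed past due; escalated to {t.owner}"))

    def ineffective_controls(self):
        """Controls whose integrity must be restored through deficiency management."""
        return sorted({control for _, control, _ in self.deficiencies})


def run_demo():
    """Constructed scenario: one clean test, one ineffective control, one overdue test."""
    wf = Workflow()
    wf.add(TestCase("T-1", "C-1", "frank", date(2008, 6, 30)))
    wf.add(TestCase("T-2", "C-2", "grace", date(2008, 6, 30)))
    wf.add(TestCase("T-3", "C-3", "erin", date(2008, 6, 20)))
    wf.record_result("T-1", True, True, "frank", date(2008, 6, 15))
    wf.record_result("T-2", True, False, "grace", date(2008, 6, 16))  # well designed, failed in operation
    wf.run_deadline_check(date(2008, 6, 25))  # T-3 is now overdue
    return wf


if __name__ == "__main__":
    wf = run_demo()
    print("deficiencies:", wf.deficiencies)
    print("escalations:", wf.escalations)
    for t in wf.tests.values():
        for entry in t.log:
            print(t.test_id, *entry)
```

The point of the `PermissionError` branch is the one the paper stresses: once a result is closed, neither the tester nor a later system run can rewrite it, and every state change, including the system's own auto-closure, lands in the same append-only log that the auditor later reads.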

Compliance Process Dashboard

ARIS Risk & Compliance Manager features a Web-based dashboard with KPIs that provide a quick overview of the status of all GRC activities. For example, the proportion of test cases still open or the deficiencies found in a business process can be displayed.

Fig. 12: Example of the evaluation of test cases by type and effect in the Monitoring Dashboard

In addition to this configurable overview, a powerful front end provides detailed interactive analysis options for the various features (dimensions). Analyses can be compiled by drag and drop, for example to list the number of deficiencies by region and status. Process owners and department managers benefit from a detailed, ongoing overview of test activity status, so that shortcomings in the internal control system can be detected and resolved at an early stage.

For companies seeking to leverage improvement potential and eliminate bottlenecks, Compliance Process Performance Manager provides more in-depth analysis functions, such as structural analysis and automated search functionality (data mining).

Fig. 13: Aggregated process sequence, automatically generated from process instances

In addition, every single test and deficiency process can be analyzed and displayed as a process chain. Aggregated process displays (e.g. an EPC of the test flow in the first quarter) with probabilities and KPIs reveal structural weaknesses in process execution and enable optimization potential to be identified in the compliance processes. The data mining functionality automatically flags potential weaknesses.

ARIS Business Publisher

Linking the control system to the relevant processes is an essential requirement, which is fulfilled by the ARIS Solution for GRC. All internal controls and associated tests are linked to the processes in which the risks were identified. Web-based risk portals give employees role-based access to the relevant information, allowing them to find all data relating to the required process details, risk data or emergency plans at the click of a mouse.

ARIS Process Risk Scout

ARIS Process Risk Scout supports companies in the fast, effective rollout of a risk management system. It includes a project procedure description in the form of an ARIS Scout Assistant, the ARIS Scout Factory for customizing or creating a company-specific ARIS Scout Assistant, and all components needed to create an ARIS Risk Portal.

Procedural model in the ARIS Scout Assistant

The ARIS Scout Assistant is a detailed procedural model that provides specific instructions to guide companies through the individual phases, work packages and activities of their risk management project. To help complete the various activities, it also provides relevant checklists, sample forms, reference data and other helpful tools. All of this helps reduce total project runtime, improve communication within the project and assure the quality of results. Companies can use the integrated ARIS Scout Factory to customize the ARIS Scout Assistant to their specific requirements and thus produce a tailored guide for their projects. For example, they can define additional activities or hide existing ones, include their own forms and define owners for individual project phases.

Communication, reporting and risk monitoring with the ARIS Risk Portal

As a result of the risk analysis, a role- and user-based ARIS Risk Portal is set up automatically from within ARIS. This user portal enables company-wide analysis and communication of the identified risks. Based on the ARIS models and the risk analysis, the ARIS Risk Portal is configured so that each user is shown only the risk information for which they are responsible. In addition to risk and process data, the emergency, alternative and control processes that are necessary for maintaining operations are made transparent to all risk owners. Combined with the easy, convenient option of monitoring and reviewing existing risks and identifying new ones, this significantly increases acceptance of the risk management system in all areas of a company. Employees can also use the ARIS Risk Portal to report back to the relevant risk manager on risks and risk reviews. Risk managers synchronize the risks, or the results of a risk review sent back to them, with the ARIS database after checking the data thoroughly or editing it in the ARIS Risk Portal.

A loss database can be integrated at any time for collecting and evaluating risk events. It is also possible to integrate ARIS Process Performance Manager into the ARIS Risk Portal, so that the key risk indicators for the business processes in a company (e.g. process run times, cancellation or complaint rates) are analyzed automatically. ARIS Process Performance Manager then becomes an automatic early warning system for process risks. Other risk performance indicators that have to be reported manually can be maintained easily with ARIS Business Optimizer for KIM (Key Indicator Management), even in the largest corporate structures.

Interaction with other external applications

In addition to ARIS Platform products, other programs and applications can be integrated into the ARIS Solution for GRC to handle additional tasks or to act as a data source.

Document management systems

Document management systems (DMS) play an important role in GRC management. Apart from archiving, conducting test cases may require not only the completion of forms but also the production of other documents containing detailed information. Documents may also be used in conducting test cases, either as templates or as additional documentation. ARIS products can easily be connected to document management systems. This ensures that testers have all the information they need to carry out tests and that auditors have the information they need to trace the tests that were conducted.

Directory services

Directory services accessed via LDAP (Lightweight Directory Access Protocol) are commonly used on the Internet and in corporate intranets as a central store of user and group data that applications query for authentication and authorization. ARIS Risk & Compliance Manager supports this standard and thus facilitates central, consolidated user administration and privilege assignment. Note that the directory groups which grant tester and sign-off privileges then form part of the control environment themselves: changes to them should be subject to the same change control and logging as the tests they gate.

Operational systems

Operational systems supply the data to be audited in GRC management. For example, document data can be used as the basis for auditing risk management mechanisms (compliance with the dual control principle, etc.). Operational systems must also be examined as a source of risk. System-inherent risks must be described within the GRC solution and suitable control mechanisms (IT controls) must be defined. In addition, risks and control structures may already be described in operational systems, or GRC-related functions may have to be integrated into an overall solution. This information can be transferred via interfaces either as input or as a result (for example, of automated tests). Functions such as drawing a random sample suitable for testing can also be integrated into the test process via operational systems. Evaluation of the samples taken during the test can in turn provide information about the quality of the test.

Authorization systems

Depending on the configuration in question, role conflicts may arise in operational systems: functions for which segregation of duties is required may be carried out by the same person through different roles. Authorization systems that provide tools for analyzing and configuring operational systems can supply information about risks in those systems that must be taken into account in a GRC solution. This information should in turn be transferred to the GRC solution.
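The two preceding sections name the two checks an authorization analysis feeds into a GRC solution: a static check of role assignments for segregation-of-duties conflicts (including conflicts that only appear because one role includes another) and a dynamic check of operational records for breaches of the dual control principle, where the same person both entered and approved a document. The following is an added example, not part of ARIS or of any real authorization or ERP system; the SoD rule set, role model, user assignments and posting log are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict detection over role assignments, and a
dual-control (four-eyes) check over posting records from an operational system.

Added example, not part of ARIS or any real authorization system. The SoD rule
set, role model, user assignments and posting log are constructed."""

# Pairs of business functions that one person must not hold together (constructed).
SOD_RULES = {
    ("vendor_create", "payment_release"),
    ("purchase_order", "goods_receipt"),
    ("journal_post", "journal_approve"),
}

# Role model (constructed). A role grants functions directly and may include
# other roles, so a single role can be conflicting on its own.
ROLES = {
    "AP_CLERK":      {"functions": {"vendor_create", "invoice_entry"}, "includes": set()},
    "AP_MANAGER":    {"functions": {"payment_release"},                "includes": {"AP_CLERK"}},
    "BUYER":         {"functions": {"purchase_order"},                 "includes": set()},
    "WAREHOUSE":     {"functions": {"goods_receipt"},                  "includes": set()},
    "GL_ACCOUNTANT": {"functions": {"journal_post"},                   "includes": set()},
}

USER_ROLES = {
    "alice": {"AP_MANAGER"},          # conflict hidden inside one role via inclusion
    "bob":   {"BUYER", "WAREHOUSE"},  # conflict across two individually harmless roles
    "carol": {"GL_ACCOUNTANT"},       # clean
}


def effective_functions(role, seen=None):
    """Map function -> set of roles granting it, following role inclusions.
    `seen` guards against cyclic inclusions in a badly maintained role model."""
    seen = set() if seen is None else seen
    grants = {}
    if role in seen or role not in ROLES:
        return grants
    seen.add(role)
    for func in ROLES[role]["functions"]:
        grants.setdefault(func, set()).add(role)
    for included in ROLES[role]["includes"]:
        for func, via in effective_functions(included, seen).items():
            grants.setdefault(func, set()).update(via)
    return grants


def sod_conflicts(user):
    """Return [(func_a, func_b, roles granting a, roles granting b)] for a user.
    Naming the granting roles is what lets an administrator fix the assignment."""
    grants = {}
    for role in USER_ROLES.get(user, set()):
        for func, via in effective_functions(role).items():
            grants.setdefault(func, set()).update(via)
    return [
        (a, b, sorted(grants[a]), sorted(grants[b]))
        for a, b in sorted(SOD_RULES)
        if a in grants and b in grants
    ]


# Constructed posting log exported from an operational system:
# (document id, action, user, timestamp). A static role check cannot see this;
# here the same person both entered and approved document 4712.
POSTINGS = [
    ("4711", "create",  "alice", "2008-06-02T09:12"),
    ("4711", "approve", "dave",  "2008-06-02T10:01"),
    ("4712", "create",  "bob",   "2008-06-02T11:30"),
    ("4712", "approve", "bob",   "2008-06-02T11:31"),
    ("4713", "create",  "carol", "2008-06-03T08:05"),
]


def four_eyes_violations(postings):
    """Documents where someone who created the document also approved it."""
    actors = {}
    for doc, action, user, _ts in postings:
        actors.setdefault(doc, {"create": set(), "approve": set()})
        actors[doc].setdefault(action, set()).add(user)
    return sorted(
        (doc, sorted(a["create"] & a["approve"]))
        for doc, a in actors.items()
        if a["create"] & a["approve"]
    )


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sod_conflicts(user))
    print("four-eyes violations:", four_eyes_violations(POSTINGS))
```

Both results are the kind of finding the paper says should be transferred into the GRC solution: the SoD list becomes a system-inherent risk with an IT control attached, and the four-eyes list is the evidence an automated control test would evaluate.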

3 From nightmare to competitive advantage

The ARIS Solution for GRC turns the governance, risk and compliance nightmare (which many view merely as a cost driver) into an important component of strategic corporate control and a tool for building and sustaining competitive advantage. Optimized and consolidated business processes, transparent corporate structures and an efficient internal control system that can react quickly and flexibly to changing requirements provide management with the assurance that all necessary standards and legal requirements are fulfilled in the company.

IDS Scheer stands for end-to-end professional business process management, from strategy through design and implementation to process control, with the highly integrated ARIS Platform tools. With this approach, and by linking up with other operational systems (ERP, DMS, MIS), ARIS Risk & Compliance Manager and ARIS Process Performance Manager close the loop: the tools allow operational processes to be monitored and generate timely alerts via their alarm and escalation functions, informing the user about weaknesses in the control system and the potential for optimization in the company. ARIS Risk & Compliance Manager was developed with this focus in mind and is part of a highly integrated solution that, by implementing an end-to-end business process management system, helps companies achieve their business goals and goes beyond the issue of GRC.


IDS Scheer AG
Headquarters
Altenkesseler Str
Saarbruecken

Copyright IDS Scheer AG, Saarbruecken. All rights reserved. The contents of this document are subject to copyright. Any changes, modifications, additions or amendments require prior written consent from IDS Scheer AG, Saarbruecken. Reproduction in any form is only permitted on the condition that the copyright notice remains on the actual document. Publication or translation in any form requires prior written consent from IDS Scheer AG, Saarbruecken. ARIS, IDS, ProcessWorld, PPM, ARIS with Platform symbol and Y symbol are trademarks or registered trademarks of IDS Scheer AG in Germany and in many other countries worldwide. SAP NetWeaver is a trademark of SAP AG, Walldorf. All other trademarks are the property of their respective owners.

ID-Number: WP-GRC-0608-E


More information

ISC: UNRESTRICTED AC Attachment. Environmental & Safety Management- EnviroSystem Oversight Audit

ISC: UNRESTRICTED AC Attachment. Environmental & Safety Management- EnviroSystem Oversight Audit Environmental & Safety Management- EnviroSystem Oversight Audit September 9, 2016 THIS PAGE LEFT INTENTIONALLY BLANK ISC: UNRESTRICTED Table of Contents Executive Summary... 5 1.0 Background... 7 2.0 Audit

More information

IBM Business Consulting Services. Sarbanes-Oxley: A call to action. deeper. Executive brief

IBM Business Consulting Services. Sarbanes-Oxley: A call to action. deeper. Executive brief IBM Business Consulting Services Sarbanes-Oxley: A call to action deeper Executive brief The following article was written for and published in The Utilities Project: Volume 4 - Positioning for Growth

More information

Modernization of your building automation system. Future-proof your systems by modernizing today. siemens.com/buildingtechnologies

Modernization of your building automation system. Future-proof your systems by modernizing today. siemens.com/buildingtechnologies Modernization of your building automation system Future-proof your systems by modernizing today siemens.com/buildingtechnologies Brochure_modernization_building-automation.indd 1 12.10.17 09:32 Modernization

More information

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement Issued December 2007 International Standard on Auditing Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement The Malaysian Institute of Certified Public Accountants

More information

Plugging the Gaps in Financial Controls Monitoring

Plugging the Gaps in Financial Controls Monitoring Plugging the Gaps in Financial Controls Monitoring Finance organizations are under duress to improve overall governance and are bearing substantial costs in maintaining monitoring and audit functions.

More information

An Introduction to Oracle Identity Management. An Oracle White Paper June 2008

An Introduction to Oracle Identity Management. An Oracle White Paper June 2008 An Introduction to Oracle Identity Management An Oracle White Paper June 2008 An Introduction to Oracle Identity Management INTRODUCTION Oracle Identity Management's best-in-class suite of identity management

More information

Environmental, Health and Safety Management

Environmental, Health and Safety Management Your trusted partner in the journey to a sustainable tomorrow. Environmental, Health and Safety Management Reduce risk and cost with the IsoMetrix Environmental, Health and Safety (EHS) solution. IsoMetrix

More information

Billing Strategies for. Innovative Business Models

Billing Strategies for. Innovative Business Models Billing Strategies for Innovative Business Models How Boring Old Billing Could Be the Competitive Advantage You Never Knew You Had Billing Strategies for Innovative Business Models Page: 1 Introduction

More information

PERFORMANCE MONITORING FRAMEWORK: MONITORING OBJECTIVES AND REPORTING FRAMEWORK CORPORATE GOVERNANCE

PERFORMANCE MONITORING FRAMEWORK: MONITORING OBJECTIVES AND REPORTING FRAMEWORK CORPORATE GOVERNANCE PERFORMANCE MONITORING FRAMEWORK: MONITORING OBJECTIVES AND REPORTING FRAMEWORK CORPORATE GOVERNANCE Executive Summary This document describes the practical implementation of both hard and soft law rules

More information

... Preface Acknowledgments SAP Governance, Risk, and Compliance Overview Planning SAP GRC Implementations...

... Preface Acknowledgments SAP Governance, Risk, and Compliance Overview Planning SAP GRC Implementations... ... Preface... 19... Structure of This Book... 20... Target Audience... 20... How to Use This Book... 21... Conclusion... 21... Acknowledgments... 23 1... SAP Governance, Risk, and Compliance Overview...

More information

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER ARRIVAL OF GDPR IN 2018 The European Union (EU) General Data Protection Regulation (GDPR) that takes effect in 2018 will bring changes for

More information

Procure-to-Pay Automation for Microsoft Dynamics AX

Procure-to-Pay Automation for Microsoft Dynamics AX Procure-to-Pay Automation for Microsoft Dynamics AX softcogroup www.softco.com Contents 1. Executive Summary...2 2. Introduction to Microsoft Dynamics AX...3 3. Drivers for integrating a P2P automation

More information

The Blue Sage Group. Sarbanes-Oxley. 404 Compliance Program. The Blue Sage Group

The Blue Sage Group. Sarbanes-Oxley. 404 Compliance Program. The Blue Sage Group The Blue Sage Group Sarbanes-Oxley 404 Compliance Program The Blue Sage Group Agenda The Blue Sage Group 404 Compliance Challenges Meeting the 404 Challenges TBSG 404 Compliance Program Assessment and

More information

Effective SOA governance.

Effective SOA governance. Governing service-oriented architecture March 2006 Effective SOA governance. Kerrie Holley, IBM Distinguished Engineer, Business Consulting Services Jim Palistrant, IBM Market Manager, Rational SOA Steve

More information

INTERNAL AUDIT DIVISION

INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/057 Audit of the Omgeo system in the Investment Management Division of the United Nations Joint Staff Pension Fund Overall results relating to the effective and efficient

More information

GOVERNANCE OF INFORMATION TECHNOLOGY (IT)

GOVERNANCE OF INFORMATION TECHNOLOGY (IT) GOVERNANCE OF INFORMATION TECHNOLOGY (IT) Preface "Доверяй, но проверяй. Доверяй, но проверяй Trust, but verify GOVERNANCE OF INFORMATION TECHNOLOGY (IT) Chapter 1 "For there are very few so foolish that

More information

SAP Fieldglass Datasheet SAP FIELDGLASS VENDOR MANAGEMENT SYSTEM (VMS) CAPABILITIES AND BENEFITS OVERVIEW

SAP Fieldglass Datasheet SAP FIELDGLASS VENDOR MANAGEMENT SYSTEM (VMS) CAPABILITIES AND BENEFITS OVERVIEW SAP Fieldglass Datasheet SAP FIELDGLASS VENDOR MANAGEMENT SYSTEM (VMS) CAPABILITIES AND BENEFITS OVERVIEW GET TO KNOW OUR VMS SAP Fieldglass helps Global 2000 firms successfully procure, manage and optimize

More information

Gain strategic insight into business services to help optimize IT.

Gain strategic insight into business services to help optimize IT. Closed-loop measurement and control solutions To support your IT objectives Gain strategic insight into business services to help optimize IT. Highlights Gain insight and visibility across the IT project

More information

Report of the Chairman

Report of the Chairman on internal control procedures Article L.225-37 of the French Code of Commerce (modified by Article 117 of the French Financial Security Act) requires the Chairman of the Board of Directors of VINCI to

More information

VERSION 10 OCTOBER RELEASE HIGHLIGHTS

VERSION 10 OCTOBER RELEASE HIGHLIGHTS BUSINESS AND IT TRANSFORMATION PLATFORM VERSION 10 OCTOBER RELEASE HIGHLIGHTS Thomas Zimmermann Director Transformation Solutions Software AG Ron van Rooij Director Solution Business Development Software

More information

White Paper. b+s Cloud Services - UCaaS. August, 2017 Wolfgang Ditl, Product Owner b+s Cloud Services

White Paper. b+s Cloud Services - UCaaS. August, 2017 Wolfgang Ditl, Product Owner b+s Cloud Services i White Paper b+s Cloud Services - UCaaS 1 August, 2017 Wolfgang Ditl, Product Owner b+s Cloud Services Contents Objective... 3 Introduction... 3 The advantages of cloud services... 4 Cloud models... 5

More information

Creating Business Value Through Optimized Compliance Practices

Creating Business Value Through Optimized Compliance Practices Creating Business Value Through Optimized Compliance Practices Applying the COSO Guidance COSO Applies to Companies Large and Small The proposed COSO guidance is not just for small- and midcap companies.

More information

PART 6 - INTERNAL CONTROL

PART 6 - INTERNAL CONTROL PART 6 - INTERNAL CONTROL INTRODUCTION The A-102 Common Rule and OMB Circular A-110 (2 CFR part 215) require that non-federal entities receiving Federal awards (i.e., auditee management) establish and

More information

STRAGETIC RISK MANUAL

STRAGETIC RISK MANUAL Strategic Risk Manual 1 Unofficial Translation prepared by The Foreign Banks' Association This translation is for the convenience of those unfamiliar with the Thai language. Please refer to the Thai text

More information

Auditing Standards and Practices Council

Auditing Standards and Practices Council Auditing Standards and Practices Council PHILIPPINE STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT PHILIPPINE STANDARD ON AUDITING

More information

Quality Management in the Internal Audit Activity

Quality Management in the Internal Audit Activity German Institute of Internal Auditors (DIIR) DIIR Audit Standard No. 3 Quality Management in the Internal Audit Activity Published in August 2002 and amended in September 2015 (Version 1.1), Frankfurt

More information

ORACLE FINANCIAL ANALYTICS

ORACLE FINANCIAL ANALYTICS ORACLE FINANCIAL ANALYTICS KEY FEATURES AND BENEFITS FOR BUSINESS USERS Receive intraperiod information on income statement, cash flow, and balance sheet condition without having to perform consolidations

More information

More than one-to-one replacement siemens.com/buildingtechnologies

More than one-to-one replacement siemens.com/buildingtechnologies of your security systems More than one-to-one replacement siemens.com/buildingtechnologies of your security systems Building Technologies Intelligent buildings with multi-discipline solutions Modernizing

More information

Treasury Transformation

Treasury Transformation Treasury Transformation Exploiting the Potential of Corporate Treasury for a Sustainable Competitive Advantage Digitalization and centralization of Corporate Treasury are key drivers to improve the visibility

More information

Business Context of ISO conform Internal Financial Control Assessment

Business Context of ISO conform Internal Financial Control Assessment Business Context of ISO 15504 conform Internal Financial Control Assessment By János Ivanyos, Memolux Ltd. (H), IIA Hungary Introduction In this paper the business context of the ISO/IEC 15504 [1] conformant

More information

OPERATIONAL RISK EXAMINATION TECHNIQUES

OPERATIONAL RISK EXAMINATION TECHNIQUES OPERATIONAL RISK EXAMINATION TECHNIQUES 1 OVERVIEW Examination Planning Oversight Policies, Procedures, and Limits Measurement, Monitoring, and MIS Internal Controls and Audit 2 Risk Assessment: Develop

More information

COMPLIANCE TRUMPS RISK

COMPLIANCE TRUMPS RISK RSA ARCHER GRC Product Brief COMPLIANCE TRUMPS RISK Organizations are finding themselves buried in compliance activities and reacting to the latest laws and regulations. The ever-increasing volume, complexity

More information

Toolbox for Architecture Framework Discussions at The Open Group. SKF Group, February 2018

Toolbox for Architecture Framework Discussions at The Open Group. SKF Group, February 2018 Toolbox for Architecture Framework Discussions at The Open Group SKF Group, February 2018 Toolbox Overview Components in our Enterprise Architecture Management: APPROACH FRAMEWORK CONTENT TOOLBOX Architecture

More information

Believe in a higher level of IT Security SECUDE Business White Paper. How to Improve Business Results through Secure Single Sign-on to SAP

Believe in a higher level of IT Security SECUDE Business White Paper. How to Improve Business Results through Secure Single Sign-on to SAP Believe in a higher level of IT Security SECUDE Business White Paper How to Improve Business Results through Secure Single Sign-on to SAP Executive Summary CIOs and IT managers face tremendous demands

More information

Internal Financial Controls New perspectives as per Companies Act 2013 and CARO 2016

Internal Financial Controls New perspectives as per Companies Act 2013 and CARO 2016 New perspectives as per Companies Act 2013 and CARO 2016 1 Contents: Background Meaning of IFC IFC on Financial Reporting Why IFC? Regulatory mandate Role of various authorities Components of IFC IFC under

More information

Procure-to-Pay Automation for Microsoft Dynamics NAV

Procure-to-Pay Automation for Microsoft Dynamics NAV Procure-to-Pay Automation for Microsoft Dynamics NAV softcogroup www.softco.com Contents 1. Executive Summary...2 2. Introduction to Microsoft Dynamics NAV...3 3. Drivers for integrating a P2P automation

More information

The clock is ticking...

The clock is ticking... w w w. a - t u n e. c o m Directive 2010/63/EU adopted The clock is ticking... The clock is ticking... - P a g e 2 - After more than 10 years of discussion, the European Parliament gave a first reading

More information

Diving into the 2013 COSO Framework. Presented by: Ronald A. Conrad

Diving into the 2013 COSO Framework. Presented by: Ronald A. Conrad Diving into the 2013 COSO Framework Presented by: Ronald A. Conrad 2 Objectives Obtain an understanding of why the COSO Framework has been updated Understand how the framework has changed Identify the

More information

Combining Governance, Risk and Compliance Provides Security.

Combining Governance, Risk and Compliance Provides Security. Company Profile Sustainable Fight Against Financial and White-Collar Crime Combining Governance, Risk and Compliance Provides Security. FICO TONBELLER s GRC Approach www.tonbeller.com www.fico.com Global

More information

KPMG Smart Controls. Putting you in control of your controls. kpmg.co.uk

KPMG Smart Controls. Putting you in control of your controls. kpmg.co.uk KPMG Smart Controls Putting you in control of your controls kpmg.co.uk KPMG Smart Controls Putting you in control of your controls Our solution for Control Testing, Assurance and Clouded by controls Many

More information

Mapping of Original ISA 315 to New ISA 315 s Standards and Application Material (AM) Agenda Item 2-C

Mapping of Original ISA 315 to New ISA 315 s Standards and Application Material (AM) Agenda Item 2-C Mapping of to 315 s and Application Material (AM) Agenda Item 2-C AM 1. The purpose of this International Standard on Auditing (ISA) is to establish standards and to provide guidance on obtaining an understanding

More information