Policy & Compliance Management (PCM) Module Overviewpublic.dhe.ibm.com/.../OP_PCM_Module_Overview.pdf · Module Overview. IBM OpenPages GRC Platform 6.1.0 PCM Module Overview 2 of

IBM OpenPages GRC Platform Version 6.1.0

Policy & Compliance Management (PCM) Module Overview

IBM OpenPages GRC Platform 6.1.0 PCM Module Overview 2 of 23

NOTE Before using this information and the product it supports, read the information in the “Notices” section of this document.

Product Information This document applies to IBM OpenPages GRC Platform 6.1.0 and may also apply to subsequent releases. Licensed Materials – Property of IBM Corporation. Copyright IBM Corporation, 2003, 2012.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Documentation Release Information Last Modified: March 12, 2012 10:51:23 AM


Table of Contents

Introduction......................................................................................................................... 4 Module Description...................................................................................................4 Document Contents .................................................................................................4 Object Type Licensing...............................................................................................4

Object Types ....................................................................................................................... 5 Object Types Enabled by Default................................................................................5 Object Types Disabled by Default ...............................................................................9

Computed Fields ............................................................................................................... 10 Helpers .............................................................................................................................. 11

Policy Viewers ....................................................................................................... 11 Compare Policy View .............................................................................................. 11 Policy Unlock Helper............................................................................................... 11 Publishing Batch Notification.................................................................................... 12 Policy Awareness View............................................................................................ 12 Attestation Creation Report Helper ........................................................................... 12

Reports .............................................................................................................................. 13 PCM-Specific Reports.............................................................................................. 13

Regulatory Compliance Reports .......................................................................... 13 Reports Shared with Other Modules.......................................................................... 13

Risk Assessment Reports ................................................................................... 13 Risk Reports .................................................................................................... 14 Control Reports ................................................................................................ 14 Testing Reports ................................................................................................ 14 Indicator Reports.............................................................................................. 14

Triggers ............................................................................................................................. 15 PCM-Specific Triggers ............................................................................................. 15

Policy Import Trigger......................................................................................... 15 Policy Lock Trigger............................................................................................ 16

Triggers Shared with Other Modules ......................................................................... 16 Risk Rating Computations Trigger ....................................................................... 16 KRI Life Cycle Trigger........................................................................................ 16 KPI Life Cycle Trigger ........................................................................................ 17

Profiles .............................................................................................................................. 18 OpenPages PCM 6.1 Master Profile ........................................................................... 18 Home Page Filtered Lists......................................................................................... 18 Activity Views........................................................................................................ 19

Role Templates ................................................................................................................. 20 Documentation Updates.................................................................................................... 21 Notices .............................................................................................................................. 21


Introduction

Module Description IBM OpenPages Policy and Compliance Management (PCM) is an enterprise compliance management software solution that reduces the cost, complexity and cumbersome nature of compliance with multiple regulatory mandates and corporate policies. PCM enables companies to manage and monitor compliance activities through a full set of integrated functionality including:

o Regulatory Libraries and Change Management o Risk and Control Assessments o Policy Management, including Policy Creation, Review & Approval and Policy

Awareness

o Control Testing and Issue Remediation o Regulator Interaction Management o Incident Tracking o Key Performance Indicators o Reporting, monitoring and analytics

Within Policy Management, OpenPages supports three approaches:

1. Datacentric – Policy attributes are stored as meta data in the Policy object. Policy and Procedure content is created, stored, edited and reviewed in OpenPages via Policy Viewers. Red-lined track changes within draft iterations are not supported.

2. Docucentric - Policy attributes are stored as meta data in the Policy object. Policy and Procedure content is created outside of OpenPages and the entire document is attached to the Policy Object. Policy and Procedure content is never imported or stored in OpenPages.

3. Hybrid - Policy attributes are stored as meta data in the Policy object. Policy and Procedure content is created and edited in Word documents then imported and stored in OpenPages. Native Word Track Changes functionality is utilized for tracking red-line changes within draft iterations.

Document Contents This document contains the following sections: - Object Types: the set of objects that are licensed to be used with this module. - Computed Fields: the computed fields that are provided with this module. - Helpers: the JSP helpers included with this module. - Reports: the Cognos reports that are provided for this module. - Triggers: the triggers included with this module. - Profiles: the profiles, home page filtered lists and activity views included with this module. - Role Templates: the role templates that are provided with this module.

Object Type Licensing For the PCM module you are licensed to use the object types listed in the "Object Types" section of this document. Use of any other object type not listed in the Object Type section is prohibited without prior written approval from OpenPages.


Object Types

Object Types Enabled by Default The following object types are available in the default PCM configuration and are enabled by default.

Object Type Label Description

Business Entity

Business entities are abstract representations of your business structure. A business entity can contain sub-entities (such as departments, business units, or geographic locations). The entity structure that you create depends on your business needs. For example, you could create a parent entity for your business headquarters then a sub-entity for each location or department. You may also want to represent both a legal entity structure and a business entity structure. Business entities are also used to organize library data such as risk and control libraries, or regulatory content (for example, laws, regulations, and standards). When setting up your business entity hierarchy, you should work with your OpenPages consultant as the structure of your business entities will greatly impact the type and quality of the information that can be extracted from the application.

Process Processes represent the major end-to-end business activities within a business entity that are subject to risk. The processes will typically reside in areas such as financial reporting, compliance, information security, and so forth.

Sub-Process A Sub-Process is a component of a Process. It is used to decompose Processes into smaller granularity units for assessment purposes.

Risk Risks are potential liabilities. Risks can be associated with, for example, business processes, business entities, or compliance with a particular mandate. Each Risk has one or more Controls associated with it that provide safeguards against the Risk and help mitigate any consequences that may result from the Risk. You can use the Risk object to categorize risks; capture the frequency, rating, and severity of inherent and residual risk data; and view reports that help identify your top risk items.

Control Controls are typically policies and procedures (procedures are actions that implement the policies), to help ensure that risk mitigation responses are carried out. Once you have identified the risks in your practices, you need to establish controls (such as approvals, authorizations, verifications, and so forth) that remove, limit, or transfer these potential risks. Controls should be designed to provide either prevention or detection of risks. Controls are usually associated with tests that ensure a control is effective.

Test Plan You can determine the operating effectiveness of a control by conducting one or more detailed tests of a control and then documenting the results. Test Plans are descriptions of the mechanisms used to determine whether or not a control is effective.

Test Result A test result is the information obtained from running a test plan.



Risk Assessment

Risk assessments give you the ability to evaluate and report on potential liabilities for a set of business entities or processes. You can use the Risk Assessment object - which contains the names of the assessor and reviewer, the time frames for the assessment, and the status of the assessment - to manage your risk self-assessment process.

KPI, KPI Value

KPIs are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KPI within the organization can have unique target and threshold limits.

Incident Incidents are used to capture, track and manage events that occur in the organization and IT Operating Environment. Incidents are typically stored under the Business Entity or IT Resource where the event occurred and associated secondarily to an impacted Mandate or Policy. They may be created by hand, or via integration with other systems (i.e. IT monitoring system.) and are commonly of type Regulatory Compliance, Legal Compliance, Information Security, or IT. Incidents can be a child of Business Entity, Mandate, Sub-Mandate, Requirement, Policy, Risk, Resource and Risk Sub-Entity. If ORM is also installed, Incident is also the parent of Loss Event.

Waiver Waivers give you the ability to document, process and manage the lifecycle of exceptions to Corporate Policies, InfoSec Policies, IT Policies or Regulatory Compliance Requirements. Waivers can be associated to Business Entities, Policies, Procedures, Requirements, Risks, Controls, Baselines and Resources.

Mandate Mandates represent external items with which organizations need to comply, such as laws, regulations, and standards. Out of the box the configuration directly supports content provided by Deloitte and UCF, and can be adapted to support content from other vendors. Typically, Mandates are represented in a Library Business Entity structure, and are not replicated throughout the system.

Sub-Mandate Sub-Mandates represent external (or internal) sub-items with which the organization needs to comply. Out of the box the configuration directly supports content provided by Deloitte and UCF, and the configuration can be adapted to support content from other vendors. Typically, Sub-Mandates are represented in a Library Business Entity structure, and are not replicated throughout the system. Sub-Mandate is recursive, but Deloitte and UCF content use exactly one level of Sub-Mandate.

Requirement Requirements represent the normalized “things you need to accomplish” in order to comply with all of their associated Sub-Mandates. Requirements accomplish two primary purposes: They translate the often difficult and wordy legalese of Mandates/Sub-Mandates into plain English, and they leverage the commonality across multiple Sub-Mandates. For example, there may be many Sub-Mandates across numerous Mandates which are all telling you to have strong passwords. A single Requirement can document the details of the strong password needs. By complying with this single Requirement, IT can satisfy many Mandates/Sub-Mandates. Out of the box the configuration directly supports content provided by Deloitte and UCF, and can be adapted to support content from other vendors. Typically, Requirements are represented in a Library Business Entity structure, and are not replicated throughout the system.

Regulation Applicability

The Regulation Applicability object is the child of Business Entity and parent of Mandate. It typically resides in the Organizational Business Hierarchy and is used to assess and track the Regulatory Impact of a Mandate in the Library on a Business Entity.



Regulatory Change

The Regulatory Change object is part of the Regulatory Change Management capability. It supports the ability to track regulatory changes (change or guidance to an existing regulation or a new regulatory requirement), assess the impact of a change on the organization, communicate the change internally to the appropriate people and drive internal processes in response to the change. Regulatory Changes typically reside in the Library Business Entity, and are associated directly to the Mandate that changed. It then has multiple Regulatory Tasks associated to it; one for each Business Entity impacted by the respective Mandate.

Regulatory Task

The Regulatory Task object is part of the Regulatory Change Management capability. It facilitates the change management process associated with a Regulatory Change. A Regulatory Task is created in the Organizational Business Hierarchy and assigned to an individual in each of the Business Entities impacted by the Mandate that was changed. The object is then used to track and monitor if an action is required as a result of the change (i.e. revise policy, control assessment, training, etc) and the progress of the action.

Policy Policies represent internal guidelines generally adopted by the Board of Directors or senior governance body within an organization. The text of a Policy can either be stored in standardized fields on the object or as an attachment to the object. Policies typically have a distinct lifecycle from Draft to Published to Expired, as well as a review and approval process. Draft policies typically reside in the Organizational Business Hierarchy, while Published and Expired Policies typically reside in reference Library entities. Policies are also often mapped to applicable Mandates in the Library to which they relate.

Procedure Procedures represent the 'what', 'where', 'when', and ‘how’ of how policies are implemented in an organization. The text of Procedures is typically stored in the fields on the object. Typically, Procedures are represented as children of a Policy and reside in the same entity structure as its parent Policy.

Policy Review Comment

Policy Review Comments support and facilitate the review and approval process of Policies and Procedures by Subject Matter Experts and Compliance Personnel.

Campaign The Campaign object is part of the Policy Awareness capability and is used to manage the project management aspects of an awareness campaign. It is also used to define the requirements/criteria that identifies which employees need to read and attest to each Policy. This is done through a series of fields. Campaigns are typically created in the Published Policy Hierarchy.

Employee The Employee object is part of the Policy Awareness Capability. It is used to capture information about individual employees such as the name, title, email, region, department, status, etc. Information from the employee profile is then matched against the Attestation Requirements defined on a Campaign to determine which Employees need to attest to each Policy. Employee data is typically derived from an HR system export, loaded via Online FastMap, and resides in the reference Employee Business Entity. It is a best practice that the Employee Name field matches the user's username.

Attestation The Attestation object is part of the Policy Awareness capability and is used to capture an employee's affirmation that they have read and understood a policy. An attestation's primary parent is the Employee record and the secondary parent is the associated Campaign.

Regulator The Regulator object is part of the Regulator Interaction Management capability and provides the ability to for organizations to create a single inventory of all Regulators with which they interact. Regulators are typically created in a reference Library Business Entity. The object is a child of Business Entity and can be associated to Mandates and Regulator Interactions.



Regulator Interaction

The Regulator Interaction object is part of the Regulator Interaction Management capability and provides the ability to manage the interactions, communication, internal work, review and approvals associated with external regulators such as inquiries, submissions, filings, exams and audits. For complex interactions such as exams and audits, customers can use a three-tier object structure (Regulator Interaction, RI Category and RI Request) to manage and track the overall interaction, each section of the interaction, and the individual requests. For simpler requests and inquiries, customers can use the Regulator Interaction object by itself to manage the request details and response details.

RI Category The RI Category object is part of the Regulator Interaction Management capability and is used as the middle tier of the three-tier object model (Regulator Interaction, RI Category and RI Request). The object is used to organize and track the progress of individual sections or categories of a complex interaction such as an exam or audit.

RI Request The RI Request object is part of the Regulator Interaction Management capability and is used as the bottom tier of the three-tier object model (Regulator Interaction, RI Category and RI Request). The object is used to organize and track the individual requests, reviews and approvals of pre-work and onsite tasks as part of a complex interaction such as an exam or audit.

Questionnaire, Section, Question

Questionnaire, Section and Question are three objects that are used together to implement questionnaires.

Signature A signature generally indicates agreement that the object meets your approval. It has no enforcement powers, and does not prevent the item from being modified after approval has been given. An object with a signature has a signature icon next to the signer's name on the Signatures tab. Depending on your system configuration, signatures (with or without associated locks) can be applied to an object in the following ways: - Manually from the detail page of an object. - Automatically through a workflow task. - Some combination of both automatic and manual. If signature locks are configured on your system, when you sign off on an object, the object and all its associated child objects are locked and cannot be modified until you either revoke your signature or an administrator unlocks the object.

Issue, Action Item

Although issues typically result from areas where internal controls are not properly implemented or designed, you can use the Issue object to document a concern associated with any object type. An issue is resolved through one or more Action Items. You can use an Action Item object or a series of related Action Item objects to form an action plan. Each Action Item can be assigned to a user for resolution, and progress can be tracked from the detail page of the parent Issue. Once all Action Items for an Issue are complete (an assignee sets the value to 100%), you can close the Issue.

File The File object type is used to embed a reference to a file (such as a document, flow chart or spreadsheet) in the OpenPages system, and associate it to one or more relevant objects.

Link The Link object type is used to embed a reference to a URL in the OpenPages system, and associate it to one or more relevant objects.


Object Types Disabled by Default These object types are included in the default PCM configuration and are disabled by default.


Control Objective

A Control Objective is an assessment object that helps define the risk categories for a Process or Sub-Process. For each Process or Sub-Process, an organization sets the Control Objectives. Control Objectives define the COSO compliance categories that the Controls associated with the Risks are intended to mitigate. For example, Control Objectives can be classified into one or more categories such as Compliance, Financial Reporting, Strategic, Operations, or Unknown. Once a Control Objective is identified, the Risks belonging to that Control Objective can then be identified and defined. In most cases, each Control Objective will have one Risk associated with it. However, Control Objectives can have more than one Risk associated with them, so they are separated into their own object type.

Milestone, Milestone Action Item

A Milestone represents a significant point in the development of your project. You can tie Milestones to specific dates, or use them to signify the completion of a portion of the entire project. Milestones can contain other Milestones or Milestone Action Items. You cannot associate a Milestone with other objects in the object hierarchy. A Milestone Action Item is a specific objective that must be completed in order to reach a Milestone. In general, all Milestone Action Items associated with a Milestone must be completed in order to reach a Milestone. When you are assigned a Milestone Action Item object, it is displayed (if configured) in the My Milestone Action Items section of your Classic Home Page.

KRI, KRI Value

KRIs are components of the risk monitoring process and are used to provide leading or lagging indicators for potential risk conditions. Each instance of a KRI within the organization can have unique target and threshold limits.

Risk Eval Risk Evaluation objects are children of Risk objects and they are used to capture risk measurement values for trending purposes. Often reporting periods do not line up with risk evaluation cycles and so Risk Eval objects can be used to capture multiple evaluation cycles within a single reporting period.

Control Eval Control Evaluation objects are similar to Risk Evaluation objects except that they are instantiated as children of Controls. They store control assessment data.

Risk Assessment Eval

Risk Assessment Evaluation objects are similar to Risk Evaluation objects except that they are instantiated as children of Risk Assessments. They store risk assessment data.

Preference Group, Preference

The Preference Group object is used for grouping Preference object instances together. Without this grouping object, each Preference object instance would need to be associated separately to each of the relevant Business Entities. The group object helps to minimize the associated maintenance. The Preference object is a child of Business Entity, and is used for holding variable values that can drive reports, workflows and computed fields (it has entity-specific variable values which enable different behavior for the same workflows). For example, to determine the behavior for review and approval workflows (e.g. who the appropriate users are for each level of review and approval, and what the thresholds are for determining how many levels of review and approval are required).


Computed Fields PCM does not include any computed fields by default. PCM uses the capability introduced in IBM OpenPages GRC Platform 6.1.0 to launch helpers from URL fields. The computed fields which launch helpers in PCM are implemented as URL fields and are described below.

Object Type Label Field Group Name

Field Name Label Description

Attestation OPSS-Attest Policy Attestation

Creates a link that launches the Policy Awareness View helper.

Policy OPSS-Pol Modify Policy Creates a link that launches the Policy Editor helper.

Policy OPSS-Pol View Policy Creates a link that launches the Policy Viewer helper.

Policy OPSS-Pol Open Policy for New Revision Cycle

Creates a link that launches the Policy Unlock helper.

Policy OPSS-Pol Re-Open Policy for Additional Changes

Creates a link that launches the Policy Unlock helper.


OPSS-PolRevComm Review Policy Creates a link that launches the Policy Review View helper.


Helpers PCM includes the following helpers by default. Refer to OpenPages PCM 6 R1.1 Module Details for more information on these helpers.

Policy Viewers A series of Policy Viewers facilitate the process of creating, editing, reviewing and approving Policies and Procedures. It aggregates multiple sections of a Policy and associated Procedures into a single narrative view for editing, reviewing and approving, while allowing customers to maintain standardization on a Policy template. This helper has three views:

1) Modify Policy – Launched from a Policy object, Modify Policy is an editable view that allows a Policy Author and Owner to create and edit a Policy and its associated Procedures. Utilized only as part of the datacentric approach to Policy Management.

2) View Policy – Launched from a Policy object, View Policy is a read-only view that allows users to see a Policy and its Procedures in a formatted, narrative view (Datacentric and Hybrid) or via a link to the Policy Attachment (Docucentric).

3) Review Policy – Launched from a Policy Review Comment object, Review Policy is a role-based view that facilitates the review and approval process. In addition to displaying the Policy and Procedures, or the Policy Attachment, it includes Policy Review Comments that allow Reviewers and Approvers to submit feedback by either editing the Policy directly or via the Comment form. Reviewers are presented with either an editable or read-only view, depending on the parameter set in a Registry Setting. Approvers are presented with a read-only view of the Policy.

OpenPages or the customer can configure this component to behave as appropriate for the customers' methodology via registry and application text settings.

Compare Policy View The Compare Policy View enables users to view red-lined differences from one version of a policy to another. For example, a user can visually see the differences between a current draft of a policy and the published policy, or past expired versions. The Compare Policy View is utilized with Datacentric and Hybrid approaches. OpenPages or the customer can configure this component to behave as appropriate for the customers' methodology via registry and application text settings.

Policy Unlock Helper Launched from the Policy object once the Policy has been moved into the Review and Approval phase, the Policy Unlock Helper unlocks and readies the Policy and its components (Procedures, Attachments, Policy Review Comments) for revision. It supports all three policy approaches: Datacentric, Docucentric and Hybrid. The Unlock Helper supports two use cases:

Re-Opening a Policy for Additional Changes within a Review Cycle – Sets the Approval Status back to ‘In Revision’ – Unlocks any locked objects or attachments needed during the revision process – Updates the version number

Opening a Policy for a New Revision Cycle – Sets the Approval Status back to ‘In Revision’ – Unlocks Policy and its components (Procedures, Attachments, etc) – Resets and clears fields such as Publishing Date, Publishing Status, Next

Review Date, etc – Updates the version number – Deletes or Clears Policy Review Comments


– Sets a flag on the corresponding Published Policy signifying that the draft is In Revision


Publishing Batch Notification The Publishing Batch Notification facilitates the process of promoting an approved draft policy to the Published Library, and moving the current published version to the Expired Library. It also supports retiring a policy by moving the published policy to the Published Library and deleting the draft. It supports Datacentric, Docucentric and Hybrid policy approaches. The Publishing Batch Notification is intended to run on a scheduled basis and performs the following:

Updates Draft Policy – Set fields on draft policy such as Approval Status, Published Date, Publishing

Status, etc – Updated version number according to significance of policy change

Promotes Published Policy to Expired Library – Renames Policy (appends ‘Expired – V#’) – Sets Policy Location to ‘Expired’ and Expiration Date – Maintains approvals and associations such as Entities, Mandates, etc. – Removes hybrid policy attachments

Promotes Draft Policy to Published Library – Sets Policy Location to ‘Published’ – Maintains approvals and associations such as Entities, Mandates, etc. – Maintains existing associations on Published Policy (i.e. Risk Assessment)

Send emails upon successful publishing


Policy Awareness View The Policy Awareness View is an intuitive view that allows employees (high volume, low touch users) to easily read a Policy and its associated Procedures in a narrative format and then attest to having read and understood the policy. The Helper:

Displays the Policy and its Procedures in a single read-only, narrative form with the look and feel of a corporate policy

Enables employees to attest to the Policy with a single click and no navigation Enables employees to request an Exception to the Policy Attestation requirement


Attestation Creation Report Helper The Attestation Creation Report helper is a Scheduled Notification. It can also be run from the Reporting menu (under Attestation Reports menu). This Notification Report supports the Policy Awareness capability. It is intended to run on a scheduled basis and performs the following:

Finds all Campaigns with a Status = 'Ready to Start' associated to Published Policies Finds all Active Employees that match the same Attestation Requirements criteria

defined on the Campaign Creates an Attestation record for each matching Employee for that Policy Campaign Drives the Attestation record to the employee’s home page using the configured Home

Page filtered list Sends each Employee an email notification alerting them that an Attestation is due


Reports This section describes the reports that are available for this Module. IBM OpenPages GRC Platform 6.1.0 Modules Report Details provides additional details on the reports described here. There are additional reports installed with the OpenPages Platform and available to all Modules, which are described in the IBM OpenPages GRC Platform Administrators Guide.

PCM-Specific Reports

Regulatory Compliance Reports Name Drill-Through Description

Process Control Effectiveness by Mandate

Process Control Effectiveness by Sub-Mandate

For a selected Business Entity, the report shows associated Mandates with the % of Effective Controls associated to Processes. The report has the ability to drill-through to a sub-report for detail information.

Regulatory Applicability Matrix

Displays a Matrix View of the Mandates and the Business Entities for which they apply.

Reports Shared with Other Modules

Risk Assessment Reports Name Drill-Through Description

Risk Assessment List

Shows Risk Assessment details for a specified Business Entity and all of its descendents.

Risk Assessment Status

Risk Assessment Status Detail

Displays a stacked column chart showing the status of Risk Assessments for the specified Business Entity and its direct descendents.

Risk Assessment Summary

Risk Assessment Issues and Action Items

Displays Risk Assessment details along with all associated Risks and Controls. A drill through report displays Issues and Action Items that are related to the Risk Assessments, Risks, or Controls.


Risk Reports Name Drill-Through Description

Risk Analysis Shows Risks grouped by Process for a specified Business Entity.

Risk Heat Map Risk Detail Displays a table that aggregates Risks by Residual Impact and Likelihood for a specified Business Entity.

Risk Rating by Entity

Risk Rating by Entity Detail

Displays Residual Risk Rating summary information for the selected Business Entity and its descendents, with the ability to drill-through to risk details.

Risk Rating by Category

Risk Rating by Category Detail

Displays Risk Category and Residual Risk Rating summary information for the selected Business Entity, with the ability to drill-through to Risk details.

Top Risks Summary of the top Risks ranked by Residual Risk Exposure, and also shows the Inherent Risk Exposure. By default, Risk quantitative assessment fields are not included in PCM, so this report may not be appropriate for PCM users.

Control Reports Name Drill-Through Description

Risk and Control Matrix

Shows Risk and Control data for specified Business Entity and Process(es).

Control Effectiveness Map

Control Effectiveness Detail

Control map shows counts of Controls grouped by Process(es) and Operating Effectiveness, with the ability to drill-through to a sub-report for detail information.

Testing Reports Name Drill-Through Description

Testing Dashboard

Testing Details Displays summary Test Result information for the selected Business Entity, with the ability to drill-through to detail and trend information.

Indicator Reports Name Drill-Through Description

KRI Dashboard KRI Details Displays summary KRI information for the selected Business Entity and its descendents, with the ability to drill-through to detail and trend information.

KPI Dashboard KPI Details Displays summary KPI information for the selected Business Entity and its descendents, with the ability to drill-through to detail and trend information.


Triggers This section describes the triggers which are available for this Module. IBM OpenPages GRC Platform 6.1.0 Modules Trigger Details provides additional details on the triggers described here. Triggers must be disabled before loading XML instance data via Object Manager to any object types which are configured to have triggers by default. Object types which are configured for PCM to have triggers by default include:

Risk

KRI Value

KPI Value

File (SOXDocument)

Policy Object types which are configured for other Modules to have triggers by default include:

Audit

Audit Section

Workpaper

Plan

Timesheet

Finding

Audit Review Comment

Loss Impact

Loss Recovery PCM-Specific Triggers

Policy Import Trigger The Policy Import Trigger imports Policy and Procedure content from a structured .doc or .docx Word document into OpenPages Policy and Procedure fields by parsing the different sections of the document. It is triggered by checking in an attachment to the Policy object. The trigger is designed to support the Hybrid approach to Policy Management, but also supports updating version number in the Docucentric approach when a new policy document is checked in. As part of the import process, the trigger also performs extensive validation to ensure the structure of the Word document adheres to the defined Policy Template.



Policy Lock Trigger The Policy Lock Trigger locks the Policy and/or components (Procedures, Attachments, Policy Review Comments) at different points in the Review and Approval Process. This trigger supports all three approaches to Policy Management: Datacentric, Hybrid and Docucentric. The Lock Trigger supports two use cases:

Locking Policy Attachments in support of a policy being put into a review and approval cycle to ensure that the policy content cannot be changed during approvals. (Applicable for Hybrid and Docucentric approaches.)

Locking the entire Draft Policy hierarchy (Policy, Procedures, Attachments and Policy Review Comments) once the Policy has been given final approval and is ready for publishing. (Applicable for all three policy approaches.)

OpenPages or the customer can configure this component to behave as appropriate for the customers' methodology via registry and application text settings. Triggers Shared with Other Modules

Risk Rating Computations Trigger The Risk Rating Computations trigger calculates and persists the Inherent and Residual Risk Rating, and Inherent and Residual Risk Exposure field values on the Risk object. The calculations are performed on a Risk object instance whenever that instance is created or updated. The calculations are performed as follows:

Risk Rating Fields (Inherent and Residual) Impact and Likelihood values of High, Medium and Low are combined to give Rating values of High, Medium, Low or Not Determined. If either or both input values are low, then the rating is Low. If both are Medium, or one is Low and the other is High, the rating is Medium. If both are High or one is High and the other is Medium, the rating is High. If either or both values are missing or are another value that has been added to the configuration, then the rating is Not Determined.

Risk Exposure Fields (Inherent and Residual) Frequency and Severity values are multiplied together to give an Exposure currency amount, expressed in Base Currency. By default, Risk quantitative assessment fields are not included in PCM, so this trigger will not affect PCM users.

KRI Life Cycle Trigger The KRI Life Cycle trigger is configured to calculate and persist field values on the KRI and KRI Value object types. When a KRI Value object is created or updated,

The Red Threshold, Yellow Threshold and Direction Information values are copied from the parent KRI object to the KRI Value object.

The Collection Status, Value and Value Date field values from the most recent KRI Value object are copied from the KRI Value object to the parent KRI object.

Breach Status (Red, Yellow, Green or Not Determined) is calculated by comparing the number in the Value field on the KRI Value with the Red and Yellow Thresholds and the Direction Information. Breach Status is then copied to the KRI Value object, and if this is the most recent KRI Value object, then it is also copied to the parent KRI object.

If there are more than one KRI Value children for the parent KRI, the Indicator Trend (Better, Steady, Worse, Not Determined) is calculated by comparing the two most recent KRI Values, and then the calculated Trend Indicator value is persisted on the KRI.


KPI Life Cycle Trigger The KPI Life Cycle trigger is configured to calculate and persist field values on the KPI and KPI Value object types. When a KPI Value object is created or updated,

The Red Threshold, Yellow Threshold and Direction Information values are copied from the parent KPI object to the KPI Value object.

The Collection Status, Value and Value Date field values from the most recent KPI Value object are copied from the KPI Value object to the parent KPI object.

Breach Status (Red, Yellow, Green or Not Determined) is calculated by comparing the number in the Value field on the KPI Value with the Red and Yellow Thresholds and the Direction Information. Breach Status is then copied to the KPI Value object, and if this is the most recent KPI Value object, then it is also copied to the parent KPI object.

If there are more than one KPI Value children for the parent KPI, the Indicator Trend (Better, Steady, Worse, Not Determined) is calculated by comparing the two most recent KPI Values, and then the calculated Trend Indicator value is persisted on the KPI.


Profiles

OpenPages PCM 6.1 Master Profile This profile includes the fields and configuration for all of PCM. It includes Filters, Classic Home Page tab and Home Page tabs, Dependent Fields, Dependent Picklists, Computed Fields; and Activity, Detail, Context, Folder, Overview, Filtered List and List Views. Subsets of this profile that are appropriate for a Compliance Program Manager, Privacy Officer, etc. are created during the implementation project.

Home Page Filtered Lists The following filtered lists are defined for the Classic Home Page for users of the OpenPages PCM 6.1 Master profile.

Filter Description Object Type

My Open Issues Home Page access to your open Issues. Issue

KPI Breaches Home Page access to KPIs that have a breach status of red.

KPI

Attestation Exception Requests

Home Page access to requested Attestation exceptions requiring review.

Attestation

My Attestations Home Page access to your Policy Attestations due for completion. Includes link to launch the Policy Awareness View.

Attestation

Critical Compliance Incidents

Home Page access to Compliance Incidents with a Priority rating of Critical.

Incident

My Policy Review Comments

Home Page access to your open Policy Review Comments. Includes link to launch the Review Policy View.


Policies Waiting for My Approval

Home Page access to your open requests for Policy Approval. Includes link to launch the Review Policy View.


Policies Waiting for My Review

Home Page access to your open requests for Policy Review.


My Questionnaires Due For Completion

Home Page access to your Questionnaires due for completion.

Questionnaire

My Open High Impact Regulatory Changes

Home Page access to your open Regulatory Changes assessed to be high impact.

Regulatory Change

My Regulatory Tasks Home Page access to your Regulatory Tasks requiring attention.

Regulatory Task

Meeting Requests Home Page access to your Regulatory Meeting Requests for which you are the business owner.

RI Request

On-Site Requests Home Page access to your Regulatory On-Site Requests for which you are the business owner.

RI Request

Pre-Work Requests Home Page access to your Regulatory Pre-Work Requests for which you are the business owner.

RI Request

My Draft Policies Home Page access to Draft Policies for which you are the Author. Includes link to launch

Policy


Filter Description Object Type

the Create Policy Helper

My Published Policies Home Page access to Published Policies for which you are the Author. Includes link to launch the View Policy Helper.

Policy

Activity Views The following activity views are defined for users of the OpenPages PCM 6.1 Master profile. Two activity views have been added in the IBM OpenPages GRC Platform 6.1.0 PCM release.

Activity View Name Description

Control Testing Summary

Used to indicate Control Operating Effectiveness. Provides Test Plan and Test Result information that informs the Operating Effectiveness decision.

Questionnaire Set Up Used to create and modify questionnaires using the Questionnaire, Section, Question object model.

Questionnaire Used to respond to questionnaires using the Questionnaire, Section, Question object model.

Process RCSA View Facilitates conducting process-based Risk and Control Self Assessments.

RCSA View Facilitates conducting Risk Assessment-based Risk and Control Self Assessments.

Regulatory Exams Provides a consolidated view of the Interaction Categories and detailed Requests for a complex Regulator Interaction.

Employee Policy Exception Requests

View Employee Policy Exception Requests.

Campaign Status Overview

View outstanding attestations for a campaign.

Regulatory Change Overview

Provides a consolidated view of the Regulatory Changes for a Mandate, and the corresponding Regulatory Tasks required as a result of the change. Enables user to track progress and status of the tasks.

Policy NEW: Provides a simplified view of the Policy object. Serves as a pattern for a view which can be used as the default view for appropriate users such as policy attesters.

Attestation NEW: Provides a simplified view of the Attestation object. Serves as a pattern for a view which can be used as the default view for appropriate users such as policy attesters.


Role Templates The following two role templates for PCM are available by default.

Name Description

OpenPages PCM 6.1 - All Permissions

Full R/W/D/A access to all default PCM objects. Full admin rights.

OpenPages PCM 6.1 - All Data - No Admin

Full R/W/D/A access to all default PCM objects. No admin rights except those associated with workflows, files and folders.

The above role templates provide read, write, delete and associate access to the following object types.

Object Type Name Object Type Label Attestation Attestation Campaign Campaign Employee Employee Incident Incident KeyPerfindicator KPI KeyPerfindicatorValue KPI Value Mandate Mandate Policy Policy PolicyReviewComment Policy Review Comment Procedure Procedure RegApp Regulation Applicability RegChange Regulatory Change RegInt Regulator Interaction RegTask Regulatory Task Regulator Regulator Requirement Requirement RICat RI Category RIReq RI Request RiskAssessment Risk Assessment SOXBusEntity Business Entity SOXControl Control SOXDocument, SOXExternalDocument File, Link SOXIssue Issue SOXProcess Process SOXRisk Risk SOXSignature Signature SOXSubprocess Sub-Process SOXTask Action Item SOXTest Test Plan SOXTestResult Test Result Submandate Sub-Mandate Waiver Waiver


Documentation Updates You can download the latest revision to the IBM® OpenPages® GRC Platform 6.1.0 documentation set from the IBM information server at: http://www.ibm.com/support/docview.wss?uid=swg27023798

Notices This information was developed for products and services offered in the U.S.A. IBM® may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan, Ltd. 1623-14, Shimotsuruma, Yamato-shi Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

http://www.ibm.com/support/docview.wss?uid=swg27023798


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation Location Code FT0 550 King Street Littleton, MA 01460-1250 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information is for planning purposes only. The information herein is subject to change before the products described become available. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT

Licensed Materials – Property of IBM Corporation. Copyright IBM Corporation, 2003, 2012. This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.


Trademarks

IBM, the IBM logo, OpenPages, AIX, Cognos, ReportNet and WebSphere are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Other product and service names might be trademarks of IBM, OpenPages, Inc., or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/ copytrade.shtml.

http://www.ibm.com/legal/http://www.ibm.com/legal/

IntroductionModule DescriptionDocument ContentsObject Type Licensing

Object TypesObject Types Enabled by DefaultObject Types Disabled by Default

Computed FieldsHelpersPolicy ViewersCompare Policy ViewPolicy Unlock HelperPublishing Batch NotificationPolicy Awareness ViewAttestation Creation Report Helper

ReportsPCM-Specific ReportsRegulatory Compliance Reports

Reports Shared with Other ModulesRisk Assessment ReportsRisk ReportsControl ReportsTesting ReportsIndicator Reports

TriggersPCM-Specific TriggersPolicy Import TriggerPolicy Lock Trigger

Triggers Shared with Other ModulesRisk Rating Computations TriggerKRI Life Cycle TriggerKPI Life Cycle Trigger

ProfilesOpenPages PCM 6.1 Master ProfileHome Page Filtered ListsActivity Views

Role TemplatesDocumentation UpdatesNotices

Documents

Policy & Compliance Management (PCM) Module Overviewpublic.dhe.ibm.com/.../OP_PCM_Module_Overview.pdf · Module Overview. IBM OpenPages GRC Platform 6.1.0 PCM Module Overview 2 of