Managing Controls
In HOPEX Enterprise Risk Management, there are different object types linked to controls:
• Object types enabling the indication of the framework within which the control is implemented:
    • control system
    • control type
    • requirement
    • associated risk
• Object types enabling the indication of control implementation means:
    • organizational process
    • applications
• Object types enabling the indication of control implementation responsibilities.

Reports presenting control contextualization are available as standard. For more details, see Control Identification.
Accessing controls
As with risks, associated controls can be numerous. To make them easier to manage, HOPEX Enterprise Risk Management provides several ways to access the list of controls.
You can access controls via menus:
• Risk > Risk Library > Risks > Controls > All Controls.
• Remediation > Controls and Action Plans > Controls > All Controls.
Control scope
It is generally preferable to inventory existing controls before implementing new ones.
To do so, controls can be identified in various ways:
• From risks
    Certain controls are installed to meet a particular risk.
• From control type lists
    Control type lists are associated with certain regulations (e.g. COBIT).
• From diagrams of existing business processes
    As during risk identification, it is possible to examine the operation of each business process step to determine the controls implemented.
• From specialist expertise
    A specialist in a particular field is often able to describe controls which are or should be implemented.
• etc.
You can define the control more precisely by indicating the control types, requirements, risks and risk factors that are attached to it.
To define control scope:
1. Select the control in the list and open its properties page.
2. Expand the Scope section.
The following tabs are available:
• Business Process and Organizational Process: enables indication of processes implementing the control.
• Entities: enables indication of entities implementing the control.
• Risks: enables indication of which risks are prevented by the control.
• Requirements: enables indication of the regulatory or legal requirement the control meets.
• Control Type: enables indication of the control types to which the control refers.
• Operations
• Accounts
• Incidents

An incident is an event occurrence, internal or external, that has an impact on the organization. It is the basic element for collection of data concerning operational risk.
Analyzing Controls
The control types enable specification of regulations that apply to a given control.

A control type allows the classification of controls implemented in a company in accordance with regulatory or domain-specific standards (COBIT, etc.).
Controls can be defined by referencing the control types defined in the risk and control system concerned.

A risk and control system is a set of controls that enables the assurance of risk prevention and management, application of internal operating rules, respect of a law or regulation, or achievement of an objective as defined by company strategy.
This control system can be defined as the implementation of a regulation within the framework of one of the enterprise business functions, such as application of an enterprise financial policy in the purchasing field.
To access control types:
In the Risk desktop, select Risk Library > Risks > Categories > Control Types.
A list of control types appears.