To access characteristics of a control:

Select the control that interests you and click the Properties button.
The properties page appears in the right pane.

The fields present can vary according to the solution used.
On this page you can specify for the control:
• its Code enabling unique identification of the control
• Name
• Objective
• Owner
• control importance if required, by selecting the Key Control check box.
• the Control Nature: you can choose from among the following:
  • Corrective
  • Detective
  • Preventive
• Operational Cost of control implementation.
• Execution Mode enabling specification of how the control is executed:
  • "Automatic": the control is executed automatically by an IT application.
  • "Manual": the control is executed manually by an organization entity.
  • "Semi-automatic": the control is executed by an organization entity using an IT application.
• Status
  • "Draft"
  • "Validated"

You can fill in this field manually for information purposes. In HOPEX Enterprise Risk Management, there is no workflow on controls.
A control properties page includes an RACI section to define the different persons responsible for control management. For more details, see RACI.
Control scope enables definition of control location. It relates to several component types:
• Business Processes and Organizational Processes exposed to risks covered by the control. For more details, see Processes.
• Entities concerned by controls. For more details, see Entities.
• Risks covered by controls. For more details, see Risks.
• Operations

An operation is an elementary step in an organizational process executed by an org-unit.
• Incidents: depending on the solution, you can also view incidents (without being able to modify them).

An incident is an event occurrence, internal or external, that has an impact on the organization. It is the basic element for collection of data concerning operational risk.
Control types enable specification of regulations that apply to a given control.
Controls can be defined by referencing the control types defined in the risk and control system concerned.
A frequently used control nomenclature is the one defined by COBIT.
COBIT stands for "Control Objectives for Information and related Technologies".
COBIT is a framework of best practices that now integrates numerous other frameworks and has the support of a large number of world experts. Of the 34 processes defined in COBIT there are 318 corresponding control objectives for which detailed control practices have been identified. The proposed verification guide describes elements necessary for correct understanding of each process, specifies controls to be carried out, provides elements for assessment of conformity to best practices and assessment of risk of non-achievement of objectives.
To access control types:

In the Environment desktop, click Risk Universe > Controls > Control Types.
A list of control types appears.

A control type allows the classification of controls implemented in a company in accordance with regulatory or domain-specific standards (COBIT, etc.).