Operational Risk Management Use Case Design
This topic explains the Operational Risk Management use case design.
Architecture Diagram
The following diagram shows the relationships between the applications in the Operational Risk Management use case and the other use cases within the Enterprise and Operational Risk Solution.
Download the source file of the diagram here: Operational Risk Management Architecture Diagram
Note: Feeds that create Metrics from a metric library (either Business Processes or Risks) do not also create Risk records from the associated Risk Statement records. Business Asset Catalog objects and their associated assessments are not automatically scoped into a Risk Project; each must be scoped in manually.
Applications
| Application | Description |
|---|---|
| Self-Assessment | The Self-Assessment application contains records of the self-assessments that have been created. |
| Risk Assessment Data | The Risk Assessment Data application contains the records relating to the self-assessments that your company can undertake. |
| Assessment Campaign | The Assessment Campaign application allows you to create self-assessment records at either the business process or business unit level. Additionally, you can generate a campaign that, once completed, is automatically enrolled in an Advanced Workflow. |
| Business Processes Assessment Data | The Business Processes Assessment Data application contains the self-assessment data related to business processes. |
| Control Assessment Data | The Control Assessment Data application contains the self-assessment data related to control procedures. |
| Corporate Objectives | The Corporate Objectives application tracks strategic, operational, reporting, and compliance objectives as they relate to company policies and risks. Key Performance Indicators allow the corporation to track its progress toward meeting these objectives. |
| Applications | The Applications application stores all software applications used by the organization to perform business operations. You can view how an application is used, the people who use it, and the devices on which it is installed. You can also track the business impact, customer impact, and licensing details, and associate the application with other aspects of the enterprise infrastructure. Note: The Applications application is included in the Enterprise Catalog package. |
| Contacts | The Contacts application serves as a central repository for contact information, is used across multiple areas of Archer, and contains information that is often leveraged by other use cases. Updates to a profile record in this application automatically propagate to any record that displays that contact information. Note: The Contacts application is included in the Enterprise Catalog package. |
| Insurance | The Insurance application is designed to serve as a repository of all of the organization's insurance policies. Policies can be managed along with associated claims, risks can be mapped to policy inclusions and exclusions, and losses can be cataloged against the policies to which they apply. Use the Insurance application to: manage corporate insurance programs by tracking insurance applications, insurance policies, premiums, deductibles, brokers, underwriters, underwriter financial strength, and expiration dates; identify gaps associated with uninsured risks and analyze over- and under-insured risks by mapping insurance policies to risks; analyze losses incurred versus insurance premiums paid (loss ratios); perform basic insurance claims management via Loss Events; and rationalize the corporate insurance risk transfer program in terms of the organization's overall risk profile. |
Access roles
| Access Role | Description |
|---|---|
| RM: Admin | Serves as the administrator for the use case (Risk Manager, Risk Manager Specialist). |
| RM: Executives | Provides the appropriate access levels for the use case to the executive team (CFO, CEO, Controller). |
| RM: Manager | Provides create, read, and update access to management stakeholders for the use case. |
| RM: Owner | Provides create, read, and update access to business process owners for the use case. |
| RM: Read Only | Provides read-only access for the use case. |
Note: For detailed, page-level access rights, see the Data Dictionary.
For a complete list of application record permission fields, including which user/groups fields populate the fields and where the fields inherit permissions from, see the Data Dictionary.
Groups
| Group | Description |
|---|---|
| Risk Manager 2nd line of defense | Individuals associated with this group are responsible for monitoring the effectiveness of the risk management process and implementing necessary changes. They identify, assess, prioritize, and monitor risk trends within the broader business infrastructure. Chief Risk Officers and Risk Managers are personas that align with the 2nd line of defense, and are ultimately responsible for the oversight of the 1st line's risk management. |
| Enterprise 1st line of defense | Individuals associated with this group are responsible for identifying and managing risks in processes under their business line. Organizational positions that might be included in the 1st line of defense include the Business Line Manager and the Business Line Coordinator. Business Line Managers are accountable for managing the business line's operational risks, while Business Line Coordinators typically contribute to completing business line self-assessment activities as defined by the organization's risk self-assessment program. |
| Compliance 2nd line of defense | Individuals associated with this group are responsible for monitoring the effectiveness of the compliance management process and implementing necessary changes. |
Dashboards
| Dashboard | Description |
|---|---|
| Executive Management | Used by Controllers, CFOs, and CEOs to view business unit/company risks, track risk exposure, and review loss events that require executive sign-off. |
| Business Unit Manager | Used by Business Unit Managers and Business Unit Coordinators to create new loss events and to view active assessments, unapproved loss events, and loss events requiring executive review or sign-off. |
| Business Unit Owner | Used by Business Unit Owners to view risks and risk approval assessments, and to add new risks, risk assessments, loss events, and metric results. |
| Risk Manager | Used by Risk Managers and Risk Specialists to view active assessments, loss events awaiting review, and open risk projects. |
| Data Quality Administration | Contains several iViews that report on potential data quality or integrity issues, such as Business Processes, Risks, or Controls with multiple owners/managers, Risks not tied to Business Processes, and Risks without mitigating controls. |
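The integrity checks the Data Quality Administration dashboard reports on are simple to reproduce outside the tool, which is useful when validating an export or a feed before it lands in Archer. The following is an added example and not Archer code: the record layout (`owners`, `business_processes`, `controls` fields) and the sample records are constructed assumptions, not an Archer export format, and the final referential-integrity check goes beyond the three iViews the table lists.

```python
"""Checks modelled on the Data Quality Administration iViews: records with multiple
owners/managers, Risks not tied to Business Processes, Risks without mitigating
controls.  Added example, not Archer code; field names and sample data are assumptions."""

# Constructed sample records (field names are assumptions, not Archer's schema).
BUSINESS_PROCESSES = [
    {"id": "BP-1", "name": "Payments", "owners": ["alice"]},
    {"id": "BP-2", "name": "Customer Onboarding", "owners": ["bob", "carol"]},
]
RISKS = [
    {"id": "R-1", "name": "Fraudulent transfer", "owners": ["alice"],
     "business_processes": ["BP-1"], "controls": ["C-1"]},
    {"id": "R-2", "name": "Identity spoofing", "owners": ["bob"],
     "business_processes": [], "controls": ["C-2"]},
    {"id": "R-3", "name": "Data leakage", "owners": ["carol", "dave"],
     "business_processes": ["BP-2"], "controls": []},
    {"id": "R-4", "name": "Vendor outage", "owners": ["erin"],
     "business_processes": ["BP-9"], "controls": ["C-1"]},
]
CONTROLS = [
    {"id": "C-1", "name": "Dual approval", "owners": ["alice"]},
    {"id": "C-2", "name": "Multi-factor authentication", "owners": ["bob", "frank"]},
]


def multiple_owners(records):
    """Ids of records with more than one owner/manager: accountability is ambiguous."""
    return sorted(r["id"] for r in records if len(r["owners"]) > 1)


def risks_not_tied_to_process(risks):
    """Risks with no Business Process link; they are never scoped into an assessment."""
    return sorted(r["id"] for r in risks if not r["business_processes"])


def risks_without_controls(risks):
    """Risks with no mitigating Control Procedure at all."""
    return sorted(r["id"] for r in risks if not r["controls"])


def dangling_links(risks, processes, controls):
    """(risk id, referenced id) pairs whose target record does not exist.  This is an
    added check: a risk pointing at a deleted process passes the 'not tied' check
    above while still being unassessable."""
    known = {p["id"] for p in processes} | {c["id"] for c in controls}
    return sorted((r["id"], ref) for r in risks
                  for ref in r["business_processes"] + r["controls"]
                  if ref not in known)


def run_checks(processes=BUSINESS_PROCESSES, risks=RISKS, controls=CONTROLS):
    """Run every check and return the findings keyed by check name."""
    return {
        "multiple_owners": {
            "business_processes": multiple_owners(processes),
            "risks": multiple_owners(risks),
            "controls": multiple_owners(controls),
        },
        "risks_not_tied_to_process": risks_not_tied_to_process(risks),
        "risks_without_controls": risks_without_controls(risks),
        "dangling_links": dangling_links(risks, processes, controls),
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits}")
```

Each function returns ids rather than printing, so the same checks can gate an import job: a non-empty `dangling_links` result, for instance, is a reason to reject a feed rather than load it and let the dashboard surface the problem afterwards.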
Advanced Workflow
The following workflow applies to all self-assessments in the Self-Assessments application.
Note: Processing and calculation logic automatically exclude all quantitative risks from scope.
Task 1: Assessment Stage
The Risk Manager begins by deciding which entities they want assessed: Business Units, Business Processes, or Products and Services. The Risk Manager creates an assessment campaign that scopes the desired entities and chooses the self-assessment type (pRCSA, RCSA, or CSA). The self-assessments are auto-generated from the campaign and placed in the Self-Assessments application, and a notification is sent to the Business Unit Manager. Each self-assessment is assigned to the Business Unit Manager by default, but it can be reassigned as needed.
The Business Unit Manager or Business Unit Coordinator then performs the evaluation. For each risk they can override the previous Inherent and Residual ratings, or keep the existing ratings and manually set the Evaluated Flag to Evaluated. They can also rate the controls associated with each risk and add new findings to risks or controls. Once every risk is marked Evaluated, the Business Unit Manager submits the self-assessment to the Risk Manager, who receives a notification, and the Review Stage begins.
Task 2: Review Stage
The Risk Manager reviews the Self-Assessment records. If the Risk Manager agrees with all of the assessments, they set the Review flag to Agree with Assessment. If the Risk Manager disagrees with any assessment, they set that risk's Review flag to Disagree with Assessment and submit the self-assessment back for rework.
Task 3: Re-Assess and Re-Review Stages
The Business Unit Manager or Business Unit Coordinator reviews the rejected risks. Once the recommended changes are implemented by the Business Unit Manager, they set the Review Flag status to Fixed before re-submitting the assessment to the Risk Manager. The Risk Manager reviews the changes, and either accepts or rejects the risk. If the Risk Manager accepts the updates, the record is published. If the Risk Manager rejects the updates, Task 3 begins again.
Task 4: Publish
Archer goes through the accepted assessment and publishes the assessment data to the Business Processes, Risks, and Control Procedures records. Once the publish finishes and the changes are made, the assessment is complete and is marked Validated. If the publish fails, the Risk Manager can review the issue that prevented it, fix it, and republish.
Note: If any of the assessment content fails to publish, the entire assessment is set to Failed, meaning that not all of the content was published. The publish nodes do not revert data that was already published successfully, so a Failed assessment can leave the target records partially updated; the remedy is to fix the cause and republish, not to assume a rollback. Only when the self-assessment is marked Validated have all updates been published.
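The four tasks above are a state machine with two guards (nothing is submitted until every in-scope risk is Evaluated, nothing is resubmitted until every rejected risk is Fixed) and one non-atomic step (publish). The following executable model is an added example, not Archer code or its Advanced Workflow configuration: the flag and status values follow the page (Evaluated, Agree with Assessment, Disagree with Assessment, Fixed, Validated, Failed), while the class, method and field names are my own assumptions, as is the choice to let a republish retry only the records that have not yet been published. The `demo` function runs one assessment through all four tasks with a publish node that fails once, so the partial-publish outcome described in the note is visible in the returned state.

```python
"""Executable model of the four-task self-assessment Advanced Workflow described above.
Added example, not Archer code: flag/status values follow the page; class, method and
field names are assumptions, as is retrying only unpublished records on republish."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

AGREE, DISAGREE, FIXED = "Agree with Assessment", "Disagree with Assessment", "Fixed"


@dataclass
class Risk:
    id: str
    quantitative: bool = False      # quantitative risks are excluded from scope
    evaluated: bool = False         # Evaluated Flag, set by the business unit side
    review: Optional[str] = None    # Review flag: AGREE, DISAGREE or FIXED


@dataclass
class SelfAssessment:
    risks: List[Risk]
    stage: str = "Assessment"       # Assessment -> Review -> (Re-Assess <-> Re-Review) -> Publish
    status: Optional[str] = None    # "Validated" or "Failed" once publishing has run
    published: Set[str] = field(default_factory=set)   # ids the publish nodes already wrote

    def in_scope(self) -> List[Risk]:
        return [r for r in self.risks if not r.quantitative]

    def _risk(self, rid: str) -> Risk:
        return next(r for r in self.in_scope() if r.id == rid)

    def _require(self, *stages: str) -> None:
        if self.stage not in stages:
            raise ValueError(f"stage is {self.stage}, expected one of {stages}")

    # Task 1: Business Unit Manager/Coordinator evaluates every in-scope risk, then submits.
    def mark_evaluated(self, rid: str) -> None:
        self._require("Assessment")
        self._risk(rid).evaluated = True

    def submit(self) -> None:
        self._require("Assessment")
        pending = [r.id for r in self.in_scope() if not r.evaluated]
        if pending:
            raise ValueError(f"cannot submit, not yet Evaluated: {pending}")
        self.stage = "Review"

    # Task 2 (and the re-review half of Task 3): Risk Manager sets the Review flag.
    def review(self, decisions: Dict[str, str]) -> None:
        self._require("Review", "Re-Review")
        # In Re-Review only the risks the business unit marked Fixed are decided again.
        targets = [r for r in self.in_scope() if self.stage == "Review" or r.review == FIXED]
        for r in targets:
            if decisions.get(r.id) not in (AGREE, DISAGREE):
                raise ValueError(f"no Agree/Disagree decision for {r.id}")
            r.review = decisions[r.id]
        rejected = any(r.review == DISAGREE for r in self.in_scope())
        self.stage = "Re-Assess" if rejected else "Publish"

    # Task 3: Business Unit Manager fixes each rejected risk, marks it Fixed, resubmits.
    def fix(self, rid: str) -> None:
        self._require("Re-Assess")
        r = self._risk(rid)
        if r.review != DISAGREE:
            raise ValueError(f"{rid} was not rejected")
        r.review = FIXED

    def resubmit(self) -> None:
        self._require("Re-Assess")
        still_open = [r.id for r in self.in_scope() if r.review == DISAGREE]
        if still_open:
            raise ValueError(f"cannot resubmit, not yet Fixed: {still_open}")
        self.stage = "Re-Review"

    # Task 4: one publish node per record; publisher(risk) returns True on success.
    def publish(self, publisher: Callable[[Risk], bool]) -> List[str]:
        self._require("Publish")
        failed = []
        for r in self.in_scope():
            if r.id in self.published:
                continue          # assumption: a republish retries only unpublished records
            if publisher(r):
                self.published.add(r.id)
            else:
                failed.append(r.id)
        # One failure marks the whole assessment Failed, but records already written
        # stay written: the successful nodes are not rolled back.
        self.status = "Failed" if failed else "Validated"
        return failed


def demo():
    """One assessment through all four tasks, with a publish node that fails once."""
    sa = SelfAssessment([Risk("R-1"), Risk("R-2"), Risk("Q-1", quantitative=True)])
    for r in sa.in_scope():
        sa.mark_evaluated(r.id)
    sa.submit()
    sa.review({"R-1": AGREE, "R-2": DISAGREE})     # R-2 goes back to the business unit
    sa.fix("R-2")
    sa.resubmit()
    sa.review({"R-2": AGREE})                       # only the Fixed risk is re-reviewed
    failed = sa.publish(lambda r: r.id != "R-2")   # constructed failure of the R-2 node
    after_first = (sa.status, sorted(sa.published), failed)
    sa.publish(lambda r: True)                     # issue fixed, republish the remainder
    return after_first, (sa.status, sorted(sa.published))
```

After the first publish attempt the assessment is Failed yet `R-1` is already written to its target record; only the second publish brings the assessment to Validated. Anyone building reports on the published Business Process, Risk, or Control Procedure records should therefore key on the assessment's Validated status, not on the presence of updated data in individual records.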