OpenPages Policy and Compliance Management enables you to consolidate policy and compliance management, as well as manage regulatory change and regulator interaction. This software helps reduce the complexity and expense of complying with industry, ethics, privacy, and government regulatory mandates.
OpenPages Policy and Compliance Management can be used to automate the policy management lifecycle to help you to achieve compliance, mitigate risks, and adhere to corporate policies and procedures.
Key features include:
OpenPages Internal Audit Management : Helps to automate internal auditing procedures and adds new efficiencies and standardization to the assessment of risk and compliance performance. These capabilities are designed to improve the efficiency and effectiveness of internal audit processes while helping you maintain independence and objectivity.
OpenPages Internal Audit Management enables auditors to automate and manage internal audits, and conduct broader risk and compliance management activities.
Key features include:
Time and expense reporting
Audit report and wrap up that allows you to:
Users and groups are organized under the following top-level groups:
Security Domains - this group is a container for the security domain groups that are automatically created by the system when a business entity or sub-entity is added. You can use security domains to distribute your users and organizational groups so they can be administered by delegated administrators. For an overview of security domains, see Security domains.
Workflow, Reporting and Others - this group is a container for organizational groups that are used system-wide. Administrators often create organizational groups to organize users and other groups. You can define all your users and groups under the Workflow, Reporting and Others group, and later associate them to different security domains. For upgrade customers, this top-level group also includes the groups that existed in prior releases of OpenPages GRC Platform.
To create and administer users and groups, you must have administrative privileges. For information about delegating and assigning administrator permissions, see The Super Administrator.
When a user or group is disassociated from an organizational or security domain group, and that user or group is not a direct or indirect member of any other group, the system makes that user or group a member of a special group called Standalone Users and Groups. Only the Super Administrator has administrative access to this group.
OpenPages Regulatory Compliance Management : OpenPages Regulatory Compliance Management enables organizations to break down regulations into requirements, evaluate their impact on the business, and create actionable tasks.
Key features include the ability to:
By visualizing the business process, which can include the subprocesses, activities, risks, and controls, you can speed the risk management process and data analysis. Some of the visualizations that you can add to your processes are Business Entity Organization charts and process diagrams.
The business process visualizations provide users with the following benefits:
OpenPages Model Risk Governance : OpenPages Model Risk Governance helps banks and financial institutions address the risk that arises from the inaccuracy or misuse of models. Featuring dynamic dashboards for clear, concise reporting, this customizable platform enables firms to create and maintain a comprehensive model inventory for enhanced collaboration and regulatory compliance across multiple regions and geographies.
Enabling organizations to demonstrate strong controls throughout the model lifecycle, IBM Enterprise Model Risk Governance provides management with the reporting, tools and decision support necessary to help ensure model data quality, regulatory compliance and overall financial risk governance.
Key features include the ability to:
The Super Administrator (specified during the install or upgrade process) is a user who has complete access to all objects, folders, Role Templates, and groups in the system.
In a new installation, the Super Administrator is the only user in the system. In an upgrade installation, you can enter a new user or select one of the existing users (such as SOXAdministrator or OpenPagesAdministrator) as a Super Administrator during the upgrade process.
A Super Administrator can create users, groups, other system administrators, and assign roles. A Super Administrator can decentralize and delegate administration activities by assigning roles to users through the use of Role Templates (for more information see Role templates) and group administrator permissions (for more information, see Delegate administrator permissions).
A Super Administrator can also assign an administrator to a security domain or organizational group without making the administrator a member of that group.
Some examples of the types of administrators a Super Administrator could create are:
A Regional or Group Administrator - this would be a user with at least one security management permission assigned to perform administrative activities for a security domain or organizational group.
A Delegated Administrator - this would be a group administrator with certain security management permissions who could, in turn, assign new administrators to the same group or to any of the child groups, granting them the same security management permissions.
Decentralized Administrators - each group (security domain or organizational) could have an administrator who would have one or more administrators responsible for creating and associating users to that group as well as for enable/disable, lock/unlock, assign roles and reset password operations. A decentralized administrator would be able to perform these operations on all child groups associated to their group but not on other groups in the system.
If you change the logon user name and/or password of the Super Administrator account after installation (using the application interface), you must manually make corresponding changes to the Cognos Framework Generator property file so the reporting framework will update properly.
@ - ! . _ / : * " # % ? < >
Built-in visualizations are provided as a starting point for designing new process diagrams or viewing the organizational chart for a Business Entity.
By default, the following visualization templates are installed on all IBM® OpenPages® GRC Platform systems:
Business process flow visualization :
Risk professionals can use the process flow visualization to make sure that the documented flow accurately reflects the business process and its sub-processes, data inputs and outputs, risks and controls. Users can also update in real time to reflect any changes.
A process flow visualization is a child object of the Process. You can use the following major elements to build your process flow diagram.
Process Object : Process object types represent the major end-to-end business activities within a business entity that are subject to risk. Process objects are typically used in areas such as financial reporting, compliance, and information security. Depending on the diagram, the process object is not explicitly shown; however, it exists to provide context.
Subprocesses (or Activities) : A Subprocess object type is a component of a Process object. It is used to break down processes into smaller granular units for assessment purposes.
Risks : Risk object types represent potential liabilities. Risk objects can be associated with, for example, business processes, business entities, or compliance with a particular mandate. Each Risk object has one or more Control objects that are associated with it that provide safeguards against the risk and help mitigate any consequences that might result from the risk.
The process flow is visually optimal when risks for each process are fewer than five.
Controls : Control object types typically represent policies and procedures to help ensure that risk mitigation responses are carried out. After you identify the risks in your practices, you can then establish controls (such as approvals, authorizations, and verifications) that remove, limit, or transfer these potential risks.
A process flow is visually optimal when you have one to two Controls per Risk.
Data Input and Data Output objects : Data Input objects and Data Output objects are child objects of the Process and can have associations only to existing Risks. They represent elements of a flow to depict an Input into the Business Flow or an Output from various activities within a process, such as running a report or updating a CRM system or getting an external data source feed.
The flow of the process is represented by connectors that link the activities, inputs and outputs, and decision-branching points. You can specify labels for the decision connections.
All elements and relationships of the Business Process visualizations are stored as data in the OpenPages GRC Platform repository on the OpenPages GRC Platform server. The element types are shown or hidden in the Application Object Views that are based on Profiles. You can have multiple diagrams per process. For example, some diagrams can be at different stages of the process, such as those diagrams that are published or are being revised or approved.
Business Entity organization charts :
The Hierarchy diagram provides contextual and aggregate views of the Business Entity data model. The organizational structure of a company is captured as Business Entity objects in the OpenPages GRC Platform GRC repository, which can be visualized as an organizational chart.
This type of structure is useful for infrequent users who must understand the complex model quickly and who have business entities with risk assessments. Color codes indicate the status that is based on aggregation.
OpenPages Operational Risk Management : Helps to automate the process of identifying, measuring, and monitoring operational risk. It combines all risk data, which includes risk and control self assessments, loss events, scenario analysis, external losses, and key risk indicators, into a single integrated module.
Key features include:
Loss events, which include the following activities:
To make it easy to find a specific user without browsing through multiple groups and subgroups, you can create a group named Everyone (you can use another name) as a sub-group of the Workflow, Reporting and Others group.
This is useful because you normally create users in the context of a group, and then add them to multiple groups directly. This means that in order to find an existing user, you need to know a group to which the user belongs. To simplify this process, follow these suggestions.
As you create your list of users, add them directly to the Everyone group, as well as to the functional groups that the users need to belong to. In this manner, to find a specific user quickly, you can open the Everyone group and select the user directly.
If you want to deny a user access to the application by removing him or her from all groups, you need to remove the user from the Everyone group as well.
Users with the correct permissions can create groups using the User/Group interface. Groups can contain other groups and users, and inherit application permissions from the groups that they belong to.
Delegate administrator permissions : By assigning specific security management permissions to an administrator's user account, you can delegate various security management activities to that administrator. For example, you could set up an administrator for a security domain group (such as a regional or local office) who would only have the ability to reset passwords for that group.
If there are child groups under a parent group, the administrator can delegate an administrator for each child group as well.
Administrators do not have to be members of groups for which they perform administrative tasks. By default, only the Super Administrator has Read and Write access to objects in the system. Delegating administration responsibilities to a user on a security domain does not automatically grant Read and Write access to objects under the corresponding entity.
You can only assign those permissions that you have to other administrators.
If you disassociate an administrator from a security domain or organizational group, all user management privileges (such as manage users, lock/unlock users, reset passwords, enable/disable users, assign roles) are retained by that administrator and are not revoked.
You want to designate Mary Smith as an administrator who can reset passwords for any users in the Boston Sales Office. You would navigate to the Boston Sales Office entity group detail page and assign the Reset Password permission to Mary Smith’s user account.
If there are multiple child groups under the Boston Sales Office entity group, Mary Smith could delegate an administrator for each child group. She would only be able to assign the Reset Password permission to another administrator.
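The delegation rules above (permissions apply to a group and its child groups, an administrator can pass on only what they hold, and disassociation does not revoke administrator permissions) can be checked with a small model. This is an added example, not OpenPages code or an OpenPages API; the class, the permission labels, the user IDs and the child group "Boston Inside Sales" are constructed for illustration.

```python
from dataclasses import dataclass, field

# Labels for the user management privileges the page lists (model names only).
PERMS = {"Manage Users", "Lock/Unlock", "Reset Password", "Enable/Disable", "Assign Roles"}

@dataclass
class Directory:
    super_admin: str
    parent: dict = field(default_factory=dict)   # group -> parent group (None at the top)
    grants: dict = field(default_factory=dict)   # (admin, group) -> set of permissions
    members: dict = field(default_factory=dict)  # group -> users associated with it

    def ancestors(self, group):
        """Yield the group itself, then each parent up the hierarchy."""
        while group is not None:
            yield group
            group = self.parent.get(group)

    def effective(self, admin, group):
        """Permissions an admin holds on a group, directly or through a parent group."""
        if admin == self.super_admin:
            return set(PERMS)
        held = set()
        for g in self.ancestors(group):
            held |= self.grants.get((admin, g), set())
        return held

    def delegate(self, grantor, grantee, group, perms):
        """Grant perms on a group; the grantor can pass on only what they hold there."""
        missing = set(perms) - self.effective(grantor, group)
        if missing:
            raise PermissionError(f"{grantor} cannot delegate {sorted(missing)} on {group}")
        self.grants.setdefault((grantee, group), set()).update(perms)

    def disassociate(self, user, group):
        """Remove the association only; administrator grants stay in place, as documented."""
        self.members.get(group, set()).discard(user)

    def grants_without_association(self):
        """Review list: grants on groups the admin is not associated with.
        Intentional non-member administrators appear here too, so review, don't auto-revoke."""
        return sorted((a, g, sorted(p)) for (a, g), p in self.grants.items()
                      if p and a not in self.members.get(g, set()))

def build_example():
    """Constructed data following the Mary Smith scenario."""
    d = Directory(super_admin="SuperAdmin",
                  parent={"Boston Sales Office": None,
                          "Boston Inside Sales": "Boston Sales Office"})
    d.members = {"Boston Sales Office": {"msmith"}, "Boston Inside Sales": {"jdoe"}}
    d.delegate("SuperAdmin", "msmith", "Boston Sales Office", {"Reset Password"})
    d.delegate("msmith", "jdoe", "Boston Inside Sales", {"Reset Password"})
    return d
```

After `disassociate("msmith", "Boston Sales Office")`, `effective()` still reports Reset Password for msmith, and `grants_without_association()` surfaces that grant for review.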
A trigger is a piece of code that can be added to run before or after an operation is performed on the OpenPages platform. This piece of code can perform anything that is written in Java.
A trigger consists of the following two parts:
A rule - this is a condition that applies to the operation being executed and the parameters involved in the operation. For example,
One or more event handlers - an event handler is executed if the current operation satisfies the rule defined for the trigger. These actions can perform any business logic. For example,
Associating users with a group : If a new user only belongs to an "Everyone" or "All_Users" group, you need to give the user access to the appropriate business entity or entities.
You do this by associating users to the security domain group that corresponds to the business entity for which they need access. For information about security domains, see Security domains.
OpenPages IT Governance : Helps to align IT operations management with corporate business initiatives, strategy, and regulatory requirements. This software allows you to sustain compliance across best-practice frameworks and regulations while managing internal IT control and risk according to the business processes they support.
OpenPages IT Governance lets you build a sustainable risk and compliance approach to address sensitive data, management of technology assets and regulatory requirements. Key features include:
OpenPages GRC Platform V7.2 capabilities include:
Central platform for integrated reporting, workflow, and policies
Patented, adaptable framework that enables easy configuration
Interactive dashboards and ad hoc reports for decision support
Powerful workflow for automating business processes
Enabling and disabling System Administration Mode : You must have the System Administration Mode application permission set on your account to view the System Administration Mode link and the System Administration Mode menu item from the Administration menu.
Settings for System Administration Mode :
If Link... | If icon... | Use to...
Enabled | Enable | enter System Administration Mode
Disabled | Disable | exit and terminate System Administration Mode
Log on to the IBM® OpenPages® GRC Platform user interface as a user with the System Administration Mode permissions.
Do one of the following:
Creating user accounts : When creating a new user in IBM® OpenPages® GRC Platform, you must first select the group to which the user will belong. Then, enter information about the user and user account.
If you have not created an appropriate group for the new user, you can add the user to the top-level Security Domains group or Workflow, Reporting and Others group. In addition, you can create an "Everyone" or "All_Users" group under the top-level Workflow, Reporting and Others group and add all the users to this group. At a later time, you can then associate these users to the required security domains. In this way, there is one group that lists all users. See Creating an organizational group for details.
If a user is responsible for adding, editing, or removing folder-based access control lists (ACLs) using the Custom Security menu option on the Administration menu, the user should be associated with a group that has the Access Control Lists application permission.
What to do next :
OpenPages Capital Modeling : OpenPages Operational Risk Capital Modeling application is an integrated tool that provides a set of tools to analyze, simulate, and quantify operational risk capital by using a variety of methods.
The tool offers three different approaches to calculate operational risk capital, the Basic Indicator Approach (BIA), the Standardized Approach (TSA), and also the Advanced Measurement Approach, which provides an actuarial-based, bottom-up method for aggregating loss calculations by developing best-fit frequency and severity estimates. The application can estimate capital by using multiple data sources, which include internal loss data, external loss data, and structured scenario data. It also provides advanced modeling features, such as copula based correlation.
The application is also integrated with the OpenPages Operational Risk Management module, which allows you to simultaneously collect, model, and report on operational risk data and capital. You can apply the robust OpenPages platform framework to capital models, such as role based security and audit trail and create cross-functional, capital modeling reports by using IBM Cognos®. By providing a one stop shop for operational risk management and measurement, OpenPages Operational Risk Capital Modeling application allows you to accurately measure and mitigate your operational risk.
Key features include:
OpenPages GRC Platform V7.2 is an integrated governance, risk, and compliance platform that enables companies to manage risk and regulatory challenges across the enterprise. It provides a set of core services and functional components that span risk and compliance domains, which include operational risk, policy and compliance, financial controls management, IT governance, and internal audit.
Triggers have the following characteristics:
OpenPages Financial Controls Management :
OpenPages Financial Controls Management combines powerful document and process management with rich, interactive reporting capabilities in a flexible, adaptable, easy-to-use environment. It enables CEOs, CFOs, managers, independent auditors, and audit committees to perform all the necessary activities for complying with Sarbanes-Oxley and similar financial reporting regulations in a simple and efficient manner.
OpenPages Financial Controls Management provides transparency into the state of financial controls and helps ensure that compliance demands are addressed.
Key features include:
OpenPages GRC Platform improves overall usability and efficiency with a new set of features that are designed to increase overall productivity and enterprise-wide security. This release also introduces a model risk governance and regulatory compliance management capability. New features include:
By using visualizations, users can achieve the following goals:
IBM® OpenPages® GRC Platform supports the use of strong passwords (passwords that include letters, numbers, and symbols).
It also allows administrators to enforce mandatory password changes and other password behavior.
Configuring password policies : The IBM OpenPages GRC Platform allows administrators who can access the Settings administrative section to modify the password policies for the application.
Configuring password encryption : You can modify the encryption algorithm, and change the key that is used by the encryption algorithm to encrypt passwords in IBM OpenPages GRC Platform.
Modify password encryption : To modify password encryption, you use the Update Password Encryption Algorithm (UPEA) tool.
Using the UPEA tool : The UPEA tool defines the parameters of the password encryption algorithm.