Oracle Enterprise Governance, Risk And Compliance


Oracle Enterprise Governance, Risk and Compliance ManagerUser GuideRelease 8.6.3Part No. E20638-01July 2011

Oracle Enterprise Governance, Risk and Compliance Manager User GuideCopyright 2011 Oracle Corporation and/or its affiliates. All rights reserved.Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks oftheir respective owners.The software and related documentation are provided under a license agreement containing restrictions on useand disclosure and are protected by intellectual property laws. Except as expressly permitted in your licenseagreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit,distribute, exhibit, perform, publish or display any part, in any form, or by any means. Reverse engineering,disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.The information contained herein is subject to change without notice and is not warranted to be error-free. Ifyou find any errors, please report them to us in writing.If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf ofthe U.S. Government, the following notice is applicable.U.S. GOVERNMENT RIGHTSPrograms, software, databases, and related documentation and technical data delivered to U.S. Governmentcustomers are “commercial computer software” or “commercial technical data” pursuant to the applicableFederal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication,disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in theapplicable Government contract, and, to the extent applicable by the terms of the Government contract, theadditional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). OracleUSA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.The software is developed for general use in a variety of information management applications. It is notdeveloped or intended for use in any inherently dangerous applications, including applications which may create arisk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take allappropriate fail-safe, backup, redundancy and other measures to ensure the safe use of this software. OracleCorporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerousapplications.The software and documentation may provide access to or information on content, products and services fromthird parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties ofany kind with respect to third party content, products and services. Oracle Corporation and its affiliates will notbe responsible for any loss, costs, or damages incurred due to your access to or use of third party content,products or services.

Contents1 About Enterprise Governance, Risk and ComplianceManagerWhat Is Governance, Risk and Compliance? . 1-1Enterprise Governance, Risk and Compliance Manager Explained 1-1Business Objects Explained . 1-1What are User-Defined Attributes? . 1-2Example: Using UDAs. 1-2Perspectives Explained . 1-2Risks Explained . 1-3Controls Explained . 1-3Issues Explained . 1-3Assessments Explained . 1-4Surveys Explained . 1-4Application Modules Explained . 1-4What Is the Financial Governance Module? . 1-5Reporting Explained . 1-52 Basic Application Operation and Common TasksSecurity Overview. 2-1Roles Explained. 2-1Basic User Interface . 2-2Home Page Explained . 2-2Common Regions on Overview Pages . 2-3Contentsiii

Common Elements in Overview, Dashboard,and Component Pages . 2-3Object States . 2-4Common Tasks . 2-5Preferences Explained . 2-5Attachments Explained . 2-6Revisions Explained . 2-6Managing Objects Explained . 2-6Copying Objects Explained . 2-6Reviewing Objects Explained . 2-8Approving Objects Explained . 2-8Creating Issues: Critical Choices . 2-8EGRCM Reporting Described . 2-83 Perspective ManagementPerspective Management Explained . 3-1Delivered Perspectives Explained. 3-1When Should I Create an Issue for a Perspective? . 3-2Creating Perspectives: Critical Choices . 3-3Perspective Assessments Explained . 3-3Perspective Certification Process Explained . 3-34 Risk ManagementRisk Management Explained . 4-1Risk Life Cycle Explained. 4-1Proposing a Risk Explained . 4-2What Is the Difference Between Creating andProposing a Risk? . 4-2Do I Always Have to Propose a Risk Before ICan Create One? . 4-2Are Risks Automatically Created from Proposed Risks? . 4-3Creating a New Risk: Critical Choices. 4-3Editing Related Controls: Critical Choices . 4-3Creating a New Event: Critical Choices . 4-4Creating New Consequences: Critical Choices . 4-4ivOracle Enterprise Governance, Risk and Compliance Manager User Guide

Risk Analysis Explained . 4-4Risk Analysis Process . 4-5Create an Analysis: Critical Choices . 4-5Risk Evaluation Explained . 4-6Creating an Evaluation: Critical Choices . 4-6Risk Assessments Explained. 4-6Risk Treatments Explained . 4-7Creating a New Treatment Plan: Critical Choices . 4-7Creating a New Treatment: Critical Choices . 4-7Risk Administration . 4-8Creating an Analysis Model: Critical Choices . 4-8Creating a Likelihood or Impact Model: Critical Choices . 4-8Creating a Risk Context Model: Critical Decisions . 4-9Risk Significance Models Explained. 4-95 Control ManagementManaging Controls Explained . 5-1Creating New Controls: Critical Choices . 5-1Creating Control Test Plans and Instructions . 5-2Test Plans Explained . 5-2Creating Test Plans: Critical Choices . 5-2Creating Manual Test Instructions Explained . 5-3Creating Automatic Test Instructions Explained . 5-3Editing Control Definitions Explained . 5-3Control Assessments Explained . 5-36 Managing Base ObjectsBase Objects Explained . 6-1Managing Base Objects Explained . 6-1Creating New Base Objects: Critical Choices . 6-1When Would I Create an Issue for an Object? . 6-2Base Object Assessments Explained . 6-2Action Items . 6-2Creating Action Items: Critical Choices . 6-2Contentsv

What Is the Difference Between an Action Itemand an Issue? . 6-3What Is the Difference Between a Target CompletionDate and a Due Date? . 6-37 Issue ManagementIssue Management Explained . 7-1Issues Explained . 7-1Issue Life Cycle Explained . 7-1Creating Issues: Critical Choices . 7-2Editing an Issue: Critical Choices . 7-2Creating Remediation Plans: Critical Choices . 7-3What Is the Difference Between a Target CompletionDate and a Due Date? . 7-3Creating a Remediation Task: Critical Choices . 7-38 Managing AssessmentsAssessments Explained . 8-1Assessment Activities Described . 8-2Methods of Initiating Assessments Described . 8-3Ad Hoc Assessments Explained . 8-3Assessment Management Explained . 8-4Managing Assessments . 8-4Creating Assessment Templates: Critical Choices. 8-4Assessment Plans Explained . 8-5Creating Assessment Plans: Critical Choices . 8-5What Is the Difference Between an AssessmentTemplate and an Assessment Plan? . 8-5Initiating Assessments Explained . 8-5Initiating an Assessment: Critical Choices . 8-5Completing Assessments Explained . 8-6Reviewing and Approving Assessments Explained. 8-7What Do the Assessment Result Options Mean? . 8-79 Managing SurveysManaging Surveys Explained. 9-1viOracle Enterprise Governance, Risk and Compliance Manager User Guide

Managing Survey Questions. 9-1Creating Questions: Critical Choices. 9-1Managing Survey Choice Sets . 9-2Managing Survey Templates . 9-3Creating a Survey Template: Critical Choices . 9-3What Happens When I Delete a Survey Template? . 9-3Creating and Editing Surveys Explained . 9-3Completing Surveys Explained . 9-410 ReportingReports Explained . 10-1Delivered Reports . 10-211 Administration TasksManaging Application Configurations . 11-1Properties Tab . 11-1Worklist Tab . 11-2Security Tab . 11-2Analytics Tab . 11-3User Integration Tab . 11-3Notification Tab . 11-4Managing Installation Options . 11-5Managing Lookup Tables . 11-5Managing Content Types . 11-6Managing the URL Repository. 11-7Managing Assessment Results Explained . 11-712 Managing SecuritySecurity Overview. 12-1Managing Duty Roles . 12-1Managing Data Roles . 12-1Managing Job Roles . 12-3Managing Users . 12-3Creating New Users . 12-3Importing Users from LDAP . 12-4Contentsvii

13 Managing ModulesModule Management . 13-1Templates Explained . 13-1Example: Creating a New Module . 13-2Configuring Module Objects . 13-4Managing User-Defined Attributes . 13-4Managing Module Perspectives . 13-5Managing Data Migration . 13-6GlossaryviiiOracle Enterprise Governance, Risk and Compliance Manager User Guide

PrefaceThis Preface introduces the guides and other information sources available to helpyou more effectively use Oracle Fusion Applications.DisclaimerThe information contained in this document is intended to outline our generalproduct direction and is for informational sharing purposes only, and should beconsidered in your capacity as a customer advisory board member or pursuant toyour beta trial agreement only. It is not a commitment to deliver any material, code,or functionality, and should not be relied upon in making purchasing decisions. Thedevelopment, release, and timing of any features or functionality described in thisdocument remains at the sole discretion of Oracle. This document in any form,software or printed matter, contains proprietary information that is the exclusiveproperty of Oracle. Your access to and use of this confidential material is subject tothe terms and conditions of your Oracle software license and service agreement,which has been executed and with which you agree to comply. This document andinformation contained herein may not be disclosed, copied, reproduced ordistributed to anyone outside Oracle without prior written consent of Oracle. Thisdocument is not part of your license agreement nor can it be incorporated into anycontractual agreement with Oracle or its subsidiaries or affiliates.Other Information SourcesMy Oracle SupportOracle customers have access to electronic support through My Oracle Support. Forinformation, visit or tml if you are hearing impaired.Use the My Oracle Support Knowledge Browser to find documents for a productarea. You can search for release-specific information, such as patches, alerts, whitepapers, and troubleshooting tips. Other services include health checks, guided lifecycle advice, and direct contact with industry experts through the My OracleSupport Community.Prefaceix

Oracle Enterprise RepositoryOracle Enterprise Repository provides visibility into service-oriented architectureassets to help you manage the life cycle of your software from planning throughimplementation, testing, production, and changes. In Oracle Fusion Applications,you can use the Oracle Enterprise Repository for: Technical information about integrating with other applications, includingservices, operations, composites, events, and integration tables. Theclassification scheme shows the scenarios in which you use the assets, andincludes diagrams, schematics, and links to other technical documentation. Publishing other technical information such as reusable components, policies,architecture diagrams, and topology diagrams.The Oracle Fusion Applications information is provided as a solution pack that youcan upload to your own deployment of Oracle Enterprise Repository. You candocument and govern integration interface assets provided by Oracle with otherassets in your environment in a common repository.Documentation AccessibilityFor information about Oracle’s commitment to accessibility, visit the OracleAccessibility Program website at ndex.html.Comments and SuggestionsYour comments are important to us. We encourage you to send us feedback aboutOracle Fusion Applications Help and guides. Please send your suggestions tooracle fusion applications help You can use the Send Feedbackto Oracle link in the footer of Oracle Fusion Applications Help.xOracle Enterprise Governance, Risk and Compliance Manager User Guide

1About Enterprise Governance, Risk andCompliance ManagerWhat Is Governance, Risk and Compliance?Worldwide, legislators, regulators and investors are placing increasing mandates onbusinesses to improve transparency and controls over financial and compliancereporting. Laws such as the U.S. Sarbanes Oxley Act, Canadian Bill 198, OMBCircular 123A, and Japanese SOX (JSOX) are forcing organizations to adoptrigorous approaches to documenting and testing internal proces

businesses to improve transparency and controls over financial and compliance reporting. Laws such as the U.S. Sarbanes Oxley Act, Canadian Bill 198, OMB Circular 123A, and Japane