
1. Introduction
1.1 Purpose

This document describes the functional specification for the Risk Management 6.0.2 product. Risk Management 6.0 will be based on the Enterprise Governance Risk Compliance Platform (EGRCP) Release 6.0. MetricStream's Risk Management 6.0 application provides a comprehensive approach to identify potential risks and a powerful framework to evaluate and assess them based on various factors on a periodic basis. The product is web based and is an improved version of Enterprise Risk Management 5.5.1. The product is built on the Enterprise Governance Risk Compliance Platform version 6.0 and AppStudio 1.0. This document describes the Planning part of Risk Management 6.0. The Risk Management 6.0 application supports assessments based on various risk scoring scenarios and on qualitative & quantitative assessment factors. It triggers issues based on risk assessments and performs risk scoring & roll-ups.

1.2 Document Conventions

This document is designed in compliance with the IEEE standard for Software Requirement Specification document. The document is written with font face Times New Roman. All the headings are of the font size 16 pt and the sub-headings are of the font size 14 pt. Main and Sub Headings are kept bold. The rest of the document is written in Times New Roman normal font style with 1.5 line spacing and the font size is 12 pt. The document has used short forms for some commonly abbreviated terms. Flow charts are included to show the flow of control wherever needed.

1.3 Intended Audience and Reading Suggestions
This document will serve as an input to Engineering for application planning and design. The target audience for this document is Engineering, QA, and Product Management. The intended audiences for this document are testers, project managers, documentation writers and end users (clients/customers). This document is designed to give an overall description and listing of the functionality of Risk Management 6.0. This document will also include an easily traceable means by which the user can trace a functionality's brief description to its full description. The end users can use this document to ensure that all the functionalities of the overall system are on the right track as per their needs. This document helps the tester to compare the performance of the software with the standard performance expected.

1.4 Project Scope
The aim of the project is to obtain information from modules, namely the GRCF module. This is one of the integrated projects with other modules like Audit Management and Issue Management. Using the information obtained from the above modules we are supposed to develop an assessment form which will obtain the Auditable Entity from the GRCF module and assess it in a way that it will grade the Auditable Entity/Risk of a particular assessment. The module is also supposed to trigger the Issue module if any auditable entity/risk rating is high for a particular assessment. Based on the assessments, reports and dashboards to display the assessment rating for the various assessments are developed.

1.5 References
• This SRS is formulated by referring to the SRS template by Roger Pressman: www.scribd.com/doc/9914/srs-template
• MetricStream Risk Management 6.0 Functional Specification, MetricStream Document Control Repository.

2. Overall Description
2.1 Product Perspective
The Risk Management 6.0 application provides a comprehensive approach to identify potential risks and a powerful framework to evaluate and assess them based on various factors on a periodic basis.
– Supports assessment based on various risk scoring scenarios, qualitative & quantitative assessment factors

– Performing Risk Assessments
– Triggering issues based on risk assessments
– Risk scoring & roll-ups

Risk Management 6.0 Highlights:
• Supports Multi-Dimensional Risk Assessments
– Three types of risk assessments: Org-Process/Auditable Entity-Risk, Org-Risk, Process/Auditable Entity-Risk
– Extensible to support risk assessments for GRC Foundation ‘Core Object’ extensions like Suppliers, IT Assets, Projects, etc.
– Continued support for multiple organizations to assess risk with their own perspectives
• User Experience
– In-form trees to navigate the risk assessment survey, assessment factors and risks to be assessed
– Provides access to prior risk-assessment data while doing the assessment
– Incorporates new 6.0 usability standards and tabs for improved layout, navigation and look-and-feel in forms
– Improved ability to create ad-hoc risk assessments
– Common interface to set up all 3 types of assessments
– Data Browser to view Risk Assessment Plans and Assessments
• Supports correlation between risk categories across scenarios
• Extensible to perform risk assessments on Suppliers, IT Assets, Projects, Products, etc. through the ‘Core Object’ framework
• Leverages the GRC Foundation for Library content like Process, Policies, Risks and Controls
• Integrates seamlessly with the Issue Management application for Issue tracking and remediation
• Includes powerful tools for risk analysis and monitoring through various dashboards, drill-down reports and Heatmap

• Scoring
– More flexible quantitative factors that can affect the inherent OR residual risk score
– Quantitative factors support raw data entry that can be converted into scores based on scoring rules
– Simplified roll-up algorithms for Organization, Process & Risk scores
• Integrated with Issue Management (ISM) 6.0
– Trigger Issues in the Issue Management module based on Findings & Recommendations
• Calendar to view Risk Assessment Schedule
– Shows information about risk assessment plans and when they are due and overdue
• Reports & Dashboards
– New heat-map reports
– Out of the Box Reports

2.2 Product Features
The Risk Management 6.0 application has the following forms that enable it to function in the way that is required. The forms are as follows.

Scenarios
Use this form to create multiple scenarios for risk assessments. The system allows you to create three types (Org-Risk, Org-Core Object-Risk, and Core Object-Risk) of assessments. This is particularly helpful when multiple Governance groups (e.g. Enterprise Risk, Op Risk & Internal Audits) wish to assess the same library objects but based on their own perspectives and methodologies. This then enables the governance groups to place the different assessments side-by-side and compare how different groups rated the same business entities.

Qualitative Assessment Factor
Use this form to create questions that will guide the assessor in making a subjective assessment of a risk (without directly affecting the score).

Quantitative Assessment Factor
Use this form to create questions that will guide the assessor in making a numeric assessment of a risk (without directly affecting the score). These factors can be categorized as per the factor contribution specified.

Risk Assessment Plan
Use this form to create a risk assessment plan to assess risks on a periodic basis, based on a scheduled frequency.

Risk Assessment
Assessors receive this form based on the scheduled frequency defined in the assessment plan (or based on an ad-hoc task assignment). The assessor assesses each risk by responding to one or more quantitative & qualitative questions. In this form, create questions with specific responses (Yes/No, High/Medium/Low, etc.) that each correspond to a score that is then rolled up to arrive at an overall score for the assessment. Based on the responses to the factors, scores are rolled up and available at the Risk, Core Object and Organizational levels.

2.3 User Classes and Characteristics
The following provides information on the roles and their corresponding access grants.
• Risk Administrator
o RSK – Manage Scenarios
o RSK – Manage Risk Factors
• Risk Manager
o RSK – View Scheduled Risk Assessment
o RSK – Edit Scheduled Risk Assessment
o RSK – Approve Scheduled Risk Assessment
o RSK – Assess Risks
o RSK – Approve Risk Assessments
o RSK – Manage Risk Factors

o ISM – Create Issue
• Risk Assessor
o RSK – Assess Risks
o ISM – Create Issue
• Risk Approver
o RSK – Approve Scheduled Risk Assessment
o RSK – Approve Risk Assessments
o ISM – Create Issue

The following are the default set of activities in the system.
• RSK – Manage Scenarios
• RSK – Manage Risk Factors
• RSK – View All Scheduled Risk Assessments
• RSK – View Scheduled Risk Assessment
• RSK – Edit All Scheduled Risk Assessments
• RSK – Edit Scheduled Risk Assessment
• RSK – Approve Scheduled Risk Assessment
• RSK – Assess Risks
• RSK – Approve Risk Assessments
• RSK – View Risk Assessment
• RSK – View All Risk Assessments

The following are the default set of users in the system.
• Risk Administrator
• Risk Manager
• Risk Approver 1

• Risk Approver 2
• Risk Assessor

What is required of the various users of the Risk Management 6.0 system is as follows:
• User can specify one or more risk assessment scenarios
• User can set up risk assessment scenarios of three possible types (Org-Risk, Process-Risk, Org-Process-Risk)
• User can identify specific organizations that can conduct each scenario assessment
• User can schedule a new risk assessment for a specific scenario
• User can specify the organizations and processes to assess. All risks related to the organization or process will be assessed
• User can specify which assessors will be assessing different organizations or processes
• User sees a list of scheduled risk assessments (as controlled by security)
• User can filter self-assessments by organizations, processes or risks being assessed
• User can view a scheduled risk assessment
• User can edit a scheduled risk assessment
• System triggers risk assessment per schedule
• System populates risk assessment by correlating risk categories (of the risks being assessed) to quantitative & qualitative question categories
• System assigns risk assessment form to appropriate risk assessment owners
• Assessor sees a tree of organizations (optionally), processes (optionally) & risks that they are supposed to assess
• Assessor can assess risk by responding to one or more quantitative & qualitative questions
• Risk roll-up scores (based on assessment) are visible in the tree structure
• User submits assessment for approval

• Approver reviews & closes out assessment. Assessment data is used by automated scoring roll-up algorithms to populate risk dashboards
• User can select existing questions/procedures from the GRC Foundation library

2.4 Operating Environment
Platform
• Audits Management 6.0 is certified on ECP 5.5 Build 51 and ECP 6.0 and higher
• MetricStream Enterprise Compliance Platform Version 5.5
o Build: 5.5.1222.12.31.0.51
o Database Version: 5.5.1222.12.31.0.51
• MetricStream Enterprise GRC Platform Version 6.0
o Build: 6.2.0.0
o Database Version: 6.2.0.0
MetricStream Application Platform
Operating Systems (MetricStream Server)
• Microsoft Windows Server 2000 (32 and 64 bit)
• Microsoft Windows Server 2003 (32 and 64 bit)
• RHEL 5.5
Database
• Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 – 64 bit Production
Browser version
• Microsoft Internet Explorer 6.0 SP2

2.5 Design and Implementation Constraints
The look and feel of the system is governed by the platform, i.e. ECP 6.0. The technical scope for the development of the system is the same as that of the platform. These limitations are

documented in the user guide of the platform and are proprietary and confidential property of MetricStream Inc.

2.6 User Documentation
Risk Management 6.0 is developed to be easily followed and used by the end user. The project provides the following components for the better understandability of the user:
• platform_userguide.pdf
• Risk Management 6.0 - Quick Reference Guide.doc
• Risk Management 6.0 - Quick Reference Guide.ppt
• MS_RSK_60_InstallationGuide_Windows.doc

2.7 Assumptions and Dependencies
The integration is with the third-party supplied source specifications, and is dependent on the specifications available. If the data format specifications change, the integration related code has to be revised. Though the interface to the system is web based and accessed through an HTML web browser, the system works flawlessly only on Internet Explorer. This issue is attributed to the way in which the platform is developed and is expected to be dealt with in a future release of the platform.

3. System Features
3.1 Risk Assessment Plan Form
3.1.1 Description and Priority
This form is the main binding factor in Risk Management 6.0. The Scenario/Perspective factor is chosen in this form. Based on the selected scenario, all the Qualitative and Quantitative factors associated with it are used to score the specified Risk. The Risk which is to be calculated is also chosen in this form, with the three-dimension score of Org – Process – Risk.

This form has a high priority in this entire application and is also dependent on the Org – Process – Risk that is already defined. It is also dependent on the Controls which are specified by CMP.

3.1.2 Stimulus/Response Sequences
In order to be able to launch the Assessment Form successfully there are a number of steps which are to be carried out. The Plan form is initially in the ‘New’ status when created. Once all the parameters are accurately entered there is an action available, “Send for Approval”. On submitting the form for approval, the form has to go through the process of approvals based on the level of approval specified. There are three levels of approvals. They are Owner, Approver1 and Approver2. Once the form goes to any of the above mentioned levels of approval the approvers have the following options: they can either ‘Approve’, ‘Request Clarification’ or ‘Cancel’.

Send for Approval
This action specifies that there is no objection to the content of the form. The approver can make the needed changes and send the form for approval. The process then flows as usual.

Request Clarification
This action is called upon by an approver when there is ambiguity in the data entered, or some more information is needed and clarification is required. When this action is called upon, the form goes back to the level from which it originated. That respective user has to make the required changes or provide the necessary requirements and submit the clarified form. The form then goes back to the approver who requested the clarification.

Cancel
This action is called upon when the assessment form is irrelevant and not needed. It can be done by any of the approvers, with the reason for the cancellation of the form.

3.1.3 Functional Requirements
The Risk Manager or any other authorized personnel can use this form to plan and publish the Risk Assessment Plan form. In case of a wrong user name / password the system will throw an error.

All mandatory fields have to be entered for the user to submit the form successfully.
REQ1: The User can create a plan only if he has the permission to create the Plan form.
REQ2: The ‘Risk’ Info Center has to be present.
REQ3: The ‘Risk Assessment Plan’ link is available.

3.2 Risk Assessment Form
3.2.1 Description and Priority
This form is the heart of the Risk product of MetricStream. It is the final score card of the risk that is calculated. In this form we have the Org – Process – Risk hierarchy defined, with all the information that is relevant to each level. The Risk is scored up with the Standard, Qualitative and Quantitative Factors. In addition to this the Control is also displayed. These controls can be preset for each risk or can be added into the form. The form has high priority in Risk Management 6.0.

3.2.2 Stimulus/Response Sequences
On being triggered the Assessment form is available. The triggering can be done manually or can be automated by specifying the time style in the Assessment Plan form. The form is initially in the ‘Assess Assessment’ status when triggered. Once triggered, the form flows in a similar way to the Assessment Plan Form. Once all the parameters are accurately entered there are a number of actions available: ‘Send for Approval’, ‘Send for Reviewer’, ‘Reassign to User’ and ‘Cancel Assessment’.

Send for Approval
This action specifies that the form is in proper order and there is no objection to the content of the form. The approver can make the needed changes and send the form for approval.

Request Clarification
This action is called upon by an approver when there is ambiguity in the data entered and clarification is required. When this action is called upon, the form goes back to the level from which it originated. That respective user has to make the required changes or provide the necessary requirements and submit the clarified form. The form then goes back to the approver who requested the clarification. The process then flows as usual.

Send for Reviewer
This action allows an approver to send the assessment form to a reviewer for comments on the data that is entered. The reviewer can only make comments and submit, but cannot modify the data that is in the form.

Reassign to User
This action allows the approver to select another Assessor to do the assessment of the form and skip the process of approval.

Cancel
This action is called upon when the assessment form is irrelevant and not needed. It can be done by any of the approvers, with the reason for the cancellation of the form.

3.2.3 Functional Requirements
The Risk Approver or any other authorized personnel can use this form to plan and publish the Risk Assessment Plan form. In case of a wrong user name / password the system will throw an error. All mandatory fields have to be entered for the user to submit the form successfully.
REQ1: The User can create a plan only if he has the permission to approve the Assessment form.
REQ2: The ‘Assessment Form’ has to be triggered.
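As an added illustration of the approval flow described in 3.1.2 and 3.2.2 (and repeated for the scheduled form in 3.3.2), the following model is example code written for this page, not MetricStream's. The ‘New’ and ‘Assess Assessment’ starting statuses, the three approval levels and the action names come from the text; the intermediate statuses ‘Pending Approval’, ‘Clarification Requested’, ‘Approved’ and ‘Cancelled’, the mandatory field names and the mandatory-reason rule on Cancel are assumptions made for the model.

```python
from dataclasses import dataclass, field

LEVELS = ("Owner", "Approver1", "Approver2")   # the three approval levels (3.1.2)


@dataclass
class Form:
    kind: str                      # "plan" starts 'New'; "assessment" starts 'Assess Assessment'
    assessor: str
    data: dict = field(default_factory=dict)
    status: str = field(init=False)
    level: int = -1                # index into LEVELS of the approver holding the form; -1 = nobody
    return_to: int = -1            # approver level a clarified form goes back to (assumption)
    comments: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.status = "New" if self.kind == "plan" else "Assess Assessment"

    def _check(self, actor):
        # only the approver at the current level may act on a form under approval
        if self.status != "Pending Approval":
            raise PermissionError(f"{self.status!r} does not allow this action")
        if self.level < 0 or actor != LEVELS[self.level]:
            raise PermissionError(f"{actor} is not the approver at the current level")

    def send_for_approval(self, mandatory=("scenario", "risk")):
        missing = [f for f in mandatory if not self.data.get(f)]
        if missing:                                   # all mandatory fields must be entered
            raise ValueError(f"mandatory fields missing: {missing}")
        if self.status == "Clarification Requested":  # clarified form returns to the requester
            self.level = self.return_to
        elif self.status in ("New", "Assess Assessment"):
            self.level = 0                            # first level of approval: Owner
        else:
            raise PermissionError(f"{self.status!r} cannot be sent for approval")
        self.status = "Pending Approval"
        self.log.append(("Send for Approval", LEVELS[self.level]))

    def approve(self, actor):
        self._check(actor)
        self.log.append(("Approve", actor))
        if self.level == len(LEVELS) - 1:             # last level has signed off
            self.status, self.level = "Approved", -1
        else:
            self.level += 1                           # hand the form to the next level

    def request_clarification(self, actor, reason):
        self._check(actor)
        self.return_to, self.level = self.level, -1   # back to the level it originated from
        self.status = "Clarification Requested"
        self.log.append(("Request Clarification", actor, reason))

    def cancel(self, actor, reason):
        # any of the approvers may cancel, but only with a reason
        if self.status != "Pending Approval" or actor not in LEVELS:
            raise PermissionError("only an approver can cancel a form under approval")
        if not reason:
            raise ValueError("a reason for the cancellation is required")
        self.status, self.level = "Cancelled", -1
        self.log.append(("Cancel", actor, reason))

    def reviewer_comment(self, reviewer, text):
        # 'Send for Reviewer': the reviewer may comment and submit but never edit the data
        self.comments.append((reviewer, text))
        return dict(self.data)                        # read-only copy; form data is untouched

    def reassign_to_user(self, actor, new_assessor):
        # 'Reassign to User': hand the assessment to another assessor, skipping the approval
        self._check(actor)
        self.assessor, self.level = new_assessor, -1
        self.status = "Assess Assessment"
        self.log.append(("Reassign to User", actor, new_assessor))
```

The log records every transition with the acting level, which is the audit trail an approver or reviewer would expect to see when a form returns from clarification.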

3.3 Frequency of Risk Assessment
3.3.1 Description and Priority
RSK 6.0 enables frequent ‘Risk Assessments’ where the system can periodically (daily, weekly, monthly, etc.) re-score a top-down assessment's automated factors. This is vital for the continuous assessment of the Organization. Based on these continuous assessments the health of an organization can be monitored.

3.3.2 Stimulus/Response Sequences
The Assessment Form needs to be triggered regularly in order to obtain the updated health of the risks that an organization may face. This is done by setting a frequency in the Risk Assessment Plan form. This can be done on a specific date, weekly, monthly, quarterly or yearly. Based on the specified time the Assessment form will be triggered to the required approvers for review. The flow then follows that of the Assessment Form. The form is initially in the ‘Assess Assessment’ status when triggered. Once all the parameters are accurately entered there are a number of actions available: ‘Send for Approval’, ‘Send for Reviewer’, ‘Reassign to User’ and ‘Cancel Assessment’.

Send for Approval
This action specifies that the form is in proper order and there is no objection to the content of the form. The approver can make the needed changes and send the form for approval. The process then flows as usual.

Request Clarification
This action is called upon by an approver when there is ambiguity in the data entered and clarification is required. When this action is called upon, the form goes back to the level from which it originated. That respective user has to make the required changes or provide the necessary requirements and submit the clarified form. The form then goes back to the approver who requested the clarification.

Send for Reviewer
This action allows an approver to send the assessment form to a reviewer for comments on the data that is entered. The reviewer can only make comments and submit, but cannot modify the data that is in the form.

Reassign to User
This action allows the approver to select another Approver to do the approval of the form and skip the process of approval.

Cancel
This action is called upon when the assessment form is irrelevant and not needed. It can be done by any of the approvers, with the reason for the cancellation of the form.

3.3.3 Functional Requirements
The Risk Approver or any other authorized personnel can use this form to plan and publish the Risk Assessment Plan form. In case of a wrong user name / password the system will throw an error. All mandatory fields have to be entered for the user to submit the form successfully.
REQ1: The User can create a plan only if he has the permission to approve the Assessment form.
REQ2: The ‘Assessment Form’ has to be triggered.

4. External Interface Requirements
4.1 User Interfaces
The entire system inherits its UI from the platform. It is meant to have a single web based UI. It is a self-contained system to manage users, roles, organizations and their hierarchy. It also allows creation and management of data objects and creates interfaces to the same with the help of Data Forms.

Here are some key UI characteristics:
• Provide consistent navigational concepts and application patterns across all applications to reduce perceived complexity and improve adoption
• Information-based user interface
• Minimize the number of clicks to get to any form, report or dashboard
• Minimize clutter and improve visual appeal
• Further optimize for repeat users
• Provide contextual information

4.2 Hardware Interfaces
The system doesn't include any functionality to interact directly with any hardware. Hardware level interaction (if any, like handling print jobs) is completely done by the underlying operating system.

4.3 Software Interfaces
The system uses many software interfaces provided by the platform, either as standard features or as add-on modules. These interfaces are abstracted from the product, completely handled by the platform, and provide the various features to it.

4.4 Communications Interfaces
The system requires the following communication interfaces to operate at full functionality.
• Network connection to communicate between client and server
• Web browser to interact with the system (certified to work only on Internet Explorer)

5. Other Nonfunctional Requirements
5.1 Performance Requirements
Though the performance aspect, which includes responsiveness, is basically attributed to the underlying platform, it is desired to design the system in a manner where the system would be reasonably responsive all the time. The key factors in this aspect would be efficient JS coding, Java coding and optimizing DB usage/look-ups.

5.2 Safety Requirements
It follows industry standards of data protection measures like frequent data backups, regular dumps of the AppServer and system optimizations.

5.3 Security Requirements
In general, security with Audits follows a three-level structure as follows:
• Access Grants (Activities) as available through Roles for the current user
• Organizational associations for the current user correlated with the organizational ownership or organizational relevance of individual objects
• Object-specific view restrictions
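Added example (not MetricStream code) of the three-level structure above applied to a single access decision: the role-to-grant table is the default set listed in 2.3, while the organization hierarchy, the sample users and objects, the direct_grants field and the reading of the ‘View All’ / ‘Edit All’ activities as waiving the organizational filter are assumptions made for this model.

```python
from dataclasses import dataclass, field

# Default role-to-grant table from 2.3 (activity names exactly as the page lists them)
ROLE_GRANTS = {
    "Risk Administrator": {"RSK – Manage Scenarios", "RSK – Manage Risk Factors"},
    "Risk Manager": {"RSK – View Scheduled Risk Assessment", "RSK – Edit Scheduled Risk Assessment",
                     "RSK – Approve Scheduled Risk Assessment", "RSK – Assess Risks",
                     "RSK – Approve Risk Assessments", "RSK – Manage Risk Factors", "ISM – Create Issue"},
    "Risk Assessor": {"RSK – Assess Risks", "ISM – Create Issue"},
    "Risk Approver": {"RSK – Approve Scheduled Risk Assessment", "RSK – Approve Risk Assessments",
                      "ISM – Create Issue"},
}
# Assumption: holding the 'All' variant of an activity waives the organizational filter (level 2)
ALL_VARIANT = {
    "RSK – View Scheduled Risk Assessment": "RSK – View All Scheduled Risk Assessments",
    "RSK – Edit Scheduled Risk Assessment": "RSK – Edit All Scheduled Risk Assessments",
    "RSK – View Risk Assessment": "RSK – View All Risk Assessments",
}
# Constructed organization hierarchy for the example: child -> parent (None = root)
ORG_PARENT = {"Corp": None, "EMEA": "Corp", "UK Ops": "EMEA", "APAC": "Corp"}


@dataclass
class User:
    name: str
    roles: set
    orgs: set                                          # organizational associations of the user
    direct_grants: set = field(default_factory=set)    # constructed: grants outside the default roles


@dataclass
class Assessment:
    ident: str
    owner_org: str                                     # organizational ownership of the object
    restricted_to: set = field(default_factory=set)    # object-specific view restriction; empty = none


def ancestors(org):
    """The organization itself and every organization above it in the hierarchy."""
    while org is not None:
        yield org
        org = ORG_PARENT.get(org)


def grants(user):
    """Level 1 input: the union of the activities granted through the user's roles."""
    return set(user.direct_grants).union(*(ROLE_GRANTS.get(r, set()) for r in user.roles))


def authorize(user, activity, obj):
    """Apply the three levels in order; return (allowed, reason)."""
    g = grants(user)
    if activity not in g:                                              # level 1: access grant via roles
        return False, f"no grant {activity!r} for roles {sorted(user.roles)}"
    if ALL_VARIANT.get(activity) not in g:                             # level 2: organizational association
        relevant = set(ancestors(obj.owner_org))                       # owner org or any parent of it
        if not user.orgs & relevant:
            return False, f"{user.name} has no association with {obj.owner_org!r} or its parents"
    if obj.restricted_to and user.name not in obj.restricted_to:       # level 3: object-specific restriction
        return False, f"{obj.ident} is restricted to {sorted(obj.restricted_to)}"
    return True, "allowed"
```

Each denial names the level that failed, which is the detail an administrator needs when a user reports that an assessment is missing from their list.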

The system inherits its security features from the platform. This includes various users with different roles and responsibilities, access control to data based on various factors like organization hierarchy, user roles and privileges, and assuring data integrity. The data is abstracted from the user and integrally maintained by the system / platform. The system is hosted on a secured server, so a certain set of security risks are eliminated. But it is required to ensure that the host server is free of system security threats / loopholes.

5.4 Software Quality Attributes
Here are a few quality attributes expected of the system.
• Intuitive & value-added information presentation
o Dynamic presentation of relevant information & actions
o Maintain context during interactions
o Tabbed presentation
o Field and Page-specific help
• Sleek & elegant
o NOT an ‘Industrial’ look
o Icons & graphics based - More visual
o Clean lines and pleasing color palette
• Intuitive navigation
o Navigation constructs corresponding to task (e.g. hierarchical control/risk navigation)
o Leverage common metaphors like calendars
o Single click for most common actions. No more than two clicks to get to any action
• Consistency
o Across applications/platform activities and pages

6. Other Requirements
None

Appendix A: Glossary
o ECP (Enterprise Compliance Platform)
o Apps studio
o GRC (Governance Risk and Compliance) – Risk, Process and Control
o RSK (Risk Management)
o ISM (Issue Management)
o CMP (Compliance Management)
o AUDITS (Audits Management) – Risk

Appendix B: Analysis Models