This document will continue to evolve as existing sections change and new information is added. All updates are logged below, with the most recent updates at the top.
| Date |
What’s Changed |
Notes |
|---|---|---|
| 25 JUL 2016 |
Oracle Fusion Financial Reporting Compliance Cloud: WebCenter Content Configuration |
Added revised feature information delivered in Update 8 (August). |
| 25 JUL 2016 |
Oracle Fusion Financial Reporting Compliance Cloud: Import Template Download |
Added new feature information delivered in Update 8 (August). |
| 01 MAR 2016 |
Initial Document Creation |
This guide outlines the information you need to know about new or improved functionality in Oracle Risk Management Cloud Release 11. Each section includes a brief description of the feature, the steps you need to take to enable or begin using the feature, any tips or considerations that you should keep in mind, and the resources available to help you.
We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.
Some of the new Release 11 features are automatically available to users after the upgrade and some require action from the user, the company administrator, or Oracle.
The table below offers a quick view of the actions required to enable each of the Release 11 features.
| Action Required to Enable Feature |
||||
|---|---|---|---|---|
| Feature |
Automatically Available |
End User Action Required |
Administrator Action Required |
Oracle Service Request Required |
| Oracle Financial Reporting Compliance Cloud |
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
|
|
||||
Oracle Risk Management Cloud offers Financial Reporting Compliance, which documents your policies for identifying and resolving risk in your financial processes.
Oracle Financial Reporting Compliance Cloud
Oracle Financial Reporting Compliance Cloud documents your business practices so that you can satisfy financial reporting regulations. Use it to:
- Define business processes, identify risks to those processes, and formulate controls to address the risks.
- Evaluate risks, and analyze the impact of controls upon them.
- Assess objects regularly to determine operational effectiveness accurately and comprehensively, and ultimately to strengthen financial-reporting controls.
Define the processes your company follows to meet its goals. For example, a process may enumerate the steps required to complete a year-end closing. Once a process is in place, you can track risks that may affect it, and devise controls to alleviate those risks.
A process may be as broadly or tightly defined as you like. You can describe the process in any level of detail as you create it. You can also create action items — individual tasks that constitute steps toward the completion of the process. For example, a year-end-closing process might require an action item to verify that certain tax documents are included in the year-end reporting.
The management page for a process shows, among other things, a graph that tracks the completion of its action items.
Steps to Enable
Processes require no advance setup. However, an administrator may select among activities that users may complete as they assess processes.
A risk defines circumstances that could adversely affect a business process. As you work with a risk, you not only define it, but also:
- Relate controls to it. By doing so, you indicate that each control plays a part in reducing the risk.
- Perform analysis to determine both “inherent” and “residual” risk — the level of threat existing before and after controls are in place to address the risk. Analysis employs a set of three models that interact with one another; you can use seeded models or create your own. Depending on the models you use, analysis is either “qualitative” or “quantitative” — you may select, and models may return, either labels or numbers to rate elements of the risk and the risk itself.
- Evaluate a risk to determine whether to accept, monitor, or treat it, based on standard (model-defined) criteria. Evaluation also rates the significance of the risk in comparison with other risks. The models you use for evaluation are distinct from those you use for analysis; once again, you can use seeded models for evaluation or create your own.
You may assign each control a stratification value — for example, “key” or “mitigating.” Each value defines the role a control plays in dealing with a risk. Also, you may determine that a control has a “primary” effect upon a risk, or that it is “subordinate” to another control.
As you create a risk, you not only name and describe it, but may also select models for analysis and evaluation.
Steps to Enable
Although an administrator can configure certain risk features, it’s recommended that you accept the default configuration. Apart from that, an administrator may select among activities that users may complete as they assess risks.
A control documents measures your company takes to address a risk. It describes actions taken externally to Financial Reporting Compliance, either automatically in other systems or manually. You relate controls directly to risks (as described above).
For each control, you can create test plans. These document steps to be followed in determining whether the control is effective. Users execute a test plan while completing an assessment of the control for which the plan is created. A control may have multiple test plans, but no more than one per assessment activity type.
As you create a control, you can record how it is to be enforced, whether it's manual or automated, how often it is to be run, and whether it's in scope to be assessed.
Steps to Enable
Controls require no advance setup. However, an administrator may select among activities that users may complete as they assess controls.
An assessment is the review of a risk, control, or process, run periodically to ensure that the object is defined correctly or that its definition remains appropriate over time. Business stakeholders, internal and external auditors, and other users may be invited to participate in an assessment.
An assessment may be batch or ad hoc. A batch assessment is initiated from a plan, which in turn is developed from a template; it may specify any number of activities that assessors are to complete; it may incorporate tools such as surveys and test plans; and it may focus on any number of objects (although users assess each of these objects individually). An ad hoc assessment is simpler, focusing on a single instance of an object and a single activity.
One step in initiating a batch assessment is to set criteria for selecting the objects to be assessed.
Steps to Enable
For each assessable object (process, risk, or control), an administrator must select activities that may be included in an assessment. For each activity, the administrator may edit “guidance text” and an “activity question.” The former is a statement of purpose a user may consult while completing the assessment activity. The user’s response to the latter determines whether the object passes its assessment.
The following tools support the creation, maintenance, and assessment of processes, risks, and controls.
A perspective is a set of related, hierarchically organized values. The root value may be organization, region, regulatory code, or any other concept you determine to be meaningful. Users assign individual perspective values to individual processes, risks, or controls, establishing a context in which these objects exist.
Perspectives play an important part in securing Financial Reporting Compliance. Users are assigned job roles. One component of a job role is the data security policy, which defines a set of data to which the role grants access. A data security policy may specify perspective values; if so, it grants access only to data concerning objects associated with the same perspective values.
In addition, perspectives are useful as filtering values in Financial Reporting Compliance object-management pages and in reports.
A survey is a configured set of questions, together with instructions for answering them. A question may be in any of nine formats, for most of which you can create “choice sets” of possible answers.
A survey may be attached to an assessment plan. If so, users would answer survey questions while completing assessments developed from the plan. Or, a survey may be distributed independently of assessments, its questions pertaining to a designated Financial Compliance Reporting object or perspective.
An issue is a perceived defect in a Financial Reporting Compliance object, or in an assessment or other activity performed against an object. For example, a user may raise an issue against a control because no test plan has been created for it, and so the user feels that an assessment of the control cannot be meaningful.
The resolution of an issue involves a determination (by a user other than the one who created it) that the issue is valid and, if so, the creation and completion of a remediation plan. An issue may be closed if it is found to be invalid, if its remediation plan is successfully completed, of if an attempt at remediation shows that the issue cannot be resolved.
Seeded Financial Reporting Compliance reports provide information about processes, risks, controls, assessments, and issues. You can run reports on demand, or schedule them to run at regular intervals. Some reports are intended to be viewed within the application, and other “extract” reports are for export to a tool like Excel, where you can manipulate and analyze results.
Steps to Enable
These tools require no advance setup.
Tips and Considerations
Although you can create and modify perspective hierarchies at any point, you may want to define an essential set of perspectives before working in other areas of the application, so that perspective values are available to be selected for processes, risks, controls, and data security policies.
The following topics support setup and administration of the Risk Management Cloud.
WebCenter Content Configuration
WebCenter Content instance manages import and export files created by a Data Migration utility, as well as files attached to individual objects. Its setup page has changed.
Enter basic information into the WebCenter Content configuration page to work with files.
Steps to Enable
Open the Content Management page: Navigate to Risk Management Tools > Setup and Administration > Application Configurations. Select the Content Management tab. Then enter the following criteria:
- Select the Enable WebCenter Content check box.
- Set User Name to na, and leave Password and Confirm Password blank.
- Clear the Enable Security Sockets Layer Authentication check box.
- For Port, enter any numeric value.
- Set Server Name to na.
- Configure the Attachment Folder as before: /Contribution folders/GRC Attachments. This folder needs to be created in WebCenter Content.
- Set Document Type 1 to Document. This is the default document type in WebCenter Content and is already defined there. Select its Default radio button. Leave the other document types blank.
You use a Data Migration utility to import process, risk, control, and related data into Risk Management Cloud. The first step in doing so is to create and download an import template. Formerly, you were required to download this template directly from WebCenter Content. As an enhancement, you can now download the template from a record of the Generate Import Template job on Monitor Jobs page in Risk Management Tools. In that record, select a Job Completed link in a Message column. This opens a Job Details dialog, in which you select an Item Results link to download the template.
Steps to Enable
This download procedure requires no setup.
---
Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
This document is provided for information purposes only, and the contents hereof are subject to change without notice.This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced ortransmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation.All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
11.08