This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:
Date | Module | Feature | Notes |
---|---|---|---|
16 SEP 2022 | | | Created initial document. |
HAVE AN IDEA?
We’re here and we’re listening. If you have a suggestion on how to make our cloud services even better then go ahead and tell us. There are several ways to submit your ideas, for example, through the Ideas Lab on Oracle Customer Connect. Wherever you see this icon after the feature name it means we delivered one of your ideas.
GIVE US FEEDBACK
We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.
DISCLAIMER
The information contained in this document may include statements about Oracle’s product development plans. Many factors can materially affect Oracle’s product development plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle.
This information may not be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates. Oracle specifically disclaims any liability with respect to this information. Refer to the Legal Notices and Terms of Use for further information.
Column Definitions:
Report = New or modified, Oracle-delivered, ready to run reports.
UI or Process-Based: Small Scale = These UI or process-based features are typically comprised of minor field, validation, or program changes. Therefore, the potential impact to users is minimal.
UI or Process-Based: Larger Scale* = These UI or process-based features have more complex designs. Therefore, the potential impact to users is higher.
Features Delivered Disabled = Action is needed BEFORE these features can be used by END USERS. These features are delivered disabled and you choose if and when to enable them. For example, a) new or expanded BI subject areas need to first be incorporated into reports, b) Integration is required to utilize new web services, or c) features must be assigned to user roles before they can be accessed.
Ready for Use by End Users = Reports plus Small Scale UI or Process-Based new features will have minimal user impact after an update. Therefore, customer acceptance testing should focus on the Larger Scale UI or Process-Based* new features.
Customer Must Take Action before Use by End Users = Not disruptive as action is required to make these features ready to use. As you selectively choose to leverage, you set your test and roll out timing.
Transactional Business Intelligence for Risk Management
New Financial Control Deep Link Attributes
The Risk Management Cloud - Advanced Financial Controls Real Time subject area offers a new deep link URL to the advanced controls results page. This deep link allows you to view or edit specific sets of records by passing multiple parameters.
The following is the new action link:
Object Type | Deep-Link URL |
---|---|
View Results for a Transaction Type Control | https://<server_url>/fscmUI/faces/deeplink?objType=GRC_AC_RESULTS&action=VIEW&objKey=controlId=@{1};Navigation=deepLink;resultValueA=@{2};resultDrillIdA=@{3};resultValueB=@{4};resultDrillIdB=@{5};resultValueC=@{6};resultDrillIdC=@{7};resultValueD=@{8};resultDrillIdD=@{9};resultValueE=@{10};resultDrillIdE=@{11};group=@{12};groupingValue=@{13};statusCode=@{14};stateCode=@{15} |
The subject area has a new dimension named Transaction Incident Result Headers > Result Drill IDs, with 25 new attributes. These attributes provide IDs that can be passed as action link parameters to incident results related to advanced financial controls.
For example, you may be viewing duplicate invoices by supplier in OTBI, and want to accept all the incidents for supplier XYZ because they are legitimate invoices, not duplicates. You can now drill on the supplier ID and Invoice number and see only those incidents that match.
Here's an example report of duplicate supplier invoices:
Let's say you want to drill to the results in order to accept all incidents for supplier ID 12 and invoice number INV_1001577. If you set up an action link on the Name column to pass those two values it would look like this:
The objKey is the Control ID. The resultValueA is the invoice number, the corresponding drill ID is 16006. The resultValueB is the supplier ID and the corresponding drill ID is 16010.
To set this up, edit the report. To make the link on the control name, edit the column properties, go to the Interaction tab, then create a new action link. Up to 5 result values can be passed, each with its corresponding result drill ID. In addition, the group, groupingValue, statusCode and stateCode can optionally be passed. In this example, the URL is:
https://hostname/fscmUI/faces/deeplink?objType=GRC_AC_RESULTS&action=VIEW&objKey=controlId=@{1};Navigation=deepLink;resultValueA=@{2};resultDrillIdA=@{3};resultValueB=@{4};resultDrillIdB=@{5}
Not all of the parameters have to be passed. In this example, only two drill IDs are passed.
To provide the Invoice number, pass two parameter values:
- resultValueA "Transaction Incident Result Values"."Result Value 6"
- resultDrillIdA "Result Drill IDs"."Result Drill ID6"
Result Value 6 and Result Drill ID6 are passed because Result Header 6 is the Payables Invoice.Number (see Identifying Dimension Values To Pass screenshot). These values could have been passed to any of the 5 available parameters A-E.
To provide the Supplier ID, pass two parameter values:
- resultValueB "Transaction Incident Result Values"."Result Value 10"
- resultDrillIdB "Result Drill IDs"."Result Drill ID10"
Result Value 10 and Result Drill ID10 are passed because Result Header 10 is the Payables Invoice.Supplier ID (see Identifying Dimension Values To Pass screenshot). These values could have been passed to any of the 4 available parameters left B-E (we used A for Invoice Number).
Now when the Control Name link is clicked, you're brought to the incident results page, which is already filtered to show incidents related to the supplier and invoice that were passed in the action link parameters:
This example demonstrates how to pass multiple values, and so one record is returned that matches the invoice number and supplier ID. Just the supplier ID could have been passed to return both records for that supplier, or the grouping value could have been passed to return the potential duplicates.
Some things to keep in mind:
- The Result Values passed will show in the filters area of the results page once you drill to it.
- If your intention is to return records that are not pending (like closed or approved results), then you'll also need to pass the state or status codes to override the default saved search which only returns pending results.
- Attributes passed will override any default saved search on the results page.
- Dates must be passed in the format dd-mm-yyyy.
With the ability to pass result values, more focused searches can be achieved. So, instead of only being able to pass a result ID or a control ID, you can now drill to a subset of results. This is helpful in cases where you are analyzing records in OTBI, and then want to take action on that same set of records in the results page.
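The action-link URL described above, built and checked in Python as an added example (not Oracle's code). The function names, the placeholder host and the control ID 10001 are assumptions; values containing `;`, `=` or `&` are rejected rather than encoded, because those characters separate parameters in the URL and the page does not say how encoded delimiters are handled.

```python
from datetime import date
from urllib.parse import quote, unquote

SLOTS = "ABCDE"                       # up to 5 result value / drill ID pairs
OPTIONAL = ("group", "groupingValue", "statusCode", "stateCode")
DELIMS = set(";=&")                   # separators used by the URL and the objKey

def _safe(name, value):
    """Percent-encode a value, refusing any that would add or split a parameter."""
    text = str(value)
    if not text or DELIMS & set(text):
        raise ValueError(f"{name}: empty or contains a delimiter: {text!r}")
    return quote(text, safe="")

def build_results_link(host, control_id, results, **optional):
    """results: list of (result_value, result_drill_id) pairs, at most 5."""
    if not 1 <= len(results) <= len(SLOTS):
        raise ValueError("pass between 1 and 5 result value / drill ID pairs")
    unknown = set(optional) - set(OPTIONAL)
    if unknown:
        raise ValueError(f"unsupported parameter(s): {sorted(unknown)}")
    parts = [f"controlId={_safe('controlId', control_id)}", "Navigation=deepLink"]
    for slot, (value, drill_id) in zip(SLOTS, results):
        if not str(drill_id).isdigit():
            raise ValueError(f"resultDrillId{slot} must be numeric")
        if isinstance(value, date):   # dates go out as dd-mm-yyyy
            value = value.strftime("%d-%m-%Y")
        parts.append(f"resultValue{slot}={_safe('resultValue' + slot, value)}")
        parts.append(f"resultDrillId{slot}={drill_id}")
    for name in OPTIONAL:             # same order as the page's URL template
        if name in optional:
            parts.append(f"{name}={_safe(name, optional[name])}")
    return (f"https://{host}/fscmUI/faces/deeplink"
            "?objType=GRC_AC_RESULTS&action=VIEW&objKey=" + ";".join(parts))

def parse_obj_key(url):
    """Split a deep link's objKey back into a dict, for review or logging."""
    obj_key = url.split("objKey=", 1)[1]
    pairs = (p.split("=", 1) for p in obj_key.split(";"))
    return {key: unquote(value) for key, value in pairs}

# Constructed sample using the page's values: invoice INV_1001577 with drill
# ID 16006 and supplier 12 with drill ID 16010. The host "hostname" and the
# control ID 10001 are placeholders, not values from the page.
EXAMPLE = build_results_link("hostname", "10001",
                             [("INV_1001577", 16006), ("12", 16010)])
```

Because passed attributes override the default saved search, a link built from unchecked report data could silently change which results a reviewer sees; `parse_obj_key` gives a quick way to inspect exactly what a link filters on.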
Steps to Enable
You don't need to do anything to enable this feature.
Key Resources
- See Creating Analytics for Risk Management, Link Analyses to Application Pages section for more information on setting up deep-link URLs.
Updates to User Group Membership
In the User Assignment Groups page, you can create filters to search for user groups easily. Click a Show Filters link to expose a Filters panel. In it, create filters based on the following attributes, then click Search. For filters based on user information (such as Department or Location), a search returns all groups with at least one member who meets the criteria you specify.
- User Group Name
- User Group Authorization
- User Group Secured Object Type
- Only Returns Groups with Ineligible Members
- Member User Name
- Direct Manager (a.k.a. Line Manager)
- Business Unit
- Department
- Location
The ability to filter user groups based on the members' profile information, such as the group member's name, business unit, or direct manager, provides a streamlined approach for group owners to manage their user groups.
Steps to Enable
You don't need to do anything to enable this feature.
Financial Reporting Compliance
Updated Display of Related Advanced Controls Within a Documented Control, Risk and Process
Advanced controls may be related to a documented control, risk or process. The display of these advanced controls has been updated, providing more relevant information and offering better support when multiple advanced controls are related.
The display is consistent with information presented in Results by Control Summary page. It allows the user to drill down into information that they have access to. For example, a user with at least view access to the advanced control itself can drill into the details of that control. Likewise, a user with access to some or all of the incidents generated by a control can drill down into the count to see the individual list of incidents.
This enhancement will now give the viewer of a documented control, risk or process a more complete picture of the related advanced controls used to automate the control environment.
Steps to Enable
You don't need to do anything to enable this feature.
Tips And Considerations
Because the incident count reflects only the incidents the end user has at least view access to, the user should be defined as a viewer for all newly generated incidents of the control via the control results default security definition. To do this most easily, use a security group. This will also grant the user access to previously generated incidents.
Update to Risk Treatment Plan and Related Records
Depending on the business objectives, users may need to manage treatment plans or just related controls to mitigate their documented risks. The risk object now allows treatment plans and related controls to co-exist in a single instance. To enable treatment plans, users must have the minimum privilege to view treatment plans. For these users a treatment tab will be rendered within the document risk record UX page.
The configuration options to enable treatment plans, related controls, events, and consequences have been deprecated. These risk features are now managed solely through the user’s security configuration.
Users can define and manage multiple treatment plans. However, only one plan can be tagged as In-Use and one as Target. These flags can be updated when applicable. The risk record’s Related Records panel will display only those controls associated with the In-Use treatment plan. Users can manage these related controls in two locations: the risk's Related Records > Control tab and the corresponding treatment plan.
Managing Related Control Records
If the business objective does not require the use of treatment plans, the risk owner can associate related controls by editing the risk record and navigating to the Related Records panel. The owner can add primary and subordinate control records and specify the control stratification for each related control record. The application will automatically create a default treatment plan in the event an in-use treatment plan has not been defined. However, the application does not require users to have the ability to manage treatment plans. All changes to the default treatment plan can be managed within the Controls tab of the risk's Related Records panel.
If the business objective does require the use of treatment plans, the risk owner will navigate to the risk record and click on the treatment tab. Here the owner can define the treatment plan and its target use, relate primary and subordinate control records, and specify the control stratification for each related control record. The controls that are related to the In-Use treatment plan will be rendered within the Related Records panel located in the risk definition tab. Related control changes that occur within the risk Definition tab > Related Records > Control tab will only be applied to the In-Use treatment plan.
The treatment plan UX page has been updated to streamline the documentation process.
Beneath the Details panel, the Related Controls panel enables the user to relate documented controls.
The Treatment Summary enables users to quickly view the trending activities of the inherent risk level, residual risk level, risk rating, evaluation results, and target risk level.
- Downward arrow indicates a downward trend
- Upward arrow indicates an upward trend
- Two arrows indicate no changes
- A dash indicates a value is not available
Organizations now have the ability to manage their risk objectives easily as they mature over time. Initially a simple risk mitigation approach was implemented, requiring the risk owner only to relate the control records to mitigate the defined risk. However, over time the risk objective can change, requiring the risk owner to leverage the treatment plan functionality. The application allows a streamlined transition from leveraging only related controls to leveraging treatment plans. Or, a risk owner who begins by leveraging treatment plans can simply transition to only leveraging related controls.
Steps to Enable
You don't need to do anything to enable this feature.
Role And Privileges
To view treatment plans, the user needs at a minimum one new privilege for the tab to be rendered within the defined risk record. The new privilege is added to two predefined duty roles. If you've customized your roles, you need to add the new privilege to them. If you use predefined duty roles, you don't need to make any changes.
New Privilege | Updated Duty Roles | Job Role Inheriting Duties |
---|---|---|
View Treatment Plan for Risk (GTG_VIEW_TREATMENT_PLAN_FOR_RISK) | | Risk Activities Manager |
The other privileges to manage treatment plans:
- Create Issue for Risk Treatment (GTG_CREATE_MANAGER_ISSUE_FOR_RISK_TREATMENT)
- Create Treatment Plan for Risk (GTG_CREATE_TREATMENT_PLAN_FOR_RISK)
- Edit Treatment Plan for Risk (GTG_EDIT_TREATMENT_PLAN_FOR_RISK)
To view events and consequences, the user needs at a minimum one of the following privileges for the tab to render within the defined risk record:
- Create Consequence (GTG_CREATE_CONSEQUENCE)
- Delete Consequence (GTG_DELETE_CONSEQUENCE)
- Edit Consequence (GTG_EDIT_CONSEQUENCE)
- View Consequence (GTG_VIEW_CONSEQUENCE)
- Create Event (GTG_CREATE_EVENT)
- Delete Event (GTG_DELETE_EVENT)
- Edit Event (GTG_EDIT_EVENT)
- View Event (GTG_VIEW_EVENT)
Enable Flexfields for Additional Risk Objects
Flexfields are currently supported for many objects. Flexfields are now enabled for additional risk objects: Risk Evaluation, Risk Analysis, Events, and Consequences. Once the flexfields are defined for a specific object, the attributes will be rendered within the Additional Information panel.
The Additional Information panel will be rendered on the following UX pages:
- Create, edit, and view risk evaluation
- Create, edit, and view risk analysis
- Create, edit, and view events
- Create, edit, and view consequences
If you copy a specific object record, the flexfield values defined as part of the object record will be copied.
Specific business use cases require additional information to be captured as part of the record definition. User-defined flexfields enable you to create new attributes to expand the delivered form and capture specific data.
Steps to Enable
You don't need to do anything to enable this feature.
Assessment Records Now Display Issues
During the lifecycle of a control assessment, authorized users can create issues associated to the record being assessed and to the assessment record. Within the Complete Assessment train stop, you can now view the issues created during the assessment. The new Issues Created During the Assessment panel will be rendered once an issue has been created during the assessment flow.
The addition of the Issues Created During the Assessment panel enables the control assessment actors to view the issues created as part of the assessment process. The new panel streamlines the relevant assessment information into a single view, so the user no longer needs to navigate away from the assessment record to see whether any issues have been created.
Steps to Enable
You don't need to do anything to enable this feature.
Role And Privileges
The new view assessment-related issues feature requires one new privilege. The new privilege is added to five predefined duty roles. If you've customized your roles, you need to add the new privilege to them. If you use predefined duty roles, you don't need to make any changes.
New Privilege | Updated Duty Roles | Job Role Inheriting Duties |
---|---|---|
View Control Assessment Related Issues (GTG_VIEW_CONTROL_ASSESSMENT_RELATED_ISSUES) | | Risk Activities Manager |
Survey Responses Support Attachments
You can now configure the application to allow survey participants to attach supporting files and URLs as part of their question response. During the creation of a question, you can allow attachments by selecting the configuration option.
Depending on the business objective of a survey, certain questions may need supporting documentation to justify the response. The enhancement streamlines the participants' survey responses by enabling them to attach supporting files and URLs to their responses.
Steps to Enable
You don't need to do anything to enable this feature.