Set up risk identification integration

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 3 minutes to read

    • Before assessing an application, specify the target application where the risk identification must be initiated.

    Before you begin

    Make sure you have the following applications:
    • Application Portfolio Management must be installed if you want the recommendation engine enabled and want to use the integration.
    • Application Portfolio Management integration with Risk Management (com.snc.apm_risk_assessment) must be installed. This application is required only if you want to use the integration.
    Role required: sn_risk.admin

    About this task

    The Risk Identification Configuration form contains an entity type and a default identification record for the business application table. As a risk admin, you can either modify the default record or create your own configuration. The steps in this procedure are for creating a record. The Risk Identification Configuration form is used to do the following:
    • Gather information about the application by using a questionnaire.
    • Determine the criticality of the application.
    • Determine if an inherent assessment for the application is required.
    • Identify risks and map the relevant controls.
    • Choose to receive recommendations for risks and controls.

    Procedure

    1. Navigate to All > Advanced Risk Assessment > Administration > Risk Identification Configuration.
    2. Select New.
    3. On the form, fill in the fields.
      Table 1. Risk Identification Configuration form
      Field Description
      Name Name of the configuration. An example is Risk Identification for Business Application.
      Configuration level The level where the configuration is done. The choices are as follows:
      • Entity class
      • Table
      Target entity class Entity class for which the risk identification questionnaire is initiated. For each entity of this entity class, a risk identification record is automatically created. This field appears only when Entity class is selected from Configuration level.
      Target table Table that contains the application record. For each entity of this table, a risk identification record is automatically created. This field appears only when Table is selected from Configuration level.
      State State of the configuration. This field is automatically set to Draft.
      Risk manager group Group which reviews the risk identification workflow. The users who belong to this group must have the sn_risk.manager and sn_compliance.manager roles.
      Identification questionnaire Option to initiate a questionnaire for gathering information about the application.
      Inherent assessment Option to perform inherent assessment or business impact analysis (BIA) assessment.
      Recommendation engine Option to recommend risks and controls. This option is available only when the Target table field has Business Application.
      Inherent Assessment
      Review for inherent assessment required Option to choose if the inherent assessment must be reviewed.
      Risk assessment methodology Option to select the risk assessment methodology (RAM) to perform inherent assessment. You can see the list of RAMs associated with the selected Target table.
      Note:
      Only published object-based RAMs with the inherent assessment option enabled are available for selection.
      Approver type Type of approver for the inherent assessment. The choices are as follows:
      • User on target record
      • Group
      Note:
      This field appears only when Review for inherent assessment required option is selected.
      Approver Approver for the inherent assessment. For a business application, the approver is the business owner of the application.
      Note:
      This field appears only when User on target record is selected from Approver type.
      Approver group Approver group for inherent assessment. This field appears only when the Approver type field has Group.
      Note:
      This field appears only when Group is selected from Approver type.
      Recommendation Engine
      The Recommendation Engine section appears only when the Target table field has Business Application.
      Recommendation engine algorithm Specify the recommendation engine. The choices are as follows:
      • None
      • Based on information object mapping

      For details on information objects, see Information objects.
      Frequency
      Frequency Frequency of the reinitiation of the workflow.
      Note:
      The next run date of the reinitiation of the workflow is calculated based on the frequency defined in the risk integration configuration record. This frequency ensures continuous evaluation of the application.
      Month Month when the job must run.
      Day of month Day of the month when the job must run.
    4. Select Submit.
    5. To define the RAM mapping for the risk identification configuration, do the following actions:
      1. In the Risk Identification Configuration to RAM Mappings section, select New.
        The Risk Identification Configuration to RAM Mappings section appears only when Entity class is selected from Configuration level.
      2. On the form, fill in the fields.
        Table 2. Risk Identification Configuration to RAM Mapping form
        Field Description
        Risk identification configuration Risk identification configuration for the RAM mapping. This field is automatically set to Risk identification configuration number.
        Table Table on which you want to define the RAM mapping.
        Risk assessment methodology Option to select the RAM to perform inherent assessment. You can see the list of RAMs associated with the selected table.
        Note:
        Only published object-based RAMs with the inherent assessment option enabled are available for selection.
      3. Select Submit.
    6. Select Publish to publish the record.