I.

Introduction
1.1 Purpose

This document describes the functional specification for Risk Management 6.0.2 product. The Risk Management 6.0 will be based on the Enterprise Governance Risk Compliance Platform (EGRCP) Release 6.0. MetricStreams Risk Management 6.0 application provides a comprehensive approach to identify potential risks and a powerful framework to evaluate and assess them based on various factors on a periodicity basis. The product is web based and is an improved version of Enterprise Risks Management 5.5.1. The product is built on the Enterprise Governance Risk Compliance Platform version 6.0 and AppStudio 1.0. This document describes the Planning part of the Risks Management 6.0. The Risk Management 6.0 application Supports assessments based on various risk scoring scenarios, qualitative & quantitative assessment factors. It triggers issues based on risk assessments and performs Risk scoring & rollups .1.2

Document Conventions

This document is designed in compliance with the IEEE standard for Software Requirement Specification document. The document is written with font face Times New Roman. All the headings are of the font size 16 pt and the sub-headings are of the font size 14 pt. Main and Sub Headings are kept bold. The rest of the document is written in Times New Roman normal font style with 1.5 line spacing and the font size is 12 pt. The document has used short forms for some commonly abbreviated terms. Flow charts are included to show the flow of control wherever needed.

1.3 Intended Audience and Reading Suggestions

This document will serve as an input to Engineering for application planning and design. The target audience for this document is Engineering, QA, and Product Management. The intended audiences for this document are testers, project managers, documentation writers and end users (clients/customers). This document is designed to give an overall description and listing of the

functionality of Risk Management 6.0. This document will also include an easily traceable means by which the user can trace functionalitys brief description to its full description. This document helps the tester to compare the performance of the software with the standard performance expected. The end users can use this document to ensure that all the functionalities of the overall system are on the right track as per their needs.

1.4 Project Scope

The aim of the project is to obtain information from modules namely GRCF module. Using the information obtained from the above modules we are suppose to develop an assessment form which will obtain Auditable entity from GRCF module and assess it in a way that is will grade the Auditable entity/Risk of a particular assessment. The Module is also supposed to trigger issue module if any of auditable entity/risk rating is high for particular assessment. Based on assessments the need to develop reports and dashboards to display assessment rating for various assessments is developed. This is one of the integrated project with others modules like Audit Management and Issue management

1.5 References
This SRS is formulated by referring SRS template by Roger Pressman. www.scribd.com/doc/9914/srs-template MetricStream Risk Management 6.0 Functional Specification. MetricStream Document Control Repository.

2. Overall Description
2.1 Product Perspective

The Risk Management 6.0 application provides a comprehensive approach to identify potential risks and a powerful framework to evaluate and assess them based on various factors on a periodicity basis. Supports assessment based on various risk scoring scenarios, qualitative & quantitative assessment factors

Performing Risk Assessments Triggering issues based on risk assessments Risk scoring & rollups

Leverages the GRC Foundation for Library content like Process, Risks and Controls Integrates seamlessly with Issue Management application for Issue tracking and remediation Includes powerful tools for risk analysis and monitoring through various dashboards, drill down reports and Heatmap. Extensible to perform risk assessments on Suppliers, IT Assets, Projects, etc through the Core Object framework.

Risk Management 6.0 Highlights:

Supports Multi-Dimensional Risk Assessments Three types of risk assessments: Org-Process/Auditable Entity-Risk, Org-Risk,

Process/Auditable Entity-Risk Extensible to support risk assessments for GRC Foundation Core Object extensions like Suppliers, IT Assets, Products, Projects, Policies, etc Continued support for multiple organizations to assess risk with their own perspectives

User Experience In-form trees to navigate risk assessment survey. Incorporates new 6.0 usability standards and tabs for improved layout, navigation and look-and-feel in forms. Provides access to prior risk-assessment data while doing the assessment. Improved ability to create ad-hoc risk assessments Common interface to set up all 3 types of assessments Data Browser to view Risk Assessment Plans and Assessments

Supports correlation between risk categories across scenarios, assessment factors and risks to be assessed

Scoring More flexible quantitative factors that can affect inherent OR residual risk score Quantitative factors support raw data entry that can be converted into scores based on scoring rules Simplified roll-up algorithms for Organization, Process & Risk scores

Integrated with Issue Management (ISM) 6.0 Trigger Issues in the Issue Management module based on Findings & Recommendations

Calendar to view Risk Assessment Schedule Shows information about risk assessment plans and when they are due and overdue

Reports & Dashboards New heat-map reports Out of the Box Reports

2.2 Product Features

The Risk Management 6.0 application has the following forms that enable it to function in a way that is

required. The forms are as follows Scenarios Use this form to create multiple scenarios for risk assessments. The system allows you to create three types (Org-Risk, Org-Core Object-Risk, and Core Object-Risk) of assessments. This is particularly helpful when multiple Governance groups (e.g. Enterprise Risk, Op Risk & Internal Audits) wish to assess the same library objects but based on their own perspectives and methodologies. This then enables the governance groups to place the different assessments sideby-side and compare how different groups rated the same business entities. Qualitative Assessment Factor Use this form to create questions that will guide the assessor in making a subjective assessment of a risk (without directly affecting the score). 4

Quantitative Assessment Factor Use this form to create questions that will guide the assessor in making a numeric assessment of a risk (without directly affecting the score). In this form, create questions with specific responses (Yes/No, High/Medium/Low, etc.) that each corresponds to a score that is then rolled up to arrive at an overall score for the assessment. These factors can be categorized as per the factor contribution specified. Risk Assessment Plan Use this form to create a risk assessment plan to assess risks on a periodic basis, based on a scheduled frequency. Risk Assessment Assessors receive this form based on the scheduled frequency defined in the assessment plan (or based on an ad-hoc task assignment). The assessor assesses each risk by responding to one or more quantitative & qualitative questions. Based on the response to factors, scores are rolled up and available at the Risk, Core Object and Organizational levels.

2.3 User Classes and Characteristics

The following provides information on the roles and their corresponding access grants Risk Administrator o RSK Manage Scenarios o RSK - Manage Risk Factors Risk Manager o RSK View Scheduled Risk Assessment o RSK Edit Scheduled Risk Assessment o RSK Approve Scheduled Risk Assessment o RSK Assess Risks o RSK Approve Risk Assessments o RSK Manage Risk Factors 5

o ISM Create Issue Risk Assessor o RSK Assess Risks o ISM - Create Issue Risk Approver o RSK Approve Scheduled Risk Assessment o RSK Approve Risk Assessments o ISM - Create Issue The following are the default set of activities in the system. RSK Manage Scenarios RSK Manage Risk Factors RSK View All Scheduled Risk Assessments RSK View Scheduled Risk Assessment RSK Edit All Scheduled Risk Assessments RSK Edit Scheduled Risk Assessment RSK Approve Scheduled Risk Assessment RSK Assess Risks RSK Approve Risk Assessments RSK View Risk Assessment RSK View All Risk Assessments

The following are the default set of users in the system. Risk Administrator Risk Manager Risk Approver 1 6

Risk Approver 2 Risk Assessor

What is required of various users of the Risk Management 6.0 system are as follows: User can specify one or more risk assessment scenarios User can set up risk assessment scenarios of three possible types (Org-Risk, ProcessRisk, Org-Process-Risk) User can identify specific organizations that can conduct each scenario assessment User can schedule a new risk assessment for a specific scenario User can specify the organizations and processes to assess. All risks related to the organization or process will be assessed User can specify which assessors will be assessing different organizations or processes User sees a list of scheduled risk assessments (as controlled by security) User can filter self-assessments by organizations, processes or risks being assessed User can view a scheduled risk assessment User can edit a scheduled risk assessment System triggers risk assessment per schedule in schedule System populates risk assessment by correlating risk categories (of the risks being assessed) to quantitative & qualitative question categories. System assigns risk assessment form to appropriate risk assessment owners Assessor sees a tree of organizations (optionally), processes (optionally) & risks that they are supposed to assess Assessor can assess risk by responding to one or more quantitative & qualitative questions Risk roll-up scores (based on assessment) are visible in tree structure User submits assessment for approval 7

Approver reviews & closes out assessment. Assessment data is used by automated scoring roll-up algorithms to populate risk dashboards. User can select existing questions/procedures from GRC Foundation library

2.4 Operating Environment

Platform Audits Management 6.0 is certified on ECP 5.5 Build 51 and ECP 6.0 SP2

Browser version Microsoft Internet Explorer 6.0 and higher

Operating Systems (MetricStream Server) Microsoft Windows Server 2000 (32 and 64 bit) Microsoft Windows Server 2003 (32 and 64 bit) RHEL 5.3

MetricStream Application Platform MetricStream Enterprise GRC Platform Version 6.0 o Build: 6.0.2.0.0 o Database Version: 6.0.2.0.0 MetricStream Enterprise Compliance Platform Version 5.5 o Build: 1222.31.12.51 o Database Version: 5.5.0.1222.31.12.51 Database Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 64 bit Production

2.5 Design and Implementation Constraints

The look and feel of the system is governed by the platform i.e., ECP 6.0 SP2. The technical scope for the development of the system is the same as that of the platform. These limitations are 8

documented in user guide of the platform and are proprietary and confidential property of MetricStream Inc., Though the interface to the system is web based and accessed through an html web browser, the system works flawlessly on Internet Explorer. This issue is attributed to the way in which the platform is developed and is expected to be dealt with the future release of the platform.

2.6 User Documentation

Risk Management 6.0 is developed to be easily followed and used by the end user. The project provides the following components for the better understandability of the user: platform_userguide.pdf Risk Management 6.0 - Quick Reference Guide.doc Risk Management 6.0 - Quick Reference Guide.ppt MS_RSK_60_InstallationGuide_Windows.doc

2.7 Assumptions and Dependencies

The integration is with the third party supplied source specifications, and is dependent on the specifications available. If the data format specifications change, the integration related code has to be revised.

3. System Features
3.1 Risk Assessment Plan Form
3.1.1 Description and Priority
This form is the main binding factor in the Risk Management 6.0. The Scenario/Perspective factor is chosen in this form. Based on the selected scenario all the Qualitative and Quantitative factors associated with it are used to score the specified Risk. The Risk which is to be calculated it also is also chosen in this form with the three dimension score of Org Process Risk.

This form has a high priority in this entire application and is also dependent on the Org Process Risk that is already defined. It also is dependent on the Control which are specified by CMP.

3.1.2

Stimulus/Response Sequences
In-order to be able to launch the Assessment Form successfully there are a number of steps which are to be carried out. The Plan form is initially in the New status when created. Once all the parameters are accurately entered then there is an action available Send for Approval. On submitting of the form for approval, the form has to go through the process of approvals based on the level of approval specified. There are three levels of approvals. They are Owner, Approver1 and Approver2. Once the form goes to any of the above mentioned levels of approvals the approvers have the following options. They can either Approve, Request Clarification or Cancel. Send for Approval This action specifies that there is no objection to the content of the form. The approver can make needed changes and send the form for approval. Request Clarification This action is called upon by an approver when there is ambiguity in the data entered, or some more information needed and clarification is required. When this action is called upon the form goes back to the level from which it originated. That respective user has to do the required changes or provide the necessary requirements and submit the Clarified form. The form then goes back to the approver who requested the clarification. The process then flows as usual. Cancel This action is called upon when the assessment for is irrelevant and not needed. It can be done by any of the approvers with the reason for the cancelation of the form.

3.1.3

Functional Requirements The Risk Manager or any other authorized personnel can use this form plan and publish the Risk Assessment Plan form. In case of wrong user name / password the system will throw an error. 10

All mandatory fields have to be entered for the user to submit the form successfully. REQ1: The User can create plan only if he has the permission to create the Plan form. REQ2: The Risk Info Center has to be present REQ3: The Risk Assessment Plan link is available

3.2 Risk Assessment Form

3.2.1 Description and Priority
This form is the heart of the Risk product of Metric Stream. It is the final score card of the risk that is calculated. In this form we have the Org Process Risk hierarchy defined with all the information that is relevant to each level. The Risk is scored up with the Standard, Qualitative and Quantitative Factors. In addition to this the Control is also displayed. These controls can be preset for each risk or can be added into the form. The form has high priority in the Risk Management 6.0.

3.2.2

Stimulus/Response Sequences
On being triggered the Assessment form is available. The triggering can be done manually or can automated by specified the time style in the Assessment Plan form. Once triggered the form flows a similar for like that of the Assessment Plan Form. The Plan form is initially in the Assess Assessment status when triggered. Once all the parameters are accurately entered then there are a number of actions available, Send for Reviewer, Send for Approval, Reassign to User and Cancel Assessment. Send for Approval This action specifies that the form is in proper order and there is no objection to the content of the form. The approver can make needed changes and send the form for approval.

11

Request Clarification This action is called upon by an approver when there is ambiguity in the data entered and clarification is required. When this action is called upon the form goes back to the level from which it originated. That respective user has to do the required changes or provide the necessary requirements and submit the Clarified form. The form then goes back to the approver who requested the clarification. The process then flows as usual. Send for Reviewer This action allows an approver to send the assessment form to a reviewer for comments on the data that is entered. The reviewer can only make comments and submit but cannot modify the data that is in the form. Reassign to User This action allows the approver to select another Assessor to do the assessment of the form and skip the process of approval. Cancel This action is called upon when the assessment for is irrelevant and not needed. It can be done by any of the approvers with the reason for the cancelation of the form.

3.2.3

Functional Requirements The Risk Approver or any other authorized personnel can use this form plan and publish the Risk Assessment Plan form. In case of wrong user name / password the system will throw an error. All mandatory fields have to be entered for the user to submit the form successfully. REQ1: The User can create plan only if he has the permission to approve the Assessment form. REQ2: The Assessment Form has to be triggered

12

3.3 Frequency of Risk Assessment

3.2.1 Description and Priority RSK 6.0 enables frequent Risk Assessments where the system can periodically (daily, weekly, etc) re-score a top-down assessments automated factors This is Vital for the continuous assessment of the Organization. Based on these continuous assessments the health of an organization can be monitored. 3.2.2 Stimulus/Response Sequences
The Assessment Form needs to be triggered regularly in order to obtain the updated health of the risks that an organization may face. This is done by setting a frequency in the Risk Assessment Plan form. This can be done on a specific date, weekly, monthly, quarterly or yearly. Based on the specified time the Assessment form will be triggered to the required approvers for review. The flow then follows that of Assessment Form. The Plan form is initially in the Assess Assessment status when triggered. Once all the parameters are accurately entered then there are a number of actions available, Send for Reviewer, Send for Approval, Reassign to User and Cancel Assessment. Send for Approval This action specifies that the form is in proper order and there is no objection to the content of the form. The approver can make needed changes and send the form for approval. Request Clarification This action is called upon by an approver when there is ambiguity in the data entered and clarification is required. When this action is called upon the form goes back to the level from which it originated. That respective user has to do the required changes or provide the necessary requirements and submit the Clarified form. The form then goes back to the approver who requested the clarification. The process then flows as usual.

13

Send for Reviewer This action allows an approver to send the assessment form to a reviewer for comments on the data that is entered. The reviewer can only make comments and submit but cannot modify the data that is in the form. Reassign to User This action allows the approver to select another Approver to do the approval of the form and skip the process of approval. Cancel This action is called upon when the assessment for is irrelevant and not needed. It can be done by any of the approvers with the reason for the cancelation of the form.

3.2.3

Functional Requirements The Risk Apporver or any other authorized personnel can use this form plan and publish the Risk Assessment Plan form. In case of wrong user name / password the system will throw an error. All mandatory fields have to be entered for the user to submit the form successfully. REQ1: The User can create plan only if he has the permission to approve the Assessment form. REQ2: The Assessment Form has to be triggered

4. External Interface Requirements

4.1 User Interfaces
The entire system inherits its UI from the platform. It is meant to have a single web based UI. It is a self contained system to manage users, roles, organizations and their hierarchy. It also allows creation and management of data objects and creates interfaces to the same with the help of Data Forms.

14

Here are some key UI characteristics: Provide consistent navigational concepts and application patterns across all applications to reduce perceived complexity and improve adoption Information-based user interface Minimize the number of clicks to get to any form, report or dashboard Minimize clutter and improve visual appeal Further optimize for repeat users Provide contextual information

4.2 Hardware Interfaces

The system doesnt include any functionality to interact directly with any hardware. Hardware level interaction (if any, like handling print jobs) is completely done by the underlying operating system

15

4.3 Software Interfaces

The system uses many software interfaces provided by the platform either as standard features and few more than add-on modules. These interfaces are abstract from the product, completely handled by the platform and provide the various features to it.

4.4 Communications Interfaces

The system requires the following communication interfaces to operate at full functionality. Network connection to communicate between client and server Web browser to interact with the system (Certified to work only on Internet Explorer)

5. Other Nonfunctional Requirements

5.1 Performance Requirements
Though the performance aspect which includes responsiveness is basically attributed to the underlying platform, it is desired to design the system in a manner where the system would be reasonably responsive all the time. The key factors in this aspect would be efficient JS coding, Java coding and optimizing DB usage/look-ups.

5.2 Safety Requirements

It follows industry standards of data protection measures like frequent data backups, regular dump of AppServer and system optimizations.

5.3 Security Requirements

In general, security with Audits follows a three-level structure as follows: Access Grants (Activities) as available through Roles for the current user Organizational associations for the current user correlated with the organizational ownership or organizational relevance of individual objects Object-specific view restrictions

16

The system inherits its security features from the platform. This includes various users with different roles and responsibilities, access control to data based on various factors like organization hierarchy, user roles and privileges. The data is abstract from the user and integrally maintained by the system / platform, assuring data integrity. The system is hosted on a secured server, so a certain set of security risks are eliminated. But it is required to ensure that the host server is free of system security threats / loopholes.

5.4 Software Quality Attributes

Here are a few quality attributes expected of the system. Intuitive & value-added information presentation o Dynamic presentation of relevant information & actions o Maintain context during interactions o Tabbed presentation o Field and Page-specific help Sleek & elegant o NOT an Industrial look o Icons & graphics based - More visual o Clean lines and pleasing color palette Intuitive navigation o Navigation constructs corresponding to task (e.g. hierarchical control/risk navigation) o Leverage common metaphors like calendars o Single click for most common actions. No more than two clicks to get to any action Consistency o Across applications/platform activities and pages

17

6. Other Requirements
None

Appendix A: Glossary
o ECP (Enterprise Compliance Platform) o Apps studio o GRC (Governance Risk and Compliance) Risk, Process and o RSK ( Risk Management) o ISM (Issue Management) o CMP (Compliance Management) Control o AUDITS (Audits Management) Risk

18

Appendix B: Analysis Models

19