Adding a plan template

To create a new risk and control plan, click on the

button on the main screen toolbar and, on the screen that will be opened, select one of the options:

▪New template: Allows you to create a blank template. To do that, in the Plan type field select the type which will classify the plan template. This field may be filled with the default plan type if any type is configured in the general parameters, but it is possible to edit it.

▪Existing template: Allows you to create a template from an existing plan template. To do that, in the Plan template field, select the desired template.

▪Existing plan: Allows you to create a template from an existing plan. To do that, in the Plan field, select the desired plan.

After that, click on the

button. At this point, the template data screen will be displayed.

Note: To add a new template, it is necessary to fill out the required fields in the General data section.

Field
ID #	Enter a number or code to identify the template. If you prefer, use the arrow next to this field to generate an automatic ID #. If in the type was configured the use of identification mask, at the moment of generating the automatic ID #, the respective mask will be shown. The ID # generated through the mask can only be edited if the "Enable ID # change" option is checked on the data screen of the type that sorts the template.
Name	Enter a name for the template.
Plan type	This field is filled out by the system with the plan type selected previously; however, it is possible to edit it. In that case, select the type that will classify the plan template. Use the other buttons to add a new type to sort the plan and clear the field.
Scope	Enter the scope that will be covered by the template. For that, select one of the following options: ▪SE Risk: It allows assembling the structure of the template with elements, risks, and controls. The following fields will be available: oBusiness unit: Select the business unit (SE Administration) to which the template being created belongs. oDepartment: Select the department (SE Administration) to which the template being created belongs. Note that if you have selected a business unit in the previous field, only the departments belonging to the business unit in question will be available for selection. Associate as many departments as needed. As departments are associated, they will be displayed in the department just below the field. To discard a department, position the mouse over it and click on the Close option. To discard all departments, click on the button, located next to the field. ▪SE Performance: Allows you to assemble the template structure with a scorecard. In the respective field that will be enabled, select the desired Scorecard. In order for this feature to function properly, it is necessary for the SE Performance component to be part of the solutions acquired by your organization. Refer to the specific documentation of this component for more information about scorecards. ▪SE Process: It allows assembling the structure of the template with a process. In the respective field that will be enabled, select the desired Process. In order for this feature to function properly, it is necessary for the SE Process component to be part of the solutions acquired by your organization. Refer to the specific documentation of this component for more information about processes and their modeling. ▪SE Project: It allows assembling the structure of the template with a project or program. To do this, first, select if the scope will be a project or program in the Object field and then in the field that will be enabled, select the desired Project/Program. In order for this feature to function properly, it is necessary for the SE Project component to be part of the solutions acquired by your organization. Refer to the specific documentation of this component for more information about projects and programs. ▪SE Asset: It allows assembling the structure of the template with an asset besides elements, risks, and controls. In order for this feature to function properly, it is necessary for the SE Asset component to be part of the solutions acquired by your organization. Refer to the specific documentation of this component for more information about assets.
Responsible	Select the user responsible for the template. Use the other buttons next to the field to add a new user and define it as responsible, fill in the field with the data of the logged user and clear it.
Responsible team	Select the team responsible for the template. Use the other buttons next to the field to add a new team and set it as the responsible team and clear the field.
View profile	This field is filled out by the system with the default view profile; however, it is possible to edit it. In that case, select the view profile that will be applied to the plan template. Use the other buttons next to the field to add a new profile and associate it with the plan, edit the data of the selected profile, and clear the field.
Description	Enter important information about the template being created.

The configurations for the risk and control analyses and revalidation of plans based on the template are established. To do that, the following options are available:

Add treated/potential/target evaluation: Check this option so that, at the time of the risk evaluation, it is possible to carry out the treated/potential/target risk evaluation. This evaluation is one that takes into account only the risks of the risk plan. The name of the evaluation will vary according to the parameterizations made on the Configuration tab of the default view profile.

Add residual/net/controlled/current evaluation: Check this option so that, at the time of the risk evaluation, it is possible to carry out the residual/net/controlled/current risk evaluation. This evaluation is one that takes into account the controls and treatments of the risk plans. The name of the evaluation will vary according to the parameterizations made on the Configuration tab of the default view profile. This option will not be displayed if the previously selected evaluation method is of the "Matrix (self-assessment)" type.

Residual/net/controlled/current risk calculation: This field will only be enabled if the Add residual/net/controlled/current evaluation option is checked in the type that classifies the template. Select one of the following options to set how the residual/net/controlled/current risk of plans of this type will be calculated:

▪Manual: Select this option for the calculation of the residual risk to be calculated manually, that is, during the risk evaluation, the system will display the fields to enter the evaluation score.

▪% of control effectiveness: This option will only be displayed if the plan type is configured with a risk evaluation method of the Matrix, Quantitative or Quantitative matrix type. In this type of calculation, the residual risk evaluation result will be obtained through the multiplication of the actual risk by the effectiveness percentage of the risk controls. When the risk has only one control, the control effectiveness percentage will be the value of the control evaluation itself; however, when the risk has two or more controls, the effectiveness will be obtained through a calculation of the intersection of the values (percentage) of the control evaluations, which is given by: Control effectiveness = 100 - { [ (100 - control_01 ) / 100] * [ (100 - control_02 ) / 100] * ... * [ (100 - control_N ) / 100] * 100 }. The residual risk evaluation result for each method is obtained as follows:

oQuantitative: The result of the residual risk evaluation will be obtained by multiplying the result of the actual risk evaluation with the control effectiveness, which is obtained by means of a percentage calculation that takes into account the results of all controls of that risk. Residual risk = Actual risk * (% of control effectiveness).

oMatrix and Quantitative matrix: The result of the residual risk evaluation will be obtained by multiplying the result of the actual risk evaluation with the control effectiveness of the control groups defined for each axis of the matrix (detective and preventive controls). Therefore, it is necessary to define which controls will be used in each axis of the matrix by selecting one of the options: "Detective controls minimize the X axis and preventive controls minimize the Y axis" or "Detective controls minimize the Y axis and preventive controls minimize the X axis". For each axis of the matrix, the system will multiply the actual risk evaluation result by the effectiveness percentage of the controls. Residual risk = [ Actual risk * ( % of control effectiveness ) ] x [ Actual risk * ( % of control effectiveness ) ].

The risk classification determines whether the control effectiveness is used to minimize or maximize the value of the residual risk. For example: When risk is classified as "Opportunity", the controls act to increase exposure to the original risk. In this way, the effectiveness increases the value of the residual risk, since it is desired that the risk is manifested.

▪Control effectiveness subtract: This option will only be displayed if the plan type is configured with a risk evaluation method of the Matrix, Quantitative or Quantitative matrix type. In this type of calculation, the residual risk evaluation result will be obtained through the subtraction of the actual risk by the effectiveness of the risk controls. The control effectiveness is obtained through the arithmetic sum of the values of the control evaluations. The result of the calculation for each method is obtained as follows:

oQuantitative: The residual risk evaluation result will be obtained through the subtraction of the evaluation result of the actual risk by the risk control effectiveness. Residual risk = Actual risk - (Control effectiveness).

oMatrix and Quantitative matrix: The control effectiveness will be obtained through the subtraction of the actual risk evaluation result by the sum of the results of the evaluations of the control groups defined for each axis of the matrix (detective and preventive controls). Therefore, it is necessary to define which controls will be used in each axis of the matrix by selecting one of the options: "Detective controls minimize the X axis and preventive controls minimize the Y axis" or "Detective controls minimize the Y axis and preventive controls minimize the X axis". For each axis of the matrix, the system will subtract the actual risk evaluation result by the sum of the results of the control evaluations. Residual risk = [ Actual risk ( Control effectiveness ) ] x [ Actual risk - (Control effectiveness ) ].

▪Customize: This option will only be displayed if a customized formula has been configured. In this type of calculation, the evaluation result will be obtained through the customized formulas recorded in the General parameters. Thus, it is necessary to define which formulas will be used in the X axis and Y axis of the matrix.

Set responsible for all risk analyses of the plan: Check this option to set a single party responsible for all risk analyses of plans based on this template. The following fields will be enabled:

▪Responsible: Select the user responsible for the risk analyses. Use the other buttons next to the field to add a new user and define it as responsible, fill in the field with the data of the logged user and clear it.

▪Responsible team: Select the team responsible for the risk analyses. Use the other buttons next to the field to add a new team and set it as the responsible team and clear the field.

Set responsible for all control analyses of the plan: Check this option to set a party in charge for all control analyses of plans based on this template. To do that, in the fields that will be enabled define the responsible user and/or the responsible team for the control analyses. A detailed description of the fields has been made previously.

Use identification mask for risk analysis Check this option so that the risk analysis ID #s of the plans based on the template are obtained by means of an identification mask. To do that, the following fields are available:

▪Identification mask: Select the desired identification mask. Note that only identification masks whose object is "Risk analysis" will be available for selection.

▪Enable ID # change: Check this option to allow the generated ID # to be edited manually when creating a risk analysis. If this option is not checked, the generated ID # may not be edited.

Use identification mask for control analysis: Check this option so that the control analysis ID #s of the plans based on the template are obtained by means of an identification mask. To do that, in the fields that will be enabled, select the desired identification mask and define whether the ID # will be enabled to be edited. Notice that only identification masks whose object is "Control analysis" will be available for selection. A detailed description of the fields has been made previously.

Analysis evaluation approval route: This option will only be displayed if in the type that classifies the template, the "Allow risk and control to be evaluated only in the draft step" option is not checked or if the evaluation method associated with the type is not "Matrix (Self-assessment)". Check this option to have the risk and control analyses of the plans based on the template go by approval. To do that, in the Responsibility route field, select the desired responsibility route. Use the other buttons next to the field to add a new responsibility route, edit the data of the selected route, and clear the field.

Revalidation: This field is only available if in the type that classifies the template has been configured so that the validity of the plans based on the template is managed. The following options are available:

▪Validity: This field will be completed by the system with the default time set in the validity setting associated with the plan type. If in the validity setting is defined that the default time is Fixed, this field may not be edited. If it is set to be Variable and the default time field has not been filled, enter the amount of time in days, months, or years, or the date by which the plan will be considered valid. If the field has already been filled in, the user can edit the value.

▪Revalidation: This field is completed by the system after the plan has been revalidated. Click on the button to display the revalidation data displayed.

▪Validity date: This field is filled by the system after the plan has been approved, or after it has been revalidated, with the date until which it is valid, that is, on this date, the Expired plan task will be generated so that the revision/revalidation of the plan is performed again.

This section lists all attributes associated with the plan type through the Configuration Plan type menu. Therefore, required attributes must necessarily have their values filled in. To do that, simply enter them in the attributes list itself. Remember that the method to enter an attribute value depends on the configurations set when creating the attribute.

After creating the template, it is also possible to assemble its structure so that at the time of creating plans based on this template, it is imported. To do that, select the template from the records list on the main screen, and then click on the

button. Refer to the Assembling the plan structure section for details on how to associate risks, controls and elements with the plan template structure.