Main object types
A Control object represents a control placed on the enterprise: an action required to ensure, or test for, compliance. Controls enable you to assert business structure, or to control or influence the behavior of the business. A Control might require, for example, a formal review of a process or activity that requires manager sign-off.
In iGrafx releases prior to 16.4, this object was called Business Rule, which is now a type of Control. This change allows you to be more specific in your Model if required and to separate the mitigating controls you use for risk management from business rules you might apply anywhere else.
A Control Instance object represents the actual use or application of a control. Control Instances can be observed in a real process, whereas Control objects can be considered items in a catalog. However, if this is too much granularity for your model, you can consider ignoring Risk and Control Instances, which makes the model less complex, but you lose the ability to differentiate between the different levels of instantiation.
Controls and Control Instances can control Risks or Risk Instances. When they mitigate those risk objects, the inherent risk value is reduced to the residual risk value. For more information, see Residual Risk Calculation. Also, if you use Risk Categories, you typically assign Controls to cover all Risk Categories. See the screenshots in the Risk, Risk Instance article for how a gap between the identified categories on a Risk and non-matching Risk Categories on Control or Control Instance objects is represented.
Control Folders can contain:
- Control Folder
Control Objects can contain:
All folders and objects under Controls can contain:
Control Instance objects can reside almost anywhere in the repository and cannot be decomposed (i.e. they can't contain objects underneath them).