Cloud Readiness / Oracle Risk Management Cloud
What's New
Expand All


  1. Update 20C
  1. Revision History
  2. Overview
  3. Feature Summary
  4. Risk Management
    1. Common
        1. Mass Edit Security by Record Owners
        2. Security Synchronization Is Optimized
    2. Financial Reporting Compliance
        1. Assessment Records Security Now Supports Adding Assessors
        2. Assessment Batch Start Date is Now Read Only
        3. Enhanced Assessment In-Scope Values
        4. Due Date is No Longer a Required Field for Risk Analysis or Evaluation
        5. Changes Made to Context Model Name
    3. Advanced Financial Controls
        1. Data Access Requirement with Messaging
        2. Character Length Increased on System-Generated Column
        3. System-Generated Date Values Use Object Locale
        4. Data Synchronization Job Runs Across All Objects
        5. Mass Edit More Than 25 Incidents
    4. Advanced Access Controls
        1. New and Updated Delivered Model Content
        2. Mass Edit More Than 25 Incidents
    5. Transactional Business Intelligence for Risk Management
        1. Created By, Reviewed By, Approved By and Comments Are Added
        2. Relabeled User Authorization Attribute
        3. Reporting On User Assignment Security Is Added for Process and Risk
  5. IMPORTANT Actions and Considerations

Update 20C

Revision History

This document will continue to evolve as existing sections change and new information is added. All updates appear in the following table:

Date Product Feature Notes
19 JUN 2020     Created initial document.

Overview

This guide outlines the information you need to know about new or improved functionality in this update, and describes any tasks you might need to perform for the update. Each section includes a brief description of the feature, the steps you need to take to enable or begin using the feature, any tips or considerations that you should keep in mind, and the resources available to help you.

Give Us Feedback

We welcome your comments and suggestions to improve the content. Please send us your feedback at oracle_fusion_applications_help_ww_grp@oracle.com.

Feature Summary

Column Definitions:

Features Delivered Enabled

Report = New or modified, Oracle-delivered, ready to run reports.

UI or Process-Based: Small Scale = These UI or process-based features are typically comprised of minor field, validation, or program changes. Therefore, the potential impact to users is minimal.

UI or Process-Based: Larger Scale* = These UI or process-based features have more complex designs. Therefore, the potential impact to users is higher.

Features Delivered Disabled = Action is needed BEFORE these features can be used by END USERS. These features are delivered disabled and you choose if and when to enable them. For example, a) new or expanded BI subject areas need to first be incorporated into reports, b) Integration is required to utilize new web services, or c) features must be assigned to user roles before they can be accessed.

Ready for Use by End Users
(Features Delivered Enabled)

Reports plus Small Scale UI or Process-Based new features will have minimal user impact after an update. Therefore, customer acceptance testing should focus on the Larger Scale UI or Process-Based* new features.

Action is Needed BEFORE Use by End Users
(Features Delivered Disabled)

Not disruptive as action is required to make these features ready to use. As you selectively choose to leverage, you set your test and roll out timing.

Feature

Report

UI or
Process-Based:
Small Scale

UI or
Process-Based:
Larger Scale*

Risk Management

Common

Mass Edit Security by Record Owners

Security Synchronization Is Optimized

Financial Reporting Compliance

Assessment Records Security Now Supports Adding Assessors

Assessment Batch Start Date is Now Read Only

Enhanced Assessment In-Scope Values

Due Date is No Longer a Required Field for Risk Analysis or Evaluation

Changes Made to Context Model Name

Advanced Financial Controls

Data Access Requirement with Messaging

Character Length Increased on System-Generated Column

System-Generated Date Values Use Object Locale

Data Synchronization Job Runs Across All Objects

Mass Edit More Than 25 Incidents

Advanced Access Controls

New and Updated Delivered Model Content

Mass Edit More Than 25 Incidents

Transactional Business Intelligence for Risk Management

Created By, Reviewed By, Approved By and Comments Are Added

Relabeled User Authorization Attribute

Reporting On User Assignment Security Is Added for Process and Risk

>>Click for IMPORTANT Actions and Considerations

Risk Management

Oracle Risk Management consists of the following key solution areas:

  • Financial Reporting Compliance to automate audit assessments and certifications.
  • Advanced Access Controls to manage user access and separation-of-duty risk.
  • Advanced Financial Controls to continuously monitor configuration changes and business transactions.
  • Access Certifications to streamline reviews by process owners to ensure that employees have been granted appropriate access based on their current jobs.
  • Enterprise Risk Management to streamline the analysis, evaluation, and treatment of documented risks.

Common

Mass Edit Security by Record Owners

You can now mass-update data-security assignments for records you're authorized to own. These records include models, controls, and incident results in Advanced Controls; processes, risks, controls, assessments, issues, and remediation plans in Financial Reporting Compliance; and certifications in Access Certification.

Broadly, the procedure involves selecting the records you want to update, and then defining how security should change for those records.

For object types other than incident results in Advanced Controls, you complete both tasks in the Mass Edit Security Assignment tool. It's available in the Risk Management Data Security work area. In earlier releases, a security administrator could use this tool to update security for all records regardless of who owns them, and that remains the case. What's new is that Mass Edit Security Assignment is available to users who may only have at least one of the owner privileges. The ability to perform mass edits is limited to those records for which you’re authorized as an owner.

Security Mass Edit

For Advanced Controls incident results, the procedure's a bit different. To avoid a limit on the number of records you can select, you don't use Mass Edit Security Assignment to select them. Instead, you use a Mass Edit feature available in the Advanced Controls application. In the page that displays incident results generated by a control, you filter those results to include only those you want to update. Then you click a Mass Edit button. Next, in a Mass Edit panel, you select a Mass Edit Security radio button. This takes you to the Mass Edit Security Assignment tool, but with your incidents already selected, you use it only to define how to update security for them.

Incident Result Security Mass Edit

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

In earlier releases, you may have granted security-administrator access to record owners, so they could perform security mass edits. You can and should remove the Mass Edit Security Assignments privilege which enables this excessive access from those users, so that their ability to update security is limited to records they are explicitly authorized to own.

Security Synchronization Is Optimized

Worklist synchronization used to run as part of the Security Synchronization job. In 20C, the Security Synchronization job has been optimized. It will spawn two separate jobs, which you can view in the Monitor Jobs page: Result Worklist Synchronization (related to Advanced Controls) and Financial Reporting Compliance Worklist Synchronization.

Security Synchronization and Spawned Jobs

You may also notice the worklist synchronization job is no longer available in the scheduling page. Because it is automatically spawned by the security synchronization job, there is no need for you to schedule this.

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

If you had the worklist synchronization job scheduled in the past, it has been automatically removed since it is no longer a job that needs to be scheduled.

Financial Reporting Compliance

Assessment Records Security Now Supports Adding Assessors

Once an assessment batch is active, the batch owner can add assessors to its records. For assessments that include surveys, the additional assessors can complete and edit the survey responses.

Steps to Enable

To add assessors, navigate to the active assessment batch that needs to be updated. Drill into the assessment batch by clicking on the batch name. Then click on View Assessment Record Security. Select the assessment records you need to add an assessor to, select the assessor name, and click apply.

Assessment Record Security Assignment

Assessment Batch Start Date is Now Read Only

The assessment batch start date is now a read only value. The application will automatically set the current date and time as the batch start date.

Steps to Enable

You don't need to do anything to enable this feature.

Enhanced Assessment In-Scope Values

As you create an assessment plan for the Process or Control object, one of the two in-scope values is now selected by default. That selection is determined by the assessment activity inherited from the assessment template on which a plan is based. For the Audit Test activity, the Audit Test in-scope value is selected; for any other activity, the Assessment in-scope value is selected. The plan returns processes or controls assigned the selected in-scope value.

If neither in-scope value is selected as a control or process is defined, a record of that object is not returned for potential inclusion in any assessment batch you initiate. However, you can create impromptu assessments of such controls and processes.

Criteria Selection is the third step in the procedure to initiate an assessment batch. It displays a new label, Records in Scope Type, which identifies the scoping value inherited from the assessment plan that the batch is based on. You can also confirm the assessment activity type inherited from the plan. Only object records defined with this scoping value are returned in the Proposed Records to Be Assessed region as you initiate the assessment batch.

The New Record In Scope Type Label in the Initiate Assessment Batch Guided Process Step 3, Criteria Selection

Steps to Enable

You don't need to do anything to enable this feature.

Due Date is No Longer a Required Field for Risk Analysis or Evaluation

The due date for a risk analysis or risk evaluation is no longer mandatory.

Steps to Enable

You don't need to do anything to enable this feature.

Changes Made to Context Model Name

You can now create a risk context model name with a maximum of 150 characters.

Steps to Enable

You don't need to do anything to enable this feature.

Advanced Financial Controls

Data Access Requirement with Messaging

To view or edit a transaction model or control, you must not only be authorized as its owner, editor, or viewer, but also be assigned all the business objects from which it draws data for analysis. If you are missing business-object security, a Missing Business Objects Access icon appears at the beginning of the model or control name. If you click the name, an error message identifies the missing objects.

Missing Business Objects Access Icon

Error Message Details

A data-security administrator must use a Business Object Security page, available in the Risk Management Data Security work area, to grant you access to the objects you're missing. Until then, you can't perform model or control actions. These include:

  • Models - Edit, copy, delete, run, export, and synchronize business objects
  • Controls - Edit, copy, delete, run, export, and schedule

The import action does not validate for data security. For you to import models or controls, you require only the create privilege, but to work with objects you import, you still need to have appropriate business object security.

Steps to Enable

You don't need to do anything to enable this feature.

Character Length Increased on System-Generated Column

Results returned by transaction models and controls may include system-generated columns, such as those created by the Similar and Equals conditions. The character limit for system-generated columns has been increased from 50 to 250.

The illustration shows examples of system-generated columns produced by filters that use the Similar and Equals conditions: Payables Invoice Number is 70 percent similar (the fourth column) and Payables Invoice Amount is the same (the fifth column). Such columns now support a length of up to 250 characters.

Example with System-Generated Result Columns

Steps to Enable

The character-length increase is meant to address the possibility that system-generated string values may have been truncated. After the upgrade, however:

  1. Initially, you will see the same string values as before in control incident result columns. All will be 50 or fewer characters.
  2. To update system-generated string values that may exceed 50 characters, run analysis for the controls that generated these values. First, you may want to synchronize transaction data to retrieve current source data for the analysis.
  3. Strings that would have exceeded 50 characters are updated so that the complete strings appear. In each case, the existing incident result ID remains the same, even though the value has changed.

System-Generated Date Values Use Object Locale

A value in a system-generated column is of the string type, even if it comprises attributes of other data types. Formatting preferences you may configure for date attributes have no bearing on dates in system-generated columns. Instead, the Source Language (locale) of a model or control that produces system-generated values determines the date format for those values.

Select the View > Columns in the Models or Controls page to display the Source Language column.  This Source Language determines the format used in a string value under system-generated columns that use a date attribute as a source.

Source Language Information on Model Page

Using the two different locale examples, English and Korean, the default date format for English is M/d/yy and Korean is yy. M. d.  The string values have the same meaning, just the date formats are different based on locale defaults related to Source Language.

System-Generated String Value Example

Steps to Enable

You don't need to do anything to enable this feature.

Data Synchronization Job Runs Across All Objects

Data synchronization, which is run from the Advanced Controls Configuration page, refreshes data in business objects used by transaction models and controls. Previously, the job recognized only business objects assigned to the person who ran the job. Now, the job updates all business objects used in all models and controls, regardless of who runs it.

Location of Transaction Data Synchronization

Steps to Enable

You don't need to do anything to enable this feature.

Tips And Considerations

You still require the necessary security to access the page and run the job, which is the Synchronize Transaction Data Source privilege.

Mass Edit More Than 25 Incidents

Previously, you could select up to 25 incident results to mass edit. Now, you can mass edit any number of incidents that match your search criteria. For example, don't select any records and click the Mass Edit button.

Mass Edit

After you select the Mass Edit button, the Mass Edit page summarizes how many records will potentially be updated with the information you provide (such as status, comments, etc.)

Mass Edit Page

Steps to Enable

You don't need to do anything to enable this feature.

Advanced Access Controls

New and Updated Delivered Model Content

Oracle delivers three new models to detect separation-of-duties conflicts and sensitive access, and has revised three models to reference entitlements delivered with earlier updates.

Advanced Access Controls 20C includes the following new models:

  • 4085: HDL Import Data into Stage Tables and HDL Import Data into Application Tables
  • 4096: HDL Sensitive Data Loader Privileges
  • 4097: HDL Sensitive Data Exchange Work Area

Advanced Access Controls 20C includes the following model name and entitlement updates:

  • 7551: Post Journal Entry and Manage Accounting Period Statuses changed to: 7551: Post Journal Entry and Manage Accounting Period Statuses for General Ledger
    • Replaced entitlement Manage Accounting Period Statuses with entitlement Manage Accounting Period Statuses for General Ledger, which was an entitlement introduced in 20B.

  • 6918: Enter Journals and Manage Accounting Period Statuses changed to: 6918: Enter Journals and Manage Accounting Period Statuses for General Ledger
    • Replaced entitlement Manage Accounting Period Statuses with new entitlement Manage Accounting Period Statuses for General Ledger, which was an entitlement introduced in 20B.

  • 10014: Maintain Project Accounting Periods and Manage Accounting Period Statuses changed to: 10014: Maintain Project Accounting Periods and Manage Accounting Period Statuses for Project Accounting
    • Replaced entitlement Manage Accounting Period Statuses with new entitlement Manage Accounting Period Statuses for Project Accounting, which was an entitlement introduced in 20B.

Steps to Enable

As a rule, when you import a model that uses entitlements, you import the entitlements automatically. But if an earlier version of an entitlement exists in your target environment, the content-import job cannot replace it with a newer version. So:

  • If an entitlement has been revised, but you have not yet imported any of the models that use it, you can import one of these models now. The import operation includes the new entitlement along with the model.
  • If an entitlement has been revised, and you imported a model that uses it during an earlier update, you also imported the earlier version of that entitlement. To use the new version, your only option is to edit your existing entitlement to incorporate its revisions.

Mass Edit More Than 25 Incidents

Previously, you could select up to 25 incident results to mass edit. Now, you can mass edit any number of incidents that match your search criteria. For example, select Show Filters and search for the access entitlement Enter Journals. Now, select Mass Edit button. (Don't select the pencil icon. It will still let you mass edit, but only those records you select on one page.)

Mass Edit

After selecting the mass edit button, the mass edit page summarizes how many records will potentially be updated with the information you provide (such as status, comments, etc.)

Mass Edit Page

Steps to Enable

You don't need to do anything to enable this feature.

Transactional Business Intelligence for Risk Management

Created By, Reviewed By, Approved By and Comments Are Added

Risk Management Cloud - Assessment Results Real Time the Assessment Results dimension now includes the following attributes: Who reviewed the assessment record and the comments submitted by the reviewer.

Risk Management Cloud - Compliance Real Time the Issue Details dimension now includes the following attributes: Creation Date, record of origin name, who reviewed, who approved, when reviewed, when approved, and the comments submitted by the reviewer and/or approver.

View of the Risk Management Cloud - Compliance Real Time Subject Area

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports. For details about creating and editing reports, see the Creating and Administering Analytics and Reports book (available from the Oracle Help Center > your apps service area of interest > Books > Administration).

Relabeled User Authorization Attribute

In some Risk Management subject areas, you will find objects with a user security assignment folder. Within this folder, the User Authorization attribute has been relabeled to Assigned Authorization.

Assigned Authorization

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports. For details about creating and editing reports, see the Creating and Administering Analytics and Reports book (available from the Oracle Help Center > your apps service area of interest > Books > Administration).

Reporting On User Assignment Security Is Added for Process and Risk

To secure Risk Management records, you authorize individual users or user groups as owners, editors, or viewers. You can now report on which users and groups are authorized, and at what levels, for these objects: process and risk in Financial Reporting Compliance. Reports also display whether the user is eligible, meaning that the user also has the functional access.

OTBI Catalog

Steps to Enable

Leverage new subject area(s) by adding to existing reports or using in new reports. For details about creating and editing reports, see the Creating and Administering Analytics and Reports book (available from the Oracle Help Center > your apps service area of interest > Books > Administration).

IMPORTANT Actions and Considerations

COMMON

Security

Due to the new features introduced in 20A around Change to Direct Assignment Security Model, security artifacts will be removed in future releases. Those to be removed include:

  • The Enterprise Risk and Controls Manager job role, and its nested primary and composite duties.
  • The Compliance Manager job role, and its nested primary and composite duties.
  • Privileges that will no longer be required, because new ones for the direct-assignment security model will replace them.  You can identify the privileges planned for removal: In the 20B version of the Security Reference for Risk Management, the name of each contains the suffix "To Be Deprecated."  You can search for this suffix.

The Security Reference for Risk Management is available at Oracle Help Center > Cloud Applications > Risk Manager > Books.

REST API

In the FRC Risk REST API for 20C, unsupported actions relating to treatment plans are to be removed. These include POST, PATCH, and DELETE. Only the GET action is to remain as a supported action for treatment plans.