Behavior rules of controls (Function object type)
If the attribute Effect of control (attribute type group Governance, Risk & Compliance (GRC) > Compliance management > Control attributes) is specified, only the defined effect is considered. If the attribute is not specified, the control is executed but has no preventive or detective effect.
An applied and effective preventive control reduces the probability of occurrence of a risk for the remaining run time of the process instance.
If a preventive control is executed multiple times for a process instance, the reduced probability of occurrence is retained after the first successful execution even if the control was not successfully executed at a later time.
If multiple preventive controls reduce the probability of occurrence of a risk, the highest value of the reduction is applied. Probabilities are not added up. If a control with a low reduction value is executed after a control with a higher reduction, the higher value is still applied. This means that the control with the largest reduction of the probability of occurrence is considered the active control.
The preventive control with the highest reduction of the probability of occurrence is assigned the prevented damage or the unprevented damage.
A preventive control is not assigned the prevented damage if the risk fails to occur because of its original (unreduced) probability of occurrence of less than 100%.
A preventive control is assigned unprevented damages if the control was not successful, but could have prevented the damages if it had been successfully executed.
A preventive control whose execution ends only after a risk has occurred is not assigned any unprevented damages.
A preventive control whose execution starts before the occurrence of a risk is not assigned any failed damage reduction.
The execution or effect of detective controls does not depend on other controls. This contrasts with preventive controls, for which only the control with the largest reduction potential per risk is active. If a detective control was successfully executed, it reduces the damages of the assigned risks that have occurred up to the current point in time. If it is not successfully executed, it is assigned the damages that it could have prevented as failed damage reduction.
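The preventive-control rules above can be modelled in a few lines. This is an added example, not the product's own code. It assumes that the reduction is a fraction that scales the original probability and that occurrence is decided by a uniform draw; the names Execution, active_preventive and evaluate_risk are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Execution:                      # one control execution in a process instance
    control: str
    effect: Optional[str]             # "preventive", "detective", or None if Effect of control is unset
    reduction: float                  # assumed: fraction 0..1 taken off the probability
    successful: bool

def active_preventive(executions):
    """Return (control, reduction) of the active preventive control, or (None, 0.0)."""
    active, best = None, 0.0
    for ex in executions:             # in execution order
        if ex.effect != "preventive" or not ex.successful:
            continue                  # unset effect, detective, or failed run: no reduction
        if ex.reduction > best:       # highest value wins; values are never added up
            active, best = ex.control, ex.reduction
    return active, best               # earlier success is retained despite later failures

def evaluate_risk(executions, probability, damage, draw):
    """Classify one risk evaluation; draw is a uniform sample in [0, 1) (assumed mechanism)."""
    active, reduction = active_preventive(executions)
    reduced = probability * (1.0 - reduction)      # assumed way of applying the reduction
    if draw >= probability:           # would not have occurred even without any control
        return {"occurred": False, "credited": None, "prevented_damage": 0.0}
    if draw >= reduced:               # occurs at original probability, not at the reduced one
        return {"occurred": False, "credited": active, "prevented_damage": damage}
    return {"occurred": True, "credited": None, "prevented_damage": 0.0}

# Constructed sample sequence for one process instance and one risk.
SAMPLE = [
    Execution("C1", "preventive", 0.5, True),
    Execution("C2", "preventive", 0.2, True),    # lower value later: C1 stays active
    Execution("C1", "preventive", 0.5, False),   # later failure: reduction retained
    Execution("C3", None, 0.9, True),            # effect not specified: no effect
    Execution("C4", "detective", 0.8, True),     # detective: does not reduce probability
]

if __name__ == "__main__":
    print(active_preventive(SAMPLE))
    for u in (0.7, 0.3, 0.1):
        print(u, evaluate_risk(SAMPLE, 0.4, 1000.0, u))
```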
Behavior rules of risks (Risk object type)
Occurrence copies of risks are evaluated individually.
Damages referring to an occurrence copy of a risk are added up in the object definition of the risk.