Ts 795

E-mail Notification Process
TS-795 during Risk and Control Self-

Assessment Validation in
SAS® OpRisk Monitor 3.4
E-mail Notification Process during Risk and Control Self-Assessment Validation in SAS® OpRisk Monitor
34
Table of Contents
Overview ......................................................................................................................... 1
Example Details .............................................................................................................. 1
Enabling E-mail Notifications ....................................................................................... 1
Setting Up the Workflow Process................................................................................. 2
Creating a Questionnaire Template .......................................................................... 2
Creating an Assessment ........................................................................................... 3
E-mail Notification Process........................................................................................... 8
Step 1: Opening the Assessment .............................................................................. 9
Step 2: Submitting the Questionnaire ...................................................................... 12
Step 3: Stage 1 Validation ....................................................................................... 16
Step 4: Returning the Questionnaire ....................................................................... 18
Step 5: Stage 1 Validation (Second Time) .............................................................. 22
Step 6: Stage 2 Validation ....................................................................................... 23
Step 7: Closing the Assessment.............................................................................. 24
i
E-mail Notification Process during Risk and Control Self-Assessment Validation in SAS® OpRisk Monitor 3.4
Overview
This document provides a comprehensive example that illustrates the e-mail notification process that occurs during risk
and control self-assessment (RCSA) validation in SAS OpRisk Monitor 3.4.x. The example demonstrates when e-mail is
sent, by whom it is sent, and who received it and when. This e-mail alert system ensures that an RCSA is conducted on
schedule. After the RCSA is completed, an organization can use the information that is gathered to mitigate the identified
risks and losses during an assessment.
This start-to-finish example is based on sample data in SAS OpRisk Monitor. This data is installed, by default, with SAS
OpRisk Monitor 3.4.x. The data resides in the SAS OpRisk Monitor Tools installation directory located in C:\Program
Files\SAS\OpriskMonitor\Tools\3.2\dbscripts\data.
This document is specifically for experienced users who are performing SAS OpRisk Monitor customization, but it is also
helpful for anyone who creates risk-and-control self assessments on a routine basis.
Example Details
®
The system configuration for this example uses the SAS 9.1.3 SP4 BI platform, with SAS OpRisk Monitor 3.4.1 installed
and Hot Fix 4 applied. The software runs in the Windows environment.
The example employs user profiles for the following fictitious users:
• Graham Madden
• John Gibbon
• Andy Gibbon
• David Terry
These profiles are contained in the SAS OpRisk Monitor sample database. In a real-life application, you must create the
user profiles before you start the RCSA process. For details about how to create user profiles, see “Create User Window”
®
in the SAS OpRisk Monitor 3.4 User’s Guide.
Important: The administrator role in this example can be anyone who has the appropriate administrator permissions. For
the purposes of this paper, it is assumed that the reader is the administrator. If you are not an administrator, you
cannot perform the steps in this example without administrator permissions. However, you can still follow the example to
understand the flow of the e-mail notifications process.
Enabling E-mail Notifications

E-mail notifications are disabled, by default. Before executing this example, be sure to enable e-mail notifications, as
follows:
1. Open the configdata.properties file.

Note: Two copies of this file are installed with SAS OpRisk Monitor. One copy resides in the
configuration-directory/WEB-INF/classes directory on the machine where the SAS OpRisk
Monitor middle tier is deployed. The second copy resides in the ormonitoradm/classes directory on the
machine that hosts the administrative tools. Modify one of those files. Then replace the other file with a copy of
the final version of the modified file. Be sure to redeploy the Web application after you edit the file so that the
configuration changes take effect.
2. Set the value of the MONITOR.MAIL.ENABLED parameter to TRUE.
3. Set the value of the MONITOR.MAIL.SMTPSERVER parameter to name of your outgoing, or SMTP, server.
You can also set the value of the MONITOR.MAIL.DEBUG parameter to TRUE if you want to log information about e-mail
notifications for debugging purposes
1
Setting Up the Workflow Process

To begin this example, you (the administrator) must identify the management organization and the risk dimension. (In this
particular example, the management organization is Superior Life Investments, which is in the example database.)
Because risk identification is not focus of the paper, this process is not explained here. For information on how to identify
the risk, see “Examples: Conducting a Risk and Control Self-Assessment” in the SAS OpRisk Monitor 3.4 User’s Guide.
Next, you create a workflow and identify users that have roles within the management organization. This process entails
the following steps:
1. Create a questionnaire template.

2. Create an assessment.
a. Select the user that you want to notify.
b. Assign the assessment validation workflow specification (that is, assign validators for each stage
of the workflow).
Creating a Questionnaire Template
First, you must create a questionnaire template. For details about how to create a questionnaire template, see
“Questionnaire Templates” in the SAS OpRisk Monitor 3.4 User’s Guide. In this example, the following template is
created:
Display 1. Creating the Questionnaire Template
2
Creating an Assessment
Next, you create an assessment using the Create Assessment wizard. For details about how to create an assessment,
see the sections “Create Assessment Wizard” and “Example: Conducting a Risk and Control Self-Assessment” in the
®
SAS OpRisk Monitor 3.4 User’s Guide.
Note: You create an assessment at this point, but you do not open it. In this example, you, as the administrator, open the
assessment when the specification of the validation workflow is completed.
The example scenario uses the following assessment:
Display 2. Creating an Assessment
In this example, the targeted management organization is Superior Life ► Superior Life Investments, which you
choose in the Operational Risk Area section of the Create Assessment wizard.
The originator of the assessment will be the user that has a position that is consistent with the selections you make in the
Roles section. In this example, the Operational Risk Area (ORA) is Management Organization: Superior Life
►Superior Life Investments. If you select Local Risk Manager in the Roles section, the originator will be Graham
Madden because he has a position that is consistent with this role and scope (ORA). You can create and edit user
positions in the User Profile window.
3
Display 3. Roles That Are Available for the Selected ORA
After you create the assessment and then close it at the end of the example, valid scores will be propagated to the Risk
Profile. The location in which the scores will be propagated is noted in Step 7 of the Create Assessment wizard. For this
example, scores will be propagated to the location shown in Display 4.
Display 4. Location of the Assessment
At this point, you need to add the user to notify and selects the roles of the assessors.
4
Select the User to Notify
In step 8 of the Create Assessment wizard, add the user that is to be notified by e-mail, as follows:
1. In the wizard, click Notify List in the left panel.
2. In the Notify List that appears in the right panel, click Add User and select the user’s name (David
Terry).
David Terry’s information then appears in the Users to Notify list, as shown in Display 5.
Display 5. Adding the Name and E-mail Address of the User to Notify
®
For more details, see “Create Assessment Wizard” in the SAS OpRisk Monitor 3.4 User’s Guide
Assign the Assessment Validation Workflow Specification

Next, assign the assessment validation workflow specification; that is, assign the validators for each stage of the workflow.
In this example, the following assigned users are selected from the example database:
• Graham Madden (user name: graham)—assessment originator and workflow stage 1 validator
• Andy Gibbon (user name: andy)—workflow stage 2 validator
Graham and Andy are assigned these validator roles based on the scope of their roles that are defined in their profiles.
5
Display 6. Two-Level Assessment Validation Workflow before an Additional Stage 1 Validator Is Added
The configdata.properties.txt file contains a workflow validator parameter called monitor.validation.originatorCanValidate.

When this parameter is set to TRUE (the default value), the originator has the authority to validate an object.
However, in this example, the monitor.validation.originatorCanValidate parameter is set to FALSE. As a result, Graham
Madden, who is specified as the originator and as a stage 1 validator, is not authorized to validate an assessment.
Therefore, another stage 1 validator must be added. In this case, the second stage 1 validator is John Gibbon (user name:
john).
Add John Gibbon as another stage 1 workflow validator, as follows:

1. Select Risk Management ►Assessment Validation Workflow from the SAS OpRisk Monitor main window. This
action opens the Assessment Validation Workflow window.
2. In the Assessment Validation Workflow window, click Edit Validation Stages in the Current
Validation Stages section of the window. The Edit Validation Stages window appears.
3. In the Edit Validation Stages window, click the validation stage that you want to edit. This action opens the Edit
Validation Stage dialog box.
6
4. In the Edit Validation Stage dialog box, click Add User to display the Select a User dialog box.
5. In the Select a User dialog box, select the user’s name (John Gibbon), as shown in Display 7.
Display 7. Selecting a User Name in the Select a User Dialog Box
The Select a User dialog box closes automatically after you select John’s name. His information then appears in the
Validators list, under Graham Madden’s information.
Display 8. John Gibbon Added as Second Stage-1 Validator
7
To see the final validation workflow:

1. Select the Risk Management ► Assessments in the SAS OpRisk Monitor main window.
2. Click the down arrow in the Assessments table next to the assessment in which you are interested and select
View Questionnaires.
3. From the list of questionnaires, select the questionnaire in which you are interested.
Note: If the entire questionnaire is not visible, expand the Validation Workflow table by clicking the plus sign (+)
next to Validation Workflow.
Display 9. Final Validation of the Workflow
E-mail Notification Process

In SAS OpRisk Monitor 3.4, e-mail notifications are triggered through a sequence of processes. This example progresses
through the following sequence:
1. The administrator opens the assessment and sends the questionnaire to the originator.
2. The assessment originator (Graham) fills in the questionnaire and submits (originates) it to the user that is to be
notified and to the stage 1 validators.
3. The stage 1 validator (John) validates the assessment.
4. The stage 2 validator (Andy) returns the questionnaire to the stage 1 validator (John) instead of validating it.
(Andy returns the questionnaire because, for this example scenario, he adds new information that needs to go
through the stage 1 validation).
5. The stage 1 validator (John) validates the assessment again.
6. The stage 2 validator (Andy) validates the assessment.
7. The administrator closes the assessment.
8
The next sections explain each of these steps that trigger e-mail notifications in more detail.
Step 1: Opening the Assessment
In this step, you (as the administrator) open the assessment, triggering e-mail notifications.
To open an assessment:
1. Select Risk Management ► Assessments.
2. In the Assessments table, click the down arrow next to the assessment in which you are interested.
3. Select Open, as shown in Display 10, to display the assessment.
Display 10. Opening the Assessment
When the assessment is opened, the e-mail notifications are triggered and one questionnaire is sent to the originator
(Graham), as shown in Display 11:
9
Display 11. Assessment Is Opened and a Questionnaire Is Sent to the Originator (Graham)
At this time, two e-mail notifications are sent: one to the originator, as mentioned previously, and one to the user (David)
that is to be notified.
The contents of those e-mail messages are as follows:
• Contents of e-mail from the administrator to Graham Madden (originator)
-----Original Message-----
From: admin (admin)
Sent: Tuesday, July 22, 2008 2:11 PM
To: Graham Madden
Subject: A Questionnaire is Ready for You to Answer
This message is from SAS OpRisk Monitor.
There is a questionnaire that is ready for you to answer; please check

your task list for details.
Name: Assessment for documenting email

Location: Management Organization: Superior Life > Superior Life
Investments
If you log on to the application as Graham Madden, you can see Graham’s task list (Display 12), which shows the
number of questionnaires he needs to answer.
10
Display 12. Graham Madden’s Task List
• Contents of e-mail from the administrator to David Terry (the user to notify)
From: admin (admin)
To: David Terry
Subject: A Questionnaire is Ready to be Answered
There is a questionnaire for which you are listed as a user to notify

that is ready to be answered; please check your task list for details.

Investments
If you log on to the application as David Terry, you can see David’s task list (Display 13), which shows that he has
been notified of the questionnaire,
11
Display 13. David Terry’s Task List
Step 2: Submitting the Questionnaire
In this step, Graham (the originator) fills in the questionnaire and submits it, as follows.
1. Graham logs on to SAS OpRisk Monitor as the originator of the RCSA using his profile (graham). His task list
appears (Display 11), showing that the questionnaire is awaiting his response.
2. He clicks a questionnaire attribute, which opens the questionnaire in the View Assessment Questionnaire window.
3. Graham clicks Begin Modification in the View Assessment Questionnaire window in order to fill in all of the
required fields.
4. After all of the required fields are filled, Graham clicks End Modification to save the questionnaire.
5. He then clicks Submit (Display 14) to send the questionnaire to the next person (John) in the workflow.
12
Display 14. Submitting the Questionnaire
After Graham submits the questionnaire, the real-time status of the validation workflow appears, as shown here:
Display 15. Real-Time Status of the Validation Workflow
13
Note: The following display illustrates an error of which you need to be aware. Graham’s task list shows the incorrect
status for the assessment. The Questionnaires I Need to Validate field indicates that he still needs to validate
the questionnaire, even though he has already done that. The error occurs despite the fact that the
OriginatorCanValidate= parameter is set to FALSE.
Display 16. Incorrect Status in the Assessment Originator’s Task List
When Graham submits the questionnaire, a new wave of e-mail notifications is triggered. A second error occurs in this
part of the process. The application should send one e-mail notification to John and one to David. Instead, the
application generates four e-mail notifications.
Note: These errors are known behaviors that occur in the software. There is no solution or workaround for them at this
time, although a fix is planned for a future release. You can continue with the following steps regardless of these e-mail
errors.
The contents of the e-mail messages are as follows:

• Two identical e-mail notifications from Graham (originator) to David (user to notify)
From: Graham Madden
To: David Terry
Subject: A Questionnaire Is Pending Validation

that is ready to be validated; please check your task list for details.
14

Investments
• E-mail from Graham (originator) to Graham (stage 1 validator)
From: Graham Madden
To: Graham Madden
Subject: A Questionnaire Is Pending Your Validation
There is a questionnaire that is ready for you to validate; please check


Investments
• E-mail from Graham (originator) to John (stage 1 validator)
From: Graham Madden
To: John Gibbon


Investments
If you log on as John Gibbon, you see that he has been notified about questionnaire he needs to validate.
15
Display 17. John Gibbon’s Task List
Step 3: Stage 1 Validation
John Gibbon validates the assessment, as follows:

1. John logs on to SAS OpRisk Monitor as a stage 1 validator of the RCSA using his profile (john). His task list
appears (Display 18), showing that the questionnaire is awaiting his validation.
2. He clicks a questionnaire attribute, which opens the questionnaire in the View Assessment Questionnaire window.
3. John clicks Validate in the View Assessment Questionnaire window in order to validate the assessment.
4. After he validates the assessment, John clicks Submit to send the questionnaire to the next person (Andy) in the
workflow.
As shown in Display 18, John’s task list now shows that the questionnaire is now waiting to be validated by someone else
(Andy).
16
Display 18. John Gibbon’s Task List after He Validates the Assessment
After John validates the assessment, the real-time validation workflow appears as shown in Display 19.
Display 19. Real-Time Status of the Validation Workflow after John Validates the Assessment
At this point, two e-mail notifications are sent: one to the Andy Gibbon (the next validator), and one to David Terry (the
user to notify). The contents of those e-mail messages are as follows:
17
• E-mail from John Gibbon (stage 1 validator) to Andy Gibbon (stage 2 validator)
From: John Gibbon
Sent: Thursday, July 24, 2008 3:18 PM
To: Andy Gibbon


Investments
• E-mail from John Gibbon (stage 1 validator) to David Terry (user to notify)
From: John Gibbon
To: David Terry
Subject: A Questionnaire Is Pending Validation

that is ready to be validated; please check your task list for details.

Investments
Step 4: Returning the Questionnaire
At this point, instead of performing a stage 2 validation, Andy Gibbon provides new information. This information has not
been validated yet by the stage 1 validator, so Andy returns the questionnaire, setting the workflow back to the initial
stage. Andy returns the questionnaire, as follows:
1. Andy logs on to SAS OpRisk Monitor as a stage 2 validator of the RCSA using his profile (andy). His task list
18
Display 20. Andy’s Task List
2. Andy clicks a questionnaire attribute, which opens the questionnaire in the View Assessment Questionnaire
window.
3. Andy then clicks Return from Validation (see Display 21) to return the questionnaire.
Display 21. Returning the Questionnaire
19
After Andy clicks Return from Validation, the Change Reason dialog box opens (Display 22).
.
Display 22. Returning the Questionnaire
4. Andy enters the reason for returning the questionnaire and clicks Save. After he clicks Save, the application
returns to the questionnaire (Display 21).
5. Andy clicks Done in the questionnaire window, and the application takes him to his task list (Display 20).
After Andy returns the questionnaire, the real-time validation workflow appears as follows:
Display 23. Real-Time Status of the Validation Workflow after Andy Returns the Questionnaire
20
At this point, four e-mail notifications are sent.
Note: The e-mail error that is described in “Step 2: Submitting the Questionnaire” also occurs here. That is, the application
should send only one e-mail notification to David Terry, but it sends two identical notifications instead. You can ignore
these errors, however, and continue with the steps in the process.
The content of the e-mail notifications are as follows:
• E-mail from Andy Gibbon (stage 2 validator) to Graham Madden (stage 1 validator)
From: Andy Gibbon
To: Graham Madden
Subject: A Questionnaire Has Been Returned To You
There is a questionnaire that has been returned to you by another

reviewer; please check your task list for details.

Investments
• E-mail from Andy Gibbon (stage 2 validator) to John Gibbon (stage 1 validator)
From: Andy Gibbon
To: John Gibbon
Subject: A Questionnaire Has Been Returned To You
There is a questionnaire that has been returned to you by another

reviewer; please check your task list for details.

Investments
21
If you log on to the application as John Gibbon, you see in the task list that he has been notified about the
questionnaire that has been returned to him.
Display 24. John Gibbon’s Task List Showing That He Has Been Notified about the Returned Questionnaire
• Two identical e-mail notifications from Andy Gibbon (stage 2 validator) to David Terry (user to notify)
From: Andy Gibbon
To: David Terry
Subject: There is a questionnaire for which you are listed as a user to
notify that has been returned by another reviewer; please check your
task list for details.

that has been returned by another reviewer; please check your task list
for details.

Investments
Step 5: Stage 1 Validation (Second Time)
The workflow returns back to John. He reviews the new information that Andy added in the questionnaire and validates
the assessment one more time. After John validates the assessment, the real-time validation workflow appears as follows:
22
Display 25. Real-Time Status of the Validation Workflow after John Validates the Assessment the Second Time
The e-mail notifications that are generated during this step are the same as those in Step 3: one e-mail message to Andy
(stage 2 validator) and one e-mail message to David (the user to notify).
Step 6: Stage 2 Validation
Andy Gibbon validates the assessment, as follows:

1. Andy logs on to SAS OpRisk Monitor as a stage 2 validator of the RCSA using his profile (andy). His task list
Display 26. Andy Gibbon’s Task List Showing That He Has Been Notified about the Questionnaire He Needs to Validate
23
2. Andy clicks a questionnaire attribute, which opens the questionnaire in the View Assessment Questionnaire
window.
3. He clicks Validate in the View Assessment Questionnaire window in order to validate the assessment.
At this point, the questionnaire is considered to be fully validated, and no further e-mail notifications are sent. After Andy
validates the assessment, the real-time validation workflow appears as shown in Display 27.
Display 27. Real-Time Status of the validation workflow after Andy Performs the Stage 2 Validation
Step 7: Closing the Assessment
After the validation is complete, you (as administrator) close the assessment, as follows:
1. Log on to SAS OpRisk Monitor using the administrator profile (admin) with which the assessment was created.
2. Select Risk Management ► Assessments to open the Assessments window.
3. Click the down arrow to the left of the assessment that was conducted to display the Actions menu, as shown
in Display 28.
24
Display 28. Closing the Assessment
4. On the Actions menu, select Close to close the assessment.

After you perform this last step, the process is complete.
25
SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA
and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies.
Copyright © 2008 SAS Institute Inc., Cary, NC, USA. All rights reserved.

Ts 795

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ts 795

Uploaded by

Copyright:

Available Formats

E-mail Notification Process

TS-795 during Risk and Control Self-

Enabling E-mail Notifications

1. Open the configdata.properties file.

Setting Up the Workflow Process

1. Create a questionnaire template.

Creating a Questionnaire Template

Display 1. Creating the Questionnaire Template

The example scenario uses the following assessment:

Display 2. Creating an Assessment

Display 3. Roles That Are Available for the Selected ORA

Display 4. Location of the Assessment

Select the User to Notify

Assign the Assessment Validation Workflow Specification

• Andy Gibbon (user name: andy)—workflow stage 2 validator

The configdata.properties.txt file contains a workflow validator parameter called monitor.validation.originatorCanValidate.

Add John Gibbon as another stage 1 workflow validator, as follows:

Display 7. Selecting a User Name in the Select a User Dialog Box

Display 8. John Gibbon Added as Second Stage-1 Validator

To see the final validation workflow:

Display 9. Final Validation of the Workflow

E-mail Notification Process

Step 1: Opening the Assessment

Display 10. Opening the Assessment

The contents of those e-mail messages are as follows:

• Contents of e-mail from the administrator to Graham Madden (originator)

This message is from SAS OpRisk Monitor.

There is a questionnaire that is ready for you to answer; please check

Name: Assessment for documenting email

Display 12. Graham Madden’s Task List

This message is from SAS OpRisk Monitor.

There is a questionnaire for which you are listed as a user to notify

Name: Assessment for documenting email

Display 13. David Terry’s Task List

Step 2: Submitting the Questionnaire

Display 14. Submitting the Questionnaire

Display 15. Real-Time Status of the Validation Workflow

Display 16. Incorrect Status in the Assessment Originator’s Task List

The contents of the e-mail messages are as follows:

This message is from SAS OpRisk Monitor.

There is a questionnaire for which you are listed as a user to notify

Name: Assessment for documenting email

• E-mail from Graham (originator) to Graham (stage 1 validator)

This message is from SAS OpRisk Monitor.

There is a questionnaire that is ready for you to validate; please check

Name: Assessment for documenting email

• E-mail from Graham (originator) to John (stage 1 validator)

This message is from SAS OpRisk Monitor.

There is a questionnaire that is ready for you to validate; please check

Name: Assessment for documenting email

Display 17. John Gibbon’s Task List

Step 3: Stage 1 Validation

John Gibbon validates the assessment, as follows:

This message is from SAS OpRisk Monitor.

There is a questionnaire that is ready for you to validate; please check

Name: Assessment for documenting email

This message is from SAS OpRisk Monitor.

There is a questionnaire for which you are listed as a user to notify

Name: Assessment for documenting email

Step 4: Returning the Questionnaire

Display 20. Andy’s Task List

Display 21. Returning the Questionnaire