JP4970484B2 - Office quality control device, office quality control processing program, and office quality control processing method - Google Patents

Description

The present invention relates to an office quality management apparatus , an office quality management processing program, and an office quality management processing method for managing the quality of office processing in an organization such as a financial institution.

  In recent years, financial institutions have taken measures to independently consider operational risk in addition to credit risk and market risk, and assign the required capital ratio based on the quantification of risk. At that time, the operational risk management system is one of the qualified requirements.

  Accordingly, each financial institution is proceeding with the establishment of an operational risk management system.

  In the banking industry, advanced operational risk management is required by the Basel II regulations, and the response to financial inspection manuals and the burden of internal control-related operations under the Financial Commerce Act (J-SOX) have increased. Therefore, effective internal control management that goes beyond the system is required.

  Financial institutions use the operational risk management system to manage case information about losses that have occurred in the past in the paperwork and manage information to prevent the recurrence of such losses. For example, as disclosed in Patent Document 1, risk control self-assessment (RCSA) information that is information for avoiding the occurrence of a loss of a scale assumed in advance is managed.

JP 2008-287604 A

  In the conventional risk management self-assessment information, what kind of risks and controls exist for the assets to be assessed are defined as brute force based on the current administrative regulations, in order to input the evaluation and review the evaluation items It is necessary to search for the target risk and control while referring to the business rules, and as the number of items of the business rules increases, the efficiency in inputting the evaluation and reviewing the evaluation items decreases.

Accordingly, an object of the present invention is to provide an office quality management apparatus , an office quality management processing program, and an office quality management processing method that can improve the efficiency of evaluation work related to evaluation items in risk management self-evaluation information. It is in.

In other words, the business quality management device according to the present invention is configured to avoid classification information relating to assets for business processing, loss information for identifying a loss assumed in advance regarding assets in the classification, and occurrence of the loss. a management information storage means for storing management information that associates the policy information for specifying the measures, among the classification information indicated by the management information, the implementation of measures to prevent the evaluation objects and the loss of the loss Or, the category information input means for inputting the category information related to the asset whose effectiveness is to be evaluated, which indicates whether or not there is an implementation schedule, and the loss information associated with the category information input by the category information input means among the management information, and Extraction means for extracting the measure information associated with the classification information input by the classification information input means, and extraction by the extraction means And loss severity input means for inputting the size of losses identified by loss information, measures the efficacy input means for inputting information indicating the measures implemented or scheduled implementation of the measures specified in policy information extracted by the extraction means And output means for outputting the information input by the loss scale input means together with loss information related to the information, and outputting the information input by the measure effectiveness input means together with measure information related to the information.

  ADVANTAGE OF THE INVENTION According to this invention, the efficiency concerning the evaluation work regarding the evaluation item in risk management self-evaluation information can be improved.

The block diagram which shows the structural example of the office work quality management apparatus in embodiment of this invention. The figure which shows the structural example of the risk classification table memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the control evaluation 1st table (the 1) memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the control evaluation 1st table (the 2) memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the control evaluation 2nd table (the 1) memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the control evaluation 2nd table (the 2) memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the potential risk classification | category table memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the risk occurrence classification table memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the loss scenario-loss event kind relation table memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the control group-loss scenario related table memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the loss scenario-potential risk classification | category related table memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the sub-control content table memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the control evaluation large classification table memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the control evaluation small classification table memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the loss event table memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the main control document table memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the loss scenario table memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the control group pattern table memorize | stored in the memory | storage device 4 of the office quality management apparatus in embodiment of this invention in a table format. The flowchart which shows an example of the processing operation of the office quality management apparatus in embodiment of this invention. The flowchart which shows an example of the evaluation object input process by the office work quality management apparatus in embodiment of this invention. The figure which shows an example of the evaluation object classification selection screen by the office work quality management apparatus in embodiment of this invention. The figure which shows an example of the evaluation object system and form registration screen by the office work quality management apparatus in embodiment of this invention. The figure which shows an example of the evaluation object management organization and classification registration screen by the office work quality management apparatus in embodiment of this invention. The flowchart which shows an example of the risk control extraction process by the office work quality management apparatus in embodiment of this invention. The figure for demonstrating the procedure of pattern ID generation by the office quality management apparatus in embodiment of this invention. The figure for demonstrating the procedure of the risk list acquisition by the office quality management apparatus in embodiment of this invention. The figure for demonstrating the procedure of the control list acquisition by the office work quality management apparatus in embodiment of this invention. The figure which shows the structural example of the evaluation object risk management table by the office quality management apparatus in embodiment of this invention in a table format. The figure which shows the structural example of the evaluation object control management table by the office quality management apparatus in embodiment of this invention in a table format. The flowchart which shows an example of the evaluation input process by the office work quality management apparatus in embodiment of this invention. The figure which shows an example of the evaluation input classification selection screen by the office work quality management apparatus in embodiment of this invention. The figure which shows the example of a display of the risk evaluation input screen by the office work quality management apparatus in embodiment of this invention. The figure which shows the example of a display of the control evaluation input screen by the office work quality management apparatus in embodiment of this invention. The figure which shows the example of a display of the risk management self-evaluation database form by the office work quality management apparatus in embodiment of this invention.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 is a block diagram illustrating a configuration example of an office quality management apparatus according to an embodiment of the present invention.
As shown in FIG. 1, the office quality management apparatus according to the embodiment of the present invention includes a control unit 1, an input device 2, an output device 3, a storage device 4, a pattern ID generation unit 5, and an evaluation target. Classification information processing unit 6, evaluation target risk list extraction unit 7, evaluation target risk list output control unit 8, evaluation target control list extraction unit 9, evaluation target control list output control unit 10, screen output control unit 11, arithmetic processing unit 12 Are connected to each other via a bus 13.

  The storage device 4 is a storage medium such as a hard disk drive or a nonvolatile memory, and includes a control unit 1, a pattern ID generation unit 5, an evaluation target category information processing unit 6, an evaluation target risk list extraction unit 7, and an evaluation target risk list output control. Unit 8, evaluation target control list extraction unit 9, evaluation target control list output control unit 10, screen output control unit 11, execution target control program by arithmetic processing unit 12, risk management information storage unit 41, evaluation It has a target information storage unit 42, an evaluation target risk list storage unit 43, and an evaluation target control list storage unit 44.

  The risk management information storage unit 41 generates classification information related to assets for business processing, loss information for specifying a loss (risk) assumed in advance regarding assets in the classification, an evaluation value of the loss, and the loss Management information storage means for storing management information for associating measure information for specifying a measure (control) for avoiding this and information indicating an evaluation value of the measure.

  Asset classification for paperwork is information indicating the form of the equipment related to the asset in the management information stored in the risk management information storage unit 41, or the jurisdiction of the asset in the management information in the risk management information storage unit 41 Information indicating the classification of the organization.

The evaluation value of the loss is the maximum value of the assumed loss amount, and the evaluation of the measure is an evaluation result of the effectiveness of the measure.
The evaluation object information storage unit 42 stores the classification information designated as the evaluation object of the loss or measure among the classification information indicated by the management information.

The evaluation target risk list storage unit 43 stores a list of losses related to the classification of the asset to be evaluated specified as described above and the evaluation value of the loss among the losses indicated by the management information.
The evaluation target control list storage unit 44 is a measure for avoiding a loss related to the classification of the asset to be evaluated specified as described above from among the measures indicated by the management information, and the evaluation of the measure Store a list of values.

  The input device 2 is, for example, a keyboard or a mouse, and the output device 3 is, for example, a display device or a printer device. In the following description, it is assumed that the output device 3 is a display device. The input device 2 is classification information input means for inputting classification information related to an asset to be evaluated for loss or an evaluation object of effectiveness of measures for avoiding the loss among the classification information indicated by the management information.

The pattern ID generation unit 5 generates a pattern ID based on the information indicating the classification of the evaluation target specified as described above.
The evaluation target classification information processing unit 6 stores the pattern ID generated by the pattern ID generation unit 5 in the evaluation target information storage unit 42.

Based on the pattern ID and the management information stored in the risk management information storage unit 41, the evaluation target risk list extraction unit 7 extracts a list of risks corresponding to the evaluation target category specified as described above.
The evaluation target risk list output control unit 8 outputs the risk list extracted by the evaluation target risk list extraction unit 7 to the output device 3.

Based on the pattern ID and the management information stored in the risk management information storage unit 41, the evaluation target control list extraction unit 9 extracts a list of controls corresponding to the evaluation target category specified as described above.
The evaluation target control list output control unit 10 outputs the control list extracted by the evaluation target control list extraction unit 9 to the output device 3.

  The input device 2 is a loss scale input means for inputting the scale of the loss specified by the extracted loss information, and a measure for inputting information indicating an effective measure among the measures specified by the extracted measure information It is also a validity input means.

FIG. 2 is a diagram showing a configuration example of the risk classification table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format.
This risk classification table is stored in the risk management information storage unit 41 of the storage device 4, and is associated with risk occurrence classification, potential risk classification, loss scenario, assumed loss scale (maximum), and loss event mapping information on the risk classification table. . The above-described loss information for identifying a loss is a risk occurrence classification, a potential risk classification, a loss scenario, an assumed loss scale (maximum), and loss event mapping information.

  As shown in FIG. 2, the risk classification on the risk classification table is “disaster, facility destruction (terrorism, etc.)”, “illegal access / spoofing”, “hardware failure”, “software failure”, “network failure”. , "Computer virus", "Outsourcing contractor problem", "Development process problem", "Operational accident, error", "Internet business transaction fraud", "Hardware / software failure" .

  The information on potential risk classification on the risk classification table is information indicating which of the plurality of types of potential risk classification corresponds to the risk occurrence classification on the risk classification table. As shown in FIG. / Falsification "," System Stop / Recovery Delay "and" Release Delay ".

  The loss event mapping information on the risk classification table is information indicating which of a plurality of types of loss events corresponds to the loss scenario on the risk classification table. As shown in FIG. 2, loss events are “internal fraud”, “external fraud”, “customers, products and trading practices”, “damage to tangible assets”, “business activity interruptions and system failures”, It is divided into “execution of orders, etc. and management of delivery process”.

  3 and 4 are diagrams showing a configuration example of the control evaluation first table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format. Here, the first control evaluation table is divided into the table shown in FIG. 3 and the table shown in FIG. 4, but a single table may be formed by combining these.

  The control evaluation first table is a table describing the control related to the system risk of the system that is an asset. As shown in FIGS. 3 and 4, “loss scenario”, “control evaluation”, “system importance”, “ “Information importance”, “form”, “network”, “company category”, and “base category” are associated with each other and stored in the risk management information storage unit 41 of the storage device 4.

  As shown in FIG. 3, the control evaluation on the control evaluation first table includes “major category”, “minor category”, “REF to regulation (excluding affiliates)”, “control group ID”, “main control”, It is divided into “Main Control Evaluation”, “Sub Control Evaluation”, and “Sub Control Evaluation”. REF to rules (excluding affiliates) is reference information for business rules.

  The control group ID on the control evaluation first table is identification information uniquely assigned to each main control. Further, the sub-control is a measure used when the main control is not effective, that is, not implemented at present or is not scheduled to be implemented.

  The above-mentioned measure information for specifying measures includes “major classification”, “minor classification”, “REF to regulation (excluding affiliates)”, “control group ID” in the control evaluation first table. "," Main control "," main control evaluation "," sub-control "," sub-control evaluation ".

The major classification, minor classification, and REF (excluding affiliates) of the control evaluation on the control evaluation first table are determined for each control group ID on the table.
The “loss scenario” on the control evaluation first table is determined for each sub-control on the table.

“System Importance” on the first table in the control evaluation indicates the importance of the system related to the main control associated with the table, and is shown as “most important”, “important”, and “general” as shown in FIG. It is divided.
“Information importance” on the first table in the control evaluation indicates the importance of the information related to the main control associated on the table. As shown in FIG. 3, “importance”, “important”, and “general” It is divided.

  The “form” on the control evaluation first table indicates the type of device related to the main control corresponding to the control ID associated with the table, and as shown in FIG. 4, “server”, “client”, “single PC” ". Each type of item is associated with an identification number. In each section, the identification number of “server” is “1”, the identification number of “client” is “2”, and the identification number of “single PC” is “3”.

  “Network” on the control evaluation first table indicates the type of network related to the main control corresponding to the control ID associated on the table. As shown in FIG. 4, “no connection”, “in-line”, “external” It is divided into “Connection (excluding remote operation)”, “Remote operation from outside”, “Internet connection”, and “In-Van business”. In each category, the identification number for “no connection” is “4”, the identification number for “in line” is “5”, the identification number for “external connection (excluding remote operation)” is “6”, and “from outside” The identification number of “Remote operation” is “7”, the identification number of “Internet connection” is “8”, and the identification number of “In-Ban business” is “9”.

  “Company classification” on the control evaluation first table indicates the type of company that operates the system related to the main control corresponding to the control ID associated on the table, and as shown in FIG. It is classified as an “affiliated company”. In each section, the identification number of “bank body” is “10”, and the identification number of “affiliated company” is “11”.

  Further, the “site classification” on the control evaluation first table indicates the type of the operation base of the system related to the main control corresponding to the control ID associated on the table, and “office center”, as shown in FIG. “Head office”, “Sales office”, “Overseas shop”, “Affiliated company”, “External center”, “Data center”. In each section, the identification number of “Office Center” is “12”, the identification number of “Head Office” is “13”, the identification number of “Sales Office” is “14”, and the identification number of “Overseas Store” is In “15”, the identification number of “affiliated company” is “16”, the identification number of “external center” is “17”, and the identification number of “data center” is “18”.

  The main control on the control evaluation first table is stored in “system importance”, “information importance”, “form”, “network”, “company division”, “base division” associated with the main control. This means the main control that should be evaluated if the conditions are met.

Specifically, in the “most important”, “important”, and “general” columns of “system importance” and “information importance” shown in FIG. 4 associated with the main control on the control evaluation first table. When “◯” is stored, the importance in this field means that the main control associated with the table is related.
In addition, some of the columns classified in the “type”, “network”, “company category”, and “base category” shown in FIG. When a corresponding identification number is stored, the category corresponding to the identification number means that the main control associated with the table is related.

  In the example illustrated in FIG. 4, “O” is stored in the “most important” and “important” columns of the system importance associated with the control group ID “30001”, and the “important” information importance associated with the control group ID “30001”. “O” is stored in the “important” column, and “1” that is the identification number of the server is stored in the “server” column of “form” that is also associated with the “important” column. This is the case when the system importance of the system being evaluated is either “most important” or “important” and the information importance is either “most important” or “important” Further, the main control to be evaluated when the device of the system to be evaluated includes a server means that the main control corresponding to the control group ID “30001” includes “as a physical access restriction of the server...”.

  FIG. 5 and FIG. 6 are diagrams showing a configuration example of the control evaluation second table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format. Here, the second control evaluation table is divided into the table shown in FIG. 5 and the table shown in FIG. 6, but it may be a single table in which these are combined.

  The control evaluation second table is a table that describes the control related to the management organization of the system that is the asset, and is associated with “loss scenario”, “control evaluation”, “jurisdiction”, “base”, and the risk of the storage device 4. It is stored in the management information storage unit 41.

  The control evaluation on the control evaluation second table is the same as the control evaluation first table, as shown in FIG. 5, "major classification", "minor classification", "REF to regulations (excluding affiliated companies)", "control" It is divided into “Group ID”, “Main Control”, “Main Control Evaluation”, “Sub Control”, and “Sub Control Evaluation”.

  As shown in FIG. 6, “responsibility” on the second control evaluation table is divided into “system department”, “general affairs department”, “head office”, and “affiliated company”. In each category, the identification number of “System Department” is “1”, the identification number of “General Affairs Department” is “2”, the identification number of “Headquarters” is “3”, and the identification number of “Affiliated Company” is “4”.

  As shown in FIG. 6, the “base” on the second table of control evaluation is “office center”, “main store”, “sales office”, “overseas store”, “affiliated company”, “external center”, “data center”. ". In each category, the “office center” identification number is “5”, the “head office” identification number is “6”, the “sales office” identification number is “7”, and the “overseas store” identification number is In “8”, the identification number of “affiliated company” is “9”, the identification number of “external center” is “10”, and the identification number of “data center” is “11”.

  The main control on the control evaluation second table means a main control to be evaluated when the conditions stored in “responsible” and “organization” associated with the main control are satisfied.

  Specifically, an identification number corresponding to the division is stored in a part of the column of “jurisdiction” and “organization” shown in FIG. 6 associated with the main control on the control evaluation second table. In this case, the category corresponding to the identification number means a category related to the main control associated on the table.

  In the example illustrated in FIG. 6, “2” that is the identification number of the general affairs department is stored in the “general affairs department” column of “responsibility” associated with the control group ID “30060”. This means that the main control to be evaluated when the management organization of the system to be evaluated includes the general affairs department includes the main control corresponding to the control group ID “30060” “when an outsider enters the head office building ...” Means that.

  The risk classification table, the control evaluation first table, and the control evaluation second table described above are tables generated by combining information stored in various tables described below. Hereinafter, configurations of various tables for generating the risk classification table, the control evaluation first table, and the control evaluation second table will be described.

FIG. 7 is a diagram showing a configuration example of a potential risk classification table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format.
This latent risk classification table is a table for storing information related to the potential risk classification on the risk classification table shown in FIG. 2, and the potential risk classification ID, the contents of the potential risk classification, the display order on the output device 3, the risk Type ID, invalid flag, creator ID, last updater ID, and update date and time are associated with each other and stored in the risk management information storage unit 41 of the storage device 4.

The potential risk classification ID is identification information uniquely assigned to the contents of the potential risk classification. In the present embodiment, there are three types of potential risk classification contents as shown in FIG. 2 and FIG. 7, so there are three types of potential risk classification IDs “30001” to “30003”. The risk type ID is risk type identification information. In this embodiment, the risk type ID is “3” indicating a system risk.
The invalid flag is a flag that is “1” when various items associated with the table are deleted by a predetermined operation on the input device 2. The creator ID is the ID of the creator of various items associated on the table, and the last updater ID is the ID of the last updater of various items associated on the table.

FIG. 8 is a diagram showing a configuration example of a risk occurrence classification table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format.
This potential risk classification table is a table for storing information related to the risk occurrence classification on the risk classification table shown in FIG. 2, and includes risk occurrence classification ID, content of risk occurrence classification, display order, risk type ID. The invalid flag, the creator ID, the last updater ID, and the update date and time are associated and stored in the risk management information storage unit 41 of the storage device 4.

The risk occurrence classification ID is identification information uniquely assigned to the contents of the risk occurrence classification. In the present embodiment, there are 11 types of risk occurrence classifications as shown in FIG. 2 and FIG. 8, so there are 11 types of risk occurrence classification IDs “30001” to “30 0 11”.

FIG. 9 is a diagram showing a configuration example of a loss scenario-loss event type relation table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format.
This loss scenario-loss event type relation table is used to store the association information of the types of loss scenarios and loss events on the risk classification table, control evaluation first table or control evaluation second table shown in FIG. The table includes a loss scenario ID, a loss event type ID, an invalid flag, a last updater ID, and an update date and time, and is stored in the risk management information storage unit 41 of the storage device 4.

  The loss scenario ID is identification information uniquely given for the content of the loss scenario, and the loss event type ID is identification information uniquely given for the content of the loss event type. In the present embodiment, there are six types of loss event contents as shown in FIG. 2, and therefore there are six types of loss event type IDs “1” to “6”.

FIG. 10 is a diagram showing a configuration example of the control group-loss scenario association table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format.
This control group-loss scenario relation table is a table for storing the association information between the control group ID and the loss scenario, and the control group ID, loss scenario ID, invalid flag, last updater ID, and update date / time are associated with each other. And stored in the risk management information storage unit 41 of the storage device 4.

FIG. 11 is a diagram showing a configuration example of a loss scenario-latent risk classification relation table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format.
This loss scenario-latent risk classification related table is a table for storing the association information between the loss scenario and the potential risk classification shown in FIG. 2, and the latent risk classification ID, loss scenario ID, invalid flag, and last update The person ID and the update date / time are associated and stored in the risk management information storage unit 41 of the storage device 4.

FIG. 12 is a diagram showing a configuration example of the sub-control content table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format.
This control content table is a table for storing the control content which is the content of the sub-control on the control evaluation first table and the control evaluation second table. The control type ID, evaluation value, control content, control group ID, The check flag, display order, invalid flag, creator ID, last updater ID, and update date and time are further associated and stored in the risk management information storage unit 41 of the storage device 4.

  The control type ID is identification information uniquely given to the content of the sub-control. The evaluation value on the control content table is a value indicating a weight between another sub-control related to the same main control in the content of the sub-control associated on the table, and each sub-corresponding to the same main control. The sum of the evaluation values of the controls is 1.

  The check flag on the control content table is determined by the administrator on the sub-control evaluation input screen, which will be described later, when the content of the sub-control is valid, that is, currently implemented or scheduled to be implemented. This flag is “1” when the check box corresponding to the sub-control on the input screen is selected.

FIG. 13 is a diagram showing a configuration example of the control evaluation large classification table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format.
This control evaluation large classification table is a table for storing the contents of the large classification of control evaluation on the control evaluation first table and the control evaluation second table. The parent type ID, parent management ID, type ID, The management ID, the value indicating the major classification of the control evaluation, the display order, the invalid flag, the creator ID, the last updater ID, and the update date and time are associated with each other and stored in the risk management information storage unit 41 of the storage device 4.

  The parent type ID is a type ID set when the parent type exists as a hierarchical structure, and when the parent type does not exist, the parent type ID is “0”. The parent management ID is a parent management ID associated with the management ID as a hierarchical structure. When there is no parent type, the management ID of the parent is “0”.

  In this embodiment, the type ID of the control evaluation large classification table is “47” unique to the table. The management ID on the table is an identification number uniquely assigned to each row value indicating the major classification of control evaluation on the table.

FIG. 14 is a diagram showing a configuration example of the control evaluation small classification table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format.
This control evaluation small classification table is a table for storing the contents of the control evaluation small classification on the control evaluation first table and the control evaluation second table. The parent type ID, parent management ID, type ID, The management ID, the value indicating the minor classification of the control evaluation, the display order, the invalid flag, the creator ID, the last updater ID, and the update date and time are associated with each other and stored in the risk management information storage unit 41 of the storage device 4.

  In the present embodiment, the parent type ID of the control evaluation small classification table is “47” which is the type ID of the control evaluation large classification table. The type ID of the control evaluation small classification table is “48” unique to the table. The management ID on the table is an identification number uniquely assigned to a value indicating a small classification of control evaluation on the table.

FIG. 15 is a diagram showing a configuration example of the loss event table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format.
This loss event table is a table for storing the details of the loss event on the risk classification table shown in FIG. 2, and includes the parent type ID, parent management ID, type ID, management ID, and details of the loss situation. The indicated value, display order, invalid flag, creator ID, last updater ID, and update date and time are associated with each other and stored in the risk management information storage unit 41 of the storage device 4.

  In this embodiment, the type ID of the loss event table is “51” unique to the table. The management ID on the table is an identification number uniquely given to the contents of the loss event on the table.

FIG. 16 is a diagram showing a configuration example of the main control document table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format.
The main control document table is a table for storing a control document and a control group ID which are the contents of the main control on the control evaluation first table and the control evaluation second table. The type ID, control group ID, control document, risk type ID, and invalid flag are associated with each other and stored in the risk management information storage unit 41 of the storage device 4.
Although not shown, in this control document table, the creator ID, the last updater ID, and the update date / time are further associated.

FIG. 17 is a diagram showing a configuration example of the loss scenario table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format.
This loss scenario table is a table for storing loss scenario information on the risk classification table shown in FIG. 2, and includes loss scenario ID, loss scenario, risk occurrence classification ID, risk type ID, invalid flag, creation The person ID, the last updater ID, and the update date are associated with each other and stored in the risk management information storage unit 41 of the storage device 4.

FIG. 18 is a diagram showing a configuration example of the control group pattern table stored in the storage device 4 of the office quality management apparatus in the embodiment of the present invention in a table format.
This control group pattern table is a table for storing control group pattern information for associating a control group with a system. The control group pattern ID, pattern ID, invalid flag, last updater ID, and update date and time are Associated. The pattern ID is identification information composed of numbers and underscores based on information input by the evaluation target information input process described later. The underbar on the pattern ID is a wild card.

  The contents of the various tables shown in FIGS. 6 to 18 can be arbitrarily changed by a predetermined operation on the input device 2. The risk classification table shown in FIG. 2, the control evaluation first table shown in FIGS. 3 and 4, and the control evaluation second table shown in FIGS. 5 and 6 are the contents of the various tables shown in FIGS. Is generated by the arithmetic processing unit 12.

Next, the operation of the office quality management apparatus having the configuration shown in FIG. 1 will be described.
FIG. 19 is a flowchart showing an example of the processing operation of the office quality management apparatus in the embodiment of the present invention.
The office quality management apparatus described in this embodiment designates a specific evaluation object among a plurality of evaluation objects related to risks and controls related to assets for business processing managed by a company that operates the office quality management apparatus. At this time, it has a function to support risk and control evaluation work related to the evaluation target.

  The asset for paperwork to be evaluated means the system itself managed by the company that operates the business quality management apparatus or the management organization that manages the system.

  In other words, the office quality management apparatus described in the present embodiment specifically supports a risk and control evaluation work related to a specific system among a plurality of systems managed by the company described above. The function is a function that supports a risk and control evaluation work related to system operation by designating a specific management organization among a plurality of management organizations that manage the system managed by the company.

  The office quality management apparatus first performs an evaluation target input process in accordance with the operation of the input device 2 by the evaluation target setter (step S1). The setter of the evaluation target is different from the risk and control evaluator of the evaluation target.

Details of this input processing will be described. FIG. 20 is a flowchart illustrating an example of an evaluation target input process performed by the office quality management apparatus according to the embodiment of the present invention. FIG. 21 is a diagram illustrating an example of an evaluation target type selection screen by the office quality management apparatus according to the embodiment of the present invention.
When a predetermined operation is performed on the input device 2, the screen output control unit 11 causes the output device 3 to display an evaluation target type selection screen.

  In this selection screen, the risk and control to be evaluated are input to the input device 2 as risks and controls related to a specific system managed by the company operating the office quality management apparatus, or the office quality management apparatus It is possible to select whether the risk and control are related to system operation by a specific management organization that manages the system of the company that operates the system.

  When risk and control related to a specific system are to be evaluated, the input device 2 selects a “select” icon corresponding to “system” on the screen and then selects an “OK” icon.

  In addition, when the risk and control related to system operation by a specific management organization that manages the system of the company that operates the office quality management device is to be evaluated, the input device 2 corresponds to the “management organization” on the screen. After selecting the “select” icon, the “OK” icon is selected (step S11).

FIG. 22 is a diagram illustrating an example of an evaluation target system / form registration screen by the office quality management apparatus according to the embodiment of the present invention.
When the “OK” icon is selected after the “Select” icon corresponding to “System” on the selection screen shown in FIG. 21 is selected (YES in Step S12), the screen output control unit 11 performs the operation shown in FIG. The evaluation target system / form registration screen shown in FIG.

  In this evaluation target system / form registration screen, the name, business classification, system importance level, and information importance level of the system, which are assets subject to risk or control evaluation, are entered by input operation to the input device 2 Further, among the various items of the system configuration as shown in FIG. 4, a plurality of items corresponding to the system to be evaluated can be selected (steps S13, S14, S15, S16, S17). . Input may be omitted for the business classification in the evaluation target system / form registration screen.

  The names of various systems and the names of business categories are stored in the storage device 4, and in the system name input field on the registration screen, the names of the systems to be evaluated for system risk control are displayed as selection candidates. . In this screen, the system importance level and the information importance level can be selected and input from “most important”, “important”, and “general”.

  When the input contents are determined on the evaluation target system / form registration screen or the evaluation target management organization / classification registration screen, the evaluation target classification information processing unit 6 displays the system name, business classification, The system importance level and the information importance level are stored in the evaluation target information storage unit 42 of the storage device 4 together with the tree ID, the update date and time, and the updater ID that are uniquely assigned as system information to be evaluated.

  Moreover, the evaluation object classification information processing unit 6 assigns the identification number corresponding to the selection item that is the item selected as the item corresponding to the evaluation target system among the various items of the system form in the process of step S17 to the evaluation object. Are stored in the evaluation object information storage unit 42 of the storage device 4 together with the tree ID, the update date and time, and the updater ID. This completes the input process related to the system to be evaluated.

FIG. 23 is a diagram illustrating an example of an evaluation target management organization / classification registration screen by the office quality management apparatus according to the embodiment of the present invention.
When the “select” icon corresponding to the “management organization” on the selection screen shown in FIG. 21 is selected and the “OK” icon is selected (NO in step S12), the screen output control unit 11 The output device 3 displays an evaluation object management organization / classification registration screen shown in FIG.

  On the evaluation target management organization / classification registration screen, the name of a specific management organization and business category that manages the system that is the asset that is subject to risk or control evaluation can be input by an input operation to the input device 2. Further, a plurality of items corresponding to the management organization to be evaluated can be selected from the various items of the management organization classification as shown in FIG. 6 (steps S18, S19, S20). Input may be omitted for the business category on the evaluation target management organization / classification registration screen.

  The names of various management organizations and business category names are stored in the storage device 4, and the names of each system to be evaluated for system risk control are selected as candidates for selection in the management organization name and business category input fields on the registration screen. Respectively.

  When the input content is determined on the evaluation target system / form registration screen or the evaluation target management organization / classification registration screen, the evaluation target classification information processing unit 6 inputs the management organization name and the business classification input in the processes of steps S18 and S19. Are stored in the evaluation object information storage unit 42 of the storage device 4 together with the tree ID, the update date / time, and the updater ID that are uniquely assigned as management organization information to be evaluated.

  In addition, the evaluation target category information processing unit 6 uses the identification number corresponding to the item selected as the item corresponding to the management organization to be evaluated among the various items of the management organization classification in the process of step S20. The organization information is stored in the evaluation object information storage unit 42 of the storage device 4 together with the tree ID, the update date and time, and the updater ID. This completes the input process related to the management organization to be evaluated.

  The evaluation target risk list extraction unit 7 uses the evaluation target risk list extraction unit 7 based on the contents of each item other than the evaluation target system name and the business category in the information stored in the evaluation target information storage unit 42. The risk extraction process related to the evaluation target system or management organization is performed, and the evaluation target control list extraction unit 9 performs the control extraction process related to the evaluation target system or management organization (step S2).

Here, the details of the risk / control extraction process when the evaluation target system / form registration screen shown in FIG. 22 is displayed on the output device 3 and an input is made on this screen will be described.
FIG. 24 is a flowchart showing an example of risk / control extraction processing by the office quality management apparatus according to the embodiment of the present invention. FIG. 25 is a diagram for explaining a procedure for generating a pattern ID by the office quality management apparatus according to the embodiment of the present invention. FIG. 26 is a diagram for explaining a procedure for acquiring a risk list by the office quality management apparatus according to the embodiment of the present invention.
First, the pattern ID generation unit 5 selects the item selected as corresponding to the evaluation target system in the process of step S17 among the items in the form of the evaluation target system, the system importance input in the process of step S15 And pattern ID is produced | generated based on the information importance input by the process of step S16 (step S21).

  Specifically, the highest digit of the pattern ID is a system importance value, and the digit one digit lower than the highest digit is an information importance value. The value when the system importance level and the information importance level are “most important” is “3”, the value when “important” is “2”, and the value when “general” is “normal”. 1 ”.

  The value after the third digit from the top of the pattern ID is a value indicating the information of the item selected as corresponding to the evaluation target system among the items of the evaluation target form shown in FIG. Among the items, the value of the item selected as corresponding to the evaluation target system on the evaluation target system / form registration screen is “1”, and the item not selected is represented by an underbar.

  The evaluation target risk list extraction unit 7 is a pattern ID generated by the process of step S21 among the control group IDs stored in the risk management information storage unit 41 of the storage device 4 on the control group pattern table shown in FIG. The control group ID associated with is extracted (step S22).

  The information extracted by the evaluation target risk list extraction unit 7 is information whose invalid flag in the reference table is “0”. The same applies to the various information extraction processing performed by the evaluation target risk list extraction unit 7 and the evaluation target control list extraction unit 9 described below.

  The assessment target risk list extraction unit 7 extracts the control extracted in the process of step S22 from the loss scenario ID stored in the risk management information storage unit 41 of the storage device 4 on the control group-loss scenario association table shown in FIG. A loss scenario ID associated with the group ID is extracted (step S23).

  The assessment target risk list extraction unit 7 performs the process of step S23 among the potential risk classification IDs on the loss scenario-latent risk classification relation table shown in FIG. 11 stored in the risk management information storage unit 41 of the storage device 4. A potential risk classification ID associated with the extracted loss scenario ID is extracted (step S24).

  The evaluation target risk list extraction unit 7 extracts the potential extracted in the process of step S24 from the contents of the potential risk classification on the potential risk classification table shown in FIG. 7 stored in the risk management information storage unit 41 of the storage device 4. The contents of the potential risk classification associated with the risk classification ID are extracted (step S25).

  The assessment target risk list extraction unit 7 associates with the loss scenario ID extracted in the process of step S23 among the loss scenarios on the loss scenario table shown in FIG. 17 stored in the risk management information storage unit 41 of the storage device 4. Information on the loss scenario to be obtained is extracted (step S26).

  Further, the evaluation target risk list extraction unit 7 extracts information on the risk occurrence classification ID associated with the loss scenario ID extracted in the process of step S23 among the risk occurrence classification IDs on the same loss scenario table (step S27). .

  The assessment target risk list extraction unit 7 extracts the risk extracted in the process of step S27 from the contents of the risk occurrence classification on the risk occurrence classification table shown in FIG. 18 stored in the risk management information storage unit 41 of the storage device 4. Information on the contents of the risk occurrence classification associated with the occurrence classification ID is extracted (step S28).

  The evaluation target risk list extraction unit 7 performs the process of step S23 among the loss event type IDs stored in the risk management information storage unit 41 of the storage device 4 on the loss scenario-loss event type relation table shown in FIG. A loss event type ID associated with the extracted loss scenario ID is extracted (step S29).

  The evaluation target risk list extraction unit 7 performs the process of step S29 among the values of the loss events on the loss event table shown in FIG. 15 stored in the risk management information storage unit 41 of the storage device 4, that is, the contents of the loss events. The contents of the loss event associated with the management ID having the same value as the loss event type ID extracted in step S30 are extracted (step S30).

FIG. 27 is a diagram for explaining a control list acquisition procedure by the office quality management apparatus according to the embodiment of the present invention.
Next, the evaluation target control list extraction unit 9 performs the process of step S22 among control documents that are main controls on the main control document table shown in FIG. 16 and stored in the risk management information storage unit 41 of the storage device 4. In step S31, the control document associated with the control group ID extracted by the evaluation target risk list extraction unit 7 is extracted.

  Next, the evaluation target control list extraction unit 9 includes the control evaluation large classification values stored in the risk management information storage unit 41 of the storage device 4 in the control evaluation large classification table shown in FIG. The control evaluation large classification value associated with the control group ID extracted by the evaluation target risk list extraction unit 7 in the process of step S22 is extracted from the first control evaluation table shown (step S32).

  The evaluation target control list extraction unit 9 stores the control shown in FIG. 3 among the values of the control evaluation subcategory on the control evaluation subclassification table shown in FIG. 14 stored in the risk management information storage unit 41 of the storage device 4. On the first evaluation table, the value of the control evaluation subcategory associated with the control group ID extracted by the evaluation target risk list extraction unit 7 in the process of step S22 is extracted (step S33).

  Next, the evaluation target control list extraction unit 9 performs the process of step S22 among the control contents that are sub-controls on the sub-control content table shown in FIG. 12 and stored in the risk management information storage unit 41 of the storage device 4. In step S34, the control contents associated with the control group ID extracted by the evaluation target risk list extraction unit 7 are extracted.

  The evaluation target risk list extraction unit 7 stores the potential risk classification extracted by the process of step S25 out of each row on the risk occurrence classification table shown in FIG. 2 stored in the risk management information storage unit 41 of the storage device 4. Contents, the information of the loss scenario extracted by the process of step S26, the information of the content of the risk occurrence classification extracted by the process of step S28, and the line related to the value of the loss event extracted by the process of step S30 are extracted, and this extraction For the risk occurrence classification, potential risk classification, loss scenario and loss event in the row, enter the evaluation target system name, business classification, system importance, information importance, and system configuration information entered as described above. A combined evaluation target risk management table is generated and stored in the evaluation target risk list storage unit 43 of the storage device 4. Step S35).

FIG. 28 is a diagram showing a configuration example of an evaluation target risk management table by the office quality management apparatus in the embodiment of the present invention in a table format.
In the example shown in FIG. 28, the top and second stages are extracted from the risk occurrence classification rows on the risk occurrence classification table shown in FIG. 2, and the risk occurrence classification, potential risk classification, This is an example of an evaluation target risk management table that combines the evaluation scenario system name, business classification, system importance level, information importance level, and information on the system type selection items entered as described above for the loss scenario and loss event. .

  In this risk management table to be evaluated, a column of estimated loss scale, which is an evaluation value of risk, is provided for each loss scenario, and the value of estimated loss scale is blank when evaluation has not yet been performed.

  Next, the evaluation target control list extraction unit 9 stores the control group ID extracted in the process of step S22 among the rows on the control evaluation first table stored in the risk management information storage unit 41 of the storage device 4. Extraction of relevant lines, and the evaluation target entered as described above for the main control, major classification of control evaluation, minor classification of control evaluation, sub-control, REF to regulations (excluding affiliates), and loss scenarios in this extracted line An evaluation target control management table in which system name, business classification, system importance level, information importance level, and information on selection items of the system form are combined is generated and stored in the evaluation target control list storage unit 44 of the storage device 4 ( Step S36).

FIG. 29 is a diagram showing a configuration example of an evaluation target control management table by the office quality management apparatus in the embodiment of the present invention in a table format.
In the example shown in FIG. 29, control IDs “30001” and “30002” are extracted from each row on the control evaluation first table, and the main control, control evaluation major classification, control evaluation minor classification, sub For the control, REF to regulations (excluding affiliated companies), and loss scenarios, the information of the evaluation target system name, business classification, system importance, information importance, and system configuration selection items entered as described above were combined. It is an example of an evaluation object control management table.

  In the evaluation target control management table, columns of evaluation values of various controls are provided for each of the main control and the sub-control, and when evaluation has not yet been performed, the value of this evaluation value is blank. This completes the risk control extraction process.

  Next, the office quality management apparatus performs an evaluation input process for the extracted risk or control (step S3). In the present embodiment, the extracted risk evaluation input and the extracted control evaluation can be performed separately.

FIG. 30 is a flowchart illustrating an example of evaluation input processing by the office quality management apparatus according to the embodiment of the present invention. FIG. 31 is a diagram showing an example of an evaluation input type selection screen by the office quality management apparatus in the embodiment of the present invention.
The screen output control unit 11 causes the output device 3 to display the evaluation input type selection screen shown in FIG. 31 for selecting the evaluation input target between the evaluation target risk and the evaluation target control (step S41).

In this selection screen, it is possible to select whether the evaluation input target is the risk of the evaluation target or the control of the evaluation target by an input operation to the input device 2.
When the evaluation target risk is set as an evaluation input target, the input device 2 selects a “select” icon corresponding to “risk” on the screen and then selects an “OK” icon.

  When the evaluation target control is an evaluation input target, the input device 2 selects a “select” icon corresponding to “control” on the screen and then selects an “OK” icon.

  When an evaluation target risk is selected as an evaluation input target on the evaluation input type selection screen (YES in step S42), the evaluation target risk list output control unit 8 generates the evaluation target risk generated in the process of step S35. Based on the contents of the management table, a screen for selecting a risk as an evaluation value input target from among a plurality of types of risks as evaluation target risks is displayed on the output device 3 (step S43). The contents of this screen are the same as the contents of the evaluation target risk management table shown in FIG. 28, and it is possible to select the line including the risk of the evaluation value input target among the lines on the screen by operating the input device 2. It has become.

  When a risk row for which an evaluation value is to be input is selected, the evaluation target risk list output control unit 8 causes the output device 3 to display a risk evaluation input screen for risk evaluation input corresponding to the selected row. (Step S44).

FIG. 32 is a diagram showing a display example of a risk evaluation input screen by the office quality management device according to the embodiment of the present invention.
This input screen displays the name of the evaluation target system that has already been entered, the business classification, the system importance, the information importance, and the system form. In addition, the risk occurrence classification, potential risk classification, The loss scenario and the type of loss event are displayed, and an input field for the assumed loss size (maximum) of the risk of the extracted line is displayed.

  When the maximum value of the loss due to loss is input to the input field of the assumed loss scale (maximum) by the input device 2 (step S45) and the OK icon on the screen is selected, the risk management table to be evaluated is extracted. This completes the input of the risk assessment value for the row. The arithmetic processing unit 12 updates the evaluation target risk management table according to the input result, and also updates the assumed loss scale (maximum) on the risk classification table shown in FIG.

  As shown in the control evaluation first table shown in FIG. 3 and the control evaluation second table shown in FIG. 5, a single type of loss scenario may be involved in a plurality of types of main controls. In this case, if the risk assessment input screen is displayed in a form in which the referenced information is linked with reference to the control corresponding to the risk, the number of single-type risks displayed on the risk assessment input screen is plural. Therefore, the evaluation value of a single type of risk must be input multiple times.

  However, the risk displayed on the risk evaluation input screen in the present embodiment is displayed without referring to the control type for avoiding the risk, and the number of single-type risks displayed on the screen. One is enough. Therefore, the evaluator can evaluate the risk itself with the minimum necessary work without being aware of the control related to the specific type of risk related to the system to be evaluated.

  When the evaluation target control is selected as an evaluation input target on the evaluation input type selection screen (NO in step S42), the evaluation target control list output control unit 10 performs the evaluation generated in the process of step S35. Based on the contents of the target control management table, a screen for selecting a main control to which an evaluation value is to be input is displayed on the output device 3 from among a plurality of types of main controls that are to be evaluated (step S46). The content of this screen is the same as the content of the evaluation target control management table shown in FIG. 29, and the row of the main control for which the evaluation value is input can be selected by operating the input device 2 among the rows on the screen. It has become.

  When the row of the main control to which the evaluation value is to be input is selected, the evaluation target control list output control unit 10 performs the evaluation input of the main control corresponding to the selected row and the sub-control corresponding to the main control. A control evaluation input screen is displayed on the output device 3 (step S47).

FIG. 33 is a diagram showing a display example of a control evaluation input screen by the office quality management apparatus in the embodiment of the present invention.
In this input screen, in addition to the input evaluation target system name, business classification, system importance, information importance, and system form, the loss scenario of the extraction row of the evaluation target control management table, the major classification of control evaluation, small Classification, REF to rules (excluding affiliated companies), main control, evaluation input field of main control, and sub-control are displayed. The loss scenario of the extracted row in the evaluation target control management table is displayed as an aid for understanding the contents of various controls, and may be omitted.

In the evaluation input field of the main control, “◯” and “×” for evaluating the validity of the contents of the main control are displayed as selection candidates.
If the administrator determines that the main control is valid, that is, is currently being implemented or is scheduled to be implemented, and is selected if “O” is selected as shown in FIG. 33 or if the main control is not valid. When “x” is selected by the user, the selected content becomes the evaluation result of the main control (step S48).

Further, as shown in FIG. 33, check boxes for evaluating the effectiveness of the sub-controls are provided in the information of various sub-controls on the input screen.
These check boxes are used when the evaluation result of the main control on the screen is “×” (NO in step S49), and the check box of the sub-control determined by the administrator is valid. If so (step S50), the sub-control corresponding to the check box is evaluated as valid.

  On the other hand, if the evaluation result of the main control is “◯” (YES in step S49), or the evaluation value of the sub-control is input by the input device 2 and the OK icon on the screen is selected, the evaluation target control Input of the evaluation value of the control of the extracted row of the management table is completed. The arithmetic processing unit 12 updates the evaluation target control management table according to the input result, and also updates the main control evaluation and sub-control evaluation on the control first table.

  The controls displayed on the control evaluation input screen are displayed for each control group ID without referring to the type of risk related to the control. As shown in the control evaluation first table shown in FIG. 3 and the control evaluation second table shown in FIG. 5, a single type of main control may be involved in multiple types of loss scenarios. However, since only one single type of main control is displayed on the control evaluation input screen of this embodiment, the evaluator is conscious of the type of risk related to the specific type of control related to the system to be evaluated. Therefore, the main control and the sub-controls related to the main control can be evaluated with the minimum necessary work.

  Although the loss scenario is displayed on the control evaluation input screen shown in FIG. 33, the main control associated with the pattern ID generated as described above is determined as the main control displayed on the control evaluation input screen. It is. The displayed loss scenario is information for assisting understanding of various main controls as described above. That is, the number of types of loss scenarios related to various main controls does not affect the number of main controls displayed on the control evaluation input screen.

  When an OK icon on the evaluation input screen for risks and various controls is selected by the input device 2, the screen output control unit 11 displays the evaluation input type selection screen on the output device 3 again (step S51).

  When this evaluation input type selection screen is displayed, the evaluator selects a selection icon of the corresponding type when evaluating another risk or control to be evaluated. In this case (NO in step S52), the processing after step S42 described above is performed again.

  In addition, when the evaluation of other risks or controls to be evaluated ends, the evaluator selects a selection icon corresponding to the notation of “end evaluation” on the screen and selects an OK icon. In this case (YES in step S52), the evaluation input process ends.

FIG. 34 is a diagram showing a display example of a risk management self-evaluation database form by the office quality management apparatus according to the embodiment of the present invention.
Based on the evaluation object risk management table and the evaluation object control management table updated by the evaluation input process, the arithmetic processing unit 12 performs risk occurrence classification, potential risk classification, loss scenario, assumed loss scale (maximum ), Risk management, risk assessment, control assessment major classification, minor classification, REF to regulations (excluding affiliates), main control, main control assessment, sub-control, sub-control assessment, risk management shown in FIG. A self-evaluation database form (RCSA form) is generated.

The screen output control unit 11 displays the generated RCSA form on the screen of the output device 3 (step S4). That is, the screen output control unit 11 is an output unit that outputs information input by the loss scale input unit together with loss information related to the information, and outputs information input by the measure effectiveness input unit together with measure information related to the information. is there.
Thereby, the administrator can grasp the risk, the evaluation value of the risk, the control, and the evaluation value of the control regarding the system to be evaluated.

  As described above, in the office quality management apparatus according to the embodiment of the present invention, classification information related to assets for office processing, loss (risk) assumed in advance regarding assets in the classification, evaluation of the loss, occurrence of the loss Management information that associates measures (controls) to avoid doing and information indicating whether the measures are effective or not is stored, and among the asset categories indicated by this management information, the loss assessment target When the category information to be evaluated and the category information to be evaluated for the effectiveness of the measure are input, a list of measures related to the category and measures (controls) for avoiding the occurrence of the loss is output. Therefore, if the evaluator inputs the category of the asset to be evaluated, the evaluator can improve the efficiency of the loss of the asset of the specific category and the evaluation work of the measure without being aware of the rules of the paperwork.

  The present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be omitted from all the components shown in the embodiment. Furthermore, you may combine suitably the component covering different embodiment.

  DESCRIPTION OF SYMBOLS 1 ... Control part, 2 ... Input device, 3 ... Output device, 4 ... Memory | storage device, 5 ... Pattern ID production | generation part, 6 ... Evaluation object classification information processing part, 7 ... Evaluation object risk list extraction part, 8 ... Evaluation object risk List output control unit, 9 ... Evaluation target control list extraction unit, 10 ... Evaluation target control list output control unit, 11 ... Screen display output unit, 12 ... Arithmetic processing unit, 13 ... Bus, 41 ... Risk management information storage unit, 42 ... evaluation target information storage unit, 43 ... evaluation target risk list storage unit, 44 ... evaluation target control list storage unit.

Claims (6)

Sorting information relating to assets for paperwork, associated measures information for loss information for specifying a pre-assumed losses related assets of the division, the loss is specific measures to avoid the occurrence Management information storage means for storing management information;
Of the classification information indicated by the management information, the classification information for inputting the classification information related to the asset to be evaluated for effectiveness indicating whether the loss evaluation target and the measure for avoiding the loss are implemented or planned to be implemented Input means;
Of the management information, an extraction means for extracting the loss information associated with the classification information input by the classification information input means and the measure information associated with the classification information input by the classification information input means;
Loss scale input means for inputting the scale of loss specified by the loss information extracted by the extracting means;
Measure effectiveness input means for inputting information indicating a measure to be implemented or planned to be implemented among measures specified by the measure information extracted by the extraction means;
An office quality management apparatus comprising: an output unit that outputs information input by the loss scale input unit together with loss information related to the information, and outputs information input by the measure effectiveness input unit together with measure information related to the information. The office quality management apparatus according to claim 1, wherein the classification information related to the asset in the management information stored in the management information storage means is information indicating a form of a device related to the asset. The office quality management apparatus according to claim 1, wherein the classification information related to the asset in the management information stored in the management information storage means is information indicating a classification of a jurisdiction of the asset. The extraction means includes
Among the lost information indicated by the management information stored in said management information storage means, measures to avoid loss identified loss information associated with classification information entered by the sorting information input means in the loss information Extract without referring to the measure information to identify,
Of the measure information indicated by the management information, refer to the loss information for specifying the loss related to the measure specified by the measure information for the measure information associated with the category information input by the category information input means The office quality control device according to claim 1, wherein the office quality management device is extracted without any problem. Sorting information relating to assets for paperwork, associated measures information for loss information for specifying a pre-assumed losses related assets of the division, the loss is specific measures to avoid the occurrence A computer comprising management information storage means for storing management information,
Of the classification information indicated by the management information, the classification information for inputting the classification information related to the asset to be evaluated for effectiveness indicating whether the loss evaluation target and the measure for avoiding the loss are implemented or planned to be implemented Input means,
Extraction means for extracting, from the management information, the loss information associated with the classification information input by the input means and the measure information associated with the classification information input by the classification information input means,
Loss scale input means for inputting the scale of loss specified by the loss information extracted by the extracting means,
Measure effectiveness input means for inputting information indicating a measure to be implemented or planned to be implemented among measures specified by the measure information extracted by the extracting means,
Office quality control for functioning as an output means for outputting information inputted by the loss scale input means together with loss information related to the information, and outputting information inputted by the measure effectiveness input means together with measure information related to the information Processing program. Sorting information relating to assets for paperwork, associated measures information for loss information for specifying a pre-assumed losses related assets of the division, the loss is specific measures to avoid the occurrence A method executed by a computer having management information storage means for storing management information,
The category information input means includes the category information indicated by the management information, and the category related to the asset to be evaluated for effectiveness indicating whether the loss evaluation target and the measure for avoiding the loss are implemented or planned to be implemented Entering information,
An extraction means for extracting, from the management information, the loss information associated with the classification information input by the input means and the measure information associated with the classification information input by the classification information input means;
A step of inputting a loss scale specified by the loss information extracted by the extraction means by a loss scale input means;
A step in which measure effectiveness input means inputs information indicating a measure to be implemented or planned to be implemented among measures identified by the measure information extracted by the extracting means;
Office quality management comprising a step of outputting information inputted by the loss scale input means together with loss information related to the information, and outputting information inputted by the measure effectiveness input means together with measure information related to the information Processing method.

Images