JP2007183807A - Business process evaluation system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform overall evaluation for all processes, by executing processing for evaluating controls on risks of a company by using a documented list. <P>SOLUTION: This system comprises a control registration means 111 for registering controls for each process; a score by process calculation means 112 for calculating scores of the controls for each process; an evaluation by process means 113 for evaluating the controls for each process; and a business process evaluation means 114 for overall evaluations of all processes. The control registration means manages a plurality of risk contents, control contents that are countermeasure contents, and validity of control results in process units, and the score by process calculation means calculates scores of control results by risk of each process managed by the control registration means. The evaluation by process means summarizes the calculated scores of control results by risk for each process, and the business process evaluation means evaluates the controls to risks of all the processes by the process scores summarized by process units and the process evaluations. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a business process evaluation system, and more particularly, to a business process evaluation system that uses a computer to evaluate a company's risk control using a documented list.

As a conventional technique related to a business process evaluation system, for example, a technique described in Patent Document 1 is known. This prior art identifies various compliance requirements and compliance issues for business processes, creates action plans based on them, and forwards them to individuals or entities to determine whether compliance requirements and compliance issues are handled appropriately. In order to do this, the result of the action plan is monitored.
JP 2001-250023 A

  In general, the risks that a company has in doing business are inherent in the overall business, and the company is required to grasp the risks. For this purpose, the company formulates and manages various management systems and measures. However, it is difficult for a company to comprehensively grasp risks and analyze and evaluate the controls for those risks. In the above-described prior art, various risks are created as control details only in compliance with laws and regulations, and the person in charge manages and compares the risks in units of one record of the control details. For this reason, while the above-mentioned conventional technology can manage risks only in compliance with laws and regulations, it comprehensively understands the risks inherent in the overall operations of the company and analyzes the controls for those risks. Therefore, there is a problem that it cannot be evaluated.

  The object of the present invention is to solve the above-mentioned problems of the prior art, manage the risks and controls related to the overall operations of the company, and evaluate the process and the whole process from the individual risks and controls. Is to provide a business process evaluation system.

  According to the present invention, the object is, in the business process evaluation system for evaluating the control against the risk of the company, a control registration means for registering a control for each process, a score calculation means for each process for calculating a score for the control for each process, A process evaluation means for evaluating the control for each process and a business process evaluation means for integrating the evaluation of all processes. The control registration means includes a plurality of risk contents for each process and a countermeasure content for each risk. A control content and the effectiveness of the result of the control are registered and managed as control details, and the score calculation means for each process is a control result for each risk of each process of the control details managed by the control registration means. The process-based evaluation means calculates the score of the control result for each risk calculated by the process-specific score calculation means. A process score and process evaluation summarized for each process are obtained, and the business process evaluation means evaluates the risk control of all processes by the process score and process evaluation summarized for each process obtained by the process-specific evaluation means. Is achieved.

  According to the present invention, it is possible to manage risks and controls related to overall business operations of a company and to evaluate processes and the entire processes (evaluation of the entire company) from the individual risks and controls.

  Embodiments of a business process evaluation system according to the present invention will be described below in detail with reference to the drawings.

  FIG. 1 is a block diagram showing the configuration of a business process evaluation system according to an embodiment of the present invention. In FIG. 1, 101 is a department terminal, 102 is a network, 103 is a WEB server, 104 is a menu program, 105 is a basic information registration screen program, 106 is a control registration screen program, 107 is a process evaluation screen program, and 108 is a process-specific control. Detailed screen program, 109 is a business process server, 110 is a basic information registration program, 111 is a control registration program, 112 is a score calculation program by process, 113 is an evaluation program by process, 114 is a business process evaluation program, and 115 is a reference sample text 116 is an influence text, 117 is a company text, 118 is a basic information DB, 119 is a control details DB, 120 is a control score DB, 121 is a process-specific evaluation DB, and 122 is a business process evaluation DB.

  A business process evaluation system according to an embodiment of the present invention is configured by connecting a business process server 109, a department terminal 101, and a WEB server 103 via a network 102, as shown in FIG.

  As described above, the business process server 109 is a server computer or a PC, and the basic information registration program 110, the control registration program 111, the process evaluation calculation program 112, the process evaluation program 113, and the business process evaluation program 114 are stored in the memory thereof. Each program and each text of the reference sample text 115, the influence text 116, and the company text 117 are stored, and each program described above is executed by the CPU of the business process server 109. In addition, a basic information DB 118, a control details DB 119, a control score DB 120, a process-specific evaluation DB 121, and a business process evaluation DB 122 are stored on the storage device of the business process server 109.

  The WEB server 103 is a server computer or a PC, and each of a menu screen program 104, a basic information registration screen program 105, a control registration screen program 106, a process evaluation screen program 107, and a process-specific control detail screen program 108 is stored in its memory. Programs are stored, and these programs are executed by the CPU of the WEB server 103.

  The department terminal 101 includes an input device and a display device, and includes a WEB browser, displays a control registration screen from the business process server 109 via the WEB, and is used for data registration and reference by a person in charge.

  Next, before explaining the processing operation in the embodiment of the present invention, FIG. 7 to FIG. 19 show the configuration of the display screen displayed on the department terminal 101 and the configuration of each DB and text in the processing described later. The description will be given with reference.

  FIG. 7 is a diagram illustrating an example of a menu screen displayed on the department terminal 101. This menu screen is displayed on the department terminal 101 after the business process server 109 is accessed by the operator from the department terminal 101 and authenticated. In this menu screen, a company name 701 corresponding to the accessed operator is displayed, and a processing name executed by the operator, in the illustrated example, basic information registration 702, process-specific control registration 703, and process evaluation 704 can be selectively input. Is displayed.

  FIG. 8 is a diagram illustrating an example of a basic information registration screen displayed on the department terminal 101. On this basic information registration screen, a company name 801 corresponding to the accessed operator and “basic information registration” which is the name of this screen are displayed, and the department 802, process 803, and process owner 804 to be input by the operator are displayed. Each input area and a registration button 805 for registering input information after the input are displayed.

  FIG. 9 is a diagram showing an example of a control registration screen displayed on the department terminal 101. On this control registration screen, a company name 901, a department 902, and a process 903 (pull-down) are displayed, a control item number 904 as control information, an affected account item 905 (an account item that affects the risk content 906). In addition, when risk other than financial risk is described in risk content 906, this item is left blank), risk content 906, control content 907, control frequency 908, number of samples 909, number of deficiencies 910, impact 911, The items of the control effectiveness 912, the presence / absence of complementary control 913, and the item number 914 of the complementary control are displayed to be inputable. A registration button 915 for registering input information after input is displayed. In the control item number 904, a number that is unique in all processes is input.

  In FIG. 9, for example, the risk content 906 for the account receivable of the account item 905 in the item number 1 of the control item number 904 is an erroneous input, and the control content 904 corresponding thereto is a verification, and this verification Indicates that this may be done at any time. In addition, the control effectiveness 912 indicates whether or not there is a defect as a result of the control. In the case of the item number 1 described, there are two defects in the verification results for 50 samples. Therefore, N is put here. Further, the influence degree 911 indicates the magnitude of the influence including not only the sales process shown in FIG. 9 but also other departments.

  FIG. 10 is a diagram illustrating an example of a process evaluation screen displayed on the department terminal 101. On this process evaluation screen, a company name 1001 and a department 1002 are displayed, and information transmitted from the business process server 109 includes a process 1004, a control registration status 1006, a process evaluation 1009, a process evaluation (finance) 1007, Process evaluation (others) 1008 and process owner 1005 are displayed. The detailed display 1003 is a check box that cannot be selected in plural, and the top process is checked when the process evaluation screen shown in FIG. 10 is initially displayed. Further, a button for detailed display 1011, a button for process-specific evaluation 1012, and a button for comprehensive evaluation 1013 are displayed, and the corresponding functions can be executed by pressing these buttons. In addition, a display area 1010 indicating whether the evaluation result is acceptable is displayed.

  FIG. 11 is a diagram showing an example of a process-specific control detail screen displayed on the department terminal 101. In this process-specific control details screen, company name 1101, department 1102, process 1103, and process owner 1104 are displayed, and information transmitted from the business process server 109 includes control item number 1105, risk category 1106, risk It is displayed as a content 1107, a control content 1108, and a control score 1109. In addition, a score calculation button 1110 is displayed and pressed for an instruction to calculate the score.

  FIG. 12 is a diagram showing the configuration of the reference sample text 115. The reference sample text 115 stores a frequency 1201 for executing control and a reference sample number 1202. In the illustrated example, the frequency 1201 indicates that there are five types as needed, daily, weekly, monthly, and quarterly, and the number of samples serving as a reference when performing control at those frequencies is designated. ing.

  FIG. 13 is a diagram showing the configuration of the influence text 116. This influence text 116 indicates that there are three types of influence degrees 1301, large, medium, and small.

  FIG. 14 is a diagram showing the configuration of the company text 117. In this company text 117, an operator ID 1401, a company name 1402, and a department 1403 are managed for each operator.

  FIG. 15 is a diagram showing the configuration of the basic information DB 118. The basic information DB 118 is information input from the screen shown in FIG. 8, where basic information is managed by a record for each item number of the basic information item number 1501, a department 1502, a process 1503, a process Each item of the owner 1504 is stored.

  FIG. 16 is a diagram showing the configuration of the control details DB 119. The control details DB 119 registers information input from the screen shown in FIG. 9, and the control information stored and managed in the control details DB 119 is how the company responds to business risks. It is information indicating whether or not to perform. In the control details DB 119, a record for each item number of the control item number 1601 includes a process 1602, an affected account item 1603, a risk content 1604, a control content 1605, a control frequency 1606, a sample number 1607, a deficiency number 1608, The degree of influence 1609, the effectiveness of control 1610, the presence / absence of complementary control 1611, and the item number 1612 of complementary control are stored and managed.

  FIG. 17 is a diagram showing the configuration of the control score DB 120. The control score DB 120 stores the result of evaluating the control indicated by the screen shown in FIG. 11. This control score DB 120 includes a process 1702 and a risk classification in a record for each item number of the control item number 1701. 1703 and a control score 1704 are stored and managed.

  FIG. 18 is a diagram showing the configuration of the process-by-process evaluation DB 121. This process-by-process evaluation DB 121 stores the results of evaluation of each process by the process-by-process evaluation program 113. In this process-by-process evaluation DB 121, a process 1801, a control registration status 1802, a control count 1803, a threshold 1804, a control effectiveness “N” count 1805, and a supplementary record are recorded for each item number. “Y” number of cases 1806, effectiveness of complementary control “Y” number 1807, process score 1808, process evaluation 1809, number of financial controls 1810, financial threshold 1811, financial process score 1812, financial process evaluation 1813, The number of other controls 1714, the other threshold value 1815, the other process score 1816, and the other process evaluation 1817 are stored and managed.

  FIG. 19 is a diagram showing the configuration of the business process evaluation DB 122. The business process evaluation DB 122 stores a target process 1 1901, a target process 2 1902, an overall threshold value 1903, and an overall process evaluation 1904 as results of the evaluation.

  FIG. 2 is a flowchart for explaining the processing operation in the case where basic information of a process to be evaluated by the business process evaluation system is registered. This will be described next. This process is mainly performed by the basic information registration program 110.

(1) First, the operator inputs the operator ID 1401 and password from the department terminal 101. This input information is transmitted to the business process server 109, and personal authentication is performed by the business process server 109 (steps 201 and 202).

(2) Next, if the authentication is OK in the process of step 202, the business process server 109 obtains the company name 1402 that matches the authenticated operator ID 1401 from the company text 117 shown in FIG. It is acquired and transmitted to the WEB server 103 (step 203).

(3) The menu screen program 104 of the WEB server 103 generates display information based on the received company name 1402 and the menu screen information, and transmits it to the department terminal 101 (step 204).

(4) Based on the display information transmitted in step 204, the department terminal 101 displays a menu screen describing the company name 701 as shown in FIG. Here, the operator presses the button for basic information registration 702 (step 205).

(5) Pressing of the basic information registration button 702 by the operator in step 205 is transmitted to the WEB server 103, and the basic information registration screen program 105 acquires the basic information registration screen information and describes the basic name describing the company name 801. An information registration screen is created and transmitted to the department terminal 101 (step 206).

(6) The department terminal 101 receives and displays a basic information registration screen as shown in FIG. The operator inputs a department 802, a process 803, and a process owner 804 on this basic information registration screen, and presses a registration 805 button. Here, the information input as the process owner 804 is the name of the head of the “sales department” input to the department 802 (step 207).

(7) The information input in step 207 is transmitted to the business process server 109, and the basic information registration program 110 updates the department 1502, the process 1503, and the process owner 1504 of the basic information DB 118 shown in FIG. (Step 208).

(8) Thereafter, the business process server 109 gives update completion to the basic information registration screen information and transmits it to the WEB server 103. The basic information registration screen program 105 notifies the update completion by creating a basic information registration screen indicating the completion of the update, transmitting it to the department terminal 101 and displaying it (steps 209 and 210).

  FIG. 3 is a flowchart for explaining processing for registering a control for each process to be evaluated by the business process evaluation system. Next, this will be described. This process is mainly performed by the control registration program 111.

(1) First, the operator inputs the operator ID 1401 and password from the department terminal 101. This input information is transmitted to the business process server 109, and personal authentication is performed by the business process server 109 (steps 301 and 302).

(2) Next, if the authentication is OK in the process of step 302, the business process server 109 obtains the company name 1402 that matches the authenticated operator ID 1401 from the company text 117 shown in FIG. It is acquired and transmitted to the WEB server 103 (step 303).

(3) The menu screen program 104 of the WEB server 103 generates display information based on the received company name 1402 and menu screen information, and transmits the display information to the department terminal 101 (step 304).

(4) Based on the display information transmitted in step 304, the department terminal 101 displays a menu screen describing the company name 701 as shown in FIG. Here, the operator presses the button of the process-specific control registration 703 (step 305).

(5) The press of the process-specific control registration button 703 by the operator in step 305 is transmitted to the business process server 109. The business process server 109 acquires the basic information registration screen information by the basic information registration screen program 105. All the processes 1503 in the basic information DB 118 are acquired and transmitted to the WEB server 103 (step 306).

(6) The control registration screen program 106 of the WEB server 103 creates control registration screen information using the received information of all the processes 1503 as initial information and transmits it to the department terminal 101 (step 307).

(7) The department terminal 101 displays a control registration screen describing the company name 901, department 902, and process 903 (pull-down) as shown in FIG. 9 based on the received control registration screen information. The operator has a control item number 904, an account item 905 that is affected (this is an account item that affects the risk content 906, and this item is left blank when a risk other than financial risk is described in the risk content 906), Enter risk content 906, control content 907, control frequency 908, number of samples 909, number of deficiencies 910, impact 911, effectiveness of control 912, presence / absence of complementary control 913, item number 914 of complementary control, and register button 915 Press. In the control item number 904, a number unique to all processes is input (step 308).

(8) When the registration button 915 is pressed in step 308, the input information is transmitted to the business process server 109, and the control registration program 111 updates the control details DB 119. This update is made up of the control item number 1601, the process 1602, the affected account item 1603, the risk content 1604, the control content 1605, the control frequency 1606, the number of samples 1607, the number of deficiencies 1608, and the degree of influence 1609 of the control details DB 119 shown in FIG. The update of the effectiveness 1610 of the control, the presence / absence of complementary control 1611, and the item number 1612 of the complementary control (step 309).

(9) Next, only the items of the control item number 904 and process 903 input in step 308 are updated to the control item number 1701 and process 1702 of the control score DB 120 shown in FIG. In addition, the item of the affected account item 905 input in step 308 is also replaced with “Finance” when the account item 905 is input, and “Other” when the account item 905 is not input. The risk category 1703 is updated. This is because the US Corporate Reform Act (SO Law) emphasizes the reliability associated with financial reporting, and is from the perspective of evaluating and assessing financial risk (step 310).

(10) Next, the business process server 109 stores the process 903 in the process 1801 of the process evaluation DB 121 shown in FIG. 18 and stores “registration” in the control registration status 1802 to update the process evaluation DB 121, Update completion is notified to the WEB server 103 (step 311).

(12) Upon receiving the report of the update completion, the WEB server 103 notifies the department terminal 101 of the update completion by including the update completion information in the control registration screen information and sending it to the department terminal 101 for display. Steps 312, 313).

  FIG. 4 is a flowchart for explaining a process of calculating and registering a control score for each process to be evaluated by the business process evaluation system, which will be described next. This process is mainly performed by the process-specific score calculation program 112.

(1) First, the operator inputs the operator ID 1401 and password from the department terminal 101. This input information is transmitted to the business process server 109, and personal authentication is performed by the business process server 109 (steps 401 and 402).

(2) Next, when authentication is OK in the process of step 402, the business process server 109 obtains a company name 1402 that matches the authenticated operator ID 1401 from the company text 117 shown in FIG. It is acquired and transmitted to the WEB server 103 (step 403).

(3) The menu screen program 104 of the WEB server 103 generates display information based on the received company name 1402 and menu screen information and transmits it to the department terminal 101 (step 404).

(4) Based on the display information transmitted in step 204, the department terminal 101 displays a menu screen describing the company name 701 as shown in FIG. Here, the operator presses the button of the process evaluation 704 (step 405).

(5) The pressing of the process evaluation 704 button in step 405 is transmitted to the business process server 109. Upon receiving this, the process score calculation program 112 of the business process server 109 receives all the processes 1801, control registration status 1802, process evaluation 1809, financial process evaluation 1813 registered in the process evaluation DB 121 shown in FIG. Other process evaluation 1817 is acquired. Further, the process owner corresponding to the acquired process 1801 is acquired from the process owner 1504 of the basic information DB 118 shown in FIG. Then, the acquired information is transmitted to the WEB server (steps 408 and 407).

(6) Upon receiving the information from the business process server 109, the WEB server 103 transmits the received information and the process evaluation screen information created by the process evaluation screen program 107 to the department terminal 101 (step 409).

(7) Upon receiving the information sent from the WEB server 103 in step 409, the department terminal 101 displays a process evaluation screen as shown in FIG. On this process evaluation screen, the company name 1001 and the department 1002 are displayed, and the transmitted process 1801, control registration status 1802, process evaluation 1809, financial process evaluation 1813, other process evaluation 1817, and process owner 1504 are respectively displayed. Are displayed as process 1004, control registration status 1006, process evaluation 1009, process evaluation (finance) 1007, process evaluation (others) 1008, and process owner 1005. The detailed display 1003 is a check box that cannot be selected in plural, and the top process is checked when the process evaluation screen shown in FIG. 10 is initially displayed. Here, the operator presses the detail button 1011 (step 406).

(8) The pressing of the detail button 1011 in step 406 is transmitted to the business process server 109, and the business process server 109 that has received this is checked in the detailed display 1003 of the process evaluation screen shown in FIG. The initial control information corresponding to 1004 is acquired as the process 1602 of the control details DB 119 shown in FIG. 16, and the control item number 1601, the affected account item 1603, the risk content 1604, and the control content 1605 are also acquired. At the same time, a risk score 1703 and a control score 1704 corresponding to the control item number 1701 of the control score DB 120 are acquired from the control score corresponding to the acquired control item number 1601, and the information is transmitted to the WEB server 103 (step 410). .

(9) Upon receiving the information from the business process server 109 in step 410, the WEB server 103 transmits, to the department terminal 101, the process-specific control detail screen information created by the process-specific control detail screen program 108 together with the received information. (Step 411).

(10) Based on the information received from the WEB server in step 410, the department terminal 101 displays a process-specific control detail screen as shown in FIG. In this process-specific control details screen, the company name 1101, department 1102, process 1103, and process owner 1104 are displayed, and the transmitted control item number 1601, risk category 1703, risk content 1604, control content 1605, control Each of the scores 1704 is displayed as a control item number 1105, a risk category 1106, a risk content 1107, a control content 1108, and a control score 1109. Thereafter, the operator presses the score calculation button 1110 in the process-specific control detail screen shown in FIG. 11 (step 412).

(11) By pressing the score calculation button 1110 in step 412, the information in the screen is transmitted to the business process server 109, and the business process server 109 that has received the information sends the control corresponding to the process 1103 to the process of the control details DB 119. All items are acquired from 1602, and at the same time, control item number 1601, risk content 1604, control content 1605, control frequency 1606, number of samples 1607, number of deficiencies 1608, degree of influence 1609, effectiveness of control 1610, presence / absence of complementary control 1611 The item number 1612 of the complementary control is acquired (step 413).

(12) Next, the process-specific score calculation program 112 of the business process server 109 extracts one case from the control acquired in the processing of Step 413, and the control frequency 1606 of the extracted control and the frequency 1201 of the reference sample text 115. The corresponding reference sample number 1202 is obtained. Then, using this reference sample number 1202 and the acquired control sample number 1607, a control score is calculated and determined as (sample number 1607 / reference sample number 1202) (step 415).

(13) Next, it is checked whether or not the control effectiveness 1610 is “Y”. If it is “Y”, the process proceeds to step 421 described later, and the control effectiveness 1610 is “N”. In the case of "", the presence / absence of complementary control 1611 is referred to as the presence / absence of other controls (steps 416 and 417).

(14) If the presence / absence of complementary control 1611 is “N” by referring to step 417, the process proceeds to step 419 described later, and if it is “Y”, the effectiveness of other controls is determined. Therefore, the control matching with the control item number 1601 of the control details DB 119 is searched from the item number 1612 of the complementary control, the control effectiveness 1610 of the complementary control is acquired, and the effectiveness of the control is determined. In this determination, if the effectiveness 1610 of the control is “Y”, the control score obtained in the process of step 415 is multiplied by 0.8 (this numerical value can be made variable in the system). Then, the process proceeds to step 421 described later (step 418).

(15) If it is determined in step 418 that the effectiveness 1610 of the control is “N”, or if the presence / absence of complementary control 1611 is “N” in step 417, the control frequency 1606 is “ If the number of deficiencies 1608 is 0 at any time, “daily”, or “weekly”, the control score in step 415 is directly used as the control score in step 419, and the deficiency count 1608 is 1 or more and 1 of the sample number 1607. If less than / 3, multiply the control score in step 415 by 0.5 (this number can be variable in the system), the number of deficiencies 1608 is 1/3 or more of the number of samples 1607 and the number of samples If it is less than 2/3 of 1607, the control score in step 415 is multiplied by 0.2 (this number may be variable in the system), and the number of deficiencies 1608 is the number of samples. If 607 2/3 or more, 0 to control score step 415 (this number is also possible is that a variable in the system) carries out a process to control score multiplied by. Also, when the control frequency 1606 is “monthly” and the number of deficiencies 1608 is 0, the control score in step 415 is directly used as the control score here, and the deficit number 1608 is 1 or more and 2/3 of the sample number 1607. If less, multiply the control score of step 415 by 0.2 (this number can be variable in the system), and if the number of deficiencies 1608 is 2/3 or more of the number of samples 1607, step The control score of 415 is multiplied by 0 to obtain the control score here. Further, when the control frequency 1606 is “annual”, if the number of deficiencies 1608 is 0, the control score in step 415 is used as the control score here, and if the deficiency count 1608 is 1 or more, the control in step 415 is controlled. A process of multiplying the score by 0 to obtain the control score here is performed (step 419).

(16) After the processing in step 419, when the influence 1609 is “low”, the control score in step 419 is multiplied by 0.8 (this numerical value can be changed in the system) to obtain the influence 1609. When the value is “medium”, the control score in step 419 is multiplied by 0.4 (this value can be variable in the system), and when the influence 1609 is “high”, the control score in step 419 is 0. (This numerical value can be made variable in the system) and multiplied by the control score to determine the influence degree (step 420).

(17) After the process in step 420, if the result of the reference / determination process in steps 416 and 418 is “Y”, the process from step 414 to step 420 is performed on the control extracted in the process in step 413. Upon completion, the control score No. 1601 is used as a key and each control score calculated up to step 420 is multiplied by 100 to update all the control scores 1704 of the control score DB 120, and at the same time, the risk category 1703 of the target control is acquired (step). 421).

(18) Thereafter, the control item number 1601, risk classification 1703, risk content 1604, control content 1605, and control score 1704 are transmitted to the department terminal 101 together with the process-specific control details screen information via the WEB server (step 422). .

(19) The department terminal 101 displays the company name 1101, department 1202, process 1103, and process owner 1104 on the process-specific control detail screen as shown in FIG. Control item number 1601, risk category 1703, risk content 1604, control content 1605, and control score 1704 are displayed in control item number 1105, risk category 1106, risk content 1107, control content 1108, and control score 1109, respectively (step 423). ).

  FIG. 5A and FIG. 5B are flowcharts for explaining a processing operation for calculating and evaluating a score for each process based on the control score calculated in FIG. 4, and this will be described next. This process is mainly performed by the process-specific evaluation program 113.

(1) First, on the process evaluation screen shown in FIG. 10 displayed on the department terminal 101, the operator presses an evaluation button 1012 for each process. Then, the department terminal 101 transmits the process 1004 with the detailed display 1003 checked to the business process server 109 (step 501).

(2) The business process server 109 acquires the risk category 1703 and the control score 1704 shown in FIG. 17 from the control score DB 120 using the received process 1004 as a key, and controls the control whose acquired risk category 1703 is “finance”. The scores 1704 are summed (steps 502 and 503).

(3) Next, the control scores 1704 of the controls whose risk category 1703 acquired in step 502 is “Other” are totaled, and the control scores 1704 of all acquired controls are totaled (steps 504 and 505).

(4) Further, the number of controls whose risk classification 1703 acquired in Step 502 is “Finance” is counted, and the number of controls whose acquired risk classification 1703 is “Other” is counted and further acquired. The number of all controls is counted (steps 506 to 508).

(5) Next, the business process server 109 obtains (the value obtained in the process of step 503 / the value obtained in the process of step 506) in the financial process score 1812 of the process-specific evaluation DB 121 (obtained by the process of step 504). Value / value obtained by the process of step 507) in the other process score 1816 of the process-specific evaluation DB 121, and (value obtained by the process of step 505 / value obtained by the process of step 508). In the rating 1808, the value obtained in step 506 is obtained in the number 1810 of financial controls in the process-specific evaluation DB 121, the value obtained in step 507 is obtained in the number of other controls 1814 in the process-specific evaluation DB 121 in the process in step 508. Are stored in the number of controls 1803 of the process-specific evaluation DB 121 using the process 1004 as a key. Updating by (step 509).

(6) Next, all the processes 1801, the control number 1803, the process score 1808, the financial control number 1810, the financial process score 1812, and the other control number 1814 in which the control registration status 1802 of the process-specific evaluation DB 121 is “registered”. The other process score 1816 is acquired (step 510).

(7) The business process server 109 sorts the processes 1801 acquired in step 510 in ascending order by the number of financial controls 1810, and finances the financial process score 1812 of the previous process of the target process in the sorted order. The threshold value is determined as the threshold value 1810 (when the target process score is equal to or higher than the threshold value, the threshold value is accepted). That is, the third process is rearranged, and the financial process score 1812 of the second process is set as the financial threshold 1810 of the third process (step 511).

(8) Next, the process 1801 acquired in step 510 is rearranged in ascending order by the number of other controls 1814, and the other process score 1816 of the previous process of the target process is changed to the other threshold 1815 of the target process in the rearranged order. And That is, in the process that has been rearranged to become the third process, the other process score 1816 of the second process is set as the other threshold value 1815 of the third process (step 512).

(9) Next, the process 1801 acquired in step 510 is rearranged in ascending order by the control number 1803, and the process score 1808 of the previous process of the target process is set as the threshold value 1804 of the target process in the rearranged order. In other words, the process score 1808 of the second process is set to the threshold value 1804 of the third process in the third process after the rearrangement (step 513).

(10) Next, the business process server 109 determines that it is valid for the financial process evaluation 1813 if the financial threshold 1811 or more of the target process calculated in the process of step 511 for each process is a financial process score 1812. Then, “Y” is set, and if it is less than the financial threshold value 1811, “N” is set for financial evaluation determination processing (step 514).

(11) Next, if the value of the other threshold 1815 of the target process calculated in step 512 for each process is equal to or greater than the other process score 1816, the other process evaluation 1817 is determined to be valid and set to “Y”. If it is less than the value of the other threshold value 1815, it is determined as invalid and “N” is evaluated (step 515).

(12) Next, the process score 1808 is equal to or greater than the threshold value 1804 of the target process calculated in step 513 for each process, and at the same time, the financial process evaluation 1813 and the step 515 in the process of step 514 are performed. When both of the other process evaluation 1817 in the process are “Y”, the process evaluation 1809 is determined to be valid and set to “Y”, the process score 1808 is less than the threshold 1804, and the financial in the process of step 514 When the process evaluation 1813 is “N” and the other process evaluation 1817 in the process of step 515 satisfies any one of the conditions “N”, the process evaluation 1809 is determined to be invalid and is set to “N”. A determination process is performed (step 516).

(13) Count the number of “N” for the control effectiveness 1610 in the control details DB 119 for each process 1801 acquired in step 510, and whether or not there is a complementary control in the control details DB 119 for each process 1801 acquired in step 510 1611 is counted, and for each process 1801 acquired in step 510, the number of cases where the control effectiveness 1610 for the supplementary control item number 1612 in the control details DB 119 is “Y” is counted (step 517). ~ 519).

(14) Thereafter, the business process server 109 obtains the financial threshold value obtained by the process of step 511 for each process 1801 obtained by the process of step 510, the other threshold value obtained by the process of step 512, and the process of step 513. Obtained in step 514, financial process evaluation obtained in step 514, other process evaluation obtained in step 515, process evaluation obtained in step 516, count obtained in step 517, step count The number of counts obtained by the processing of 518 and the number of counts obtained by the processing of step 519 are respectively set to the financial threshold value 1811, other threshold value 1815, threshold value 1804, financial process evaluation 1813, etc. Process evaluation 1817, process evaluation 1809, control effectiveness “N” number 180 , The presence / absence of complementary control “Y” number 1806 and the effectiveness of complementary control “Y” number 1807 are updated and simultaneously stored as financial process evaluation 1813, other process evaluation 1817, process evaluation 1809, and update of evaluation DB 121 by process And transmit these pieces of information to the department terminal 101 via the WEB server 103 (step 520).

(15) The WEB server 103 creates process evaluation screen information based on the information transmitted in the process of step 520 and the process evaluation screen information, and transmits the process evaluation screen information to the department terminal 101. The score and the evaluation result are displayed on the process evaluation screen as described with reference to FIG. 10 (steps 521 and 522).

  FIG. 6 is a flowchart for explaining the processing operation for comprehensively evaluating all the registered processes, which will be described next. This processing is mainly performed by the business process evaluation program 114.

(1) First, the operator inputs the operator ID 1401 and password from the department terminal 101. This input information is transmitted to the business process server 109, and personal authentication is performed by the business process server 109 (steps 601 and 602).

(2) Next, if the authentication is OK in the process of step 602, the business process server 109 obtains the company name 1402 that matches the authenticated operator ID 1401 from the company text 117 shown in FIG. It is acquired and transmitted to the WEB server 103 (step 603).

(3) The menu screen program 104 of the WEB server 103 generates display information based on the received company name 1402 and menu screen information, and transmits the display information to the department terminal 101 (step 604).

(4) Based on the display information transmitted in step 604, the department terminal 101 displays a menu screen describing the company name 701 as shown in FIG. Here, the operator presses the button of the process evaluation 704 (step 605).

(5) The pressing of the process evaluation 704 button in step 605 is transmitted to the business process server 109. Upon receiving this, the process score calculation program 112 of the business process server 109 receives all the processes 1801, control registration status 1802, process evaluation 1809, financial process evaluation 1813 registered in the process evaluation DB 121 shown in FIG. Other process evaluation 1817 is acquired. Further, the process owner corresponding to the acquired process 1801 is acquired from the process owner 1504 of the basic information DB 118 shown in FIG. Then, the acquired information is transmitted to the WEB server (steps 607 and 606).

(6) Upon receiving the information from the business process server 109, the WEB server 103 transmits the received information and the process evaluation screen information created by the process evaluation screen program 107 to the department terminal 101 (step 608).

(7) Upon receiving the information sent from the WEB server 103 in step 409, the department terminal 101 displays a process evaluation screen as shown in FIG. On this process evaluation screen, the company name 1001 and the department 1002 are displayed, and the transmitted process 1801, control registration status 1802, process evaluation 1809, financial process evaluation 1813, other process evaluation 1817, and process owner 1504 are respectively displayed. Are displayed as process 1004, control registration status 1006, process evaluation 1009, process evaluation (finance) 1007, process evaluation (others) 1008, and process owner 1005. The detailed display 1003 is a check box that cannot be selected in plural, and the top process is checked when the process evaluation screen shown in FIG. 10 is initially displayed. Here, the operator presses the comprehensive evaluation button 1013 (step 609).

(8) The press of the comprehensive evaluation button 1013 in step 609 is transmitted to the business process server 109, and the business process server 109 that receives this presses the process 1801 in which the control registration status 1802 of the process-specific evaluation DB 121 is “registered”. The number of cases 1805 for which the effectiveness of all the controls is “N” is acquired and totaled (step 610).

(9) Next, the number 1807 of cases where the effectiveness of all the complementary controls in the process 1801 in which the control registration status 1802 of the process-specific evaluation DB 121 is “registered” is “Y” is acquired and totaled. (Step 611).

(10) [(value obtained by processing of step 610−value obtained by processing of step 611) / value obtained by processing of step 610)] is calculated, and the result is calculated as a total threshold value. Here, complementary controls mean controls that ultimately prevent deficiencies. The more effective this complementary control is, the more effective the internal control can be determined. For this reason, if the value (effective number of complementary controls) obtained by the process of step 611 approaches the value obtained by the process of step 610 (the number of invalid controls), the total threshold value decreases. Also, if complementary controls are disabled, the reverse is true and the overall threshold is increased. In addition, complementary controls may cross processes and are calculated from the entire process to see the process across (step 612).

(11) Next, in the process 1801 in which the control registration status 1802 of the process-specific evaluation DB 121 is “registered”, the process score 1808 having the maximum number of controls 1803 is acquired. When the acquired value is equal to or greater than the total threshold value calculated in step 612 and the process registration 1180 of the control registration status 1802 in the process-specific evaluation DB 121 is “Y”, the total process evaluation is performed. Is determined to be valid and is “passed”, otherwise the overall process evaluation is determined to be rejected (step 613).

(12) The target process 1 1901 in the business process evaluation DB 122 shown in FIG. 19 is the target process evaluated in step 613, the overall threshold value calculated in step 612, and the overall process evaluation obtained in step 613. The business process evaluation DB 122 is updated by storing the target process 2 1902, the overall threshold value 1903, and the overall process evaluation 1904. Information including the comprehensive process evaluation 1904 is transmitted to the department terminal 101 via the WEB server 103 (step 614).

(13) The WEB server 103 creates process evaluation screen information from the information transmitted in the process of step 614 and the process evaluation screen information, and transmits the process evaluation screen information to the department terminal 101. A process evaluation screen showing the evaluation result is displayed (steps 615 and 616).

  The department terminal 101, the WEB server 103, and the business process server 109 that constitute the embodiment of the present invention described above may be configured by an information processing apparatus including a CPU, a memory, a hard disk device, a display device, an input / output device, and the like.

  In addition, each process in each embodiment of the present invention described above can cause the CPU included in the information processing apparatus to execute each program illustrated in FIG. 1, and these programs are FD, CDROM, It can be provided by being stored in a recording medium such as a DVD, or can be provided as digital information via a network.

It is a block diagram which shows the structure of the business process evaluation system by one Embodiment of this invention. It is a flowchart explaining the processing operation in the case of registering the basic information of the process to be evaluated by the business process evaluation system. It is a flowchart explaining the process which registers the control for every process evaluated with a business process evaluation system. It is a flowchart explaining the process which calculates and registers the score of the control for every process evaluated with a business process evaluation system. FIG. 5 is a flowchart (part 1) illustrating a processing operation for calculating and evaluating a score for each process based on the control score calculated in FIG. FIG. 5 is a flowchart (part 2) illustrating a processing operation for calculating and evaluating a score for each process based on the control score calculated in FIG. It is a flowchart explaining the processing operation which comprehensively evaluates all the registered processes. It is a figure which shows the example of the menu screen displayed on a department terminal. It is a figure which shows the example of the basic information registration screen displayed on a department terminal. It is a figure which shows the example of the control registration screen displayed on a department terminal. It is a figure which shows the example of the process evaluation screen displayed on a department terminal. It is a figure which shows the example of the control detailed screen classified by process displayed on a department terminal. It is a figure which shows the structure of a reference | standard sample text. It is a figure which shows the structure of influence text. It is a figure which shows the structure of a company text. It is a figure which shows the structure of basic information DB. It is a figure which shows the structure of control details DB. It is a figure which shows the structure of control score DB. It is a figure which shows the structure of evaluation DB classified by process. It is a figure which shows the structure of business process evaluation DB.

Explanation of symbols

DESCRIPTION OF SYMBOLS 101 Department terminal 102 Network 103 WEB server 104 Menu screen program 105 Basic information registration screen program 106 Control registration screen program 107 Process evaluation screen program 108 Control detail screen program according to process 109 Business process server 110 Basic information registration program 111 Control registration program 112 Process Separate score calculation program 113 Evaluation program by process 114 Business process evaluation program 115 Standard sample text 116 Impact text 117 Company text 118 Basic information DB
119 Control details DB
120 Control score DB
121 Evaluation DB by process
122 Business Process Evaluation DB

Claims (3)

In the business process evaluation system that evaluates the company's risk control,
A business registration process that integrates the evaluation of all processes, a control registration means that registers control for each process, a score calculation means for each process that calculates a score for each process control, a process-specific evaluation means that evaluates control for each process An evaluation means,
The control registration means registers and manages a plurality of risk contents for each process, a control content that is a countermeasure content for each risk, and the effectiveness of the result of the control as a control specification,
The process score calculation means calculates a score of a control result for each risk of each process of the control details managed by the control registration means,
The process-specific evaluation means obtains a process score and a process evaluation in which the scores of the control results for each risk calculated by the process-specific score calculation means are summarized for each process,
The business process evaluation system characterized in that the business process evaluation system evaluates control over risks of all processes based on process scores and process evaluations summarized for each process obtained by the process-specific evaluation means.   2. The business process evaluation system according to claim 1, wherein the effectiveness of the result of the control is determined by whether or not there is a defect as a result of the control. The business process evaluation means is characterized in that the overall process evaluation is acceptable when the score value in the process having the maximum number of controls is equal to or greater than the threshold obtained by the process-specific evaluation means. The business process evaluation system according to claim 1.

Images