an integrated risk management, compliance & audit solution ... · implementation of risk –...

Post on 08-Aug-2020


TRANSCRIPT

Ian Abrahams

An Integrated Risk Mngt, Compliance

& Audit Solution

CorProfit Systems Pty Ltd

Introduction

Clients see risk-compliance as a “cost”; integration of functions would reduce the overhead.

There is no “1-way” to perform risk mngt; it consists of a number of processes.

An overall solution will see alignment of: risk – compliance – audit.

Depth & Breadth of Risk

Where does R.M. fit in; who will use?

Senior Mgrs

Executive

Team Ldrs

Workers

Audit

Risk Mngt Dept

Compliance

People & Technology Interwoven

If only the risk mngt dept, or audit, or compliance are using a system, they can learn the hardest system.

If everyday staff are going to be the users (risk / control owners) of the system, the system must be user friendly for them.

The System follows the need.

Integrates Proactive R.M.

Internal Audit & Compliance

Link Organisation’s In-house Objectives, Policies & Procedures

Executive Overview

BU/Function Risk Id

KnowRisk [Core Engine]

Multiple Risk Mgt Activities (Integrated & Aggregated Management)

KnowRisk Engine

Insurance

Business continuity planning

Legal compliance, Security,

IT / Assets

Incident Events

Loss Recording

Crisis mgt

Loss Prevention

OH&S, Regulatory compliance

Projects

Risk Management Framework

CorProfit advocates, and KnowRisk supports a Framework:

That serves all functional areas

Works from Board to shop-floor

That integrates:

Risk, Audit, Compliance

Risk Methods – The Core

Set Context, Risks, Conseq, Controls, Assurance (core method diagram)

This “core” covers all risk assessments; it is generic. KnowRisk has brought a science together.

CSA & Audit

Audit – Independent Reviews

CSA flow (diagram): Inherent Risks & Controls. If High Inherent Risks & Inadequate Controls: Improve Controls, Action Plan. Adequate Controls: Self Test, Residual Acceptable.

Methodology

Likelihood, Magnitude / Impact, Control Effectiveness

Controls Fail (or Gaps); Effectiveness; Retained Risk

Risk reduction is a balance of: Inherent Risk, Controls, Residual Risk

Run Through Simplest Method

Run through the R.M. process

Add new User Defined field

Add new Key Word list

Apply filters / reports

Configure user screens

Configure KnowRisk according to user roles. The ‘Simplest Method’ is a broad-brush approach to populating a Risk Register.

User Interface

Explorer View / Context

Context Data

R (Risk): Risk Data

Q (Impact): Impact Data

L (Likelihood) / C (Control): Control Data

Select in tree / context window, displays data in window:

- logical associations

- logical sequence

Admin View / User’s View

Implementation of Risk – Compliance Solution

An ideal system delivers:

There are not many functions to learn.

Once familiar in one area of the System, the same functionality and “look & feel” is available in all other areas.

Training effort is low, particularly for the richness in features and scope of methods covered.

Risk Assessment

Inherent: L x Q = Rating; Controls: Prev, Corr; Residual: L x Q = Rating

Calc rows (calculation options for each column)

Each has a role, and is particularly useful for audit reviews.

Risk Assessment

Benefits of the scientific options to assessment:

Strategic risk management

Increasing accuracy

Integrate different strategies

Gain the maximum risk mitigation for the least effort

Strategic Risk Management

Start with Inherent to Residual levels

Assessments at R level, view Q & C

Populates your Risk Register

Diagram: Inherent (Before Controls), Controls (Existing), Residual (After Controls); labels R, Q, C

Strategic Risk Management

Inherent to Residual levels

Strategic Risk Management

Prioritise leads to Action Plan, set Targets

Work with small population Risks

Diagram: Inherent, Controls (Existing), Residual (After Existing Controls), Controls (Improve), Target; labels R, Q, C; 1st Stage, Next Stage

Strategic Risk Management

Prioritise key risks, start aggregation

Overall Perspective

Strategic Risk Management

Set targets for Prevention

Similarly for Correction

Increasing Accuracy

Start with the simplest approach (fewest fields, 8, but lots of risks, i.e. build the Risk Register)

Prioritise risks, show target risk (add 5 fields, work with a smaller population of risks)

Use ‘Global’ & ‘Relative’ impact values, start some semi-quantitative analysis

Start aggregation (add just 5 new fields)

Gap analysis in Controls, improve “Existing” effectiveness “To” (larger effort, smallest no. of risks)
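The staged method above (inherent rating L x Q, preventive controls under L and corrective controls under Q, residual L x Q after controls, prioritising against a target, then aggregating from business unit to division to company) and the CSA flow from the “CSA & Audit” slide, carried through as an added worked example. This is not CorProfit or KnowRisk code; the 1-5 scales, the “effectiveness” reduction rule (a control removes a fraction of L or Q, combined multiplicatively), the triage thresholds and every register entry are constructed assumptions.

```python
"""Staged risk assessment as described on the slides, as an added worked example
(not CorProfit's or KnowRisk's code).  From the slides: inherent rating is
L x Q, preventive controls sit under L and corrective controls under Q, residual
rating is L x Q after controls, risks are prioritised against a target, and
status is aggregated from business unit to division to company.  Assumed here:
1-5 scales, 'effectiveness' as the fraction of L or Q a control removes, the
triage thresholds, and every register entry (constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    name: str
    kind: str             # "prev" reduces likelihood (L); "corr" reduces impact (Q)
    effectiveness: float  # assumed: fraction of L or Q removed, 0.0 to 1.0


@dataclass
class Risk:
    name: str
    unit: str             # business unit profile that owns the risk
    division: str
    likelihood: float     # L, assumed 1-5 scale
    impact: float         # Q (magnitude / impact), assumed 1-5 scale
    controls: List[Control] = field(default_factory=list)
    target: Optional[float] = None  # target residual rating, if one is set


def inherent_rating(risk: Risk) -> float:
    """Slide: Inherent = L x Q, before any controls."""
    return risk.likelihood * risk.impact


def residual_lq(risk: Risk) -> Tuple[float, float]:
    """Apply controls: each 'prev' control scales L down, each 'corr' scales Q down
    (multiplicative combination is an assumption of this example)."""
    l, q = risk.likelihood, risk.impact
    for c in risk.controls:
        if c.kind == "prev":
            l *= 1.0 - c.effectiveness
        elif c.kind == "corr":
            q *= 1.0 - c.effectiveness
        else:
            raise ValueError(f"unknown control kind {c.kind!r} on {risk.name}")
    return round(l, 4), round(q, 4)


def residual_rating(risk: Risk) -> float:
    """Slide: Residual = L x Q after controls."""
    l, q = residual_lq(risk)
    return round(l * q, 4)


def csa_triage(risk: Risk, high_inherent: float = 12, acceptable: float = 6) -> str:
    """Control self-assessment flow from the 'CSA & Audit' slide: high inherent
    risks with inadequate controls go to an action plan; adequate controls are
    self-tested and the residual accepted.  Controls count as adequate when the
    residual is at or below the acceptable level; both thresholds are assumed."""
    adequate = residual_rating(risk) <= acceptable
    if not adequate and inherent_rating(risk) >= high_inherent:
        return "improve controls / action plan"
    if adequate:
        return "self test"
    return "monitor"  # assumed: inadequate controls but inherent rating not high


def prioritise(register: List[Risk]) -> List[Risk]:
    """Slide: 'Prioritise leads to Action Plan, set Targets' - risks whose
    residual is still above their target, worst first."""
    above = [r for r in register if r.target is not None and residual_rating(r) > r.target]
    return sorted(above, key=residual_rating, reverse=True)


def aggregate(register: List[Risk]) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Roll residual status up the profile hierarchy (unit -> division -> company).
    Count, highest residual and total residual are the assumed aggregate measures."""
    buckets: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for r in register:
        res = residual_rating(r)
        for level in (("unit", r.unit), ("division", r.division), ("company", "All")):
            buckets[level].append(res)
    return {k: {"risks": len(v), "max": max(v), "total": round(sum(v), 4)}
            for k, v in buckets.items()}


# Constructed sample register (not taken from the slides).
REGISTER = [
    Risk("Unpatched internet-facing servers", "IT Ops", "Technology", 4, 5,
         [Control("Monthly patch cycle", "prev", 0.5),
          Control("Incident response plan", "corr", 0.2)], target=6),
    Risk("Payroll data disclosure", "HR", "Corporate", 3, 4,
         [Control("Quarterly access reviews", "prev", 0.5)], target=6),
    Risk("Key supplier outage", "IT Ops", "Technology", 2, 3, [], target=4),
    Risk("Fire in data centre", "Facilities", "Corporate", 1, 5,
         [Control("Suppression system", "corr", 0.6)], target=3),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:35} inherent={inherent_rating(r):>4} "
              f"residual={residual_rating(r):>4} -> {csa_triage(r)}")
    print("action plan order:", [r.name for r in prioritise(REGISTER)])
    for level, stats in sorted(aggregate(REGISTER).items()):
        print(level, stats)
```

Run as a script it lists each risk's inherent and residual rating with its CSA outcome, the action-plan order, and the roll-up per unit, division and company. The three stages map onto the slide's accuracy ladder: build the register with L and Q only, add controls and targets for the smaller prioritised population, then aggregate.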

Projects, Etc

Human Resource, Business Continuity

Extend Broad-Brush Method

Use “Common” & “unique” fields in the process

Risks Conseq

Controls

Generic, Broad-Brush

Extend Broad-Brush Method

Compliance Strategies

Same information in the Act now set in KnowRisk

Structures in KnowRisk Ideal for Compliance

Organisation Wide Risk Profile

A user interacts with their own profiles.

That user is part of a business unit.

The business unit is part of a group / division.

Etc . . . to encompass the whole organisation.

Audit

KnowRisk provides for:

Recording audit findings

Management of actions arising

Monitoring progress of actions, grouped by audits

Audit Sampling in KR

KnowRisk enables the review of control effectiveness / performance

Set the audit plan

Appropriateness of controls

Testing effectiveness

Maintains ongoing effectiveness

Risks

Controls

Audit Sampling

Audit Plan

Audit can see framework “in 1 place”

Bus Unit 1

Div 2

Risk, Control

Company

Div 1: R, Q, C, HR, Proj

Etc

Reput’n, Regul’n

Etc

Profiles Knowledge Base

Example Risk Knowledge Base

Consequences + Controls Likewise Classified

Organisation Wide Framework

Executive

Team Ldrs

Workers

Senior Mgrs

IT, HR, Etc

Etc, Recruit, Etc

Environ’t

Summarise

Aggregate

BCP, Etc

Risk Mngt Dept, Compliance, Audit

Mature Process

Maintain Good Controls (Internal Audit)

Scalability & Distribution

Define needs.

Estab. Process

Start profiles

Populate Know. Bases

Workshops

Framework

Implement “Core Method”

Extend: • Insurance • BCP etc

Risk Register

KnowRisk™ Reporting: Summarised

Reports

Business Units (Depts.) Profiles

Divisions

Audit / RiskCommittee

Board

Exec

Strategic

Operational

Risk - Compliance Kept Simple

ID & Assess Risks

Prioritise / Treatment

Key Tasks / Improve Controls / Monitor

Cross-link Objectives & Work Performed

Value to Boards

Collates all identified risks on an equitable basis.

Users can easily filter risks to select appropriate risks to report to the Board.

Risk status can be aggregated.

Standard reports (including graphs) can be prepared by activating pre-programmed icons.

Reports can be supported by detailed documentation at all framework levels & functions.
