TRANSCRIPT
Ian Abrahams
An Integrated Risk Management, Compliance & Audit Solution
CorProfit Systems Pty Ltd
Introduction
• Clients see risk and compliance as a “cost”; integrating the functions would reduce the overhead.
• There is no single way to perform risk management; it consists of a number of processes.
• An overall solution will see alignment of risk, compliance and audit.
Depth & Breadth of Risk
Where does R.M. fit in; who will use it?
Users at every level: Executive, Senior Managers, Team Leaders, Workers.
Functions: Risk Management Dept, Compliance, Audit.
People & Technology Interwoven
If only the risk management department, audit or compliance will use a system, they can learn the hardest system. If everyday staff (risk / control owners) are going to be the users, the system must be user-friendly for them. The system follows the need.
Integrates Proactive R.M., Internal Audit & Compliance
Links the organisation’s in-house objectives, policies & procedures.
Executive overview; BU / function risk identification; KnowRisk [core engine].
Multiple Risk Management Activities (Integrated & Aggregated Management) run on the KnowRisk engine:
• Insurance
• Business continuity planning
• Legal compliance
• Security, IT / assets
• Incident events, loss recording
• Crisis management
• Loss prevention
• OH&S, regulatory compliance
• Projects
Risk Management Framework
CorProfit advocates, and KnowRisk supports, a Framework:
• that serves all functional areas
• that works from Board to shop-floor
• that integrates Risk, Audit and Compliance
Risk Methods – The Core
Set Context → Risks → Consequences → Controls; Assurance of Controls.
This “core” covers all risk assessments; it is generic. KnowRisk has brought a science together.
CSA & Audit
Audit – Independent Reviews
Flow: assess inherent risks and controls. If high inherent risk and inadequate controls: improve controls via an action plan. If adequate controls: self test; residual risk acceptable.
Methodology
Likelihood, Magnitude / Impact, Control Effectiveness.
Controls fail (or gaps) → Effectiveness → Retained Risk.
Risk reduction is a balance of: Inherent Risk – Controls – Residual Risk.
Run Through Simplest Method
• Run through the R.M. process
• Add a new user-defined field
• Add a new key word list
• Apply filters / reports
• Configure user screens
Configure KnowRisk according to user roles. The “Simplest Method” is a broad-brush approach to populating a Risk Register.
User Interface
Explorer View: Context (Context Data), R (Risk Data), Q (Impact Data), C (Likelihood / Control: Control Data).
Select in the tree / context window; the data displays in the window, with logical associations and logical sequence.
Admin View / User’s View.
Implementation of Risk – Compliance Solution
An ideal system delivers:
• Few functions to learn
• Once familiar with one area of the System, the same functionality and “look & feel” is available in all other areas
• Low training effort, particularly given the richness of features and the scope of methods covered
Risk Assessment
Inherent (L x Q = Rating) | Controls (Prev | Corr) | Residual (L x Q = Rating)
Calc | Calc | Calc | Calc (each column is calculated for every risk)
Each has a role, and is particularly useful for audit reviews.
Risk Assessment
Benefits of the scientific options to assessment:
• Strategic risk management
• Increasing accuracy
• Integrate different strategies
• Gain the maximum risk mitigation for the least effort
Strategic Risk Management
Inherent to Residual levels
• Start with Inherent to Residual levels
• Assessments at R level, view Q & C
• Populates your Risk Register
Inherent (before controls) → existing Controls → Residual (after controls), at the R, Q and C levels.
Strategic Risk Management
Prioritise leads to Action Plan, set Targets
• Work with a small population of risks
• After existing controls (R, Q, C): Improve
Inherent → Controls → Residual (1st stage) → Controls → Target (next stage)
Strategic Risk Management
• Prioritise key risks, start aggregation (overall perspective)
• Set targets for Prevention; similarly for Correction
Increasing Accuracy
• Start with the simplest approach (fewest fields, 8, but lots of risks, i.e. build the Risk Register)
• Prioritise risks, show target risk (add 5 fields, work with a smaller population of risks)
• Use “Global” & “Relative” impact values, start some semi-quantitative analysis
• Start aggregation (add just 5 new fields)
• Gap analysis in Controls, improve “Existing” effectiveness “To” (larger effort, smallest number of risks)
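As an added illustration (not KnowRisk’s own code; the slides show only “L x Q = Rating” and “Calc” cells), the following Python models the inherent → controls → residual → target chain from the Risk Assessment slides together with the prioritise, control-gap and aggregation steps listed above. The 1..5 scoring, the split of controls into preventive (acting on likelihood) and corrective (acting on impact), and the multiplicative combination of several controls’ effectiveness are assumptions of this example; the register contents are constructed sample data.

```python
"""Semi-quantitative risk register: inherent -> controls -> residual -> target.

Added worked example, not KnowRisk code. Assumptions of this example:
  * likelihood (L) and impact (Q) are scored 1..5; rating = L * Q
  * preventive controls reduce L, corrective controls reduce Q, each by an
    effectiveness fraction in [0, 1]; several controls of one kind combine
    as independent reductions (the retained fraction multiplies)
  * "target" is the residual rating once each control reaches its planned
    ("To") effectiveness, i.e. after the Improve / Action Plan step
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Control:
    name: str
    kind: str          # "preventive" (acts on L) or "corrective" (acts on Q)
    existing: float    # effectiveness today, 0.0 .. 1.0
    target: float      # planned effectiveness after improvement, 0.0 .. 1.0


@dataclass
class Risk:
    ref: str
    business_unit: str
    description: str
    likelihood: int    # L, 1..5
    impact: int        # Q, 1..5
    controls: List[Control] = field(default_factory=list)


def combined_effectiveness(controls: List[Control], kind: str,
                           use_target: bool = False) -> float:
    """Effectiveness of all controls of one kind; 0.0 when there are none."""
    retained = 1.0
    for c in controls:
        if c.kind == kind:
            eff = c.target if use_target else c.existing
            if not 0.0 <= eff <= 1.0:
                raise ValueError(f"{c.name}: effectiveness {eff} outside [0, 1]")
            retained *= 1.0 - eff
    return 1.0 - retained


def inherent_rating(risk: Risk) -> float:
    """Rating before any controls: L x Q."""
    return risk.likelihood * risk.impact


def residual_rating(risk: Risk, use_target: bool = False) -> float:
    """Rating after preventive (on L) and corrective (on Q) controls."""
    prev = combined_effectiveness(risk.controls, "preventive", use_target)
    corr = combined_effectiveness(risk.controls, "corrective", use_target)
    return risk.likelihood * (1.0 - prev) * risk.impact * (1.0 - corr)


def assess(risk: Risk) -> Dict[str, float]:
    """The three calculated columns of the assessment table for one risk."""
    return {"inherent": inherent_rating(risk),
            "residual": residual_rating(risk),
            "target": residual_rating(risk, use_target=True)}


def prioritise(register: List[Risk], threshold: float) -> List[str]:
    """Refs of risks whose residual still exceeds the threshold, worst first."""
    hot = [r for r in register if residual_rating(r) > threshold]
    return [r.ref for r in sorted(hot, key=residual_rating, reverse=True)]


def control_gaps(register: List[Risk]) -> List[Tuple[str, str, float, float]]:
    """Controls whose existing effectiveness is below target: the Improve list."""
    return [(r.ref, c.name, c.existing, c.target)
            for r in register for c in r.controls if c.target > c.existing]


def aggregate_by_unit(register: List[Risk]) -> Dict[str, Dict[str, float]]:
    """Roll up inherent / residual / target per business unit for reporting."""
    totals: Dict[str, Dict[str, float]] = {}
    for r in register:
        unit = totals.setdefault(r.business_unit,
                                 {"inherent": 0.0, "residual": 0.0, "target": 0.0})
        for key, value in assess(r).items():
            unit[key] += value
    return totals


# Constructed sample register (illustrative values, not real assessments).
REGISTER = [
    Risk("R1", "IT", "Ransomware encrypts file servers", 4, 5, [
        Control("Patching", "preventive", existing=0.5, target=0.8),
        Control("Email filtering", "preventive", existing=0.4, target=0.4),
        Control("Offline backups", "corrective", existing=0.6, target=0.9)]),
    Risk("R2", "IT", "Misuse of privileged credentials", 3, 4, [
        Control("MFA on admin accounts", "preventive", existing=0.0, target=0.9),
        Control("Privileged session recording", "corrective", existing=0.25, target=0.5)]),
    Risk("R3", "HR", "Loss of key staff", 2, 3, [
        Control("Succession planning", "corrective", existing=0.5, target=0.5)]),
]

if __name__ == "__main__":
    for risk in REGISTER:
        print(risk.ref, risk.business_unit, assess(risk))
    print("priority above 2.0:", prioritise(REGISTER, 2.0))
    print("control gaps:", control_gaps(REGISTER))
    print("by unit:", aggregate_by_unit(REGISTER))
```

The order of operations mirrors the slide: a broad register with few fields first (`inherent_rating` needs only L and Q), then the smaller population returned by `prioritise`, then the still smaller set of controls returned by `control_gaps` where the “Existing” to “To” effort is spent, with `aggregate_by_unit` providing the roll-up a Board or Risk Committee would see.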
Extend Broad-Brush Method
Use “common” & “unique” fields in the process.
The generic, broad-brush core (Risks → Consequences → Controls) is extended to: Projects, Human Resources, Business Continuity, etc.
Extend Broad-Brush Method
Compliance Strategies: the same information that is in the Act is now set up in KnowRisk.
The structures in KnowRisk are ideal for Compliance.
Organisation Wide Risk Profile
• A user interacts with their own profiles
• That user is part of a business unit
• The business unit is part of a group / division
• Etc., to encompass the whole organisation
Audit
KnowRisk provides for:
• Recording audit findings
• Management of actions arising
• Monitoring progress of actions, grouped by audits
Audit Sampling in KR
KnowRisk enables the review of control effectiveness / performance:
• Set the audit plan
• Appropriateness of controls
• Testing effectiveness
• Maintaining ongoing effectiveness
Audit sampling links Risks, Controls and the Audit Plan, so Audit can see the framework “in 1 place”.
Company → Div 1, Div 2 → Bus Unit 1, etc. Within each: Risk (R), Impact (Q), Control (C); functions such as HR, Projects, etc.; risk classes such as Reputation, Regulation, etc.
Profiles Knowledge Base
Example Risk Knowledge Base: Consequences and Controls are likewise classified.
Organisation Wide Framework
Levels: Executive, Senior Managers, Team Leaders, Workers.
Functions: IT, HR (e.g. Recruitment), Environment, BCP, etc.
Summarise and aggregate across the Risk Management Dept, Compliance and Audit.
Scalability & Distribution
Define needs → Establish process → Start profiles → Populate knowledge bases → Workshops → Framework → Implement “Core Method” → Extend (Insurance, BCP etc.) → Risk Register → Mature process → Maintain good controls (Internal Audit).
KnowRisk™ Reporting
Summarised reports flow from Business Unit (Dept.) profiles to Divisions, then to the Audit / Risk Committee, the Exec and the Board, at both strategic and operational levels.
Risk - Compliance Kept Simple
ID & Assess Risks
Prioritise / Treatment
Key Tasks / Improve Controls / Monitor
Cross-link Objectives & Work Performed
Value to Boards
• Collates all identified risks on an equitable basis
• Users can easily filter risks to select appropriate risks to report to the Board
• Risk status can be aggregated
• Standard reports (including graphs) can be prepared by activating pre-programmed icons
• Reports can be supported by detailed documentation at all framework levels & functions