Managing your Risks by Managing your Process

Governance, Risk and Compliance (GRC) is a topic few businesses and organisations can afford to ignore. Over more than ten years, successive financial crises, including Worldcom, Enron and Société Générale, through to Lehman Brothers and now the continuing worries over the Euro, have led to more and more stringent financial regulation being put in place. Sarbanes Oxley, Basel II, Solvency II, PCI: the list goes on and on. In addition, legislation is not just limited to the financial sphere: Health & Safety, Data Protection, EU Directives and many more regulations now affect every organisation. Increasing globalisation means it is also necessary for businesses to take account of regulations in every country where they operate or trade.

Organisations are becoming more and more aware of the need to guard against the risk of failing to comply with this multitude of regulation, as well as managing day-to-day operational risks and compliance with internal policies and objectives. At the same time, the need to be able to prove compliance has added an additional burden. In the past, document-based systems (e.g. ISO 9001, ISO 30000, US Financial Reporting Standards, etc.) have been used to manage quality and ensure that appropriate controls have been put in place. Checking that these controls were being operated, and operated correctly, was largely ensured by undertaking audits, and those audits were generally audits of the documentation rather than of the actual operation of the business.

Figure 1. The Development of Risk Management

Enterprise Risk Management

The challenge has been to scale document management-based approaches to deal with multiple regulations and to avoid duplication and stove-piped solutions. The introduction of the Sarbanes Oxley Act in the United States in 2002 prompted many organisations to start to look for more sophisticated tools to manage risks and document compliance in a way that was easily auditable. A significant step forward was the development of the concept of Enterprise Risk Management (ERM), which integrates the management of compliance with regulations such as Sarbanes Oxley with internal risk management and control. There was increasing realisation that managing risk and putting in place controls was integrally linked with the organisation's processes. After all:

Processes are not just something your business does; processes are the business [1]

Managing your risks is therefore about managing your processes. Figure 1 shows how the maturity of risk management has developed in the last decade. This has been supported by the introduction of risk management frameworks such as the COSO "Enterprise Risk Management - Integrated Framework" published in 2004 [2]. The COSO framework (Figure 2) defines an internal control as a process operated by an organisation's board of directors, management and staff, designed to provide "reasonable assurance" of achieving business objectives.

Figure 2. The COSO Framework

COSO is very much a process-driven approach, and the better the internal processes are, the fewer controls are required. This raises the question of why you need controls at all. Surely, if an organisation's processes were designed to take account of all risks, then it wouldn't be necessary to have controls or even auditing. In reality, of course, there are several reasons why this would never be possible.

Firstly, although processes are key to operating and understanding the business, not everything that affects risk will be described in day-to-day operational processes. For instance, the need to have manual access controls on the doors to the computer centre to prevent the risk of data theft or corruption is a vital control, but it is not something that would be documented in a business process. Secondly, the business world, and the world of risk and security, is constantly changing. To deal with this change it is necessary to add new controls, tests and audits, often at a pace that is much more rapid than business processes are normally updated. Thirdly, no process is ever perfect; it is a representation of how the business operates to deal with real world events, but it will never be complete or handle every eventuality. Hence it is necessary to supplement processes with controls that plug the gaps to manage risks and ensure compliance.

In practice GRC is a balance (Figure 3). We can't put all the management of risk into the operational processes, but on the other hand paralleling every operational process with a control process that checks that the operational process is being operated correctly is inefficient and ineffective. Many financial organisations, faced with the need to rapidly implement risk and compliance management, set up manual control processes that constantly double-check that the business process is complying with the regulation and that risks are minimised. This approach rapidly becomes untenable as more and more individual controls, tests and control processes have to be put in place to cope with the requirements of each regulation.

Figure 3. Balancing GRC Objectives

What is needed instead are process-based tools to document risks and controls, support the implementation of the controls and create automated test results. This type of automation already exists in many corporate IT systems that were originally introduced for the automation of processes, particularly financial, order processing and logistics processes. However, these systems often cannot be adapted easily or quickly to changing regulatory requirements. In large organisations, the controls also tend to exist across system boundaries, with the result that additional, compensating controls have to be executed manually in addition to the automatic controls.

Governance, Risk and Compliance (GRC) System

The need to have a dedicated approach to managing risk and compliance has led to the development of Governance, Risk and Compliance (GRC) systems. Gartner has identified four key elements of a GRC system (Figure 4).

Figure 4. Capabilities of GRC Platforms

GRC systems enable flexible implementation and efficient operation of an enterprise-wide compliance and risk management system. Based on this approach, process-based GRC systems have been developed that have core functions including:

1. Identification and communication of risk-relevant processes and the affected items.
2. Analysis and evaluation of operational risks.
3. Design, implementation and documentation of the necessary controls, tests and risk assessments.
4. Provision of controlled workflows implementing tests, managing issues and non-compliance, and re-testing of improvements.
5. Design, automation and reporting of surveys to manage compliance and attestations.
6. Integrated audit management for efficiently conducting audits based on risk, control and test data from the same repository.
7. Management dashboards to present status information from all four perspectives, allowing access to information from the summary down to the incident level.

Frequently GRC systems are combined with enterprise modelling tools and process automation tools, which take full advantage of integrating risk management with business process management. Hence Process-based GRC = ERM + BPM.

The benefits of such systems include:

Cost Reduction
- Increased efficiency
- Process Improvement: every GRC project optimizes the business processes
- Reduced staff costs (e.g. auditors)
- Reduced external audit & risk assessment costs
- Common approach for control testing and risk assessment
- Transparent ownership of risk & controls
- Audit-proof documentation
- Fact-based decision making

Transparency and communication
- Categorization of risk & controls
- Risk and controls linked to processes

- Faster adaptation to new regulations
- Consolidated approach to managing overlapping laws & regulations
- Reuse of business processes, compliance requirements and reports

Combining audit management with GRC is particularly advantageous, as it allows the auditor to have direct access to the processes and associated documentation, and allows audit plans, templates and results to be directly linked to GRC assets.

The Future is Reality

In Figure 1 we saw that organisations have moved away from a document-based approach that was disconnected from the reality of operations to a process-based approach. That can be extended further by monitoring the performance of the process to understand how the business is performing on a day-by-day or hour-by-hour basis. However, even a process-based approach is still disconnected from the real world. Processes are abstract representations of what is intended to happen, or at best a high level view of what is happening. In the real world things happen, and change, minute by minute. In fact, in the financial world things can often happen in milliseconds, and fraud involving huge sums of money can be accomplished within seconds. In this type of environment, manual audits on a weekly, monthly or quarterly basis can only provide a limited level of security.

Figure 5. Connecting GRC with Reality

The next stage in the evolution of GRC systems (Figure 5) is to bring in reality (Real 2): that is, monitoring real processes in real time. Technologies such as Complex Event Processing (CEP) and In-Memory technology allow the continuous monitoring of thousands of event streams and tens of thousands of events per second to look for complex correlations, patterns and sequences. Not only can this technology report possible risks and breaches, it can detect them while they are happening and even stop them. There is no doubt that risk and compliance management is here to stay, and that managing your processes is always going to be a vital part of managing your risks.

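As an added illustration of the real-time, CEP-style control monitoring described above (example code written for this page, not part of the original article or of any product it mentions), the following Python sketch keeps a sliding time window over a constructed payment event stream and evaluates two hypothetical controls as each event arrives: a segregation-of-duties rule (the creator of a payment must not approve it) and a velocity rule (too many creations by one user inside the window). The event fields, control names, thresholds and sample data are all assumptions.

```python
from collections import deque, namedtuple

# Event fields: ts (seconds), kind ("payment.created"/"payment.approved"), user, ref
Event = namedtuple("Event", "ts kind user ref")


class ControlMonitor:
    """CEP-style monitor: sliding time window plus two constructed controls (hypothetical rules)."""

    def __init__(self, window_s=60.0, velocity_limit=3):
        self.window_s, self.velocity_limit = window_s, velocity_limit
        self.recent = deque()     # events still inside the correlation window
        self.created_by = {}      # payment ref -> user who created it

    def _expire(self, now):
        while self.recent and now - self.recent[0].ts > self.window_s:
            self.recent.popleft()

    def ingest(self, ev):
        """Process one event; return the control findings it raises (empty list if none)."""
        self._expire(ev.ts)
        self.recent.append(ev)
        findings = []
        if ev.kind == "payment.created":
            self.created_by[ev.ref] = ev.user
            # Velocity control: more than velocity_limit creations by one user inside the window
            n = sum(1 for e in self.recent if e.kind == ev.kind and e.user == ev.user)
            if n > self.velocity_limit:
                findings.append(("VELOCITY", ev.user, ev.ref))
        elif ev.kind == "payment.approved":
            # Segregation-of-duties control: the creator of a payment must not approve it
            if self.created_by.get(ev.ref) == ev.user:
                findings.append(("SOD_VIOLATION", ev.user, ev.ref))
        return findings


def run(events, monitor=None):
    """Feed a stream through the monitor and collect findings in arrival order."""
    monitor = monitor or ControlMonitor()
    return [f for ev in events for f in monitor.ingest(ev)]


# Constructed sample stream (not real data): one SoD breach, one velocity burst by
# "carol", and a later creation outside the window that must stay silent.
SAMPLE = [
    Event(0, "payment.created", "alice", "P1"), Event(5, "payment.approved", "bob", "P1"),
    Event(10, "payment.created", "alice", "P2"), Event(11, "payment.approved", "alice", "P2"),
    Event(20, "payment.created", "carol", "P3"), Event(21, "payment.created", "carol", "P4"),
    Event(22, "payment.created", "carol", "P5"), Event(23, "payment.created", "carol", "P6"),
    Event(200, "payment.created", "carol", "P7"),
]
```

Because a finding is returned at the moment the offending event is ingested, a production system could hold or block that transaction before it completes, which is the "detect and even stop" property the article attributes to real-time monitoring.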
References

[1] Rob Davis. What Organizations Need is a BPM Roadmap with Clear Benefits. BPTrends, July 2010
[2] http://www.coso.org/

Author

Rob is a Senior ARIS BPM consultant with Software AG, which merged with IDS Scheer in 2011. He is an internationally recognized expert in Business Process Management (BPM) and the practical use of the ARIS Design Platform. Previously, Rob worked for British Telecom (BT), where he was responsible for selecting and implementing ARIS in a large scale implementation. Rob has built extensive experience of all aspects of BPM and specializes in providing consultancy on BPM, process modelling and design, architecture and frameworks, process governance, and integrating process and IT design. Rob has written three definitive books on the practical use of the ARIS Design Platform for BPM. For more information see http://www.rob-davis.co.uk.

BPTrends Linkedin Discussion Group

We created a BPTrends Discussion Group on Linkedin to allow our members, readers and friends to freely exchange ideas on a wide variety of BPM related topics. We encourage you to initiate a new discussion on this publication, or on other BPM related topics of interest to you, or to contribute to existing discussions. Go to Linkedin and join the BPTrends Discussion Group.