Functional and technical specifications. Background

Transcription

1 Functional and technical specifications Background In terms of the Public Audit Act, 2004 (Act No. 25 of 2004) (PAA), the deputy auditor-general (DAG) is responsible for maintaining an effective, efficient and transparent system of finanical, risk management and internal controls. This provision in the PAA makes the DAG responsible and accountable for ensuring that processes exist to protect the institution against significant risks and control deficiencies. In executing her duties, the DAG is assisted, among others, by the Risk and Compliance Centre located within the Planning, Monitoring, Evaluation and Risk (PMER) Business Unit. The centre is responsible for coordinating and supporting overall institutional risk management processes through facilitation and monitoring to ensure that the business units and functions within the AGSA are discharging their delegated responsibilities. Currently the organisation s risk management process is enabled through manual activities that are supported by Microsoft Excel spreadsheets and Word documents. The use of these relatively cost-effective tools is not wrong; however, considering the needs of the organisation this proccess is not efficient for the following reasons: It does not effectively facilitate collaboration. Organisational risks stem from multiple business areas and thus their capturing, management and their tracking as a form of monitoring must take place in a collaborative manner with the ultimate objective of proactively lowering the identified risk exposure to an acceptible level. The use of an Excel spreadsheet is limited to a single user at a time, with no version control attached to it. It does not allow for quick decision-making on risk-related matters, thus making it less agile for modern-day business activities. Inherently, Excel spreadsheets do not have validation mechanisms, making its use prone to error. Furthermore, the tool does not enable quick risk data analysis, thus compromising the completeness and timeliness of information required to proactively manage risks. It does not encourage efficient and effective business continuity. Excel spreadsheets are generally customised by individuals for their own purposes. Data inputs and changes are usually stored on personal computers and not on a central repository. When employees leave the organisation, they usually leave with the information (the know-how) they 1

2 accumulated over the period they served in the role. With regard to data and in the event of a disaster, its recoverability for continuity may be compromised. Thus, in the absence of an advanced fit for purpose software or more specifically a risk tool, for which we are putting a case forward, the following key risk management processes and activities take longer to complete and are onerous: Risk identification Risk assessment and the mapping of identified risks to existing and future internal controls Monitoring of implementation of the mitigations Assessment of the design and operating effectiveness of the internal controls Timeous and effective monitoring of response plans to reported control deficiencies Complete and effective monitoring of responses to regulatory risks Timely access to information for those charged with risk management responsibilities Reporting to different stakeholders (including oversight structures) on the above. This business case thus seeks to fulfil the objectives of the AGSA s risk management promise, which includes ensuring that the process is efficient and effective, and highlighting the benefits that can be derived from a GRC tool (also referred to as an enterprise risk management tool). The key benefits that can be highlighted in this respect include the following: The provision of meaningful risk information (risk, ratings, controls, etc.) within a short period of time to enable the management and executives to make timeous and informed business decisions. The ability to follow an integrated approach to the management of organisational risks, regardless of the risk type and the geographic location. Access to updated enterprise-wide risk and control information for key role players within the risk management process, namely process owners, business executives and Exco members. The ability to implement a uniform risk taxonomy, regardless of the risk type and category. The linkage of business process risks to business process objectives and their alignment to organisational risks and objectives/strategy, and process risks where necessary. Enforcement of certain disciplines for the management of organsiational risks. 2

3 Why is the Governance Risk and Compliance tool needed? A GRC tool is a software application that frames and enables the organisation s approach to risk management. The objective of a GRC can be found in its elements, namely: The oversight role and the process by which the organisation manages and mitigates its risks (governance) A structured process through which the organisation identifies, evaluates and monitors all relevant organsiational risks, including the mitigation actions proposed to manage the related risk exposure (risk management) Enabling self-assessment and continous monitoring as part of proactive management of risks A process whereby the organisation ensures that it complies with regulatory/ legislative requirements, by virture of being in a specific industry (compliance). A GRC tool will also allow the organisation to follow a consistent process that enables a quick understanding of its current risk make-up (profile) and allows for proactive assessment of the changes made to it. Ultimately, a GRC tool will enable all those responsible for the management of organisational risks to provide business with instant knowledge of the threats it faces in line with its objectives. 3

4 Risk management Functional and technical specifications The GRC tool under consideration should be able to fulfil the following functions, at a minimum: Table 1: Functional and technical requirements Module Function Basic requirements Level of reporting Risk assessment and management (including monitoring) Remedial action Identification Risk rating and prioritisation Ability to pull information/data (i.e. controls) from the IT systems and map to risks Allocation of mitigations Reporting Set-up and monitoring of key risk indicators through parameter settings, forecasting and alerts Tracking of reported findings Assigning of action to owners Verification of implemented actions Ability to automatically escalate to upper level on a specified due date Reporting at all levels across modules Integration with existing IT systems in the AGSA (e.g. PeopleSoft ERP, Oracle database, Microsoft database, Active Directory, SharePoint, Exchange , Audit Software, etc.) Information/ data ownership Enable business intelligence Enables risk data mining Dashboard reporting, per business area 4

5 Module Function Basic requirements Level of reporting Integration The ability to collect, quickly analyse and present visual data sitting at granular level The tool must be able to integrate with other applications within the AGSA environment (i.e. PeopleSoft, Pastel, etc.) The tool must have the ability to enforce consistency and maintain a strong workflow capability The tool must be scalable capability/capacity to add multiple risks to multiple processes at multiple locations The tool must support MicroSoft Windows applications and programmes The tool must allow for risk-related data to be written to and draw data from the Oracle and Microsoft SQL Server databases The tool must enable configurability on a limited scale and be flexible to accommodate the risk structure we have adopted as an organisation 5

6 Vendor and third-party management Incident management Control self-assessment Module Function Basic requirements Level of reporting Control selfassessment Incident reporting and management Contract management Selection of key business processes (of the risk and control universe as per above [risk management module]) Capturing of self-assessment outcomes by multiple persons across business units Enable analysis of self-assessment outcome, including trends analysis Enable escalation to respective process owners Enable employees to report risks and incidents as they identify them or as they arise Enable continuous monitoring of implementation of mitigation plans relating to the reported incidents Automated exception identification and escalation process Tracking of service level agreements/ contract requirements Tracking of contract terms Automatic alert and escalation of noncompliance with any of the loaded requirements 6

7 Policy management Regulatory compliance management Module Function Basic requirements Level of reporting Regulatory compliance management Policy development and revision process Identification and maintenance of regulatory universe (including alerts on changes within the regulatory environment) Maintenance of response plans (alignment of legal requirements to existing policies and processes) Maintenance of action plans (remedial actions per legislative gap) Maintenance of a policy register, including the status of each policy Mapping of policies to relevant legislation (where applicable) Automated prompts for policies due for review Dissemination and user training on introduced policies (e.g. e-learning) 7

8 Software (system) demonstrations During the evaluation process, bidders who are successful post the technical evaluation process will be requested to demonstrate their software solutions. The purpose of the demonstration is for bidders to provide an overview of the software s features, detailed and visual description of the functionalities of the solution proposed and its user interface. What benefits will be achieved for the organisation? The GRC tool, as required for the AGSA, should enable the organisation to manage its risks in an integrated manner, removing the existing silos, as risk and compliance processes are usually intertwined from a governance perspective (i.e. they overlap with one another). Listed below are the benefits of implementing an enterprise-wide governance, risk and compliance management tool: start here Multiple processes will be run through a single software, providing for a single point of reference as regards the risks facing the organisation. The tool will provide management with a proactive, collaborative, real-time, context-aware approach to the management of risks that impact the achievement of objectives. Improved management decision-making emanating from real-time access to centralised and integrated risk management information from anywhere, anytime using the AGSAapproved user access devices. The toll will provide a map of internal controls that mitigate against all listed risks. Efficiencies will be introduced to the risk management process, freeing resources to focus on proactive risk management, including verifying inputs received on the implementation of mitigations and finding response actions, training, risk initiative roll-out and communication (elimination of the use of the manual Excel which in itself is inherently risky as a tool). The tool will also assist with a reduction of time, including costs of managing vendor risks and other third-party programs. An automated process to track, classify, respond to and route incidents as they occur organisation wide, will be introduced. The tool will make it possible to identify, organise, assess, escalate and mitigate risks across business units and domains. This will also provide a real-time dynamic process to update the risk register as changes occur within the key risk indicators. The tool will help with a delivery of a secure, centralised, standardised and automated risk and policy life cycle management solution to the AGSA. 8

9 The tool will empower risk managers, owners and champions with an appropriate technology and knowledge to manage risks in an efficient and effective manner (risk taxonomy). The toll will provide a map of internal controls that mitigate against all listed risks. The tool will assist in the creation of risk-based business responses to mitigate threats and vulnerabilities. 9

10 1 0