Enterprise Risk Management in Compliance 360

Transcription

1 Enterprise Risk Management in Compliance 360

2 2 Enterprise Risk Management in Compliance 360 Effective risk management involves identifying and understanding the risks the organization is faced with, analyzing and evaluating the risks, and determining what actions are needed to best mitigate and monitor them. In regulated industries facing increasing demands for governance and transparency, all roads converge at Enterprise Risk Management (ERM). Successful management of enterprise risks requires close coordination and integration among Governance, Risk, and Compliance (GRC) functions including regulatory compliance, internal audit, incident management, and others. What s the challenge? For many organizations, risk management is treated as a separate function that is not integrated with the day-to-day operations and often narrowly focused on particular issues such as financial controls management or data security. Some of the challenges include: Lack of a comprehensive approach that captures the full range of activities (strategic, operational, project, process, etc.) Ineffective methods for managing the information and documentation associated with risk management processes Lack of visibility as to what information and documentation exists that supports risk management efforts Ineffective and inefficient tools for managing the responses to risk Lack of ownership and accountability within business units for managing risk Ineffective tools for collaboration and communication resulting in longer cycle times Lack of ability to report the status and effects of the risk management process

3 Enterprise Risk Management in Compliance How does Compliance 360 help? Compliance 360 s Enterprise Risk Management Solution helps organizations manage the critical elements of their enterprise risk management initiatives. The system supports the elements of common risk management methodologies such as COSO (Committee of Sponsoring Organizations) and ISO 31000:2009. The solution automates the assessment of risks for identified processes across the enterprise, linking risks to strategic objectives and compliance programs, monitoring risks, and managing risk response strategies. The Enterprise Risk Management Solution provides a global view of all risk-related activities through an executive dashboard, enabling managers to quickly assess problem areas, proactively adjust processes and track the progress of corrective actions. Establish a standard, comprehensive approach Compliance 360 organizes the risk universe for your organization into risk frameworks. The configurable frameworks store the relevant information about processes, objectives, risks and controls and the relational structure between these as well as the supporting documentation. Additionally, risk frameworks contain the scoring methodology used in risk assessments and controls testing. Workflow processes are used to manage the creation or changes associated with any level in the Risk Framework hierarchy. Central visibility and control All information and documentation associated with the enterprise risk management program is stored in a unified repository allowing for easy integration with other GRC information such as regulatory content, policies and procedures and corrective action plans. Efficient management Compliance 360 utilizes a powerful workflow engine to enable automated collaboration, review, assessment and approval. Templates are commonly used to automate these work processes across different departments, teams, and individuals in a manner that is measurable and predictable. Personalized dashboards support up-to-the-minute monitoring of overall risk exposure, controls and specific hot spots.

4 4 Enterprise Risk Management in Compliance 360 Improved collaboration and communication Establishing effective lines of communication across the organization is critical to the success of an enterprise risk management program. Compliance 360 facilitates collaboration and communication using automatic notification of events and activities and allowing users to provide commentary throughout each stage of the process. Establish accountability The flexibility of the system supports a centralized corporate model or distributed autonomous model or hybrid approach for managing activities such as risk assessments and control tests. Individuals throughout the organization can be assigned activities, distributed automatically via notifications on a recurring basis. These activities can also be assigned on an as-needed basis. Once assignments are made, alerts are sent automatically if due-dates are in jeopardy of being missed. Ensure a continual audit-ready state In conjunction with the Virtual Evidence Room, enterprise risk management activities can be linked back to applicable laws and regulations, to create a dynamic body of evidence of proactive risk management and compliance and ensure a continual audit-ready state for the organization. For example, identified risks and controls can be linked to a particular regulation to provide the latest risk assessment and controls testing results for showing evidence of compliance for audits. Additionally, risk management information can be linked to audit plans in the Internal Audit module to provide visibility for internal auditors. Monitoring, Reporting and Analysis of the program The status of the enterprise risk management program is monitored using configurable reports and dashboards. Reporting is real-time and provides visibility into the current risk exposure and individual issues. The executive dashboard capability provides a global view of all risk-related activities, enabling managers to quickly assess problem areas, proactively adjust processes and track the progress of corrective actions. Additionally, the Compliance 360 workflow engine can send automatic alerts for specific events such as when risk tolerance in a particular area has been exceeded or when a control test has failed. The Compliance 360 Configurable risk model structure depicts relationships in hierarchical view.

5 Enterprise Risk Management in Compliance Features Ability to define the organization s risk universe in one or more Risk Frameworks. Supports importing of risk management information from third party sources. Ability to identify, prioritize and manage processes, objectives, risks and controls in a central repository with ability to attach or link documentation to all items. Supports a many-to-many relationship structure between all items such as relating one risk to many objectives, regulations or audits, with hierarchical views of relational structure. Ability to create multiple, actionable Risk Models from Risk Frameworks and customize for specific departments or functions. The Risk List provides a quick reference to latest inherent risk scores and current risk exposure (residual risk). Configurable workflow processes facilitate definition, collaboration and review, approval, work item management (assignments), risk assessments and control testing. Workflow processes are also associated with the creation and change of risks and controls. Built-in, optional change management feature that utilizes workflow processing to route proposed changes to processes, objectives, risks and controls through collaboration and review prior to implementation of change requests. Enables configurable scoring methodologies for risk assessment (based on impact and likelihood), control testing and risk exposure (residual risk). Ability to create customized risk assessment and control test questionnaires with mapping of answers to scoring methodology.

6 6 Enterprise Risk Management in Compliance 360 Automated distribution of assessments to respondents that can be setup on a predetermined, recurring schedule. Automated management of risk assessments and control tests using Compliance 360 s standard workflow engine. The system auto-generates messages for assignments and sends reminders of due dates. Assignees can respond to assignments directly from the message or the To Do List on the user s personal Home Page in Compliance 360. Results can be automatically forwarded to appropriate managers for review. Automatic calculation of risk exposure for processes based on risk assessment and control test results. Enables system generated automated alerts for specific events such as when risk exposure is not within tolerance parameters or when control test results have changed. Ability to use the task management feature to manage actions such as researching issues or investigating options for risk treatment. Use advanced capabilities in the Projects module for comprehensive project management of corrective action plans or remediation activities. Ability to link enterprise risk management information and activities to relevant laws and regulations using the Virtual Evidence Room. Ability to link enterprise risk management information to audit plans managed in the Internal Audit module. Ability to monitor the enterprise risk management program using a variety of configurable reports and online executive dashboards. Ability to roll up (consolidate) reporting of enterprise risk management information across the enterprise. Storage of all historical data for trend analysis purposes. Automatic audit trail shows date, time, and activity footprints of users access and changes to information. Benefits Central repository for identifying, prioritizing, and managing risk areas across the enterprise. Make enterprise risk management easier, less costly and much more manageable using automation and standardization. Integration with compliance and internal audit functions for a comprehensive view of GRC activities. Using real-time dashboards, managers and executives have improved visibility to enterprise risk management initiatives with ability to drill into supporting details for analysis. Board-level reporting is simplified with configurable reports and dashboards to show risk exposure and implications. Gain efficiencies and reduce manual workload by using workflowenabled processes to streamline activities. Productivity is improved with reusable templates and automatic distribution based on scheduled events.

7 Enterprise Risk Management in Compliance Enterprise Risk Management information is linked to applicable laws and regulations providing evidence of compliance and supporting an audit ready state. Transparency can be enhanced regarding the state of risk management within your organization. Comprehensive storage of historical data streamlines audits, supports trend analysis and helps to improve management of risks. Customer Example A multi-entity financial services company uses Compliance 360 as the platform for their Enterprise Risk Management program. The program is focused primarily on managing operational and regulatory compliance risks. The organization needed an application that would allow groups from multiple departments and business lines to collaborate on risk definition and also facilitate their risk assessment process. Prior to implementing Compliance 360 for risk management, the organization was already using Compliance 360 to manage their regulatory compliance requirements as well as the policies and procedures that govern their compliance program. The organization saw the advantages of having risk management information integrated with their compliance information in a single repository and application platform. Using Compliance 360, they now have the ability to automatically distribute risk assessments on a recurring basis to the business area owners and collect the results into one data store. The system calculates risk scores based on answers to the risk assessment questionnaire. A key feature for them is the dashboard reporting which provides real-time views of the risk exposure for the organization. Additionally, risks are linked to relevant regulations in the Virtual Evidence Room to show evidence of compliance for audits. Results Compliance 360 serves as the single, enterprise-wide source for enterprise risk management and compliance management providing improved visibility and control.

8 USA Europe Australia Asia Plainsboro, NJ T: +1 (877) 470-SAIG [7244] F: Warwickshire, UK T: +44 (0) F: +44 (0) Sydney T: F: Jakarta T: Waltham, MA T: F: Melbourne T: F: Alpharetta, GA T: F: Perth T: F: Houston, TX T: F: About SAI Global Compliance SAI Global Compliance is the world leader in providing organizations with a wide range of governance, risk and compliance (GRC) products, services and technology that help build organizational integrity and effectively manage compliance risk. Our global staff includes professionals and subject matter specialists in advisory services; program design, management and implementation; instructional design; and software development. Our focus is to help establish and enhance compliance effectiveness. With well over a thousand organizations as clients and tens of millions of satisfied users around the world, we work with clients to integrate a flexible suite of solutions and services specifically tailored for a business and industry. Our products include the world s largest library of compliance and ethics learning, Code of Conduct advisory services and training, and the Compliance 360 GRC Software Suite to manage compliance, policy, incident and audit management. Our Cintellate EH&S Software addresses key issues in operational environmental health and safety management. For more information, please call us at the full service location nearest you or visit 2014 SAI Global Ltd. The SAI Global name and logo and the Cintellate name are trademarks of SAI Global Ltd. Compliance 360 and Virtual Evidence Room are registered trademarks of Compliance 360, Inc., an SAI Global company. All Rights Reserved. ERMCBR1206a