Functional and technical specifications. Background




Background

In terms of the Public Audit Act, 2004 (Act No. 25 of 2004) (PAA), the deputy auditor-general (DAG) is responsible for maintaining an effective, efficient and transparent system of financial, risk management and internal controls. This provision in the PAA makes the DAG responsible and accountable for ensuring that processes exist to protect the institution against significant risks and control deficiencies. In executing her duties, the DAG is assisted, among others, by the Risk and Compliance Centre located within the Planning, Monitoring, Evaluation and Risk (PMER) Business Unit. The centre is responsible for coordinating and supporting overall institutional risk management processes through facilitation and monitoring, to ensure that the business units and functions within the AGSA are discharging their delegated responsibilities.

Currently the organisation's risk management process is enabled through manual activities that are supported by Microsoft Excel spreadsheets and Word documents. The use of these relatively cost-effective tools is not wrong; however, considering the needs of the organisation, this process is not efficient for the following reasons:

- It does not effectively facilitate collaboration. Organisational risks stem from multiple business areas, and thus their capturing, management and tracking as a form of monitoring must take place in a collaborative manner, with the ultimate objective of proactively lowering the identified risk exposure to an acceptable level. The use of an Excel spreadsheet is limited to a single user at a time, with no version control attached to it.
- It does not allow for quick decision-making on risk-related matters, thus making it less agile for modern-day business activities. Inherently, Excel spreadsheets do not have validation mechanisms, making their use prone to error. Furthermore, the tool does not enable quick risk data analysis, thus compromising the completeness and timeliness of the information required to proactively manage risks.
- It does not encourage efficient and effective business continuity. Excel spreadsheets are generally customised by individuals for their own purposes. Data inputs and changes are usually stored on personal computers and not in a central repository. When employees leave the organisation, they usually leave with the information (the know-how) they accumulated over the period they served in the role. With regard to data, in the event of a disaster its recoverability for continuity may be compromised.

Thus, in the absence of advanced fit-for-purpose software, or more specifically a risk tool, for which we are putting a case forward, the following key risk management processes and activities take longer to complete and are onerous:

- Risk identification
- Risk assessment and the mapping of identified risks to existing and future internal controls
- Monitoring of the implementation of the mitigations
- Assessment of the design and operating effectiveness of the internal controls
- Timeous and effective monitoring of response plans to reported control deficiencies
- Complete and effective monitoring of responses to regulatory risks
- Timely access to information for those charged with risk management responsibilities
- Reporting to different stakeholders (including oversight structures) on the above

This business case thus seeks to fulfil the objectives of the AGSA's risk management promise, which includes ensuring that the process is efficient and effective, and highlighting the benefits that can be derived from a GRC tool (also referred to as an enterprise risk management tool). The key benefits that can be highlighted in this respect include the following:

- The provision of meaningful risk information (risks, ratings, controls, etc.) within a short period of time, to enable management and executives to make timeous and informed business decisions.
- The ability to follow an integrated approach to the management of organisational risks, regardless of the risk type and the geographic location.
- Access to updated enterprise-wide risk and control information for key role players within the risk management process, namely process owners, business executives and Exco members.
- The ability to implement a uniform risk taxonomy, regardless of the risk type and category.
- The linkage of business process risks to business process objectives and their alignment to organisational risks and objectives/strategy, and to process risks where necessary.
- Enforcement of certain disciplines for the management of organisational risks.

Why is the Governance, Risk and Compliance tool needed?

A GRC tool is a software application that frames and enables the organisation's approach to risk management. The objective of a GRC tool can be found in its elements, namely:

- The oversight role and the process by which the organisation manages and mitigates its risks (governance)
- A structured process through which the organisation identifies, evaluates and monitors all relevant organisational risks, including the mitigation actions proposed to manage the related risk exposure (risk management)
- Enabling self-assessment and continuous monitoring as part of the proactive management of risks
- A process whereby the organisation ensures that it complies with the regulatory/legislative requirements that apply to it by virtue of being in a specific industry (compliance)

A GRC tool will also allow the organisation to follow a consistent process that enables a quick understanding of its current risk make-up (profile) and allows for proactive assessment of the changes made to it. Ultimately, a GRC tool will enable all those responsible for the management of organisational risks to provide the business with instant knowledge of the threats it faces in relation to its objectives.

Functional and technical specifications

The GRC tool under consideration should be able to fulfil the following functions, at a minimum:

Table 1: Functional and technical requirements (the original table has the columns Module, Function, Basic requirements and Level of reporting; it is laid out below by module and function)

Module: Risk management

  Function: Risk assessment and management (including monitoring)
  Basic requirements:
  - Identification
  - Risk rating and prioritisation
  - Ability to pull information/data (i.e. controls) from the IT systems and map it to risks
  - Allocation of mitigations
  - Set-up and monitoring of key risk indicators through parameter settings, forecasting and alerts

  Function: Remedial action
  Basic requirements:
  - Tracking of reported findings
  - Assigning of actions to owners
  - Verification of implemented actions
  - Ability to automatically escalate to the upper level on a specified due date

  Function: Reporting
  Basic requirements / level of reporting:
  - Reporting at all levels across modules
  - Integration with existing IT systems in the AGSA (e.g. PeopleSoft ERP, Oracle database, Microsoft database, Active Directory, SharePoint, Exchange email, audit software, etc.)
  - Information/data ownership
  - Enable business intelligence
  - Enable risk data mining
  - Dashboard reporting, per business area

  Function: Integration
  Basic requirements:
  - The ability to collect, quickly analyse and present visual data sitting at a granular level
  - The tool must be able to integrate with other applications within the AGSA environment (i.e. PeopleSoft, Pastel, etc.)
  - The tool must have the ability to enforce consistency and maintain a strong workflow capability
  - The tool must be scalable, with the capability/capacity to add multiple risks to multiple processes at multiple locations
  - The tool must support Microsoft Windows applications and programmes
  - The tool must allow for risk-related data to be written to and drawn from the Oracle and Microsoft SQL Server databases
  - The tool must enable configurability on a limited scale and be flexible enough to accommodate the risk structure we have adopted as an organisation

Module: Control self-assessment

  Function: Control self-assessment
  Basic requirements:
  - Selection of key business processes (from the risk and control universe as per the risk management module above)
  - Capturing of self-assessment outcomes by multiple persons across business units
  - Enable analysis of self-assessment outcomes, including trend analysis
  - Enable escalation to the respective process owners

Module: Incident management

  Function: Incident reporting and management
  Basic requirements:
  - Enable employees to report risks and incidents as they identify them or as they arise
  - Enable continuous monitoring of the implementation of mitigation plans relating to the reported incidents
  - Automated exception identification and escalation process

Module: Vendor and third-party management

  Function: Contract management
  Basic requirements:
  - Tracking of service level agreements/contract requirements
  - Tracking of contract terms
  - Automatic alert and escalation of non-compliance with any of the loaded requirements

Module: Regulatory compliance management

  Function: Regulatory compliance management
  Basic requirements:
  - Identification and maintenance of the regulatory universe (including alerts on changes within the regulatory environment)
  - Maintenance of response plans (alignment of legal requirements to existing policies and processes)
  - Maintenance of action plans (remedial actions per legislative gap)

Module: Policy management

  Function: Policy development and revision process
  Basic requirements:
  - Maintenance of a policy register, including the status of each policy
  - Mapping of policies to relevant legislation (where applicable)
  - Automated prompts for policies due for review
  - Dissemination of, and user training on, introduced policies (e.g. e-learning)

Software (system) demonstrations

During the evaluation process, bidders who are successful after the technical evaluation process will be requested to demonstrate their software solutions. The purpose of the demonstration is for bidders to provide an overview of the software's features, a detailed and visual description of the functionalities of the proposed solution, and its user interface.

What benefits will be achieved for the organisation?

The GRC tool, as required for the AGSA, should enable the organisation to manage its risks in an integrated manner, removing the existing silos, as risk and compliance processes are usually intertwined from a governance perspective (i.e. they overlap with one another). Listed below are the benefits of implementing an enterprise-wide governance, risk and compliance management tool:

- Multiple processes will be run through a single software application, providing a single point of reference as regards the risks facing the organisation.
- The tool will provide management with a proactive, collaborative, real-time, context-aware approach to the management of risks that impact the achievement of objectives.
- Improved management decision-making, emanating from real-time access to centralised and integrated risk management information from anywhere, at any time, using the AGSA-approved user access devices.
- The tool will provide a map of the internal controls that mitigate all listed risks.
- Efficiencies will be introduced to the risk management process, freeing resources to focus on proactive risk management, including verifying inputs received on the implementation of mitigations and finding response actions, training, risk initiative roll-out and communication (eliminating the use of manual Excel, which in itself is inherently risky as a tool).
- The tool will also assist with a reduction of the time, including the costs, of managing vendor risks and other third-party programs.
- An automated process to track, classify, respond to and route incidents as they occur organisation-wide will be introduced.
- The tool will make it possible to identify, organise, assess, escalate and mitigate risks across business units and domains. This will also provide a real-time, dynamic process to update the risk register as changes occur within the key risk indicators.
- The tool will help with the delivery of a secure, centralised, standardised and automated risk and policy life cycle management solution to the AGSA.
- The tool will empower risk managers, owners and champions with appropriate technology and knowledge to manage risks in an efficient and effective manner (risk taxonomy).
- The tool will assist in the creation of risk-based business responses to mitigate threats and vulnerabilities.