Flexibility of WRM and The Power of WRM. Bob Adderley

Transcription

1 Flexibility of WRM and The Power of WRM Bob Adderley 1

2 Risk Management (GRCA) are the starting point but you can add on many other things including: Internal Audit Business Continuity Management Incident Management Policy Management Project Management Reporting Vendor Management 2

3 Internal Audit Sample Dashboard Views 3

4 Audits grouped by planning periods. 4

5 Assigned Tests grouped by status 5

6 View all Audit Findings 6

7 Risks across departments/business units 7

8 Regulations & linked Risks 8

9 Business Continuity Management 9

10 Purpose Business Continuity Management is about managing disruption-related risk. Focus is on reducing the occurrence and scale of events that could cause disruption, and building capacity to: Stabilise any disruptive effects as soon as possible Continue or quickly resume operations that are most critical to the organisation s objectives Expedite a return to normal operations and a full recovery WRM can be used as a Business Continuity Management (BCM) application, integrated with ERM practices. 10

11 Purpose Determine business activity / processes to be analysed Process Review Prepare inventory list of controls / determine significance of disruption Determine the case for risk treatment Record and review contingency plan. Add / Update Risk linked to Processes Business Impact Analysis Add / Update Risk & Control with impact of disruption Add / Update Risk Treatment Contingency Plan 11

12 Purpose Business Impact Analysis (BIA) process 12

13 Identify Critical Processes 13

14 BIA 14

15 BIA Results 15

16 Contingency Plans 16

17 Incident Management 17

18 Purpose Loss Events/Incidents Reporting is an integral part of risk management Various applications in risk management include: Loss Events reporting for Operational Risk Management in Financial Institutions Incident Reporting for healthcare organizations Occupational health and safety accident reporting Fraud / Irregularities reporting Step 1: Incidents are logged directly in the system Step 2: An investigation is then performed on the logged Incident 18

19 Logging Incidents 20

20 Fraud Incidents 21

21 Health and Safety Incidents 22

22 Incident Management 24

23 Incident Reporting This view presents to the users a dashboard to input and analysis Incidents, including those with Financial Impact 25

24 Policy Management 26

25 Policy Management Process The standard configuration and methods available have been developed to meet the following high-level process. Policy Creation Policy Creation Policy Version Policy Authoring Policy Approval Policy Review Policy Approval Policy Publish Policy Attestation Policy Testing Policy Attestation 27

26 Policy Creation The Policy document allows you define who is responsible for the policy, who can allow exemption requests 28

27 Policy Version The main policy page allows the user to determine where the policy comes from (can point to external sources if required). Note the Status of the policy as it moves through the workflow 29

28 Policy Review 30

29 Policy Approval 31

30 Publication and Attestation Alerts with links for Policy Attestation are sent to the distribution list. The user reads the policy. On the next screen, they can sign off that they have read it. They can also request an exemption if required. 32

31 Project Management 33

32 Phases Summary 34

33 Summary of Impacts 35

34 Action Plan Summary 36

35 Project Overview 37

36 Project Quantification 38

37 SSRS Reporting Integration UNITED KINGDOM UNITED STATES CANADA DUBAI AUSTRALIA NEW ZEALAND 39

38 PURPOSE MS SQL Server Reporting Services (SSRS) MS SSRS is a reporting tool that is provided with MS SQL Server. Wynyard Risk Management (WRM) allows for integration with SSRS using both a Reporting Component that can be added to the Dashboard views, and a reporting menu command on Dashboard Lists SSRS reports are created using the standard SSRS Report Builder application (or other tools compatible with SSRS) External Reporting Interface (veri) SQL view based approach which turns the Risk model into a number of views for reporting and data extraction purposes Although only SSRS reports can be integrated into the WRM dashboard, these SQL views can be used to create reports in other external reporting tools such as Crystal Reports, Business Objects or Cognos 40

39 SAMPLE REPORTS - PARAMETERS 43

40 SAMPLE REPORTS - GRAPHS 44

41 SAMPLE REPORTS PARENT REPORT 45

42 SAMPLE REPORTS CHILD REPORT 46

43 Vendor Management Sample Dashboard Views 47

44 Vendor Management Examples Vendor is an item type: just like a Risk, Control, Incident, etc A Vendor can be linked to the information you re already capturing Premise is we ve loaded our Vendor details into WRM Ideally WRM sends alert with link to Vendor Vendors login and update their own details Vendor owners monitor status through dashboards Owners can assign questionnaires to the Vendors WRM s link Vendor completes qnaire in WRM Vendors are linked to the Systems/Services they provide Systems are documented in WRM Vendors via Systems are linked to Risks, Controls, Objectives, BCP items, etc 48

45 Criticality and Spend 49

46 Vendor Details 50

47 Issues/Concerns/Criticality tied to Vendors/Systems 51

48 Contract Renewal Dates 52

49 53

50 Vendor Questionnaire Overview 54

51 Advantages of upgrading to WRM UNITED KINGDOM UNITED STATES CANADA DUBAI AUSTRALIA NEW ZEALAND 58

52 Upgrading to WRM - Opportunity o WRM Upgrade is an opportunity to: o Improve the way our solution supports business needs o Reduce the overhead and increase time for important work o Engage with additional groups within your organization o Share responsibility and ownership o Tune up existing process, workflows and eliminate gaps o Engage experts in directly managing the components of GRC o Centralized, timely data: ease of monitoring, updating, reporting o Flexible dashboards: analyze information in new ways o Eliminate redundancy and duplicate effort o Reduce overhead of chasing and collating data 59

53 Upgrading to WRM - Advantages Advantages User friendly interfaces: easy to use, fewer errors, reduced training time Standardize approach: ensure consistent workflow across the enterprise Engage experts in directly managing the components of GRC Centralized, timely data: ease of monitoring, updating, reporting Flexible dashboards: analyze information in new ways Eliminate redundancy and duplicate effort Reduce overhead of chasing and collating data 60

54 Upgrading to WRM - Approach Best approach is to treat this like a standard project Begin with Requirements Analysis Expand focus to what we d like to be able to do, Not limit ourselves to what we are currently doing with ERA Engage the Subject Matter Experts throughout Including groups that aren t going to use immediately Document all objectives and requirements: Immediate short term Medium term Long term Phased approach is best - Don t boil the Ocean 61

55 Upgrading to WRM - Approach 62

56 Bob s Winter Igloo Home 63

57 Case Studies - Recent WRM Upgrades UNITED KINGDOM UNITED STATES CANADA DUBAI AUSTRALIA NEW ZEALAND 64

58 International Pharma Co. Go-Live June 2015 Top 20 on Fortune 500 > +125 billion $US in annual sales > 40,000 employees Used excel to manage 4900 Controls, 7000 Tests. WRM provided centralized data store, simple security management and direct access for external auditors. WRM s configurable Methods designed for the users reduced training 1740 users to 2, 4 or 8 hour sessions depending on roles. Built complex testing calculations, deficiency workflow and inserted bitmaps of testing calendars 65

59 International Pharma Co. Kairos WRM : Motivation Leverage new features After using Kairos for over a year came up with a wish list for improvements and extensions Desire to integrate other groups into using the solution And combine all of these improvements and expansion into the upgrade 66

60 Banking and Trust Company Go-Live May billion in assets, 12 branches Upgraded from 5 users in version 7 to 48 in version 9. Documented controls on spreadsheets but couldn t link to risks. WRM made linking easy and reduced redundancies Customisability of WRM made it possible to have more than just Risk Officers updating items. Expanded WRM to include COSO, Vendor Management, Incident and Complaints Management. 67

61 Banking and Trust Company Recognition that there was a lot of overhead Wasted low value work chasing, correcting data Data was inaccurate WRM to improve quality Process was inconsistent WRM to standardize Desire to eliminate silos Centralize the data reduce delays 68

62 US Bank Go-Live January 2015 Risk data captured in spreadsheets, scores hard to aggregate up to categories and processes WRM allows for clean data to be entered Use WRM to capture Tasks including department initiatives, process improvements, directives from Leadership Committees. Dashboards created for committee s/boards to track progress of the tasks. 69

63 70