Risk Control & Process Risk Management
Enterprise Process Center® (EPC) helps organizations be proactive rather than reactive in their risk control and process risk management strategies. Risk management is not only important to protect against disaster striking; by integrating controls into daily operations you can also ensure that quality standards are met and customer satisfaction is maintained. Additionally, there is nothing greater than the cost of “non-compliance”, so comprehensive risk and process transparency is a necessity to comply with laws and regulatory requirements such as Sarbanes-Oxley, Basel III, IMF, HIPAA, FDA, ISO 15000, among others. Within a single collaborative platform, EPC offers an area where analysts can identify, assess and prioritize risk mitigation plans, and auditors can schedule and then execute control audits and implement corrective action plans based on test results. Furthermore, by identifying key risk and control indicators and quantifying threshold limits, management can monitor measures to ensure policies are enforced and standards are maintained.
The EPC toolkit provides organizations with:
Total Risk Lifecycle Management
Risk Identification Library:
Risks of all levels can be documented, organized into library structures and communicated to stakeholders via the EPC. Users are able to capture not only the name of the risk but, just as importantly, all of its details, such as identifier (ID), description, type, category and responsible (RASCI-VS) resources. Risk attributes can be extended with custom properties that may be specific to your industry, compliance requirements and/or local laws. All risk details can be imported from or exported to Excel, and filtered and reported on by attribute.
Risk likelihood & impact assessment:
Analysts can indicate how likely certain risks are to occur as well as their impact on their organization. From this, risks are given a gross score for comparison and mitigation prioritization purposes.
Residual risk & action prioritization:
Risk priority levels readjust according to the controls that mitigate them. This provides users with a realistic “roll-up” view of the residual risk once one or many controls have been implemented.
Customizable Risk Matrix:
Organizations have the ability to adapt the EPC’s risk matrices according to their specific risk appetite. This includes everything from risk likelihood, impact, score, percentage, color and priority.
Child risk break-down (downstream impacts):
Macro risks can be decomposed into more targeted and manageable micro risks; risks that are specific to organizational units, processes, tasks or procedures. This makes them easier to identify, monitor and measure.
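The lifecycle described above (gross score from likelihood and impact, a customizable matrix mapping scores to priority and colour, residual score after controls, and roll-up of child risks into a parent) as an added example, not EPC's own code. The scoring formulas, the 1..5 rating scales, the matrix bands, the control effectiveness values and the sample risks are all assumptions constructed for illustration; the page does not specify how EPC computes its scores.

```python
from dataclasses import dataclass, field

# Assumed risk matrix: (lower bound inclusive, priority, colour). Adapt bands to risk appetite.
RISK_MATRIX = [(1, "Low", "green"), (5, "Medium", "yellow"),
               (10, "High", "orange"), (15, "Critical", "red")]
SCALE_MAX = 5 * 5  # likelihood and impact each rated 1..5 (assumed scale)

def classify(score, matrix=RISK_MATRIX):
    """Map a numeric score onto the organization's priority band and colour."""
    band = matrix[0]
    for lower, priority, colour in matrix:
        if score >= lower:
            band = (lower, priority, colour)
    return band[1], band[2]

@dataclass
class Control:
    name: str
    effectiveness: float      # assumed: fraction of the risk this control removes (0..1)
    kind: str = "preventive"  # or "detective"

@dataclass
class Risk:
    id: str
    name: str
    likelihood: int           # 1..5
    impact: int               # 1..5
    controls: list = field(default_factory=list)
    children: list = field(default_factory=list)

    def gross(self):
        """Gross score = likelihood x impact; child risks roll up by taking the maximum."""
        own = self.likelihood * self.impact
        return max([own] + [c.gross() for c in self.children])

    def residual(self):
        """Residual score: gross reduced by each mitigating control, applied multiplicatively."""
        own = self.likelihood * self.impact
        for ctl in self.controls:
            own *= (1 - ctl.effectiveness)
        return max([own] + [c.residual() for c in self.children])

    def percentage(self):
        """Residual risk as a percentage of the maximum possible score."""
        return round(100 * self.residual() / SCALE_MAX)

def exceeds_threshold(risk, limit):
    """Target threshold check: True when residual risk is still above the acceptable range."""
    return risk.residual() > limit

# Constructed sample register: a child (micro) risk under a parent (macro) risk.
access = Risk("R-01", "Unauthorised access to payroll system", likelihood=4, impact=5,
              controls=[Control("Quarterly access review", 0.5, "detective"),
                        Control("MFA enforced on payroll logins", 0.6)])
parent = Risk("R-00", "Payroll process failure", likelihood=2, impact=3, children=[access])
```

Running `classify(access.gross())` gives the "Critical" band, while `classify(access.residual())` drops to "Low" once both controls are applied; the parent's residual is then driven by its own uncontrolled score of 6.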
Process-oriented risk assessment and control
Process Visibility provides risk clarity:
Identifying what a risk is and where it resides within the organization can often be extremely challenging. EPC gives risk analysts and auditors clear end-to-end process visibility, which in turn simplifies the vexing effort of risk identification and evaluation.
Process & Task risk analysis:
Organizations can assess and document the severity of the same risk’s potential impact and likelihood for individual tasks and/or processes. Evaluating gross and residual risk per process and per task allows the organization to integrate risk control strategies into daily operations and adjust control levels based on an analysis of risk appetite versus control cost.
Communicate relevance of Controls:
A documented control brings no value to the organization if employees are not told specifically when and how to perform it. Control is not just for compliance; the EPC integrates the control into the business process, clarifying and communicating its objective, its importance and the procedure for implementing it to those responsible across the organization. Employees who understand why an action is performed execute it consistently, instead of treating it as an inefficient or redundant task.
Reusable risks and controls:
Users save time and avoid redundancy because a single risk or control can be modeled onto several objects simultaneously. This avoids the energy, time and money lost when repeatedly evaluating different instances of the same risk or control.
Clarify Key Control tasks:
Control strategies and action plans are often implemented to mitigate underlying risks. In many cases, however, the control that mitigates a given risk actually sits in a different process, and may even be performed by a different business unit. By clarifying which processes and tasks are controls that mitigate risks, analysts know not to remove a specific task, even if removing it would streamline the process, because the cost of the task is far less than the cost of the potential risk occurrence.
Integrated Control Management
One central control repository:
As controls can range from physical to IT-based measures and procedures, it can sometimes be difficult to hold them within one repository. The EPC can display, classify and associate controls to consolidate risk, quality and compliance management practices within a single system.
Rules and Controls:
Business rules can be put in place for countless reasons, such as keeping a competitive advantage or following regulatory requirements. Controls can also be set to ensure that these are respected and followed.
Control Attributes and Settings:
Analysts can indicate how often the control is executed, whether it is preventive or detective, performed manually or automatically, and more.
Organizations can monitor their controls through audits. The EPC can serve as a repository to help management document audit test plans, set recurrent audit schedules, evaluate their results, and implement corrective & preventive actions.
COSO ERM Framework:
The EPC can serve as a way to document each COSO component being attended to at the necessary level to reach a certain degree of strategic, operational, reporting and/or compliance alignment. This is especially relevant to finance-oriented enterprises seeking to reach or maintain Sarbanes-Oxley or Basel III compliance.
Reports can be extracted from the EPC to evaluate each control’s effectiveness at maintaining a certain standard.
Risk and Control Monitoring
Key risk and control indicators:
Risks and controls can be better managed by associating both qualitative and quantitative measures to them. Process Risk Management can use more than one source to detect risks, ensure that rules are followed and assess risk control effectiveness.
Measure by Risk and Control objective:
Users can compile related risk and control indicators into one section. These containers can be marked as an objective that must be attained.
As risk and control indicators can be either high or low level measurements, their significance can be interpreted and visualized through a hierarchy diagram.
Target threshold setting:
Users can set control limits to evaluate whether a measure is within an acceptable range or not. Through this, they can know exactly when a certain action is required to rectify an issue.
Analysts can also include which assets the measurement data is to be extracted from.