RISK MANAGEMENT IMPLEMENTATIONS

Many users deploy VA in order to analyze the risks and exposures inherent
in their business objectives and processes. Whether for a single business
unit or the organization as a whole, business objectives are identified
and input to VA. Next, the obstacles (or risks) to the successful achievement
of each objective are identified and input. Then, for each risk, activities
that have or should have been put in place to mitigate exposure to that
risk (i.e., Controls) are identified and input. Finally, tests of the
identified controls are designed and input at the test-level.

One of VA's largest users, a U.S. banking concern, has deployed VA throughout
its operating units to perform continuous risk assessments of its operating
landscape.
- They have created an Entity structure that defines the company's subsidiaries
and, within each of these, the groups, divisions, and departments.
- Discrete assessment types have been developed for each entity type (e.g., group,
division, and department), each focusing on risk at different levels.
For example, group assessments focus their risk assessments at the
highest level - giving emphasis to the strategic objectives encompassed
in the group mission. Division assessments focus on the business objectives,
and departmental assessments burrow down into the greatest level of
detail, focusing on the operational processes.
- To accomplish these assessments, teams have been created that partner
entity managers with facilitators from the Operational Risk Management
("ORM") unit as well as advisors from Accounting, Internal
Audit, Legal, and Compliance. The team is charged with creating the
assessment content or Knowledgebase (KB) as it is called in VA. The
ORM facilitator trains and guides the entity managers in the KB creation
process and involves the team advisors, when appropriate, to ensure
that the assessments will be complete and that there is uniformity
throughout the organization.
- Once the KB is completed, the entity managers perform the actual assessment
by providing the required answers to the question set. The solution
focuses on risk so that in performing the assessment, the team is
responsible for estimating both the impact and likelihood of each
risk and exposure, and the risk threshold for the business unit.

The following diagram illustrates the process tasks:

Once completed throughout the organization, senior management will have the
ability to see at a glance its entire organization along with the level
of risk and exposure inherent to each entity within it. VA's drill-down
capability permits easy access to assessment details and remedial action
plans related to particular out-of-tolerance conditions. In addition
to reviewing all risks and exposures within the organization, management
can now also see its risks classified across alternate frameworks such
as the categories of risk employed by regulators.

The speed at which such a deployment can yield large-scale results depends
on the resources assigned to such a project. There is clearly an upfront
time commitment required to train users and prepare the assessment content.
Subsequent assessments, however, require very little additional time
- just review and adjust the assessment content (KB) for currency, then
provide the appropriate, updated responses.

Despite the upfront time requirement, such an approach is overwhelmingly
viewed as a worthwhile investment. Senior management has a new, aggregated
view of the organization that helps manage strategic, business, and
process risks. Unit managers clearly buy into the process as the typical
control-evaluation exercise has now been transformed to couple control
functioning with risk - the risk that they will or will not meet their
business objectives with direct impact on how senior management will
review their performance. Internal audit and compliance are typically
pleased with the process, as their concerns are incorporated into the
assessments from the beginning, and VA provides them with the tool to
perform and document their independent testing of the controls.