

FUNCTIONALITY


It is important to note that VA is not a tool for managing specific risks; rather, it aggregates the data that shows where an organization has specific risks and what the current estimated exposures to those risks are. It provides a "heat map" of the organization and permits drill-down to the specifics of an exposure, along with any captured plans to improve the risk/exposure imbalance.
See the color-coded example Heat Map.
The process of performing continuous assessments using complex risk/control frameworks can be overwhelming. VISUAL Assurance was developed to give organizations a tool that will accommodate the increasing complexity and sheer volume of assessment data, and make the continuous use of control frameworks a more efficient process capable of yielding more useful results.

VISUAL Assurance precepts and concepts...

VA is a powerful database program that helps the user define and collect risk and control data within the organization and use this data to build assessments of the risks and controls. Three distinct components of the VISUAL Assurance system work together to accomplish this: the Entity Structure, the Knowledgebase Libraries, and the Assessments.

The Entity Structure

The Entity Structure is a hierarchical representation of the organization; it's how VA "sees" the organization being assessed. This structure is built by the user and is therefore completely customizable. Many users choose to have the entity structure resemble their corporate organizational chart, with the various subsidiaries, groups, divisions and departments forming the layers of the structure. Others organize the entity structure in other ways, for example geographically or by product or service line.

Entity Structure

The best way to organize the structure depends on how you would like the information to be summarized and reported back, remembering that assessments are attached to the entities. An example entity structure is pictured above. It shows the global enterprise with two companies owned by that enterprise, one of which is broken down further into branch offices and departments.

Knowledgebases & Knowledgebase Libraries

Knowledgebase Libraries make up the second part of the VA system. Knowledgebases contain the content that is used to perform the assessment of the entities in the Corporate Structure. A knowledgebase library is simply a collection of knowledgebases on a certain subject. For example, one could create several knowledgebases, each designed to assess compliance with the securities laws (e.g., The 40 Act, the Advisors Act, etc.). These could all be kept in a "Securities" library. Most users create their own, customized knowledgebase content - specific to their organization and the entities being assessed.

A knowledgebase is structured in five tiers, as detailed below. These tiers or levels are identical to those in the assessments. Through VA's authoring facility, the user creates the content for each of the level items. Notice that each of the five functional levels is composed of text fields and attributes. The authoring facility can also be used to modify existing knowledgebases, whether to customize a purchased or independently developed knowledgebase or to update existing knowledgebases to reflect changes in the organization being assessed.

The linked example illustrates the structure of the knowledgebase.

Knowledge Bases

VA currently ships with a tutorial knowledgebase to help you get started. Kilclare and its partners offer other knowledgebases relating to particular industries or treating particular topics of general interest.

Assessments & The Assessment Process

The entity structure represents the business units being assessed and the knowledgebase libraries contain the content of that assessment. To bring these two together, we take a knowledgebase and assign it to a specific entity. By doing this, we create the third part of the VA system - the Assessment. Another way to describe these elements would be to say that the knowledgebase is the set of questions we want answered, the entity is who we are asking, and the assessment is their responses. While the content of each assessment may vary widely depending on the subject matter, the basic process of conducting an assessment remains consistent for all assessments. Each assessment consists of five levels: Area, Objective, Risk, Consideration, and Test.

The following formula is the basic premise behind assessments in VA:

For every Objective: Risk - Control = Exposure

Assessment Levels

Level 1 - Area

Areas are broad categories into which the organization's objectives can be categorized. Areas are buckets for organizing objectives.

Level 2 - Objective

When an area has been defined, its Objectives - the first part of our formula - are listed beneath it. Objectives are defined as "key activities or strategies that must take place to ensure success for the organization." When the objectives for an area have been defined, we then turn our attention toward the Risks to our objectives.

Level 3 - Risk (or Compliance Summary)

Within VA, risks are defined as "threats that an event or action will adversely affect an organization's ability to achieve its business objectives and execute its strategies successfully." Risks make up the third level of an assessment. After being identified, each risk is assessed and measured in terms of overall impact and likelihood of occurrence.

Level 4 - Consideration (Control)

Considerations (or Controls) are defined as "actions or activities that decrease the impact of a risk or the likelihood of its occurrence and increase the likelihood of achieving an objective." After risks have been identified and rated at the third level of the knowledgebase, we move to the fourth level and assess the listed considerations (or controls) that have been put into place to mitigate the effects of the risk. The rating scale, which is completely customizable during knowledgebase authoring, can be in the form of Yes, No, or Part: Yes, it is effective; No, it is not effective; or Part, it is partially effective. Once the considerations at the fourth level have been rated for effectiveness, we return to the third level to give the risks a second rating, this time for Exposure. Exposure is defined as "the residual level of risk after all controls have been taken into consideration." Like risk, exposure is measured in terms of impact and likelihood. These exposure ratings flow up from the risk level and are reflected at the objective level. From the objective level, they flow up through the area level to the overall assessment, and then on to the specific entity that is being assessed.
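
The rating and roll-up described above, as an added Python example that is not Kilclare's code: it checks each risk's ratings against Risk - Control = Exposure and rolls exposure up to the entity. The 1-3 scale, the impact x likelihood score, the worst-case (max) roll-up, the colour bands and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    impact: int          # inherent rating, assumed scale 1 (low) to 3 (high)
    likelihood: int
    controls: dict       # consideration -> "Yes" | "No" | "Part"
    exp_impact: int      # exposure (residual) rating entered after controls
    exp_likelihood: int

def inherent(r):         # assumed score: impact x likelihood, 1-9
    return r.impact * r.likelihood
def exposure(r):
    return r.exp_impact * r.exp_likelihood

def band(score):         # assumed heat-map colour bands
    return "green" if score <= 2 else "amber" if score <= 4 else "red"

def inconsistencies(r):  # ratings that contradict Risk - Control = Exposure
    effective = [c for c, v in r.controls.items() if v in ("Yes", "Part")]
    issues = []
    if exposure(r) > inherent(r):
        issues.append("exposure exceeds inherent risk")
    if exposure(r) < inherent(r) and not effective:
        issues.append("exposure reduced with no effective control")
    return issues

def roll_up(node):       # worst-case exposure; Risks are leaves, dicts are tiers
    if isinstance(node, Risk):
        return exposure(node)
    return max((roll_up(child) for child in node.values()), default=0)

def findings(node):      # every inconsistent risk below a node, keyed by name
    if isinstance(node, Risk):
        issues = inconsistencies(node)
        return {node.name: issues} if issues else {}
    return {k: v for child in node.values() for k, v in findings(child).items()}

# Constructed sample: entity -> area -> objective -> risks.
ASSESSMENT = {"Branch Office A": {"Information Security": {
    "Protect customer records": {
        "r1": Risk("Unauthorised access", 3, 3, {"MFA": "Yes", "Access review": "Part"}, 3, 1),
        "r2": Risk("Unpatched servers", 3, 2, {"Patch policy": "No"}, 2, 1)},
    "Keep services available": {
        "r3": Risk("Single data centre", 2, 2, {"DR site": "Part"}, 2, 1)}}}}

def heat_map(tree):
    return {entity: band(roll_up(areas)) for entity, areas in tree.items()}
```

Here the entity shows amber on the heat map, while `findings(ASSESSMENT)` flags "Unpatched servers": its exposure was rated below its inherent risk although its only control is rated "No".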

Level 5 - Test

A test level makes up the fifth level of the assessment. This test level is available so that, after all of the risk, control, and exposure assessments have been made, an independent group (like Internal Audit) can access the system and do testing on the controls to validate the assertions made about their effectiveness. These tests are optional, and may be performed on all or only a select number of controls.

Summary

By looking at the graphic High Risk, we can see that when assessments are conducted, areas of high exposure are identified. Once the organization knows where some of these problems are, steps can be taken to reduce the exposure, which in turn results in fewer surprises. In this section, we've covered some of the background that drove the development of VISUAL Assurance and introduced the fundamental concepts behind the system.
