flexibility of wrm and the power of wrm
Post on 04-Oct-2021
1
Flexibility of WRM and
The Power of WRM
Bob Adderley
2
Risk Management (GRCA) are the starting point but you can add on
many other things including:
• Internal Audit
• Business Continuity Management
• Incident Management
• Policy Management
• Project Management
• Reporting
• Vendor Management
3
Internal Audit
Sample Dashboard Views
4
Audits grouped by planning periods
5
Assigned Tests grouped by status
6
View all Audit Findings
7
Risks across departments/business units
8
Regulations & linked Risks
9
Business Continuity Management
10
• Business Continuity Management is about managing disruption-related risk.
• Focus is on reducing the occurrence and scale of events that could cause
disruption, and building capacity to:
– Stabilise any disruptive effects as soon as possible
– Continue or quickly resume operations that are most critical to the
organisation’s objectives
– Expedite a return to normal operations and a full recovery
• WRM can be used as a Business Continuity Management (BCM) application,
integrated with ERM practices.
Purpose
11
Purpose
Determine business activity / processes to be analysed
Process Review
Prepare inventory list of controls / determine significance of disruption
Determine the case for risk treatment
Record and review contingency plan.
Add / Update Risk linked to Processes
Business Impact Analysis
Add / Update Risk & Control with impact of disruption
Add / Update Risk Treatment
Contingency Plan
12
• Business Impact Analysis (BIA) process
Purpose
13
Identify Critical Processes
14
BIA
15
BIA Results
16
Contingency Plans
17
Incident Management
18
Purpose
• Loss Events/Incidents Reporting is an integral part of risk management
• Various applications in risk management include:
– Loss Events reporting for Operational Risk Management in Financial Institutions
– Incident Reporting for healthcare organizations
– Occupational health and safety accident reporting
– Fraud / Irregularities reporting
• Step 1: Incidents are logged directly in the system
• Step 2: An investigation is then performed on the logged Incident
20
Logging Incidents
21
Fraud Incidents
22
Health and Safety Incidents
24
Incident Management
25
• This view presents users with a dashboard to input and analyse
Incidents, including those with Financial Impact
Incident Reporting
26
Policy Management
27
• The standard configuration and methods available have been
developed to meet the following high-level process.
Policy Management Process
Policy Creation
Policy Approval
Policy Attestation
Policy Creation
Policy Version
Policy Authoring
Policy Review
Policy Approval
Policy Publish
Policy Testing
Policy Attestation
28
• The Policy document allows you to define who is responsible for the policy and who can allow exemption requests
Policy Creation
29
• The main policy page allows the user to determine where the policy comes from (can point to external sources
if required). Note the Status of the policy as it moves through the workflow
Policy Version
30
Policy Review
31
Policy Approval
32
• Alerts with links for Policy Attestation are sent to the distribution list.
• The user reads the policy. On the next screen, they can sign off that they have read it. They can also request
an exemption if required.
Publication and Attestation
33
Project Management
34
Phases Summary
35
Summary of Impacts
36
Action Plan Summary
37
Project Overview
38
Project Quantification
39
UNITED KINGDOM UNITED STATES CANADA DUBAI AUSTRALIA NEW ZEALAND
SSRS Reporting Integration
40
PURPOSE
MS SQL Server Reporting Services (SSRS)
• MS SSRS is a reporting tool that is provided with MS SQL Server. Wynyard Risk Management (WRM)
allows for integration with SSRS using both a Reporting Component that can be added to the
Dashboard views, and a reporting menu command on Dashboard Lists
• SSRS reports are created using the standard SSRS Report Builder application (or other tools
compatible with SSRS)
External Reporting Interface (vERI)
• SQL view based approach which turns the Risk model into a number of views for reporting and data
extraction purposes
• Although only SSRS reports can be integrated into the WRM dashboard, these SQL views can be
used to create reports in other external reporting tools such as Crystal Reports, Business Objects or
Cognos
43
SAMPLE REPORTS - PARAMETERS
44
SAMPLE REPORTS - GRAPHS
45
SAMPLE REPORTS – PARENT REPORT
46
SAMPLE REPORTS – CHILD REPORT
47
Vendor Management
Sample Dashboard Views
48
Vendor Management Examples
• Vendor is an item type: just like a Risk, Control, Incident, etc…
• A Vendor can be linked to the information you’re already capturing
• Premise is we’ve loaded our Vendor details into WRM
• Ideally WRM sends alert email with link to Vendor
• Vendors log in and update their own details
• Vendor owners monitor status through dashboards
• Owners can assign questionnaires to the Vendors
• WRM emails link – Vendor completes questionnaire in WRM
• Vendors are linked to the Systems/Services they provide
• Systems are documented in WRM
• Vendors via Systems are linked to Risks, Controls, Objectives,
BCP items, etc…
49
Criticality and Spend
50
Vendor Details
51
Issues/Concerns/Criticality tied to Vendors/Systems
52
Contract Renewal Dates
53
54
Vendor Questionnaire Overview
58
Advantages of upgrading to WRM
59
o WRM Upgrade is an opportunity to:
o Improve the way our solution supports business needs
o Reduce the overhead and increase time for important work
o Engage with additional groups within your organization
o Share responsibility and ownership
o Tune up existing process, workflows and eliminate gaps
o Engage experts in directly managing the components of GRC
o Centralized, timely data: ease of monitoring, updating, reporting
o Flexible dashboards: analyze information in new ways
o Eliminate redundancy and duplicate effort
o Reduce overhead of chasing and collating data
Upgrading to WRM - Opportunity
60
• Advantages
– User friendly interfaces: easy to use, fewer errors, reduced training time
– Standardize approach: ensure consistent workflow across the enterprise
– Engage experts in directly managing the components of GRC
– Centralized, timely data: ease of monitoring, updating, reporting
– Flexible dashboards: analyze information in new ways
– Eliminate redundancy and duplicate effort
– Reduce overhead of chasing and collating data
Upgrading to WRM - Advantages
61
– Best approach is to treat this like a standard project
– Begin with Requirements Analysis
– Expand focus to what we’d like to be able to do, not limit ourselves to
what we are currently doing with ERA
– Engage the Subject Matter Experts throughout
– Including groups that aren’t going to use immediately
– Document all objectives and requirements:
– Immediate short term
– Medium term
– Long term
– Phased approach is best - Don’t boil the Ocean
Upgrading to WRM - Approach
62
Upgrading to WRM - Approach
63
Bob’s Winter Igloo Home
64
Case Studies - Recent WRM
Upgrades
65
• Top 20 on Fortune 500 > +125 billion $US in annual sales > 40,000
employees
• Used Excel to manage 4900 Controls, 7000 Tests.
• WRM provided centralized data store, simple security management and
direct access for external auditors.
• WRM’s configurable Methods designed for the users reduced training
1740 users to 2, 4 or 8 hour sessions depending on roles.
• Built complex testing calculations, deficiency workflow and inserted
bitmaps of testing calendars
International Pharma Co. Go-Live June 2015
66
• Leverage new features
• After using Kairos for over a year came up with a wish list for
improvements and extensions
• Desire to integrate other groups into using the solution
• And combine all of these improvements and expansion into the upgrade
International Pharma Co. Kairos – WRM: Motivation
67
• 1.5 billion in assets, 12 branches
• Upgraded from 5 users in version 7 to 48 in version 9.
• Documented controls on spreadsheets but couldn’t link to risks.
• WRM made linking easy and reduced redundancies
• Customisability of WRM made it possible to have more than just Risk
Officers updating items.
• Expanded WRM to include COSO, Vendor Management, Incident and
Complaints Management.
Banking and Trust Company Go-Live May 2015
68
• Recognition that there was a lot of overhead
– Wasted low value work chasing, correcting data
• Data was inaccurate
– WRM to improve quality
• Process was inconsistent
– WRM to standardize
• Desire to eliminate silos
– Centralize the data – reduce delays
Banking and Trust Company
69
• Risk data captured in spreadsheets, scores hard to aggregate up to
categories and processes
• WRM allows for clean data to be entered
• Use WRM to capture Tasks including department initiatives, process
improvements, directives from Leadership Committees.
• Dashboards created for committees/boards to track progress of the
tasks.
US Bank Go-Live January 2015
70