flexibility of wrm and the power of wrm

1

Flexibility of WRM and

The Power of WRM

Bob Adderley

2

Risk Management (GRCA) are the starting point but you can add on

many other things including:

• Internal Audit

• Business Continuity Management

• Incident Management

• Policy Management

• Project Management

• Reporting

• Vendor Management

3

Internal AuditSample Dashboard Views

4

Audits grouped by planning periods

.

5

Assigned Tests grouped by status

6

View all Audit Findings

7

Risks across departments/business units

8

Regulations & linked Risks

9

Business Continuity Management

10

• Business Continuity Management is about managing disruption-related risk.

• Focus is on reducing the occurrence and scale of events that could cause

disruption, and building capacity to:

– Stabilise any disruptive effects as soon as possible

– Continue or quickly resume operations that are most critical to the

organisation’s objectives

– Expedite a return to normal operations and a full recovery

• WRM can be used as a Business Continuity Management (BCM) application,

integrated with ERM practices.

Purpose

11

Purpose

Determine

business activity

/ processes to

be analysed

Process Review

Prepare inventory

list of controls /

determine

significance of

disruption

Determine the

case for risk

treatment

Record and

review

contingency

plan.

Add / Update

Risk linked to

Processes

Business

Impact

Analysis

Add / Update

Risk & Control

with impact of

disruption

Add / Update

Risk Treatment

Contingency

Plan

12

• Business Impact Analysis (BIA) process

Purpose

13

Identify Critical Processes

14

BIA

15

BIA Results

16

Contingency Plans

17

Incident Management

18

Purpose

• Loss Events/Incidents Reporting is an integral part of risk management

• Various applications in risk management include:

– Loss Events reporting for Operational Risk Management in Financial Institutions

– Incident Reporting for healthcare organizations

– Occupational health and safety accident reporting

– Fraud / Irregularities reporting

• Step 1: Incidents are logged directly in the system

• Step 2: An investigation is then performed on the logged Incident

20

Logging Incidents

21

Fraud Incidents

22

Health and Safety Incidents

24

Incident Management

25

• This view presents to the users a dashboard to input and analysis

Incidents, including those with Financial Impact

Incident Reporting

26

Policy Management

27

• The standard configuration and methods available have been

developed to meet the following high-level process.

Policy Management Process

Policy

Creation

Policy

Approval

Policy

Attestation

Policy

Creation

Policy

Version

Policy

Authoring

Policy

Review

Policy

Approval

Policy

Publish

Policy

TestingPolicy

Attestation

28

• The Policy document allows you define who is responsible for the policy, who can allow exemption requests

Policy Creation

29

• The main policy page allows the user to determine where the policy comes from (can point to external sources

if required). Note the Status of the policy as it moves through the workflow

Policy Version

30

Policy Review

31

Policy Approval

32

• Alerts with links for Policy Attestation are sent to the distribution list.

• The user reads the policy. On the next screen, they can sign off that they have read it. They can also request

an exemption if required.

Publication and Attestation

33

Project Management

34

Phases Summary

35

Summary of Impacts

36

Action Plan Summary

37

Project Overview

38

Project Quantification

39

UNITED KINGDOM UNITED STATES CANADA DUBAI AUSTRALIA NEW ZEALAND

SSRS Reporting Integration

40

PURPOSE

MS SQL Server Reporting Services (SSRS)

• MS SSRS is a reporting tool that is provided with MS SQL Server. Wynyard Risk Management (WRM)

allows for integration with SSRS using both a Reporting Component that can be added to the

Dashboard views, and a reporting menu command on Dashboard Lists

• SSRS reports are created using the standard SSRS Report Builder application (or other tools

compatible with SSRS)

External Reporting Interface (vERI)

• SQL view based approach which turns the Risk model into a number of views for reporting and data

extraction purposes

• Although only SSRS reports can be integrated into the WRM dashboard, these SQL views can be

used to create reports in other external reporting tools such as Crystal Reports, Business Objects or

Cognos

43

SAMPLE REPORTS - PARAMETERS

44

SAMPLE REPORTS - GRAPHS

45

SAMPLE REPORTS – PARENT REPORT

46

SAMPLE REPORTS – CHILD REPORT

47

Vendor ManagementSample Dashboard Views

48

Vendor Management Examples

• Vendor is an item type: just like a Risk, Control, Incident, etc…

• A Vendor can be linked to the information you’re already capturing

• Premise is we’ve loaded our Vendor details into WRM

• Ideally WRM sends alert email with link to Vendor

• Vendors login and update their own details

• Vendor owners monitor status through dashboards

• Owners can assign questionnaires to the Vendors

• WRM emails link – Vendor completes qnaire in WRM

• Vendors are linked to the Systems/Services they provide

• Systems are documented in WRM

• Vendors via Systems are linked to Risks, Controls, Objectives,

BCP items, etc…

49Criticality and Spend

50Vendor Details

51Issues/Concerns/Criticality tied to Vendors/Systems

52Contract Renewal Dates

53

54Vendor Questionnaire Overview

58

UNITED KINGDOM UNITED STATES CANADA DUBAI AUSTRALIA NEW ZEALAND

Advantages of upgrading to WRM

59

o WRM Upgrade is an opportunity to:

o Improve the way our solution supports business needs

o Reduce the overhead and increase time for important work

o Engage with additional groups within your organization

o Share responsibility and ownership

o Tune up existing process, workflows and eliminate gaps

o Engage experts in directly managing the components of GRC

o Centralized, timely data: ease of monitoring, updating, reporting

o Flexible dashboards: analyze information in new ways

o Eliminate redundancy and duplicate effort

o Reduce overhead of chasing and collating data

Upgrading to WRM - Opportunity

60

• Advantages

– User friendly interfaces: easy to use, fewer errors, reduced training time

– Standardize approach: ensure consistent workflow across the enterprise

– Engage experts in directly managing the components of GRC

– Centralized, timely data: ease of monitoring, updating, reporting

– Flexible dashboards: analyze information in new ways

– Eliminate redundancy and duplicate effort

– Reduce overhead of chasing and collating data

Upgrading to WRM - Advantages

61

– Best approach is to treat this like a standard project

– Begin with Requirements Analysis

– Expand focus to what we’d like to be able to do, Not limit ourselves to

what we are currently doing with ERA

– Engage the Subject Matter Experts throughout

– Including groups that aren’t going to use immediately

– Document all objectives and requirements:

– Immediate short term

– Medium term

– Long term

– Phased approach is best - Don’t boil the Ocean

Upgrading to WRM - Approach

62

Upgrading to WRM - Approach

63Bob’s Winter Igloo Home

64

UNITED KINGDOM UNITED STATES CANADA DUBAI AUSTRALIA NEW ZEALAND

Case Studies - Recent WRM

Upgrades

65

• Top 20 on Fortune 500 > +125 billion $US in annual sales > 40,000

employees

• Used excel to manage 4900 Controls, 7000 Tests.

• WRM provided centralized data store, simple security management and

direct access for external auditors.

• WRM’s configurable Methods designed for the users reduced training

1740 users to 2, 4 or 8 hour sessions depending on roles.

• Built complex testing calculations, deficiency workflow and inserted

bitmaps of testing calendars

International Pharma Co.Go-Live June 2015

66

• Leverage new features

• After using Kairos for over a year came up with a wish list for

improvements and extensions

• Desire to integrate other groups into using the solution

• And combine all of these improvements and expansion into the upgrade

International Pharma Co.Kairos – WRM : Motivation

67

• 1.5 billion in assets, 12 branches

• Upgraded from 5 users in version 7 to 48 in version 9.

• Documented controls on spreadsheets but couldn’t link to risks.

• WRM made linking easy and reduced redundancies

• Customisability of WRM made it possible to have more than just Risk

Officers updating items.

• Expanded WRM to include COSO, Vendor Management, Incident and

Complaints Management.

Banking and Trust Company Go-Live May 2015

68

• Recognition that there was a lot of overhead

– Wasted low value work chasing, correcting data

• Data was inaccurate

– WRM to improve quality

• Process was inconsistent

– WRM to standardize

• Desire to eliminate silos

– Centralize the data – reduce delays

Banking and Trust Company

69

• Risk data captured in spreadsheets, scores hard to aggregate up to

categories and processes

• WRM allows for clean data to be entered

• Use WRM to capture Tasks including department initiatives, process

improvements, directives from Leadership Committees.

• Dashboards created for committee’s/boards to track progress of the

tasks.

US BankGo-Live January 2015

70