
ACL GRC

Risk Management
Usage Guide
May, 2013

Copyright 2013 ACL Services Ltd. All rights reserved.


No part of these materials may be reproduced, stored in a retrieval system, or transmitted, in any
form or by any means (photocopying, electronic, mechanical, recording, or otherwise), without
permission in writing from the publisher, except by a reviewer who may quote brief passages in a review.
These materials may not contain all the information, or the most current information relevant to your
situation or intended application.
Version 1.1, May 2013
ACL Services Ltd.
1550 Alberni Street Vancouver,
BC Canada V6G 1A5
Telephone: +1-604-669-4225
E-mail: info@acl.com
Web: www.acl.com
ACL, and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other
trademarks are the property of their respective owners.

Important

Terms, conditions, features, service offerings, and prices referenced in this document are subject to
change without notice. We at ACL Services Ltd are committed to bringing you great online services.
Occasionally, we may decide to update our selection and change our product and service offerings, so
please check at www.acl.com for the latest information, including pricing and availability, on our
products and services.

Table of Contents
Welcome to ACL GRC Risk Management! ... 4
How Does ACL GRC Support Your ERM Process? ... 4
Overview of Enterprise Risk Assessment Methodology ... 6
Getting Started: Configure Your System ... 7
Set Up Your Org Map ... 10
Overview of System Methodology: States & Flow ... 12
How do I Assess Risks? ... 13
Accepted or Unactionable Risk ... 19
Audit or Action Risk ... 19
Continuous Audit or Automate Action of Risk ... 20
Mitigated: completed mitigation efforts ... 21
Filters for Risk Profile and Visualize Reports ... 21
Risk Mitigation Planning Integrated in Project Manager ... 22
Associating Risks with Projects (Risk Mitigation Planning) ... 23
The Mitigation Project List ... 23
Associate Projects to Mitigation Efforts ... 23
Associating Results with Tests in Project Manager ... 24
Finding generated from linked Control Test ... 26
Risk Track: Aggregated Issues & Data ... 27
Technical Requirements ... 28
Where to Find More Information ... 28
Have Questions or Feedback? ... 28

Welcome to ACL GRC Risk Management!


ACL GRC helps executives and risk managers catalog, assess, prioritize and communicate enterprise risks
across the leadership team. It provides a simple, straightforward way to capture and maintain a
complete view of risks across the organization, track the risks that are most important, and plan audit
and risk mitigation projects for the greatest impact.
Key capabilities of ACL GRC risk management discussed in this guide include:

One clear view of the risk landscape: users can categorize and track risks by critical
characteristics, organizational structure and mitigation approach.
Assess and prioritize risks: supports COSO, ISO 31000 and most risk management frameworks.
Zero in on the details: rich capabilities for keyword tagging, searching and time-based
filtering.
Identify, quantify and act on issues: seamless, visual integration between the enterprise-level
risk profile, audit and risk mitigation projects, project findings, test results and remediation
activity.

The purpose of this guide is to provide Audit, Risk and other GRC leadership professionals tasked with
Enterprise Risk Management (ERM) with how-to guidance on applying these functionalities to automate
your risk management process with ACL GRC.

How Does ACL GRC Support Your ERM Process?


Figure 1 illustrates the overall methodology that's built into ACL GRC. From left to right:

Risk Manager is used to assess and manage enterprise risks, and to associate risks with mitigation
efforts and projects in Project Manager. For Internal Audit, this process would be used by audit
leaders to determine the annual audit plan, but the same would apply to any assurance group
outside of audit as well.
Projects in Project Manager could be assessments, investigations, examinations, or pure audit
engagements. While annual assessments tend to be common, organizations are moving
towards a dynamic and ongoing process, and Risk Manager is designed to support that real-time
assessment so you can action critical risks that require immediate mitigation efforts.
Results Management provides the detailed data analysis that's needed to support project
findings, provide insight into issues, and ultimately inform ongoing assessment and disposition
of enterprise risk.

Fig 1: Overall ACL GRC Methodology Flow

Overview of Enterprise Risk Assessment Methodology


Risk Manager is designed to support most enterprise risk management (ERM) methodologies in use
today. Examples include the COSO and ISO 31000 frameworks, as well as in-house frameworks created in
response to enterprise risk management initiatives.
In general, all risk assessment methodologies include some way of identifying strategic risks,
categorizing and rating those risks and managing them throughout their lifecycle. Risk Manager
accommodates different methodologies with a flexible system of category and thematic tags to help you
organize and document risks, and provides a choice of 3 x 3 (COSO), 5 x 5 (ISO 31000) or 10 x 10 scoring
models to help you assess the impact and likelihood of risks. Most organizations manage risks on a
quarterly to yearly cycle; Risk Manager includes the ability to manage the risk portfolio continuously and
dynamically as the organization changes, but is equally useful if you perform an annual risk assessment
to drive out your annual audit plan for internal audit groups, or the list of engagements to mitigate
enterprise risk for other assurance groups.

Fig 2: Risk Assessment Methodology

Gather Raw Input: Align with Management and Organizational Objectives


Risk Manager is designed to help you document and manage your organization's risk portfolio, and
associate high-priority risks with audit and assurance projects in ACL GRC Project Manager. Figure 2
illustrates a typical approach to this process. Before using Risk Manager you should be prepared with
some initial information about your risk environment. This information should include an understanding
of your organization's business processes, reporting and/or assurance entities, a list of the risks you
have identified, and a basis for arriving at likelihood and impact ratings for each of these risks. Most
importantly, this process allows Audit, Risk and GRC leaders to align with management and their
organizational objectives to ensure the assurance work that is performed adds the most value to the
enterprise.

To assemble this information, most risk assessment leaders would perform some or all of the following
activities outside of the system:

Interview C-suite executives
Interview business unit leaders
Hold assessment workshops with C-suite / VPs
Distribute risk self-assessment surveys
Collate internal and external sources of information to drive risk identification and grading.

Risk Manager is very flexible, so you can continuously update your risk assessments as the organization
evolves, risk assessments change, and new risks are identified. You don't need a complete
understanding of your risk portfolio to get started.

Overview of Risk Configuration Methodology and Steps


To get up and running with Risk Manager, you will need to work through eight steps, from core system
settings through to managing your risk portfolio by the state of each risk:

1. Configure Your System & Related Settings
2. Set Up Your Org Map
3. Overview of System Screens, States & Flow
4. Create, Assess & Score Your Risks
5. Accepted State: for risks that are acceptable and fall within your risk tolerance
6. Audit State: for risks that you choose to address through an audit plan; create your list of
projects to perform in your audit plan
7. Continuously Monitor State: for risks that you choose to address by continuous monitoring;
create a list of projects monitored by automated analytics
8. Mitigated State: for risks that can be mitigated by existing/assigned resources and capabilities.

Getting Started: Configure Your System


To start, all users will be administrators with full read/write permissions and access to Settings. There
are additional roles available for executives or other business leaders who may need or want read-only
access; for example, read-only with collaborative access to Comments and no access to System Settings.
Those roles are optional and only for GRC groups that want or need to extend that functionality to
collaborate with executives or management leaders.

Manage and Add Users


The Manage Users screen allows you to add and remove users and set user roles.

Figure 3: Manage Users

+ Add: Click the Add button to add a new user.
Email address: Enter the email address of the user to add.
Full name: Enter the full name of the user to add.
Add an optional message: Enter an optional message, which will display in the activation email.
Send invite: Click Send invite to add the user.
Cancel: Click to cancel the add process; changes are not saved.
User Name, Email: Once users are added to the system they are listed on the Manage Users page
with the username and email address of each user.
Status: Shows the state of the user. Newly added users are in a state of Pending until they click
their activation link and become Active.
Remove: Remove Risk Manager access for the user.
Role: Assign the user role: Admin, Executive or Reviewer.

Set the Scoring System


The system currently supports three scoring frameworks and cannot be customized at this time. Please
select one framework for the entire system. Please note: switching scoring frameworks will reset the risk
scoring on all risks, so each risk will need to be re-scored on the basis of the new setting.

3x3 scoring to support a COSO risk framework; [1-3] x [1-3] for likelihood x impact
5x5 scoring to support an ISO 31000 risk framework; [1-5] x [1-5] for likelihood x impact
10x10 scoring; [1-10] x [1-10] for likelihood x impact

Manage Your Tags


Tags can be applied to individual risks for additional searching and filtering capability, and add
a third dimension to your Org Map, applied at the Risk level. This page is about managing tags:
creating new tags, or modifying or deleting existing ones. Examples of how tags can be used:

Create tags with a materiality value based on < 1MM, > 1MM, > 5MM, > 10MM
Assign an executive owner to a risk by name or title, e.g. CEO, CFO, COO, CIO, CAE
Assign a risk as Strategic, Operational, Financial or External
Assign a risk as SOX related
Assign any of the elements of the COSO cube for tracking
Assign strategic elements from the executive agenda
Assign additional entities such as Regions, Business Units, Divisions, or Locations

Add new tag: Type a value in the field and press Enter to create the tag.
Delete existing tag: Click the x in the tag value to delete it.
Search for tag to modify: Type the tag name in the search field.

Set Up Your Org Map


The Org Map is meant to model your organization at the highest level, and is comprised of a major
category, such as Regions, Business Units, Divisions or Locations mapped to a minor category, such as
business processes, functional or operational areas, auditable or assurance areas, projects, or strategic
elements.
Hover on an entity or process, and its associations will be highlighted.

Figure 4: GRC Map

Add a new entity

Figure 5: Add Entity

+ Add: Click to add a new entity.
Title: Enter a title for your entity. Keep titles brief.
Choose a Business Process: Click the field; once you have business processes in your universe,
they will be available in a smart drop-down list to associate with the entity.
Save: Click Save to save the entity.
Cancel: Click Cancel to close the field; nothing is saved.


Add a new process

Figure 6: Add Process

+ Add: Click to add a business process.
Title: Enter a title for your process. Keep titles brief.
Choose an auditable entity: Click the field; once you have entities in your universe, they will be
available in a smart drop-down list to associate with your process.
Save: Click Save to save the new process.
Cancel: Click Cancel to close the field; nothing is saved.

Expand / Collapse Toggle


Use the expand/collapse toggle to view the associations within an entity or process, and click the
x on the respective associated item to remove it from the expanded view.

Figure 7: Expand Tiles in GRC Map


Overview of System Methodology: States & Flow

Fig 8: Risk Assessment Flow and States

Risk Profile
The Risk Profile is meant to be the one screen that leaders use to create, assess, and assign risks to
different risk states. Ultimately, the highest-impact risks to the organization would help drive out the
annual or quarterly audit/project plan, although the system is designed to support a dynamic risk
assessment process that could be used throughout the year, as risks are raised and projects are assigned.

Figure 9: Risk Profile screen


States & Flow


Each state is represented by a column on the Risk Profile screen. Risks can be dragged from one state to
another based on their assessment and your risk tolerance:

Assess: create new risks to be scored and assessed
Accepted: risks that lie within the organization's risk tolerance or are unactionable
Audit: risks that require resources and projects assigned to address them
Continuous Audit: risks that may be addressed by automated analytics
Mitigated: risks that have been mitigated by completing projects, or that have
controls/programs/resources already in place to mitigate them

Drag & drop tips


Each risk is represented by a tile in its respective state. To drag a tile from one state [column] to
another, place your mouse over it and the cursor will turn into the four-arrows icon. Left click your mouse
to select the tile and drag it to the desired state with the mouse button depressed; slightly overlap the
tile with the desired location in the new state, and when a dashed border with a shadowed background
appears you can drop it in place. The tile can be freely moved to re-order it once inside a state by
following the same steps, or dragged to another state when needed for what-if scenarios.

Figure 10: Risk tile drag and drop

Toggle to Hide or View State


Simply click the blue buttons to toggle a state, represented by a column on the screen, between
visible and hidden. This allows users to maximize the real estate of the screen. For instance, if automated
analytics are not yet used to perform entire projects, then simply toggle that state/column to the hidden
view.

How do I Assess Risks?


Create Risks
Click the + button to add a new risk. You must enter a title, you can optionally add a description, and
optionally select the business processes from your audit universe which the risk impacts. Click save. A
risk is represented by a Risk Tile in the Risk Profile.

Risk Tile
Each Risk Tile corresponds to one documented risk. Risk assessment, risk tracking and associated
mitigation efforts are all accessed through the Risk Tile.

Figure 11: Risk tile expanded

Score and Heat %: Displays the Risk Score and Risk Heat, visible in both expanded and collapsed
states for easy comparison.
Risk Title: The title of the Risk is displayed on the tile in collapsed and expanded states.
Expand/collapse icon: Click the icon to expand or collapse the Risk Tile.
Description: Field describing the risk.
Assess button: Click Assess to open the Risk Modal for scoring and other functions.
Edit button: Click Edit to modify the title or description fields.
Track button: Click Track to display issues and exceptions associated with the risk. (Requires
association of the risk's mitigation efforts with projects in Project Manager, and optionally tests in
Results Manager, discussed later in this guide.)
Delete link: Click Delete to delete the Risk from the system.
Mitigation Efforts: Click the + button to add mitigation efforts (i.e. risk mitigation projects) to the
Risk Tile. Risk mitigation planning is discussed later in this guide.


Assessing the Risk


Once saved, a risk can be assessed: open the risk tile and click the Assess button.
Overview Tab
The overview tab displays the risk score, risk heat, description, and tags that have been attached to the
risk, the detailed likelihood and impact scoring, and the mapped business processes. The risk state can
be changed to accepted or mitigated via the dropdown boxes at the upper right.

Figure 12: Assess Modal

Title: To edit the title, open the risk tile and double click the title field, edit the title and click
Save.
Accept: This field can be used to set a risk to the Accepted state; the system will prompt for a
duration: 1mo; 1 quarter; 1 year; Permanent; Future Date. The system will automatically move the
risk back to Assess at the end of all durations except Permanent.
Mitigate: This field can be used to set a risk to the Mitigated state; the system will prompt for a
duration: 1mo; 1 quarter; 1 year; Permanent; Future Date. The system will automatically move the
risk back to Assess at the end of all durations except Permanent.
x: Click to close the risk modal.
Risk Score: Sum of the aggregated score by entity.
Risk Heat: Calculated by dividing the Risk Score by the total highest score across all entities using
the scoring system. If there are 5 entities using a 3x3 scoring system, 13/45 = 29%.
Description: To edit the description, open the risk tile and double click the title field, edit the
description and click Save.
Tags: Apply tags to risks for additional filtering ability.
Auditable Entities: Entities are listed automatically based on the business processes selected. Risks
are scored against each entity and process.
Likelihood: The scoring system selected in System Settings determines whether the scores are 3x3,
5x5 or 10x10.
Impact: The scoring system selected in System Settings determines whether the scores are 3x3, 5x5
or 10x10.
Entity Score: Simply the score for likelihood x the score for impact.
Processes: Add a process by clicking the field and selecting a process from the drop-down list.
Remove a process by clicking the x of an existing process in the field.

Comments Tab
The comments tab provides the ability to add a comment and/or add an attachment to the risk.
Attachments might include detailed documentation of a risk, risk assessment survey results or other
evidence to support the assessment and disposition of the risk.

Figure 1: Comment box

Add comment: Type in the "make a comment or attach a file" field. Comments are required, even
when only attaching a file.
Choose File: To attach a file, click Choose File and select the file from your network directory.
Post: Click Post to save the comment / attachment.
Cancel: Click Cancel to close the add comment field; changes will not be saved.
Comment / Attachment toggle: To view all attachments without comments, click the paper icon. To
view comments, click the caption icon.
Delete file: Click the attachment toggle and click Delete for the selected file.

History Tab
The history tab displays the history of each risk as it moves through the risk profile states. History can
be filtered by state, user, and date.

Figure 2: History Tab

Filter by state: Each creation or change in state creates an item in the History log. Users can
additionally filter by state.
Filter by user: The user that performed the action item in the log is captured, and can be
additionally filtered.
Filter by date: The date on which the action item was performed.

Visualize Risks
Org Heatmap
The Org Heatmap illustrates where in the organization the clusters of risks lie once they have been
assessed. The bubbles are clusters of individual risks that impact the same process and entity.

Figure 3: Org Heatmap

The order of processes down the vertical and entities across the horizontal are dictated by the order of
each in the audit universe. To change order simply drag and drop the respective tile to a preferred
location in the audit universe, which will manifest in the Heatmap.
How to interpret the Org Heatmap:

The size of a bubble indicates the volume of clustered risks
The color of a bubble indicates the severity of the clustered risks. There are 10 bands of color, each
representing a 10% range; risks within each range will be the same color, with green being the lowest
severity and red being the highest severity
Score: hover on a bubble to see the aggregated score
View risks by clicking on a bubble
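The scoring arithmetic described in the Assess Modal table (Entity Score, Risk Score, Risk Heat) and the 10-band Org Heatmap coloring above, as an added worked example that is not ACL's code. It assumes Risk Heat is rounded to a whole percent and that the band colors are a linear green-to-red ramp, since the guide names only the end colors; the portfolio of five entities is constructed to reproduce the guide's 13/45 = 29% illustration.

```python
"""Model of Risk Manager's scoring arithmetic (added example, not ACL code).

Stated in the guide: Entity Score = likelihood x impact on a 3x3, 5x5 or 10x10
grid; Risk Score = sum of entity scores; Risk Heat = Risk Score divided by the
highest possible score across all entities (5 entities on 3x3: 13/45 = 29%);
the Org Heatmap uses 10 color bands of 10%, green lowest and red highest.
Assumed here: heat is rounded to a whole percent, and band colors are a
linear green-to-red ramp.
"""
from dataclasses import dataclass
from typing import Iterable

# The three scoring frameworks that can be set system-wide in Settings.
SCORING_MODELS = {"3x3": 3, "5x5": 5, "10x10": 10}


@dataclass(frozen=True)
class EntityRating:
    """One risk's likelihood and impact rating against one auditable entity."""
    entity: str
    likelihood: int
    impact: int


def entity_score(rating: EntityRating, model: str) -> int:
    """Likelihood x impact, after checking both values lie on the chosen grid."""
    grid_max = SCORING_MODELS[model]
    for name, value in (("likelihood", rating.likelihood), ("impact", rating.impact)):
        if not 1 <= value <= grid_max:
            raise ValueError(f"{rating.entity}: {name}={value} is outside 1..{grid_max} on {model}")
    return rating.likelihood * rating.impact


def risk_score(ratings: Iterable[EntityRating], model: str) -> int:
    """Risk Score: the sum of the entity scores."""
    return sum(entity_score(r, model) for r in ratings)


def risk_heat(ratings: list, model: str) -> int:
    """Risk Heat: whole-percent share of the highest score all rated entities could reach."""
    grid_max = SCORING_MODELS[model]
    ceiling = len(ratings) * grid_max * grid_max
    if ceiling == 0:
        return 0  # a risk with no rated entities has no heat yet
    return round(100 * risk_score(ratings, model) / ceiling)


def heat_band(heat_pct: int) -> int:
    """Org Heatmap band 0..9; each band covers 10%, and 100% falls in the top band."""
    if not 0 <= heat_pct <= 100:
        raise ValueError(f"heat {heat_pct}% is not a percentage")
    return min(heat_pct // 10, 9)


def band_colour(band: int) -> str:
    """Constructed green-to-red ramp: band 0 is pure green, band 9 pure red."""
    if not 0 <= band <= 9:
        raise ValueError(f"band {band} is outside 0..9")
    red = round(255 * band / 9)
    green = 255 - red
    return f"#{red:02x}{green:02x}00"


# Constructed portfolio reproducing the guide's 13/45 = 29% illustration:
# five entities on the 3x3 model, one rated 3 x 3 and four rated 1 x 1.
GUIDE_EXAMPLE = [
    EntityRating("Corporate", 3, 3),
    EntityRating("Region East", 1, 1),
    EntityRating("Region West", 1, 1),
    EntityRating("Shared Services", 1, 1),
    EntityRating("Treasury", 1, 1),
]


def guide_example() -> dict:
    """Score, heat and heatmap band for the constructed portfolio above."""
    heat = risk_heat(GUIDE_EXAMPLE, "3x3")
    band = heat_band(heat)
    return {"score": risk_score(GUIDE_EXAMPLE, "3x3"), "heat": heat,
            "band": band, "colour": band_colour(band)}


if __name__ == "__main__":
    print(guide_example())
```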

Risk Heatmap
The Risk Heatmap illustrates your enterprise risks in relation to each other plotted in a risk quadrant of
likelihood by impact, in order of each individual Risk Heat expressed as a %.


Figure 16: Risk Heatmap

Accepted or Unactionable Risk


For risks that are within your organization's risk tolerance, audit and risk leaders will assign those risks to
the Accepted state. When accepting risks, the system will prompt you to choose the duration to accept the
risk for, with the options being: 1mo; 1 quarter; 1 year; Permanently; or Future Date [calendar picker]. For
all durations except Permanent, the system will move that Accepted risk back to the Assess state upon
expiry of the set duration.
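The duration rule described here and in the Accept / Mitigate rows of the Assess Modal table, as an added model that is not ACL's code. The guide gives the options and the return-to-Assess behaviour; the month lengths (1 quarter = 3 months, 1 year = 12), end-of-month clamping, and treating the expiry date itself as the first Assess day are assumptions, and the sample portfolio is constructed.

```python
"""Model of the Accept / Mitigate duration rule (added example, not ACL code).

Stated in the guide: durations are 1mo, 1 quarter, 1 year, Permanent or a
Future Date, and a risk returns to Assess when its duration expires, except
for Permanent. Assumed here: 1 quarter = 3 months, 1 year = 12 months, a day
past the end of the target month is clamped to that month's last day, and the
risk is back in Assess on the expiry date itself.
"""
import calendar
from datetime import date
from typing import Optional

DURATION_MONTHS = {"1mo": 1, "1 quarter": 3, "1 year": 12}
HELD_STATES = ("Accepted", "Mitigated")


def add_months(start: date, months: int) -> date:
    """Calendar-month addition; 31 Jan + 1 month gives the last day of February."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def return_to_assess_on(set_on: date, duration: str,
                        future_date: Optional[date] = None) -> Optional[date]:
    """Date on which the risk moves back to Assess; None means it never does."""
    if duration == "Permanent":
        return None
    if duration == "Future Date":
        if future_date is None or future_date <= set_on:
            raise ValueError("Future Date needs a calendar date after the date the state was set")
        return future_date
    if duration not in DURATION_MONTHS:
        raise ValueError(f"unknown duration {duration!r}")
    return add_months(set_on, DURATION_MONTHS[duration])


def state_on(today: date, held_state: str, set_on: date, duration: str,
             future_date: Optional[date] = None) -> str:
    """State the Risk Profile shows on a given day: the held state, or Assess once it lapses."""
    if held_state not in HELD_STATES:
        raise ValueError(f"durations apply only to {HELD_STATES}, not {held_state!r}")
    expiry = return_to_assess_on(set_on, duration, future_date)
    if expiry is None or today < expiry:
        return held_state
    return "Assess"


def due_for_reassessment(risks: list, today: date) -> list:
    """Titles of risks whose Accepted/Mitigated duration has lapsed by today."""
    return [r["title"] for r in risks
            if state_on(today, r["state"], r["set_on"], r["duration"],
                        r.get("future_date")) == "Assess"]


# Constructed sample: decisions recorded during a May 2013 assessment.
SAMPLE_RISKS = [
    {"title": "FX exposure", "state": "Accepted",
     "set_on": date(2013, 5, 31), "duration": "1mo"},
    {"title": "Vendor master changes", "state": "Mitigated",
     "set_on": date(2013, 5, 15), "duration": "1 quarter"},
    {"title": "Legacy system sunset", "state": "Accepted",
     "set_on": date(2013, 5, 15), "duration": "Permanent"},
    {"title": "Regulatory filing", "state": "Accepted",
     "set_on": date(2013, 5, 15), "duration": "Future Date",
     "future_date": date(2013, 12, 31)},
]


if __name__ == "__main__":
    for day in (date(2013, 6, 29), date(2013, 6, 30), date(2013, 8, 15), date(2014, 1, 1)):
        print(day, due_for_reassessment(SAMPLE_RISKS, day))
```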

Audit or Action Risk


The Audit state is for enterprise risks that lie outside your organization's risk tolerance and for which
you want to action mitigation efforts in a coming period, such as when developing your annual audit plan.

Assign Risks via Drag and Drop


To assign to this state, drag and drop the Risk to the Audit state column.

Create Project

Mitigation Efforts +: Click the + button to open the create form.
Add new Mitigation Effort: Type a unique name in the title field and click Save. Each Risk can only
contain one unique Mitigation Effort, but the same Mitigation Effort can be added to many Risks.
Select existing Mitigation Effort: Click the title field to display the list of existing mitigation
efforts and select an existing name from the list, or type the name and click Save. You can associate
one mitigation effort with many Risks.
Save: Click Save to assign the Project name to the Risk.
Cancel: Click Cancel to remove the text from the field and close the form.

Figure 4: Create Mitigation Efforts in Risks

Edit Mitigation Effort


Click the Edit icon on the Project to change the title or description.

Delete Mitigation Effort


Click the trash icon on the Project to delete it from the Risk.

Continuous Audit or Automate Action of Risk


The Continuous Audit state is for enterprise risks to which you can assign automated analytics for
continuous monitoring of transactions. If you don't perform automated or recurring analytics, you can
turn off this column system-wide from your Settings link.


Mitigated: completed mitigation efforts


The Mitigated state is for enterprise risks where the mitigation effort is completed, such as when all
projects are completed for a given risk, or where the risk already has a control, program, or resource in
place to mitigate it.

Assign Risks
To assign to this state, drag and drop the Risk from any other state/column, or open the Assess modal
and select duration under the Mitigate field in the top right corner.

Remove Risks
Risks can be removed from this state by drag and drop to another state.

Filters for Risk Profile and Visualize Reports


Click the Filter tab in the Risk Profile screen to expand the filter bar. You can perform the following
filters that will apply to both your Risk Profile and Reports.

Keyword search
By tag
By Risk Heat, using the slider
By History: go back to last quarter's or last year's assessment to see trending in your reports
By Entity or Process


Risk Mitigation Planning Integrated in Project Manager


A unique and key feature of ACL GRC is the ability to link and associate information about high-level
enterprise risks, specific risk mitigation efforts (or projects), controls and test results together across the
platform. The following diagram illustrates the linkages that are available in ACL GRC, working from risk
management mitigation efforts (projects) through to project-level risks, controls and control tests,
through to analytic results generated by ACL Analytics or ACL Analytics Exchange.


Associating Risks with Projects (Risk Mitigation Planning)


Risk mitigation planning is configured in ACL GRC Project Manager, in the Organization Planning area.

The Mitigation Efforts defined in the Audit or Continuous Audit columns can be thought of as the
desired list of projects for your assurance group to perform in the coming year (the annual audit plan),
next quarter or on an on-going basis to support SOX and other compliance efforts.

The Mitigation Project List


The Risk Mitigation Planning page displays the mitigation efforts defined by your leadership team
through the Risk Manager process.
The Risk Mitigation Planning page in Project Manager is designed for management and staff to plan,
build, and execute their respective projects. The projects themselves will be built or re-used within
Project Manager, but a critical step is to associate projects within Project Manager to the Risk Mitigation
Efforts, so that issues and data exception results can be aggregated back into the Enterprise Risk for
quantitative weighting and tracking.

Associate Projects to Mitigation Efforts


Click a Mitigation Effort to associate one or many engagements within Project Manager. Any
engagement that is associated will have its issues [Findings] aggregated to a respective Risk.


Associating Results with Tests in Project Manager


Once the analysis is set up and the result is available in Results Manager, it's possible to give Project
Manager users visibility and access to the detailed test and remediation status information in Results
Manager. This is accomplished by linking a control test in Project Manager with one or more analysis
results. The association and linking step is performed from Project Manager. To associate a result,
navigate to the relevant test in the Fieldwork area of your audit or control testing program. At the foot
of the test page, click the Link Data Analysis button and select one or more analyses to link. To save
the link, click the Save Link button and close the analysis selection window.


You are now able to view the title of the analysis and the number of transactions in Project Manager,
and click on the link to view the detailed result table in Results Manager.

Finding generated from linked Control Test


When a Control Test is linked to a Data Test, and a finding is generated from that Control Test page, the
corresponding Finding will display the number of records identified in the data test and provide a link to
drill down to the data test.


Risk Track: Aggregated Issues & Data


Risk tracking is another unique and defining feature of ACL GRC. It is the ability to aggregate and
display, against the underlying enterprise risks, the findings and issues arising from audit and other types
of risk mitigation projects, together with exceptions arising from detailed data analysis. Risk tracking is
available once projects have been associated with the risk mitigation efforts defined in the Risk Profile
screen. Click the Track button in a project tile to view the issues and transactions associated with the risk.


Technical Requirements
ACL GRC supports the following browsers:

Google Chrome
Mozilla Firefox (v3 and later)
Internet Explorer 9 or 10 [compatibility view must be turned off]
Safari
Internet Explorer 8 [compatibility view must be turned off]

ACL recommends having one other modern browser installed in addition to one of the IE browsers for a
superior experience. There are sometimes browser-specific issues, and having another browser available
allows your team to continue working uninterrupted.
Note: IE7 is not a supported browser; nor are IE8, IE9 or IE10 when compatibility view is turned on.
Compatibility view is a simple toggle that can be turned on and off with a single click.
Flash is required in order to attach files, but most browsers come with Flash installed. If you are
unsure whether you have Adobe Flash installed, you can use the following page to check if it is available
on your computer, copy and paste the following link into your browser:
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html

Where to Find More Information


ACL GRC will continuously evolve in response to customer feedback over the coming months and as we
build out ACL's product roadmap. As new features and improvements are added, details will be
documented and posted on acl.com.
We look forward to receiving your comments and feedback as you begin to work with ACL GRC!

Have Questions or Feedback?


Please contact us:
grc@acl.com
Kris Hutton, Product Manager
Nigel Matthews, Product Marketing Manager

