<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DoubleCheck Software LLC</title>
	<atom:link href="http://www.doublechecksoftware.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.doublechecksoftware.com</link>
	<description>GRC Governance Risk Compliance Audit Software</description>
	<lastBuildDate>Thu, 02 May 2013 13:04:19 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>DoubleCheck Monthly Newsletter:  May &#8217;13&#8230;SOX Controls Assurance:  Direct Testing vs. Self-Assessment…Pros &amp; Cons?</title>
		<link>http://www.doublechecksoftware.com/sox-controls-assurance-direct-testing-vs-self-assessmentpros-cons/</link>
		<comments>http://www.doublechecksoftware.com/sox-controls-assurance-direct-testing-vs-self-assessmentpros-cons/#comments</comments>
		<pubDate>Thu, 02 May 2013 13:00:35 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>
		<category><![CDATA[Assessments]]></category>
		<category><![CDATA[Control Testing]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=407</guid>
		<description><![CDATA[This question arises frequently in my conversations with senior Audit and Compliance executives. The answer for each organization depends upon a myriad of factors, including organizational structure, geographic disbursement, staffing levels and management philosophy (centralized vs. decentralized). For now, I intend to address the pros/cons of each approach, recognizing that success is defined as identifying [...]]]></description>
				<content:encoded><![CDATA[<p>This question arises frequently in my conversations with senior Audit and Compliance executives. The answer for each organization depends upon a myriad of factors, including organizational structure, geographic dispersion, staffing levels and management philosophy (centralized vs. decentralized). For now, I intend to address the pros/cons of each approach, recognizing that success is defined as identifying and fixing issues and, ultimately, providing appropriate assurance that the firm is in compliance while minimizing time and money spent.</p>
<p><strong><span style="text-decoration: underline;">Direct Testing:</span></strong></p>
<p>In its simplest form, testing is done to confirm that Controls are functioning properly. As Ronald Reagan once said “trust, but verify”. This is at the heart of SOX Compliance; ensuring and certifying that the organization has sufficient “Internal Controls over Financial Reporting”.</p>
<p>However, the SOX regulations don’t dictate how to meet that standard. Direct testing of key controls by independent parties is generally the most reliable (and usually the most expensive) way to confirm a control is performing properly. And while other organizations provide frameworks and guidance (COSO, COBIT, etc.), there is great latitude in the actual way to test.<br />
Companies implement testing programs in different ways.</p>
<p>For example, some large firms have a separate Internal Controls staff, removed from Internal Audit. Others have Internal Auditors do the SOX testing, with the actual responsibility for SOX compliance remaining with the Business Owners (generally within the Controller’s group). I’m sure there are other combinations and permutations of these options, but they all still end up doing “testing”.</p>
<p>Geographically dispersed organizations (global footprint) will often use the concept of “Peer testing” to augment lower staffing levels and reduce travel costs. Here, trained staff will conduct tests of Controls outside their area of responsibility (and outside their normal work duties). This might be Controller A testing controls in Controller B’s business unit, B’s testing C’s, etc. Or, the actual testing may be delegated to a trained tester within each Controller’s department.</p>
<p>Another approach, with additional costs, is to co-source the international testing to a 3rd party accounting/advisory firm with a local presence overseas. This method is also employed by some firms for non-financial controls testing (e.g., IT Controls, PCI, etc.), regardless of the location.</p>
<p>For any of these methods of testing, you want a system (like that offered by DoubleCheck™) that provides the capability for designing, scheduling and managing the tests. It should also include the ability to execute specific test plans, collect and archive appropriate evidence, and share the findings, as appropriate, with management for review. The chosen system should also enhance your capability to follow up after audits and to confirm that agreed-to management actions have been executed.</p>
<p><strong><span style="text-decoration: underline;">Self-Assessments:</span></strong></p>
<p>Self-Assessments are the other means many firms use to confirm that Controls are performing to expectations. This method requires that the organization trusts the Control Owners to police themselves, principally by responding to a set of specific questions designed to determine compliance based on the subject matter knowledge of the control owners.</p>
<p>By their very nature, self-assessments can carry more potential risk than direct testing. You are asking the person to potentially report a deficiency that they might be blamed for. It also requires an organizational culture that pushes tasks down the chain of command and encourages delegation and personal responsibility.</p>
<p>That said, some of that risk can be mitigated by requesting documentation support for the responses or doing random testing of some of the Controls after the self-assessment response is received. Once again, “trust but verify”.</p>
<p>The key advantage of self-assessments vs. direct testing is savings in cost and time. If you have a system like the DoubleCheck™ GRC &amp; Audit Platform, you have unlimited FREE licenses for self-assessment respondents. This can add up to a substantial savings in staff, lost productivity (when Peer testing diverts time from normal duties), travel costs and User license fees. Self-assessments can also be very costly in man-hours if you try to do it just with Word/Excel, using manually-generated email notifications and manual response integration and analysis processes.</p>
<p>One key feature that DoubleCheck™ offers when doing assessments is the ability to perform what is called “Branching Assessments”. Often when executing a self-assessment, depending on the answer, you may want to ask follow up questions. For example, if (and only if) a respondent answers a question “No” for which the preferred answer is “Yes” (e.g., “Is this Control still working?”), the system can ask any number of follow up questions to help the assessment manager understand that “No” answer. It can even require an answer in the “Comment” field of the Assessment before the system will allow the response to be submitted.</p>
<p>Many organizations use Self-Assessments to supplement direct testing or help determine what the direct testing plan should be. Others use it for virtually all their SOX Compliance work. For either approach, you benefit from relying on a platform that provides the capability for designing, scheduling, managing and scoring individual assessments.</p>
<p>Assessments can also be integrated with other risk and compliance data. Issues or concerns can be forwarded immediately, as needed, or as scheduled, to appropriate individuals for awareness or action. The DoubleCheck™ Assessment Center also ensures that all respondents do in fact respond, or the system will follow up automatically and escalate as appropriate.</p>
<p>So, what is the correct balance between direct testing and self-assessments of SOX Controls? That answer will vary company by company, but now you have some of the factors to consider when making that decision.</p>
<p>Best regards,</p>
<p>Paul Fine<br />
Director of Marketing &amp; Business Development<br />
DoubleCheck LLC<br />
Atlanta, GA USA<br />
Phone: 770-565-8616<br />
Mobile: 678-360-2851<br />
www.doublechecksoftware.com<br />
www.doublechecksoftware.com/news/newsletters</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/sox-controls-assurance-direct-testing-vs-self-assessmentpros-cons/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleCheck™ Monthly Newsletter:  April ‘13&#8230;“Are you still depending upon Spreadsheets for your SOX Controls Testing?”</title>
		<link>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-april-13-are-you-still-depending-upon-spreadsheets-for-your-sox-controls-testing/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-april-13-are-you-still-depending-upon-spreadsheets-for-your-sox-controls-testing/#comments</comments>
		<pubDate>Mon, 01 Apr 2013 13:43:14 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[Sarbanes-Oxley]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=398</guid>
		<description><![CDATA[Would you be surprised to learn how many Fortune 1000 companies (or even Fortune 100 companies for that matter), are still using spreadsheets for their SOX Controls testing and documentation activities?  I find examples of that environment every day.  Now, I know Excel can be a multi-faceted tool in properly trained hands, but who has [...]]]></description>
				<content:encoded><![CDATA[<p>Would you be surprised to learn how many Fortune 1000 companies (or even Fortune 100 companies for that matter), are still using spreadsheets for their SOX Controls testing and documentation activities?  I find examples of that environment every day.  Now, I know Excel can be a multi-faceted tool in properly trained hands, but who has time to go through a 1,000 page training manual (yes, I saw an Excel 2013 book that size at Barnes &amp; Noble last weekend)?  I believe there is a more efficient and productive way to perform those SOX tasks.</p>
<p>Case in point…We have all probably faced working with a spreadsheet that had literally hundreds (or a thousand?) rows and dozens or more columns.  The lack of ease in identifying the key data cells and ensuring they were updated correctly and linked to appropriate sub-forms and workpapers was both time-consuming and had an inherently high level of risk for data corruption associated with it.  And if the spreadsheet was created by someone else, the maintenance of the formulas was a mistake waiting to happen.</p>
<p>Similarly, an inordinate amount of time/man hours can be spent trying to export data from multiple spreadsheets into a template report format to be delivered to the Audit Committee or Board.  Do you find spreadsheets to be the most efficient tool to use for the collection and dissemination of important information to Senior Management on a regular basis?  I would suggest “maybe not”.</p>
<p>I sometimes hear from the executives in charge of SOX (e.g., VP-IA, VP-IC, Controller, etc.) that they already have an automated solution to “share” documents between testers, reviewers, approvers, issue owners, etc.  This is not the same as having a single electronic repository of DATA.  DATA is not the same thing as DOCUMENTS.  If the data is available in its simplest form (data points), and is housed in an architecture that allows for relational linkage and reporting, then you can truly share INFORMATION.</p>
<p>Importantly, you can then re-configure the various data elements to create a report that is specific to the needs of each individual user (e.g., Tester), or user group (e.g., Process Owners), rather than just sharing a general spreadsheet that then has to be interpreted or re-formatted by the user.  And if you can do this without requiring IT to help you, it becomes even more convenient.</p>
<p>Understand, I have nothing against the use of spreadsheets per se.  I use them myself on a daily basis.  But they are just one tool, like many others in your toolbox.  If the task is relatively simple and doesn’t require multiple human touchpoints (remember the need for Version Control), then spreadsheets might be sufficient.</p>
<p>But if your objective is to make all key data available to the appropriate people (with varying levels of security access), keep a complete audit trail of any changes to the data, view previous versions of the document, manage the data and tasks/issues via an automated workflow (with notifications to appropriate parties) and have the ability to run and share reports on both a scheduled and ad hoc basis without requiring IT support, then you may want to consider a more robust automation solution.  You should find that a more efficient SOX Controls process conducted within an automated platform will free up your staff to take on more value-added responsibilities, thereby increasing YOUR overall productivity and value to the organization.</p>
<p>Best regards,</p>
<p>Paul Fine<br />
Director of Marketing &amp; Business Development<br />
Atlanta, GA  USA<br />
Phone:  770-565-8616<br />
Mobile:  678-360-2851<br />
<a href="http://www.doublechecksoftware.com/">www.doublechecksoftware.com</a><br />
<a href="http://www.doublechecksoftware.com/news/newsletters">www.doublechecksoftware.com/news/newsletters</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-april-13-are-you-still-depending-upon-spreadsheets-for-your-sox-controls-testing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleCheck Monthly Newsletter:  March &#8217;13&#8211;“GRC &amp; Audit Software…Do you get it prix fixe or ala carte?”</title>
		<link>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-march-13-grc-audit-softwaredo-you-get-it-prix-fixe-or-ala-carte/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-march-13-grc-audit-softwaredo-you-get-it-prix-fixe-or-ala-carte/#comments</comments>
		<pubDate>Thu, 28 Feb 2013 18:55:06 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=374</guid>
		<description><![CDATA[As GRC &#38; Audit software developers, we often are braced with an initial screening question from Buyers before we even learn what their key requirements are… “what does your software cost?”.  At that stage of the process, I am often tempted to respond “it depends…you want fries with that?”.  However, flippancy seldom results in a [...]]]></description>
				<content:encoded><![CDATA[<p>As GRC &amp; Audit software developers, we often are braced with an initial screening question from Buyers before we even learn what their key requirements are… “what does your software cost?”.  At that stage of the process, I am often tempted to respond “it depends…you want fries with that?”.  However, flippancy seldom results in a sale, so let’s address this inevitable question within a common framework we are all familiar with… ordering at a restaurant.</p>
<p>There are two main schools of thought when acquiring new software, GRC &amp; Audit or most other types for that matter.  Do you want to select an all-inclusive Platform at a set price (prix fixe) or pick and choose what features you want from a “menu” (ala carte)? </p>
<p>For example, when you order at McDonald’s, you might tend to buy a selection from the Value Meal menu (prix fixe).  In fact, McDonald’s and other fast food companies went to this approach to avoid putting cashiers in the position of “cross-selling” the customer (the famous “you want fries with that” line).  This approach tends to work best when the purchased item is relatively low in price and there is minimal risk of making a bad decision (because you are familiar with the choices).</p>
<p>On the other hand, if you are dining at a fine Steak House (e.g., Morton’s, etc.) you are going to be presented a menu where EVERYTHING is priced separately.  You want a potato with that steak, that’s extra.  You want creamed spinach, that’s extra.  This pricing model tends to work better when the purchased item is higher in cost, the buyer is less familiar with the product (how often do you eat at a place like this?) and there is the potential for more “blowback” if your add-ons put you over your approved budget (e.g., someone questions your expense report).</p>
<p>Coming back to the software acquisition scenario, the increasingly prevailing preference, based on our experience, is Buyers seek to purchase those features needed immediately, but want to acquire a Platform that is scalable into other areas later as need and acceptance of the new product grows.</p>
<p>Thus, a CAE can acquire a solution to manage traditional audit activities (e.g., Planning, Scheduling, EWP, Issue Tracking &amp; Notifications, Risk Assessments, etc.) and later scale into Controls Testing for SOX Compliance or ERM.  Under this pricing model, you are only paying for what you need when you need it.  Seems like a pretty reasonable model and one most Buyers are seeking.</p>
<p>A corollary menu analogy is a little less clear however.  Specifically, what are the non-licensing costs of acquiring and implementing the GRC &amp; Audit software?  Some vendors will quote a price and say it includes “implementation and training”.  Others, like DoubleCheck™, break out the Implementation and Training costs ala carte, so the Buyer knows what they are getting and what they are paying for it.  The inherent uncertainty of the “prix fixe” model of pricing the ancillary services is not knowing what is actually included in the generic term “implementation and training”. </p>
<p>Questions you should ask the vendors before signing that contract include:</p>
<ol>
<li>What services are included in your Implementation?
<ol type="a">
<li>Configuration to Client’s RACM vs. importation of the vendor’s template?</li>
<li>Importation of data to populate the system (or does the Client do that?)</li>
<li>Creation/importation of Client’s audit, test and assessment templates?</li>
<li>Creation/importation of Client’s key reports?</li>
</ol>
</li>
<li>What type of training is included in this quote?
<ol type="a">
<li>On site or WebEx?</li>
<li>How many days/hours of training?  Cost of extra time?</li>
<li>Remedial training after implementation?</li>
</ol>
</li>
<li>What Post-Implementation Customer Support is provided in this quote?
<ol type="a">
<li>Configuration of additional reports?</li>
<li>Modified workflows?</li>
<li>Configuration of additional assessments or tests?</li>
</ol>
</li>
</ol>
<p>You should only pay for what you need, but you should also make sure to get what you need for that price.  Add-ons, upsells, extra professional services fees, etc. can quickly make what appears to be an inexpensive prix fixe “Value Meal” into a very expensive ala carte Steak Dinner.  Ask questions; be sure of the answers.  Don’t get surprised after the meal is bought and the check arrives; all you’ll get then is indigestion.</p>
<p>Best regards,</p>
<p>Paul Fine<br />
Director of Marketing &amp; Business Development<br />
DoubleCheck LLC<br />
Atlanta, GA  USA<br />
1-888-299-3980<br />
pfine@doublechecksoftware.com</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-march-13-grc-audit-softwaredo-you-get-it-prix-fixe-or-ala-carte/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleCheck™ Monthly Newsletter:  Feb ‘13: “Are you managing your Issues or just tracking them?”</title>
		<link>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-feb-13-are-you-managing-your-issues-or-just-tracking-them/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-feb-13-are-you-managing-your-issues-or-just-tracking-them/#comments</comments>
		<pubDate>Mon, 04 Feb 2013 13:53:06 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[Incident Management]]></category>
		<category><![CDATA[Issue Management]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=338</guid>
		<description><![CDATA[Here at DoubleCheck™, we have been seeing an increased interest from a variety of organizations in an automated solution to help “track” a myriad of Issues.  These issues can be generated by SOX Control Test failures, Audit findings, RAC Audits, IT Security Incidents, Risk Events, etc.  The common theme expressed during initial discussions is a [...]]]></description>
				<content:encoded><![CDATA[<p>Here at DoubleCheck™, we have been seeing an increased interest from a variety of organizations in an automated solution to help “track” a myriad of Issues.  These issues can be generated by SOX Control Test failures, Audit findings, RAC Audits, IT Security Incidents, Risk Events, etc.  The common theme expressed during initial discussions is a desire/need to be able to track the progress of the resolution or mitigation of these Issues.</p>
<p>However, once we begin drilling into the specific workflow and outcome these organizations are seeking, it becomes apparent that mere “tracking” of the Issues is insufficient.  They must be able to document, assign responsibility, track progress, report on, and scope the potential impact; a full management process.  They have learned (or will quickly learn) that a manual approach to this workflow-oriented Issue Management process is difficult, time-consuming and error-prone.</p>
<p>Common capabilities these organizations are seeking, regardless of their industry, include being able to:</p>
<ul>
<li>Create and describe issues</li>
<li>Score issues based on impact, urgency or other criteria</li>
<li>Store and access documents and evidence associated with the Issue</li>
<li>Optionally have issues reviewed before formally accepted</li>
<li>Assign issues to appropriate responsible parties</li>
<li>Capture ongoing status, response and remediation actions, losses or related information</li>
<li>System-based follow up until the resolution is completed, reviewed and accepted</li>
<li>Visibility of information: Role-based reports and notifications delivered on schedule or ad-hoc based on urgency</li>
</ul>
<p>A key impetus in this increasing interest in managing the Issue process is that various government regulations are increasingly coming into play if certain types of Issues are not identified, reported and remediated in a timely fashion.  Failure to meet specified due dates can result in heavy fines, censure, negative publicity, etc. for the firm. </p>
<p>Examples include PCI breaches (anyone doing business with credit cards), RAC Audit claims (any provider submitting claims to Medicare), Customer Data breaches (anyone with customer data on their computer system), Code of Conduct violations (Internal impact or external; e.g., FCPA), etc.</p>
<p>There are also the seemingly mundane Incidents that can be scoped as Issues that might leave a firm open to civil lawsuits if not properly addressed in a timely manner at the appropriate level of the organization.  A key to avoiding or mitigating the cost of such issues is to be able to prove that there are Policies in place, and properly disseminated to the appropriate staff (and confirmed &#8220;read&#8221; by the recipients), to demonstrate that “reasonable measures” were taken to mitigate the likelihood of the negative event occurring.</p>
<p>Examples include accidents occurring on company property (e.g., slip and fall on a spill in a hospital lobby, hazardous materials stored improperly contributing to the impact of a seemingly small fire, insufficient security at a hotel leading to an attack on a guest, etc.).  We live in a litigious society and the key (as any Insurance Company can tell you) to reducing the financial and reputational impact of a negative event (i.e., Issue) is a quick response, with follow up assigned to the appropriate person until the matter has been properly resolved to the satisfaction of all constituencies.</p>
<p>This goal is made simpler and more foolproof if you have a robust software platform ensuring the proper steps are being taken in the necessary timeframe.  The cost of missing the deadlines, regulatory or otherwise, can far outweigh the initial investment in a support system.</p>
<p>Best regards,</p>
<p>Paul Fine<br />
Director of Marketing &amp; Business Development<br />
DoubleCheck LLC<br />
Atlanta, GA  USA<br />
1-888-299-3980<br />
pfine@doublechecksoftware.com</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-monthly-newsletter-feb-13-are-you-managing-your-issues-or-just-tracking-them/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleCheck Jan. &#8217;13 Monthly Newsletter: “Do you consider the recent Fiscal Cliff deal a Risk Event for your Company?”</title>
		<link>http://www.doublechecksoftware.com/doublecheck-jan-13-monthly-newsletter-do-you-consider-the-recent-fiscal-cliff-deal-a-risk-event-for-your-company/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-jan-13-monthly-newsletter-do-you-consider-the-recent-fiscal-cliff-deal-a-risk-event-for-your-company/#comments</comments>
		<pubDate>Mon, 07 Jan 2013 15:49:04 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=296</guid>
		<description><![CDATA[There tends to be two divergent schools of thought on the subject of Compromise, including this recent Fiscal Cliff deal last week:  1.  Any deal is better than no deal 2.  A bad deal is worse than no deal As we all learn more about the details of the last-minute deal brokered between the Senate, [...]]]></description>
				<content:encoded><![CDATA[<p>There tends to be two divergent schools of thought on the subject of Compromise, including this recent Fiscal Cliff deal last week: </p>
<p>1.  Any deal is better than no deal</p>
<p>2.  A bad deal is worse than no deal</p>
<p>As we all learn more about the details of the last-minute deal brokered between the Senate, House and President a week ago, it behooves us as business people to consider the impact not just on our personal lives but our corporate lives as well.</p>
<p>If you were to look at the deal in its totality through the prism of a traditional Risk/Control framework, would you consider the passing of the Bill as a “Risk Event”?</p>
<p>If so, what is your opinion on the Root Cause?  Was there a lack of Controls in place, or did they fail?  On paper, I submit we had ample Prevent Controls in place (e.g., 3 branches of government) and Mitigating Controls as well (two political parties with very different philosophies and agendas).  That would suggest that the Controls failed, allowing a Risk Event to occur.</p>
<p>Now, we have to score the Event.  What is the Residual Risk Impact your company will incur as a result of this Control failure?  For example, will there be a short-term transactional impact (e.g., temporary reduction in purchases of your goods as consumers adjust to a reduction in take-home pay due to re-instatement of the previous level of Payroll tax rate), or a longer-term impact on your market capitalization as your dividend-paying stock is no longer as attractive to investors due to the increased tax rate on dividends (yes, I understand the capital gains tax rate also increased, but this impact can be deferred until you sell the stock; dividends are taxable the year they are awarded)?</p>
<p>Is there a Mitigation Plan that you can put into effect that will further reduce the severity of the Event impact?  For example, can you reduce employee turnover driven by a desire/need to avoid a drop in take-home pay (e.g., finding another higher paying job) by offering a special one-time 2% bonus (similar to the old COLA payments back in the Carter era) to offset the FICA tax increase for the first year?  Most HR experts will tell you it costs less to retain an employee than to hire a new one.</p>
<p>A key point, in my opinion, is to decide if this is an Operational Risk event, or something better scoped under “ERM”, with the corresponding C-Suite and Board focus.  I submit this “Fiscal Cliff deal” is not only a Risk Event in and of itself, but a KRI for the next potential Event coming in a few months; the “Debt Ceiling” battle (too soon to assume it will result in a “deal”).</p>
<p>What will your company do now to mitigate the impact of another Risk Event occurring as a result of that battle?  If you believe that whatever comes from that “event” will impact the country’s debt rating (something Moody’s is hinting at), should you borrow/issue bonds beforehand to avoid higher rates later?  Are there other more complicated strategies you Risk Managers out there would recommend to your Boards to minimize the impact of one of the possible outcomes of this next “event”?</p>
<p>One thing is certain given our recent experiences regarding the so-called Fiscal Cliff.  Doing nothing to mitigate your own potential Risk Impact, on the assumption that the political controls we supposedly have in place will function properly, will leave you with the illusion of control, not working Controls.</p>
<p>Personally, I hope that I can write on a different theme in my March Newsletter.</p>
<p>Best regards and Happy New Year,</p>
<p>Paul Fine</p>
<p>Director of Marketing &amp; Business Development<br />
DoubleCheck LLC<br />
Atlanta, GA  USA<br />
1-888-299-3980<br />
pfine@doublechecksoftware.com</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-jan-13-monthly-newsletter-do-you-consider-the-recent-fiscal-cliff-deal-a-risk-event-for-your-company/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleCheck Dec &#8217;12 Monthly Newsletter: &#8220;Twelve Days in the Life of a Risk Owner&#8221;</title>
		<link>http://www.doublechecksoftware.com/doublecheck-dec-12-monthly-newsletter-twelve-days-in-the-life-of-a-risk-owner/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-dec-12-monthly-newsletter-twelve-days-in-the-life-of-a-risk-owner/#comments</comments>
		<pubDate>Mon, 03 Dec 2012 19:06:37 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=289</guid>
		<description><![CDATA[“Twelve Days in the Life of a Risk Owner” (sung to the tune of “The Twelve Days of Xmas”…) 1.  On the first day of the Risk review, my CRO gave to me…             One Global Risk Register to see… 2.  On the second day of the Risk review, my CRO gave to me…             [...]]]></description>
				<content:encoded><![CDATA[<p align="center"><strong><span style="text-decoration: underline;">“Twelve Days in the Life of a Risk Owner”</span></strong></p>
<p align="center">(sung to the tune of “The Twelve Days of Xmas”…)</p>
<p>1.  <span style="text-decoration: underline;"><strong>On the first day of the Risk review, my CRO gave to me…</strong></span></p>
<p>            One Global Risk Register to see…</p>
<p>2.  <span style="text-decoration: underline;"><strong>On the second day of the Risk review, my CRO gave to me…</strong></span></p>
<p>            Two Bow-Tie Risk analyses…</p>
<p>            And One Global Risk Register to see…</p>
<p>3.  <strong><span style="text-decoration: underline;">On the third day of the Risk review, my CRO gave to me…</span></strong></p>
<p>            Three Branching Risk Assessments…</p>
<p>            Two Bow-Tie Risk analyses…</p>
<p>            And One Global Risk Register to see…</p>
<p>4.  <span style="text-decoration: underline;"><strong>On the fourth day of the Risk review, my CRO gave to me…</strong></span></p>
<p>            Four Inherent Risk levels to rate…</p>
<p>            Three Branching Risk Assessments…    </p>
<p>            Two Bow-Tie Risk analyses…</p>
<p>            And One Global Risk Register to see…</p>
<p>5.  <span style="text-decoration: underline;"><strong>On the fifth day of the Risk review, my CRO gave to me…</strong></span></p>
<p>            Five Residual Risk levels to score…</p>
<p>            Four Inherent Risk levels to rate…</p>
<p>            Three Branching Risk Assessments…</p>
<p>            Two Bow-Tie Risk analyses…</p>
<p>            And One Global Risk Register to see…</p>
<p>6.  <span style="text-decoration: underline;"><strong>On the sixth day of the Risk review, my CRO gave to me…</strong></span></p>
<p>            Six Key Detect controls to test per Risk…</p>
<p>            Five Residual Risk levels to score…</p>
<p>            Four Inherent Risk levels to rate…</p>
<p>            Three Branching Risk Assessments…</p>
<p>            Two Bow-Tie Risk analyses…</p>
<p>            And One Global Risk Register to see…</p>
<p>7.  <span style="text-decoration: underline;"><strong>On the seventh day of the Risk review, my CRO gave to me…</strong></span></p>
<p>            Seven Issues to remediate on my Risks…</p>
<p>            Six Key Detect controls to test per Risk…</p>
<p>            Five Residual Risk levels to score…</p>
<p>            Four Inherent Risk levels to rate…</p>
<p>            Three Branching Risk Assessments…</p>
<p>            Two Bow-Tie Risk analyses…</p>
<p>            And One Global Risk Register to see…</p>
<p>8.  <span style="text-decoration: underline;"><strong>On the eighth day of the Risk review, my CRO gave to me…</strong></span></p>
<p>            Eight Global Risk Event reports to reconcile…</p>
<p>            Seven Issues to remediate on my Risks…</p>
<p>            Six Key Detect controls to test per Risk…</p>
<p>            Five Residual Risk levels to score…</p>
<p>            Four Inherent Risk levels to rate…</p>
<p>            Three Branching Risk Assessments…</p>
<p>            Two Bow-Tie Risk analyses…</p>
<p>            And One Global Risk Register to see…</p>
<p>9.  <span style="text-decoration: underline;"><strong>On the ninth day of the Risk review, my CRO gave to me…</strong></span></p>
<p>            Nine Business Objectives to link my Risks to…</p>
<p>            Eight Global Risk Event reports to reconcile…</p>
<p>            Seven Issues to remediate on my Risks…</p>
<p>            Six Key Detect controls to test per Risk…</p>
<p>            Five Residual Risk levels to score…</p>
<p>            Four Inherent Risk levels to rate…</p>
<p>            Three Branching Risk Assessments…</p>
<p>            Two Bow-Tie Risk analyses…</p>
<p>            And One Global Risk Register to see…</p>
<p>10.  <span style="text-decoration: underline;"><strong>On the tenth day of the Risk review, my CRO gave to me…</strong></span></p>
<p>            Ten Policies to cross-reference to my Risks…</p>
<p>            Nine Business Objectives to link my Risks to…</p>
<p>            Eight Global Risk Event reports to reconcile…</p>
<p>            Seven Issues to remediate on my Risks…</p>
<p>            Six Key Detect controls to test per Risk…</p>
<p>            Five Residual Risk levels to score…</p>
<p>            Four Inherent Risk levels to rate…</p>
<p>            Three Branching Risk Assessments…</p>
<p>            Two Bow-Tie Risk analyses…</p>
<p>            And One Global Risk Register to see…</p>
<p>11.  <span style="text-decoration: underline;"><strong>On the eleventh day of the Risk review, my CRO gave to me…</strong></span></p>
<p>            Eleven KRIs to review…</p>
<p>            Ten Policies to cross-reference to my Risks…</p>
<p>            Nine Business Objectives to link my Risks to…</p>
<p>            Eight Global Risk Event reports to reconcile…</p>
<p>            Seven Issues to remediate on my Risks…</p>
<p>            Six Key Detect controls to test per Risk…</p>
<p>            Five Residual Risk levels to score…</p>
<p>            Four Inherent Risk levels to rate…</p>
<p>            Three Branching Risk Assessments…</p>
<p>            Two Bow-Tie Risk analyses…</p>
<p>            And One Global Risk Register to see…</p>
<p>12.  <span style="text-decoration: underline;"><strong>On the twelfth day of the Risk review, my CRO gave to me…</strong></span></p>
<p>            Twelve-page Annual Board Meeting presentation to complete…</p>
<p>            Eleven KRIs to review…</p>
<p>            Ten Policies to cross-reference to my Risks…</p>
<p>            Nine Business Objectives to link my Risks to…</p>
<p>            Eight Global Risk Event reports to reconcile…</p>
<p>            Seven Issues to remediate on my Risks…</p>
<p>            Six Key Detect controls to test per Risk…</p>
<p>            Five Residual Risk levels to score…</p>
<p>            Four Inherent Risk levels to rate…</p>
<p>            Three Branching Risk Assessments…</p>
<p>            Two Bow-Tie Risk analyses…</p>
<p>            And One Global Risk Register to seeeeeeee…</p>
<p>&nbsp;</p>
<p>I would love to hear how many of these “Days in the Life of a Risk Owner” resonate with you. </p>
<p>If you want to read my first missive from last year (“The 12 Days of Audit”), just click on this link:</p>
<p><a href="http://www.doublechecksoftware.com/monthly-newsletter-dec-11-the-12-days-of-audit/">http://www.doublechecksoftware.com/monthly-newsletter-dec-11-the-12-days-of-audit/</a></p>
<p>Happy Holidays to one and all.  See you next year…</p>
<p>Paul Fine</p>
<p>Director of Marketing &amp; Business Development</p>
<p>DoubleCheck LLC</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-dec-12-monthly-newsletter-twelve-days-in-the-life-of-a-risk-owner/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleCheck™ Newsletter:  Nov ‘12&#8230;“Bow-Tie Risk Analysis:  It isn’t your Father’s Half-Windsor…”</title>
		<link>http://www.doublechecksoftware.com/doublecheck-newsletter-nov-12-bow-tie-risk-analysis-it-isnt-your-fathers-half-windsor/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-newsletter-nov-12-bow-tie-risk-analysis-it-isnt-your-fathers-half-windsor/#comments</comments>
		<pubDate>Mon, 05 Nov 2012 18:25:02 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=276</guid>
		<description><![CDATA[There is no shortage of Risk Analysis models and tools available to an interested party.  You can look at a multitude of options and read varying opinions on many Risk-related LinkedIn groups, for example. However, much of what you find will be focused on quantitative modeling using a variety of statistical techniques, such as Monte [...]]]></description>
				<content:encoded><![CDATA[<p align="left">There is no shortage of Risk Analysis models and tools available to an interested party.  You can look at a multitude of options and read varying opinions on many Risk-related LinkedIn groups, for example.</p>
<p align="left">However, much of what you find will be focused on quantitative modeling using a variety of statistical techniques, such as Monte Carlo simulations, or on an intense debate about which ISO standard applies to ERM (e.g. the ISO/IEC 27000 series, which covers information security management, vs. ISO 31000, which covers risk management generally).</p>
<p>Other approaches might lead you down an entirely different path, because they try to determine the actual “causes” of a risk event rather than only quantifying its “consequence”.  One such approach is referred to as a “Bow-tie Risk Analysis”.</p>
<p>The Bow-tie helps simplify risk assessment by letting you visualize how the causes, controls and consequences of a risk interact: causes and the preventive controls that guard against them sit on the left of the knot, the risk event itself is the knot, and the mitigative controls and the consequences they limit sit on the right.  The following diagram illustrates the process:</p>
<p><a href="http://www.doublechecksoftware.com/doublecheck-newsletter-nov-12-bow-tie-risk-analysis-it-isnt-your-fathers-half-windsor/bow-tie-risk-analysis-1-2/" rel="attachment wp-att-278"><img class="aligncenter size-medium wp-image-278" title="Bow-Tie Risk Analysis 1" src="http://www.doublechecksoftware.com/wp-content/uploads/Bow-Tie-Risk-Analysis-1-300x221.jpg" alt="" width="300" height="221" /></a></p>
<p> <strong>Risk Analysis using Bow-Ties</strong></p>
<p>The steps to undertaking a risk analysis using the bow-tie method are as follows:</p>
<p>1)  Of all the possible consequences resulting from the risk (the yellow boxes in the diagram above), identify the most foreseeable one, as opposed to the worst case.</p>
<p>2)  Identify the consequence level of that most foreseeable consequence.</p>
<p>3)  Identify the likelihood of the risk occurring and resulting in the consequence identified in Step 1.</p>
<p><strong>Example: Kitchen Fire </strong></p>
<p>In this case, we might identify that the most foreseeable consequence of a kitchen fire would be asset destruction.  Our analysis would thus ask:</p>
<p>What is the consequence of asset destruction due to fire?</p>
<p>What is the likelihood that there will be a fire which causes asset destruction?</p>
<p><a href="http://www.doublechecksoftware.com/doublecheck-newsletter-nov-12-bow-tie-risk-analysis-it-isnt-your-fathers-half-windsor/bow-tie-risk-analysis_kitchen-fire-example/" rel="attachment wp-att-279"><img class="aligncenter size-medium wp-image-279" title="Bow-Tie Risk Analysis_Kitchen Fire Example" src="http://www.doublechecksoftware.com/wp-content/uploads/Bow-Tie-Risk-Analysis_Kitchen-Fire-Example-300x213.jpg" alt="" width="300" height="213" /></a></p>
<p>By constructing a bow-tie diagram, one can readily see how multiple causes, each with failed preventive controls, lead to the risk event occurring.  If the preparedness (mitigative) controls on the right-hand side also fail, that event produces its full negative consequence.  Mapping risks using the bow-tie provides a sound starting point from which to ensure that controls actually address the real causes and consequences.</p>
<p>Once you have mapped your key controls to the proper processes and risks after your bow-tie analysis, you are in a better position to determine the best tool set to automate the ongoing oversight, testing and auditing of those controls.  The better tools available, such as DoubleCheck™, will also let you automate notification should a control fail or a risk event occur.  Remember, a control does not have to fail for you to suffer a risk event: while some controls are scoped to “prevent” the event, others are intended only to “mitigate” the impact of its consequence, not to eliminate it.</p>
<p>For example, in our Kitchen Fire scenario, the Inherent Risk of Asset Destruction is that the kitchen is completely engulfed in fire and nothing is left.  A mitigating control (a sprinkler system in a commercial kitchen, say, as opposed to the fire extinguisher in a residential one) does not stop the fire from starting.  In this case the sprinkler system puts out the fire and saves the kitchen, but you still sustain water damage.  The mitigating control worked, yet you still suffered a “residual risk impact” from the water.</p>
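<p>To make the inherent-vs-residual distinction concrete, here is an added example (not code from this newsletter and not DoubleCheck’s software) that models the kitchen-fire bow-tie in Python: causes with preventive controls on the left, the fire as the top event, and consequences with mitigative controls on the right.  Every frequency, probability-of-failure-on-demand figure and 5-point scale threshold in it is a constructed assumption for illustration, and controls are treated as independent barriers, an assumption that real common-cause failures (one power cut disabling both the alarm and the sprinkler pump) would break.</p>

```python
"""Bow-tie model of the kitchen-fire scenario: added example, constructed data.

Causes (left) are guarded by preventive controls; the fire is the top event
(the knot); consequences (right) are limited by mitigative controls. Each
control is an assumed independent barrier with a probability of failure on
demand (PFD); common-cause failures are deliberately not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    pfd: float  # assumed probability the control fails when called upon


@dataclass(frozen=True)
class Cause:
    name: str
    frequency: float  # assumed occurrences per year with no controls at all
    preventive: Tuple[Control, ...] = ()


@dataclass(frozen=True)
class Consequence:
    name: str
    severity: int  # 1 (negligible) .. 5 (catastrophic) when mitigation fails
    mitigative: Tuple[Control, ...] = ()
    mitigated_severity: int = 1  # what remains when mitigation works (water damage)


def barrier_failure(controls: Tuple[Control, ...]) -> float:
    """Probability that every control in the chain fails (independence assumed)."""
    p = 1.0
    for c in controls:
        if not 0.0 <= c.pfd <= 1.0:
            raise ValueError(f"PFD out of range for {c.name!r}")
        p *= c.pfd
    return p


def likelihood_band(per_year: float) -> int:
    """Map an annual frequency onto an assumed 5-point likelihood scale."""
    for band, threshold in ((5, 1.0), (4, 0.1), (3, 0.01), (2, 0.001)):
        if per_year >= threshold:
            return band
    return 1


@dataclass
class BowTie:
    top_event: str
    causes: List[Cause]
    consequences: List[Consequence]

    def top_event_frequency(self, with_controls: bool = True) -> float:
        """Annual frequency of the top event, summed over every cause."""
        total = 0.0
        for cause in self.causes:
            escape = barrier_failure(cause.preventive) if with_controls else 1.0
            total += cause.frequency * escape
        return total

    def assess(self, c: Consequence) -> Dict[str, float]:
        """Inherent score (no controls) vs. residual score for one consequence.

        Residual risk is the worse of two paths: mitigation fails and the full
        consequence lands, or it works and only the mitigated outcome remains.
        """
        inherent = likelihood_band(self.top_event_frequency(False)) * c.severity
        event_freq = self.top_event_frequency(True)
        p_fail = barrier_failure(c.mitigative)
        full_freq, mitigated_freq = event_freq * p_fail, event_freq * (1.0 - p_fail)
        full = likelihood_band(full_freq) * c.severity
        mitigated = likelihood_band(mitigated_freq) * c.mitigated_severity
        return {"inherent_score": inherent, "residual_score": max(full, mitigated),
                "full_consequence_per_year": full_freq,
                "mitigated_outcome_per_year": mitigated_freq}


def kitchen_fire() -> BowTie:
    """The newsletter's kitchen-fire scenario with constructed figures."""
    return BowTie(
        top_event="Fire in the kitchen",
        causes=[
            Cause("Unattended cooking", 2.0,
                  (Control("Never-leave-the-hob rule and training", 0.1),)),
            Cause("Grease build-up in extraction hood", 0.5,
                  (Control("Weekly hood cleaning", 0.2),
                   Control("Quarterly hood inspection", 0.5))),
            Cause("Electrical fault in appliance", 0.05,
                  (Control("Annual electrical inspection", 0.5),)),
        ],
        consequences=[
            Consequence("Asset destruction (kitchen lost)", 5,
                        (Control("Sprinkler system", 0.05),
                         Control("Fire brigade response", 0.3)),
                        mitigated_severity=2),  # fire out, water damage left
            Consequence("Injury to staff", 4,
                        (Control("Alarm and evacuation drill", 0.2),),
                        mitigated_severity=1),
        ],
    )


if __name__ == "__main__":
    bt = kitchen_fire()
    print(f"{bt.top_event}: {bt.top_event_frequency(False):.2f}/yr inherent, "
          f"{bt.top_event_frequency():.3f}/yr with preventive controls")
    for c in bt.consequences:
        r = bt.assess(c)
        print(f"  {c.name}: inherent {r['inherent_score']}, residual {r['residual_score']}")
```

<p>The residual score is the worse of two paths: mitigation fails and the full consequence lands, or mitigation works and only the water damage remains.  That second path is exactly the “control worked but you still took a hit” outcome described above; a model that stops at “did the control fail?” never shows it, which is why the mitigated outcome carries its own severity rather than being scored as zero.</p>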
<p>I hope this helps provide another perspective on how to look at Risk, and how to monitor and manage its “workflow”.</p>
<p>Paul Fine</p>
<p>Director of Marketing &amp; Business Development<br />
DoubleCheck LLC<br />
1-888-299-3980<br />
<a href="mailto:pfine@doublechecksoftware.com">pfine@doublechecksoftware.com</a><br />
<a href="http://www.doublechecksoftware.com/">www.doublechecksoftware.com</a><br />
 Atlanta, GA USA</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-newsletter-nov-12-bow-tie-risk-analysis-it-isnt-your-fathers-half-windsor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleCheck Oct &#8217;12 Monthly Newsletter:  &#8220;Are People in control of your Risks, or are they the Risk?”</title>
		<link>http://www.doublechecksoftware.com/doublecheck-oct-12-monthly-newsletter-are-people-in-control-of-your-risks-or-are-they-the-risk/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-oct-12-monthly-newsletter-are-people-in-control-of-your-risks-or-are-they-the-risk/#comments</comments>
		<pubDate>Mon, 01 Oct 2012 15:33:46 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>
		<category><![CDATA[code of conduct]]></category>
		<category><![CDATA[doublecheck]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=271</guid>
		<description><![CDATA[The basic premise of SOX compliance as designed in 2002 was to ensure the organization had (and could prove, or at least be willing to attest that they had) a sufficient level of “internal controls over financial reporting”, or “ICFR”.  The focus was on the financial data shared with the public/investors. Over time, however, many [...]]]></description>
				<content:encoded><![CDATA[<p>The basic premise of SOX compliance as designed in 2002 was to ensure the organization had (and could prove, or at least be willing to attest that they had) a sufficient level of “internal controls over financial reporting”, or “ICFR”.  The focus was on the financial data shared with the public/investors.</p>
<p>Over time, however, many organizations realized there were internal benefits from ensuring that the proper policies and procedures were in place to identify, minimize and mitigate a broader array of Risks within the company.  Not all Risk events will have a direct, significant impact on the financials reported within any particular public reporting period (e.g. 3<sup>rd</sup> Qtr, FY 2012, etc.), but they could have a longer-term or cumulative negative impact that reaches the level scoped as “significant” over time.</p>
<p>A particularly difficult type of Risk to control is one that affects the reputation of the company.  This is especially true when it involves high-level executives of the organization.  There have been multiple examples of this type of Risk event in 2012 (e.g. Best Buy) where the behavior of a single individual caused embarrassment and a change of leadership at the company.  This is different from the “rogue trader” scenario, where the individual’s actions had a direct and immediate impact on the financial status of the firm.</p>
<p>I am referring to the Risk of a senior executive behaving in a manner contrary to company policies, culture or contract guidelines.   Most medium-large firms (and some small firms) have a Corporate Code of Conduct or Ethics that all employees have to abide by.   However, this Code is oftentimes scoped against Business Ethics such as FCPA, vendor gifts, etc.  It might not directly address employee fraternization or similar “softer” issues.</p>
<p>It is true that many of these types of cases end up with a dismissal or resignation driven by falsified or improper expense reporting related to the underlying misbehavior; that is akin to Al Capone finally being jailed for tax evasion.  The greater damage is done to the “brand” of the organization and this Reputational Risk Event can have longer term and far reaching implications (such as replacing a CEO, hiring expensive “ethics” consultants, etc).</p>
<p>So, what types of Controls can be put in place to detect, prevent or mitigate these types of Reputational Risk Events?  In some firms, employees must attest annually that they have read the Code, have not violated it, and do not know of anyone else who has.  There may also be a Hotline to report problems.  However, once again, much of the focus is on financial misdeeds.</p>
<p>It would appear that the Code of Conduct has to cover not only “Business Ethics” but also other potential behavioral misdeeds.  Yes, this can open Pandora’s Box as far as perceived slights by other employees based on favoritism, but it also reinforces the premise that this type of social misconduct (vs. overt financial malfeasance) will not be tolerated at any level of the organization.</p>
<p>It is also useful to have an automated system to issue, track and maintain records of the annual employee attestation process, especially in large organizations.  Relying on manual email, or on a tally kept by hand in Human Resources, is prone to omissions and other audit problems.</p>
<p>This seems more important now in the days of social messaging platforms (e.g. Twitter, Facebook, etc.), coupled with the proliferation of cell phone cameras to document and report misdeeds via unofficial (and very public) channels.  As any politician will tell you, if you can control the news cycle, you can control the impact of the news.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-oct-12-monthly-newsletter-are-people-in-control-of-your-risks-or-are-they-the-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleCheck Sept &#8217;12 Monthly Newsletter:  &#8220;Risk is a Many-Splendored Thing&#8221;</title>
		<link>http://www.doublechecksoftware.com/doublecheck-sept-12-monthly-newsletter-risk-is-a-many-splendored-thing/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-sept-12-monthly-newsletter-risk-is-a-many-splendored-thing/#comments</comments>
		<pubDate>Mon, 10 Sep 2012 12:47:13 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=263</guid>
		<description><![CDATA[Inspired by a classic old movie from the ‘50s with a similar name (substitute “Love” vs. “Risk” for the cinematically challenged), I thought this month’s newsletter should focus on the many nuances of Risk.  Not a week goes by that I don’t see the subject of Risk (what it is, how to measure it, etc.) [...]]]></description>
				<content:encoded><![CDATA[<p>Inspired by a classic old movie from the ‘50s with a similar name (substitute “Love” vs. “Risk” for the cinematically challenged), I thought this month’s newsletter should focus on the many nuances of Risk. </p>
<p>Not a week goes by that I don’t see the subject of Risk (what it is, how to measure it, etc.) posted as a discussion item on numerous LinkedIn boards.  There seems to be a never-ending debate on the relationship of Risk to Compliance, where Policies come into play and how to calculate ERM scores (e.g. Likelihood x Impact, Likelihood + Impact, etc.).</p>
<p>I suggest you think of Risk as an elephant, with ten blind men grasping at it and trying to describe it.  If you grab the trunk, you describe it one way; if you grab the tail you describe it differently, and so on.  Some people try to put Risk into a specific framework to give it context, but even that cannot be agreed upon (e.g. COSO vs. ISO 31000).</p>
<p>Personally, as a generally optimistic person, I like to think of Risk as an integral part of Opportunity.  We all strive to reach our goals; risks are what we have to steer around to get there.  If we only think of Risks as a brake to slow us down, or stop us, we will seldom achieve our goals.  So, you can think of Risk as the glass half empty, or (like me) the glass half full.</p>
<p>Part of mapping a “plan of action” to avoid or minimize the Risks as we pursue our goals is to consider the perspective of the person responsible for assessing what risks are in our way.  Few of us are like Star Trek’s Mr. Spock, a creature devoid of emotion who relies only on logic to guide his actions.  How we scope a Risk (e.g. Likelihood and Impact) can be highly influenced by our own personality makeup, experience and vested interests.</p>
<p>Therefore, when you are considering fielding an ERM Assessment, you should approach it the same way your Market Research department would approach any survey.  First, you must identify which people make up a representative sample of your universe.  For example, if you only gather feedback from the entity-level Risk Owners, you may miss the differing views of Senior Management or Subject Matter Experts.</p>
<p>You can also use software to assign weights to questions, answers and respondents, so that you are applying weighting to the data you gather, further refining and enhancing the value of the information you collect.  This allows you to quantify your scoping rather than rely on merely qualitative measurements (e.g. High, Medium, Low).  You can also include “branching” workflows, so that if someone answers Q. 4 “yes”, it takes them to a different follow-up question than if they answered “no”.</p>
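<p>As an added example (not DoubleCheck’s code, and not part of the original newsletter), the following Python sketch shows what such weighting and branching look like once written down: each question has a weight, each answer a score, each respondent a role weight, and a branch table sends a “yes” on one question to a different follow-up than a “no”.  The questionnaire, the role weights and the three respondents are all constructed for illustration.</p>

```python
"""Weighted, branching ERM assessment: added example with constructed data.

Each question carries a weight, each answer a score in [0, 1], and each
respondent a role weight, so the result is a number rather than a bare
High/Medium/Low. The branch table routes a respondent to a different
follow-up depending on the answer given; questions never reached are
treated as not applicable rather than scored as zero.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: float
    scores: Dict[str, float]          # answer -> score in [0, 1]
    branch: Dict[str, Optional[str]]  # answer -> next qid; None ends the survey


@dataclass(frozen=True)
class Respondent:
    name: str
    role: str
    answers: Dict[str, str]           # qid -> answer given


# Assumed role weights: subject-matter experts count most, management next.
ROLE_WEIGHTS = {"risk_owner": 1.0, "senior_mgmt": 1.5, "sme": 2.0}

# Constructed questionnaire about one risk and its key control.
QUESTIONS: Dict[str, Question] = {q.qid: q for q in (
    Question("Q1", "Is this risk recorded in the register?", 1.0,
             {"yes": 1.0, "no": 0.0}, {"yes": "Q2", "no": "Q4"}),
    Question("Q2", "Was the key control tested in the last 12 months?", 2.0,
             {"yes": 1.0, "no": 0.0}, {"yes": "Q3", "no": "Q4"}),
    Question("Q3", "Did that test pass?", 3.0,
             {"pass": 1.0, "fail": 0.0}, {"pass": None, "fail": "Q4"}),
    Question("Q4", "Is there a remediation plan with a named owner?", 2.0,
             {"yes": 0.5, "no": 0.0}, {"yes": None, "no": None}),
)}


def walk(questions: Dict[str, Question], r: Respondent,
         start: str = "Q1") -> Tuple[float, List[str]]:
    """Follow the branches for one respondent; return (normalised score, path).

    Stops at the first unanswered question (a partially completed survey),
    rejects answers that are not among the question's options, and refuses
    to follow a branch table that loops back on itself.
    """
    weighted, total, path = 0.0, 0.0, []
    qid: Optional[str] = start
    while qid is not None and qid in r.answers:
        if qid in path:
            raise ValueError(f"branching loop at {qid}")
        q, ans = questions[qid], r.answers[qid]
        if ans not in q.scores:
            raise ValueError(f"{r.name}: {ans!r} is not an option for {qid}")
        path.append(qid)
        weighted += q.weight * q.scores[ans]
        total += q.weight
        qid = q.branch[ans]
    return (weighted / total if total else 0.0), path


def aggregate(questions: Dict[str, Question],
              respondents: List[Respondent]) -> Dict[str, float]:
    """Role-weighted mean across respondents, plus the spread between them.

    The spread is reported alongside the mean so that disagreement between
    a Risk Owner, an SME and Senior Management is visible, not averaged away.
    """
    scores = {r.name: walk(questions, r)[0] for r in respondents}
    num = sum(ROLE_WEIGHTS[r.role] * scores[r.name] for r in respondents)
    den = sum(ROLE_WEIGHTS[r.role] for r in respondents)
    return {"weighted_score": num / den,
            "spread": max(scores.values()) - min(scores.values()),
            **{f"score:{n}": s for n, s in scores.items()}}


# Constructed respondents: note that bob and carol never see Q3.
RESPONDENTS = [
    Respondent("alice", "risk_owner", {"Q1": "yes", "Q2": "yes", "Q3": "pass"}),
    Respondent("bob", "sme", {"Q1": "yes", "Q2": "no", "Q4": "no"}),
    Respondent("carol", "senior_mgmt", {"Q1": "no", "Q4": "yes"}),
]

if __name__ == "__main__":
    for r in RESPONDENTS:
        print(r.name, walk(QUESTIONS, r))
    print(aggregate(QUESTIONS, RESPONDENTS))
```

<p>Skipped questions drop out of the denominator rather than scoring zero, so a respondent routed past Q2 and Q3 is not penalised for questions never asked; whether that is the right policy for your assessment is a design decision to make explicitly, because it changes the numbers.</p>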
<p>That said, assigning overly granular quantification levels to factors that are subjective at best (e.g. the Likelihood of an earthquake in the next three years near your key Mfg. Plant) becomes merely a mathematical exercise with no real basis in fact.  This can lead to a false sense of security in your conclusions.</p>
<p>You can perhaps put a dollar cost on the worst-case Impact (the Plant is totally destroyed), but it is much harder to assign a Likelihood value.  I speak from experience; my backyard is in what the government classified as a “100-year flood plain”, meaning there was a 1% chance of a flood occurring in any given year.  That flood hit the 4<sup>th</sup> year I lived here.  So much for statistics.</p>
<p>So, when your company is looking at Risk, bear in mind that you are unlikely to have a narrow consensus on the definition, likelihood or impact unless you have a Risk Committee made up of a narrow profile of individuals who are of like minds.  And that in and of itself should be a red flag, because in the real world “Risk is a many-splendored thing…”.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-sept-12-monthly-newsletter-risk-is-a-many-splendored-thing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleCheck August &#8217;12 Monthly Newsletter: “Policy Management is More Than Just Document Management”</title>
		<link>http://www.doublechecksoftware.com/doublecheck-august-12-monthly-newsletter-policy-management-is-more-than-just-document-management/</link>
		<comments>http://www.doublechecksoftware.com/doublecheck-august-12-monthly-newsletter-policy-management-is-more-than-just-document-management/#comments</comments>
		<pubDate>Mon, 06 Aug 2012 18:19:10 +0000</pubDate>
		<dc:creator>Paul Fine</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Monthly Newsletter]]></category>
		<category><![CDATA[policy management]]></category>

		<guid isPermaLink="false">http://www.doublechecksoftware.com/?p=257</guid>
		<description><![CDATA[Compliance of most any type hinges on what standard the compliance is being measured against. Many people first think of that standard to be a Control.  In fact, the originating standard in most cases (if not all) should be a “Policy”.  In this context, the definition of a Policy is: “The set of principles on which [...]]]></description>
				<content:encoded><![CDATA[<p align="left">Compliance of most any type hinges on what standard the compliance is being measured against. Many people first think of that standard to be a Control.  In fact, the <span style="text-decoration: underline;">originating</span> standard in most cases (if not all) should be a “Policy”.  In this context, the definition of a Policy is:</p>
<p style="text-align: center;"><strong><em>“The set of principles on which a program of actions is adopted…”</em></strong></p>
<p>Policies need to be memorialized from a corporate perspective, so they can be referenced and referred to when deciding upon a “program of action”.  The form in which these Policies are stored is usually some type of Document.  This is the likely reason why “Policy Management” and “Document Management” are confused with one another; they are not the same thing.</p>
<p>There are many automation tools which can perform Document Management to varying degrees.  They can employ different methods of version control, manage multiple formats (e.g. Word, PDF, etc.) and act as a general document repository.</p>
<p>The additional feature set required for Policy Management includes (but is not limited to):</p>
<p>1.  A workflow system to route policies to people who may affect them, or be affected by them</p>
<p>2.  A notification process to alert appropriate people when a Policy changes (or needs changing)</p>
<p>3.  A workflow system to capture recommendations for edits to Policies</p>
<p>4.  A workflow process to route Policy edits for review and approval</p>
<p>5.  A means to scope Policies according to type (e.g. Internal, Gov’t Regs, etc.)</p>
<p>6.  A robust reporting mechanism to show status, timing, ownership, etc. of Policies</p>
<p>7.  A means of linking Policies to related items such as Processes, Risks, Controls and Audits</p>
<p>8.  A scoping mechanism to set permissions to access, view or edit specific Policies </p>
<p>Many of these features can perhaps be managed manually, but all of them can be managed more efficiently from a time and security standpoint within an automated software platform.  A simple document repository houses Policies, but it generally won’t allow customized workflows, scoping options and an electronic audit trail, for example. </p>
<p>Policies are the bedrock of a company’s core beliefs, guiding principles and external constraints.  They tell employees which behaviors and actions are acceptable and which are not.  Having a library of Policies without providing context or linkages to the items those Policies apply to is insufficient protection from risky behavior, be it intentional or unintended.</p>
<p>With more and more attention being paid to Enterprise Risk Management by Boards, Audit Committees and C-Level Officers, there is also an increased understanding by those constituencies that a clear set of Policies help define the Risk Appetite and map the actions pertaining to those Risk criteria. </p>
<p>An automated system for Policy Management is one of the simplest and most cost-effective ways to minimize the risk of non-compliance.  People can’t follow rules and procedures they haven’t been made aware of, despite the best of intentions.  An effective Policy Management process, with supporting automation tools, has proved to be an investment well worth making for many companies.  The absence of one has also proven to be the downfall of others (e.g. government fines, loss of confidence in the company, significant financial losses, etc.).</p>
<p>Which one do you want to be?</p>
<p>Paul Fine<br />
Director of Marketing &amp; Business Development<br />
DoubleCheck LLC<br />
1-888-299-3980<br />
pfine@doublechecksoftware.com<br />
Atlanta, GA USA</p>
]]></content:encoded>
			<wfw:commentRss>http://www.doublechecksoftware.com/doublecheck-august-12-monthly-newsletter-policy-management-is-more-than-just-document-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
