[PPT] - Flexibility of WRM and The Power of WRM Bob Adderley 1 Risk PowerPoint Presentation

SLIDE 1

1

Flexibility of WRM and The Power of WRM

Bob Adderley

SLIDE 2

2

Risk Management (GRCA) are the starting point but you can add on many other things including:

Internal Audit
Business Continuity Management
Incident Management
Policy Management
Project Management
Reporting
Vendor Management

SLIDE 3

3

Internal Audit

Sample Dashboard Views

SLIDE 4

4

Audits grouped by planning periods

.

SLIDE 5

5

Assigned Tests grouped by status

SLIDE 6

6

View all Audit Findings

SLIDE 7

7

Risks across departments/business units

SLIDE 8

8

Regulations & linked Risks

SLIDE 9

9

Business Continuity Management

SLIDE 10

10

Business Continuity Management is about managing disruption-related risk.
Focus is on reducing the occurrence and scale of events that could cause

disruption, and building capacity to: – Stabilise any disruptive effects as soon as possible – Continue or quickly resume operations that are most critical to the

rganisation’s objectives

– Expedite a return to normal operations and a full recovery

WRM can be used as a Business Continuity Management (BCM) application,

integrated with ERM practices.

Purpose

SLIDE 11

11

Purpose

Determine business activity / processes to be analysed Process Review

Prepare inventory list of controls / determine significance of disruption

Determine the case for risk treatment Record and review contingency plan. Add / Update Risk linked to Processes Business Impact Analysis Add / Update Risk & Control with impact of disruption Add / Update Risk Treatment Contingency Plan

SLIDE 12

12

Business Impact Analysis (BIA) process

Purpose

SLIDE 13

13

Identify Critical Processes

SLIDE 14

14

BIA

SLIDE 15

15

BIA Results

SLIDE 16

16

Contingency Plans

SLIDE 17

17

Incident Management

SLIDE 18

18

Purpose

Loss Events/Incidents Reporting is an integral part of risk management
Various applications in risk management include:

– Loss Events reporting for Operational Risk Management in Financial Institutions – Incident Reporting for healthcare organizations – Occupational health and safety accident reporting – Fraud / Irregularities reporting

Step 1: Incidents are logged directly in the system
Step 2: An investigation is then performed on the logged Incident

SLIDE 19

20

Logging Incidents

SLIDE 20

21

Fraud Incidents

SLIDE 21

22

Health and Safety Incidents

SLIDE 22

24

Incident Management

SLIDE 23

25

This view presents to the users a dashboard to input and analysis

Incidents, including those with Financial Impact

Incident Reporting

SLIDE 24

26

Policy Management

SLIDE 25

27

The standard configuration and methods available have been

developed to meet the following high-level process.

Policy Management Process

Policy Creation Policy Approval Policy Attestation

Policy Creation Policy Version Policy Authoring Policy Review Policy Approval Policy Publish Policy Testing Policy Attestation

SLIDE 26

28

The Policy document allows you define who is responsible for the policy, who can allow exemption requests

Policy Creation

SLIDE 27

29

The main policy page allows the user to determine where the policy comes from (can point to external sources

if required). Note the Status of the policy as it moves through the workflow

Policy Version

SLIDE 28

30

Policy Review

SLIDE 29

31

Policy Approval

SLIDE 30

32

Alerts with links for Policy Attestation are sent to the distribution list.
The user reads the policy. On the next screen, they can sign off that they have read it. They can also request

an exemption if required.

Publication and Attestation

SLIDE 31

33

Project Management

SLIDE 32

34

Phases Summary

SLIDE 33

35

Summary of Impacts

SLIDE 34

36

Action Plan Summary

SLIDE 35

37

Project Overview

SLIDE 36

38

Project Quantification

SLIDE 37

39

UNITED KINGDOM UNITED STATES CANADA DUBAI AUSTRALIA NEW ZEALAND

SSRS Reporting Integration

SLIDE 38

40

PURPOSE

MS SQL Server Reporting Services (SSRS)

MS SSRS is a reporting tool that is provided with MS SQL Server. Wynyard Risk Management (WRM)

allows for integration with SSRS using both a Reporting Component that can be added to the Dashboard views, and a reporting menu command on Dashboard Lists

SSRS reports are created using the standard SSRS Report Builder application (or other tools

compatible with SSRS) External Reporting Interface (vERI)

SQL view based approach which turns the Risk model into a number of views for reporting and data

extraction purposes

Although only SSRS reports can be integrated into the WRM dashboard, these SQL views can be

used to create reports in other external reporting tools such as Crystal Reports, Business Objects or Cognos

SLIDE 39

43

SAMPLE REPORTS - PARAMETERS

SLIDE 40

44

SAMPLE REPORTS - GRAPHS

SLIDE 41

45

SAMPLE REPORTS – PARENT REPORT

SLIDE 42

46

SAMPLE REPORTS – CHILD REPORT

SLIDE 43

47

Vendor Management

Sample Dashboard Views

SLIDE 44

48

Vendor Management Examples

Vendor is an item type: just like a Risk, Control, Incident, etc…
A Vendor can be linked to the information you’re already capturing
Premise is we’ve loaded our Vendor details into WRM
Ideally WRM sends alert email with link to Vendor
Vendors login and update their own details
Vendor owners monitor status through dashboards
Owners can assign questionnaires to the Vendors
WRM emails link – Vendor completes qnaire in WRM
Vendors are linked to the Systems/Services they provide
Systems are documented in WRM
Vendors via Systems are linked to Risks, Controls, Objectives,

BCP items, etc…

SLIDE 45

49

Criticality and Spend

SLIDE 46

50

Vendor Details

SLIDE 47

51

Issues/Concerns/Criticality tied to Vendors/Systems

SLIDE 48

52

Contract Renewal Dates

SLIDE 49

53

SLIDE 50

54

Vendor Questionnaire Overview

SLIDE 51

58

UNITED KINGDOM UNITED STATES CANADA DUBAI AUSTRALIA NEW ZEALAND

Advantages of upgrading to WRM

SLIDE 52

59

WRM Upgrade is an opportunity to:
Improve the way our solution supports business needs
Reduce the overhead and increase time for important work
Engage with additional groups within your organization
Share responsibility and ownership
Tune up existing process, workflows and eliminate gaps
Engage experts in directly managing the components of GRC
Centralized, timely data: ease of monitoring, updating, reporting
Flexible dashboards: analyze information in new ways
Eliminate redundancy and duplicate effort
Reduce overhead of chasing and collating data

Upgrading to WRM - Opportunity

SLIDE 53

60

Advantages

– User friendly interfaces: easy to use, fewer errors, reduced training time – Standardize approach: ensure consistent workflow across the enterprise – Engage experts in directly managing the components of GRC – Centralized, timely data: ease of monitoring, updating, reporting – Flexible dashboards: analyze information in new ways – Eliminate redundancy and duplicate effort – Reduce overhead of chasing and collating data

Upgrading to WRM - Advantages

SLIDE 54

61

– Best approach is to treat this like a standard project – Begin with Requirements Analysis – Expand focus to what we’d like to be able to do, Not limit ourselves to what we are currently doing with ERA – Engage the Subject Matter Experts throughout – Including groups that aren’t going to use immediately – Document all objectives and requirements: – Immediate short term – Medium term – Long term – Phased approach is best - Don’t boil the Ocean

Upgrading to WRM - Approach

SLIDE 55

62

Upgrading to WRM - Approach

SLIDE 56

63

Bob’s Winter Igloo Home

SLIDE 57

64

UNITED KINGDOM UNITED STATES CANADA DUBAI AUSTRALIA NEW ZEALAND

Case Studies - Recent WRM Upgrades

SLIDE 58

65

Top 20 on Fortune 500 > +125 billion $US in annual sales > 40,000

employees

Used excel to manage 4900 Controls, 7000 Tests.
WRM provided centralized data store, simple security management and

direct access for external auditors.

WRM’s configurable Methods designed for the users reduced training

1740 users to 2, 4 or 8 hour sessions depending on roles.

Built complex testing calculations, deficiency workflow and inserted

bitmaps of testing calendars

International Pharma Co. Go-Live June 2015

SLIDE 59

66

Leverage new features
After using Kairos for over a year came up with a wish list for

improvements and extensions

Desire to integrate other groups into using the solution
And combine all of these improvements and expansion into the upgrade

International Pharma Co. Kairos – WRM : Motivation

SLIDE 60

67

1.5 billion in assets, 12 branches
Upgraded from 5 users in version 7 to 48 in version 9.
Documented controls on spreadsheets but couldn’t link to risks.
WRM made linking easy and reduced redundancies
Customisability of WRM made it possible to have more than just Risk

Officers updating items.

Expanded WRM to include COSO, Vendor Management, Incident and

Complaints Management.

Banking and Trust Company Go-Live May 2015

SLIDE 61

68

Recognition that there was a lot of overhead

– Wasted low value work chasing, correcting data

Data was inaccurate

– WRM to improve quality

Process was inconsistent

– WRM to standardize

Desire to eliminate silos

– Centralize the data – reduce delays

Banking and Trust Company

SLIDE 62

69

Risk data captured in spreadsheets, scores hard to aggregate up to

categories and processes

WRM allows for clean data to be entered
Use WRM to capture Tasks including department initiatives, process

improvements, directives from Leadership Committees.

Dashboards created for committee’s/boards to track progress of the

tasks.

US Bank Go-Live January 2015

SLIDE 63

70