Enterprise & Operational Risk Management System
Ensuring Effective Risk Management
PRISM, Fiction2Fact’s proprietary ORM & ERM platform, gives organizations a structured, integrated and flexible approach to risk management. Flexible workflows facilitate seamless collaboration between the business and risk management. The system integrates all ORM/ERM related data, including RCSA and risk registers, loss events, near misses, results from risk reviews, key risk indicator values, issues/breaches/deviations and remediation plans, in a single framework. The philosophy underlying the platform can be summarized as follows:
- Identify the risks through RCSA, Incidents, KRIs and Risk Surveys
- Assess the risks through control testing, root cause analysis, etc., to arrive at a correct rating for each risk
- Monitor periodically if any risk has materialized or any risk has not been identified/assessed
- Measure the risks and the control effectiveness
- Remediate the gaps, issues, non-functional controls identified in the steps above
- Repeat the above process for a robust Risk Management Framework
- Risk & Control Self Assessment (RCSA) : The entire RCSA library of each business unit in the organization, consisting of the processes, the risks associated with those processes and the controls for mitigating these risks, shall be recorded here. RCSA changes can be initiated either on a planned or on an ad-hoc basis. Flexible workflows, seeking approval from multiple levels on the business side and the risk management side, can be configured. Inherent risk rating, control design effectiveness, control operating effectiveness and residual risk rating can be computed based on the organizational risk management policy. Business Unit level risk summaries and the aggregation of unit-level risks to arrive at the organizational risk summary are available.
- Control Testing : Risk based control testing can be carried out and the results of the testing can be approved using a configurable workflow. Control Operating Effectiveness and residual risk rating can be computed based on the testing results. Remediation and Mitigation action plans can be put in place for failed controls.
- Loss Database : Incidents & Operational Losses, including near-misses, occurring across different locations of the organization, are recorded, analyzed and approved in this module. Remediation and Mitigation action plans can be put in place and can be tracked for implementation.
- Key Risk Indicators (KRIs) : Organization-wide KRIs with their cap, collar and floor (red, amber, green) thresholds are defined and tracked in this module. KRI values are captured either by integration with the source system / data warehouse or by manual entry / Excel import. Alerts are raised when a KRI is outside the risk appetite of the organization, and remediation and mitigation action plans are defined against the alert. A KRI trending summary is available.
- Remediation/Mitigation Action Tracker : All remediation action plans related to issues/breaches/gaps identified across all modules of this platform shall be tracked for closure in this module. Updates, including evidence for closed action plans, are provided by the business units and verified by risk managers.
- Risk Acceptance : Risks for which there are no controls in place and which are accepted by the business unit are recorded in the Risk Acceptance Form (RAF). This acceptance shall be valid only for a specific period, after which the controls planned to be implemented (at the time of RAF creation) shall be validated.
- Risk Reviews : The entire journey of risk reviews conducted by the risk managers is tracked in this module. The following steps are embedded in the workflow:
  Risk Review Planning – Risk Review Initiation – Data Requirement and Query Management – Issue Tracker – Remediation Action Plan and Control Mapping – Draft Report Preparation and Review – Final Report Preparation and Review – Tracking of Remediation Actions for Closure
- Risk Sign-off : Any project/process/product across the organization which needs sign-off from the risk management function is handled here. The following steps are embedded in the journey:
  Initiation of Risk Sign-off by Business Unit – Query Tracker and Data Requirement – Risk Identification by RM – Control/Action Plan Mapping by Business Unit – Verification by RM – Concurrence by Business Unit – Sign-off by Risk Team
- Vendor Risk Assessment : Vendor / third party / intermediary risk assessment and due diligence are carried out in this module. Based on the assessment, risk mitigation action plans are recorded and a risk rating is assigned to the vendor.
- Information Security Assessment Tracker : The assessment reports of different infosec activities such as VA, PT and application security testing are imported here, and the timely closure of the issues identified is tracked.
- Reports & Dashboards : Graphical dashboards, heat maps and reports are available for business units, Senior Management and the risk management function to get clear insights into the organizational compliance status.
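The KRI module above defines cap, collar and floor thresholds mapped to red, amber and green, raises alerts when an indicator leaves the organization's risk appetite, and offers a trending summary. The Python below is an added illustration of that threshold and alerting logic, not PRISM's own code. The mapping of cap/collar/floor to red/amber/green, the `higher_is_worse` direction flag, the two KRI definitions and their weekly values are all assumptions constructed for the example.

```python
"""Evaluate KRI observations against cap/collar/floor thresholds and raise
alerts for values outside risk appetite. Added example with constructed data;
threshold semantics are an assumption, not PRISM's documented behaviour."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class KRI:
    name: str
    floor: float                  # green boundary: comfortably within appetite
    collar: float                 # amber threshold: early warning
    cap: float                    # red threshold: outside risk appetite
    higher_is_worse: bool = True  # assumed flag: direction in which risk grows

    def __post_init__(self) -> None:
        # Thresholds must be ordered floor -> collar -> cap in the direction of
        # increasing risk; a misordered definition would silently mis-rate values.
        order = (self.floor, self.collar, self.cap)
        expected = sorted(order, reverse=not self.higher_is_worse)
        if list(order) != expected:
            raise ValueError(f"{self.name}: thresholds must run floor -> collar -> cap")

    def rag(self, value: float) -> str:
        """Return the RAG status of a single observed value."""
        def breached(v: float, threshold: float) -> bool:
            return v >= threshold if self.higher_is_worse else v <= threshold
        if breached(value, self.cap):
            return "red"
        if breached(value, self.collar):
            return "amber"
        return "green"


@dataclass
class Alert:
    kri: str
    period: str
    value: float
    status: str   # "amber" or "red"
    trend: str    # "worsening", "improving", "flat" or "n/a" versus the prior period


def evaluate(kri: KRI, observations: List[Tuple[str, float]]) -> List[Alert]:
    """Walk chronological (period, value) pairs and emit one alert per non-green period."""
    alerts: List[Alert] = []
    prev: Optional[float] = None
    for period, value in observations:
        status = kri.rag(value)
        if prev is None:
            trend = "n/a"
        elif value == prev:
            trend = "flat"
        else:
            worse = value > prev if kri.higher_is_worse else value < prev
            trend = "worsening" if worse else "improving"
        if status != "green":
            alerts.append(Alert(kri.name, period, value, status, trend))
        prev = value
    return alerts


def trending_summary(kri: KRI, observations: List[Tuple[str, float]]) -> Dict:
    """Count periods per RAG status and report the latest status (a simple trend view)."""
    counts = {"green": 0, "amber": 0, "red": 0}
    for _, value in observations:
        counts[kri.rag(value)] += 1
    latest = kri.rag(observations[-1][1]) if observations else None
    return {"kri": kri.name, "counts": counts, "latest": latest}


# Constructed sample KRIs and weekly values (not real organizational data).
FAILED_LOGINS = KRI("Failed privileged logins per week", floor=5, collar=10, cap=20)
PATCH_COMPLIANCE = KRI("Critical patch compliance (%)", floor=95, collar=90, cap=80,
                       higher_is_worse=False)
LOGIN_OBS = [("2024-W01", 4), ("2024-W02", 7), ("2024-W03", 12), ("2024-W04", 25), ("2024-W05", 18)]
PATCH_OBS = [("2024-W01", 97), ("2024-W02", 92), ("2024-W03", 88), ("2024-W04", 78)]

if __name__ == "__main__":
    for kri, obs in ((FAILED_LOGINS, LOGIN_OBS), (PATCH_COMPLIANCE, PATCH_OBS)):
        for alert in evaluate(kri, obs):
            print(f"{alert.kri} [{alert.period}] {alert.value} -> {alert.status} ({alert.trend})")
        print(trending_summary(kri, obs))
```

The direction flag matters because some indicators (patch compliance, backup success rate) get riskier as they fall, while others (failed logins, open critical findings) get riskier as they rise; the ordering check in `__post_init__` catches a threshold set entered the wrong way round before it produces misleading green ratings.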