Risk Management
Usage Guide
May, 2013
Important
Terms, conditions, features, service offerings, and prices referenced in this document are subject to
change without notice. We at ACL Services Ltd are committed to bringing you great online services.
Occasionally, we may decide to update our selection and change our product and service offerings, so
please check at www.acl.com for the latest information, including pricing and availability, on our
products and services.
Table of Contents
Welcome to ACL GRC Risk Management!
How Does ACL GRC Support Your ERM Process?
Overview of Enterprise Risk Assessment Methodology
Getting Started: Configure Your System
Set Up Your Org Map
Overview of System Methodology: States & Flow
How do I Assess Risks?
Accepted or Unactionable Risk
Audit or Action Risk
Continuous Audit or Automate Action of Risk
Mitigated: completed mitigation efforts
Filters for Risk Profile and Visualize Reports
Risk Mitigation Planning Integrated in Project Manager
Associating Risks with Projects (Risk Mitigation Planning)
The Mitigation Project List
Associate Projects to Mitigation Efforts
Associating Results with Tests in Project Manager
Finding generated from linked Control Test
Risk Track: Aggregated Issues & Data
Technical Requirements
Where to Find More Information
Have Questions or Feedback?
One clear view of the risk landscape: users can categorize and track risks by critical characteristics, organizational structure and mitigation approach.
Assess and prioritize risks: supports COSO, ISO 31000 and most risk management frameworks.
Zero in on the details: rich capabilities for keyword tagging, searching and time-based filtering.
Identify, quantify and act on issues: seamless and visual integration between the enterprise-level risk profile, audit and risk mitigation projects, project findings, test results and remediation activity.
The purpose of this guide is to provide Audit, Risk and other GRC leadership professionals tasked with
Enterprise Risk Management (ERM) with how-to guidance on applying these functionalities to automate
your risk management process with ACL GRC.
Risk Manager is used to assess and manage enterprise risks, associate risks with mitigation
efforts and projects in Project Manager. For Internal Audit, this process would be used by audit
leaders to determine the annual audit plan, but the same would apply to any assurance group
outside of audit as well.
Projects in Project Manager could be assessments, investigations, examinations, or pure audit
engagements. While annual assessments tend to be common, organizations are moving
towards a dynamic and ongoing process and Risk Manager is designed to support that real-time
assessment so you can action critical risks that require immediate mitigation efforts.
Results Management provides the detailed data analysis that's needed to support project
findings, provide insight into issues, and ultimately inform ongoing assessment and disposition
of enterprise risk.
To assemble this information, most risk assessment leaders would perform some or all of the following
activities outside of the system:
Risk Manager is very flexible so you can continuously update your risk assessments as the organization
evolves, risk assessments change, and new risks are identified. You don't need a complete
understanding of your risk portfolio to get started.
3x3 scoring to support a COSO risk framework; [1-3] x [1-3] for likelihood x impact
5x5 scoring to support an ISO 31000 risk framework; [1-5] x [1-5] for likelihood x impact
10x10 scoring; [1-10] x [1-10] for likelihood x impact
Create tags with a materiality value based on < 1MM, > 1MM, > 5MM, > 10MM
Assign an executive owner to a risk by name or title, e.g. CEO, CFO, COO, CIO, CAE
Assign a risk as Strategic, Operational, Financial or External
Assign a risk as SOX related
Assign any of the elements of the COSO cube for tracking
Assign strategic elements from the executive agenda
Assign additional entities such as Regions, Business Units, Divisions, or Locations
Risk Profile
The Risk Profile is meant to be the one screen that leaders use to create, assess, and assign risks to
different risk states. Ultimately, the highest-impact risks to the organization would help drive the
annual or quarterly audit/project plan, although the system is designed to support a dynamic risk
assessment process that can be used throughout the year, as risks are raised and projects are assigned.
Risk Tile
Each Risk Tile corresponds to one documented risk. Risk assessment, risk tracking and associated
mitigation efforts are all accessed through the Risk Tile.
Title: To edit the title, open the risk tile, double click the title field, edit the title and click Save.
Accept: This field can be used to set a risk to the Accepted state; the system will prompt for a duration: 1 month, 1 quarter, 1 year, Permanent, or Future Date. The system will automatically move the risk back to Assess at the end of all durations except Permanent.
Mitigate: This field can be used to set a risk to the Mitigated state; the system will prompt for a duration: 1 month, 1 quarter, 1 year, Permanent, or Future Date. The system will automatically move the risk back to Assess at the end of all durations except Permanent.
x: Click to close the risk modal.
Risk Score: Sum of the aggregated score by entity.
Risk Heat: Calculated by dividing the Risk Score by the total highest score across all entities using the scoring
Other fields on the risk tile: Description, Tags, Auditable Entities, Likelihood, Impact, Entity Score, Processes.
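The scoring described above (likelihood x impact per entity, Risk Score as the sum across entities, Risk Heat as a percentage) can be worked through in a few lines. The following is an added example, not code from the guide or from ACL GRC; the scale table, the entity names and the two sample risks are constructed, and the Risk Heat denominator (the maximum possible entity score summed over the entities a risk is assessed against) and the quadrant midpoint rule are assumptions, since the guide does not spell them out.

```python
from dataclasses import dataclass
from typing import Dict, List

# Scoring scales named in the guide: likelihood and impact are each rated on
# 1..N and multiplied, so the highest possible entity score is N*N.
SCALES: Dict[str, int] = {"COSO 3x3": 3, "ISO 31000 5x5": 5, "10x10": 10}


@dataclass(frozen=True)
class EntityAssessment:
    """Likelihood and impact of one risk for one auditable entity
    (a region, business unit, division or location)."""
    entity: str
    likelihood: int
    impact: int


@dataclass(frozen=True)
class Risk:
    title: str
    assessments: List[EntityAssessment]


def entity_score(a: EntityAssessment, scale_max: int) -> int:
    """Entity Score = likelihood x impact, after checking both ratings sit on the scale."""
    for name, value in (("likelihood", a.likelihood), ("impact", a.impact)):
        if not 1 <= value <= scale_max:
            raise ValueError(f"{name} {value} for {a.entity!r} is outside 1..{scale_max}")
    return a.likelihood * a.impact


def risk_score(risk: Risk, scale_max: int) -> int:
    """Risk Score = sum of the Entity Scores across all entities the risk is assessed against."""
    return sum(entity_score(a, scale_max) for a in risk.assessments)


def risk_heat(risk: Risk, scale_max: int) -> float:
    """Risk Heat as a percentage.

    Assumption (not stated verbatim in the guide): the denominator is the highest
    possible entity score (scale_max * scale_max) summed over every entity the
    risk is assessed against, so a risk scored at the maximum everywhere is 100%.
    """
    if not risk.assessments:
        return 0.0
    max_total = scale_max * scale_max * len(risk.assessments)
    return round(100.0 * risk_score(risk, scale_max) / max_total, 1)


def heatmap_quadrant(a: EntityAssessment, scale_max: int) -> str:
    """Place one assessment in the likelihood-by-impact quadrant of the Risk Heatmap.
    Assumption: a rating above the scale midpoint counts as 'High'."""
    mid = scale_max / 2
    lik = "High" if a.likelihood > mid else "Low"
    imp = "High" if a.impact > mid else "Low"
    return f"{lik} likelihood / {imp} impact"


def rank_by_heat(risks: List[Risk], scale_max: int) -> List[str]:
    """Risk titles ordered hottest first, as the Risk Heat slider filter would surface them."""
    return [r.title for r in sorted(risks, key=lambda r: risk_heat(r, scale_max), reverse=True)]


# Constructed sample risks on the ISO 31000 5x5 scale (not data from the guide).
SAMPLE_RISKS = [
    Risk("Third-party data breach", [
        EntityAssessment("Region: EMEA", likelihood=4, impact=5),
        EntityAssessment("Business Unit: Retail", likelihood=3, impact=4),
    ]),
    Risk("Payroll miscalculation", [
        EntityAssessment("Division: Finance", likelihood=2, impact=3),
    ]),
]

if __name__ == "__main__":
    n = SCALES["ISO 31000 5x5"]
    for r in SAMPLE_RISKS:
        print(f"{r.title}: Risk Score={risk_score(r, n)} Risk Heat={risk_heat(r, n)}%")
    print("Ranked by heat:", rank_by_heat(SAMPLE_RISKS, n))
```

Running the script on the 5x5 scale gives the first risk a Risk Score of 32 (20 + 12) out of a possible 50, i.e. 64.0% heat, and the second a score of 6 out of 25, i.e. 24.0%. Out-of-range ratings are rejected rather than silently producing a score, which matters when assessments are imported from surveys or spreadsheets rather than entered through the tile.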
Comments Tab
The comments tab provides the ability to add a comment and/or add an attachment to the risk.
Attachments might include detailed documentation of a risk, risk assessment survey results or other
evidence to support the assessment and disposition of the risk.
History Tab
The history tab displays the history of each risk as it's moved through the risk profile states. History can
be filtered by state, user, and date.
Visualize Risks
Org Heatmap
The Org Heatmap illustrates where in the organization the clusters of risks lie once they have been
assessed. The bubbles are clusters of individual risks that impact the same process and entity.
The order of processes down the vertical and entities across the horizontal are dictated by the order of
each in the audit universe. To change order simply drag and drop the respective tile to a preferred
location in the audit universe, which will manifest in the Heatmap.
How to interpret the Org Heatmap:
Risk Heatmap
The Risk Heatmap illustrates your enterprise risks in relation to each other plotted in a risk quadrant of
likelihood by impact, in order of each individual Risk Heat expressed as a %.
Assign Risks
To assign to this state, drag and drop the Risk from any other state/column, or open the Assess modal
and select duration under the Mitigate field in the top right corner.
Remove Risks
Risks can be removed from this state by drag and drop to another state.
Keyword search
By tag
By Risk Heat using the slider
By History: go back to last quarter's or last year's assessment to see the trending of your reports
By Entity or Process
The Mitigation Efforts defined in the Audit or Continuous Audit columns can be thought of as the
desired list of projects for your assurance group to perform in the coming year (the annual audit plan),
next quarter or on an ongoing basis to support SOX and other compliance efforts.
You are now able to view the title of the analysis and the number of transactions in Project Manager,
and click on the link to view the detailed result table in Results Manager.
Technical Requirements
ACL GRC supports the following browsers:
Google Chrome
Mozilla Firefox (v3 and later)
Internet Explorer 9 or 10 [compatibility view must be turned off]
Safari
Internet Explorer 8 [compatibility view must be turned off]
ACL recommends having one other modern browser installed in addition to one of the IE browsers for a
superior experience. There are sometimes browser-specific issues, and having another browser available
allows your team to continue working uninterrupted.
Note: IE7 is not a supported browser; nor is IE8, IE9 or IE10 when compatibility view is turned on.
Compatibility view is a simple toggle that can be turned on and off with a single click.
Flash is required in order to attach files, but most browsers come with Flash installed. If you are
unsure whether you have Adobe Flash installed, you can use the following page to check if it is available
on your computer, copy and paste the following link into your browser:
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html