Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
30 November 2012

GRC Process Control - It's All About Risk (Part 2)

In the 1st part of this series I explained why risks are an essential element of GRC Process Control as they provide focus, direction and guidance - the foundation of an enterprise GRC solution. In this second and final part I will provide a brief guide to the different ways in which you can manage risks within GRC Process Control which, perhaps unsurprisingly, is more complicated than you might expect.

The first thing to appreciate is that within GRC Process Control risks are master data objects themselves. Therefore, to be able to assign risks to other master data objects (e.g. controls, control objectives etc) they have to already exist within the Risk Catalogue. If you have an established control framework which you are simply moving into GRC Process Control, then the risks have already been defined and it will be a case of simply copying them into the Risk Catalogue for assignment later on. However, if you are creating a new control framework then the initial phases of this work should be focused on mapping out the enterprise risks prior to documenting the controls which mitigate them. It might still be challenging to define all of your risks up-front. This is not a problem as you can continually add to, and modify, the risk catalogue at any time, making new or updated risks available for assignment but care should be taken to ensure that they align with wider risk management strategies rather than simply polluting the GRC Process Controls catalogue.

Risks are also used in GRC Process Control to provide a link between some master data objects. It may be surprising to learn that control objectives cannot be directly linked to controls in GRC Process Control. However, both master data objects are linked when they share common risk assignments, and these indirect relationships can be seen using some available standard risk reports.

The main purpose for identifying and documenting risks is so that you can ensure the relevant measures are in place to mitigate them in line with your company's risk appetite. This helps to maintain the right balance between implementing controls and maintaining operational efficiencies. Therefore, it’s important to have the ability to perform a risk gap analysis to understand whether those risks relevant to your organisation have been mitigated or not.

Within GRC Process Control, all of the risks which need to be addressed reside at the sub-process level.

These are made up of risks which are either:

(a) Inherent to the sub-process and so are assigned from within the sub-process itself;

(b) Inherited automatically by the sub-process via control objective assignment (whereby the risk has previously been assigned to the control objective master data); and

(c) Inherited automatically by the sub-process via account group assignment (whereby the risk has previously been assigned to the account group master data). Note: The use of account groups is usually required when dealing with financial regulations e.g. SOX.

This indicates those risks that need to be mitigated by controls assigned to the same sub-process. The risk(s) a control mitigates is specified in the control master data objects themselves which are also assigned to the sub-process. Therefore, the risk gap analysis can be performed at the sub-process level. GRC Process Control achieves this analysis by automatically comparing the risks that reside on the sub-process with those risks mitigated by the controls assigned to the same sub-process. Standard reports such as 'Risk Coverage' can be used to display whether all risks per organisation/process/sub-process have been mitigated or not by the relevant assigned controls. Alternatively, you can display risk coverage in the 'Risk' tab within the sub-process master data object itself, although this will only give you a view for the individual sub-process you are currently viewing.

As you can see, there is a quite a lot of functionality and flexibility available to identify, assign and mitigate sub-process level risks in your organisation. However, it's important to fully understand the relationships between these risks and the relevant master data objects, and map these out carefully in your implementation in order to manage risk effectively using GRC Process Control.