ACL GRC Risk Manager - Usage Guide V1.1

  • 7/26/2019 ACL GRC Risk Manager - Usage Guide V1.1

    ACL GRC

    Risk Management

    Usage Guide

    May, 2013

    Copyright 2013 ACL Services Ltd. All rights reserved.

    No part of these materials may be reproduced, stored in a retrieval system, or transmitted, in any

    form or by any means (photocopying, electronic, mechanical, recording, or otherwise), without

    permission in writing from the publisher, except by a reviewer who may quote brief passages in a review.

    These materials may not contain all the information, or the most current information relevant to your situation or intended application.

    Version 1.1, May 2013

    ACL Services Ltd.

    1550 Alberni Street Vancouver,

    BC Canada V6G 1A5

    Telephone: +1-604-669-4225

    E-mail: [email protected]

    Web: www.acl.com

    ACL, and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other

    trademarks are the property of their respective owners.

    Important: Terms, conditions, features, service offerings, and prices referenced in this document are subject to change without notice. We at ACL Services Ltd are committed to bringing you great online services. Occasionally, we may decide to update our selection and change our product and service offerings, so please check at www.acl.com for the latest information, including pricing and availability, on our products and services.

    Table of Contents

    Welcome to ACL GRC Risk Management!
    How Does ACL GRC Support Your ERM Process?
    Overview of Enterprise Risk Assessment Methodology
    Getting Started - Configure Your System
    Set Up Your Org Map
    Overview of System Methodology - States & Flow
    How do I Assess Risks?
    Accepted or Unactionable Risk
    Audit or Action Risk
    Continuous Audit or Automate Action of Risk
    Mitigated - completed mitigation efforts
    Filters for Risk Profile and Visualize Reports
    Risk Mitigation Planning Integrated in Project Manager
    Associating Risks with Projects (Risk Mitigation Planning)
    The Mitigation Project List
    Associate Projects to Mitigation Efforts
    Associating Results with Tests in Project Manager
    Finding generated from linked Control Test
    Risk Track - Aggregated Issues & Data
    Technical Requirements
    Where to Find More Information
    Have Questions or Feedback?

    Welcome to ACL GRC Risk Management!

    ACL GRC helps executives and risk managers catalog, assess, prioritize and communicate enterprise risks across the leadership team. It provides a simple, straightforward way to capture and maintain a complete view of risks across the organization, track the risks that are most important and plan audit and risk mitigation projects for the greatest impact.

    Key capabilities of ACL GRC risk management discussed in this guide include:

    - One clear view of the risk landscape: users can categorize and track risks by critical characteristics, organizational structure and mitigation approach.
    - Assess and prioritize risks: supports COSO, ISO 31000 and most risk management frameworks.
    - Zero in on the details with rich capabilities for keyword tagging, searching and time-based filtering.
    - Identify, quantify and act on issues: seamless and visual integration between the enterprise-level risk profile, audit and risk mitigation projects, project findings, test results and remediation activity.

    The purpose of this guide is to provide Audit, Risk and other GRC leadership professionals tasked with Enterprise Risk Management (ERM) with how-to guidance on applying these functionalities to automate your risk management process with ACL GRC.

    How Does ACL GRC Support Your ERM Process?

    Figure 1 illustrates the overall methodology that's built into ACL GRC. From left to right:

    - Risk Manager is used to assess and manage enterprise risks, and to associate risks with mitigation efforts and projects in Project Manager. For Internal Audit, this process would be used by audit leaders to determine the annual audit plan, but the same would apply to any assurance group outside of audit as well.
    - Projects in Project Manager could be assessments, investigations, examinations, or pure audit engagements. While annual assessments tend to be common, organizations are moving towards a dynamic and ongoing process, and Risk Manager is designed to support that real-time assessment so you can action critical risks that require immediate mitigation efforts.
    - Results Management provides the detailed data analysis that's needed to support project findings, provide insight into issues, and ultimately inform ongoing assessment and disposition of enterprise risk.

    Fig 1: Overall ACL GRC Methodology Flow

    Overview of Enterprise Risk Assessment Methodology

    Risk Manager is designed to support most enterprise risk management (ERM) methodologies in use today. Examples include the COSO and ISO 31000 frameworks, as well as in-house frameworks created in response to enterprise risk management initiatives.

    In general, all risk assessment methodologies include some way of identifying strategic risks, categorizing and rating those risks, and managing them throughout their lifecycle. Risk Manager accommodates different methodologies with a flexible system of category and thematic tags to help you organize and document risks, and provides a choice of 3 x 3 (COSO), 5 x 5 (ISO 31000) or 10 x 10 scoring models to help you assess the impact and likelihood of risks. Most organizations manage risks on a quarterly to yearly cycle; Risk Manager includes the ability to manage the risk portfolio continuously and dynamically as the organization changes, but is equally useful if you perform an annual risk assessment to drive out your annual audit plan for internal audit groups, or the list of engagements to mitigate enterprise risk for other assurance groups.

    Fig 2: Risk Assessment Methodology

    Gather Raw Input: Align with Management and Organizational Objectives

    Risk Manager is designed to help you document and manage your organization's risk portfolio, and associate high-priority risks to audit and assurance projects in ACL GRC Project Manager. Figure 2 illustrates a typical approach to this process. Before using Risk Manager you should be prepared with some initial information about your risk environment. This information should include an understanding of your organization's business processes, reporting and/or assurance entities, a list of the risks you have identified, and a basis to arrive at likelihood and impact ratings for each of these risks. Most importantly, this process allows Audit, Risk and GRC leaders to align with management and their organizational objectives to ensure the assurance work that is performed is adding the most value to the enterprise.

    To assemble this information, most risk assessment leaders would perform some or all of the following activities outside of the system:

    - Interview C-suite executives
    - Interview business unit leaders
    - Hold assessment workshops with C-suite / VPs
    - Distribute risk self-assessment surveys
    - Collate internal and external sources of information to drive risk identification and grading

    Risk Manager is very flexible, so you can continuously update your risk assessments as the organization evolves, risk assessments change, and new risks are identified. You don't need a complete understanding of your risk portfolio to get started.

    Overview of Risk Configuration Methodology and Steps

    To get up and running with Risk Manager, you will need to work through eight steps, from core system

    settings, through to managing your risk portfolio by the state of each risk:

    1. Configure Your System & Related Settings
    2. Set Up Your Org Map
    3. Overview of System Screens, States & Flow
    4. Create, Assess & Score Your Risks
    5. Accepted State: for risks that are acceptable and fall within your risk tolerance
    6. Audit State: for risks that you choose to address through an audit plan; create your list of projects to perform in your audit plan
    7. Continuously Monitor State: for risks that you choose to address by continuous monitoring; create a list of projects monitored by automated analytics
    8. Mitigated State: for risks that can be mitigated by existing/assigned resources and capabilities

    Getting Started - Configure Your System

    To start, all users will be administrators with full read/write permissions and access to Settings. There are additional roles available for executives or other business leaders that may need or want read-only access; for example, read-only with collaborative access to Comments and no access to System Settings. Those roles are optional and only for GRC groups that want or need to extend that functionality to collaborate with executives or management leaders.

    Manage and Add Users

    The Manage Users screen allows you to add and remove users and set user roles.

    Figure 3: Manage Users

    + Add: Click the Add button to add a new user.
    Email address: Enter the email address of the user to add.
    Full name: Enter the full name of the user to add.
    Add an optional message: Enter an optional message, which will display in the activation email.
    Send invite: Click Send invite to add the user.
    Cancel: Click to cancel the add process; changes are not saved.
    User Name: Once users are added to the system, they are listed on the Manage Users page.
    Email: Username and email address of the user.
    Status: Shows the state of the user. Newly added users are in a state of Pending until they click their activation link and become Active.
    Remove: Remove Risk Manager access for the user.
    Role: Assign the user role: Admin, Executive or Reviewer.

    Set the Scoring System

    The system currently supports three scoring frameworks, which cannot be customized at this time. Select one framework for the entire system. Please note: switching scoring frameworks will reset the risk scoring on all risks, so each risk will need to be re-scored on the basis of the new setting.

    - 3x3 scoring to support a COSO risk framework; [1-3] x [1-3] for likelihood x impact
    - 5x5 scoring to support an ISO 31000 risk framework; [1-5] x [1-5] for likelihood x impact
    - 10x10 scoring; [1-10] x [1-10] for likelihood x impact

    Manage Your Tags

    Tags can be applied to individual risks for additional searching and filtering capability, and add a 3rd dimension to your Org Map, applied at the Risk level. This page is for managing tags: creating new tags, or modifying or deleting existing ones.

    - Create tags with a materiality value based on < 1MM, > 1MM, > 5MM, > 10MM
    - Assign an executive owner to a risk by name or title, i.e. CEO, CFO, COO, CIO, CAE
    - Assign a risk as Strategic, Operational, Financial or External
    - Assign a risk as SOX related
    - Assign any of the elements of the COSO cube for tracking
    - Assign strategic elements from the executive agenda
    - Assign additional entities such as Regions, Business Units, Divisions, or Locations

    Add new tag: Type a value in the field and press Enter to create the tag.
    Delete existing tag: Click the x in the tag value to delete it.
    Search for tag to modify: Type the tag name in the search field.

    Set Up Your Org Map

    The Org Map is meant to model your organization at the highest level, and is comprised of a major category, such as Regions, Business Units, Divisions or Locations, mapped to a minor category, such as business processes, functional or operational areas, auditable or assurance areas, projects, or strategic elements.

    Hover on an entity or process, and its associations will be highlighted.

    Figure 4: GRC Map

    Add a new entity

    Figure 5: Add Entity

    + Add: Click to add a new entity.
    Title: Enter a title for your entity. Keep titles brief.
    Choose a Business Process: Click the field; once you have business processes in your universe, they will be available in a smart drop-down list to associate to the entity.
    Save: Click Save to save the entity.
    Cancel: Click Cancel to close the field; nothing is saved.

    Add a new process

    Figure 6: Add Process

    + Add: Click to add a business process.
    Title: Enter a title for your process. Keep titles brief.
    Choose an auditable entity: Click the field; once you have entities in your universe, they will be available in a smart drop-down list to associate to your process.
    Save: Click Save to save the new process.
    Cancel: Click Cancel to close the field; nothing is saved.

    Expand / Collapse Toggle

    Use the expand/collapse toggle to view the associations within an entity or process, and click the respective associated item's x to remove it from the expanded view.

    Figure 7: Expand Tiles in GRC Map

    Overview of System Methodology - States & Flow

    Fig 8: Risk Assessment Flow and States

    Risk Profile

    The Risk Profile is meant to be the one screen that leaders use to create, assess, and assign risks to different risk states. Ultimately, the highest-impact risks to the organization would help drive out the annual or quarterly audit/project plan, although the system is designed to support a dynamic risk assessment process that could be used throughout the year, with projects assigned as risks are raised.

    Figure 9: Risk Profile screen

    States & Flow

    Each state is represented by a column on the Risk Profile screen. A risk can be dragged from one state to another based on its assessment and your risk tolerance:

    - Assess: create new risks to be scored and assessed
    - Accepted: risks that lie within the organization's risk tolerance or are unactionable
    - Audit: risks that require resources and projects assigned to address them
    - Continuous Audit: risks that may be addressed by automated analytics
    - Mitigated: risks that have been mitigated by completing projects, or by having controls/programs/resources already in place to mitigate them

    Drag & drop tips

    Each risk is represented by a tile in its respective state. To drag a tile from one state [column] to another, place your mouse over it and the cursor will turn to the four-arrows icon. Left-click to select the tile and drag it to the desired state with the mouse button held down. Slightly overlap the tile in the desired location of the new state, and when a dashed border with a shadowed background appears you can drop it in place. The tile can be freely moved to re-order it once inside a state by following the same steps, or dragged to another state when needed for what-if scenarios.

    Figure 10: Risk tile drag and drop

    Toggle to Hide or View State

    Simply click the blue buttons to toggle a state, represented by a column on the screen, between visible and hidden. This allows users to maximize the real estate of the screen. For instance, if automated analytics are not yet used to perform entire projects, simply toggle that state/column to hidden view.

    How do I Assess Risks?

    Create Risks

    Click the + button to add a new risk. You must enter a title; you can optionally add a description and optionally select the business processes from your audit universe which the risk impacts. Click Save. A risk is represented by a Risk Tile in the Risk Profile.

    Risk Tile

    Each Risk Tile corresponds to one documented risk. Risk assessment, risk tracking and associated

    mitigation efforts are all accessed through the Risk Tile.

    Figure 11: Risk tile expanded

    Score and Heat %: Displays the Risk Score and Risk Heat, visible in both expanded and collapsed states for easy comparison.
    Risk Title: The title of the Risk is displayed on the tile in collapsed and expanded states.
    Expand/collapse icon: Click the icon to expand or collapse the Risk Tile.
    Description: Field describes the risk.
    Assess button: Click Assess to open the Risk Modal for scoring and other functions.
    Edit button: Click Edit to modify the title or description fields.
    Track button: Click Track to display issues and exceptions associated with the risk. (Requires association of the risk's mitigation efforts with projects in Project Manager and, optionally, tests in Results Manager, discussed later in this guide.)
    Delete link: Click Delete to delete the Risk from the system.
    Mitigation Efforts: Click the + button to add mitigation efforts (i.e. risk mitigation projects) to the Risk Tile. Risk mitigation planning is discussed later in this guide.

    Assessing the Risk

    Once saved, a risk can be assessed: open the risk tile and click the Assess button.

    Overview Tab

    The overview tab displays the risk score, risk heat, description, and tags that have been attached to the

    risk, the detailed likelihood and impact scoring, and the mapped business processes. The risk state can

    be changed to accepted or mitigated via the dropdown boxes at the upper right.

    Figure 12: Assess Modal

    Title: To edit the title, open the risk tile and double-click the title field, edit the title and click Save.
    Accept: This field can be used to set a risk to the Accepted state; the system will prompt for a duration: 1 mo; 1 quarter; 1 year; Permanent; Future Date. The system will automatically move the risk back to Assess at the end of all durations except Permanent.
    Mitigate: This field can be used to set a risk to the Mitigated state; the system will prompt for a duration: 1 mo; 1 quarter; 1 year; Permanent; Future Date. The system will automatically move the risk back to Assess at the end of all durations except Permanent.
    x: Click to close the risk modal.
    Risk Score: Sum of aggregated score by entity.
    Risk Heat: Calculated by dividing the Risk Score by the total highest score across all entities using the scoring system. If there are 5 entities using a 3x3 scoring system, 13/45=29%.
    Description: To edit the description, open the risk tile and double-click the title field and edit the description, then click Save.
    Tags: Apply tags to risks for additional filtering ability.
    Auditable Entities: Entities are listed automatically based on the business processes selected. Risks are scored against each entity and process.
    Likelihood: The scoring system selected in System settings will determine if the scores are 3x3, 5x5 or 10x10.
    Impact: The scoring system selected in System settings will determine if the scores are 3x3, 5x5 or 10x10.
    Entity Score: Simply the score for likelihood x the score for impact.
    Processes: Add a process by clicking the field and selecting a process from the drop-down list. Remove a process by clicking the x of an existing process in the field.

    Comments Tab

    The comments tab provides the ability to add a comment and/or add an attachment to the risk.

    Attachments might include detailed documentation of a risk, risk assessment survey results or other

    evidence to support the assessment and disposition of the risk.

    Figure 1: Comment box

    Add comment: Type in the "make a comment or attach a file" field. Comments are required, even to attach a file only.
    Choose File: To attach a file, click Choose File and select from your network directory.
    Post: Click Post to save the comment / attachment.
    Cancel: Click Cancel to close the add comment field; changes will not be saved.
    Comment / Attachment toggle: To view all attachments without comments, click the Paper icon. To view comments, click the caption icon.
    Delete file: Click the attachment toggle and click Delete for the selected file.

    History Tab

    The history tab displays the history of each risk as it's moved through the risk profile states. History can be filtered by state, user, and date.

    Figure 2: History Tab

    Filter by state: Each creation or change in state will create an item in the History log. Users can additionally filter by State.
    Filter by user: The user that performed the action item in the log is captured, and can be additionally filtered.
    Filter by date: The date on which the action item is performed

    Visualize Risks

    Org Heatmap

    The Org Heatmap illustrates where in the organization the clusters of risks lie once they have been assessed. The bubbles are clusters of individual risks that impact the same process and entity.

    Figure 3: Org Heatmap

    The order of processes down the vertical axis and entities across the horizontal axis is dictated by the order of each in the audit universe. To change the order, simply drag and drop the respective tile to a preferred location in the audit universe, which will be reflected in the Heatmap.

    How to interpret the Org Heatmap:

    - The size of a bubble indicates the volume of clustered risks
    - The color of a bubble indicates the severity of clustered risks. There are 10 bands of colors, each representing a 10% range; risks within each range will be the same color, with green being the lowest severity and red being the highest severity
    - Score: hover on a bubble to see the aggregated score
    - View risks by clicking on a bubble
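
The Risk Score and Risk Heat definitions from the Assess modal, together with the ten 10% colour bands described above, worked through in Python as an added example (not ACL's code). The class and function names, the sample ratings, and the rule that a heat exactly on a band boundary falls in the lower band are assumptions; the guide does not say how a bubble's percentage is derived, so the band here is computed from Risk Heat.

```python
from dataclasses import dataclass
from fractions import Fraction
from math import ceil

# Highest rating on each axis for the three scoring frameworks the guide lists.
SCALES = {"3x3": 3, "5x5": 5, "10x10": 10}


@dataclass(frozen=True)
class EntityRating:
    """Likelihood and impact of one risk as rated for one entity."""
    entity: str
    likelihood: int
    impact: int


def entity_score(rating, scale):
    """Entity Score = likelihood x impact; ratings outside the scale are rejected.

    Rejection matters after a framework switch: old ratings no longer fit,
    which is why the guide says every risk must be re-scored.
    """
    top = SCALES[scale]
    for axis in ("likelihood", "impact"):
        value = getattr(rating, axis)
        if not 1 <= value <= top:
            raise ValueError(
                f"{rating.entity}: {axis}={value} is outside 1-{top} for {scale}")
    return rating.likelihood * rating.impact


def risk_score(ratings, scale):
    """Risk Score = sum of the entity scores."""
    return sum(entity_score(r, scale) for r in ratings)


def risk_heat(ratings, scale):
    """Risk Heat = Risk Score / (number of entities x highest entity score)."""
    if not ratings:
        raise ValueError("a risk needs at least one rated entity")
    highest = len(ratings) * SCALES[scale] ** 2
    return Fraction(risk_score(ratings, scale), highest)


def heat_percent(heat):
    """Whole-number percentage, rounded as in the guide's 13/45=29% example."""
    return round(heat * 100)


def colour_band(heat):
    """Band 1 (lowest severity, green) to 10 (highest, red), 10% per band.

    Assumption: a heat exactly on a boundary belongs to the lower band.
    """
    return ceil(heat * 10)


def rank_by_heat(risks, scale):
    """Return (title, percent, band) tuples, hottest risk first."""
    heats = [(risk_heat(ratings, scale), title) for title, ratings in risks.items()]
    heats.sort(reverse=True)
    return [(title, heat_percent(h), colour_band(h)) for h, title in heats]


# Constructed sample data: five entities on the 3x3 scale whose scores total 13,
# matching the guide's worked figure, plus a second constructed risk.
SAMPLE = [
    EntityRating("North America", 1, 3),
    EntityRating("Europe", 2, 2),
    EntityRating("Asia Pacific", 1, 2),
    EntityRating("Latin America", 1, 1),
    EntityRating("Corporate", 3, 1),
]
SAMPLE_RISKS = {
    "Supplier concentration": SAMPLE,
    "Payment fraud": [EntityRating("Finance", 3, 3), EntityRating("Treasury", 2, 3)],
}

if __name__ == "__main__":
    for title, percent, band in rank_by_heat(SAMPLE_RISKS, "3x3"):
        print(f"{title}: heat {percent}%, band {band} of 10")
```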

    Risk Heatmap

    The Risk Heatmap illustrates your enterprise risks in relation to each other plotted in a risk quadrant of

    likelihood by impact, in order of each individual Risk Heat expressed as a %.

    Figure 16: Risk Heatmap

    Accepted or Unactionable Risk

    For risks that are within your organization's risk tolerance, audit and risk leaders will assign those risks to an Accepted state. When accepting risks, the system will prompt you to choose a duration to accept the risk for, with options being: 1 mo; 1 quarter; 1 year; Permanently or Future Date [calendar picker]. For all durations except permanent, the system will move that Accepted risk back to the Assess state upon expiry of the set duration.

    Audit or Action Risk

    The Audit state is for enterprise risks that lie outside your organization's risk tolerance and for which you want to action mitigation efforts for a coming period, such as to develop your annual audit plan.

    Assign Risks via Drag and Drop

    To assign to this state, drag and drop the Risk to the Audit state column.

    Create Project

    Mitigation Efforts +: Click the + button to open the create form.
    Add new Mitigation Effort: Type a unique name in the title field and click Save. Each Risk can only contain one unique Mitigation Effort, but the same Mitigation Effort can be added to many Risks.
    Select existing Mitigation Effort: Click the title field to display the list of existing mitigation efforts and select an existing name from the list, or type the name and click Save. You can associate one mitigation effort to many Risks.
    Save: Click Save to assign the Project name to the Risk.
    Cancel: Click Cancel to remove text from the field and close the form.

    Figure 4: Create Mitigation Efforts in Risks

    Edit Mitigation Effort

    Click the Edit icon on the Project to change the title or description.

    Delete Mitigation Effort

    Click the trash icon on the Project to delete it from the Risk.

    Continuous Audit or Automate Action of Risk

    The Continuous Audit state is for enterprise risks to which you can assign automated analytics for continuous monitoring or transactions. If you don't perform automated or recurring analytics, you can turn off this column system-wide from your Settings link.

    Mitigated - completed mitigation efforts

    The Mitigated state is for enterprise risks where the mitigation effort is completed, such as when all projects are completed for a given risk, or where there is already a control, program, or resource in place to mitigate the risk.

    Assign Risks

    To assign to this state, drag and drop the Risk from any other state/column, or open the Assess modal and select a duration under the Mitigate field in the top right corner.

    Remove Risks

    Risks can be removed from this state by drag and drop to another state.

    Filters for Risk Profile and Visualize Reports

    Click the Filter tab in the Risk Profile screen to expand the filter bar. You can apply the following filters, which will apply to both your Risk Profile and Reports:

    - Keyword search
    - By tag
    - By Risk Heat, using the slider
    - By History: go back to last quarter's or last year's assessment to see trending of your reports
    - By Entity or Process

    Risk Mitigation Planning Integrated in Project Manager

    A unique and key feature of ACL GRC is the ability to link and associate information about high-level enterprise risks, specific risk mitigation efforts (or projects), controls and test results together across the platform. The following diagram illustrates the linkages that are available in ACL GRC, working from risk management mitigation efforts (projects) through to project-level risks, controls and control tests, through to analytic results generated by ACL Analytics or ACL Analytics Exchange.

    Associating Risks with Projects (Risk Mitigation Planning)

    Risk mitigation planning is configured in ACL GRC Project Manager, in the Organization Planning area. The Mitigation Efforts defined in the Audit or Continuous Audit columns can be thought of as the desired list of projects for your assurance group to perform in the coming year (the annual audit plan), next quarter or on an ongoing basis to support SOX and other compliance efforts.

    The Mitigation Project List

    The Risk Mitigation Planning page displays the mitigation efforts defined by your leadership team through the Risk Manager process.

    The Risk Mitigation Planning page in Project Manager is designed for management and staff to plan, build, and execute their respective projects. The projects themselves will be built or re-used within Project Manager, but a critical step is to associate projects within Project Manager to the Risk Mitigation Efforts, so that issues and data exception results can be aggregated back into the Enterprise Risk for quantitative weighting and tracking.

    Associate Projects to Mitigation Efforts

    Click a Mitigation Effort to associate one or many engagements within Project Manager. Any engagement that is associated will have its issues [Findings] aggregated to a respective Risk.

    Associating Results with Tests in Project Manager

    Once the analysis is set up and the result is available in Results Manager, it's possible to give Project Manager users visibility and access to the detailed test and remediation status information in Results Manager. This is accomplished by linking a control test in Project Manager with one or more analysis results. The association and linking step is performed from Project Manager. To associate a result, navigate to the relevant test in the Fieldwork area of your audit or control testing program. At the foot of the test page, click on the Link Data Analysis button, and select one or more analyses to link. To save the link, click the Save Link button, and close the analysis selection window.

    You are now able to view the title of the analysis and the number of transactions in Project Manager,

    and click on the link to view the detailed result table in Results Manager.

    Finding generated from linked Control Test

    When a Control Test is linked to a Data Test, and a finding is generated from that Control Test page, the corresponding Finding will display the number of records identified in the data test and provide a link to drill down to the data test.

    Risk Track - Aggregated Issues & Data

    Risk tracking is another unique and defining feature of ACL GRC. This is the ability to aggregate and display findings and issues arising from audit and other types of risk mitigation projects, and exceptions arising from detailed data analysis, against the underlying enterprise risks. Risk tracking is available if projects have been associated with risk mitigation efforts defined in the Risk Profile screen. Click on the Track button in a project tile to view the issues and transactions associated with the risk.

    Technical Requirements

    ACL GRC supports the following browsers:

    - Google Chrome
    - Mozilla Firefox (v3 and later)
    - Internet Explorer 9 or 10 [compatibility view must be turned off]
    - Safari
    - Internet Explorer 8 [compatibility view must be turned off]

    ACL recommends having one other modern browser installed in addition to one of the IE browsers for a superior experience. There are sometimes browser-specific issues, where having another browser allows your team to continue working uninterrupted.

    Note: IE7 is not a supported browser; nor is IE8, IE9 or IE10 when compatibility view is turned on. Compatibility view is a simple toggle that can be turned on and off with a single click.

    Flash is required in order to attach files, but most browsers come with Flash installed. If you are unsure whether you have Adobe Flash installed, you can check whether it is available on your computer by copying and pasting the following link into your browser:

    http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html

    Where to Find More Information

    ACL GRC will continuously evolve in response to customer feedback over the coming months and as we build out ACL's product roadmap. As new features and improvements are added, details will be documented and posted on acl.com.

    We look forward to receiving your comments and feedback as you begin to work with ACL GRC!

    Have Questions or Feedback?

    Please contact us:

    [email protected]

    Kris Hutton, Product Manager

    Nigel Matthews, Product Marketing Manager
