Risk Process Management Model

Achieve Regulatory Compliance Through Self-Assessments & Strong Operating Controls!

© P.I.E. Consortium

Methodology to Address Risks Across Business

VW Diesel Galaxy 7UberEpiPen Bank AcctRisks

Lesly Regislesregis@icloud.com

(203) 767-7521

Table of Contents

q Challenges of Risk Assessment And Mitigation page 3

q Methodology For Meeting Regulatory Requirements page 4

q Technical Foundation page 5

q Model Capabilities (Financial & Pharma) page 6 - 8

q Suggestions For Deployment page 9

q Application Examples page 10 -13

q Failure Modes & Effects Analysis Appendix A

© P.I.E. Consortium2

• Assessment must be comprehensive but not exhaustive

• Perspective must be maintained to avoid getting lost in details

• Assessment must be done upfront to obtain maximum benefits

Challenges Key Phases(Note: For Any Risk Methodology)

Identification Analysis

MitigationMonitor & Control

Challenges of Risk Management: Assessment and Mitigation

Finding The Vital Few Over The Trivial Many Is Critical

3© P.I.E. Consortium

Risk Process Management Model – Seven Step Methodology To Meet Regulatory Requirements

The Risk Process Management Model Is an Effective Method To Assess & MeetRegulatory Compliance Requirements For All Businesses

•Identification

•Analysis

•Mitigation

•Monitor & Control

Ass

essm

ent

Trea

tmen

t

Risk Mgt. Phases RPM Steps

1. Identify & Map Process

2. Remedy Controls Gaps Proactively

3. Classify Controls by Types

4. Identify and Mitigate Risk

5. Remediate

6. Establish Metrics and Implement Monitoring Plan

7. Establish Structure to Control

Toolso Block Diagram o Deployment Flowchartso Samplingo Basic Structured

Problem Solvingo Measurement System

Analysis

o Failure Modes & Effects Analysis (FMEA (appendix a))

o Statistical Process Control (SPC)

o Business Process Mgmt. (BPM)

o Scorecard / Dashboardo Standard Operating

Procedures (SOP)

4© P.I.E. Consortium

Risk Process Management Model – Technical Foundation

* ISO31000 : risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected

Ø Begins by using broadest definition of risk as “missing any expected outcomes”*, around a broad frame

Ø Analyzes risks as outcomes of any process

Ø Disaggregates process into its components and controls to allow analysis and mitigation of risks

Process

5© P.I.E. Consortium

Risk Process Management Model – Model Capabilities (Financial Services)

Ø Model can be used on simple or complex processes

Ø Facilitates a wide range of usage at: enterprise level, a specific crisis, a performance goal or product failures

Ø Interdependencies and controls are documented and controls improved to reduce risks

6

CTR* Reqt's CTR Reqt's

Bus

ines

s

Com

plia

nce

Tech

nolo

gy

Mon

ey C

ente

rs

CTR

Ope

r.

Com

plia

nce

Ope

ratio

ns

IRS

End to End Process View

Operations Currency Transactions Reporting Function

oOver 20 Major Process Steps at Macro Level…o 1 MM Possible Two Level Interactions Between

Process Steps. (Note : 2k-1, k = process steps)

Example of a Currency Transactions Reporting (CTR) Process

*CTR = Currency Transactions Reporting

Functions

© P.I.E. Consortium

Risk Process Management Model – Model Capabilities (Pharma)

Ø Model can be used on simple or complex processes

Ø Facilitates a wide range of usage at: enterprise level, a specific crisis, a performance goal or product failures

Ø Interdependencies and controls are documented and controls improved to reduce risks

7

Temp. Reqt's

End to End Process View

Example of Temperature Risk Management Pharma Supply Chain

Temp. Reqt's

Goal: Maintain product quality, safety and efficacy by preventing product adulteration, counterfeiting, theft, and diversion.

Source: Erik van Asselt, PhD MSD, PCCIG EU Branch Leader

© P.I.E. Consortium

Risk Process Management Model – Model Capabilities (cont’d)

Best

Less

Effe

ctiv

e

Ø Consistent method to analyze controls to mitigate risk

Ø Uses statistically based tools for both diagnostic and remediation effort

P = Preventive; D = Detective

o Outcome basedo Involves inspection or reviewo Segregation of dutyo Mostly detective, unless SPC

(Statistical Process Control) is used as a controlling tool

o Predictive o Involves inspection or reviewo Segregation of dutyo Most effective in abating riskso Greater influence on the outputso A wide number of Quality Engineering

& Problem Solving tools can be used

Process Output / Requirements

ProcessInputs Outputs=

Control Types Control Types

*

8

© P.I.E. Consortium

9

Risk Process Management Model – Suggestions For Deployment

q Set the right frame, keep the enterprise level perspective. Wrong frame greatly reduces the likelihood of identifying and mitigating the risk

q Use a project based deployment approach with cross-functional teams for complex processes

q Use Block diagram & Deployment Charts (swim lane) for process mapping

q Develop Process Mapping Taxonomy. Maintain time sequence and lane subdivision rules. Otherwise, analytical value will be greatly reduced.

q Governance: Leverage / Build an infrastructure to drive execution:People:

o Use existing Subject Matter Expert resources (as much as possible)o Target and complement some roles, as needed

Skills:o Provide targeted training to enhance skills for different roles and responsibilities:

Governance:o Senior Mgmt. set strategy, monitor progresso Risk based prioritized deploymento Phase gate reviews around each step

Reqt's Reqt's

Geo

grap

hy

Supp

liers

Sale

s

Mar

ketin

g

Ope

ratio

ns

QA Sh

ippi

ng

Reg

ulat

or

End to End Process View

Bus

ines

s

© P.I.E. Consortium

Ø A macro view of a High Value Payments Parameter Set UP process using a block diagram chart

Ø Another way of depicting the macro view is through the use of a deployment chart

High Value Payments Parameter Set Up (Example) – Step1

*Significant inputs other functions*Significant inputs other functions

Size & or location within lane Shows sole or joint execution of task

*

Must Have:o Maintain process flow in time sequenceo Do not use the activity flowchart – Use the deployment flowcharto Develop a taxonomy to ensure consistency

ProcessRequest Set-up Activate Service&

MonitorSubmitRequest

ReceiveServices

ProcessRequest

Set-up Activate

Service&Monitor

SubmitRequest

ReceiveServicesCustomer

ProductMgt.

Operations

FIG

Compliance

Credit

* *

10© P.I.E. Consortium

11

High Value Payments Parameter Set Up (example) – Step 2-3

Custo

mer

PCM

Servi

ceDe

livery

Comp

liance

Cred

it

Ameri

cas

Financia

lIns

tituti

on

Grou

p(FIG

)

ClientRequest1

ClientRequest1

Setup

2

Setup

2

Activation

3

Activation

3

ServiceandMonitor

4

ServiceandMonitor

4

SubmitRequestSubmitRequest

ReceiveServicesReceiveServices

ClientRequest

1

Setup

2

Activation

3

ServiceandMonitor

4

ServiceandMonitor

4

SubmitRequestSubmitRequest

ReceiveServicesReceiveServices

DraftDraftR&C-A.FasolinoR&C-A.Fasolino

Est%complete–90%Est%complete–90% ConfidenceLevel–90%ConfidenceLevel–90%06/12/1206/12/12

SMEApproved–datetbdSMEApproved–datetbdSME-Nhedges/ARamkumaranKJCaseSME-Nhedges/ARamkumaranKJCase

ServiceDelivery–HVPParameterSetupL0–AnalysisDraft1.0ServiceDelivery–HVPParameterSetupL0–AnalysisDraft1.0

Yes.Addressedin2011.

1.4.3InternalControls

Yes.Addressedin2011.

1.4.3InternalControls

OprLossesyes2009

OprLossesyes2009

2 1

9

1

3

1

5 4 62 1

8 1 181

RPN

(2)=250

(1)=500

RPN

(2)=250

(1)=500 RPN

(2)=500

RPN

(2)=500

RPN

(2)=250

(8)=500

RPN

(2)=250

(8)=500

RiskArea

RPN250-500

RiskArea

RPN250-500

HighRisk

Area

RPN=1000

HighRisk

Area

RPN=1000 Control

Type

s

Control

Type

s

Systemic

Preventative

Detective

Seg.OfDuties

Procedures

GapsAUDIT

FINDINGS

AUDIT

FINDINGS OtherOther

ProductMgmt..

Ope

ratio

ns

Inventory of Controls - Part 2 Control Types (# of controls)

L0Seq

#

L0&L1

Seq #

Process Tasks (time sequence)

- L0 - L1 S

yste

mic

Pre

vent

ive

Det

ectiv

e

Seg

Dut

y

Pro

cedu

res

Tota

l

1 1 Client Request 1 2 3 62 2 Setup 4 2 3 1 4 143 3 Activate 3 34 4 Service and Monitor 8 1 1 18 28

Totals 13 3 6 1 28 51

Summary of Findings :qAudit: None outstanding – 2 closed since 2011

qControls Gaps: 28

qControl Types: 51

qOther: Additional steps were added to account setup to prevent an issue where credit was incorrectly posted

Control Summary o 25% Systemic

o 12% Detective

o 6% Preventive

o 2% Segregation of Duty

o 55% Procedural

© P.I.E. Consortium

12

High Value Payments Parameter Set Up (Example) – Step 4-5} Process Failure Modes & Effects Analysis (FMEA) – Summary of high risks by major sub-process areas.

Summary of Insights

o Heavily reliant manual paper. Recommended enhancement changes should improve controls (i.e. the use of an email attachment and a GPS queue driven solution to email exchanges).

o QC review of parameter changes remained high. The solution to the 2011 audit finding is working. Further discussions were held with senior management to explore a systemic solution to further mitigate risks.

o The Halt Payment Notification process within the payment operation was informal and undocumented. We worked with the Credit function to establish a formalized and efficient process.

Parameter Setups Process Steps Potential Failures I L D

RP

N Audit Finding

HVP DB sets up account on GPS Incorrectly setup. 10 5 10 500 N

PCM Client Svs checks GPS to confirm acct setup (existing accts)

Fail to perform check. 5 5 10 250 NHVP PM completes setup in Production

Incorret setup . 10 5 10 500 NHVP Program Mgmnt approves GPS input and Activation

Approves incorrect setup. 10 5 10 500 NHVP Program Mgmnt performs QC / signoff

QC overlooks issue. 10 5 10 500 Y

HVP Program Mgmnt & PCM Client Svs monitor 1 day after setup

Monitored, but issues undetected. 10 5 5 250 NHVP PM Decision: PM &Client Svs monitor for accuracy else fallback to setup

Issues not detected, are not referred back for resolution. 10 5 10 500 N

Not detected timely. 10 5 10 500 NMisinterpret what issue could be, so don't find. 10 5 10 500 N

HVP Database closes account on GPS and files paper work

Misplace paperwork for file. 5 5 10 250 NHVP SDI/Risk monitors payment NSF Queue.

Fail to monitor timely. 10 5 10 500 NHVP SDI/Risk advise Credit of payments.

Advises wrong / incomplete information. 10 5 10 500 NCredit advise disposition to HVP SDI/Risk area.

Give wrong instructions. 10 5 10 500 NCredit misunderstands verbal information provided. 10 5 10 500 NSDI misunderstands verbal instructions provided. 10 5 10 500 N

SE

TUP

AC

TIV

ATI

ON

SE

RV

ICE

AN

D M

ON

ITO

R

© P.I.E. Consortium

13

Deployment – Results - Step 6-7

High Value Payments ResultsØ 26 control gaps remedied, within first three weeks of the deployment

Ø Plans in place to address remaining gaps

Ø Over 33 high risk failure modes mitigated

Ø High risk process failure modes prioritized and plan in place to resolve

Additional Deployment Results five processes:üHigh Value Payments Parameters Set upüReturns items processingüAbandoned propertyüTax Certification ReportingüCurrency Transactions Reporting

System

ic

Prventive

Detective

SegofDuty

Proced

ures

ReturnItemsProcessing 48 24 76 16 22 21 1 16 117

AbandonnedProperty 70 36 84 13 7 50 4 10 344

TaxCertification&Reporting 83 21 101 25 2 29 33 12 321

HVPParametersSet-Up 74 28 51 13 3 6 1 28 211

CurrencyTransactionsReporting 63 0 83 8 9 22 11 33 100Total 338 1093

FailureM

odes/

Proc.Steps

ControlTypes

ProcessName

#ofProcessSteps

ControlGaps

ExistingControls

Abandoned Property

Prev

entiv

e

© P.I.E. Consortium

Steps For Identifying & Mitigating Risks Using Failure Modes & Effects Analysis (FMEA)

§ Be comprehensive but not exhaustive

§ Do not get lost in details

§ Complete upfront to obtain maximum benefits

Approach

How

§ Best to process map the process in question or have the SME’s identify the project or process steps

§ Brainstorm ways things can go wrong

§ Stick to what can go wrong instead of why it went wrong to avoid listing of causes

§ Use a ranking method to rank each risk§ Severity / Impact§ Occurrence

(Likelihood)§ Detection

§ Ranking (Risk Priority Number (RPN)= S*O*D

§ Make use of the FMEA ( Failure Modes & EffectsAnalysis) tool

§ Use a pre-emptive strategy to address control gaps to implement quick remediation

§ First attempt must be to pre-empt or prevent the occurrence

§ If prevention cannot be achieved then use controls to lessen risk§ First: Preventive

controls§ 2nd Reactive controls§ Last: Segregation of

duty

§ Use wide range QA tools

§ Develop contingency

§ Use a “Mistake Proofing” methodology

§ Design in systemic controls

§ Develop or use parallel runs to lessen operation related risks (when major conversion is being done)

§ Build a robust contingency plan

§ Start by looking for ways to enhance detectability, then improve occurrence by reducing frequency

§ Use SPC (Statistical Process Control) as a tool

§ Use good Root Cause Corrective Action (RCCA) problem solving

§ If risk level is unacceptable, process must be re-engineered

§ Use a structured problem solving methodology e.g. Six Sigma

1 2 3 4 5

Identify Prioritize Eliminate Use Controls to Mitigate Risks

Change Processes

Phase 1 Phase 2

Appendix A

14© P.I.E. Consortium