Risk Process Management Model
Achieve Regulatory Compliance Through Self-Assessments & Strong Operating Controls!
© P.I.E. Consortium
Methodology to Address Risks Across Business
[Figure: example risk events – VW Diesel, Galaxy 7, Uber, EpiPen, Bank Acct Risks]
Lesly [email protected]
(203) 767-7521
Table of Contents
• Challenges of Risk Assessment And Mitigation
• Methodology For Meeting Regulatory Requirements
• Technical Foundation
• Model Capabilities (Financial & Pharma)
• Suggestions For Deployment
• Application Examples
• Failure Modes & Effects Analysis (Appendix A)
Challenges of Risk Management: Assessment and Mitigation
Challenges:
• Assessment must be comprehensive but not exhaustive
• Perspective must be maintained to avoid getting lost in details
• Assessment must be done upfront to obtain maximum benefits
Key Phases (Note: for any risk methodology): Identification, Analysis, Mitigation, Monitor & Control
Finding The Vital Few Over The Trivial Many Is Critical
Risk Process Management Model – Seven Step Methodology To Meet Regulatory Requirements
The Risk Process Management Model is an effective method to assess and meet regulatory compliance requirements for all businesses.
Risk Mgt. Phases:
• Identification (Assessment)
• Analysis (Assessment)
• Mitigation (Treatment)
• Monitor & Control (Treatment)
RPM Steps:
1. Identify & Map Process
2. Remedy Controls Gaps Proactively
3. Classify Controls by Types
4. Identify and Mitigate Risk
5. Remediate
6. Establish Metrics and Implement Monitoring Plan
7. Establish Structure to Control
Tools:
o Block Diagram
o Deployment Flowcharts
o Sampling
o Basic Structured Problem Solving
o Measurement System Analysis
o Failure Modes & Effects Analysis (FMEA, Appendix A)
o Statistical Process Control (SPC)
o Business Process Mgmt. (BPM)
o Scorecard / Dashboard
o Standard Operating Procedures (SOP)
Risk Process Management Model – Technical Foundation
• Begins by using the broadest definition of risk as “missing any expected outcomes”*, around a broad frame
• Analyzes risks as outcomes of any process
• Disaggregates the process into its components and controls to allow analysis and mitigation of risks
* ISO 31000: risk is the “effect of uncertainty on objectives”, and an effect is a positive or negative deviation from what is expected
Risk Process Management Model – Model Capabilities (Financial Services)
• Model can be used on simple or complex processes
• Facilitates a wide range of usage: at enterprise level, for a specific crisis, a performance goal or product failures
• Interdependencies and controls are documented, and controls improved to reduce risks
Example of a Currency Transactions Reporting (CTR*) Process – End to End Process View of the Operations Currency Transactions Reporting Function (functions shown as lanes: Business Compliance, Technology, Money Centers, CTR Operations, Compliance Operations, IRS; each lane with its CTR Reqt's)
o Over 20 Major Process Steps at Macro Level…
o 1 MM Possible Two Level Interactions Between Process Steps (Note: 2^k - 1, k = process steps)
*CTR = Currency Transactions Reporting
Risk Process Management Model – Model Capabilities (Pharma)
• Model can be used on simple or complex processes
• Facilitates a wide range of usage: at enterprise level, for a specific crisis, a performance goal or product failures
• Interdependencies and controls are documented, and controls improved to reduce risks
Example of Temperature Risk Management Pharma Supply Chain – End to End Process View (Temp. Reqt's at each end)
Goal: Maintain product quality, safety and efficacy by preventing product adulteration, counterfeiting, theft, and diversion.
Source: Erik van Asselt, PhD MSD, PCCIG EU Branch Leader
Risk Process Management Model – Model Capabilities (cont’d)
• Consistent method to analyze controls to mitigate risk
• Uses statistically based tools for both diagnostic and remediation effort
Control Types (P = Preventive; D = Detective), shown against a Process with Inputs → Outputs = Process Output / Requirements; effectiveness ranges from Less Effective to Best
Controls on process outputs / requirements (D):
o Outcome based
o Involves inspection or review
o Segregation of duty
o Mostly detective, unless SPC (Statistical Process Control) is used as a controlling tool
Controls on process inputs (P, Best):
o Predictive
o Involves inspection or review
o Segregation of duty
o Most effective in abating risks
o Greater influence on the outputs
o A wide number of Quality Engineering & Problem Solving tools can be used
Risk Process Management Model – Suggestions For Deployment
• Set the right frame, keep the enterprise level perspective. The wrong frame greatly reduces the likelihood of identifying and mitigating the risk
• Use a project based deployment approach with cross-functional teams for complex processes
• Use Block diagram & Deployment Charts (swim lane) for process mapping
• Develop a Process Mapping Taxonomy. Maintain time sequence and lane subdivision rules. Otherwise, analytical value will be greatly reduced.
• Governance: Leverage / Build an infrastructure to drive execution:
  People:
  o Use existing Subject Matter Expert resources (as much as possible)
  o Target and complement some roles, as needed
  Skills:
  o Provide targeted training to enhance skills for different roles and responsibilities
  Governance:
  o Senior Mgmt. set strategy, monitor progress
  o Risk based prioritized deployment
  o Phase gate reviews around each step
[Figure: End to End Process View – lanes: Business, Geography, Suppliers, Sales, Marketing, Operations, QA, Shipping, Regulator; Reqt's at each end]
High Value Payments Parameter Set Up (Example) – Step 1
• A macro view of a High Value Payments Parameter Set Up process using a block diagram chart
• Another way of depicting the macro view is through the use of a deployment chart
Must Have:
o Maintain process flow in time sequence
o Do not use the activity flowchart – Use the deployment flowchart
o Develop a taxonomy to ensure consistency
[Figure: block diagram and deployment chart – steps: Submit Request, Process Request, Set-up, Activate, Service & Monitor, Receive Services; lanes: Customer, Product Mgt., Operations, FIG, Compliance, Credit]
* Significant inputs from other functions. Size and/or location within a lane shows sole or joint execution of a task.
High Value Payments Parameter Set Up (Example) – Step 2-3
[Figure: deployment chart “Service Delivery – HVP Parameter Setup L0 – Analysis Draft 1.0” (Draft, R&C – A. Fasolino, est. % complete 90%, confidence level 90%, 06/12/12, SME approved – date tbd, SME – Nhedges / ARamkumaran / KJCase); lanes: Customer, PCM Service Delivery, Compliance, Credit, Americas Financial Institution Group (FIG); steps: 1 Client Request, 2 Setup, 3 Activation, 4 Service and Monitor (Customer lane: Submit Request, Receive Services); annotations: RPN values of 250 and 500 per step, Risk Area = RPN 250-500, High Risk Area = RPN 1000; audit findings “Yes. Addressed in 2011. 1.4.3 Internal Controls” and “Opr Losses yes 2009”; legend of control types: Systemic, Preventative, Detective, Seg. of Duties, Procedures, Gaps, Audit Findings, Other]
Inventory of Controls - Part 2: Control Types (# of controls)

L0 Seq # | L0&L1 Seq # | Process Tasks (time sequence) - L0 - L1 | Systemic | Preventive | Detective | Seg Duty | Procedures | Total
1 | 1 | Client Request | 1 | - | 2 | - | 3 | 6
2 | 2 | Setup | 4 | 2 | 3 | 1 | 4 | 14
3 | 3 | Activate | - | - | - | - | 3 | 3
4 | 4 | Service and Monitor | 8 | 1 | 1 | - | 18 | 28
 | | Totals | 13 | 3 | 6 | 1 | 28 | 51
Summary of Findings:
• Audit: None outstanding – 2 closed since 2011
• Controls Gaps: 28
• Control Types: 51
• Other: Additional steps were added to account setup to prevent an issue where credit was incorrectly posted
Control Summary:
o 25% Systemic
o 12% Detective
o 6% Preventive
o 2% Segregation of Duty
o 55% Procedural
High Value Payments Parameter Set Up (Example) – Step 4-5: Process Failure Modes & Effects Analysis (FMEA) – Summary of high risks by major sub-process areas.
Summary of Insights
o Heavily reliant on manual paper. Recommended enhancement changes should improve controls (i.e. the use of an email attachment and a GPS queue driven solution to email exchanges).
o QC review of parameter changes remained high. The solution to the 2011 audit finding is working. Further discussions were held with senior management to explore a systemic solution to further mitigate risks.
o The Halt Payment Notification process within the payment operation was informal and undocumented. We worked with the Credit function to establish a formalized and efficient process.
Parameter Setups Process Steps | Potential Failures | I | L | D | RPN | Audit Finding
HVP DB sets up account on GPS | Incorrectly setup. | 10 | 5 | 10 | 500 | N
PCM Client Svs checks GPS to confirm acct setup (existing accts) | Fail to perform check. | 5 | 5 | 10 | 250 | N
HVP PM completes setup in Production | Incorrect setup. | 10 | 5 | 10 | 500 | N
HVP Program Mgmnt approves GPS input and Activation | Approves incorrect setup. | 10 | 5 | 10 | 500 | N
HVP Program Mgmnt performs QC / signoff | QC overlooks issue. | 10 | 5 | 10 | 500 | Y
HVP Program Mgmnt & PCM Client Svs monitor 1 day after setup | Monitored, but issues undetected. | 10 | 5 | 5 | 250 | N
HVP PM Decision: PM & Client Svs monitor for accuracy else fallback to setup | Issues not detected, are not referred back for resolution. | 10 | 5 | 10 | 500 | N
 | Not detected timely. | 10 | 5 | 10 | 500 | N
 | Misinterpret what issue could be, so don't find. | 10 | 5 | 10 | 500 | N
HVP Database closes account on GPS and files paper work | Misplace paperwork for file. | 5 | 5 | 10 | 250 | N
HVP SDI/Risk monitors payment NSF Queue. | Fail to monitor timely. | 10 | 5 | 10 | 500 | N
HVP SDI/Risk advise Credit of payments. | Advises wrong / incomplete information. | 10 | 5 | 10 | 500 | N
Credit advise disposition to HVP SDI/Risk area. | Give wrong instructions. | 10 | 5 | 10 | 500 | N
 | Credit misunderstands verbal information provided. | 10 | 5 | 10 | 500 | N
 | SDI misunderstands verbal instructions provided. | 10 | 5 | 10 | 500 | N
(I = Impact, L = Likelihood, D = Detection, RPN = I × L × D; the slide groups the rows by sub-process area: Setup, Activation, Service and Monitor)
Deployment – Results - Step 6-7
High Value Payments Results:
• 26 control gaps remedied, within first three weeks of the deployment
• Plans in place to address remaining gaps
• Over 33 high risk failure modes mitigated
• High risk process failure modes prioritized and plan in place to resolve
Additional Deployment Results, five processes:
• High Value Payments Parameters Set up
• Returns items processing
• Abandoned property
• Tax Certification Reporting
• Currency Transactions Reporting
Process Name | # of Process Steps | Control Gaps | Existing Controls | Systemic | Preventive | Detective | Seg of Duty | Procedures | Failure Modes / Proc. Steps
Return Items Processing | 48 | 24 | 76 | 16 | 22 | 21 | 1 | 16 | 117
Abandoned Property | 70 | 36 | 84 | 13 | 7 | 50 | 4 | 10 | 344
Tax Certification & Reporting | 83 | 21 | 101 | 25 | 2 | 29 | 33 | 12 | 321
HVP Parameters Set-Up | 74 | 28 | 51 | 13 | 3 | 6 | 1 | 28 | 211
Currency Transactions Reporting | 63 | 0 | 83 | 8 | 9 | 22 | 11 | 33 | 100
Total | 338 | | | | | | | | 1093
(Systemic, Preventive, Detective, Seg of Duty and Procedures are the Control Types of the existing controls)
Steps For Identifying & Mitigating Risks Using Failure Modes & Effects Analysis (FMEA)
Approach:
• Be comprehensive but not exhaustive
• Do not get lost in details
• Complete upfront to obtain maximum benefits
How:
• Best to process map the process in question or have the SMEs identify the project or process steps
• Brainstorm ways things can go wrong
• Stick to what can go wrong instead of why it went wrong to avoid listing of causes
• Use a ranking method to rank each risk:
  o Severity / Impact
  o Occurrence (Likelihood)
  o Detection
• Ranking: Risk Priority Number (RPN) = S*O*D
• Make use of the FMEA (Failure Modes & Effects Analysis) tool
• Use a pre-emptive strategy to address control gaps to implement quick remediation
• First attempt must be to pre-empt or prevent the occurrence
• If prevention cannot be achieved then use controls to lessen risk:
  o First: Preventive controls
  o 2nd: Reactive controls
  o Last: Segregation of duty
• Use a wide range of QA tools
• Develop contingency
• Use a “Mistake Proofing” methodology
• Design in systemic controls
• Develop or use parallel runs to lessen operation related risks (when a major conversion is being done)
• Build a robust contingency plan
• Start by looking for ways to enhance detectability, then improve occurrence by reducing frequency
• Use SPC (Statistical Process Control) as a tool
• Use good Root Cause Corrective Action (RCCA) problem solving
• If risk level is unacceptable, the process must be re-engineered
• Use a structured problem solving methodology, e.g. Six Sigma
Steps: 1 Identify, 2 Prioritize, 3 Eliminate, 4 Use Controls to Mitigate Risks, 5 Change Processes (grouped into Phase 1 and Phase 2)
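As an added worked example (not from the P.I.E. Consortium deck), the Python below computes RPN = S*O*D as defined in this appendix over rows transcribed from the High Value Payments FMEA table on the Step 4-5 slide, ranks them into the deck's Risk Area / High Risk Area bands, and reproduces the Control Summary percentages from the Step 2-3 inventory; the `FailureMode` helper and the treatment of anything under RPN 250 as "Low" are this example's assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FailureMode:
    step: str
    failure: str
    impact: int          # I (severity / impact) column on the slide, 1-10
    likelihood: int      # L (occurrence / likelihood) column, 1-10
    detection: int       # D column, 1-10 (10 = hardest to detect)
    audit_finding: bool  # "Audit Finding" column (Y/N)

    def rpn(self) -> int:
        # Risk Priority Number as defined in the appendix: S * O * D
        return self.impact * self.likelihood * self.detection

def risk_band(rpn: int) -> str:
    # "Risk Area" (250-500) and "High Risk Area" (1000) are the deck's labels;
    # treating anything under 250 as "Low" is this example's assumption.
    if rpn >= 1000:
        return "High Risk Area"
    if rpn >= 250:
        return "Risk Area"
    return "Low"

# Rows transcribed from the Step 4-5 FMEA table (I, L, D, Audit Finding).
HVP_FMEA = [
    FailureMode("HVP DB sets up account on GPS", "Incorrectly setup", 10, 5, 10, False),
    FailureMode("PCM Client Svs checks GPS to confirm acct setup", "Fail to perform check", 5, 5, 10, False),
    FailureMode("HVP Program Mgmnt performs QC / signoff", "QC overlooks issue", 10, 5, 10, True),
    FailureMode("HVP Program Mgmnt & PCM Client Svs monitor 1 day after setup", "Monitored, but issues undetected", 10, 5, 5, False),
    FailureMode("HVP Database closes account on GPS and files paper work", "Misplace paperwork for file", 5, 5, 10, False),
]

def prioritize(modes):
    """Rank failure modes highest RPN first as (rpn, band, step, failure)."""
    ranked = [(m.rpn(), risk_band(m.rpn()), m.step, m.failure) for m in modes]
    return sorted(ranked, key=lambda row: row[0], reverse=True)

def control_mix(counts):
    """Percent share of each control type, as in the deck's Control Summary."""
    total = sum(counts.values())
    return {name: round(100 * n / total) for name, n in counts.items()}

# Control counts from the Step 2-3 Inventory of Controls totals row.
HVP_CONTROLS = {"Systemic": 13, "Preventive": 3, "Detective": 6, "Seg. of Duty": 1, "Procedural": 28}

if __name__ == "__main__":
    for rpn, band, step, failure in prioritize(HVP_FMEA):
        print(f"{rpn:5d}  {band:14s}  {step}: {failure}")
    print(control_mix(HVP_CONTROLS))
```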
Appendix A