CERRIX now also suitable for GDPR

It took a while before the GDPR / AVG deadline came in sight (May 2018). Many companies have since started a project to steer implementation in the right direction. However, it is important how the processes that result from this can be anchored in the organization. A tool ensures that your process is safeguarded in the organization. CERRIX gives you the possibility to visualize data processing processes, to relate privacy-sensitive data elements to these processes and to the responsible officers, to perform Privacy Impact Assessments (PIAs), to collect data breach reports (with workflow) and to provide E-learning sessions.

Risk information as a steering tool

Risk information as a steering tool for achieving your business objectives.

Risk management is no longer limited to the periodic identification, assessment and management of risks. Risk management is a continuous process that is part of the daily processes of the company. Sound risk information together with performance information can be used as a steering tool for achieving your business objectives. We therefore see an increasing need for real-time risk information that, together with the performance information, can be presented visually and comprehensibly so that sound decisions can be made. This concerns, among other things, risk information on: real-time reported risks and incidents / losses in business processes and transactions, data on the operation of your control measures, key risk indicators and the status of improvement measures implemented.

How do we get from risk data to risk information?

In order to convert the risk data into relevant risk information that can be used by you as a controller, it is first of all important to define uniform data definitions. For example, if everyone within the organization understands what the definition of an incident or loss is, this will generally lead to company-wide understanding of and uniformity in the recording of incidents and losses.

It must also be determined which risk information can be of added value for which echelon. By establishing the relationships between, for example, objectives, related processes and related risk categories on the one hand and the required related risk information on the other hand, it is possible to determine what risk data is needed to create this information.

How do we achieve efficiency in the preparation of risk information?

Now that we know which risk information is required, the next step is to achieve efficiency gains in the preparation of the risk information. Risk data is now often collected manually from many different sources (incident registration systems, Excel, risk management systems, source systems, etc.) and is subsequently manually converted into relevant risk information or reports. The first step is to centralize the recording of all relevant risk data as much as possible in one risk management system or repository. This offers advantages because in this way relationships between different types of risk data can be established more efficiently. A second step is to automate the recording of risk data as much as possible by transporting risk data from the source systems via interfaces to the central risk management system or repository.

How do we present the available risk information?

Finally, the presentation of the risk information to the user deserves special attention. The risk information is best used if it can be visually layered both horizontally and vertically, or in a combination of the two, preferably in the form of a flexible dashboard. By vertically layered presentation is meant that the risk information can be filtered / aggregated organizationally from the highest to the lowest level. By horizontally layered presentation is meant that the risk information can be filtered / aggregated, for example, at objective level, process (chain) level or risk category.

Do you want to know more about how you can organize your risk information provision in your organization? Then contact Maurits Toet of CERRIX on tel 06-55781325 or via maurits.toet@cerrix.com.

Risk conference well attended

The risk conference that CERRIX organized on June 23, 2016 in Hotel Karel V in Utrecht was well attended. The various themes raised by the speakers led to many discussions among those present. It became clear that there are still many differences in risk maturity level between the various organizations. The coupling of GRC systems with operational systems is seen as an important new step in the further development of GRC systems. CERRIX will also show the results of this there next time.

Risk Aggregation & Risk Reporting

Guideline BCBS 239: Aggregation of risk data and risk reporting.

The Basel Committee published Article 239 in January 2013. This article describes 11 Principles for effective risk data aggregation and risk reporting. The article has a major impact on the flexibility and robustness of banks in the short term. The essence of BCBS 239 is that a bank must at all times have access to and insight into every cross-section of risk data at any desired aggregation level. The 11 principles are summarized below:

• The governance of the risk organization, data architecture and IT infrastructure must support flexible, reliable and robust access to and reporting on risk data.
• Data must be available at any desired level and at any time. High demands are made on this data with regard to accuracy, completeness and integrity. This risk data must be reconcilable at all times and be compatible with the finance data of the company.
• Based on this data, risk reports must be generated that meet the requirements of Accuracy, Comprehensiveness, Frequency, Distribution, Clarity and Usefulness.

DNB is considering how this guideline should be implemented within financial institutions. The expectation is that this will become clear in 2016. Banks would do well not to wait but to act on this directive now. The full article can be found here: http://www.bis.org/publ/bcbs239.pdf

DNB uses the ORM Assessment Framework

The Assessment Criteria

DNB is open about the way in which it carries out the assessment of banks that use the standardized approach. The assessment framework (Reference Framework 2015) is available to the bank itself, so that it is able to periodically carry out a Self Assessment for its own organization (or parts of it) on the basis of the criteria of this Assessment Framework. The assessment is based on a number of topics such as:

Risk Culture;
Oprisk Appetite;
Policies & procedures;
Identification & assessment;
Reporting, Monitoring & Disclosure;
Control & Mitigation;
Change Management;
Internal Audit.

The maturity level per criterion is determined by the degree to which a criterion can be met. A four-point ordinal scale is used for this. Ultimately, the assessment leads to an overall picture of possible room for improvement.

Is it useful to perform this Self Assessment?

We think so. It gives a good picture of how the regulator looks at you. We do note, however, that this assessment framework concerns the design and existence of ORM; it says nothing about how your bank actually operates. In practice, banks have of course implemented numerous control measures to avoid the risks.

How can CERRIX help with this?

We can help you carry out this Self Assessment and prepare a report on it. It is better if we can process this Self Assessment in our CERRIX tooling. In that case, we deliver the DNB Assessment Framework along with it as a standard Control Framework. You can then periodically repeat the assessment, so that you can properly monitor the extent to which you increase the maturity of ORM in your organization. Improvement actions can be closely monitored. It is obvious that this will also help you in reporting to the regulator.

Pension fund invests in Risk Dashboard

A large industry-wide pension fund has been using CERRIX for its risk management for several years. Recently it purchased the new CERRIX Dashboard module, which presents management information in real time. The dashboard is subdivided into a number of blocks in which the information is presented. For example, the current risk profile can be presented and compared with the previous period, along with the degree of control based on recent tests, the status of Risk Indicators in relation to the predefined Risk Appetite, information about incidents and pending actions. This information can differ per responsible board committee and can therefore also be filtered per committee and / or risk category. Stakeholders can leave comments on each information item, so that a discussion thread arises from the comments. This prevents the sending of PDF documents back and forth and makes the dashboard interactive, so that it will be used more often. In short, this ultimately benefits the Risk Control process.