Risk and control management
Enterprise Risk Management policies should establish communication and consultation methods with respect to critical risks in order to achieve an organization’s business objectives. They formalize the risk management process and content accountability.
Enterprise risk management
Using taxonomies, multi-level risk assessments, and standardized definitions, CERRIX will assist you in ensuring consistency throughout your organization’s risk framework. ERM can be supported with:
- Multi-level risk taxonomies pre-configured for organizational units;
- Flexible risk scoring models (also quantitative);
- Time-travelling, giving insight into risk exposure trends;
- Checks for alignment with Risk Appetite;
- Flexible links with mitigating controls, required actions, business processes, projects, frameworks etc.;
- Enable periodic Risk Assessments.
Control your end-to-end processes in CERRIX with Risk and Performance views. Avoid maintaining separate applications for risk and process management; in CERRIX you benefit from their integration. Besides the nice drawing designs, risks, controls, incidents, performance indicators, improvement actions and data processing items can all be integrated. In this way, business process owners are automatically requested to assess their business process and they must state their In-Control status.
- Easy design of business processes (swim lane, free format);
- Rich formatting features;
- Hierarchical setup allows for drill-down;
- Risks & Controls are linked to process steps;
- Direct use in risk assessment workshops: draw, discuss, map, create risks & controls directly in design mode;
- Work instructions & RACI are included;
- Design & View mode;
- MS Visio import;
- BPMN 2.0;
- Share your processes on your dashboards;
- Print integrated overview.
Any employee, as well as key vendors, must be able to report an event as quickly as possible. Following the notification of the occurrence, management should evaluate it and determine its appropriateness. If considered pertinent, the registered incident can be enriched with relevant data and also provided with the necessary actions. CERRIX provides workflows to address the incident’s proper routing and notify the parties involved as necessary.
- A flexible Form is defined for employees to report incidents;
- Incident Form on all home-dashboards;
- Workflow directs the route for incident handling;
- Incidents related to Data Breaches require additional data;
- Actions for improvement can be issued;
- Root-cause analysis and link with risks & controls;
- Store relevant documents.
Whether you want to use the CERRIX Audit module independently or as part of a company-wide integrated approach, you will benefit from the powerful and rich functionality that CERRIX can bring.
- Highly secure separated module;
- Full integration with all other modules;
- Use Audit Universe for risk assessment and audit planning;
- Audit planning & preparation;
- Templates by Audit types (risk assessments; work programs);
- Document requests for Auditees;
- Fieldwork Planning & Execution;
- Directly editable documents (Office Integration);
- Findings Management & Follow-up;
- Quality reviews (IIA standards).
KPIs & KRIs
Timely intervention is only possible with timely insights. CERRIX provides data gathering for KRIs and KPIs. Whenever a data point crosses a preset indicator threshold, managers can decide on an adequate response. Indicator data points can be uploaded or obtained via APIs from source systems. Risk indicators may be deployed as an alerting Risk Driver for a potential risk, whereas Performance Indicators warn business owners of potential deviations from (financial) targets.
- Link KPI/KRI to risk categories, business processes, organizations;
- Easily enter, upload or get data points;
- Automatic summing, aggregation, selection of data for a period;
- Multiple presentation options;
- APIs for connecting to data sources.
3rd party management
Enterprises are interconnected with many parties, so they might suddenly be confronted with undesired effects on business continuity, supply chain, reputation or product quality, all caused by a business partner. Frequent assessment of your vendors is key. Onboarding, monitoring and exiting of a vendor are fully supported with CERRIX. Likewise, this module can be used for clients. With connected Forms you will be able to issue questionnaires, review them, and reject or approve them.
- Maintain 3rd parties like vendors and clients;
- Periodic Assessments;
- Maintain business contracts, Service Level Agreements and reports;
- Link with external sources, risk and controls;
- Define and monitor improvement actions;
- Link to Data Privacy;
- Issue questionnaires.
Data (privacy) management
With CERRIX you will be able to integrate your privacy protection program into Enterprise Risk & Compliance management. CERRIX supports the implementation of a data processing register (GDPR article 30 records of processing activities). Especially powerful is the seamless interconnection with privacy risks and controls, business processes and the 3rd parties module. In this way, privacy responsibilities are linked to business process owners. Compliance officers can benefit from an integrated overview, define and monitor measures-of-improvement, invoke Data Processing Impact Assessments and enrich Data Breaches with required data.
- Complete records of processing activities;
- Applications and Data-structures with archiving policies and sensitivity tags;
- Define, maintain and initiate DPIAs;
- Register and assess external data processors;
- Assess and report compliance regulations;
- Workflow for managing Data Breaches.