Risk Based Monitoring

Traditionally, compliance audit programmes have been rule-based. Many firms are now developing a risk-based approach to rule-based monitoring in line with the approach being taken by the FSA and to evidence intelligent, joined-up thinking.

The first step for a global business to consider is whether to introduce a consistent and co-ordinated model across all divisions of the business. In building a risk-orientated system you will need to take into account various internal and external factors, including: the coverage of your existing programme; previous findings; latest business practices; management information; and market intelligence.

The process of identifying and assessing risks and controls can be very time-consuming, and the involvement of senior operational staff at this stage is crucial to make sure that the latest business practices are captured. A ‘risk list’ is created. Risks having a common theme are clustered and each risk is assessed according to the probability and impact of its occurrence. You might use risk matrices to help analyse and prioritise (score) risks. Risks will typically fall into four categories: critical; housekeeping; contingent; and insignificant. Using the matrices [and the ‘reviewers’ nose’], a risk map can be created on which to base audit programmes, and the frequency with which the tests should be carried out, that: monitor processes and the effectiveness of systems and controls; identify the need for additional controls; and provide high quality information for senior management.

Whilst carrying out a programme of comprehensive risk assessment, risks will emerge that will not fit comfortably with regulatory compliance. If you have separate compliance, internal audit and business risk functions, each having their own responsibilities and audit programmes, you will need to involve them in the risk identification and assessment processes to ensure that each area's audit programme complements that of the others and that no risks are left unallocated.

If you need assistance to develop a risk-based compliance audit programme or just additional resource to avoid slippage in carrying out your existing programme, contact us.
