Operational risks are rooted in human mistakes, system failures and the ever-present possibility of having inadequate controls and procedures in place. The implementation of international standards such as Basel II and Solvency II has been enforced after several regrettable examples of operational risk mismanagement, as was the case with Barings Bank, one of the oldest merchant banks in England, which vanished from the market after accruing operational losses of USD 850 million as a result of the reckless operations of one of its agents in the East.
Potential threats are manifold, and they are the reason why a
joint-effort approach requires identifying and managing all the
different business areas.
This management demands a specific software solution that provides
methodologies, alerts, analysis tools and an appropriate
information security level considering the criticality of the
information being managed.
Meycor GRC has evolved through several successful experiences in order
to support organizations of all sizes concerned with these issues by
providing a modular solution that can be customized to each case. This
solution helps minimize costs and demonstrate due diligence in
complying with standards and best practices.
Meycor GRC encompasses the most widely known standards such as ISO 31000,
AS/NZS 4360:2004, COSO, ERM, CobiT and ISO/IEC 27001.
The solution also acknowledges that business units need to manage their
own risks. Nonetheless, the Risks, Compliance and Audit unit should be
able to monitor all progress and obtain global information for their
analyses.
The Senior Board is continuously provided with solid evidence of proper
management that protects the interests of all stakeholders.

As shown in the next diagram the solution allows you to:
- Qualitatively Analyze Risks (including sample threat templates that can be fully and easily customized to fit your specific case).
- Record Loss and Near-loss Events (linking events to managed threats and providing alerts for unidentified threats).
- Receive instant Alerts (when recorded events reach a set threshold in either quantity or cost, an automatic alert is sent to designated parties).
- Obtain Key Risk Indicators (KRIs) (that allow you to identify metrics, define them manually or automatically, and obtain a comprehensive view of all measurements in a Balanced Scorecard).
- Perform Quantitative Analyses (based on all the events recorded, the software suggests probability and impact distributions that automatically adjust the expected loss for each business line).
Next we will introduce some of the features of Meycor GRC:
Assessing and Managing IT Risks
- Meycor GRC defines a structure of units-processes-objectives and threats.
- It also integrates the analysis with the Event Registration Module for Loss Events. This allows you to define custom fields, statuses, and who is responsible for completing the records. Events are also linked to the identified risks.
- Alerts System - The system includes several alerts. A great feature is that you can enter alert thresholds for threats or categories. This dynamic check is performed every time a new event is recorded. Whenever a value reaches the threshold an automatic alert is sent by e-mail. This system complements the KRI management (which is considered in the solution using an additional module).
- Integrating @Risk to the Solution - Based on the recorded Loss Events, an automated process allows you to perform a quantitative assessment, determining for each threat the probability distribution that best fits the data (Poisson, Binomial, etc.) to represent the likelihood and impact. In addition, you can run a Monte Carlo simulation to double-check the values. You can generate several reports and charts so the analysts can better assess the results.

- Reporting Estimated Loss per Business Line - You can obtain annual average values for the likelihoods and impacts based on the information provided. Based on this classified information you can group threats by business lines and categories (which could, for example, correspond to the Basel II levels). This allows you to obtain a clear monetary value to justify investing in controls or contingency funds.
- Tools for Analyzing Threats - Each business area (as well as the Risk Unit) has several reports and charts available to analyze their own risks and ascertain the risk tendencies that must be managed. A good example of this is the Browse Risks report that includes several useful filters.

Meycor GRC Audit Solution
In addition to the traditional Meycor approach of auditing the processes considering their risks, now you can perform other types of audits (such as operational, compliance or financial audits) that benefit from the different management features without needing a link to the information in the Assessment Module.
For example, you can use the Meycor Audit Module to determine if the accounting assessment of the fixed assets is accurate, or to check if a process complies with the information security management system directives currently in place in the organization.
In short, this module allows you to:
- Customize most of its features
- Assign roles (Officers, Administrators, Team Managers, Auditors)
- Enter your own Audit Guidelines
- Create Audit Projects and assign Auditors
- Record observations
- Record tasks
- Manage workpapers
- Control the resources assigned to projects
- Set up alerts
- Follow up on observations
- Automatically generate a final report
Defining the type of audit you want to perform:

Sample automated report based on the findings and observations:
Project Progress Control:
