Operating Guide

Version 3.3

Compliance, Risk and TriLine GRC

Page contents

Overview of Compliance

Overview of Risk

How TriLine GRC helps with Compliance and Risk Management

Recommended Reading

Overview of Compliance

What is Compliance?

Compliance can be defined as the activities that an organisation performs in order to comply with regulations, government Acts, Codes of Practice or other instruments that govern how an organisation operates.

For example, financial institutions are subject to many regulations, audit and transparency requirements. If such an organisation fails to comply with these requirements, the organisation is put at risk through the possibility of fines, damage to reputation and even business closure.

In TriLine GRC, each requirement to comply with a regulation, Act of government and other instrument is recorded as a Compliance Process.

Process Controls

To ensure compliance with regulatory and other obligations, an organisation can assign tasks to people so that they can check to ensure that the required compliance activities are being carried out satisfactorily.

In TriLine GRC, these tasks are called Process Controls. Process Controls not only help to ensure that your organisation’s compliance activities are regularly monitored and assessed, but also provide a valuable source of information for auditing purposes through the progressive reporting of Process Control completion.

Once you set up the Process Controls, TriLine GRC takes care of generating the tasks in accordance with schedules you set, and reminds people responsible for completing a task when it becomes due.

Overview of Risk

What is Risk?

ISO 31000:2009 defines risk as the effect of uncertainty on objectives. All organisational activity involves some risk.

Risk Assessment

Some risks have little or no impact on an organisation’s goals and objectives; other risks can have significant or catastrophic impact.

The process of determining the risks that affect an organisation, and to what level, is Risk Assessment. Risk Assessment allows you to examine the likelihood of a risk event occurring, and the consequences to the organisation if a risk event occurs.

Armed with this information, an organisation can develop strategies and routine tasks to reduce or eliminate those risks that the organisation is not prepared—or allowed—to tolerate.

Risk Treatments

In TriLine GRC, the routine tasks that are created to control a risk are called Risk Treatments. Such treatments may involve periodic checks to ensure that the organisation’s activities continue to minimise risk, or actions such as staff refresher training to reduce the likelihood of Workplace Health and Safety (WHS) events.

Risk Appetite

Organisations have different approaches to risk. Some are more risk-averse, perhaps due to the regulatory environment in which they operate; others may tolerate greater risk in order to maximise operational performance.

In TriLine GRC, an organisation’s attitude to risk is called Risk Appetite, and is a feature that you can use in conjunction with other risk-related features in TriLine GRC to manage risk within your organisation.

Key Risk Indicators

Key Risk Indicators (KRIs) are defined occurrences or trends that show whether a risk is more or less likely to occur over time.

You can use the KRIs feature in TriLine GRC to set up tasks to monitor Key Risk Indicators periodically and take action if the indication shows a deterioration in the management of a particular risk.

Full list of Risk definitions

ISO 31000:2009 contains a complete list of definitions for risk. We recommend that you obtain a copy of the Standard and refer to it in your day-to-day risk management activities.

How TriLine GRC helps with Compliance and Risk Management

TriLine GRC helps you to manage Compliance and Risk by automating the monitoring and scheduling of Tasks that would usually be performed by a Compliance and/or Risk Manager. Such Tasks include:

Using TriLine GRC frees your Compliance and Risk Managers from these routine monitoring and scheduling activities so that they can concentrate on the more strategic elements of Compliance and Risk Management.

Management by exception

If a routine Task has been completed without incident, there’s really no need to alert anyone. You only need to know when something out of the ordinary has occurred, so that you can take action to prevent non-compliance or to stop a risk event from occurring.

TriLine GRC operates on this principle—management by exception. For example:

TriLine GRC can be tailored to your organisation’s needs

Some organisations have no Compliance obligations, but need to manage Risk. Others have simple Risk Management needs and don’t use Key Risk Indicators (KRIs).

You can configure TriLine GRC to use as many—or as few—of its comprehensive features as you need.

If you find, after a time, that your organisation has changed and now requires some of the unused features in TriLine GRC, you can easily turn these on and configure them for use.

Linking Compliance and Risk

Compliance and Risk are often linked. For example, failure to comply with a regulation may place an organisation at risk of reputational damage, or even closure of the business.

TriLine GRC lets you link related compliance process and risk records to make it easier to see the relationships and overall health of your organisation’s compliance and risk status.

A complete history for Auditing

TriLine GRC maintains a history of all events, completed tasks, exceptions, and trend/rating data. This information can be easily assembled into reports for audit purposes.

Having this information to hand provides assurance to auditors that your organisation is actively engaged in compliance and risk management.

Recommended Reading

International Standard for Risk Management (principles and guidelines)

ISO 31000:2009 Risk management—Principles and guidelines is the International Standard for applying the principles of Risk Management. Your TriLine GRC system has been developed around this Standard.

To obtain a copy of the Standard (Purchase required):

  1. Right-click this link and open it in a new tab: SAI Global Store
  2. Type ISO 31000:2009 in the ‘Search’ field at the top of the page.
  3. In the search results, select the ISO Standard applicable to your country or region.
  4. Choose your preferred format, click ‘Add to Cart’ and follow the prompts to purchase the Standard.

Enterprise Risk Management (Thought Papers)

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has produced several ‘Thought Papers’ that may be of interest to Compliance and Risk Managers.

To obtain these Thought Papers (Available for download):

  1. Right-click this link and open it in a new tab: http://www.coso.org/guidance.htm
  2. Under the heading ‘Enterprise Risk Management’, select one or more of the following recommended titles:

Three Lines of Defense in Effective Risk Management and Control

The Institute of Internal Auditors (IIA) has produced a Position Paper: The Three Lines of Defense in Effective Risk Management and Control (January 2013).

This Position Paper discusses the key factors that organisations need to know about Risk Management and Control, framed in terms of the ‘Three Lines of Defense’ (US publication):

To obtain this Position Paper (Available for download):

  1. Right-click this link and open it in a new tab: http://www.theiia.org.
  2. Move your mouse cursor over the ‘Standards and Guidance’ button.
  3. In the drop-down list that appears, click ‘Position Papers’.
  4. On the ‘Downloads and Links’ page, under the heading ‘Position Papers’, locate the Position Paper title and click the pdf link for your preferred language.
