The first line of defense is the set of procedures and processes embedded at the department level and implemented by the departments themselves, for example:
1. A single organizational information space, with access to the information system through a single personal account, a notification system, visualization (dashboards) and task management.
2. IC and RM at the level of each department, integrated with the operational activity systems and with department KPIs, with corresponding monitoring.
3. Continuous work with risks: identification and assessment, predictive analytics, recording of risk events and monitoring of the scenarios under which risks materialize.
4. Access control and separation of duties to minimize the risks of fraud and error, including differentiation of functionality between users.
The second line of defense is the presence of dedicated IC, RM and internal audit (IA) services, which are responsible for the existence and effective functioning of the centralized IC, RM and IA system and of the corresponding methodologies and working instructions, for example:
1. Risk management through assessment of the level of risk culture, with establishment and monitoring of risk appetite.
2. A centralized, formalized system of internal control, with documentation of the organization's internal processes and monitoring and assessment of the effectiveness of control procedures.
3. A compliance service: monitoring of legislation and of compliance with state regulation, and analysis of conflicts of interest.
4. Ensuring business continuity: formalizing, updating and testing plans for the restoration of activities; creating an alerting system and procedures for group interaction in case of force majeure.
5. Creation of an information security and anti-fraud service with the relevant indicators and incident management. Centralized automation of the system, including investigations, reports and analytics for IC, RM and IA.
The third line of defense is risk control and the requirements for the IC, RM and IA systems set by the owners and the board of directors (BoD). It is the owners and the BoD who form the organization's strategy and determine its risk appetite, and who ensure the achievement of goals through the monitoring and control system, including through committees (risk committee, audit committee, etc.), for example:
1. A risk-based internal audit plan with a formalized audit universe and identification and verification of risk factors. Continuous audit and data analysis integrated into the organization's management system (integration with data sources, an automated audit system with dashboards and reports, the formation of audit programs and checklists, and document management during the audit process).
2. Formalized requirements for the quality of source data, for the presence of an audit trail in the systems, and for quality control of documentation. For example: activity logs in the system, documentation of all changes to the software, the availability of the necessary instructions, the delineation of authority, etc.
3. Automation of business processes with control over stages and timing. Use of process designers and continuous monitoring of effectiveness.
In the next article, we'll take a closer look at risk management in projects. If you are interested in implementing IC, RM and IA systems in your company, I will be happy to help you. Please contact me through my website: https://akonnov.ru/ or through my Telegram channel: https://t.me/biz_in.