Risk Management

Assertions represents claims, for example by management, regarding risks, action plans and accounts. The Assertion can be linked to Accounts and Control Activities. They are linked to risks through Control Activities, which represents the risk’s remedial action plans.

The Assertion can be described using its description field.

The purpose of the Account template is to enable Financial Risk Management as documented in the Account Context Diagram.

The Account can in its properties be described with:

• a text description
• an account number
• a type (“Profit and loss” or “Balance Account”)
• link to a responsible Organization Unit
• description of purpose
• dates from which the account is valid from and to
• the currency of the amounts in the account
• the opening balance of the account
• the closing balance of the account
• the amount of the movements on the account
• a assessment of the account’s significance
• a rationale behind the account’s significance assessment
• furthermore, the account can be decomposed into several other accounts

The template can without graphics be linked to other objects under the “Risk – Influences” tab in their properties:

As such, the Account template is linked to objects the same way as the Financial Statement template:

The Purpose of the Control Deficiency template is to register a shortcoming of a Control Activity.

The Control Deficiency is used for managing Risk. It can be described with:

• Date of observation
• Type of deficiency
  • Design (if the control is not designed properly)
  • Operating (if the control is designed properly, but not performed correctly)
• Significance (High, medium or low)
• Observation – description of the deficiency in further detail and/or link to relevant documentation.
• Link to related process
• Link to the Control Activity it concerns.
• Description of any immediate actions taken
• Link to the person who registered the Control Deficiency
• Link to other Control Deficiency if it is not the first time it occurs.
• Description of presumed cause of the deficiency
• Description of the presumed consequence of the deficiency
• Recommended actions and their estimated cost and resource requirement

The Recommended action can also be registered in the form of a Corrective Action.

The Risk template is used for Risk Management purposes and can be linked to all objects in the repository. The Risk template supports the evaluation and continuous handling of the risk.

The Risk can be scored manually on its main tab: “Risk”, where it can also be given a Short Description, Type and Cause:

If you want to score the risk according to more specific categories, you can do so in under the Scoring tab:

You link a risk to the activity it concerns under the “Concerns” tab. Once it has been inserted here, the risk will appear as a “backwards relation” to the Activity. You can also create the risk from the activity and create the backwards relation automatically by using the inherent risk tab on the Activity and click on “Create risk”:

From the Risk-Control tab of Activities, you can also link to the risk. This link indicates that the Activity acts as a mitigating control for the risk. As such, there are two ways a risk can be linked to an activity: either as the activity where the risk is prevalent, or as the control activity that mitigates the likelihood or impact of the risk occurrence:

For more information about how to document Risks in QualiWare, please read our Risk Management Guide.

The Evaluation template is used for evaluating the effectiveness of a Control Activity.

In it, you can document findings in the form of Non-Conformances, Control Deficiencies and Change Requests. You can link to involved parties in the form of Organization Units, Persons and Business Connections, and link to the Responsible in the form of a Person. The conclusion results in the control activity be found either effective or ineffective. Clarifying concluding comments can be added.

The Financial Statement object is used to describe the upper level in a company’s accounts. It can be described using its Short Description field and you can link to Accounts and other financial statements in its “Top Accounts” field.

The Financial Statement can be linked to objects as an Influence under their Risk tab:

The purpose of a Corrective Action is to repair the consequences of an incident, a Non-conformance or a Control Deficiency.

The Corrective Action can in its properties be described with

• a short description
• link to the one responsible for it
• link to related Non-conformances (or incident/control deficiency)
• Link to relevant  Goals
• description of recommended corrective actions
• the date of the recommendation
• the due date of implementing the recommendation
• estimated cost of the recommended corrective action
• link to the person responsible for making the recommendation
• the start and end date of the implementation of the recommended action
• link to the person responsible for the implementation of the recommended corrective action
• actual cost of the non-conformance (or incident/control deficiency)
• actual cost of the corrective action
• a description of the corrective action taken
• the closing date of the non-conformance/incident/control deficiency

An activity is a work process that is carried out by the organization. Activities can be defined at a high abstraction level where they constitute business guidelines or top-level business structures. Activities can also be working procedures or even work instructions at a low level of abstraction. Using ‘BreaksDownTo’ functionality a total description of the workstructure of an organization can be created, starting from the strategic level, going down through the tactical level to the operational level.

Activies appear among other in WorkFlowDiagrams and BusinessProcessDiagram. In this case the activities are part of a documented workprocess, where different parts of the organization plays different Role.

A BusinessDiagram or a BusinessProcessNetwork will often show the structure of the work, whereas a WorkFlowDiagram will show the flow of the work – sequence of activities, conditions etc., like a flowchart. When activites are used on a WorkFlowDiagram the purpose will often be to simulate the described business process in order to improve it. Therefore, activity information like duration, cost, iteration and uncertainties are essential.

Control Activities

The Activity can, under its risk tab, be defined as a Control or a Key Control. Here, you can also add information about Control type, mode, frequency and monitoring:

The control type of the activity can be set as either preventive (minimize the likelihood of a given risk occurring), or detective (minimize the impact when the risk occurs). A Control Activity is typically created from the Risk template (under its control tab in its properties) as a backwards relation.

The Control Activity may be enriched by linking Control Coverage, Influences (that may consist of Accounts or Financial Statements) Evaluations, Control Deficiencies, Assertions and COSO Categories to it. Below, you can see how the Control Activity relates to the Risk and other relevant templates:

Arrows that point away from the Control Activity are items the Activity link to. Arrows that point towards the Control Activity illustrate that it is the objects that link to the activity. The Control Activity should be inserted into the Workflow Diagram or Business Process Diagram where it belongs. This could be in the workflow where the risk occurs or it could be in a separat Workflow Diagram.