If this is the first time this function has been used, there will obviously be no Entities listed. To add an Entity to the system, click on “Add New” button in the top left-hand corner of the toolbar and you will be presented with a blank Entity Screen:
Data is captured as follows:
Entity Description: enter the name of the Entity you are going to work with, for example "Sales" or "London Branch".
Responsibility: use the drop-down menu to select the person responsible for the overall management of this Entity; this menu is populated from the data you set up in the "Responsibility" screen in the Reference section. If the name you want isn't there, click on the green icon next to the dropdown menu to bring up the following box:
Enter the details of the person you wish to assign the responsibility to and click "Save"; this will populate the Responsibility field in this screen and you will be required to add the employee’s name, ID number and email to the Responsibility Register for later use.
Business Line: this box is used by clients working with the Basel Capital Accord module. Clicking on the drop-down menu brings up a list of Basel Business Lines:
Simply click on one to populate this area. If this is not relevant for your organization, then leave it blank.
Location: this is where you tell the system the location of the Entity in your organizational hierarchy (earlier setup in the reference section).
Click on an item in the "tree list" and the box will be populated.
If you wish to edit the location of the entity (i.e. the location in the organisation hierarchy) in any future time, and once you make your selection and click save, the following pop-up text will appear:
Simply click ‘Yes’ if you would like users to maintain access and ‘No’ otherwise.
Date Created: this is the date on which the Entity was first set up; this is system generated.
Date Updated: This is the date on which the Entity was last updated; this is system generated.
Imported date: if this Entity has been imported into your system from another CAREweb™ system, using the Import function described earlier in the “Administration” section, the date of the import will be shown here.
Currency: as stated earlier, CAREweb™ is a multicurrency system, but you can only have one currency for each Entity; you can use the dropdown menu to tell the system which currency to be used for this Entity. This menu is populated from the data you entered in the "Currency" screen in the Reference section.
Risks: this is system generated and shows the number of individual risks captured for this Entity (this is blank for a new Entity).
Controls: this is also system generated and shows the number of individual controls captured for this Entity (this is blank for a new Entity).
Risks Exceeding Appetite: this will show the number of risks identified for to the Entity that have the potential to breach a pre-determined “risk appetite” amount once all data is entered into the Entity.
Risks Exceeding Appetite (Predicted): this is system generated; some risk will not be adequately controlled and, in some cases, the possible exposure will exceed the pre-determined risk appetite. In these cases, it is necessary to either strengthen existing controls or develop new ones; in some cases, a combination of the two would be used. The system allows "what if" modelling of the various remedial actions by showing the number of risks that are predicted to exceed the risk appetite under various control circumstances (after the implementation of relevant remedial actions).
Key Controls: this is system generated and shows the number of individual controls captured for this Entity that are considered to be “key” or important controls (this is blank for a new Business Entity); this concept is discussed later in the Entity Screen Tabs.
Email Alerts & Notifications: if you wish this Entity to use the Email Alerts & Notifications option described earlier in this manual then place a tick in the box next to this field.
Impact: these fields give the user the flexibility to establish the importance of the risks being profiled in this Entity (Note: this is only applicable for the risks whose impact can be measured in monetary terms). All risks will be assigned an Impact Value when they are set up. This value is set out as being High, Medium or Low in a 3*3 matrix (or whatever you have changed these to in the Installation process – see above); or they can be whatever descriptions you have assigned to them in other configurations. For example, a company using a 3*3 configuration would have a window like this:
Whatever your configuration, it is here where you define what is meant by these terms. For example, it may be decided that a risk which could give rise to a loss of up to £10,000 might be considered Low, losses of between £10,000 and £1 million might be medium and £1million – £10million high. These are the figures that would be inserted into the Impact fields as Min and Max. There can be different values for each Entity set up. The system will ensure that:
•The minimum value in Medium is £1 above the maximum value in Low, and similarly that the minimum value in High is £1 above the maximum value in Medium;
•There are no gaps in the value ranges between High, Medium and Low.
The Appetite is where you set up the tolerance level for the risks being profiled (Note: This is applicable for Risks whose impact can be measured in monetary terms). Whilst nobody wants risks to occur, it is accepted that in the real world some will; it should not be an organisation’s aim to eliminate all risk from its activities but to manage the major ones so as to ensure they have the least likelihood of occurrence. This Appetite figure is an attempt to set a limit above which no risk should be allowed to go without every effort having been made to mitigate it.
The Control Acceptable Gap% element will be operative if you have the Corporate Governance Module of the system. The whole concept behind the CAREweb™ family of products, and their associated methodology, is to establish a measurement of how well an organisation’s actual control environment compares to the best and worst scenarios likely to confront that organisation; in our terminology, we term this a “Control Gap”. Like the Appetite figure described above, whilst everyone would like to be at the best level of control possible it is accepted that there will be deviations and some of these will be acceptable while others will not. The Control Gap is no different; an Entity will probably have a few control weaknesses resulting in a Control Gap, but provided this is within tolerable limits, this can be accepted. It is the tolerable limits that are set here; they will almost certainly be different for each Business Unit.
For example, a Treasury function has 50 individual risks affecting several different Asset Types; some will have a High impact should they occur while others would have a Medium or Low impact. Some of these risks have a High probability of happening if controls were poor, others are less likely. There will be an absolute base risk score for this Entity, this will be the score it achieves if every one of the 50 risks were perfectly controlled. This could be set at NIL – no risk, (our system could do this) but it is more reasonable to accept that nothing is ever entirely risk free and so this base figure is set very low but not at zero. The likelihood is, however, that this Treasury Business Unit will not have all of its risks perfectly controlled, there will be some weak areas and these will result in its overall risk score being above the base figure; this percentage figure above base is the Control Gap.
Evidently, each Entity’s Control Gap will be different and depending upon the type of Entity the organisation will have a different view of how acceptable the various Control Gaps are; a gap of 30% in a Human Resources function, for example, may be acceptable but the same gap in Treasury might not. It is this level of tolerance that is inserted into this Acceptable Gap % field. The Control Gap actually present in the Entity at any point in time is shown in the “% Gap” figure below the “Gross” score. The “% IA Gap” shows the Control Gap% in the same way as the “% Gap” but the figure is determined following testing of the controls by Internal Audit; this will be explained later in the Control section. The % Predicted Gap operates in the same way as the Risks Exceeding Appetite (Predicted); showing the Gap if all relevant remedial actions are implemented.
Target, Working, Actual, Predicted, Gross Scores
These scores are generated automatically by the system as the risk profile is built and will be described later in the “Matrix” section. They are not available to be changed by the user