Default Financial Impact Levels
Impact - this group of fields lets the user define the risk impact levels across all entities (Note: this is only applicable for compliance risks whose impact can be measured in monetary terms). All risks are assigned an Impact Value when they are set up. This value is expressed as High, Medium or Low in a 3*3 matrix (or whatever you selected in the Installation process). Accordingly, you will need to define what each impact level represents in monetary amounts. For example, a company using a 3*3 configuration would have a window like this:
Whatever your configuration might be, this is where you define what is meant by these terms. For example, it may be decided that a compliance risk which could give rise to a loss/penalty of up to £1,000 is considered Low, losses/penalties of between £1,000 and £5,000 are considered Medium, and £5,000 to £10,000 High. These are the figures that would be entered into the Impact fields as Min and Max. These default impact levels can be adjusted for each business unit after completing the Entity set-up exercise. The system will ensure that:
• The minimum value in the “Medium” field is £1 above the maximum value in the “Low” field, and similarly the minimum value in the “High” field is £1 above the maximum value in the “Medium” field;
• There are no gaps in the value ranges between High, Medium and Low.
The Appetite - this part is where you set up a default tolerance level for the compliance risks that have financial impact (Note: this is applicable for compliance risks whose impact can be measured in monetary terms). Whilst nobody wants to incur penalties/fines, it is accepted that, in the actual environment, it should not be an organisation’s aim to eliminate all compliance risk from its activities but to manage the major ones so as to ensure they have the least likelihood of occurrence. This Appetite figure is an attempt to set a limit above which no compliance risk should be allowed to go without every effort having been made to mitigate it. These default appetite levels can be adjusted for each entity after completing the compliance risk profiling exercise.
The Control Gap% - The whole concept behind the CAREweb™ family of products, and their associated methodology, is to establish a measurement of how well an organisation’s actual control environment compares to the best and worst scenarios likely to confront that organisation; in our terminology, this is a “Control Gap”. As with the Appetite figure described above, whilst everyone would like to be at the best level of control possible, it is accepted that there will be deviations, and some of these will be acceptable while others will not. The Control Gap is no different; an Entity will probably have a few control weaknesses resulting in a Control Gap, but provided this is within tolerable limits, it can be accepted. It is the tolerable limits that are set here. Each Entity’s Control Gap will be different, and depending upon the type of Entity the organisation will have a different view of how acceptable the various Control Gaps are; a gap of 30% in a Human Resources function, for example, may be acceptable, but the same gap in Treasury might not. Accordingly, while the system allows you to define a default acceptable gap percentage through the “Default Financial Impact Level” screen, it is important to adjust the acceptable gap levels for each entity after completing the compliance risk profiling exercise.