13.4 Corporate Entities
Having dealt with the Corporate Risks, it is now necessary to provide some summary data on the control environment surrounding all of the other Entities in the Risk Database. Click on the "Corporate Entities" button to bring up data on all of the Entities within the database.
One of the key criteria used in determining whether the control environment for an Entity is acceptable is how close to an “acceptable” range the Entity has managed to maintain that environment. This “acceptable” range, or Gap Tolerance, is determined for each Entity separately. The whole concept behind the CAREweb™ family of products, and their associated methodology, is to establish a measurement of how well an organisation’s actual control environment compares to the best and worst scenarios likely to confront that organisation; in our terminology, we determine a “Control Gap”. Whilst everyone would like to be at the best level of control possible, it is accepted that there will be deviations; some of these will be acceptable, others will not. The Control Gap is no different: an Entity will probably have a few control weaknesses resulting in a Control Gap, but provided this is within tolerable limits it can be accepted. The tolerable limits are set for each Entity (refer to the Entity Screen details in the Using the System section of this manual); they will almost certainly be different for each Entity.
For example, a Treasury function has 50 individual risks affecting several different Asset Types; some will have a High impact should they occur, others will have a Medium or Low impact. Some of these risks have a High probability of happening if controls were poor; others are less likely. There will be an absolute base risk score for this Entity: the score it achieves if every one of the 50 risks were perfectly controlled. This could be set at NIL – no risk (our system could do this), but it is more reasonable to accept that nothing is ever entirely risk free, and so this base figure is set very low but not at zero. The likelihood is, however, that this Treasury Entity will not have all of its risks perfectly controlled; there will be some weak areas, and these will result in its overall risk score being above the base figure. This percentage figure above base is the Control Gap.
Evidently, each Entity’s Control Gap will be different and, depending upon the type of Entity, the organisation will have a different view of how acceptable the various Control Gaps are; a gap of 30% in a Human Resources function, for example, may be acceptable, but the same gap in Treasury might not. It is this level of tolerance that is referred to as the Gap Tolerance.
The system will show this Gap Tolerance percentage in the “Agreed Gap%” column; next to it, in the “Actual Gap” column, it will show the current percentage gap between the Target Score and the Actual Score. Using this data, and any other relevant information, a determination can be made as to the rating to be assigned to the Entity. This is done in the “Control Rating” column by using the "Edit" button on the toolbar and then selecting an item from a “pick list” revealed using the downward arrows. This “pick list” is generated from the ratings put into the system in the earlier Corporate Risk screen. Click on “ ” to save the record.
It is important for the Board to understand who has assigned this rating to each individual Entity: was it done by Internal Audit, Risk Management or Compliance? This detail is provided in the “Rated by” column. Clicking on the “Edit” button again and then the downward arrow brings up a Responsibility List; this is the same list as is used when assigning responsibility for an Entity (see earlier in this manual). Select a name from the list and click on it to enter the data; click on “” to save the record. If the detail required is not on the list – CRSA for example – you need to go back to the Reference section of the system and then into Responsibility and set up the detail there.