Risk Management Library helps clients move to integrated controls framework
July 22nd, 2009, Mark Opausky
Recently we have received some positive and very helpful feedback on our central risk library and modeling capability. Most of our customers choose BPS in part because they recognize our investment in what we call our Risk Management Library (RML). This facility is the central point from which a risk management committee can drive an integrated controls framework that spans audit, corporate compliance, BCP, operational risk and the like. There are a number of concepts in the BPS RML that make it effective:
First: The ability to create sophisticated hierarchical relationships that model all the different ways your company looks at governance, risk and compliance. In the RML you build any conceivable structure that expresses where you are today: legal hierarchies, operational, process organization, GL accounts, policy and procedure, auditable and assessable units, regions and the like.
Second: The ability to profile risks and controls in a way that different groups can score and report against them. This recognizes the common fields and descriptors between, say, audit and SOX groups, but also allows additional attributes to be defined that are specific to each. These risks and controls can be connected to one another in a many-to-many fashion. They are also connected to KRIs, loss information, policy and procedures and the like. These relationships persist in the system and provide some neat automation and data richness when it comes to assessment scoring and reporting.
Third: A way to group risks and controls non-exclusively and attach testing programs, certification protocols and scoring rules to this group. As before, these groupings are placed at the intersection of the appropriate hierarchical structures (say, a testing program for certain risk and control profiles existing in the legal hierarchy of corporate risk, for the Americas, as related to the money transfer process).
Using combinations of these three concepts, we have seen our clients accurately build living models of how their GRC functions work today and automate their testing and compliance activities around this structure. This has helped add value without requiring too much process re-engineering up front.
The real value, however, comes from one simple and rather non-trivial ability. With our tool, you can manipulate any of the aforementioned concepts without breaking your ongoing activities or historical reporting. This means that our clients are able to use the system to optimize their approaches over time: standardizing testing plans where possible, refining definitions and achieving the balance between methodological imperatives for regulatory compliance and internal efficiencies and information value (a fancy way of saying doing what you have to do and also what you think will be the most valuable for the company).
More than a few of our customers convene risk management working committee meetings around our RML and work together to establish common ground and refine their activities directly in the system. The meetings, we are told, are high impact because they can visualize the structures and data, make adjustments right away, test them and bring them into practice safely when they are ready.
We are pleased our RML facility is being used this way. Making it a “living thing” that adds value to multiple groups and helps companies move to a common set of practices was our ultimate goal. Naturally we are still investing in this part of our product and working hard to make it better every day. The feedback from our clients and some of the analysts who follow us has been invaluable.
