The Pentana software supports the audit process from A to Z; other pages document this in detail. This page, however, illustrates how Pentana also supports the first and second line of defence, covering the following topics:
- Incident management
- Entity risks and controls
- Key risks / Key issues
- Risk tolerance / Risk appetite
Incidents and Loss Events (or near misses) are a cornerstone of operational risk management and more generally enterprise risk management.
Incidents can be documented in Pentana with various parameters, including a monetary value reflecting the actual loss incurred by the organisation, and can optionally be linked to a Scope (entity-processes) and to Entity Risks.
To manage incidents, Actions can be created and included in the cyclical action follow-up.
Entity risks and controls
Risk register / control framework
Once the GRC universe is defined, the appropriate Objectives, Risks, Controls and Tests (ORCT) can be documented within the Entities (either created at entity level or inherited from the library).
These ORCT components form a hierarchical structure, and each component has various parameters to fully document the relevant details. Attachments can be added to any of these components (including via drag and drop).
Optionally, an Owner can be defined for these ORCT elements, giving that person augmented access to manage those elements, make self-assessments or review them.
Pentana user interface
Assessments can be made for Risks and Controls. For Risks, Likelihood and Impact are documented for both Inherent and Residual risk, while Controls are scored on Design and Operation.
Pentana allows two perspectives on these scores; typically one of them is used to document the self-assessments. These self-assessments can be made via the software as well as via the web interface.
Browser / web interface
When the system and users are configured accordingly, business users can document the risk and control self-assessments through the web interface without needing to install additional software or plug-ins.
Additionally, the self-assessments can be part of a regular cycle (monthly, quarterly, yearly), whereby the system invites the business users by email to document these assessments. This approach is typically used for SOX and other recurring reviews.
Key risks / key issues
Strategic risks or high priority themes
The Key Issues are used to model high-level, strategic or macro risks affecting the whole organization. These Key Issues require attention, management and often operational risk management at lower levels throughout the business. The Key Issues are defined at the Universe level and can be linked to multiple Entity Risks and/or multiple Audit Problems.
Risk tolerance / Risk appetite
Risk tolerance versus actual score
Through two Custom Fields added to Pentana by Sepia Solutions, users can document the organisation’s Tolerance (appetite or acceptance level) for each of the Key Issues, as well as the actual estimated Score based on analysis (see below) and professional judgement.
Naturally, Key Issues with a score above the tolerance level should be addressed by the organisation. Pentana can play a key role in identifying these risks above tolerance.
Key risks ↔ Entity risks
Using the powerful “Report Mode”, both Key Issues and the linked Entity Risks can be displayed. In so doing, the individual Entity Risk scores can be compared to the tolerated level of risk as defined in the Key Issue.
This allows the user to identify individual Entity Risks that need addressing. The same display also provides the pertinent information to estimate the overall risk score of the Key Issue (see above).
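As an added illustration (not Pentana's own code or data model), the following Python model reproduces the comparison described in the last two sections: Key Issues carry a tolerance, are linked to several Entity Risks, and a report lists the linked risks whose residual score exceeds that tolerance. The scoring formula (Likelihood × Impact) and the roll-up (highest linked residual score) are assumptions; the page only says the Key Issue score is estimated from analysis and professional judgement.

```python
from dataclasses import dataclass, field

# Constructed model of the Key Issue / Entity Risk link described on the page, not Pentana's own.
# Assumption: score = Likelihood x Impact (1-5 scale); the page does not state Pentana's formula.
@dataclass
class EntityRisk:
    entity: str
    name: str
    inherent: tuple  # (likelihood, impact) before controls
    residual: tuple  # (likelihood, impact) after controls

    def score(self, residual: bool = True) -> int:
        likelihood, impact = self.residual if residual else self.inherent
        return likelihood * impact

@dataclass
class KeyIssue:
    name: str
    tolerance: int  # custom field: the accepted residual score for this strategic risk
    entity_risks: list = field(default_factory=list)

    def above_tolerance(self):
        """Linked Entity Risks whose residual score exceeds the Key Issue tolerance."""
        return [r for r in self.entity_risks if r.score() > self.tolerance]

    def estimated_score(self) -> int:
        """Assumed roll-up: highest linked residual score (professional judgement may override)."""
        return max((r.score() for r in self.entity_risks), default=0)

def report(key_issues):
    """Mimic the 'Report Mode' view: one line per Key Issue, then the risks needing attention."""
    lines = []
    for ki in key_issues:
        flag = "ABOVE" if ki.estimated_score() > ki.tolerance else "within"
        lines.append(f"{ki.name}: score {ki.estimated_score()} {flag} tolerance {ki.tolerance}")
        for r in ki.above_tolerance():
            lines.append(f"  - {r.entity} / {r.name}: residual {r.score()} (inherent {r.score(False)})")
    return lines

# Constructed sample register with two Key Issues and three linked Entity Risks
SAMPLE = [
    KeyIssue("Data breach", tolerance=9, entity_risks=[
        EntityRisk("Finance", "Unencrypted payroll export", (5, 5), (4, 4)),
        EntityRisk("HR", "Shared admin account", (4, 4), (2, 3)),
    ]),
    KeyIssue("Regulatory fine", tolerance=12, entity_risks=[
        EntityRisk("Finance", "Late SOX evidence", (3, 4), (2, 4)),
    ]),
]
print("\n".join(report(SAMPLE)))
```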
We can tell you so much more!
Sepia Solutions specialises in this software and has a proven track record of successful implementations. This website documents just the tip of the iceberg. Invite us for an on-site presentation for a more interactive demonstration of the Pentana software. We can discuss your organisation, department and objectives to come to a tailored implementation plan.
No costs, no obligations, only additional insights.