October 28, 2014 - RiskBusiness International Limited, the leading international operational risk advisory firm, today announced enhancements to the audit, compliance and governance aspects of the RiskBusiness OpRisk IntelliSet.

"We originally included support for internal audit more from a risk management perspective," explains Mike Finlay, CEO at RiskBusiness International, "allowing for the import or creation of audit findings to link to loss events and risk assessments. We subsequently extended that capability to include full audit reports, but have now enhanced the service to cater for all aspects of internal auditing, ranging from scheduling audits, managing audit personnel, undertaking the audit and managing all aspects of reports, findings, remedial actions, management attestation and general status reporting".

Depending on how the firm wishes to structure its access rights, auditors can incorporate risk and compliance related information into their audits, while risk and compliance personnel can incorporate audit information into compliance assessments and risk assessments. Within the compliance area, a Regulations Library has been added which allows the firm to maintain a central repository of all external and internal regulations, then allocate specific sections to those business entities required to comply with the requirements. Assisted by pre-defined templates of required, recommended and optional control types, compliance profiles can be established by product, distribution channel, client type, location and/or entity whereby the degree of compliance by process type against applicable regulatory sections can be measured, with compliance findings and remedial action plans established and managed.

"Compliance profiles provide management with an easy holistic view of where the risk of non-compliance exists across the enterprise," says Finlay. "The business entity or compliance function can then drill down, examine the existing control infrastructure, quantify the potential implications of non-compliance in terms of financial impact, time and efficiency implications, regulatory relationship and reputational consequence, then make informed decisions on the best remedial action required."

"In the governance area, most firms are struggling to define and implement an appropriate three lines of defence model," adds Finlay. "Recognising this, the RiskBusiness OpRisk IntelliSet allows a firm to define its three lines of defence structure, define principles and objectives by line of defence and to allocate each business entity to the appropriate line of defence in which it sits. Ownership by risk type or risk theme, such as "information security" or "regulatory risk" which cuts across concepts such as errors and omissions, culture and ethics, business disruption and fraud can be allocated by line of defence and/or business entity. Periodic maturity assessments against the appropriate three lines of defence principles and objectives can be performed, comparing maturity by entity and between entities over time, coupled to management attestation as to compliance with either the three lines of defence model or the principles."