GuardianERM.Net Help

Risk and Control Review Criteria

While an organisation should specify what is to be included in its periodic risk and control review, InConsult recommends that the review include, at a minimum, the following actions in relation to the organisation units under the control of the reviewer:
  1. Check organisation units in the library to make sure all details, in particular the email addresses, are correct.
  2. Consider all changes to the organisation units and to the organisation as a whole, including the environment the organisation operates in; identify risks that have not been identified before, add them to the library and attach them to the appropriate organisation units.
  3. Review documented risks to ensure that they are still applicable and current, and that the risk levels and values are appropriate.
  4. Review outstanding action plans, investigate why they have still not been implemented and take the corresponding action.
  5. Review accepted residual risks to ensure that they should be accepted and the reason for acceptance is correctly recorded.
  6. Review the implemented controls to ensure that they are still in place and effective.
  7. Review proposed and agreed controls and determine whether they should be implemented and, if so, why they have not yet been implemented.
  8. Review recent audit results paying particular attention to failed audit items and proposed resolutions.
  9. Review incidents and ensure that proposed treatments are implemented.
  10. Add the implemented controls to the corresponding risks.
  11. Review the Detail section of the System Health Check on the Main Menu to ensure all outstanding items within the control of the reviewer are completed.

Note: Many reports in the system can be used to assist the review, for example the Failed Audits, Incident Causes and Treatment, Residual Risk Listing, and Risk and Control Listing reports. Filters can be set on the various reports to pinpoint areas requiring attention; for example, the Risk and Control Listing report with Control Status set to Agreed will list all agreed controls, which can be used for action item 7 above.