Field of the Invention
The present invention relates to systems and methods for analyzing effectiveness of controls within an Enterprise Risk Management (ERM) system. More particularly, the present invention relates to risk profiling for enterprise risk management.
Related Art
Enterprise Risk Management (ERM) systems are used by business organizations to define response strategies for business events. These business events may include either internal or external risks or opportunities. By defining the response strategies in advance of the business events, the enterprise may better respond to the events. ERM systems provide data for business governance and documentary evidence for audit and compliance activities. As such, ERM systems allow organizations to better comply with regulatory requirements.
Conventional ERM systems are typically designed to comply with published standards. Two bodies that publish ERM standards are the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Risk and Insurance Management Society (RIMS). For example, the COSO framework defines, among other things, risk assessment, risk response, control activities, and monitoring activities within a systematic hierarchy.
An enterprise may use such an ERM system to respond to risks or opportunities that are related to its business objectives and to derive information about opportunity management. These ERM systems provide a framework within which relationships between business processes may be documented. Risks and opportunities associated with these business relationships and the controls to mitigate those risks or take advantage of the opportunities are also documented.
An ERM control catalog provides data for business governance and also provides documentary evidence for audit and regulatory compliance activities. These ERM control catalogs are typically large and complex. Consequently, as systems increase in size, conventional ERM systems require increasing time and effort to compile and comprehend the results of current controls in defending against identified business risks or in taking advantage of business opportunities.