Friday, 4 April 2014

Internal Controls for Compliance


Having identified and assessed compliance risks, namely the weak spots in an organization or a business operation, you know what danger each one represents for compliance, how likely it is to happen, and how bad it would be if it does.

Now you need to locate these risks exactly (unless the risk assessment was already focused on a certain business operation in advance). Find the exact business process or sub-process where certain things might go wrong and the risk might materialize. Process documents and process maps can be very helpful here.

These are the places where you need to build in control measures: ideally automatic (built into the IT support for the specific risk area or process), or organizational, or rule based.

An automatic control for protecting sensitive data in a customer health database, for example, would be identifying a person by their password and automatically tracing their actions in the database.

An organizational control would be organizing a process in two phases handled by two different persons, one controlling the other, or having committee oversight, etc. Examples are the four-eyes principle in approving a business deal with an offshore entity, committee approval of big donations, or requiring the data privacy officer's approval for employee e-mail supervision.

Rule-based controls are written rules for certain risk areas in which you oblige the persons in charge to certify compliance or to disclose any business deal with a related person, etc.

For managing the compliance risk areas that are most important or typical for your organization or your sector, you can combine all of these types of internal controls for the same risks in the same process. You build in 'layers' of internal controls, risk based and smart.
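To make the layering concrete, here is an added example (not code from the original post or its author) that puts the three controls described above side by side in one process: an automatic control that identifies a person by password and traces every action in an audit trail, an organizational four-eyes control that lets a deal proceed only after two different approvers have signed off, and the audit records that a rule-based certification duty would later be checked against. All user names, credentials, patient and deal identifiers are constructed for the demonstration.

```python
"""Layered internal controls: identification, audit trail, four-eyes approval.

Added illustration; all names, credentials and identifiers are constructed.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class AuditTrail:
    """Append-only record of who did what and when: the 'automatic tracing' control."""

    def __init__(self):
        self.entries = []

    def record(self, user, action, detail=""):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "detail": detail,
        })

    def actions_by(self, user):
        return [e["action"] for e in self.entries if e["user"] == user]


class UserDirectory:
    """Identifies a person by username and password; stores only salted hashes."""

    def __init__(self, audit):
        self.audit = audit
        self._creds = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._creds[username] = (salt, self._hash(password, salt))

    def authenticate(self, username, password):
        stored = self._creds.get(username)
        if stored is None:
            self.audit.record(username, "login_failed", "unknown user")
            return False
        salt, expected = stored
        ok = hmac.compare_digest(self._hash(password, salt), expected)
        # Both outcomes are traced, so failed attempts are visible to review.
        self.audit.record(username, "login_ok" if ok else "login_failed")
        return ok


class PatientRecords:
    """Sensitive health data; every read is traced to the authenticated user."""

    def __init__(self, audit):
        self.audit = audit
        self._records = {"P-001": "constructed sample record"}

    def read(self, user, patient_id):
        self.audit.record(user, "read_record", patient_id)
        return self._records.get(patient_id)


class FourEyesApproval:
    """Organizational control: a deal is approved only after two different persons sign off."""

    def __init__(self, audit, required=2):
        self.audit = audit
        self.required = required
        self._approvals = {}  # deal_id -> set of distinct approvers

    def approve(self, user, deal_id):
        approvers = self._approvals.setdefault(deal_id, set())
        if user in approvers:
            # The same person cannot supply both pairs of eyes.
            self.audit.record(user, "approval_rejected", f"{deal_id}: duplicate approver")
            return False
        approvers.add(user)
        self.audit.record(user, "approval_recorded", deal_id)
        return True

    def is_approved(self, deal_id):
        return len(self._approvals.get(deal_id, set())) >= self.required


def demo():
    """Run the layered controls over constructed users and one offshore deal."""
    audit = AuditTrail()
    users = UserDirectory(audit)
    users.add_user("alice", "correct horse")  # constructed credentials
    users.add_user("bob", "battery staple")
    records = PatientRecords(audit)
    approvals = FourEyesApproval(audit)

    alice_login = users.authenticate("alice", "correct horse")
    records.read("alice", "P-001")

    approvals.approve("alice", "DEAL-42")
    second_by_alice = approvals.approve("alice", "DEAL-42")  # blocked by four-eyes rule
    approvals.approve("bob", "DEAL-42")
    return {
        "alice_login": alice_login,
        "bad_login": users.authenticate("bob", "wrong"),
        "second_by_alice": second_by_alice,
        "deal_approved": approvals.is_approved("DEAL-42"),
        "alice_actions": audit.actions_by("alice"),
        "bob_actions": audit.actions_by("bob"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit trail is what ties the layers together: the compliance officer reviewing a period can see that the deal had two distinct approvers, that the duplicate approval attempt was refused, and who read which health record, which is exactly the evidence a rule-based certification would have to rest on.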

You want to protect the company from material and moral losses in case of non-compliance, but you also want business processes to be able to operate normally and as simply as possible (given the risks).

Andrijana Bergant,
strongly convinced that compliance as a business function will mark the future of Slovenian corporate governance, and that ethics will become something tangible in business terms, usable in the process of serious business decision making.
