The GoCompliant Tool Suite is based on the Operational Risk Management Model, which places risks in the context of business processes and facilitates assessment, mitigation and taking of measures as well as continuous evaluation and reporting of these elements.
The identification, documentation, analysis and assessment of risks are conducted in the so-called risk inventory. The estimation of inherent and residual risks takes place via a risk matrix (3x3, 4x4, etc.) along the dimensions of probability and impact. A risk can be evaluated in this matrix either overall or per impact type (financial loss, reputation, etc.).
Business processes and their sub-processes can be modeled in any depth and mapped to risks from the risk inventory.
Based on the risk analysis, mitigating controls are defined and residual risks are estimated. The risk exposure of the business processes is identified on the basis of the aggregated inherent and residual risks that are mapped to each process. Likewise, the number and details of the controls that are in place are shown per process.
Risk mitigation measures can be captured, tracked and mapped not only as controls, but also in the form of actions.
The GoCompliant Tool Suite does not enforce a certain procedure, but rather allows an individual approach that corresponds to the respective company philosophy (Process First versus Risk First versus Control First). This offers a flat learning curve, rapid results and a gradual evolution into integrated oprisk management.
Ultimately, an overall picture of risks, processes, controls, control tasks and actions emerges that can be continually observed and analyzed.
Big companies or corporate groups benefit from being able to represent their organisation structure as segments and model risks, controls and actions within these segments. While each segment can make individual adjustments, concepts across all segments can still be enforced (e.g. key controls or level 1 and 2 of the primary risk tree). This way consistency and comparability can be achieved without overlooking segment-specific particularities.
Control documentation, definition of control assignments as well as automatic scheduling and routing of control tasks are core functionalities of the GoCompliant Tool Suite. Thanks to a modular concept that separates the control definition (what) from the scheduling (when) and the routing to employees and/or organization units (who), the control assignments become transparent and maintainable.
The ICS module adapts to your company philosophy by offering configurable additional fields, e.g. for standardized control models and audit standards (COSO, COBIT, SOX, etc.). Controls can be mapped to a risk or directly to a process and be evaluated in this context.
Not only is the application itself available with four different language packs (EN, DE, FR, IT), but control title, description and guidance can also be maintained multilingually.
Control performances are seamlessly integrated into the end user's daily work via the dashboard and via sophisticated emails and thus increase acceptance and awareness: the goal is not to impose a nuisance, but to support the user and bring meaning to the control performances.
To render the control performances even more meaningful and at the same time facilitate the work of the control performer, we offer so-called SmartControls: Data records that form the basis for the control rating (e.g. sample data) are directly embedded into the screen during the control performance. This allows for a direct and reportable reference to the data to be controlled and increases the traceability.
Manifold governance and documentation needs can be met thanks to configurable action types, flexible workflows and freely definable additional fields.
Actions can be created and tracked in two forms: as so-called standalone actions (e.g. a single compliance issue or a measure proposed by an end user who discovered a weakness during a control performance), or in the context of an audit finding report. Both types of actions run through a configurable workflow that involves end users and action experts for capture, validation, activation, implementation and final review.
Just as for the control performance, the end users are involved in the action implementation via dashboard and emails. As so-called action owners they receive an overview of their pending actions and are supported during implementation. Responsibilities and access rights for the action owners can be assigned in a fine-grained way. At the same time, coordinating action experts (e.g. COO, CFO, compliance) and line managers have a full overview of the implementation progress up to the highest levels.
Actions are completely embedded into the oprisk management model: References to risks, processes, control performances as well as to other actions and audit reports are supported and reportable.
Our strength lies in the data model that was designed from scratch to be the base of the entire tool suite. The individual modules reference this model and thus integrate seamlessly with each other. This increases the maintainability, visualizes connections and avoids redundancy. Simple and high-performance reporting is another advantage of the integrated model.
We offer various cross-cutting functionalities whose value has proven itself over years in day-to-day business, and which have been continuously enhanced thanks to feedback from our customers.
In addition to the core modules described above, we offer and develop additional modules that may interest you depending on your industry sector or ICS focus.