Tip of the Month: BarnOwl Lite Enabling Embedded Risk Management
February 24, 2021
Did You Know?
BarnOwl Lite enables an organisation to embed risk management throughout its organisation effectively and non-intrusively. The BarnOwl Lite module is designed for risk champions who need to manage their risk environment at their level of the organisation.
The BarnOwl Lite module is a user-friendly, web-based intranet (platform-independent) application. In addition, the BarnOwl Open license, which is free to unlimited users, enables users/owners to complete risk and control self-assessments (RCSA) online, complete checklists / surveys / questionnaires online and, most importantly, update their action plans online. BarnOwl sends out automated email notifications, reminders and escalation to the owners with a hyperlink to the relevant RCSAs, Checklists and Action Plan/s. In addition, all users / owners have direct access to the BarnOwl portal via an icon on their desktop in order to update their own RCSAs, Checklists and Action Plan/s at any time.
This article outlines the basics of the BarnOwl Lite and Open modules. You can find more detailed information in the online BarnOwl Help Manual.
1. BarnOwl Lite
The BarnOwl Lite module is a simple to use, non-intrusive web-based interface for a risk champion to manage all aspects of risk management within their specific business unit/s (area/s of the organisational structure) including:
- Risk Management fundamentals: search, capture, maintain, monitor and report on Objectives, Risks, Controls, Contributing Factors, Key Indicators (KIs), Incidents (loss events) and Action Plans
- Risk Identification: Search, capture, maintain, monitor and report upside risks (that help achieve objectives) and downside risks (that threaten objectives). Includes moderation / approval mode.
- Risk Assessment: Rate risks in terms of inherent impact x inherent likelihood = inherent risk (pre-control) and residual impact x residual likelihood = residual risk (post-control). Includes qualitative and quantitative rating by unit risk appetite by risk category.
- Control Identification and Assessment: Identify and rate controls in terms of control adequacy (the design of the control) and control effectiveness (how well the control is working). Residual risk is either manually rated or can be auto-calculated based on control adequacy and effectiveness. The system supports combined assurance rating of controls as well as control testing checklists / sampling (used in audit).
- Action Plans: Raise and monitor action plans against risks, controls and incidents with due dates and assign designated owners. The system sends out automatic email notifications, reminders and escalation to the action plan owner/s with a hyperlink to the relevant action plan for the owner to update his / her progress, including the ability to attach evidence.
- Risk Incidents: Capture and monitor any type of incident and / or loss event (actual, potential and near misses) against a business unit or risk. Examples include: loss events, burglaries, robberies, tip-offs, management investigations, OHASA incidents, Strikes, Fraud risk, etc.
- Key Indicators: Search, capture and maintain Key Indicators such as Key Performance Indicators (KPIs), Key Risk Indicators (KRIs) and Key Control Indicators (KCIs) with threshold limits (green, yellow, red) and period of measure (monthly, quarterly, annually etc.). The system sends out automated email notifications, reminders and escalation to the relevant key indicator owner/s at the right time with a hyperlink to the owner’s key indicator for the owner to capture the value of the key indicator. Key indicator values outside of their thresholds provide an early warning (dynamic re-assessment trigger) of objectives, risks and controls that may need to be re-rated.
- Risk and Control self-assessments: RCSAs are set up in BarnOwl Rich, and BarnOwl Open functionality enables the risk and control owners in your area (business unit/s) to rate their risks and controls on a regular basis. The system sends out automated email notifications, reminders and escalation to the relevant owners with a hyperlink to the relevant RCSAs (optional functionality includes reviewer sign-off ability). Results are monitored and updated to the live registers using BarnOwl Rich functionality.
- Checklists (Compliance), Surveys, Questionnaires: Checklists are set up in BarnOwl Rich, and BarnOwl Open functionality sends out automated email notifications, reminders and escalation to the relevant owners with a hyperlink to the relevant checklist (optional functionality includes reviewer sign-off ability). Results are monitored and consolidated using BarnOwl Rich functionality.
Please see BarnOwl’s key functionality per license type at: https://api.barnowl.co.za/licensing/
2. BarnOwl Lite Look and Feel
Please see online help at: http://docs.barnowl.co.za/barnowlhelp/ and more specifically ‘BarnOwl web (Lite)’.
Viewing your risk register:
The system will automatically show you and allow you access to your specific area / business unit of responsibility
Capturing and maintaining linked items:
3. The BarnOwl Open License
Updating progress of Action Plans at any time via the BarnOwl web-portal
Owners of action plans can update the progress of their action plans at any time via the web-based portal. In addition, the system sends out automated email notifications, reminders and escalation to the owners with a hyperlink to the relevant Action Plan/s. Evidence can be attached to an action plan and a full audit trail of the progress of the action plan is maintained.
Completing a vote / RCSA (Risk / Control Self-Assessment) online
Owners assigned to RCSAs (by a Rich user license) can, within a specified time frame, complete their RCSAs via the web-based portal. In addition, the system sends out automated email notifications, reminders and escalation to the owners with a hyperlink to the relevant RCSAs (optional functionality includes reviewer sign-off ability). Results are monitored and updated to the live registers using BarnOwl Rich functionality.
Completing a survey / checklist online
Owners assigned to a survey/s (by a Rich user license) can, within a specified time frame, complete their survey/s via the web-based portal. In addition, the system sends out automated email notifications, reminders and escalation to the owners with a hyperlink to the relevant survey. Results are monitored using BarnOwl Rich functionality.
Completing a questionnaire online
Owners assigned to a questionnaire/s (by a Rich user license) can, within a specified time frame, complete their questionnaire/s via the web-based portal. In addition, the system sends out automated email notifications, reminders and escalation to the owners with a hyperlink to the relevant questionnaire. Results are monitored using BarnOwl Rich functionality.
4. GRC is now more than ever a necessity for every organisation
Now, more than ever, under these trying economic conditions, an organisation needs to operate as a lean, mean machine, pulling in the same direction. Key to this is robust GRC (governance, risk management, compliance & assurance), which should be embedded throughout the organisation. Divisional objectives, including lower-level objectives, must support and be in sync with the strategic objectives of the organisation. At every level of the organisation, the risks associated with each of these objectives need to be identified, managed and monitored on an ongoing basis. Every effort should be made to minimise the risks that you wish to reduce / avoid whilst being able to take appropriate risks for reward (opportunity risk), provided that the risks are within the risk appetite and tolerance levels of the organisation.
Rogue behaviour is unacceptable in today’s business environment and can destroy an organisation overnight. Gerry Grimstone had a message for senior executives. “You can’t easily blame a board member for not knowing something,” Grimstone said. “But you can blame a board member for creating a culture where he or she doesn’t know something.” Grimstone also discussed the “tone from the top”: a need for an organisational culture where assumptions are challenged and ethical risk management practices are acclaimed, not neglected.
It’s quite simple! Lack of disclosure and an ineffective risk management information and reporting system equals negligence. Boards are explicitly given a choice between either having effective risk management in practice or disclosing their ineffectiveness in risk management to the public. If they do neither, it is considered fraud or negligence, as not knowing about a risk is no longer a defense.
At every level of our organisation, we as board members, exco members, managers and employees need to ask ourselves: Do we know what our objectives are and how these contribute to the overall objectives and strategy of the organisation? Are we managing the significant risks that threaten our objectives and do we recognize the opportunities and act on them within our risk appetite? Do we want to be part of the solution or are we apathetic and part of the problem?
In summary, effective risk management enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation.
5. The need for risk management software:
Specialised risk software such as BarnOwl drives accountability and ownership for risk in a coordinated manner across the organisation. The BarnOwl risk management software will:
- facilitate an integrated approach rather than a silo-driven approach to risk management by the inter-linking of objectives and risks across the organisation,
- facilitate and embed a culture of risk management and control at all levels of your organisation,
- provide an early warning system through the continuous monitoring of risks and their related controls, key risk indicators, incidents / near misses, contributing factors and ‘living’ action plans,
- drive accountability for risk management at all levels of the organisation enabled by the ‘live’ updating and monitoring of action plans by designated owners,
- standardise and simplify your process, risk and control taxonomy (library lookup) throughout the organisation,
- facilitate business decision making with up-to-date, consolidated dashboards of your risk universe with full drill-down capability,
- ensure Director / Accounting officer protection through a formalised system-driven approach to risk management, compliance and assurance (audit).
6. Useful Links
- Realising ROI from GRC initiatives – IT Web Governance, Risk and Compliance conference February 2021
- GRC is common sense – IT Web Governance, Risk and Compliance conference February 2021
- https://api.barnowl.co.za/essential-risk-management-guide/
- https://api.barnowl.co.za/a-step-by-step-infographic-on-how-to-implement-risk-management-software-effectively-2/
- Integrated BCM and risk explained – Steve Simmonds, Director, SynergyGRC
- Why risk management fails – Mira Butler, Managing Director, Mira Consulting
- Why King IV is not another layer of regulation but creates add-on value – Michael Judin, Partner, JUDIN COMBRINCK INC
- https://api.barnowl.co.za/insights/demystifying-risk-management/
- https://api.barnowl.co.za/selling-enterprise-risk-management-erm-to-the-board-and-the-executive/
- https://api.barnowl.co.za/insights/6-ways-risk-based-auditing-adds-value-to-your-organisation/
About BarnOwl: