domain management methodology

GRAPA Standards – Methodology

Upload: rob-mattison

Post on 10-Jun-2015


1. GRAPA Standards Methodology

2. Risk Management Processes
Domain Management Process
Case Management Process
Revenue Stream Management Process
3. Revenue Assurance Operations
Forensics
The process of investigating cases, domains and situations and providing management with well defined, credible conclusions regarding the cause and probable impact of the situation investigated
Corrections
Projects designed to implement changes to policies, procedures, operations or systems in order to contain risk and raise management confidence
Compliance
The process of verifying that prescribed controls and corrections have been implemented and are being executed as specified
4. How do you measure?
Forensics
Assign Cases to Analyst
Track cases for nature, severity, time to analyze, results attained
Corrections
Assign project to analyst
Track projects based upon how well the project is managed against budget / forecast
Compliance
Acquire a compliance contract for the specified domain
Convert the compliance contract into tracking criteria by # controls, alarm level, frequency, precision
Report escalations, alarms, results
5. How do you apply operations to Domain Management
As you move from Level 1 through 5 you will either:
Perform forensics
Perform corrections
Perform compliance
Tracking each operation (FCC) as the domain moves up the confidence scale is the process
6. The Domain Management Process
What is it?
The process of monitoring and improving the risk exposure that a particular domain represents
7. How does it work?
The RA Professional examines the domain and reviews the status of the standard controls for that domain
Each domain is ranked by its CONFIDENCE LEVEL or CONTROLS STRENGTH
The strength of the control coverage tells management how tightly run the domain currently is
The higher the strength of the controls, the more confidence management can have that there are no leakages, and that the risks have been minimized to that level.
8. What are the levels?
0 Unknown
1 Mapped
2 Calibrated
3 Covered
4 Corrected
5 Controlled
6 Compliant
9. How do you attain levels ?
In order to move from one level of strength/confidence to the next, the RA Analyst performs an operation. The operation is completed with the creation of a report.
10. ** Implementation Notes
The definitions and methods described here are highly formal and explicit in order to clearly illustrate the functions and objectives to be attained in the migration of a domain through the levels of assurance.
Organizations will usually implement a methodology which relaxes these constraints to a level of operational and budget comfort.
11. ** Implementation Notes
Experienced RA Analysts, well developed and experienced environments, or environments with heavy compliance cultures or frameworks will often perform many, or all, of these analyses at the same time.
The steps are broken down here for the sake of understanding, clarity and auditability.
12. Level 0
0 Unknown: no investigation has been done
A domain is considered to be at Level 0 until a competent RA Analyst has performed the first set of forensics analysis (Mapping)
13. Level 1 Mapping
Mapping: the RA Analyst reviews the domain, and maps the real, operational domain against the standard controls.
When mapping is completed, the RA Analyst knows if and where controls are in place (or not).
Deliverable : Mapping Report
14. Level 2 Calibration
Calibration is the process of examining each of the standard controls and determining their:
Appropriateness : Is the right method being used to perform the control
Adequacy : Is the right information being utilized in the right way to perform the control
Effectiveness : Is the control performing the job it is intended to perform
Reliability : Is the control likely to continue to perform at this same level?
Frequency: How often is the control run and is it often enough?
15. Level 2 Calibration
Calibration requires the analyst to:
Utilize GRAPA Risk Analysis Methods to attain this
Determine the most appropriate method for the execution of the control (there are usually several alternative ways to attain the desired results)
Run a gradation sampling series, or perform a history series analysis, in order to verify that the results the control reports are consistent. (Gradation will provide the analyst with a known variance in the range of values reported.)
When the Analyst has defined the nature of the control and its performance parameters, and can provide management with an appraisal of the risk associated with the current performance level, the level has been attained.
Calibration defines a risk profile for each control
Deliverable : Calibration Report
16. Level 3 : Coverage Plan Development
Based upon the assessment of the adequacy of the current controls, management will express an appetite for risk in this regard.
Management preference may be laissez-faire (with a high appetite) or may be conservative (desiring an increase in the confidence)
17. L3: Coverage Plan Development
When instructed by management, the analyst will make use of the calibration information in order to generate a CORRECTION in the form of:
Change to policy/procedure
Change to a system
Change to a compliance level
Creation of a control
In order to attain the level of risk that management has specified
Deliverable : Coverage Plan Specification
18. Level 4 : Coverage
When management has reviewed the coverage plan (including cost/benefit) and selected their choice, the RA team will implement the projects necessary to implement the coverage plan specified.
The last stage of the implementation of any coverage plan is the establishment of a CONTROL Monitoring contract.
19. Triggers for the decision to raise the level of confidence for a domain
# cases generated
Severity of cases generated
Policy/ Regulation
Findings from earlier stages of confidence escalation
Revenue at risk (forensics based )
Revenue at stake (revenue stream based)
Margin / Forecast Variance Reduction
20. Controls Monitoring Contract
A controls monitoring contract establishes:
Who will be responsible for running the control
Who will be responsible for monitoring the control
How often will the control be checked
How often will the running of the monitoring operation be reported to the RA team
Deliverable: Controls Monitoring Contract
21. Level 5: Compliance
When a domain is at the compliance level, that means that the agreed upon coverage plan has been successfully implemented, and the RA team is performing the agreed upon level of compliance verification.
Compliance monitoring is reported via the RA Compliance Reporting framework which tracks the number of alarms, the number of checks etc.
Deliverable : Compliance Verification Reports
22. The Case Management Process
23. Case Management: Objectives
The case management process is dedicated to the:
Capture
Analysis
Resolution
Of reported cases of revenue loss or risk of revenue loss
24. Case Management Sources
Case management is mostly a forensics process
Cases can be generated by:
Harvesting sources (call center, internal audit, operational managers)
Compliance control alarms
Revenue / Risk scenarios
25. How does case management work?
The RA team:
Establishes a mechanism for the capture and reporting of cases
Cases are assigned to team members based upon skill, availability, budgeted time
Cases are investigated and findings reports are created at the close of each case.
See GRAPA Standards for Forensics Methods
26. Revenue Stream Management
Revenue Mapping
Margin tracking
Financial report assurance
27. RA Skills Assessment Methodology