Domain Management Methodology
TRANSCRIPT
1. GRAPA Standards Methodology
2. Risk Management Processes
Domain Management Process
Case Management Process
Revenue Stream Management Process
3. Revenue Assurance Operations
Forensics
The process of investigating cases, domains and situations and
providing management with well defined, credible conclusions
regarding the cause and probable impact of the situation
investigated
Corrections
Projects designed to implement changes to policies, procedures,
operations or systems in order to contain risk and raise management
confidence
Compliance
The process of verifying that prescribed controls and corrections
have been implemented and are being executed as specified
4. How do you measure?
Forensics
Assign Cases to Analyst
Track cases for nature, severity, time to analyze, results
attained
Corrections
Assign project to analyst
Track projects based upon how well the project is managed against
budget / forecast
Compliance
Acquire a compliance contract for the specified domain
Convert the compliance contract into tracking criteria by number of
controls, alarm level, frequency and precision
Report escalations, alarms and results
5. How do you apply operations to Domain Management?
As you move from Level 1 through 5 you will either:
Perform forensics
Perform corrections
Perform compliance
The process consists of tracking each of these operations (forensics,
corrections, compliance: FCC) as the domain moves up the confidence
scale
6. The Domain Management Process
What is it?
The process of monitoring and improving the risk exposure that a
particular domain represents
7. How does it work?
The RA Professional examines the domain and reviews the status of
the standard controls for that domain
Each domain is ranked by its CONFIDENCE LEVEL or CONTROLS
STRENGTH
The strength of the control coverage tells management how tightly
run the domain currently is
The higher the strength of the controls, the more confidence
management can have that there are no leakages, and that the risks
have been minimized to that level.
8. What are the levels?
0 Unknown
1 Mapped
2 Calibrated
3 Covered
4 Corrected
5 Controlled
6 Compliant
9. How do you attain levels?
In order to move from one level of strength/confidence to the next,
the RA Analyst performs an operation. The operation is completed
with the creation of a report.
10. ** Implementation Notes
The definitions and methods described here are highly formal and
explicit in order to clearly illustrate the functions and
objectives to be attained in the migration of a domain through the
levels of assurance.
Organizations will usually implement a methodology which relaxes
these constraints to a level of operational and budget
comfort.
11. ** Implementation Notes
Experienced RA Analysts, well developed and experienced
environments, or environments with heavy compliance cultures or
frameworks will often perform many, or all, of these analyses at the
same time.
The steps are broken down here for the sake of understanding,
clarity and auditability.
12. Level 0
0 Unknown: no investigation has been done
A domain is considered to be at Level 0 until a competent RA
Analyst has performed the first set of forensics analysis
(Mapping)
13. Level 1 Mapping
Mapping: the RA Analyst reviews the domain, and maps the real,
operational domain against the standard controls.
When mapping is completed, the RA Analyst knows if and where
controls are in place (or not).
Deliverable : Mapping Report
14. Level 2 Calibration
Calibration is the process of examining each of the standard
controls and determining their:
Appropriateness : Is the right method being used to perform the
control
Adequacy : Is the right information being utilized in the right way
to perform the control
Effectiveness : Is the control performing the job it is intended to
perform
Reliability : Is the control likely to continue to perform at this
same level?
Frequency: How often is the control run and is it often
enough?
15. Level 2 Calibration
Calibration requires the analyst to:
Utilize GRAPA Risk Analysis Methods to attain this
Determine the most appropriate method for the execution of the
control (there are usually several alternative ways to attain the
desired results)
Run a gradation sampling series, or perform a history series
analysis, in order to verify that the results the control
reports are consistent. (Gradation provides the analyst with a
known variance in the range of values reported.)
When the Analyst has defined the nature of the control and its
performance parameters, and can provide management with an
appraisal of the risk associated with the current performance
level, the level has been attained.
Calibration defines a risk profile for each control
Deliverable : Calibration Report
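The gradation sampling series described on the slide above can be run as a small script. The following is an added illustration, not GRAPA's own tooling: the control under test (`reconciliation_control`), the record layout, the population and the injected leakage grades are all constructed for this example. The control is given a deliberate weakness (it examines only the first 50 records and extrapolates) so that the series has something to find; the spread of deviations it produces is the "known variance" the calibration report hands to management.

```python
"""Gradation sampling series for calibrating a revenue assurance control.

Added illustration only; this is not GRAPA's own tooling. The control under
test is a hypothetical usage-to-billing reconciliation check that reports the
percentage of rated value that never reached an invoice. We feed it a graded
series of constructed data sets with a KNOWN amount of dropped billing and
record how far the reported figure sits from the truth at each grade. The
worst deviation across the series is the control's measured precision.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    rated_value: float   # value computed by rating
    billed_value: float  # value that reached the invoice (0.0 when dropped)


@dataclass(frozen=True)
class GradeResult:
    injected_pct: float   # true leakage, as a % of total rated value
    reported_pct: float   # what the control said
    deviation_pts: float  # reported - injected, in percentage points


def reconciliation_control(records: list[Record]) -> float:
    """Hypothetical control under calibration.

    Deliberate weakness, modelled for the exercise: to save run time it
    examines only the first 50 records and extrapolates. Calibration should
    expose how much precision that shortcut costs.
    """
    sample = records[:50]
    rated = sum(r.rated_value for r in sample)
    leaked = sum(r.rated_value - r.billed_value for r in sample)
    return 100.0 * leaked / rated if rated else 0.0


def build_population(size: int = 100) -> list[Record]:
    """Constructed population: rated values 0.10, 0.20, ... all fully billed."""
    return [Record(i, round(0.1 * (i + 1), 2), round(0.1 * (i + 1), 2))
            for i in range(size)]


def inject_leakage(records: list[Record], grade_pct: int) -> list[Record]:
    """Drop every (100 // grade_pct)-th record from billing; grade 0 drops none."""
    if grade_pct == 0:
        return list(records)
    step = 100 // grade_pct
    return [Record(r.record_id, r.rated_value,
                   0.0 if r.record_id % step == 0 else r.billed_value)
            for r in records]


def true_leakage_pct(records: list[Record]) -> float:
    """Ground truth: the leakage we actually injected, over the whole population."""
    rated = sum(r.rated_value for r in records)
    leaked = sum(r.rated_value - r.billed_value for r in records)
    return 100.0 * leaked / rated


def gradation_series(grades=(0, 1, 2, 5, 10)) -> dict[int, GradeResult]:
    """Run the control once per grade and record injected vs reported leakage."""
    population = build_population()
    results = {}
    for g in grades:
        graded = inject_leakage(population, g)
        injected = true_leakage_pct(graded)
        reported = reconciliation_control(graded)
        results[g] = GradeResult(injected, reported, reported - injected)
    return results


def max_abs_deviation(results: dict[int, GradeResult]) -> float:
    """Worst-case error in percentage points: the variance figure for the report."""
    return max(abs(r.deviation_pts) for r in results.values())


def within_tolerance(results: dict[int, GradeResult], tolerance_pts: float) -> bool:
    """Reliability verdict: does the control stay inside the agreed precision?"""
    return max_abs_deviation(results) <= tolerance_pts


if __name__ == "__main__":
    series = gradation_series()
    for g, r in series.items():
        print(f"grade {g:>2}%: injected {r.injected_pct:6.3f}%  "
              f"reported {r.reported_pct:6.3f}%  deviation {r.deviation_pts:+.3f} pts")
    print(f"worst-case error: {max_abs_deviation(series):.3f} pts")
```

Because the flawed control only looks at the first half of the population, its error changes sign from grade to grade rather than showing a constant bias; that is exactly why the slide asks for a series across the range rather than a single test point. The tolerance passed to `within_tolerance` is the precision management agreed to, and the verdict feeds the Reliability and Effectiveness lines of the calibration report.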
16. Level 3 : Coverage Plan Development
Based upon the assessment of the adequacy of the current controls,
management will express an appetite for risk in this regard.
Management preference may be laissez-faire (with a high appetite)
or may be conservative (desiring an increase in the
confidence)
17. L3: Coverage Plan Development
When instructed by management, the analyst will make use of the
calibration information in order to generate a CORRECTION in the
form of:
Change to policy/procedure
Change to a system
Change to a compliance level
Creation of a control
In order to attain the level of risk that management has
specified
Deliverable : Coverage Plan Specification
18. Level 4 : Coverage
When management has reviewed the coverage plan (including
cost/benefit) and selected their choice, the RA team will execute
the projects needed to implement the coverage plan
specified.
The last stage of the implementation of any coverage plan is the
establishment of a CONTROL Monitoring contract.
19. Triggers for the decision to raise the level of confidence for
a domain
# cases generated
Severity of cases generated
Policy/ Regulation
Findings from earlier stages of confidence escalation
Revenue at risk (forensics based)
Revenue at stake (revenue stream based)
Margin / Forecast Variance Reduction
20. Controls Monitoring Contract
A controls monitoring contract establishes:
Who will be responsible for running the control
Who will be responsible for monitoring the control
How often will the control be checked
How often will the running of the monitoring operation be reported
to the RA team
Deliverable: Controls Monitoring Contract
21. Level 5: Compliance
When a domain is at the compliance level, that means that the
agreed upon coverage plan has been successfully implemented, and
the RA team is performing the agreed upon level of compliance
verification.
Compliance monitoring is reported via the RA Compliance Reporting
framework which tracks the number of alarms, the number of checks
etc.
Deliverable : Compliance Verification Reports
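The controls monitoring contract (slide 20) and the compliance verification report (slide 21) can be tied together in code: the contract supplies the tracking criteria, a log of check runs supplies the results, and the report counts checks, alarms, missed checks and escalations per control. The block below is an added example and not GRAPA's own RA Compliance Reporting framework; the contract fields follow the slide, while the check-run log format, the 0..3 alarm levels, the two sample controls and the escalation rule (a gap longer than the contracted frequency, or an alarm at or above the contracted level) are assumptions made for this illustration.

```python
"""Tracking a controls monitoring contract and producing a compliance
verification report.

Added example, not GRAPA's own reporting framework. The contract terms
(who runs the control, who monitors it, how often it is checked, how often
results are reported) follow the slide; the log format, alarm levels,
sample controls and escalation rule are assumptions for this illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class MonitoringContract:
    control_id: str
    run_by: str             # who is responsible for running the control
    monitored_by: str       # who is responsible for monitoring the control
    check_every_days: int   # how often the control must be checked
    report_every_days: int  # how often results go back to the RA team
    escalate_at: int        # alarm level (1..3) that triggers an RA escalation


@dataclass(frozen=True)
class CheckRun:
    control_id: str
    run_on: date
    alarm_level: int  # 0 = clean, 1..3 = alarm severity (assumed scale)


@dataclass
class ControlStatus:
    checks: int = 0
    alarms: int = 0
    missed_checks: int = 0  # gaps longer than the contracted frequency
    escalations: list[str] = field(default_factory=list)


def verify_compliance(contracts, runs, period_start, period_end):
    """Return {control_id: ControlStatus} for one reporting period."""
    report = {}
    for contract in contracts:
        cid = contract.control_id
        own = sorted((r for r in runs
                      if r.control_id == cid and period_start <= r.run_on <= period_end),
                     key=lambda r: r.run_on)
        status = ControlStatus(checks=len(own))
        # Frequency criterion: every gap longer than the contract is a missed check
        previous = period_start
        for r in own:
            if (r.run_on - previous).days > contract.check_every_days:
                status.missed_checks += 1
                status.escalations.append(f"{cid}: no check between {previous} and {r.run_on}")
            previous = r.run_on
        if (period_end - previous).days > contract.check_every_days:
            status.missed_checks += 1
            status.escalations.append(f"{cid}: no check between {previous} and {period_end}")
        # Alarm-level criterion: count alarms, escalate those at or above the contract level
        for r in own:
            if r.alarm_level > 0:
                status.alarms += 1
            if r.alarm_level >= contract.escalate_at:
                status.escalations.append(f"{cid}: level {r.alarm_level} alarm on {r.run_on}")
        report[cid] = status
    return report


def sample_contracts() -> list[MonitoringContract]:
    """Constructed contracts for two hypothetical controls."""
    return [MonitoringContract("CDR-RECON", "Billing Ops", "RA Analyst A", 1, 7, 2),
            MonitoringContract("RATING-TABLE", "Rating Team", "RA Analyst B", 7, 30, 1)]


def sample_runs() -> list[CheckRun]:
    """Constructed check log for January 2024."""
    runs = []
    for day in range(1, 32):
        if day in (15, 16):  # two days with no reconciliation run
            continue
        runs.append(CheckRun("CDR-RECON", date(2024, 1, day), {10: 1, 20: 3}.get(day, 0)))
    runs += [CheckRun("RATING-TABLE", date(2024, 1, 3), 0),
             CheckRun("RATING-TABLE", date(2024, 1, 10), 1),
             CheckRun("RATING-TABLE", date(2024, 1, 24), 0)]
    return runs


def sample_report():
    """Compliance verification report for the constructed January 2024 data."""
    return verify_compliance(sample_contracts(), sample_runs(),
                             date(2024, 1, 1), date(2024, 1, 31))


if __name__ == "__main__":
    for cid, s in sample_report().items():
        print(f"{cid}: checks={s.checks} alarms={s.alarms} missed={s.missed_checks}")
        for line in s.escalations:
            print(f"  ESCALATE {line}")
```

The two criteria mirror the slide-4 measures: frequency is verified by walking the timeline against `check_every_days`, and alarm level by comparing each run to `escalate_at`. A control that is never run at all still appears in the report with a missed-check escalation, which is the case a compliance report most needs to surface.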
22. The Case Management Process
23. Case Management: Objectives
The case management process is dedicated to the:
Capture
Analysis
Resolution
Of reported cases of revenue loss or risk of revenue loss
24. Case Management Sources
Case management is mostly a forensics process
Cases can be generated by:
Harvesting sources (call center, internal audit, operational
managers)
Compliance control alarms
Revenue / Risk scenarios
25. How does case management work?
The RA team:
Establishes a mechanism for the capture and reporting of
cases
Cases are assigned to team members based upon skill, availability,
budgeted time
Cases are investigated and findings reports are created at the
close of each case.
See GRAPA Standards for Forensics Methods
26. Revenue Stream Management
Revenue Mapping
Margin tracking
Financial report assurance
27. RA Skills Assessment Methodology