Framework for governance, risk, and compliance Flashcards

1
Q

Why are governance and compliance frameworks a necessary component of effective risk-management? (2)

Governance and compliance frameworks are not sufficient on their own. What else is equally important? (2)

When do problems arise?

Name 4 examples of risk-management-related governance compliance issues.

Name 4 consequences.

How can effective governance and compliance help?

A

(1) Without governance and compliance frameworks for RM, organisations will be vulnerable to employee bad behaviour, including negligence or criminal activity
* Effective governance and compliance frameworks for RM help all employees to understand the RM ‘rules’

(2) RM, governance and compliance are inseparable = impossible to have effective RM without appropriate governance and compliance frameworks

Risk culture and tone from the top

Problems arise when employees are incompetent in their role or do not comply with policies, procedures, and codes = inappropriate risk taking and control weaknesses

  1. Not following health-and-safety procedures
  2. Fraud and theft of company assets
  3. Not declaring conflicts of interest
  4. Accepting a bribe

Consequences could be = financial, regulatory enforcement, adverse media reporting, divert management’s attention from strategic and operational priorities

Effective governance and compliance should prevent these adverse outcomes and increase the chance that an organisation will achieve its objectives/meet the needs of its stakeholders

2
Q

IMPLEMENTING EFFECTIVE RISK-MANAGEMENT POLICIES AND PROCEDURES

For effective governance and compliance, an organisation needs to implement risk-management policies and procedures that do what 3 things?

What is the primary role of risk-management policies and procedures?

Without effective policies and procedures, what could happen?

To support effective governance and compliance, the implementation of risk-management policies and procedures requires what 7 things?

A

(1) Comply with relevant governance codes, laws and regulations
(2) Are in the interests of stakeholders
(3) Ensure that the risk-taking and control decisions and actions of all employees support the effective setting and achieving of an organisation’s objectives

Purpose = ensure RM decisions and activities of all employees are consistent and appropriate in terms of both an organisation’s objectives, and legal and regulatory obligations

Employees would not know how to act and could make decisions that are not in the interest of the organisation or its stakeholders = chaos in organisation = inconsistent actions and decisions leading to serious governance and compliance breaches

  1. an explanation of why they are needed
    (= ensure regulatory compliance, to protect stakeholders, and to help the organisation set and achieve its objectives)
  2. the organisation’s RM principles in a RM policy
  3. clear and unambiguous roles and responsibilities
  4. board and senior management support
  5. sanctions for non-compliance e.g., verbal/written warning, withhold bonus/promotion
  6. communication and training
  7. regular reviews and updates
3
Q

DETERMINING AND IMPLEMENTING AN EFFECTIVE RISK-APPETITE FRAMEWORK

From a governance and compliance perspective, employees should understand what 3 things?

A company may develop and monitor a set of risk metrics against agreed limits and thresholds. What does this allow management to do?

What would be required if the risk appetite was exceeded? (2)

A
  1. The risks that may be taken and any limits to the level of risk exposure that may be taken via a written risk appetite statement
  2. The risks that should not be taken where practicable
  3. The management roles and committees that have the authority to waive limits or take risks normally considered outside of appetite where this supports organisational objectives

Allows management to determine whether an organisation is within or outside its appetite for risk and to take action to address any issues

(1) immediate action would be required to rectify the situation
OR
(2) the board or risk committee may need to go through the agreed risk acceptance process to accept a degree of control weakness for a brief period of time.

4
Q

COMPLIANCE MANAGEMENT FRAMEWORKS

How are governance, risk and compliance activities complementary? (2)

Why are compliance-management frameworks necessary? (3)

Name 5 possible consequences of non-compliance.

A

(1) Weak governance or non-compliance with laws and regulations can create significant risks for organisations.
* these risks need to be identified, assessed, monitored and controlled using risk-management tools and techniques

(2) Organisations that have RM frameworks need to ensure that these frameworks are compatible with all applicable laws and regulations (compliance).
* also need to ensure that they meet the needs of their stakeholders (governance) and support the achievement of their objectives

Necessary to ensure compliance with:
1. an organisation’s internal policies and procedures
2. applicable laws and regulations (such as health-and-safety or environmental regulations)
3. standards, guidelines and codes of conduct that the organisation has chosen to comply with, such as ISO 31000

Compliance risks = (1) criminal sanctions or fines, (2) loss of licence to operate, (3) disrupt the efficiency of day-to-day operations, (4) long-lasting financial and reputational consequences, (5) in a plc can reduce the value of shareholder equity (VW)

5
Q

COMPLIANCE MANAGEMENT FRAMEWORKS

What are the 5 components of an effective compliance-management framework?

A
  1. Establishing compliance standards = imposed by laws or regulations or those set by an organisation
  2. Developing compliance processes and controls = including (1) compliance management policies and procedures, (2) compliance reporting and escalation processes, and (3) compliance training and communication
  3. Linking compliance management with internal control = these are closely related and sometimes the terms are used interchangeably
  4. Risk based compliance = where activities or decision that have a higher degree of compliance risk should receive more compliance management resources
  5. Roles and responsibilities = which vary according to an organisation’s sector, scale and structure, but commonly include the compliance function, board, risk and audit committees, and company secretary
6
Q

COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - ESTABLISHING COMPLIANCE STANDARDS

An organisation’s compliance standards are a combination of what 2 things?

For both, what are the relevant degrees of compliance and levels of discretion?

A
  1. compliance standards imposed on the organisation via laws and regulations
  2. compliance standards determined by the organisation to meet its objectives and stakeholder needs

Imposed standards = must comply with very little discretion
E.g., health-and-safety/environmental compliance = As Low As Reasonably Practicable (ALARP).
* Where discretion is used it is recommended that an organisation discusses these standards with the relevant regulatory or supervisory agency to avoid any subsequent disagreements

Voluntary standards = much more discretion over degree of compliance expected from employees
E.g., internal policies and procedures and code of conduct
* Discretion usually on cost-benefit grounds = where the costs of compliance exceed the benefits, a degree of non-compliance may be accepted BUT any case of non-compliance should be reported to the audit committee or board so directors are kept informed

7
Q

COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - DEVELOPING COMPLIANCE PROCESSES AND CONTROLS

What are the 3 processes and controls required to ensure that the agreed compliance standards are enforced within an organisation?

What 3 things should a compliance-management policy contain?

Name 2 compliance-management common principles.

Name 2 examples of compliance-management procedures.

A
  1. Compliance-management policies and procedures
  2. Compliance reporting and escalation processes
  3. Compliance training and communication

COMPLIANCE-MANAGEMENT POLICIES AND PROCEDURES

Detailed compliance-management policy should contain:
(1) The expected compliance standards and principles
(2) Reporting and escalation arrangements
(3) Roles and responsibilities for the board, SM, other managers and employees

Common compliance management principles include:
A. Expectation employees will act honestly and with integrity
B. Compliance-related risks must be monitored adequately, and all cases of non-compliance escalated to the appropriate level of management

There may be procedures for:
(i) Reporting and escalation
(ii) Temporarily allowing non-compliance on cost-benefit grounds

8
Q

COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - DEVELOPING COMPLIANCE PROCESSES AND CONTROLS

What does compliance reporting provide?

What are the 2 common forms of reporting?

Why are escalation processes needed?

Who should escalation be to?

Training can be delivered to help employees understand what 2 things?

What else can supplement or support formal training?

A

COMPLIANCE REPORTING AND ESCALATION PROCESSES

Provides assurance to directors and managers that organisation is complying with relevant laws and regulations and any compliance risks are managed effectively

  1. Periodic review of compliance = prepared by the company secretary and reported to the board
  2. Compliance monitoring and reporting to management and SM = much more regular (e.g., daily control-effectiveness checks to ensure that financial-crime regulations are being adhered to)

Escalation processes are needed for when ineffective controls are detected or where employees or managers are not behaving in an appropriate manner

Escalation should be to the appropriate level of management
* Serious non-compliance that threatens whole organisation = board
*Less serious = line manager

COMPLIANCE TRAINING AND COMMUNICATION

Training (Provided in-house or externally) can be delivered to help employees understand:
(1) importance of complying with all applicable laws and regulations
(2) operate the relevant compliance controls effectively

Regular communication on compliance responsibilities e.g., emails, memos, team discussions

9
Q

COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - LINKING COMPLIANCE MANAGEMENT WITH INTERNAL CONTROL

How are compliance management and internal control linked? (2)

In larger organisations where these activities may be organised into separate functions, what actions may need to be taken?

A
  1. Compliance management and internal control are closely related = 2 terms may be used interchangeably and compliance management may be viewed as part of internal control or vice-versa
  2. Ensuring that employees are complying with laws and regulations, internal policies and procedures, external standards, guidance and codes is an important part of internal control

Action may be needed to co-ordinate the activities of these functions
*Busy line-managers and employees will not want two separate functions asking them to perform very similar activities

10
Q

COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - RISK-BASED COMPLIANCE

Risk-based compliance is organised on the principle of what?

Areas of higher compliance risk include what?

Risk-based compliance management will require what?

A

The principle that activities or decisions that have a higher degree of compliance risk should receive more compliance-management resources
*Greater compliance-management resources will be devoted to the areas of greater risks = more internal audits

Include laws and regulations that could result in criminal sanction or enforcement action that might affect the achievement of an organisation’s objectives

Require an assessment of compliance risk = identifying and evaluating the probability and impact of a variety of adverse compliance scenarios

11
Q

COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - ROLES AND RESPONSIBILITIES

Roles and responsibilities for compliance management will vary according to what?

Which organisations may not have a dedicated compliance function?

What is the role of the compliance function? (6)

What should the company secretary or governance professional do?

A

An organisation’s sector, scale and structure

A small organisation = role may be performed by a nominated manager (such as the company secretary) or be outsourced to an external compliance services provider

  1. Keeping up to date with legal and regulatory changes
  2. Communicating with legal, regulatory and supervisory agencies, such as the HSE
  3. Monitoring the effectiveness of compliance procedures and controls
  4. Compliance monitoring reporting to management and the board of directors or trustees
  5. Working with all other managers and business functions to ensure that any non-compliance is rectified as quickly as possible
  6. Co-ordinating compliance-related training and communication activities

Should work with the compliance function to ensure board has the assurance information that it needs to determine whether its compliance arrangements are appropriate

12
Q

COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - ROLES AND RESPONSIBILITIES

What is the board accountable for in relation to compliance-management?

What can help with this?

What is the role of the risk and audit committees in relation to compliance-management? (2)

How often should a company’s compliance management policy be reviewed and approved?

A

Board is accountable for the effectiveness of its compliance-management activities and any cases of non-compliance

Compliance-management reviews and exception reports on any serious cases of non-compliance can provide a board with the assurance that it needs and to take action where necessary

Risk and audit committees will support the work of the board on compliance management = include
(1) looking into the detail of compliance reviews and relevant internal audits
(2) may oversee any actions taken to address identified compliance weaknesses or areas of non-compliance

Annually by risk and/or audit committee and board

13
Q

COMPONENTS OF AN EFFECTIVE COMPLIANCE-MANAGEMENT FRAMEWORK - ROLES AND RESPONSIBILITIES

Is compliance management equal responsibility of all employees within an organisation?

What are the managers responsible for? (3 and 3)

If an employee behaves in a non-compliant manner, why is it often not their fault?

A

No = all employees have a personal responsibility (and should make every effort) to comply with internal organisational policies, external laws and regulations, but not equal responsibility

Managers are responsible for ensuring that:
(1) appropriate incentives are in place to ensure compliance
(2) their staff have the training and support they need to behave in a compliant manner
(3) employees are being compliant = might include:
A. Monitoring the effectiveness of local compliance procedures and controls
B. Taking steps to address non-compliance on the part of employees
C. Escalating concerns to more senior management and the compliance function

Employee non-compliance is usually the result of ineffective management or weak organisational compliance-management arrangements

14
Q

GOVERNANCE STRUCTURES FOR RISK-MANAGEMENT - 3 LINES OF DEFENCE

Governance structures for risk-management will vary according to what?

Which type of organisations use the 3 lines of defence approach?

What is the approach based on and why?

Which 3 roles are separated? (3)

For the approach to be effective, what needs to happen?

A

Industry sector, and scale and complexity of an organisations’ structure and operations
*Small, simple organisation = governance of RM framework left to board

Organisations in the financial sector with strong support from regulators (but also large, more complex organisations)

A classic governance control = segregation of duties = reduces conflicts of interest, because the people taking risks are not the same people checking them (this is an advantage)

Separates 3 complementary roles in the governance and operation of a RM framework:
1. Day-to-day risk-taking, assessment and control
2. Oversight of how risks are taken, assessed and controlled
3. Assurance that risk-taking, assessment and control activities are operating effectively and that the decisions made are consistent with the organisation’s objectives

Individuals need to regularly communicate and at times work together = must be trust (built up if understand each other and the value of the 3 roles) (this is an advantage)

15
Q

GOVERNANCE STRUCTURES FOR RISK-MANAGEMENT - 3 LINES OF DEFENCE

What are the 1st, 2nd, and 3rd lines of defence?

What is each of the lines responsible for / what do they provide?

What is each line’s primary role?

A

1st line = operational management
* = front-line decision-makers who take, assess and control risk
* ensure decisions they make are consistent with organisation’s strategic and RM objectives

2nd line = risk management
* = design and implement RM framework and risk reporting to SM and board
* ensure that business managers follow framework and make RM decisions that are consistent with organisation’s objectives

3rd line = internal audit
* = provide assurance to SM and board that RM framework is operating effectively
* ensure any weaknesses in design or implementation of RM framework are detected and controlled

16
Q

GOVERNANCE STRUCTURES FOR RISK-MANAGEMENT - 3 LINES MODEL

Who proposed the 3 lines model as an alternative approach to the 3 lines of defence?

Why? (2)

How are the 3 lines model and 3 line of defence approach similar?

How are they different? (2)

A

the Institute of Internal Auditors (IIA)

Two major criticisms of 3 lines of defence approach:

  1. The term, defence, implies a negative, threat-focused perspective on risk = inconsistent with the notion that risk can bring both opportunities and threats
  2. By segregating the roles of the first, second and third lines, staff fulfilling these roles may not work together efficiently = segregation can impact on personal relations and prevent effective communication and the building of trust

Similar = Both approaches separate front-line risk-taking and control from RM oversight and RM assurance

Differences:
(1) 3 lines model recommends that a close working relationship should be maintained between 1st and 2nd lines

(2) 3 lines model removes the word ‘defence’ to re-emphasises that RM is about pursuing risky upside opportunities as much as reducing the risk of downside threats

* the 3 lines model (published by the IIA in 2020) replaced the 3 lines of defence approach as recommended best practice for risk governance

17
Q

GOVERNANCE STRUCTURES FOR RISK-MANAGEMENT - 3 LINES APPROACH

Name 5 core principles the 3 lines approach is built on.

A
  1. Management spans the first and second lines = these lines may be blended or separated
  2. The first line role involves delivery of products and services and management of the associated risks
  3. The second line assists the first line in the management of risk
  4. The third line provides independent and objective assurance on the effectiveness of governance and RM
  5. All lines must work together to create and protect value for the organisation and its stakeholders
18
Q

GOVERNANCE STRUCTURES FOR RISK-MANAGEMENT - 5 LINES OF ASSURANCE

In what 2 ways is the 5 lines of assurance approach different from the 3 lines of defence approach?

What are the 5 lines of assurance?

Within the five lines approach, the CEO or equivalent is responsible for what?

Who is responsibility for managing these risks assigned to?

What is the board’s role?

A

A. The word defence is not used (as in the case of the three lines model) = the word defence implies that risk is a bad thing to be defended against

B. The five lines of assurance make more explicit the role of the board and an organisation’s executive directors in relation to RM governance

(First 3 are very similar to the 3 lines of defence approach)
1. Work units, meaning business unit/function/department managers
2. Specialist units, such as the risk function, compliance function and company secretary
3. Internal audit
4. The CEO, managing director and other senior directors and managers
5. The board of directors or trustees

Building and maintaining a robust RM framework = ensure principal risks are reduced and opportunities exploited

Senior directors and managers = act as ‘risk owners’ = ensure their teams identify, assess, monitor and control these risks in an effective way

Has ultimate responsibility for ensuring that an organisation has an effective RM framework and that the other 4 lines are performing their roles in an appropriate way

19
Q

What 5 factors should be considered when deciding between 3 lines model and 5 lines of assurance?

A
  1. Organisational complexity
    * smaller, less complex = 3 lines, to avoid unnecessary complexity
    * larger, complex = 5 lines, to address a wider range of potential risks and assurance providers
  2. Resource availability and constraints = 5 lines requires more resources for co-ordination and management (the financial and human resources may not be available)
  3. Risk landscape and diversity of risks = if the organisation faces a wide range of risks, 5 lines is better
  4. Communication and collaboration = 5 lines encourages greater integration and collaboration
  5. Stakeholder preferences may also influence the choice
20
Q

GOVERNANCE STRUCTURES FOR RISK-MANAGEMENT - THE ROLE OF THE BOARD

In accordance with the UK Corporate Governance Code, what is the role of the board in terms of risk governance? (4)

A
  1. Boards are responsible for determining the risk appetite
  2. Boards should maintain sound RM and IC frameworks
  3. NEDs should satisfy themselves that financial controls and an organisation’s wider RM framework are robust and defensible
  4. Where appropriate, set up an audit committee that reviews internal financial controls
21
Q

GOVERNING RISK-MANAGEMENT WITHIN A GROUP STRUCTURE

Why can the dispersed nature of many groups make effective risk-management governance difficult?

What can help govern risk-management activity within a group structure?

What is dotted-line reporting?

What may satellite risk functions be granted?

Why might group structures have a hierarchy of risk-management policies and procedures?

Name 3 examples.

A

= Business units from different industry sectors may have different RM priorities and objectives, making it hard to implement a one-size-fits-all RM framework for the whole group

A group risk-management function supported by a series of divisional, country-level or business-unit risk functions (AKA satellite risk functions)

Dotted-line reporting = satellite risk functions may report fully or partially to the group risk function to ensure that they follow the group RM framework

Satellite risk functions may be granted a degree of discretion to modify the group RM framework to meet the needs of different industry sectors (common where one sector is financial services)

To ensure consistent, but locally relevant, RM activity across the group

E.g., a ‘group risk-management policy’, divisional risk-management policies, and business-unit specific policies

22
Q

ISO 19600:2014 - COMPLIANCE MANAGEMENT SYSTEMS

What is ISO 19600:2014?

What does the standard provide?

What is the view of the standard?

What does the standard say on leadership?

What does the standard offer and what philosophy is this based on?

What are the 2 phases the standard is divided into?

A

= The international standard for compliance-management systems (note: ISO 19600:2014 has since been withdrawn and replaced by ISO 37301:2021, a certifiable requirements standard; the structure described below is that of ISO 19600)

Provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance-management system within an organisation
* Can be used to help benchmark existing organisational practices

View = effective compliance is an essential part of maintaining the long-term sustainability of an organisation = should create a culture of integrity and compliance where non-compliant behaviours are not tolerated

Emphasis role of board and SM = leaders must demonstrate a clear commitment in terms of the language they use and the actions they take to ensure effective compliance management

The standard offers a continuous improvement framework for compliance management that is based on the management-improvement philosophy of ‘plan-do-check-act’

Divided into (1) establishment and (2) implementation phases = compliance-management processes and controls are first established, then implemented and improved

23
Q

ISO 19600:2014 - COMPLIANCE MANAGEMENT SYSTEMS

Explain the management-improvement philosophy of ‘plan-do-check-act’.

A

Plan = Establish the decision objectives and plan the processes necessary to deliver the results required
E.g., compliance with law or regulation

Do = Implement the planned processes and check the outcome (collecting data to support this)
E.g., compliance-monitoring data

Check = Study the results of the ‘do’ phase and compare them against what was expected from the ‘plan’ phase.

Act = Where the actual outcomes are better than planned, or at least better than previous outcomes, establish a new baseline on which the organisation should act
*If outcomes are not as good as expected or as before, then determine ways to improve on these

24
Q

ISO 19600:2014 - COMPLIANCE MANAGEMENT SYSTEMS

What are the 5 tasks in the establishment phase?

A
  1. Identify internal and external compliance issues, for example, regulatory change
  2. Identify stakeholders’ requirements
  3. Determine the scope of the compliance-management system and establish the system
  4. Establish the compliance policy
  5. Adopt good governance principles
25
Q

ISO 19600:2014 - COMPLIANCE MANAGEMENT SYSTEMS

Name 3 of the 6 tasks in the implementation phase?

A
  1. Identify compliance obligations and evaluate compliance risks
  2. Leadership commitment and establish roles and responsibilities
  3. Plan to address compliance risks and achieve compliance objectives
  4. Operational planning and control of compliance risks
  5. Performance evaluation and compliance reporting
  6. Manage non-compliance and continual improvement of the compliance-management framework
26
Q

COMBINING GOVERNANCE, RISK AND COMPLIANCE

What is a GRC framework?

Which organisations may implement one?

Why? / What are the 2 benefits of implementing a GRC management framework?

Where reporting is not integrated, what can happen?

Where single functions for governance, risk and compliance are used in organisation, what could be implemented?

A

GRC framework = a management framework that combines governance, RM and compliance-management activities

Larger organisations, especially those in highly regulated sectors (financial services)

  1. Help to prevent management of GRC issues in silos = help reduce management time and other resource costs and improve efficiency = reduced duplication of effort/tasks and prevent failure to communicate potential concerns that cross multiple functions
  2. Help to create more integrated reporting = allows managers at all levels to make connections between governance, risk and compliance activities and issues

Where reporting not integrated = separate but very similar reports are produced for governance-, risk- and compliance-related issues = management may fail to see the links between governance, risk and compliance, leaving important risk exposures or control weaknesses undetected

A GRC computer system to help co-ordinate activities and produce common reports

27
Q

COMBINING GOVERNANCE, RISK AND COMPLIANCE - THE SCOPE OF GRC

What are the 3 common areas of a GRC management system?

What is each area focused on and why?

A
  1. Financial GRC = focused on the production and distribution of financial reports, which can be subject to a range of governance requirements and other laws and regulations

*Various risks are associated with financial reporting e.g., financial misstatements, over- or underestimate an organisation’s financial performance

  2. Information technology GRC = focused on the governance, risk and compliance management of an organisation’s IT systems, processes, policies and procedures

*IT-related activities may be regulated (data protection requirements)
* Wide range of IT risks to consider = hacking attacks, systems failures, data corruption, cyberbullying, use of social media

  3. Legal GRC = focused on combining the work of an organisation’s legal department or legal specialist with other compliance-management work

*Legal issues, whether criminal or civil, have a compliance-related element = include a breach of company law, environmental law or health-and-safety law

28
Q

COMBINING GOVERNANCE, RISK AND COMPLIANCE - GRC INFORMATION SYSTEMS

What are GRC information systems used for?

Name 5 elements that a GRC system usually consists of.

Why are GRC systems typically cloud-based? (3)

An organisation looking to purchase a GRC system should do what?

A

Used to help co-ordinate and integrate an organisation’s governance, risk and compliance-management activities

  1. A repository of all relevant policies and procedures = RM policies, compliance-management policies, risk appetite and internal audit procedures
  2. A library of the governance, risk and compliance controls used across the organisation
  3. Governance, risk and compliance metrics e.g., information on reported loss events or compliance breaches
  4. Results of risk assessments
  5. Action planning to address control weaknesses or audit issues

(1) to allow employees from across an organisation to access them quickly and easily
(2) ensures that all data is held in one location
(3) hosted by the system vendor, who maintains high levels of security and back-up protocols
* Vendor hosting does not remove the organisation’s own responsibility for controlling who can access the system: a GRC system holds a consolidated view of the organisation’s control weaknesses, audit findings and loss events, so access should be restricted accordingly

Should weigh up the costs and benefits of several different systems, and research them, before making a purchase = systems can cost very large amounts of money to implement and maintain AND certain systems may be incompatible with an organisation’s internal structure and processes