The vendor is required to provide an enterprise risk management software solution that must: (1) automate the collection of risk assessment data and streamline the reporting of risks to executive management; and (2) integrate with the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) Internal Control – Integrated Framework.
- Risk register
1. The risk register must allow administrators and business users to:
• Describe the risk;
• Identify risk ratings (scores or risk levels) such as high, medium, low;
• Relate the office functions affected by the risk;
• Identify risks as being unmitigated (deficient, significant, major, etc.);
• Assign controls to risks;
• Allow creation of an action plan for unmitigated risks including steps required to be completed;
• Allow status updates to the corrective actions, including date completed; and
• Identify when a risk is no longer unmitigated and applicable.
2. The risk register must allow administrators to:
• Administer risks;
• Relate risks to office strategic priorities;
• Rate risks in multiple categories (e.g., IT, privacy, operational); and
• Allow for the ability to edit and update any information including creating, updating, and deleting risks.
3. The solution must restrict business users’ access to only their organizational unit’s risk data.
4. Preferred: the office prefers a solution that can store and relate risks to the office organizational structure, a/k/a “org chart.”
- Risk assessment
1. Allow office users to:
• Perform risk assessments using risk questionnaires distributed through the solution to various organizational units;
• Test organizational unit functions; and
• Certify results;
2. Allow users to configure risk questionnaires, including the ability for users to:
• Use boilerplate questions and announcements;
• Develop customized questions specific to the organizational unit;
• Restrict the format of answers (e.g., dates, dropdowns, lookup fields); and
• Display questions based on branching logic;
3. Provide risk assessment functionality that allows business users to:
• Designate which functions are required to be tested;
• Identify new key controls;
• Identify new risks;
• Document all testing performed and the results with respect to the user’s key controls;
• Identify exceptions in their internal control testing and designate them as “major” or “minor” (e.g., significant, not significant);
• Identify corrective action plans related to exceptions identified in their internal control testing (i.e., steps to address the exception and expected date the step will be completed); and
• Certify the results of their risk assessment;
4. Allow administrators to include a certification statement that business users can electronically sign and acknowledge upon completion of the business users’ risk assessment.
5. Allow administrators to track business functionality by organizational unit:
• Allow administrators to rate the business functions using office-identified criteria;
• Provide a calculated rating (such as high, medium, or low) based on the administrators’ rating of the business functions;
• Allow administrators to override the calculation; and
• Allow business users to view and edit their list of functions and ratings; preferred: the office prefers that the solution allow administrators to confirm edits made by business users to their list of functions and ratings.
6. Allow administrators to notify office organizational units of their required risk assessments;
7. Allow administrators to send automated reminders to business users to complete unfinished work;
8. Allow administrators to respond to risk assessments submitted by organizational units;
9. Allow business users and administrators to provide an update on corrective actions that have not been marked as completed;
10. Allow administrators to schedule risk assessment workflows;
11. Allow administrators to configure risk assessment workflows; and
12. Allow administrators to determine the certification year of the testing exceptions identified by business users.