Enterprise Risk Management

# Integrated. Comprehensive. Automated

The QC3 audit uses three key phases of a Risk Management Framework (RMF):

1. Identify risk scenarios and determine the organisation's appetite, minimum control standards, organisational exposure points and accountable risk owners.

2. Action owned risks through embedded team-based inherent and residual risk assessments and automated control testing definitions.

3. Manage risks via targeted frontline assurance, which executes automated key controls on every submission.

Assurance Performance, Results and Risk

When QC3 receives data from frontline assurance, a rich dataset is extrapolated from the submission. This includes:

  1. Performance - weighted responses calculating the % of assurance success
  2. Results - granular response level analytics enabling heat mapping and detailed analysis
  3. Risk Indication - Positive, Negative, Neutral indications of risk are derived from submitted data bridging multiple standards or key material risks


Data extrapolation is executed instantly, with a rich assurance and risk data set available immediately to the organisation.

Risk Scenario and Control Library

In QC3, risk has been simplified to enable organisation-wide understanding, adoption and penetration.

Risk scenarios are led with a simplified structure and are linked to various key material risks and elements.

Risk scenarios can be raised by the organisation and workflowed to become an accepted library entry, driving engagement and understanding of the enterprise risk discipline.

Controls can be raised and contributed to each risk, formulating a standardised definition of risk and expected controls.

Issues and Actions Management

QC3 includes a small work order management system to trace the progress and resolution of manually created issues or issues created automatically from failed key control tests.

When risk acceptance thresholds are breached, an issue is raised on the risk owner and is centrally managed in the small work order Issues Management feature until rejection or completion of the issue.

The digitisation of control testing and immediate push notification of failed controls leapfrogs an organisation's risk culture and risk accountability light years ahead of the rudimentary spreadsheet solutions laboriously employed by many organisations.

Owned Risks and Automated Control Testing

Owned Risks are risks allocated from the library and placed in a position within the organisational structure. Owned Risks are also allocated a designated responsible party within the organisation. This unique linkage allows QC3 to drive accountability and responsibility for the risks appropriate to different areas of the organisation, with clarity for the nominated risk owners.

Using the advanced features of QC3, Risk Owners can define automated control tests which are executed on each frontline assurance data payload submitted to the organisation either by the QC3 Assurance User Interface or via the QC3 API processing endpoint.

Inter-rater Assurance Assessment

To ensure consistency and to drive a commonly high standard of assurance, QC3 applies an inter-rater or 'audit the audit' capability to data mine the submitted assurance data for re-processing in and against separate audits.

Inter-rater assurance assessments enable QC3 to uniquely extract seemingly unrelated assurance data sets, determine if prescribed results are achieved and re-execute them against configured risks and controls.

Inter-rater enables organisations to drive consistency and understanding of assurance via this automated processing.