Frequently asked questions

Yes, the requirements of both standards can be mapped via the software.

Yes, in addition to mapping the risk management process, an internal control system can also be mapped. This can take place in a completely integrated process or in two different process organizations (1. RM and 2. ICS). It is always possible to consider the topics separately but also in an integrated manner

Yes, in addition to risks, opportunities can also be considered, recorded, evaluated and reported. Customers who simulate, in particular, use the opportunity management option, as risks can also deviate into the positive range as part of the risk assessment. Of course, the opportunities can also be viewed in isolation from the risks.

Yes, a Monte Carlo simulation is available in the application. Risks can be aggregated using a Monte Carlo simulation, individual simulation portfolios can be compiled or the overall risk situation of the company or sub-areas can be simulated. Both multi-year risk assessments and (uni- or bidirectional positive and negative) dependencies between risks are taken into account. The application can determine the risk measures Value@Risk (VaR) and Conditional Value@Risk (CVaR) for user-definable confidence levels.

In the application, there are standard reports as well as individual reports. The standard reports reflect common requirements for the risk management or internal control system (risk map, risk inventory, risk development, ISAE 3402, etc.). In addition to the standard reports, it is also possible to store your own reports. These can be fully customized in terms of both content and design/layout.

The application has a comprehensive and flexible authorization concept. Roles and rights can also be assigned to users at entity, department and division level. A wide range of standard roles are available for authorization, which can be supplemented by customer-specific roles if required.

The application has very extensive valuation options. This starts with a qualitative and/or quantitative assessment and the respective hybrid forms of these, via a multi-year assessment, gross/net/target view, EBIT/cash impact through to the assessment of risks using various distribution functions or in a multi-dimensional view (financial, reputation, liability, environment, etc...). The use of the available options is completely free and can be supplemented at any time in order to further optimize and expand your own risk assessment. In principle, all data entry screens adapt to the customer's requirements.

The resulting effects on the probability of occurrence and/or impact can be recorded for measures. These effects can be automatically offset against the risk assessment, e.g. to calculate the net assessment from the recorded gross assessment. This offsetting of measures can be combined with all other functions and assessment options.

Yes, it is possible to record loss events/indicators with date of occurrence, loss amount, risk allocation and geographical location and evaluate them in an overview page or in reports.

As an alternative to processing their tasks in the application, employees who carry out measures or confirm the implementation of controls or their effectiveness can also report their implementation via Microsoft Outlook. This allows employees to work in their familiar working environment and eliminates the need for training.

We offer our R2C_GRC application not only on premises, i.e. installed in your system, but also in the cloud. Our GRC cloud is always online, always available and fully scalable. This allows you to use the full functionality of the R2C solutions at a low cost. Security is our top priority. This is also why all data is hosted in a German data center: Certified to ISO 27001.

We take care of maintenance and support for you and guarantee high data security and reliable system availability.

The following requirements must be met:

Complying with all legal guidelines is a major challenge for companies. We take on this extensive but important task for you.

With the GRC software R2C_GRC, you can implement the requirements of IDW PS 340 n.F. professionally. The guidelines for auditing early risk detection systems were revised by the Institute of Public Auditors in Germany (IDW) in the new version of the IDW PS 340 auditing standard. The published auditing standard 340 includes the audit of the early risk identification system in accordance with Section 317 (4) HGB, which is used in risk management for both the identification of new risks and the continuous monitoring of risks.

A brief overview of the most important new regulations:

• Extended Group-wide identification of developments that could jeopardize the continued existence of the company on the basis of a holistic overall risk inventory
• Timely identification of risks in one or more action-oriented time horizons
• Determination and ongoing analysis of risk-bearing capacity
• Aggregation of risks to assess the threat to the portfolio
• Consideration of risk management measures in the assessment of "net risks"
• Introduction of the basic element of risk management into the risk early warning system
• Specification of the system documentation for the measures in accordance with Section 91 (2) AktG

The new auditing standard currently applies to listed stock corporations (Section 91 (2) AktG).

Our GRC software solution supports you in implementing the requirements of IDW PS 340 n.F.

R2C_GRC provides several options that support risk identification:

• IDENTIFICATION LIST: Example risks can be displayed via the risk categories.
• SUBJECTS: A central function can distribute topics within the organization. These are then checked and can be converted into a risk if necessary.
• OBLIGATORY RISKS: In R2C_GRC, mandatory risks can be distributed to the divisions using the scoping function. These must then be checked and evaluated by the local risk owners.
• QUESTIONNAIRE: The questionnaire function enables the risk manager to start a structured query. This can then be evaluated centrally.
   

R2C_GRC supports the early identification of risks using suitable instruments:

• Mapping of multiple time periods
• Integrated indicator management
• Integrated reporting system
   

The procedure for determining risk-bearing capacity must be clearly defined and documented accordingly. The parameters to be used are, for example, equity, EBIT, liquidity, etc. The risk-bearing capacity calculation must be reviewed on an ongoing basis and adjusted if necessary.

Determination and ongoing analysis of risk-bearing capacity
The respective risk coverage potential can be stored for each client. The risk-bearing capacity can then be calculated using the integrated Monte Carlo simulation. The result can then be evaluated and reported using reports stored in the system.

Aggregation of risks to assess the threat to the portfolio
In order to achieve optimum transparency, risks must be aggregated. In R2C_GRC, risks can be aggregated across several hierarchy levels. In addition to manual assessment and the stored standard aggregation formula, it is also possible to have aggregated risks assessed automatically using Monte Carlo simulation.

Consideration of risk management measures in the valuation of "net risks"
The new version of IDW PS 340 requires greater consideration of measures. In R2C_GRC, measures can be presented with the required points (appropriateness, effectiveness, ...). In addition to the cost effects, measure effects can also be stored. These effects are then used to show the net presentation of the risks. The net assessment can be calculated manually or automatically.

Introduction of the basic element of risk management into the risk early warning system
Integrated action management has been an integral part of R2C_GRC for years. The required points:

• Status
• Appropriateness
• Effectiveness
• Efficiency

can be documented and evaluated in corresponding fields. In addition to clear dashboards, R2C_GRC also offers the option of ensuring efficient processing and tracking of measures via stored workflows.

Prepare yourself optimally for the next audit together with our GRC experts - take the Readiness Check for IDW PS340 n.F.! As part of our readiness check, you will find out which of these points you are already implementing in full, in part or not at all and you will receive targeted implementation recommendations.

We will be happy to support you in implementing the recommendations. Alternatively, we can provide you with an action plan on how and by when you can implement the points mentioned so that you can position yourself vis-à-vis the auditors.