GRAPA Standards – Methodology
Risk Management Processes
  • Domain Management Process
  • Case Management Process
  • Revenue Stream Management Process
Revenue Assurance Operations
  • Forensics: The process of investigating cases, domains and situations and providing management with well-defined, credible conclusions regarding the cause and probable impact of the situation investigated
  • Corrections: Projects designed to implement changes to policies, procedures, operations or systems in order to contain risk and raise management confidence
  • Compliance: The process of verifying that prescribed controls and corrections have been implemented and are being executed as specified
How do you measure?
  • Forensics
      • Assign cases to an analyst
      • Track cases for nature, severity, time to analyze, results attained
  • Corrections
      • Assign the project to an analyst
      • Track projects based upon how well the project is managed against budget / forecast
  • Compliance
      • Acquire a compliance contract for the specified domain
      • Convert the compliance contract into tracking criteria by # controls, alarm level, frequency, precision
      • Report escalations, alarms, results
How do you apply operations to Domain Management?
As you move from Level 1 through 5 you will either:
  • Perform forensics
  • Perform corrections
  • Perform compliance
Tracking each operation (FCC) as the domain moves up the confidence scale is the process.
The Domain Management Process
What is it? The process of monitoring and improving the risk exposure that a particular domain represents.
How does it work?
  • The RA Professional examines the domain and reviews the status of the standard controls for that domain
  • Each domain is ranked by its CONFIDENCE LEVEL or CONTROLS STRENGTH
  • The strength of the control coverage tells management how tightly run the domain currently is
  • The higher the strength of the controls, the more confidence management can have that there are no leakages, and that the risks have been minimized to that level
What are the levels?
  • 0 – Unknown
  • 1 – Mapped
  • 2 – Calibrated
  • 3 – Covered
  • 4 – Corrected
  • 5 – Controlled
  • 6 – Compliant
How do you attain levels?
In order to move from one level of strength/confidence to the next, the RA Analyst performs an operation. The operation is completed with the creation of a report.
** Implementation Notes
The definitions and methods described here are highly formal and explicit in order to clearly illustrate the functions and objectives to be attained in the migration of a domain through the levels of assurance. Organizations will usually implement a methodology which relaxes these constraints to a level of operational and budget comfort.
** Implementation Notes
Experienced RA Analysts, well-developed and experienced environments, or environments with heavy compliance cultures or frameworks will often perform many, or all, of these analyses at the same time. The steps are broken down here for the sake of understanding, clarity and auditability.
Level 0 – Unknown
No investigation has been done. A domain is considered to be at Level 0 until a competent RA Analyst has performed the first set of forensics analysis (Mapping).
Level 1 – Mapping
Mapping – the RA Analyst reviews the domain, and maps the real, operational domain against the standard controls. When mapping is completed, the RA Analyst knows if and where controls are in place (or not).
Deliverable: Mapping Report
Level 2 – Calibration
Calibration is the process of examining each of the standard controls and determining their:
  • Appropriateness: Is the right method being used to perform the control?
  • Adequacy: Is the right information being utilized in the right way to perform the control?
  • Effectiveness: Is the control performing the job it is intended to perform?
  • Reliability: Is the control likely to continue to perform at this same level?
  • Frequency: How often is the control run and is it often enough?
Level 2 – Calibration
Calibration requires the analyst to:
  • Utilize GRAPA – Risk Analysis Methods to attain this
  • Determine the most appropriate method for the execution of the control (there are usually several alternative ways to attain the desired results)
  • Run a gradation sampling series, or perform a history series analysis, in order to verify that the results that the control reports are consistent. (Gradation will provide the analyst with a known variance in the range of values reported.)
When the Analyst has defined the nature of the control and its performance parameters, and can provide management with an appraisal of the risk associated with the current performance level, the level has been attained.
Calibration defines a risk profile for each control.
Deliverable: Calibration Report
Level 3: Coverage Plan Development
Based upon the assessment of the adequacy of the current controls, management will express an “appetite for risk” in this regard. Management preference may be laissez-faire (with a high appetite) or may be conservative (desiring an increase in the confidence).
L3: Coverage Plan Development
When instructed by management, the analyst will make use of the calibration information in order to generate a CORRECTION in the form of:
  • Change to policy/procedure
  • Change to a system
  • Change to a compliance level
  • Creation of a control
in order to attain the level of risk that management has specified.
Development : Coverage Plan Specification
Level 4: Coverage
When management has reviewed the coverage plan (including cost/benefit) and selected their choice, the RA team will implement the projects necessary to implement the coverage plan specified. The last stage of the implementation of any coverage plan is the establishment of a CONTROL Monitoring contract.
Triggers for the decision to raise the level of confidence for a domain
  • # cases generated
  • Severity of cases generated
  • Policy / Regulation
  • Findings from earlier stages of confidence escalation
  • Revenue at risk (forensics based)
  • Revenue at stake (revenue stream based)
  • Margin / Forecast Variance Reduction
Controls Monitoring Contract
A controls monitoring contract establishes:
  • Who will be responsible for running the control
  • Who will be responsible for monitoring the control
  • How often the control will be checked
  • How often the running of the monitoring operation will be reported to the RA team
Deliverable: Controls Monitoring Contract
Level 5: Compliance
When a domain is at the compliance level, that means that the agreed-upon coverage plan has been successfully implemented, and the RA team is performing the agreed-upon level of compliance verification. Compliance monitoring is reported via the RA – Compliance Reporting framework, which tracks the number of alarms, the number of checks, etc.
Deliverable: Compliance Verification Reports
The Case Management Process
Case Management: Objectives
The case management process is dedicated to the:
  • Capture
  • Analysis
  • Resolution
of reported cases of revenue loss or risk of revenue loss.
Case Management – Sources
Case management is mostly a forensics process. Cases can be generated by:
  • Harvesting sources (call center, internal audit, operational managers)
  • Compliance – control alarms
  • Revenue / Risk scenarios
How does case management work?
The RA team:
  • Establishes a mechanism for the capture and reporting of cases
  • Assigns cases to team members based upon skill, availability, budgeted time
  • Investigates cases and creates “findings reports” at the close of each case
See GRAPA Standards for Forensics Methods.
Revenue Stream Management
  • Revenue Mapping
  • Margin tracking
  • Financial report assurance
RA Skills Assessment Methodology

Domain management methodology
