System and methods for integrated compliance monitoring

US 7,853,468 B2
Filed: 08/30/2002
Issued: 12/14/2010
Est. Priority Date: 06/10/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of monitoring compliance for an organization, the computer-implemented method comprising the steps of:

providing, using a central processing unit (CPU), a plurality of compliance-related questions to participants of compliance monitoring for an organization, wherein the participants include at least one question designer and at least one assessor;

assigning by the at least one question designer, in a data processing system, a probability of occurrence value to each of the plurality of compliance-related questions, wherein the probability of occurrence value is a rating for a probability of occurrence for a threat posed by a compliance-related question;

collecting from the at least one assessor, in the data processing system, a plurality of responses to the plurality of compliance-related questions, wherein the plurality of responses include assigning a residual risk value and an impact value to each of the plurality of compliance-related questions, wherein the residual risk value is a value of the threat posed by the compliance-related question, and wherein the impact value is a value of how critical is a result of the threat posed by the compliance-related question if the threat is realized;

establishing, using the CPU, a risk rating for each of the compliance-related questions, the risk rating determined from averaging together the values for residual risk, probability of occurrence, and impact, so as to express the risk rating as a function of the residual risk value, probability of occurrence value, and impact value for each of the plurality of compliance-related questions; and

producing, using the CPU, an assessment including at least some of the plurality of responses and the risk rating for at least some of the plurality of compliance-related questions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and methods for integrated compliance monitoring. Various application modules work together to accomplish risk assessment and compliance monitoring. A risk assessment module facilitates the development of risk ratings based on responses to a plurality of compliance-related questions. The system can also include an action tracking module, and can further include a training module and a self-assessment module to determine individual compliance gaps. A common database is operatively connected to the modules to monitor the completion of assessments and to track actions based on remediation plans. In some embodiments, the invention is implemented via a computing platform or a collection of computing platforms interconnected by a network, such as a corporate intranet, in which case a web browser can facilitate use of the invention.

311 Citations

41 Claims

1. A computer-implemented method of monitoring compliance for an organization, the computer-implemented method comprising the steps of:
- providing, using a central processing unit (CPU), a plurality of compliance-related questions to participants of compliance monitoring for an organization, wherein the participants include at least one question designer and at least one assessor;
  
  assigning by the at least one question designer, in a data processing system, a probability of occurrence value to each of the plurality of compliance-related questions, wherein the probability of occurrence value is a rating for a probability of occurrence for a threat posed by a compliance-related question;
  
  collecting from the at least one assessor, in the data processing system, a plurality of responses to the plurality of compliance-related questions, wherein the plurality of responses include assigning a residual risk value and an impact value to each of the plurality of compliance-related questions, wherein the residual risk value is a value of the threat posed by the compliance-related question, and wherein the impact value is a value of how critical is a result of the threat posed by the compliance-related question if the threat is realized;
  
  establishing, using the CPU, a risk rating for each of the compliance-related questions, the risk rating determined from averaging together the values for residual risk, probability of occurrence, and impact, so as to express the risk rating as a function of the residual risk value, probability of occurrence value, and impact value for each of the plurality of compliance-related questions; and
  
  producing, using the CPU, an assessment including at least some of the plurality of responses and the risk rating for at least some of the plurality of compliance-related questions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1 further comprising the step of calculating, using the CPU, an overall risk rating based on the risk rating for at least some of the plurality of compliance-related questions and wherein the assessment further includes the overall risk rating.
  - 3. The computer-implemented method of claim 2 further comprising the step of acquiring, in the data processing system, an approval for the assessment.
  - 4. The computer-implemented method of claim 3 further comprising the step of recording, in the data processing system, a remediation plan associated with at least one of the plurality of compliance-related questions and wherein the assessment includes the remediation plan.
  - 5. The computer-implemented method of claim 4 further comprising the step of tracking actions associated with the remediation plan in the CPU.
  - 6. The computer-implemented method of claim 2 further comprising the step of recording, in the data processing system, a remediation plan associated with at least one of the plurality of compliance-related questions and wherein the assessment includes the remediation plan.
  - 7. The computer-implemented method of claim 6 further comprising the step of tracking actions associated with the remediation plan using the CPU.
  - 8. The computer-implemented method of claim 1 further comprising the step of acquiring, in the data processing system, an approval for the assessment.
  - 9. The computer-implemented method of claim 8 further comprising the step of recording, in the data processing system, a remediation plan associated with at least one of the plurality of compliance-related questions and wherein the assessment includes the remediation plan.
  - 10. The computer-implemented method of claim 9 further comprising the step of tracking actions associated with the remediation plan using the CPU.
  - 11. The computer-implemented method of claim 1 further comprising the step of recording, in the data processing system, a remediation plan associated with at least one of the plurality of compliance-related questions and wherein the assessment includes the remediation plan.
  - 12. The computer-implemented method of claim 11 further comprising the step of tracking actions associated with the remediation plan using the CPU.

13. A non-transitory computer readable medium having stored thereon a computer program code, the computer program code including instructions which, when executed by a processor, cause the processor to perform the method comprising:
- providing a plurality of compliance-related questions to participants of compliance monitoring for an organization, wherein the participants include at least one question designer and at least one assessor;
  
  assigning by the at least one question designer a probability of occurrence value to each of the plurality of compliance-related questions, wherein the probability of occurrence value is a rating for a probability of occurrence for a threat posed by a compliance-related question;
  
  collecting from the at least one assessor a plurality of responses to the plurality of compliance-related questions;
  
  assigning by the at least one assessor a residual risk value and an impact value to each of the plurality of compliance-related questions, wherein the residual risk value is a value of the threat posed by the compliance-related question, and wherein the impact value is a value of how critical is a result of the threat posed by the compliance-related question if the threat is realized;
  
  establishing risk ratings comprising at least a risk rating for each of the plurality of compliance-related questions based on the responses, the risk rating determined from averaging together the values provided for residual risk, probability of occurrence, and impact, so as to express the risk rating as a function of the residual risk value, probability of occurrence value, and impact value for each of the plurality of compliance-related questions; and
  
  producing an assessment including at least some of the plurality of responses and at least some of the risk rating for each of the plurality of compliance-related questions.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer readable medium of claim 13 further comprising acquiring an approval for the assessment.
  - 15. The non-transitory computer readable medium of claim 14 further comprising recording a remediation plan associated with at least one of the plurality of compliance-related questions.
  - 16. The non-transitory computer readable medium of claim 15 further comprising tracking actions associated with the remediation plan.
  - 17. The non-transitory computer readable medium of claim 13 further comprising recording a remediation plan associated with at least one of the plurality of compliance-related questions.
  - 18. The non-transitory computer readable medium of claim 17 wherein the computer program further comprises instructions for tracking actions associated with the remediation plan.

19. Apparatus for facilitating compliance monitoring, the apparatus comprising:
- means for providing a plurality of compliance-related questions to participants of compliance monitoring for an organization, wherein the participants include at least one question designer and at least one assessor;
  
  means for assigning by the at least one question designer a probability of occurrence value to each of the plurality of compliance-related questions, wherein the robabilit of occurrence value is a ratin for a ,robabilit of occurrence for a threat posed by a compliance-related question;
  
  means for collecting from the at least one assessor a plurality of responses to a plurality of compliance-related questions;
  
  means for assigning by the at least one assessor a residual risk value and an impact value to each of the plurality of compliance-related questions, wherein the residual risk value is a value of the threat posed by the compliance-related question, and wherein the impact value is a value of how critical is a result of the threat posed by the compliance-related question if the threat is realized;
  
  means for establishing risk ratings comprising at least a risk rating for each of the plurality of compliance-related questions based on the responses, the risk rating determined from averaging together the values for residual risk, probability of occurrence, and impact, so as to express the risk rating as a function of the residual risk value, probability of occurrence value, and impact value for each of the plurality of compliance-related questions; and
  
  means for producing an assessment including at least some of the responses and at least some of the risk ratings.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The apparatus of claim 19 further comprising means for acquiring an approval for the assessment.
  - 21. The apparatus of claim 20 further comprising means for recording a remediation plan associated with at least one of the plurality of compliance-related questions.
  - 22. The apparatus of claim 21 further comprising means for tracking actions associated with the remediation plan.
  - 23. The apparatus of claim 19 further comprising means for recording a remediation plan associated with at least one of the plurality of compliance-related questions.
  - 24. The apparatus of claim 23 further comprising means for tracking actions associated with the remediation plan.

25. A system for facilitating compliance monitoring, the system comprising:
- an instruction execution platform further comprising a memory device and a processing device operatively coupled to the memory device, wherein the processing device is configured to execute computer-readable program code of at least one application module, wherein the at least one application module comprises at least;
  
  a risk assessment module, the risk assessment module operable to produce an assessment by;
  
  providing a plurality of compliance-related questions to participants of compliance monitoring for an organization, wherein the participants include at least one question designer and at least one assessor;
  
  assigning by the at least one question designer a probability of occurrence value to each of the plurality of compliance-related questions, wherein the probability of occurrence value is a rating for a probability of occurrence for a threat posed by a compliance-related question,collecting responses from the at least one assessor wherein the responses include assigning a residual risk value and an impact value to each of the plurality of compliance-related questions, wherein the residual risk value is a value of the threat posed by the compliance-related question, and wherein the impact value is a value of how critical is a result of the threat posed by the compliance-related question if the threat is realized,determining risk ratings from averaging together the values provided for residual risk, probability of occurrence, and impact, so as to express the risk rating as a function of the residual risk value, probability of occurrence value, and impact value, andproducing the assessment including at least some of the responses and at least some of the risk ratings; and
  
  a database operatively coupled to the instruction execution platform for storing and retrieving data produced by the at least one application module and operable to facilitate review, approval and action tracking related to the assessment.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 40)
- - 26. The system of claim 25 wherein the database is disposed within the instruction execution platform.
  - 27. The system of claim 26 wherein the risk assessment module further comprises a plurality of tailored risk assessment templates.
  - 28. The system of claim 25 wherein the database is disposed within a server which is operatively connected to the at least one application module through a network.
  - 29. The system of claim 28 wherein the at least one application module is accessed by a user via a web page.
  - 30. The system of claim 29 further comprising an email server for sending email notifications related to the assessment.
  - 31. The system of claim 30 wherein the risk assessment module further comprises a plurality of tailored risk assessment templates.
  - 32. The system of claim 29 wherein the risk assessment module further comprises a plurality of tailored risk assessment templates.
  - 33. The system of claim 28 wherein the risk assessment module further comprises a plurality of tailored risk assessment templates.
  - 34. The system of claim 25 wherein the risk assessment module further comprises a plurality of tailored risk assessment templates.
  - 40. The system of claim 25 further comprising a training module operatively connected to the instruction execution platform to train employees on compliance requirements.

35. A computer-implemented method of achieving and monitoring compliance for an organization, the computer-implemented method comprising:
- selecting, from a database, participants for achieving and monitoring compliance for an organization, wherein the participants include at least one question designer and at least one assessor;
  
  designing by the at least one question designer, in a data processing system, a plurality of compliance-related questions, wherein the at least one question designer assigns a probability of occurrence value to each of the plurality of compliance-related questions, wherein the probability of occurrence value is a rating for a probability of occurrence for a threat posed by a compliance-related question;
  
  collecting from the at least one assessor, in the data processing system, a plurality of responses to the plurality of compliance-related questions;
  
  assigning, in the data processing system, a residual risk value and an impact value to each of the plurality of compliance-related questions by the at least one assessor, wherein the residual risk value is a value of the threat posed by the compliance-related question, and wherein the impact value is a value of how critical is a result of the threat posed by the compliance-related question if the threat is realized;
  
  determining, using a central processing unit (CPU), a risk rating for each of the plurality of compliance-related questions, the risk rating determined from averaging together the value assigned for probability of occurrence by the question designer and the values assigned for residual risk and impact by the assessor, so as to express the risk rating as a function of the residual risk value, probability of occurrence value, and impact value for each of the plurality of compliance related questions; and
  
  producing, using the CPU, an assessment including at least some of the plurality of responses and the risk rating for at least some of the plurality of compliance-related questions.
- View Dependent Claims (36, 37, 38, 39, 41)
- - 36. The computer-implemented method of claim 35, wherein the participants further include at least one data guardian for reviewing the assessment prior to approval.
  - 37. The computer-implemented method of claim 35, wherein the participants further include at least one approver for providing approval of the assessment, wherein the at least one approver for providing approval of the assessment is selected from the group consisting of a data guardian and an executive.
  - 38. The computer-implemented method of claim 35, wherein the at least one assessor provides at least one remediation plan for at least one of the plurality of compliance-related questions.
  - 39. The computer-implemented method of claim 38, wherein the at least one remediation plan comprises training employees of the organization on compliance requirements.
  - 41. The computer-implemented method of claim 35, wherein the overall risk rating includes a weighting of the responses to the plurality of compliance-related questions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Ericson, Martin William Jr., Callahan, Roger Michael
Primary Examiner(s)
LOFTIS, JOHNNA RONEE

Application Number

US10/232,115
Publication Number

US 20030229525A1
Time in Patent Office

3,028 Days
Field of Search

705/1, 705/8
US Class Current

705/7.28
CPC Class Codes

G06Q 10/0635   Risk analysis of enterprise...

G06Q 10/06395   Quality analysis or management

G06Q 40/08   Insurance

System and methods for integrated compliance monitoring

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

311 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for integrated compliance monitoring

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

311 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links