Main Page

From RiskWiki
Jump to: navigation, search

The BPC RiskWiki



Quick Index

Introduction to the RiskWiki

This wiki is sponsored by Bishop Phillips Consulting ( for the education, use and enjoyment of our clients, educators, the public and professionals involved in management consulting and risk advisory, compliance, internal audit, insurance claims management, safety, governance and risk analysis industries. It provides reference articles on management, risk and risk related functions including: Risk Management, Internal Audit, Governance, Compliance, and Process Reengineering, etc.

The RiskWiki is based on the articles, methods, manuals and papers of primarily three firms: Bishop Phillips Consulting P/L, Stanton Consulting Partners and Bishop Finance P/L. These firms are contributing a large body of work amassed over many years experience with hundreds of clients. The project to convert and upload much of our BPC software help & manuals, extended body of consulting, risk and internal audit methods and models, and education and research materials is a large and time consuming project so the RiskWiki content changes frequently and will do so for the foreseeable future.

With the exception of all software documentation, and those additional documents marked otherwise, all written material on this site may be used freely by readers for any purpose including reproduction, subject only to the retention of moral rights by the authors. Some articles may include images for which additional permission may be reuired prior to reproduction. Software documentation may be duplicated in hard-copy for internal use by registered users of the systems with current maintenance agreements. Other uses of software systems documentation will be considered on written request.

Things to See in The RiskWiki

BPC RiskManager

  • Are you looking for BPC RiskManager Documentation or to learn more about the software?
BPC RiskManager V6261 Main Screen.jpg
Bishop Phillips supplies the BPC RiskManagement suite of governance software that provides a complete governance solution across risk management, controls management, compliance management, insurance management, claims management, incident & hazard management, audit risk management, governance document management and survey generation and management. The system can be installed in configurations ranging from single-user to very large scale enterprise configurations.

The system is particularly suited to managing and reporting on the risk and compliance management tasks of government agencies, whole of government, special project, not-for-profits, insurance providers, service industries, utilities, and tertiary education sectors. You will find an extensive body of information covering technical, administration and user level tasks here.

If you have questions they may be answered in our frequently asked questions.

Frequently asked Questions About BPC RiskManger

BPC RiskManager Client - Browser Setup For ActiveX Plugins using IE 7

Browser Setup For ActiveX Plugins using IE 7

  1. From a client computer (or from the application server computer if no client computer is easily available) open Internet Explorer.
  2. Choose “Tools” from the menu bar and “Internet Options” from the menu that appears.
  3. Select the “Security” tab.

    RMC IESetup2.png

  4. Select the zone in which your risk manager application server resides relative to you client computer on the “Select a zone to view or change settings” tool bar. The diagram shows "Intranet Zone" which is the normal situation, but depending on your intended server destination you might need to choose a different zone - such as "Internet Zone"
  5. Select “Custom Level”
  6. On the “Security Settings” window scroll through the settings list until you find the “Download signed ActiveX Controls” setting. Enable the “Prompt” option (which is Microsoft’s recommended setting). Our ActiveX controls are signed with current Verisign ceritificates. Administrators can achieve higher level of security by also flagging controls from Bishop Phillips Consulting as being trusted, or from the riskmanager application server web site as being trusted – but the recommended setting should be enough.

    RMC IESetup1.png

  7. We also set the automatic prompting for ActiveX controls to enable, but this may not be required in all scenarios.
  8. Scroll a little further down the list and enable the running of ActiveX plugins as follows:

    RMC IESetup3.png

  9. Now select OK and close the security settings window, and select OK again and close the Internet Options window. You should now be back at your browser window.
Read More..
Featured Article...

BPC RiskManager V6 Enterprise (Enrima Edition)

The BPC RiskManager Software Suite - Features

What is the BPC RiskManager Software Suite?

The BPC RiskManager Software suite is an Enterprise Grade risk management & governance software suite supplied worldwide, and developed and supported by Bishop Phillips Consulting. Originally developed between 1995 and 1997, the system is now in its 6th major version release with updates released roughly every 3 months. Version 6 was originally released in 2006, and the Enrima Edition (the current release) in 2008. The latest release is July 2010.

BPC RiskManager is available in 2 product streams (both of which can be configured as single user desktop or massively multiuser networked solutions). The two product streams are:

  • BPC RiskManager V5 (Express)
  • BPC RiskManager V6 (Enrima Edition)

While there are a lot of similarities between the systems, they are not identical and not data compatible. BPC RiskManager V5 (Express) is maintained on an an annual update cycle, while BPC RiskManager (Enrima Edition) is maintained on a quarterly (every 3 months) update cycle.

In terms of scalability, both systems will handle thousands of simultaneous users, and both model risk management at the enterprise level and project level. Both systems include risk, controls/strategies, consequences, survey, compliance, incident management support and both systems feature customisable screens and field names. Both systems allow multiple simultaneously active databases.

The essential differences are in depth and complexity of issues supported and expandability of the system. Here they have significant differences. Express is designed to be extremely simple and consequently excludes both depth and breadth beyond the functions of a risk and compliance register. It therefore is able to present almost all its risk or compliance record data on a single screen.

In the Enrima V6 series this single screen display is not possible as the both multiple views and considerable anciliary management objects are brought into the system (such as documents, assets, assertions, insurance, claims, etc).

BPC RiskManager V6.2.5 (Enrima Edition)

BPC RiskManager V6261 Main Screen.jpg

BPC RiskManager - Who should use it?


BPC RiskManager designed to manage the governance function of an organisation. It therefore fits in audit, risk management, compliance management, insurance risk management, environmental risk management, project risk management, human resources, OHS and strategic planning. It delivers functions covering both ther strategic and the operational functions of these disciplines. For example the claims module actually manages insurance claims (not merely registering them), the document management system is capable of actually managing documents (not merely cataloguing them), the compliance and strategy systems actually manage the remediation of the issue, etc.

It functions best as an integrated solution with multiple governenance teams using the one system. With each release we expand the governance functions in the system.


BPC RiskManager is designed to scale. There are four types of clients using it:

  1. . Single user or small work groups running off a single user install switched to server mode.
  2. . Medium scale enterprises with risk and executive seats on an IT group managed server / in-cloud and database.
  3. . Large scale enterprise with many seats actively managing general risks and compliance issues and project risks, etc
  4. . Hosting consolidators providing cloud services to many clients in different organisations with many databases.

Every version of BPC RiskManager (from the single user install, up) comes capable of operating in all these modes. For each type of operation there are specific features built in to aid maintenance and management (including multi database bulk operatiions for hosting providers).

BPC RiskManager Features

BPC RiskManager V6.2.5 (Enrima Edition) (often referred to as RiskManager V625 or Enrima), is a powerful risk and compliance management solution with an almost unlimited range of end-user configurable solutions. It delivers:

  • General
    • Totally end-user configurable (change almost any label or caption or search relationship, re-task fields, define your own risk and compliance model, build your own reports, define your own work flows, customisable messages, define your own risk structure, etc)
    • Runs out-of-the-box (ready to use immediately after install in single-user or small work group mode).
    • Provides an optional fast configure mode (shown on first run of any client and available at any time thereafter).
    • An extremely versatile ratings engine support multiple methods of ratings compliance and risk issues. Each item can simultaneously store different ratings for inherent, residual, auditor, reviewer and unlimited current self ratings for each of likelihood, impact and (residual) risk. It also holds additional ratings for compliance breach, compliance rating, and unlimited assertion sets.
    • Ratings can be rolled up through trees of risks and compliance issues

  • Functional
    • Risk Management
    • Compliance Management
    • Incident Management
    • Planning
    • Document Management

  • Registers
    • General Risk register(s) with unlimited risk types and able to distinguish project and general risks
    • Project Risk register(s)
    • Compliance register(s) with unlimited assertions/questions and assertions/question groups AND pure HTML based compliance surveys / checklists
    • Incident & Hazard register
    • Insurance register
    • Claims register
    • Legal register
    • Document register
    • Causes register
    • Consequence & impact register
    • Standard strategies register (Type of Control)
    • Strategies & control register
    • Actions register
    • Work flow register
    • Asset register
    • Business plan register
    • Survey register
    • Access control

  • Evaluation engines
    • Risk & compliance rating
    • Question & assertion rating
    • Assessments engine
    • Survey rules engine
    • Charting engine
    • Email management engine
    • Exception tracking engine

  • Work flow control systems
    • Work flow engine
    • Instantaneous internal message engine
    • Instant and batched email management engine
    • PAX & TMS ScripterStudio scripting engines
    • Survey management system
    • Exception tracking engine

  • Data reporting and access
    • Master-child and folder structures can have unlimited mixed general, project and compliance risks members, across multiple registers. In addition to implied relational structures, there are multiple tree structures used to link objects across the application. Two of these of particular relevance to end users are the folder tree and master-child hierarchical network. Both of these tools provide ways to group risk and compliance issues in roll-up and dependency relationships, as well as pools of mutually associated items. These structures are understood by the search and reporting engines.
    • Unlimited risk structuring - risk folders to any depth, risk-linking, risk categorisation, unlimited master-child structures, etc
    • Tree, search and flat risk navigation simultaneously supported
    • Risks/compliance issues can inhabit any number of tree folders simultaneously (allowing multiple grouping and reporting frameworks with risk roll up)
    • Link Objectives, assertions, questions, processes, legislative/regulator obligation, causes, risks, consequences, compliance obligations, controls / strategies, actions, risk history, incidents / hazards, people, supporting documentation, and information web-sites, and more.
    • Full live search-able audit trail of all changes
    • Storable searches used through-out the application to access and feed data to tables, views, folders and reports
    • Multiple reporting engines:
      • Built-in pre-written reports
      • Very powerful, programmable end user report writer and manual (outputs in various formats including HTML and PDF)
      • Word Document (mail-merge) style report engine
      • SurveyManager Instant Reporting engine (maps survey response reports back into the survey layout)
      • BPC SurveyManager operating in web forms mode is a powerful reporting engine in its own right
      • Query Exporter (Administrator only - can cross feed to the import engine creating an excellent method for doing bulk updates based on extracted data)
      • Search based end user export
      • Built-In Charting
      • End-user charting
    • End user sample reports
    • Copy and paste from / to word and XL
    • Powerful import/export administrator only tool
    • Search / chart driven general user export in various formats including XL and PDF
    • Dashboard with drill through to risk collections, risks, assessments and incidents
    • Dashboard risk collections configurable via folder tree view system (so any risk/compliance topic can be put to the dashboard with unlimited layers of drill through).

  • Messaging
    • Built-in automated email messaging based on events and dates for a wide range of scenarios, and occurrences, with email contents able to be fed by custom reports from the report writer.
    • Multiple levels of responsibility assignment on all trackable objects
    • Risk Message racking and work flow message tracking

  • Secretarial, Administration and Desktop Integration
    • MS Office compatible
    • Copy and paste from / to word and XL
    • Powerful import/export administrator only tool
    • Search / chart driven general user export in various formats including XL
    • Spell checking using your MS Word dictionary
    • Simple point and select search system but with an option for savable advanced query writer custom searches if required.
    • Extensive configuration and customisation screens to support tuning the system to do just what you want.
    • Dynamic screen captions allowing you to adopt your own terminology, which also appear to the report writer as the names of the fields
    • Smooth support for large and small fonts and 96dpi and 120dpi and other screen resolutions
    • Works on all versions of windows from W2000 up, including Vista and Version 7.
    • Fast fully automated installation and upgrade system.
    • Available in single/small work group and enterprise configurations

  • Compliance System
    • Compliance obligations can be viewed as general risks and compliance modes
    • General and project risks can have all compliance mode features including assertions/questions attached (Compliance/Risk views exist simultaneously for all risks).
    • Compliance obligations will support multiple compliance models simultaneously (SOX / Sched7 / General / etc).
    • Compliance obligations are stored internally as risks so they roll up smoothly into the general and project risk register
    • Master-child and folder structures can have unlimited mixed general, project and compliance risks members, across multiple registers. In addition to implied relational structures, there are multiple tree structures used to link objects across the application. Two of these of particular relevance to end users are the folder tree and master-child hierarchical network. Both of these tools provide ways to group risk and compliance issues in roll-up and dependency relationships, as well as pools of mutually associated items. An issue can belong to many such relationships at once.
    • Selectable screen editing assignment of ratings allows you to choose where and what ratings can be changed for each model
    • Risk & Control Archiving and unarchiving
    • Instant live update of compliance ratings and master-child roll-ups
    • Unlimited assessments and simultaneous self, internal audit and reviewer assessments
    • Simultaneous mixed formula and grid assignable ratings and question/assertion ratings rules for automated rating translation.
    • Compliance responses automatically convert to risk equivalent ratings so that both compliance issues and risks can be seen on the one heat map, and in comparative tables.
    • Unlimited compliance milestones - snapshots of the risk record including all notes and ratings at an instant in time. Some milestone types allow restoration of the milestone to the current instance of the risk / compliance record. Uses include "balance day" records, what-of analysis, audit evidence snapshots.

  • Risk System
    • General and project risks can have all compliance mode features including assertions/questions attached (Compliance/Risk views exist simultaneously for all risks).
    • Master-child and folder structures can have unlimited mixed general, project and compliance risks members, across multiple registers.
    • Risk Tolerances (rating and numeric) for differential risk reporting and automated condition reporting.
    • Likelihood & consequence trigger points
    • Separate audit comment and tracking data for each risk.
    • Multiple modelling systems - inherent, current and residual risk ratings (with optional likelihood, impact, control and residual categories for each rating)
    • Velocity supported at the impact/consequence level
    • Selectable screen editing assignment of ratings allows you to choose where and what ratings can be changed for each model
    • Risk & Control Archiving and unarchiving
    • Instant live update of risk ratings and master-child roll-ups
    • Unlimited assessments and simultaneous self, internal audit and reviewer assessments
    • Simultaneous mixed formula and grid assignable ratings
    • Confidential risks
    • Risk advisory notes for each risk
    • Unlimited risk milestones - snapshots of the risk record including all notes and ratings at an instant in time. Some milestone types allow restoration of the milestone to the current instance of the risk / compliance record. Uses include "balance day" records, what-of analysis, audit evidence snapshots.

  • Incident Management
    • Fully configurable - drop lists, business rules, screens, etc.
    • Incident type determines rules and attributes
    • Multiple handling steps fully tracked - recorder, assignee, reviewer, responder, escalted to, investigator
    • Automatic triggers for review, escalation, investigation, etc based on user configurable rules (triggered by participant information, incident attributes, etc.)
    • Configurable unlimited incident attributes with triggers (for reviews, escalation, enhancements, workflow, etc.) to classify incidents
    • Unlimited configurable incident types (which determine the set of incident attributes applied to the incident)
    • Incidents have a built in workflow – record, assign, review, escalate, resolve, investigate, close
    • Unlimited user defined additional fields for storing extra data
    • Unlimited text fields details/notes, etc for unstructured data
    • Change tracking
    • Separate org structure defnition that lives side by side with the risk management org structure (allowing different structures for risk/compliance and incidents)
    • Structure and rule driven review, escalation and investigation
    • Unlimited incidents per risk/compliance event
    • Incidents attached to more than one risk/compliance topic
    • Incidents can be created and attached to a risk/compliance topic at a later time
    • Notifiers
    • Incident Causes – immediate and underlying (mirrors risk causes)
    • Incident Actions – Current (done) and future, both proposed and approved + action assignment, progress and tracking
    • Proposed actions can be converted to risk / compliance topic controlls
    • Large array of location types (even GPS location specification)
    • Unlimited partcipants per incident (with user defined roles)
    • Particpant records of interview
    • Participant injury tracking
    • Review and investigation reminders

  • Incident Investigations
    • Investigations including progress tracking/status / findings / recommendations, etc
    • Configurable investigation types with differing investigation team structures
    • Investigation external document links
    • Configurable and managed signoff models including separate lists for investigation team members and other parties
    • Investigation signoffs with qualified and dissenting opinion options
    • Investigations build distinct reports

  • Internal Audit System
    • Separate audit risk ratings and notes per risk/compliance issue
    • Separate audit external document links
    • Internal-audit remediation register with assignable tasks and remediation progress, status and outcome recording.
    • Automated access escalation for user flagged as auditors
    • Auditors use the same screens as normal users but have extra fields and facilities
    • Automated CSA survey generation
    • Full change logs kept of key accountable tables (can be expanded to include additional tables including additional tables added by clients)

  • Insurance and claims
    • Insurance register with renewal reminders
    • Insurance policies link to risk/compliance registers via the strategy and controls register, actions register and document registers.
    • Claims management
    • Claims link to risks/compliance registers via incident and insurance registers
    • Incident/Hazards Register (plus hooks for interfacing into a separate incident management system if desired)

  • Causes Register
    • Unlimited risk specific causes per risk
    • Type-of-Cause allows standardisation of causes while allowing complete flexibility in description and instance of a cause (similar to Type-of-Control)
    • Incident and Risk/Compliance causes.
    • Causes can have numeric risk event triggers (allowing concepts such as the "likelihood of exceeding x events in a year")
    • Direct sub linking between causes and strategies and consequences enables cause and effect strategy design and verifiable coverage of causes
    • Causes can be sub linked off Assertions/Questions (the default for compliance screens) allowing low rating compliance questions or analytic steps for remediating breaches to be structured around the causes of each question's failure. This enables the compliance model to be around built around both compliance risk and compliance topics philosophies.
    • As there can be an indefinite number of question sets with an indefinite number of questions per risk / compliance issue, cause structuring can get very deep.
    • Causes integrate with surveys, the scripting engine and external modelling systems to enable programmatic setting of likelihood ratings using additional fields as part of the interface (like the "risk trigger value").

  • Strategies & Controls register
    • Strategies and controls with progress notes and tracking
    • Register and track unlimited strategies and controls
    • Customisable ratings scheme for each control or strategy including any of likelihood, impact, control, (residual) risk over inherent, residual, current self, audit, reviewer, etc ratings groups, as well as five ratings defaulting to authority, reliability, efficiency, economy, and timeliness control assertions.
    • Officially mandated Type-of-Control list provides a template for approved control strategies and allows strategies to be both individually described, and structurally grouped and standardised.
    • Strategies & Controls directly cross link to individual causes and impacts/consequences allowing you to tie specific strategies to one or more causes and consequences of a risk or compliance item.
    • Strategies & Controls can have actions.
    • (Coming soon: unlimited assertion/ratable question sets similar to that used for compliance and risk screens).
    • Includes Responsible officer, delegate, email reminders, assignment tracking, cost and benefit measures, link to insurance, cyclic and one off controls/strategies, flag where insurance expired, due dates exceeded, user defined categories and subcategories, etc.
    • Automatic access rights escalation where read only viewer is accessing a strategy for which they have responsibility
    • Fully customisable messages with or without email running.
    • Survey question library links surveys to strategies
    • Can feed CSA automated surveys

  • Financial Elements Register
    • Unlimited charts of account
    • Account rollup
    • Store performance metrics (budget, actual, transaction volumes, etc)
    • Store audit assessments for each element
    • Link to audit/risk/compliance assertions
    • Ownership
    • Unlimited risks/compliance obligations per account
    • Test plans and test plan scheduling
    • Heat maps for each element with drill through to risks and incidents

  • Document Register
    • Document register for unlimited documents
    • Supports multiple document management strategies simultaneously: unmanaged, delegated management and full management.
    • Unlimited risk/compliance issues may be linked to each managed or unmanaged document.
    • Unlimited unmanaged documents may be linked to a risk-compliance issue
    • Document management can be set at the document or section level on a per-document basis
    • Managed documents track (optionally) full text, responsibilities, review cycles, issuing authority, compliance status, risks/compliance issues assigned, question-assertion status.
    • Managed document sections track (optionally) full text, responsibilities, review cycles, issuing authority, compliance status, risks/compliance issues assigned, question-assertion status.
    • Full snapshot version control operates on managed documents - a full time-stamped copy of the relevant records is made for each change.
    • The document register presents document and section specific lists and heat maps of all risks/compliance issues attached to the document or section and supports export on that basis.
    • Main listing screens support dynamically constructed QBE filters and free text search to enable isolation of documents using specific terms or any of the tracking fields.
  • Store documents internally or interface to your document management system, web site links available for most objects.

  • Work flow engine
    • The work flow system supports two purposes (a) documenting processes with flow charts, and (b) automating RM related activities
    • Work flow modelling and diagramming tool (with a built-in script-able work-flow diagramming subsystem)
    • Work flows can be executed and can invoke RM screens and external applications. Executed work flows can be assigned to individuals and have multiple individuals participating in different steps.
    • Work flows steps can have attachments.

  • Survey engine
    • Full implementation of BPC SurveyManager with customised management client built-in
    • Built in survey engine
    • A full scale (not limited) survey / web forms engine that is licensed for separate use and can be used for far more than just your risk management requirements. Think of something you need to collect data on the BPC SurveyManager will handle it. The SurveyManager can be used to write entire web sites on its own.

  • Access and security
    • Single user mode or secured access modes (end user selectable)
    • Multiple access security support (LDAP,AD, NTGroups, Internal, Trusted, etc)
    • Configurable access rights for access to risk type, business group, business unit, risks over multiple levels of access from none to administration
    • Automatic escalation of access to individual records where the user has responsibility assigned, but otherwise would not have access

  • People & resources
    • People and positions (resources) may be imported in bulk, created individually or automatically created on connection.
    • Resources integrate with the access control system
    • SurveyManager keeps a separate list if resources mirrored with the RiskManager resource tables
    • RiskManager allows for three domains of resources - survey responders (access to specific surveys), risk manager known persons (can be managed by email, assigned responsibilities but do not have access to the system), and risk manager users (access allowed).
    • User access control down to individual business unit risks & issues as read / update / create (See access control).
    • Resources (people) can be retired (removed from lookup windows, etc) without deletion from system (to preserve risk/compliance history integrity).

  • Scalability, Networking and communications
    • N-Tier architecture, can be installed on one computer with the database (as in single user mode) or distributed across multiple servers (as in Enterprise/Web mode).
    • Networked comms supports simultaneous or individual use of Raw TCP/IP, HTTP and HTTPS (SSL) network communications (all with compression)
    • Supports unlimited simultaneous databases (subject to license purchased)
    • Supports unlimited simultaneous application servers (subject to license purchased)
    • Supports unlimited simultaneous survey engines (subject to license purchased)
    • Supports unlimited installed client desktops (subject to license purchased)

  • Other
    • Cost and benefit tracking
    • Full internal scripting language to support end user expansion and external interfacing
    • Interfaces for external complex risk assessment (eg Monte-Carlo modelling risk systems such as Benfield / AON Remetrics)
    • Single point of update publishing for clients

BPC RiskManager Express V5.x


BPC RiskManager Express has a dramatically simplified and restricted user interface, does not maintain structured causes lists (but does have unlimited "contributing factors" descriptions) and allows one level of responsibility for assignment of issues and actions, and does not have an end-user report writer (although it does support both mail-merge and word / XL template driven reporting). It can be configured as either a compliance or a risk solution running on separate databases through the one application server. Like it's more powerful sibling, it will support an indefinite number of databases.

BPC RiskManager Express is targeted at organisations where simplicity of operation and user input overrides the need for granularity of input and analysis, and where the additional governance sub-systems available in BPC RiskManager are not needed (eg insurance, claims, assertion / question rating models, work-flow, assessments, security, assets, etc.)

This riskwiki focuses on BPC RiskManager (Enrima Edition).

Additional Resources

BPC Support Forum
BPC RiskThink Blog
Request a free fully functional trial copy of BPC RiskManager (Enrima)

Read More..

BPC SurveyManager

  • Are you looking for BPC SurveyManager Documentation or to learn more about the software?
BPCSurveyManager DTCV7 SurveyEdit Screen.jpg
Bundled with the BPC RiskManager suite and also supplied in both hosted and installed forms, the BPC SurveyManager software solution is an outstandingly versatile interactive web page generation engine using a survey model as the design and data storage paradigm. While being outstanding at survey creation and management the software is powerful enough to build build conventional data-input web pages. The full technical and SM language programming documentation is available from here.

Research into Virtual Worlds in Business & Education

  • Are you looking for our virtual Learning research papers?
Second Life 042.jpg
Through our Virtual Worlds research group - "Waisman Learning Systems", we do extensive work in the development of virtual learning and business spaces in SecondLife, and undertake considerable formal research into the application of Virtual Worlds to learning. You will find technical and text book material in our Virtual World Learning Systems pages. There is an extensive overview of the literature, and history of virtual worlds, a very large bibliography, details of our in-world networked lecture theatre control systems and lecture delivery systems, and a complete documentation of an extensive academic study undertaken by our WLS team into the effectiveness at achieving learning outcomes of different approaches in delivering course material in 3D virtual worlds.

You will find an extensive reading list and bibliography of works covering virtual worlds and virtual reality concepts, history, ideas, related technologies, and application in learning as well as relevant papers on learning taxonomies and teaching concepts relevant to virtual world learning systems here.

Internal Audit and Management Science

  • Are you heading up an Internal Audit Team or learning internal audit methods?
If yes, you will find complete enterprise level internal audit methods and manuals on this site cross linked to our other management papers. The internal audit manuals cover everything from managing the audit team through planning the audit program to the detail of designing the audit, conducting interviews and undertaking the controls analysis; to reporting the results. Everything you are likely to need to manage and train an internal audit team is here.

  • Are you a manager, management consultant or student of Management Science?
You will find articles covering topics of general management and process management methods in the RiskWiki including the detailed theory and practice of plannning, process re-engineering, control theory and our proven theories in stakeholder network organisation modelling. The work here is generally unique to this site. All methods have been used extensively and effectively in practice. Start here with process engineering.

  • Are you managing a merger or an acquisition?

MnA WhyMerge.jpg
Take a look here first and learn about the risks in mergers and acquisitions and successful strategies for managing them from our team who have been through it successfully from both sides or the equation multiple times.

Take A Random Look At The RiskWiki

From the Vault of the BPC RiskWiki...

RIAM:Overview of the Method

About The Author & The Article

Jonathan Bishop, Group Chairman, Bishop Phillips Consulting. [1]

Copyright 1995-2019 - Moral Rights Retained

This article may be copied and reprinted in whole or in part, provided that the original author and Bishop Phillips Consulting is credited and this copyright notice is included and visible, and that a reference to this web site ( is included.

This article is provided to the community as a service by Bishop Phillips Consulting

Rational Internal Audit Method - Volume 1

About this series

This volume is the first in the Bishop Phillips Consulting Internal Audit series. It presents a brief introduction and overview of the Rational Internal Audit Method (RIAM).

The entire series, taken as one, is a complete course in the conduct, management, and reporting of internal audit. RIAM is unique in that it presents a systematic approach to management assurance, incorporating principles of Total Quality Management in the methods for managing the audit operation, the approach to conducting the audit and in the focus the reviews.

RIAM is not a static product. Consistent with principles of KAIZEN it is continuously improved and updated with the experience and suggestions of your staff and clients. It is the result of our wide experience in providing management assurance services to many different clients in both Government and Commercial environments.

In RIAM, the traditional focus of Internal Audit (IA) on financial issues is considerably expanded to cover all aspects of business functions. Features of RIAM include:

  • A wide focus for IA covering business planning through quality control to product delivery;
  • Incorporation on "Best Practice" models that have evolved into separate consulting services;
  • Incorporation of, and consistency with, the Institute of Internal Auditors Standards, Statements and Pronouncements;
  • Consistency with the "Best Practices Statement" for Internal Audit developed by the Australian National Audit Office for the use and guidance of Commonwealth Agencies;
  • Incorporation systems for the participation of Internal Audit in the design stages of management and computer systems development;
  • Use of the concept of "Assertions" as the basis to the Systems Based Audit.
  • Incorporation of Risk Analysis in every aspect of the audit, from planning through to systems analysis; and
  • Adoption of current theories in the science of Systems Analysis developed at Glascow University and used by its consulting division;

It must be recognised that reading this course will not make you a good an Internal Auditor. The importance of experience can not be stressed too much. What RIAM will do is provide a method for systematically interpreting that experience and ensuring a predictable standard of service delivery.