SYMPHONY ERMS — WORKFLOW OVERVIEW
How Symphony ERMS Works — End to End
Risk identification · Control mapping · Assessment · Incident logging · Treatment · Board reporting
- Risk Register: identify & log risks with controls
- HOD Approval: Maker–Checker verification
- Risk Review: Risk team finalisation
- RCSA Assessment: periodic control testing & scoring
- Log Incident: record breach & treatment plan
- Board Dashboard: heatmaps & residual risk
Key Design Principle: Symphony ERMS enforces Maker–Checker–Reviewer segregation at every step — from risk creation to incident closure. Risk culture stops being a compliance checkbox and becomes a structured, organisation-wide discipline. Every action is traceable, every approval is logged, and every decision is defensible.
Without Symphony ERMS
- Risk registers maintained in Excel — version-controlled by email, no single source of truth
- No structured approval workflow — risks entered and forgotten without review
- Incidents logged informally or not at all — no structured treatment plans
- RCSA assessments done manually — inconsistent methodology across departments
- Risk scores computed differently by each team — no standardised formula
- Board receives static decks with stale data — no real-time heatmaps or drill-down
With Symphony ERMS
- Centralised risk register with role-based access — one version, always current
- Configurable Maker–Checker–Reviewer workflow enforced at every stage
- Structured incident logging with mandatory treatment plans and closure tracking
- Standardised RCSA with configurable assessment campaigns and control testing
- Inherent Risk Score, Residual Risk Score and Control Impact derived automatically
- Live heatmaps, trend charts, and drill-down dashboards for the Risk Committee and Board
User Roles & Responsibilities
Built for every stakeholder in your risk framework.
Risk management works only when every role is clearly defined. Symphony ERMS enforces accountability by design — not by policy.
Risk Owners
Department Heads / HODs
- Identify and own department-specific risks
- Perform periodic RCSA for their unit
- Log incidents as they occur
- Ensure action plans are completed on time
Control Owners
Operational Staff
- Attest to effectiveness of controls they operate
- Provide evidence for control testing
- Notify Risk Owner if a control is failing
- Update walkthrough documentation
Risk Officers / CRO
Central Risk Team
- Administer the standardised risk library
- Launch and monitor assessment campaigns
- Analyse incident trends across the organisation
- Report to the Risk Management Committee
Auditors
Independent Verification
- View-only access to verify assessment accuracy
- Log audit findings that trigger action plans
- Track remediation and closure status
Executives / Trustees
Board Oversight
- Live heatmaps and executive dashboards
- Monitor residual risk vs approved appetite
- Historical trend of risk scores over assessments
System Administrators
Configuration & Masters
- Configure Company Group, Company, Department
- Manage risk categories, score parameters
- Define rating bands and control types
Platform Capabilities
Six core modules. One complete risk management system.
Risk Register & Control Mapping
- Structured risk entry with full metadata — category, department, function, activity, frequency, and risk owner
- Each risk supports one or more controls with type classification (Automated / Manual, Preventive / Detective)
- Control attributes: walkthrough evidence, test procedures, sample size, and incident reporting
- Maker–Checker workflow from Draft → Pending HOD Approval → Pending Risk Review → Finalised
- Full change history visible to every reviewer at each approval stage before sign-off
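The Draft → Pending HOD Approval → Pending Risk Review → Finalised chain above is, in effect, a small state machine with a segregation-of-duties rule attached to every transition: whoever made a change may not check it, and whoever checked it may not also review it. The following Python is an added illustration written for this page, not Symphony ERMS code. The four state names are the page's; the role names, the user identifiers, the rejection-back-to-Draft path and the fields of the audit record are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class State(Enum):
    DRAFT = "Draft"
    PENDING_HOD = "Pending HOD Approval"
    PENDING_RISK_REVIEW = "Pending Risk Review"
    FINALISED = "Finalised"


class Role(Enum):
    MAKER = "maker"          # Risk Owner who creates or edits the entry (assumed name)
    HOD = "hod"              # Department head acting as checker (assumed name)
    RISK_TEAM = "risk_team"  # Central risk team acting as reviewer (assumed name)


# For each state that still accepts actions: the role allowed to act, and the
# state reached when that role approves. Finalised is terminal.
TRANSITIONS = {
    State.DRAFT: (Role.MAKER, State.PENDING_HOD),
    State.PENDING_HOD: (Role.HOD, State.PENDING_RISK_REVIEW),
    State.PENDING_RISK_REVIEW: (Role.RISK_TEAM, State.FINALISED),
}


class WorkflowError(Exception):
    """A transition violated the workflow order or segregation of duties."""


@dataclass
class RiskEntry:
    risk_id: str
    state: State = State.DRAFT
    participants: dict = field(default_factory=dict)  # user -> the one role they hold on this entry
    audit_log: list = field(default_factory=list)     # every accepted and denied action

    def _record(self, user, role, action, old, new, note=""):
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "risk_id": self.risk_id, "user": user, "role": role.value,
            "action": action, "from": old.value, "to": new.value, "note": note,
        })

    def _deny(self, user, role, reason):
        # Denied attempts are logged as well: repeated self-approval attempts are a signal worth seeing.
        self._record(user, role, "denied", self.state, self.state, reason)
        raise WorkflowError(reason)

    def _act(self, user, role, action, note=""):
        if self.state not in TRANSITIONS:
            self._deny(user, role, f"{self.risk_id} is {self.state.value}; no further action allowed")
        required_role, next_state = TRANSITIONS[self.state]
        if role is not required_role:
            self._deny(user, role, f"{role.value} may not act while {self.risk_id} is {self.state.value}")
        if action == "reject" and role is Role.MAKER:
            self._deny(user, role, "only a checker or reviewer can reject")
        # Segregation of duties: a person holds at most one role per entry, so the
        # maker can never check, and the checker can never also review.
        prior = self.participants.get(user)
        if prior is not None and prior is not role:
            self._deny(user, role, f"{user} already acted as {prior.value} on {self.risk_id}")
        old = self.state
        self.state = State.DRAFT if action == "reject" else next_state
        self.participants[user] = role
        self._record(user, role, action, old, self.state, note)
        return self.state

    def submit(self, user):
        return self._act(user, Role.MAKER, "submit")

    def approve(self, user, role):
        return self._act(user, role, "approve")

    def reject(self, user, role, reason):
        return self._act(user, role, "reject", reason)


def run_happy_path():
    """Three distinct people take an entry from Draft to Finalised."""
    entry = RiskEntry("RISK-0001")  # constructed identifier
    entry.submit("asha")
    entry.approve("bharat", Role.HOD)
    entry.approve("chitra", Role.RISK_TEAM)
    return entry


def run_self_approval_attempt():
    """The maker tries to act as her own HOD checker; the attempt is denied and logged."""
    entry = RiskEntry("RISK-0002")  # constructed identifier
    entry.submit("asha")
    try:
        entry.approve("asha", Role.HOD)
    except WorkflowError:
        pass
    return entry


if __name__ == "__main__":
    for rec in run_happy_path().audit_log + run_self_approval_attempt().audit_log:
        print(rec["risk_id"], rec["user"], rec["role"], rec["action"], rec["from"], "->", rec["to"], rec["note"])
```

Each transition checks three things before it mutates anything: the entry is in a state that still accepts actions, the caller's role is the one that state expects, and the caller has not already acted in a different role on the same entry. The last check is what makes self-approval impossible even when one login happens to carry several roles, and because denials are written to `audit_log` alongside approvals, a reviewer sees not only who signed off but also who tried to and was refused.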
Risk Scoring Engine
- Configurable scoring masters for Impact, Probability, Control Effectiveness, and Control Criticality (each 1–5 scale)
- Inherent Risk Score (RS), Control Impact Score (CS), and Residual Risk Score (RRS) derived automatically
- Rating bands: Low → Low-to-Medium → Medium → Medium-to-High → High, each mapped to a coverage %
- Risk ratings: Low / Medium / High / Critical — thresholds configurable by the Risk Team without IT involvement
RCSA & Control Testing
- Risk team creates periodic assessment plans — covering all risks or a selected set by criticality
- Sample sizes for control testing computed automatically from the activity's frequency setting
- Multiple test results and document evidence attachments supported per control within a plan
- Risk Officers update scoring parameters during the assessment to arrive at the Residual Risk Score
- Ad hoc assessments triggered from incidents automatically include all risks linked to that incident
Incident Management
- Structured incident logging with mandatory preventive treatment and tentative action plan fields
- Maker → HOD → Risk Team approval chain — mirrors the risk register workflow exactly
- Incidents linked to risk categories and parameters to enable trend analysis across the organisation
- Treatment plans carry definitive closure dates and appear as pending items against each linked risk
- Final version requires department HOD approval before the incident can be closed
Risk Treatment & Action Plans
- Treatment plans with definitive closure dates tagged against specific risks in assessment plans or incidents
- Automated pendency tracking — configurable notifications and reminders based on planned closure dates
- Risk Officers verify and formally close action plans once business units confirm resolution
- Audit Findings logged by independent auditors automatically trigger action plans in Symphony
- Complete traceability from finding to treatment to closure — audit-ready at any time
Dashboards, Heatmaps & Trend Reporting
- Live risk heatmaps (Probability × Impact matrix) with drill-down by department, category, or entity
- Historical trend of Inherent Risk Score and Residual Risk Score across successive assessments
- Controls improving or deteriorating over time — visible to the Risk Committee at a glance
- Executive dashboards for Board, Trustees, and the Risk Management Committee
- Risk Appetite Framework reporting with RAG parameter tracking across Operational, Technology, Compliance, and Talent risk
How Risk is Scored
From Inherent Risk to Residual — a transparent, formula-driven process.
Every score is derived automatically. Risk Officers see exactly how each number is computed — no black boxes.
Risk Heatmap
Real-time visualisation of your organisation's risk landscape.
The heatmap plots every risk by Impact × Probability. Drill-down by department, company, or risk category. Refreshed automatically after each assessment. Historical overlays show how the risk profile is shifting over time.
Sample Heatmap — Probability vs Impact (axes: Impact ↑, Probability →; rating bands: Low, Medium, High, Critical)
Built For
Which organisations benefit from Symphony ERMS?
Asset Management Companies (AMCs)
- SEBI-aligned RCSA across all departments
- Risk Appetite Framework with RAG parameters
- Operational, compliance, and technology risk tracking
Banks & NBFCs
- Multi-department, multi-entity risk governance
- ICoFR breach tracking and financial reporting risk
- Audit finding management with action plan closure
Large Corporates & Conglomerates
- Multi-company group hierarchy (Company Group → Company → Department)
- Standardised risk methodology across subsidiaries
- Group-level Board reporting and residual risk monitoring