A Maturity Model For Integrated GRC


A Maturity Model for Integrated GRC
Sponsored by
August 2016

– A Maturity Model for Integrated GRC –

OCEG is a global, nonprofit think tank and community. We invented GRC. We inform, empower and help advance more than 50,000 members on governance, risk management, and compliance (GRC). Independent of specific professions, we provide content, best practices, education, and certifications to drive leadership and business strategy through the application of the OCEG GRC Capability Model and Principled Performance. An OCEG differentiator, Principled Performance enables the reliable achievement of objectives while addressing uncertainty and acting with integrity. Our members include c-suite, executive, management, and other professionals from small and midsize businesses, international corporations, nonprofits, and government agencies. Founded in 2002, OCEG is headquartered in Phoenix, Arizona. For more information visit www.oceg.org.

RSA's Intelligence Driven Security solutions help organizations reduce the risks of operating in a digital world. By improving visibility, analysis and action, RSA solutions give customers the ability to prevent, detect, investigate and respond to IP theft, fraud and cybercrime.

RSA Archer's vision is to help organizations transform compliance, manage risk and exploit opportunity with Risk Intelligence made possible via an integrated, coordinated GRC program. The RSA Archer Maturity Model series outlines multiple segments of risk management that organizations must address to transform their GRC programs.

RSA Archer Maturity Models typically focus on key capabilities enabled by the RSA Archer solutions. For the Integrated GRC Maturity Model presented here, RSA analyzed best practices in some of its largest implementations to gain insight into what it takes to implement an integrated GRC program. You can find other RSA maturity models at

Trademarks
OCEG, the OCEG logo, GRC360, the GRC360 logo, GRC Capability Model and Principled Performance are registered trademarks of OCEG in the United States. EMC, the EMC logo, RSA, Archer, FraudAction, NetWitness and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other products or services mentioned are trademarks of their respective companies.

Table of Contents

Introduction ... 4
Why Integrated GRC? ... 6
Key Capabilities ... 7
The Maturity Journey ... 8
Foundations ... 9
The Siloed Stage ... 10
The Transition Stage ... 12
The Managed Stage ... 14
The Transform Stage ... 16
The Advantaged Stage ... 18
Conclusion ... 19

Introduction

As the think tank that defined the business concept of GRC, OCEG has long talked about the need for a harmonized set of capabilities that enable an organization to reliably achieve its objectives, while addressing uncertainty and acting with integrity. These capabilities are outlined in the GRC Capability Model (“the OCEG Red Book”), the publicly vetted, free and open source standards for GRC planning and execution. The outcome of applying effective GRC is Principled Performance, which demands a mature, integrative approach to governance, risk management and compliance; the component parts of GRC.

Over the past 12 years, since the first release of the OCEG Red Book, organizations of all types and sizes, and in countries all over the world, have embraced the concept of integrated GRC. They have, at various speeds and starting points, evolved their GRC capabilities in organizational structure, processes and technologies.

Yet, many questions remain:

- What represents GRC maturity?
- What are the stages that we must pass through to establish GRC capabilities that truly support the business?
- Do the stages of GRC maturity mean the same capabilities are put in place for every organization?
- What business benefits do we gain from maturing GRC?

To address these questions, RSA Archer, an OCEG GRC Solutions Council member and a leader in GRC technology, has developed the Maturity Model for Integrated GRC drawing from the real world experience of some of its largest users.

We are pleased to share the details of the Maturity Model for Integrated GRC in this eBook, which discusses ways that GRC structures, practices and technologies change as maturity for GRC capability grows. In its pages you will find ways to describe the benefits your organization will gain as you mature your own GRC capabilities to leverage processes, share data and streamline efforts. Use this information to make the business case for starting or continuing movement from siloed reactive, compliance-driven processes to an integrated risk-centric, GRC program in your organization.

[Figure: poll results for “What best describes the maturity of your organization’s current GRC capabilities?”]
Siloed: 32.8%
Transitioning: 35.3%
Managed: 21.8%
Transforming: 6.7%
Advantaged: 3.4%

The trend toward greater GRC maturity overall is easy to see. OCEG recently conducted a poll of 100 GRC in-house professionals primarily in risk, compliance, internal audit and IT roles. Based on the Integrated GRC Maturity Model scale described in this eBook, more than two-thirds of the participants indicate that their organizations are on the journey to greater GRC maturity.

Nearly a quarter report that they have achieved the “Managed” state of maturity, in which core GRC processes are well defined and reporting is standardized. More than another 10% are either transitioning toward or report they have achieved “Advantaged” GRC with optimized processes and the ability to provide true support for business objectives.

[Figure: poll results for “How would you describe your organization’s GRC capabilities?”]
Departmentalized: 31.9%
Becoming Standardized: 41.2%
Standardized and Well Managed: 19.3%
Supporting the Business with GRC: 4.2%
Harnessing Risk to Exploit Opportunities: 3.4%

When asked about maturity from the perspective of outcomes, we see that those who are at - or transforming toward - the Advantaged state have moved beyond standardized and well-managed GRC processes and now can harness risk to exploit opportunities in ways that truly support the business while addressing threats and ensuring compliance. This is Principled Performance and it is achieved through greater GRC maturity.

As this eBook describes, there are four core aspects to GRC capabilities that must all be addressed to grow GRC maturity.

- Organizational and governance structures must be defined to establish ownership, reporting and communication and to ensure appropriate resources are applied.
- Risk and compliance culture must begin with clearly established views, tolerances and guidance from senior management and continue with ongoing education and awareness at every level from management through front line employees.
- GRC program management must mirror business operations management, with established goals and performance indicators supported by efficient and well-executed strategic plans.
- GRC technology must be designed and architected as a process and data engine to support GRC programs and provide risk-aware information to business managers and strategic planners for the organization.

As you use this eBook to better understand the stages of the Integrated GRC Maturity Model, consider where your organization falls on the scale today, both across the enterprise and unit by unit. Evaluate the areas where you might act first to gain the most value and where your defined risk profile calls for change.

Finally, as you develop your workplan for further stages of maturation, remember to always recall the goal of Principled Performance and determine what is needed to ensure that your organization can reliably achieve its objectives while addressing uncertainty and acting with integrity.

We hope you find this eBook useful as you map your own journey to maturing Integrated GRC.

The OCEG Executive Team

Why Integrated GRC?

Most often, Governance, Risk and Compliance (GRC) efforts begin as a focused attempt to improve certain elements of risk or compliance management within one functional area such as IT, security or finance.

The function takes on the challenge of building a defined approach to methodically review risk, or catalog compliance obligations, to ensure that this individual piece of the organization is properly tracking towards its objectives. The drivers for this effort can be many – regulatory pressure from an external entity, strategic acknowledgment by executives or bottom up efforts by front line managers to reduce risks. Eventually, this function designates resources, implements processes and utilizes some technologies to address risk and compliance issues.

As more functions understand that risk and compliance management is part of managing business operations, more GRC efforts are created. Most organizations take the path of building individual pieces of the overall GRC program independently as each function has its own nuances and challenges. As GRC implementations become more mature, the organization realizes there are significant benefits to streamlining processes, reducing efforts and eliminating redundant activities.

These revelations lead the organization to address the fact that most GRC efforts are generally executed by a set of individuals tasked with managing risk and compliance processes, now often referred to as the Second (2nd) Line of Defense (LoD). The First (1st) LoD consists of the frontline employees and business managers closest to the risks within the business. Many times, the 1st LoD have conflicting or redundant requirements placed on them by different functional GRC efforts. Integrated GRC reduces this complexity for business operations through combined or coordinated efforts by the 2nd LoD. In other words, Integrated GRC can make the 2nd LoD more effective through shared processes and data and the 1st LoD more efficient through streamlined and prioritized efforts.

An Integrated GRC program breaks down silos between functional areas and enables common processes, taxonomies and technology infrastructure to both streamline risk and compliance efforts and build a risk aware organization. The cultural impact of an integrated program can be tremendous. The organization sees managing risk as a key ingredient of the success of the business – not as a deterring obstacle for progress. Getting to the level of maturity of an Integrated GRC program is a matter of constantly expanding, communicating, exploring and evolving.

Key Capabilities

Integrated GRC differentiates between GRC efforts that are singly focused on one dimension of risk and GRC efforts that are driven by a single view or strategy that bridges multiple functions. The term ‘integrated’ is used to describe the interconnection and communication between GRC functions rather than meaning a consolidated, centralized function. Every GRC initiative will have its own distinctive traits. However, there are some common elements that can be leveraged across functions that will improve the overall effectiveness of the risk and compliance efforts as well as reduce costs and build efficiencies.

When an executive team seeks to assemble an enterprise (integrated) program for risk and compliance, multiple operational groups are required to collaborate and coordinate efforts to achieve these specific goals:

- Clear ownership and communication channels must be established to provide oversight and accountability.
- The strategic vision must be implemented such that roles, responsibilities and objectives filter down to the front line employees to ensure consistency across risk and compliance efforts.
- GRC efforts must be coordinated ensuring risk and compliance initiatives are executed in the context of the broader strategy.
- Technology must be harnessed to full effect for it to be a true enabler for GRC.

To achieve these goals, RSA Archer’s Integrated GRC Maturity Model focuses on the following key capabilities:

Establish organizational and governance structures
Enable the various functional groups to understand the program’s ownership and accountability models and lay the foundation for clear coordination and communication.

Build risk and compliance culture
Implement processes to affect the organization’s culture, converge and define key GRC program elements and promote risk and compliance awareness of the front line employees.

Implement GRC Program Management
Employ efficient methods to build and execute strategic plans and individual projects and optimize the overall program.

Manage GRC Technology
Establish the infrastructure to leverage technology as a process and data engine to support GRC capabilities.

The Maturity Journey

The Maturity Model for Integrated GRC focuses on building the five levels of capability outlined below over time and implementing the broad strategy as a series of tactical intelligently designed actions.

[Figure: maturity scale running from Siloed through Transition, Managed and Transform to Advantaged; along the scale the program moves from Compliance Driven to Risk Centric to Opportunity Focused]

Siloed: Baseline activities are in place to manage risk but are isolated and fragmented.
Transition: Activities focused on improving effectiveness are underway to stabilize processes and expand program scope.
Managed: Operational processes have evolved into a steady state and are now effective, repeatable and sustainable.
Transform: Transformative initiatives are executed to build better connection between risk management and business.
Advantaged: Processes are optimized and balanced by business context and risk priorities.

Siloed
The Siloed stage focuses on baseline activities needed to manage risk and is the starting point for all organizations. At this stage the organization is not necessarily deficient in its approach but coordination across functions is very limited.

Managed
The Managed stage depicts the phase at which organizations reach a coordinated, sustainable program. The GRC program, at this point, is effective and achieving its objectives but is still lacking the critical connection to the business that will turn the effort into a valuable contributor to the business strategy.

Transition & Transform
The Transition stage and Transform stage help the organization “move to the next level” with initiatives that evolve critical capabilities and set the stage for advanced capabilities.

Advantaged
The Advantaged stage is designed to be achievable for most organizations. This is not an ‘ideal, pie-in-the-sky’ aspiration but an advanced stage of maturity that optimizes the GRC program. At this point, risk and compliance is part of business operations and the organization reaps the benefits of a coordinated program.

Foundations

Foundations are critical elements necessary for the overall success of the maturity journey for Integrated GRC. Without these foundations in place, the organization will face difficulties throughout the journey based on lack of focus, commitment, resources or strategy. Any organization looking to improve its maturity for Integrated GRC should discuss and address these foundations.

Management commitment
The degree and level of leadership commitment to overall risk and compliance management culture, strategy and priorities should be established as maturing GRC processes takes time and resources.

Performance and acceptable risk
Defined levels of performance and acceptable risk for the business need to be established to set the target state for the GRC program and ensure the business understands the level of effort and benefits involved.

Expectations and measurement
Clear expectations and success criteria defined for the GRC program must be communicated by management to guide strategies.

Stakeholder involvement
Key business stakeholders and constituents need to agree on the importance of continuous improvement and maturity of GRC processes.

Budget and resources
Sufficient resources for the GRC program must be committed to achieve success.

Siloed
Baseline activities are in place to manage risk but are isolated and fragmented

The Siloed Stage
Functional Focus

In the Siloed stage, GRC efforts are focused within the individual functions such as IT, security, finance, business continuity, audit and regulatory compliance. These functions establish their own vision and strategies independently. Ownership of risk and compliance efforts are assigned to the logical management individual. As efforts get underway within that function, governance processes begin to be established. Most functions will require input or partnership with some core service providers or vendors (consultants, advisors, etc.) that help implement processes. Individual engagements with these providers are organized and executed within the functions.

In essence, most of the work at the siloed stage is being coordinated and executed at the 2nd LoD level. Awareness and education processes, such as Security Awareness or Audit training, push requirements to business operations only in the context of the individual domain. Business partners (those operational groups outside the function) have little to no visibility into the ‘inner workings’ of the functional groups focused on risk and compliance. Domain policies and control structures are established within the function to define requirements that are then pushed down to the 1st LoD. Issues that are identified (risks, control gaps, etc.) are managed independently within the function.

Strategic plans for each domain are built on business cases focused on the individual functional needs. Requirements are defined and resources are designated to implement the plan within the functional group. This plan fuels domain level projects that are tracked and managed using the individual processes within the function.

Finally, technology usage supporting GRC processes may be implemented within the function but are focused solely on meeting the operational requirements of the processes within the domain. Domain level technical expertise around the GRC technologies begins to form. The technology may be desktop tools, homegrown systems, commercial products built for niche needs or in some cases GRC technologies, but are only implemented and utilized within the function for a defined set of use cases.

Transition
Activities focused on improving effectiveness are underway to stabilize processes and expand program scope

The Transition Stage
Building for the Future

Within the Transition stage, the GRC program begins the trek towards integration. The motivations for this convergence can be many but most organizations identify at minimum some considerable benefits as the domain level (IT, Finance, Legal, etc.) efforts grow within functional groups. First, executive sponsorship for a more integrated approach begins to take hold. This requires multiple functions to embrace the idea that leveraging processes can lead to greater benefits for all of the GRC efforts. Typically this is fueled by regular communication between functional stakeholders (executive leadership) as the individual domains mature their own processes.

As more and more functional groups begin communicating, awareness starts to build across different domains. This leads to the main GRC functions within each domain to implement an integrated GRC awareness framework for the 2nd LoD. Risk and compliance functional groups within the domains begin to communicate and understand the bigger GRC picture. This awareness strengthens the overall cultural effectiveness of 2nd LoD. Through this communication at the 2nd LoD, certain common elements rise to the surface.

- A common business hierarchy (organizational structure) is required to report risk and compliance issues.
- Policies are central to establishing controls and the organization seeks to harmonize and/or standardize policies.
- Issues are a common output of all risk and compliance efforts and need to be reined in to reduce redundant efforts.

These three elements are the first candidates for standardization via taxonomy (structure and definitions) development. Before those taxonomies can be defined and implemented though, a process to develop and maintain GRC related taxonomies must be implemented. Once ownership and accountability for taxonomies is established, taxonomies are developed for business hierarchy, policies and issues.

As the executive sponsorship for a coordinated GRC program takes hold and the 2nd LoD builds taxonomies for the basic elements of a GRC program, a long term strategy and roadmap for an integrated program takes shape. Defining this plan is not a one-time effort. However, the Transition phase begins the process. Part of this plan is documenting the existing domain level projects (to identify where each functional group is headed) and cataloging and monitoring domain level metrics (to understand where each functional group is succeeding and struggling). These are key inputs into the next stage of Maturity as the Integrated GRC program strategy emerges.

From a technology perspective, the Transition phase includes activities to catalog the individual domain level technology usage. Tools utilized within each functional group are identified and a technical architecture must be aligned with the taxonomy development for the common elements (business hierarchy, policies, issues). Additionally, most functional groups at this time have been developing technical solutions to solve domain level issues. Implementing (or adopting a standard) Software Development Lifecycle (SDLC) for GRC technology development will ensure future efforts are coordinated and controlled.

Managed
Operational processes have evolved into a steady state and are now effective, repeatable and sustainable

The Managed Stage
Operationally Sound

The Managed stage represents a significant level of maturity for an organization. An organization that reaches this level has an operationally sound program that is effective and is impacting the organization on a daily basis. Organizations could stay at this level for some time working through the complexities of integrating risk and compliance efforts across multiple functions. However, it is important to acknowledge that while this is a key landmark on the journey it is not the final destination.

Through the efforts of the Transition phase, roles and responsibilities for the GRC program are formalized. Two key pieces in formalizing the GRC program are the charter and establishment of integrated governance structures:

- GRC Program Committee – cross functional management team responsible for moving the overall GRC strategy forward
- GRC Technology Committee – cross functional management team that focuses on the technology infrastructure supporting the GRC Program

As these committees begin working together, oversight coordination across functions improves and leads to the establishment of a decision authority for integrated elements of the GRC Program. This is especially necessary to continue the taxonomy work begun in the Transition phase. Finally, given there is increased cooperation and coordination across functions, external service providers (vendors, consultants, etc.) can be consolidated to focus on Preferred (or strategic) partners.

The next step beyond building a framework for 2nd LoD awareness (established in Transition phase) is a strategy around converging 1st LoD education and training programs. As the GRC program becomes more integrated, the effort to build one view of risk and compliance responsibilities extending to the 1st LoD must be tackled. This is an important milestone in establishing the risk culture of the organization. Another important aspect of promoting risk/compliance principles throughout the organization is to continue the establishment of common taxonomies for GRC elements. In the Managed stage, the organization can now institute taxonomies for Assets (logical and physical, business and IT) and common definitions of Risks and Controls. As continuation of the taxonomy work in the Transition phase (focusing on Policy and Issues), operational processes can now implement those taxonomies to result in integrated Policy Management and Issues Management.

GRC Program Management in the Managed stage has several essential building blocks for the future of the integrated GRC program:

- The strategy and roadmap documented in the Transition Phase takes shape in the form of key objectives and outputs, technical requirements and resource requirements. The strategy can be analyzed by the individual functions to make adjustments to domain processes, fit into the bigger picture and drive a stream of projects to break down the silos.
- Projects become more complex with connections between functions and therefore require more oversight and management. A Project Management Office (PMO), in many cases, is required to provide the coordination or reporting. Additionally, projects will need a prioritization model to ensure projects are executed in the proper sequence.
- Finally, the program will need metrics to identify key milestones and critical junctures. Metrics will also be used later to optimize the program. As the integration activities are getting underway, it is recommended to establish some standardized metrics to monitor.

In the Transition stage, technology usage has been cataloged and a technical architecture has been outlined that aligns with the ongoing taxonomy work. In the Managed stage, this results in a migration or integration of GRC technologies. This work will be built upon a consolidated data architecture and an integrated technology architecture. In some cases, domain level tools (spreadsheets, homegrown tools, etc.) may be eliminated as a larger, integrated GRC infrastructure is built. During this process, common technical implementation practices should be followed. Finally, this evolution of the technical infrastructure will require proper resources. A formalized integration development team and technical support team will be necessary to ensure successful technology projects.

Transform
Transformative initiatives are executed to build better connection between risk management and business

The Transform Stage
Communication & Stabilization

The Transform Stage focuses on building for and more meaningful communication across the program. The Managed Stage represents much work. As that work becomes more confirmed and proven, the momentum towards integration can cause logjams in priorities and resource crunches. The Transform Stage is important to stabilize the efforts and ensure the organization is seeing the value that is expected out of the GRC Program.

Since the major governance committees were established in the Managed stage, within the Transform stage these bodies move into an operational state as a recognized, informed management team with a regular cadence of governance activities. Examples of these activities include supporting and sponsoring the taxonomy work, coordinating the technical implementations and prioritization of projects. Additionally, these bodies will be the faces of the program as key representatives for communicating progress to executive management and other functional leadership.

The cultural impacts of the integrated GRC program will be manifested in a more cohesive awareness program for the organization. Testing processes to ensure the awareness and integration of risk/compliance priorities and responsibilities for the 1st LoD will improve overall acceptance and accountability. Additionally, the taxonomy work in the Managed Phase will need to be implemented. Since Assets, Risks and Controls are fundamental pieces for all risk and compliance processes, the Transform Stage signifies a substantial shift in how processes work together. With common taxonomies defined for

The Program Management elements in the Transform stage also focus on rigor, consistency and cadence. The PMO (or equivalent body) will have multiple work streams to accomplish in the Managed Stage. In the Transform stage, a regular cadence of oversight meetings will be driven by the review and monitoring of metrics produced by the implementation projects. These metrics will identify gaps and stimulate improvement plans that must be fed back into the project funnel.

From a technology perspective, the Transform stage represents a move to a truly managed and operational infrastructure. This requires implementing the operational model (chargeback or cost sharing depending on the general IT models of the organization). Regular healthchecks and metrics on the technology should be conducted as the program will continue to onboard processes, functions and other data stores as the program moves forward. This also requires more rigor around managing incoming requests (for modifications to existing processes, for onboarding new processes, etc.) and a change management program that is controlled and prioritized.
