GRC Fundamentals - MetricStream


GRC Fundamentals
Connected Roles of Audit, Risk and Compliance
October 2013

Michael Rasmussen, J.D., GRCP, CCEP
Chief GRC Pundit @ GRC 20/20 Research, LLC
OCEG Fellow @ www.OCEG.org

The pain organizations have expressed

- Inability to gain a clear view of GRC dependencies;
- High cost of consolidating information;
- Difficulty maintaining accurate information;
- Failure to trend across assessment periods;
- Inability to provide risk intelligence to support business decisions and planning;
- Redundant approaches limit correlation, comparison and integration of information; and
- Lack of agility to respond in a timely way to changing risks, regulations, laws, and situations.

© 2013, all rights reserved, www.grc2020.com

Transformational Opportunity (diagram slide)

The building blocks of GRC come from many disciplines (diagram slide)

What GRC is about . . .

MANDATORY BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.

VOLUNTARY BOUNDARY: boundary defined by management including organizational values, contractual obligations, voluntary policies and other promises.

BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives.

OBJECTIVES: strategic, operational, customer, process, compliance objectives.

OPPORTUNITIES lie between the boundaries, around the business model and its objectives.

GRC is a capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity.

G-R-C Definitions

Governance is the act of externally directing, controlling and evaluating an entity, process or resource.
– Reliably achieve objectives

Risk Management is the act of managing processes and resources to address risk while pursuing reward.
– Addressing uncertainty

Compliance is the state of being able to prove fulfillment of a requirement, obligation, commitment, boundary, policy, or value.
– Acting with integrity

GRC goals

1 - Aware
- Have a finger on the pulse of the business
- Watch for change in the internal and external environment
- Turn data into information that can be, and is, analyzed
- Share information in every relevant direction

2 - Aligned
- Support and inform business objectives
- Continuously align objectives and operations of the integrated governance, risk and compliance capability (the GRC capability) to the objectives and operations of the entity
- Give strategic consideration to information from the GRC capability, enabling appropriate change

GRC goals

3 - Responsive
- You can’t react to something you don’t sense
- Gain greater awareness and understanding of information that drives decisions and actions
- Improve transparency, but also quickly cut through the morass of data to what you need to know to make the right decisions

4 - Agile
- Be more than fast, be nimble
- Being fast isn’t helpful if you are headed in the wrong direction. Principled Performance enables decisions and actions that are quick, coordinated and well thought out.
- Agility allows an entity to use risk to its advantage, grasp strategic opportunities and be confident in its ability to stay on course.

GRC goals

5 - Resilient
- Be able to bounce back quickly from changes in context and threats with limited business impact
- Have sufficient tolerances to allow for some missteps
- Have the confidence necessary to rapidly adapt and respond to opportunities

6 - Lean
- Build the muscle, trim the fat
- Get rid of expense from unnecessary duplication, redundancy and misallocation of resources within the GRC capability
- Lean the organization overall with enhanced capability and related decisions about application of resources

Positioned for Competitive Advantage (diagram slide)

OCEG GRC Capability Model (diagram slide)

Context (C)

Understand the current culture and business context so that the organization can address, and proactively influence, conditions to support objectives.

C1 – External Context
C2 – Internal Context
C3 – Culture
C4 – Objectives

Organize (O)

Organize and oversee an integrated capability that enables the organization to reliably achieve objectives while addressing uncertainty and acting with integrity.

O1 – Commitment
O2 – Roles
O3 – Accountability

Assess (A)

Identify threats, opportunities and requirements; assess the level of risk, reward and conformance; and align an approach to reliably achieve objectives while addressing uncertainty and acting with integrity.

A1 – Identification
A2 – Analysis
A3 – Planning

Proact (P)

Incent desirable conditions and events; and prevent undesirable conditions and events with management actions and controls.

P1 – Proactive Actions & Controls
P2 – Codes of Conduct
P3 – Policies
P4 – Education
P5 – Incentives
P6 – Stakeholder Relations
P7 – Risk Financing

Detect (D)

Detect ongoing progress toward objectives as well as actual and potential undesirable conditions and events using management actions and controls.

D1 – Detective Actions & Controls
D2 – Notification
D3 – Inquiry

Respond (R)

Respond to desirable conditions and events with rewards; and correct undesirable conditions and events so that the organization recovers from and resolves each immediate issue and improves future performance.

R1 – Responsive Actions & Controls
R2 – Internal Investigation
R3 – 3rd Party Investigation
R4 – Crisis Response
R5 – Remediation
R6 – Rewards

Measure (M)

Monitor, measure and modify plans on a periodic and ongoing basis to ensure that management actions and controls reliably achieve objectives while addressing uncertainty and acting with integrity.

M1 – Context Monitoring
M2 – Performance Monitoring
M3 – Systemic Improvement
M4 – Assurance

Interact (I)

Enable the capability with technology and manage information so that it efficiently and accurately flows up, down and across the organization, the extended enterprise, and to appropriate stakeholders.

I1 – Info Management & Documentation
I2 – Internal & External Communication
I3 – Technology & Infrastructure

GRC – architecture for communication and collaboration (diagram slide)

Benefits and success factors of GRC integration (diagram slide)

GRC technology provides context of information

- Objectives & Goals
- Assets & Relationships
- Risk & Analysis
- Regulations & Obligations
- Controls & Assessment
- Policies & Training
- Incidents & Issues
- Roles & Responsibilities

GRC architecture models (diagram slide)

Integrating Information (diagram slide)

The GRC Strategic Plan

A document that details the structures, processes, technologies, resources, objectives and measures to establish and maintain the capability needed to achieve the mission and vision. Among other components it would include:

– Charter
– Mission / vision statement
– Outcomes and maturity milestones (with correlation to business objectives)
– Business case
– Measurement strategy (metrics, indicators, calculation method, frequency of measurement, nature and frequency of reporting)
– Organization chart
– Human capital / vendor relations plan (for implementation and ongoing operations)
– Financial plan (start-up and operations)
– Technology plan
– Assurance plan
– Implementation plan

Delivering Value . . . (diagram slide)

Making the Case for Change (diagram slide)

How one organization got started . . .

Background

- The Chief Audit Executive of one OCEG leadership council member company wanted to drive support for a GRC improvement (establishment) project enterprise-wide
- Together with OCEG, his team established a plan of action
  – Internal survey about the current state
  – Cross-function and cross-department workshop
  – Follow-on projects

Company profile:
- Technology and innovation leader specializing in defense and other government markets throughout the world
- 2012 net sales: 24 billion
- 68,000 employees worldwide
- Matrixed organization
- Focused on Mission Assurance
- Internal Audit: 50 employees

The situation

- RIA initiated through Advisory Council
- Past history / misconceptions
- Determining if there is a burning platform
- Leadership support (Compliance)
- Survey
- Workshop
- Proper level of involvement
- Created internal pitch deck
- Distributed survey to every organization actively involved in the Governance, Risk and Compliance process

Survey findings:
- 11 unique groups
  – Guided by 113 unique policies, procedures and external guidelines
  – External reporting to six major parties
  – Internal reporting to 21 organizations
  – Covering 120 risk areas
- Numerous tools employed
  – Applications and spreadsheets
  – Duplication of information – no definitive source

Workshop

- Management buy-in expanded based upon survey results – sponsorship by Chief Audit Executive, General Counsel and CFO
- Provided results of survey prior to a 2 ½ day workshop attended by about 50 individuals from various departments and functions
  – Flew everyone to a centralized spot for a F2F
  – Used OCEG for Day 1 (independent subject matter expert overview)
- Established a collaborative environment where they could place all the GRC-type documentation they had developed and used over time
  – Workshop Kick-Off Report
  – Objective
  – Identification of coverage
  – Gaps
  – Duplication

Benefits

Focus areas:
- Risk Management
- Compliance Monitoring
- Governance & Strategy
- Privacy & Data Protection
- Analysis
- Risk Assessment
- Focus on Significant Areas
- Targeted Resource Utilization
- Cost Management
- Reporting

Teams:
- GRC Council
  – Initiate a GRC Deployment Team to drive initial actions and design a sustaining council to prioritize ongoing improvement and maintain momentum
- Mission/Strategy Team
  – Craft a GRC Mission Statement; develop an executable strategy for implementation of integrated GRC in alignment with objectives
- Risk Taxonomy Team
  – Craft a standard enterprise risk taxonomy resulting in an efficient, effective and comprehensive list of risks aligned across agreed-upon categories
- GRC Vocabulary Team
  – Standardize a GRC vocabulary with terminology definitions aligned across functional and business groups, supporting common language and actions
- Unified Risk Matrix Team
  – Establish a matrix to capture comprehensive risk and governance activities for the enterprise; pilot with workshop participants and mature iteratively

Progress on the GRC journey

- Replace final compliance tool with a GRC solution
  – Implement SOX and Anti-Corruption certification processes
- Replace Information Systems Registry (ISR) with GRC solution
  – Create a repository and process for System Security Plans and Security Authorization
- Establish a common GRC platform and foundation, which could be used by other functions for later adoption
  – Internal Audit looking to adopt in the near future
- Deploy globally
- Out of scope (requires separate projects and funding)
  – Additional Finance and IT compliance and risk management activities such as Tier-2, Top 5 Risks in IT, General Computing Controls (GCC) assessments

Questions?

Michael Rasmussen, J.D.
Chief GRC Pundit & OCEG Fellow
mkras@grc2020.com
1.888.365.4560
GRC 20/20 Newsletter
LinkedIn: GRC 20/20
LinkedIn: Michael Rasmussen
Twitter: GRCPundit
Blog: GRC Pundit

Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.
