
IT Risk Management Life Cycle and enabling it with GRC Technology

Debbie Lew (debbie.lew@ey.com), Senior Manager, E&Y
Steven Jones (steven.jones@ey.com), Senior Manager, E&Y

Overview

1. What is risk management? Common understanding
2. IT risk management life cycle
3. Key components of an IT risk management program
4. Resources and enablers for IT risk management
5. What does technology enablement mean?
6. Industry perspective
7. Business drivers
8. Trends and challenges
9. Risk process implementation
10. GRC technology implementation considerations
11. Value considerations

What is risk management?

Risk management is the identification, assessment, and prioritization of risks (as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
(As per Wikipedia)

What are your challenges with IT risk management in your organization?

Industry Perspective

- Risk management, regulatory, and compliance requirements are increasingly complex and intrusive (especially for financial services institutions) and have become a growing operational and financial burden. These requirements are not optional and must be addressed.
- Institutions have often approached the requirements in silos, leading to the creation of multiple risk governance processes, methods and infrastructure.
- Typical control functions are experiencing scope creep due to a combination of external and internal pressures. High expectations have blurred the lines of authority and responsibility among the control units.
- Cost reduction imperatives are limiting the ability of risk management functions to keep pace with business growth.
- Lines of business are experiencing risk management process fatigue. Significant amounts of time and money are spent complying with risk requirements, which can be further burdened by multiple requests and duplicative efforts.
- Boards of directors and senior management are demanding more comprehensive, consolidated, and actionable governance, risk and compliance information.

Risk management life cycle

IT risk management program

What is it?
IT risk governance and strategy, and the supporting organization, resources and components used to establish an effective, operational and sustainable IT risk management program.

Components can include:
- Defined business drivers that align to Risk Strategy, Charter and Reporting on critical success factors
- Defined regulatory requirements and industry standards for adherence
- Charter that reflects the mandate for the IT risk management program, risk principles and governance structure for operating the program
- IT risk management strategic plan that defines program objectives, business drivers alignment, critical success factors and measurements, risk governance structure, risk management processes, roles and responsibilities, risk appetite and tolerance guidance, strategic and tactical initiatives, timelines and work effort for design and implementation, and interdependencies with other functional operations (ERM/ORM, Security, BCM, Compliance, SOX, etc.)
- Defined risk management policies and standards
- Defined and documented taxonomy
- Defined IT Risk & Control Framework (Process/Risk/Control Model)
- Rating, scoring and weighting model or quantification model
- Risk identification process (internal and external data mining for trends, analysis and classification)
- Risk profiling attributes and process

Business case and value of an IT Risk (GRC) Management Framework

- Effective, documented response to numerous regulatory/industry/audit/compliance requirements
- Lower cost
  - Repeatable processes and risk-based technology decisions produce 8-12% cost savings (average from various sources including Gartner, Forrester, and the Risk Management Association)
- Reduce siloed and duplicative efforts
  - Lines of business/functions experiencing assessment fatigue
  - Consistent controls and consistent testing strategy focused just on higher-risk areas deemed key for the organization
- Better allocation of technology spend and resources
  - Defensible, risk-based decisions to properly allocate technology spend to highest-risk areas
- Manage unknown risk
  - Quickly identify new risks and quantify cost of exposure through consistent processes (new systems, new technologies)
  - Enable go-to-market for new ventures, emerging technologies, and business products
- System stability/performance
  - Reduce system failures with a risk-based approach to system and architecture investments, e.g., identification and categorization of failure trends and issues with systems allowing risk-ranked remediation across the enterprise

Resources & Enablers

- Risk IT Framework and Practitioners Guide
- COBIT 5 Framework and supporting products

ISACA's Risk IT Framework and Practitioners Guide

- Risk IT is a framework based on a set of guiding principles and featuring business processes and management guidelines that confirm these principles.
- The Risk IT framework is to be used to help implement IT governance.
- Organisations that have adopted (or are planning to adopt) CobiT as their IT Governance framework can use Risk IT to enhance risk management.

Figure: Risk IT Framework

COBIT 5

- The COBIT 5 governance or management practices are equivalent to the Risk IT processes.
- The COBIT 5 activities are equivalent to the Risk IT management practices.
- COBIT 5 follows the same goal and metric concepts as Risk IT, but these are renamed enterprise goals, IT-related goals and process goals, reflecting an enterprise-level view.
- COBIT 5 provides RACI charts describing roles and responsibilities in a similar way to Risk IT.
- A future enabler includes COBIT 5 for Risk.

Meeting Stakeholder Needs

Principle 1. Meeting Stakeholder Needs
- Enterprises exist to create value for their stakeholders.

Source: COBIT 5, figure 3. 2012 ISACA. All rights reserved.

COBIT 5: Enabling Processes

Enabling Process APO12 Manage Risk

When you hear the term GRC, what does it mean to you and your organization?

What does GRC technology enablement mean?

Technology enablement

The development of business-aligned requirements to drive the use of technology to design, enhance, implement and operationalize Governance, Risk and Compliance processes.

Organizations that use technology to enable their GRC processes have the potential to reduce the cost of risk management, enhance compliance and audit, streamline reporting, better manage risk, and deliver insight for better decision making. By enabling technology, companies can build an effective foundation that allows them to build efficiency, integrity and consistency into their processes:
- Data mapping to identify critical relationships between corporate objectives, risks and controls;
- Workflow to optimally coordinate activities across multiple layers of the organization;
- Decision support necessary for planning and reporting;
- Management of risks from identification, to assessment and treatment;
- Modelling multiple risk hierarchies and integrating risk intelligence with other asset and risk information systems;
- Understanding the holistic IT Process, Risk and Control environment in place within an organization; and
- Reporting, monitoring and dashboarding of risk (inherent risk, residual risk and key risk indicators) across the IT environment.

Governance, Risk & Compliance tool space

Business drivers for technology enablement

Business drivers

- Increasingly complex and updated risk management, regulatory and compliance requirements, and Board and shareholder expectations
- Duplication of risk governance processes, methods and infrastructure
  - Too many siloed assessments across functional areas of technology
  - Non-aggregated reporting across multiple sources of risk intelligence
  - Inconsistent risk taxonomies
- Control functions experiencing scope creep and high expectations have blurred lines of authority/responsibility amongst control units
  - Pending Dodd-Frank legislation
  - An increased pressure to comply with NIST
  - Regulatory updates across FFIEC and BITS
  - PCI DSS v2.0
- Duplication of controls across multiple IT units
  - Multiple shared controls that could be condensed
  - Driving towards control convergence and automated control monitoring through GRC technology
- Cost reduction imperatives are limiting the ability of risk management functions to keep pace with business growth
  - IT risk management requirements have increased while pressure is faced across available budget and headcount

Business drivers (cont.)

- Lines of business are experiencing risk management process fatigue due to the amount of time and money spent complying with risk requirements
- Management is demanding more comprehensive, consolidated, and actionable governance, risk and compliance information
  - Repeat and overlapping assessments over functional areas of technology
  - Time commitment required to follow organizational risk management processes is placing a burden on the first line of defense
  - Non-prioritized approach to risk mitigation leading to potential improper allocation of funds
  - Reporting of risk management activity and outcomes across multiple hierarchies is a challenge for IT risk functions
  - Organizations are facing challenges when attempting to incorporate risk intelligence across the organization
- Mergers & Acquisitions
  - Multiple risk programs requiring consolidation and aggregation
  - IT risks inherited from legacy environments

Current state vs. future state

Most companies have taken a very siloed approach to risk and compliance management, which creates multiple redundancies and extensive inconsistency in how risks are assessed and managed.

Figure: current state vs. future state (organizational diagram; only its labels survive extraction)
- External: regulators, analysts, investors
- Board oversight: Audit committee, Risk committee, Other committees; future state: Board/senior management oversight
- Executive management: CEO, CFO, CRO, General Counsel
- Control functions: Internal control, Internal audit, Risk management, Compliance, Information technology, Legal and regulatory, External audit, Compensation committee
- Business units (multiple, each assessed separately in the current state)
- Future state characteristics: Aligned mandate and scope; Coordinated infrastructure and people; Consistent methods and practices; Common information and technology

Trends and challenges

Key issues and trends facing GRC tools

- Lack of a GRC strategy, vision and holistic business and functional requirements can lead to incorrect tool selections, over-budget implementations of GRC tools, or misuse of GRC technology.
- There is a continued evolution and broader use of technology for GRC across IT.
- There has been a recent entrance of software heavyweights into the GRC market.
- GRC tools are being leveraged for business process management and assessment rules engines along with continuous auditing, monitoring and control testing.
- GRC vendors are developing relationships with other application vendors (competitors and complementary products) to extend the range of the software. Others have been acquired to combine product offerings into larger, more comprehensive packages.

Key issues and trends facing GRC tools

- A lack of governance and accountability for GRC tools can limit the return on investment from a GRC solution. Ownership of GRC technology is crucial to driving consistency in methodology, reporting and presentation.
- Many organizations are designing a holistic GRC technology ecosystem to achieve holistic risk intelligence across the enterprise.
- There are multiple regulatory environments that can be covered by GRC tools, and not one GRC vendor provides content to cover all the environments.
- There is increased board liability as it pertains to IT risk.
- Organizations are looking at leveraging GRC technology to facilitate a central corporate policy management portal.
- There is outsourcing of compliance monitoring for the internal and external business environments.
- Consulting firms are either tool-agnostic or they are not. Many firms have strategic relationships with GRC vendors that may skew their perspective.

Current state limitations

- Definition of GRC
  - The definition of GRC differs from client to client and vendor to vendor, leading to an inability to standardize GRC requirements and guide future development.
  - Isolation of financial risk management functionality from mainstream GRC solutions
- No single solution available
  - All solutions perform well for certain aspects of GRC, but no one solution provides a complete holistic solution for all GRC requirements.
- Immature dashboarding and metrics
  - Not all tools provide web-enabled reporting and dashboards.
  - Non-financial RM tools do not provide advanced charting capabilities to address complex risk scenario analysis.
- Virtually non-existent global regulatory content
- Inconsistent framework mapping and content
- Assessment methodology
  - Only a select few tools allow for logic-based assessments (questionnaires, surveys, etc.), which integrate business workflow and risk calculations driven by assessment results.
  - Risk control library management is not integrated into assessments to drive risk convergence.

Key issues & trends facing GRC tools: no silver bullet!

Issues
- No silver bullet
- Non-standard definition of GRC hampers the ability to define future state and drive requirements
- Many of the systems currently in use were developed for a specific function or sector need. These vendors are challenged with finding alternative uses for their applications
- Immature dashboards and metrics
- Immature capabilities to gain real-time data feeds
- Inconsistent framework mapping
- Configuration flexibility
- Assessment methodology and maturity
- The initiative should be a directive from executive management with agreement from all key stakeholders

Trends (market issues are driving product trends)
- Continued evolution and broader use of technology for GRC
- Entrance of software heavyweights into the GRC market
- Multiple regulatory environments
- Architecting a holistic GRC technology ecosystem
- Increased board liability
- Integration of web services to enable risk and regulatory intelligence
- Implementation of a central corporate policy management portal
- Use of business process management and rules engines along with continuous auditing, monitoring and control testing
- Outsourcing of compliance monitoring for the internal and external business environments
- Acquisitions and alliances are forming to extend or enhance product offerings

What are your challenges (anticipated) in selecting, configuring and implementing GRC technology?

GRC tool implementation challenges

- Functional requirements, along with organizational and process convergence, should be defined prior to tool selection by performing a feasibility study
- Organizations purchasing a solution, and then attempting to converge the risk organization and processes, face many challenges
- Maturity of vendor solutions is not where it needs to be to meet all GRC functional requirements
- A lack of understanding of how other business tools can integrate into GRC solutions, and of future GRC state requirements, still exists
- Many organizations will need to customize their selected GRC tool or change their current methodologies, business processes, and hierarchies to have a successful GRC tool implementation
- Content management decision: if aligning to leading practices, frameworks, and regulations, a decision needs to be made to determine whether you will rely on a vendor to provide and manage content going forward, or whether it will be customized and managed by the client
- Timeframes for implementation are often underestimated; most organizations take between 12 and 24 months for successful implementation and for operational competencies to be realized
- GRC tool cost is often underestimated due to improper calculation of the customization or functional and process modifications that will be needed by the firm
- Lack of experienced and knowledgeable resources that are dedicated to GRC tool implementation
- Vendor support and experience at business-aligned deployments is limited

Customization vs. configuration

A key consideration when analyzing GRC solutions is the concept of customization vs. configuration. These are two very distinct terms, and have significant impact on a GRC solution's ability to meet or exceed business and functional requirements.

Configuration refers to the process of altering a GRC solution by making basic changes to the out-of-the-box capability to meet business requirements. This process will not greatly enhance a GRC solution's functionality. Examples of configuration include:
- Changing colors
- Changing field properties (i.e., text, number, length, etc.)
- Adding fields
- Creating basic calculations

Customization refers to the process of altering and enhancing a GRC solution by making advanced changes to the out-of-the-box capability to meet business requirements. This process can greatly enhance a GRC solution's functionality. Examples of customization include:
- Building custom business workflow
- Using JavaScript or HTML to enhance the functionality of the GRC solution
- Using advanced calculations and logic
- Integrating data from multiple systems and sources
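The following is an added example, not code from the deck, from E&Y or from any GRC vendor. It shows what the "advanced calculations and logic" and "integrating data from multiple systems and sources" items above look like in practice, and it also covers the inherent-risk, residual-risk and key-risk-indicator reporting listed earlier under technology enablement: two feeds (a CMDB/asset feed and an assessment-results feed) are joined, each risk is scored, and a KRI breach triggers a rating escalation. The scoring model (likelihood times impact, weighted by asset criticality, reduced by control effectiveness), the rating bands, the KRI threshold and all sample records are assumptions constructed for illustration, not the deck's methodology.

```python
"""Added example, not the deck's or any vendor's code: score a small risk
register from two integrated feeds and apply a KRI-triggered escalation.
The scoring model, rating bands, thresholds and sample records are all
constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-in for a CMDB/asset-management feed: asset id -> attributes.
# Business criticality is assumed to be on a 1 (low) to 5 (critical) scale.
CMDB_FEED: Dict[str, dict] = {
    "app-payments": {"criticality": 5, "owner": "treasury"},
    "app-intranet": {"criticality": 2, "owner": "corp-it"},
}

# Constructed stand-in for assessment results. Likelihood and impact are assumed
# 1..5; control_effectiveness is the assessed fraction of inherent risk that the
# controls remove; kri_value is the latest observed reading of the named KRI.
ASSESSMENT_FEED: List[dict] = [
    {"risk_id": "R-001", "asset": "app-payments", "likelihood": 4, "impact": 5,
     "control_effectiveness": 0.75, "kri": "patch_age_days", "kri_value": 45},
    {"risk_id": "R-002", "asset": "app-intranet", "likelihood": 3, "impact": 2,
     "control_effectiveness": 0.20, "kri": "patch_age_days", "kri_value": 10},
]

# Assumed tolerance per KRI; a reading above the threshold is a breach.
KRI_THRESHOLDS: Dict[str, float] = {"patch_age_days": 30}

# Assumed rating bands on the residual score (lower bound, name), highest first.
RATING_BANDS = ((15.0, "High"), (8.0, "Medium"), (0.0, "Low"))
ESCALATE = {"Low": "Medium", "Medium": "High", "High": "High"}


@dataclass(frozen=True)
class ScoredRisk:
    risk_id: str
    inherent: float      # criticality-weighted likelihood x impact
    residual: float      # inherent after control effectiveness
    rating: str          # band of the residual score, escalated on KRI breach
    kri_breached: bool


def band_for(score: float) -> str:
    """Map a score to the first band whose lower bound it meets."""
    for lower, name in RATING_BANDS:
        if score >= lower:
            return name
    return "Low"


def score_risk(record: dict, cmdb: Dict[str, dict],
               thresholds: Dict[str, float]) -> ScoredRisk:
    """Join one assessment record to its asset and compute the scores.

    Data-mapping integrity: a record whose asset is absent from the CMDB feed
    is rejected rather than silently scored with a default criticality.
    """
    asset = cmdb.get(record["asset"])
    if asset is None:
        raise ValueError(f"{record['risk_id']}: asset {record['asset']!r} not in CMDB feed")
    if not 0.0 <= record["control_effectiveness"] <= 1.0:
        raise ValueError(f"{record['risk_id']}: control_effectiveness must be in [0, 1]")

    raw = record["likelihood"] * record["impact"]                 # 1..25
    inherent = round(raw * asset["criticality"] / 5, 2)           # weight by criticality
    residual = round(inherent * (1.0 - record["control_effectiveness"]), 2)

    breached = record["kri_value"] > thresholds[record["kri"]]
    rating = band_for(residual)
    if breached:   # triggered calculation: a KRI breach raises the rating one band
        rating = ESCALATE[rating]
    return ScoredRisk(record["risk_id"], inherent, residual, rating, breached)


def score_register(assessments: List[dict], cmdb: Dict[str, dict],
                   thresholds: Dict[str, float]) -> List[ScoredRisk]:
    return [score_risk(r, cmdb, thresholds) for r in assessments]


def dashboard_counts(scored: List[ScoredRisk]) -> Dict[str, int]:
    """Counts per rating, the kind of aggregate a dashboard tile shows."""
    counts: Dict[str, int] = {}
    for s in scored:
        counts[s.rating] = counts.get(s.rating, 0) + 1
    return counts


if __name__ == "__main__":
    scored = score_register(ASSESSMENT_FEED, CMDB_FEED, KRI_THRESHOLDS)
    for s in scored:
        print(s)
    print(dashboard_counts(scored))
```

The point of the join is the rejection path: an assessment that references an asset the CMDB feed does not know is a data-mapping defect, and scoring it with a guessed criticality would quietly understate or overstate exposure, so the calculation refuses it. The KRI escalation is the "triggered calculation" pattern from the functional-coverage lists: the band is recomputed from fresh feed data rather than edited by hand.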

GRC solution cost balance

Figure: a balance scale weighing Complexity and Support on one side against Customization and Administration on the other. What's the right balance for your organization? Need to increase cost to achieve balance.

GRC tool functional coverage

Figure: capability map by functional area (items are listed under the nearest category heading recoverable from the slide)

- Governance: Policy management; Standards; Procedures; PRC framework; Asset and hierarchy management; Process accountability; Data management; Awareness training; Project management
- Financial risk: Scenario analysis; Risk modeling; Financial risk impact analysis
- Compliance: Regulatory content management; Leading practice content management; Compliance monitoring; Compliance assessment
- Audit: Program management; Scheduling; Attestation; Evidence capture; SAS 70/SOC 2
- Risk management: Risk profiling; Risk assessment; Risk identification; Risk analysis; KRIs; Threat and vulnerability management; Information security; BCP/DR; Internal control management; KRI/KPI management; Vendor management; Service delivery management
  - Risk treatment: Risk acceptance; Policy exceptions; Risk transference
- Metrics, presentation and reporting: Dashboards; Ad-hoc reporting; Notifications; User interface; Statistical analysis; Historical trending; Triggered calculations; Audit tracking; Data export
- Incident management: Event capture; Loss capture
- Issues management

IT GRC tool vendor geographic footprint

Figure: world map of vendor footprint by region (the region labels are not recoverable from the slide); the per-region entries read:
- Leader: RSA Archer, Thomson Reuters; Presence: all others
- Leader: BWise; Presence: RSA Archer, Thomson Reuters
- Leader: BWise; Presence: RSA Archer, Thomson Reuters
- Leader: RSA Archer; Presence: Thomson Reuters
- Leader: Modulo; Presence: RSA Archer, Thomson Reuters, BWise
- Leader: none; Presence: BWise
- Leader: none; Presence: RSA Archer, Thomson Reuters

Risk process implementation

Core GRC solution components

- Populations/inventories/authority information
- Business hierarchy
  - Considerations around functional, line of business (LOB) or entity hierarchy embedded within the GRC tool
  - Determination of depth and breadth of hierarchy
- SSO integration
- Determination of CMDB (Configuration Management Database) and asset management tool integration for applications and supporting infrastructure, databases, operating systems and data centers
- Identification of relevant industry regulations and best practices to align with
- Integration with LDAP (Lightweight Directory Access Protocol) to simplify user authentication and user access administration
- Access control strategy
  - Groups, roles and privileges assigned to users
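As an added example (not the deck's code, and not any GRC product's authorization engine), the access control strategy above can be modelled as a group-to-role-to-privilege chain: the directory (LDAP) answers "which groups is this user in", the GRC tool maps groups to its own roles, and roles carry privileges. Everything below is constructed for illustration: the group names, the roles, the privilege names and the users. The membership dictionary stands in for what an LDAP lookup of each user's group attribute would return; no directory is contacted.

```python
"""Added example, not the deck's code: resolve a GRC user's effective
privileges from directory group membership via group -> role -> privilege,
deny by default, and support an access review. All names are constructed."""
from typing import Dict, FrozenSet, List, Set

# Constructed: directory group DN -> GRC role. Groups not listed grant nothing.
GROUP_TO_ROLE: Dict[str, str] = {
    "cn=grc-risk-owners,ou=groups,dc=example,dc=com": "risk_owner",
    "cn=grc-risk-approvers,ou=groups,dc=example,dc=com": "risk_approver",
    "cn=grc-admins,ou=groups,dc=example,dc=com": "administrator",
    "cn=grc-readonly,ou=groups,dc=example,dc=com": "viewer",
}

# Constructed: role -> privileges. Roles are additive: a user in several groups
# holds the union of the mapped roles' privileges.
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "viewer": {"risk.read"},
    "risk_owner": {"risk.read", "risk.update", "issue.create"},
    "risk_approver": {"risk.read", "acceptance.approve"},
    "administrator": {"risk.read", "risk.update", "issue.create",
                      "acceptance.approve", "user.admin"},
}

# Constructed stand-in for the group membership an LDAP lookup returns per user.
DIRECTORY_MEMBERSHIP: Dict[str, List[str]] = {
    "alice": ["cn=grc-risk-owners,ou=groups,dc=example,dc=com",
              "cn=grc-readonly,ou=groups,dc=example,dc=com"],
    "bob": ["cn=grc-risk-approvers,ou=groups,dc=example,dc=com"],
    "carol": ["cn=grc-admins,ou=groups,dc=example,dc=com"],
    "dave": ["cn=finance-staff,ou=groups,dc=example,dc=com"],   # no GRC group
}


def roles_for(user: str, membership: Dict[str, List[str]] = DIRECTORY_MEMBERSHIP) -> FrozenSet[str]:
    """Roles granted by the user's groups; groups without a mapping are ignored."""
    groups = membership.get(user, [])
    return frozenset(GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE)


def effective_privileges(user: str, membership: Dict[str, List[str]] = DIRECTORY_MEMBERSHIP) -> FrozenSet[str]:
    """Union of the privileges of every role the user holds."""
    privs: Set[str] = set()
    for role in roles_for(user, membership):
        privs |= ROLE_PRIVILEGES.get(role, set())
    return frozenset(privs)


def is_authorized(user: str, privilege: str,
                  membership: Dict[str, List[str]] = DIRECTORY_MEMBERSHIP) -> bool:
    """Deny by default: an unknown user, an unmapped group or an unknown
    privilege name all resolve to False."""
    return privilege in effective_privileges(user, membership)


def holders_of(privilege: str, membership: Dict[str, List[str]] = DIRECTORY_MEMBERSHIP) -> List[str]:
    """Access-review view: every user who currently holds the privilege."""
    return sorted(u for u in membership if is_authorized(u, privilege, membership))


if __name__ == "__main__":
    for user in DIRECTORY_MEMBERSHIP:
        print(user, sorted(effective_privileges(user)))
    print("acceptance.approve held by:", holders_of("acceptance.approve"))
```

Two design choices matter for the "user access administration" goal in the bullet above. First, the tool never stores privileges per user; removing someone from the directory group is the only revocation step, so the directory stays the source of record. Second, `holders_of` gives the periodic access review its input (who can approve a risk acceptance, who is an administrator) without reading the directory a second time.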

Potential technology enablement coverage

Figure: coverage matrix (cell values are not recoverable from the slide)
- Rows (functions): IT Risk; Op Risk; ERM; Internal Audit; Regulatory Risk; Legal & Compliance; Info Security
- Columns (capabilities): PRC Framework; Assessments; Program Mgmt; Issues Mgmt; Case Mgmt; KRIs; Content Mgmt; UI/Metrics/Dashboards; Other

GRC technology implementation considerations

Key GRC functional requirements

- Policy, Standards and Procedures Mgmt.
- Risk Mgmt Processes (Assessments, KRIs, Event Capture, Risk Profiling, etc.)
  - Risk Assessment and Risk Analysis Capabilities
  - Risk Identification and Profiling
  - Issues, Mitigation, Risk Acceptance Lifecycle Management
  - Training and Awareness
  - Risk Identification Methodology
- Content Management
- Vendor Management
- Frameworks & Hierarchy Structure (Org, Process, Risk, Control)
  - Asset Management Capabilities
  - Hierarchy Structure: Organizational, Process, Risk, Control, Metrics and Reporting
  - Best Practice Content
  - Technology Controls/Information Security
- Regulatory Mapping
  - Regulatory Mappings
  - Regulatory Compliance Capabilities and Leading Practices Standards: SOX, Basel II, GLBA & Data Protection Laws, PCI, FFIEC, BITS, COSO, ISO 27002, CobiT, ITIL, etc.
  - Compliance Monitoring
- Business Process Management
  - Business Workflow Management
- Audit Processes
  - Audit Processes and Workflow
  - Attestation Capabilities
  - Archival
- Control Automation & Monitoring
  - Automated Control Testing
  - Real-Time Monitoring
  - Notification Services
- Metrics, Measurements, and Reporting
  - Quantity & quality of template reports
  - Ad hoc Reporting
  - Risk Simulation Capability
  - Risk Weighting & Calculations
  - Statistical Analysis
  - Dashboards
- Financial Risk Management
  - Financial Risk Modeling
  - Financial Risk Impact Analysis
  - Quantification Engine
  - Event Loss/Capture, Incident Management
  - Financial Risk Content (i.e. ratings)
- Configuration Flexibility
  - Interoperability/Application Interface/Open Standards
  - Configuration Capabilities
  - Customization Capabilities

Key GRC functional requirements (cont.)

(Items are listed under the nearest heading recoverable from the two-column slide.)

- Available Modules and descriptions
  - Additional Functionality
- Vendor Qualifications
  - Financials
  - Client Base
  - Market ratings and rankings
  - Release Cycle
  - Implementation Requirements
  - Product Training
  - Risk-Based Services
  - Maintenance & Support
  - Teaming and Support from Vendor
  - Industry Saturation/Customer loyalty
  - Future Product Roadmap
- System Administration
  - Management Assurance
  - Ease of Use
  - Auditing and Logging
  - User Administration
  - Documentation & Guidance
  - Security Configuration
- Technical Architecture
  - Backup & Recovery
  - System Performance
  - Enterprise Scalability
  - End User Experience/Interface
  - Infrastructure Requirements
  - Application Requirements
  - Integration Capabilities
  - Data Ownership & Management
  - Performance and Scalability
  - Single Sign-On Integration
  - Data Integrity and Audit
  - Deployment & Migration
- Fees, Contracts and Software Arrangements

Note: The provided GRC Function Requirements are a sample only; a full requirements gathering and weighting exercise must be done to ensure proper tool selection.
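The weighting exercise the note calls for is usually run as a scoring matrix. The following added example (not from the deck or from E&Y) shows one: each requirement carries a weight, each vendor claims a coverage level per requirement, must-have requirements act as a knockout regardless of the weighted total, and the weight of requirements that would need customization is surfaced separately, because that is where the deck says cost and timeline are underestimated. The requirement names, weights, coverage scale, must-have set and vendor scores are all constructed for illustration; the generic names `vendor_a` and `vendor_b` are placeholders, not the vendors named elsewhere on the page.

```python
"""Added example, not the deck's: weighted requirements scoring for GRC tool
selection with must-have knockouts and a customization-load signal. All
requirements, weights, coverage levels and vendor scores are constructed."""
from typing import Dict, List, Set

# Assumed coverage scale a vendor can claim per requirement.
OUT_OF_BOX, VIA_CONFIGURATION, VIA_CUSTOMIZATION, NOT_AVAILABLE = 3, 2, 1, 0
MAX_LEVEL = OUT_OF_BOX

# Constructed sample requirements: name -> weight (1 = nice to have, 5 = critical).
REQUIREMENTS: Dict[str, int] = {
    "regulatory_mapping": 5,
    "workflow_management": 4,
    "sso_integration": 3,
    "adhoc_reporting": 2,
}
# Constructed: requirements whose absence disqualifies a vendor outright.
MUST_HAVE: Set[str] = {"regulatory_mapping"}

# Constructed vendor assessments: vendor -> requirement -> coverage level.
VENDOR_COVERAGE: Dict[str, Dict[str, int]] = {
    "vendor_a": {"regulatory_mapping": OUT_OF_BOX, "workflow_management": VIA_CONFIGURATION,
                 "sso_integration": OUT_OF_BOX, "adhoc_reporting": VIA_CUSTOMIZATION},
    "vendor_b": {"regulatory_mapping": NOT_AVAILABLE, "workflow_management": OUT_OF_BOX,
                 "sso_integration": OUT_OF_BOX, "adhoc_reporting": OUT_OF_BOX},
}


def weighted_fit(requirements: Dict[str, int], coverage: Dict[str, int]) -> float:
    """Weighted coverage normalised to 0..1 (1.0 = everything out of the box).
    A requirement the vendor did not answer counts as NOT_AVAILABLE."""
    earned = sum(w * coverage.get(req, NOT_AVAILABLE) for req, w in requirements.items())
    possible = MAX_LEVEL * sum(requirements.values())
    return round(earned / possible, 2)


def missing_must_haves(must_have: Set[str], coverage: Dict[str, int]) -> List[str]:
    """Must-have requirements the vendor cannot cover at any level."""
    return sorted(r for r in must_have if coverage.get(r, NOT_AVAILABLE) == NOT_AVAILABLE)


def customization_load(requirements: Dict[str, int], coverage: Dict[str, int]) -> int:
    """Total weight of requirements that would need customization: the part of
    the fit score that carries the cost and timeline risk."""
    return sum(w for req, w in requirements.items()
               if coverage.get(req, NOT_AVAILABLE) == VIA_CUSTOMIZATION)


def rank_vendors(requirements: Dict[str, int], must_have: Set[str],
                 vendors: Dict[str, Dict[str, int]]) -> List[dict]:
    """Qualified vendors first, then by weighted fit descending."""
    rows = []
    for name, cov in vendors.items():
        missing = missing_must_haves(must_have, cov)
        rows.append({
            "vendor": name,
            "fit": weighted_fit(requirements, cov),
            "qualified": not missing,
            "missing_must_haves": missing,
            "customization_weight": customization_load(requirements, cov),
        })
    rows.sort(key=lambda r: (not r["qualified"], -r["fit"]))
    return rows


if __name__ == "__main__":
    for row in rank_vendors(REQUIREMENTS, MUST_HAVE, VENDOR_COVERAGE):
        print(row)
```

The knockout rule is what keeps a weighted total honest: a vendor with strong optional coverage can outscore one that actually meets the mandatory requirement, so must-haves are evaluated before the totals are compared rather than folded into them.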

Design considerations

- Convergence of risks, controls, processes, issues and themes
- Roadmap and strategic approach
- Solution ownership and governance
- Reporting requirements and data considerations
- Process and workflow requirements
- Source of record vs. data feeds
- Implementation management
- Functional and technical requirement validation
- Support personnel

GRC technology enablement approach

Suggested key milestones
- Evaluation and approval of a GRC solution
- Development of technical specifications from business and functional requirements
- Detailed design of core foundational components
  - Organizational hierarchy
  - Process hierarchy
  - Risk hierarchy
  - Control hierarchy
  - Hierarchy relationships and interdependencies
- Design and implementation of risk assessment methodology and assessments
- Design and implementation of Issues Management
- Design and implementation of additional risk management processes
- Design and implementation of reporting and dashboarding requirements

Suggested program deliverables
- Foundational components technical specifications
- Technical specifications for risk assessments, issues management, and reporting
- Core framework solution implementation
- Risk process solution implementation
- Reporting and dashboarding implementation
- UAT completion and a run book/design binder
- Training material and procedural guides

Value considerations

Value proposition
- Measurable and documented enterprise commitment to transparency and compliance
- Decreased exposure to fraud, catastrophic losses and the full complement of operational risks
- Prepared to anticipate and respond to new and changing regulatory matters
- Greater insight and more effective decision support
- Better equipped to lower cost and improve performance
- More effective management and use of enterprise information

Questions?
Thank you!
