19th Annual Regional Audit Conference – Abu Dhabi

Governance, Risk & Compliance (GRC) Technology

Abhisek Bhattacharyya, Principal, Risk Advisory Services, Deloitte & Touche (M.E.)
 Table of Contents

1 – Introduction to GRC

2 – GRC Technology Solution Overview

3 – GRC Products/Vendors Overview

© 2019 Deloitte & Touche (M.E.). All rights reserved 2

Introduction to GRC

© 2019 Deloitte & Touche (M.E.). 3

 GRC Overview
What could GRC mean to an Organization?
Governance is the culture, policies,
processes, laws, and institutions
that define the structure by which
What could GRC meanto realize
companies and functions are
directed and managed.
GOVERNANCE
• Identify external laws, rules &
regulations that guide the
conduct of the organization
Program Elements
• Internal policies and
procedures to ensure
compliance with external
requirements and desired
organization objectives
• Enable the boards and
management teams to
understand current risk and
regulatory land scape
Technology Platform - Enables and Automate GRC
© 2019 Deloitte & Touche (M.E.).
Risk (management) is the coordinated
set of activities to direct and control an
organization
to anopportunities
organizationwhile
managing negative events.
GRC Program Pillars
RISK MANAGEMENT
• Align and adapt risk
management program to
organization's business model
and company culture
• Identify, analyze and evaluate
internal and external risks
• Prioritize and optimize risk
portfolio and risk treatments
• Continuously monitor,
measure and adapt risk
management program
Compliance is the act of
adhering to, and demonstrating
adherence to, external laws and
regulations as well as corporate
policies and procedures.
COMPLIANCE
• Define obligation /
requirements
• Develop and implement
controls, processes and
programs to ensure
compliance with requirements
• Audit against controls and
processes to measure
effectiveness of
implementation
• Monitor and measure
compliance programs and
adapt to changing conditions
4
 Risk as a driver for GRC Technology
Technology Risk
Scale and lack of integration
between cyber risk and
compliance activities
Inconsistent methodology
for risk evaluation
Lack of robust incident
response capabilities
Reactive monitoring and
integration of technology risk
Misaligned cybersecurity
expectations between
business stakeholders
Lack of consolidation and
coordination of cyber risk
management activities
across the organization.
© 2019 Deloitte & Touche (M.E.).
Internal Audit
Operational Risk
Inconsistent view of the
auditable entities across
the organization and other
assurance functions
Decentralized resource
allocation hinders
appropriate planning and
efficient audit assignment
Multiple repositories and
organizational systems in
use across the enterprise
with no communication
or linkage capabilities
between them
Duplication of effort to
address findings common
across auditable entities
due to an inability to
effectively aggregate
information
Inefficient, manual, and
time-consuming issue
follow-up processes
hinder issue resolution
and action planning
Misalignment between
operational risk Regulatory Risk
management and
Demonstrating compliance
business strategy
in a highly complex and
constantly changing
Lack of centralized,
regulatory environment
meaningful, value-driven
data analysis and
Inconsistent identification
reporting
and mapping of operational
and reputational risks to
Too much time spent on
owners
risk administration
instead of risk
Limited resources and
management
time to allocate to issue
management
Lack of integrated view of
risks and loss events
Lack of transparent end-
hinders risk performance
to-end insights on key
assessment
risks combined with
inconsistent risk rating
Disconnect between risk
across functions
appetite, the operational
risk framework, and
Inconsistent risk
other assurance functions
aggregation between
governance forums
5
 Enablers for GRC Technology

GRC Enablers GRC Use Cases

Internal Audit

Enterprise Risk
Management
Operational Risk
Management
IT Risk Management

Compliance Management

Advanced Continuous
Controls Monitoring

Business Resiliency

Third Party & Vendor

Risk Management

© 2019 Deloitte & Touche (M.E.). 6

 Internal Audit/CAE AT THE CENTER OF GRC LEADERSHIP
KEY ASKS FOR CAE
Articulate to the Audit Committee and Board why
having a clear and conformed view of risk, including
compliance risks, across the enterprise is critical to
defining and achieving strategic objectives
Assist the Chief Executive Officer (CEO) in finding
opportunities and preventing adverse effects from
identified risks
Influence other key functional executives to support
Internal Audit’s role in GRC strategy and the
organization’s achievement of business objectives.
Especially key is having critical conversations with
the:
• Chief Finance Officer (CFO)
• Chief Ethics and Compliance Officer (CECO)
• Chief Risk Officer (CRO)
• Chief Information Officer (CIO)
© 2019 Deloitte & Touche (M.E.).
CONVERSATION WITH THE AC & BOARD: “HOW CAN I HELP
YOU GAIN TRANSPARENCY USING STANDARD, MEASURABLE
PROCESSES?”
CONVERSATION WITH THE CEO: “HOW CAN I HELP YOU PLAN
BY PROVIDING OBJECTIVE, MEASURABLE ASSURANCE ON THE GRC
CAPABILITY?”
CONVERSATION WITH THE CFO: “HOW CAN I HELP YOU GROW
AND PROTECT VALUE THROUGH AN INTEGRATED GRC
FRAMEWORK?”
CONVERSATION WITH THE CECO: “HOW CAN I HELP YOU
DEFINE AND IMPROVE THE USE OF METRICS AND OTHER ONGOING
MEASUREMENT TOOLS?”
CONVERSATION WITH THE CRO: “HOW CAN I HELP YOU DRIVE
ENTERPRISE RISK MANAGEMENT THROUGHOUT THE
ORGANIZATION?”
CONVERSATION WITH THE CIO: “HOW CAN I HELP YOU
IMPROVE THE IT INFRASTRUCTURE FOR GRC?”
7
GRC Technology Solution Overview

© 2019 Deloitte & Touche (M.E.). 8

 GRC Technology Solution – Market Direction

Traditional GRC approach Emerging GRC Trends

Use of spreadsheets to track regulatory compliance.  Analytic tools to measure and monitor risk management
No centralized means of tracking risks. processes.

Lack of consistent reporting around risk & compliance
initiatives.
Lack of accountability for risks and controls.
Lack of automation to improve efficiency and data collection.
 Best-in-class vendor solutions to replace GRC modules.
 GRC platforms integrated with other best-in-class solutions
and analytics tools to provide common reporting and holistic
view of the business environment.

GRC solution types

A significant amount of
organizations still depend on
spreadsheets and office
automation for GRC
programs.
But more organizations are
now using either stand-alone
or integrated vendor
platforms indicating a shift
towards more consolidation.

© 2019 Deloitte & Touche (M.E.). 9

 GRC Technology Solution - Common Architecture

Compliance Enterprise Risk Operational Risk Audit

Common GRC
modules Third Party / Business
IT Risk Vendor Risk Financial Controls
Resiliency

GRC Risk & Incident &

Policy Remediation
elements control self Issues
management planning
assessment management

Risk & control Business

content processes

Core GRC Content Workflow Reporting Database

capabilities

© 2019 Deloitte & Touche (M.E.). 10

 GRC Technology Solution – Core Capabilities

Application builder
User experience
Build applications to meet business
Ease of end-user adoption
requirements

Integration Reports and dashboards

Seamlessly integrate cross- GRC Core Gain a real-time actionable
departmental systems Capabilities reports and graphical dashboards

Content & Access control

Document Management Enforce access controls at the
Storage of content and system or field level
documents

Workflows & Notifications

Enables business processes workflow
approvals

RPA Friendly or RPA AI & Cognitive Thinking Analytics ‘Driven’

‘Enabled’ ‘Embedded’
© 2019 Deloitte & Touche (M.E.). 11
GRC Technology for Audit Management

Key Roles Functional Architecture (How Audit Management Solution Works)

 Chief Audit Executive (CAE) or

Internal audit Director (IAD)
 Audit Committee
 Internal audit managers
 Lead auditor
 Internal auditor
 External auditor

Process High Level Summary

 Audit Management Team completes

pre-audit activities:
Create the Audit Entity in the
system by scopes the entity
based on associated Business
Processes, Applications,
Devices, and Facilities. Assign
audit and business ownership to
each audit entity

Create the Audit Plan in the

system , define start date and
end date i.e. reviewers and
approvers

Set-up the Program and

procedure library in the
system

 Audit Management team defines a

Plan Entity by linking it to the Audit
Entity and Audit Plan
 Audit user creates the Audit
Engagement and selects the in
scope audit programs
 The audit user completes work
papers generated by the system

© 2019 Deloitte & Touche (M.E.). 12

 Key Benefits of GRC Technology

Single repository of regulations to comply to by entity.

Automate assessment and remediation processes

Automated monitoring sensitive controls, data and transactions within IT, finance and
operations

Full audit record of automated policy distribution and user acknowledgement through mobile
applications

Comprehensive reporting capabilities related to compliance levels and risk exposure by

business unit

Document risk mitigation, prioritize & track responses

Workflow driven collaborative risk assessment for prioritization of actions & central planning
dashboard
© 2019 Deloitte & Touche (M.E.). 13
GRC Products/Vendors Overview

© 2019 Deloitte & Touche (M.E.). 14

 Sample ME GRC Vendors – Summary of Offerings

Thomson
Archer SAP GRC Oracle GRC MetricStream BWise
Reuters

Audit Management

Compliance Management

Enterprise Risk
Management

Operational Risk
Management

IT Risk Management
including Cyber Security

Advanced Financial
Controls Monitoring

Business Resiliency

Legend

Module offered by vendor in Module may not be out-of- Module not offered by
out-of-the-box solution the-box but consolidated vendor out-of-the-box
with other modules

© 2019 Deloitte & Touche (M.E.). 15

 Advanced Controls Monitoring Driven GRC Solution – SAP as an example

SAP Access Control

© 2019 Deloitte & Touche (M.E.). 16

 Enterprise GRC - RSA Archer GRC as an example
RSA Archer
Audit Management
Transform your internal audit function
from reactive and compliance focused to
become a proactive and strategic enabler
of the business.
RSA Archer
IT & Security
Risk Management
Compile a complete picture of technology-
and security-related risks and understand
their financial impact to improve decision-
making.
© 2019 Deloitte & Touche (M.E.).
RSA Archer
Business Resiliency
Automate business continuity and disaster
recovery planning and execution to
protect your organization from crisis
events.
RSA Archer
Regulatory & Corporate
Compliance Management
Establish a sustainable, repeatable and
auditable regulatory compliance program
by consolidating information from multiple
regulatory bodies.
RSA Archer
Enterprise &
Operational Risk Management
Gain a clear, consolidated view of risk
across your business by aggregating
disparate risk information in one central
solution.
RSA Archer Third
Party Governance
Get an accurate picture of third-party risk
while managing and monitoring the
performance of third-party relationships
and engagements.
17
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member
firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as
“Deloitte Global”) does not provide services to clients. Deloitte & Touche (M.E.) is a member firm of DTTL and is a leading professional services firm
established in the Middle East region with uninterrupted presence since 1926, providing audit, tax, consulting, and financial advisory services
through 26 offices in 15 countries with more than 3,300 partners, directors and staff.

Copyright © 2018 Deloitte & Touche (M.E.). All rights reserved.