– GRC 20/20 Research Briefings are copyrighted and protected material. Content cannot be reused or distributed without written permission from GRC 20/20 Research, LLC.
– GRC Advisor Enterprise Subscribers get access to live and recorded Research Briefings for all employees for INTERNAL use only through the GRC 20/20 website. If they wish to have a recording to host internally, there is a fee for this.
– GRC Basic Subscribers pay for individual access to specific GRC 20/20 Research Briefings. Individual access is for the individual only; slides or login are not to be shared with others or viewed as a group.
Regulatory/Legal Change
Monitor change in the legal and regulatory environment to determine how pending legislation, court decisions, new/changing regulations, and enforcement actions affect current and needed policies.
[Figure: sources of change to monitor: regulations, court rulings, industry, employees, technology, societal forces, processes, IT.]
Drivers
1. Constant Change: Exponential growth in regulatory, risk and business change is making scattered GRC processes and information constantly behind, and exposing the organization.
2. Growing Relationships: The growing array of 3rd party relationships, with their increased regulatory and risk exposure, is bearing down on organizations, which must include these relationships in their GRC strategies.
3. Scattered Information & Platforms: Many organizations still find they are encumbered by silos of information that is disconnected, and often have several disconnected GRC platforms in different areas.
– Disconnected departments managing GRC related activities in different ways with little or no collaboration with other departments.

Trends
1. GRC Architecture: No platform does everything. Organizations are looking toward an information and technology architecture that integrates GRC, though there often is one central core platform.
2. Integration: Enterprise GRC Platforms are no longer self-contained solutions to manage GRC workflow and tasks; they require strong integration capabilities into a range of business systems.
3. Best of Breed Where it Makes Sense: In a GRC architecture approach, organizations are looking toward a common hub and core for Enterprise GRC but allow for best of breed solutions where they make sense.
– An integrated approach that balances GRC management centralization with distributed participation and collaboration.
Enterprise GRC: Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture.
Audit Management: Capability to manage audit planning, staff, documentation, execution/field work, findings, reporting, and analytics.
Automated Control: Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
Business Continuity Management: Capability to manage, maintain, and test continuity and disaster plans, and implement these plans during expected and unexpected disruptions to all areas of operation.
Compliance Management: Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report.
Environmental Management: Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
Health & Safety Management: Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
Internal Control Management: Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.
IT GRC Management: Capability to govern IT in context of business objectives and manage IT process, technology, and information risk and compliance.
Issue Reporting & Management: Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
Legal Management: Capability to manage, monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.
Physical Security Management: Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
Policy & Training Management: Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities.
Quality Management: Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
Risk Management: Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects.
Strategy & Performance Management: Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
Third Party Management: Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly the risk and compliance challenges these relationships bring.
Miscellaneous GRC Platform & Architecture Tools

To be an Enterprise GRC Platform requires a single platform architecture that has multi-department (e.g., enterprise wide) use across the following areas, at a minimum:
– Enterprise/Operational Risk Management
– Compliance Management
– Internal Control Management
– Issue Management (e.g., incident, case, investigations)
– NOTE: most Enterprise GRC Platforms offer a range of additional modules beyond these.
[Figure: OCEG graphic of the CCO's information sources: internal audit, external experts, hotline/helpline, government; with the questions "Are things going according to plan?" and "Are there any red flags?"]
© GRC 20/20 Research, LLC • www.GRC2020.com
360° GRC Contextual Analytics & Intelligence Capabilities
[Figure: three stages. 1. Distributed & disconnected GRC data points (documents, spreadsheets & emails; siloed solutions). 2. Integrated and mapped together to provide context in Enterprise GRC Platforms: entity, process, organization, risks, operational, financial, asset. 3. Analyzed to understand relationships; action items; strategic process optimization.]
All non-value-added activities are eliminated and value-added activities are streamlined to reduce lag time and undesirable variation.
[Figure residue: OCEG "Policy Management Illustrated" and "Anti-Corruption Illustrated" graphics overlaid on the slides; only the readable text is kept below.]

THE BENEFIT OF TECHNOLOGY
– Repository: Technology enables policy implementation and enforcement by creating a repository of all policies, procedures, and controls that are cross-referenced to an accurate and complete policy control plan.
– Consistency: Technology creates a consistent environment to conduct assessments, track issues of non-compliance, and take corrective actions.
– The right metrics will help ensure policies are effective at establishing desired behaviors efficiently, and agile enough to accommodate the demands of a dynamic and distributed organization.
– Before an auditor or regulator, it is often necessary to provide positive evidence of policy compliance. Preserving a full view of the policy history and audit trail (including key data points such as the owner, who read it, who was trained, acceptance acknowledgements, versions, and the communication record), they can show what, when, where, why, and how communication took place.

4 IMPLEMENT & ENFORCE
Even with good communication, policies aren't always followed.
Policy violations; policy exceptions and deviations:
– Policy implementation and/or enforcement is not always possible. Exceptions can happen when the organization cannot comply with a policy, when the policy is too subjective, or …
– Exceptions must be documented and available to auditors and regulators upon request. Organizations that demonstrate clear procedures for policy exception … sufficient authority. Limits should be set so exceptions are regularly reviewed and not granted for extended or unreasonable time periods; … policy revisions are made or the organization is brought into full compliance.

To have an effective compliance program requires consistent communication and training, and learning from previous efforts.

contact Carole S. Switzer cswitzer@oceg.org for comments, reprints or licensing requests
©2012 OCEG visit www.oceg.org for other installments in the Policy Management Illustrated Series
©2012 OCEG visit www.oceg.org for other installments in the Anti-Corruption Illustrated Series
©2014 OCEG visit www.oceg.org for other graphics in the GRC Illustrated Series
Four Critical Capabilities Areas that Define an Enterprise GRC Platform
[Figure: Enterprise GRC at the center, surrounded by the four core areas: Risk Management, Compliance Management, Internal Control Management, Issue Reporting & Management. Outer ring of additional modules: Business Continuity Management, Audit Management, Legal Management, Quality Management. Annotation: "50 to 99% of Enterprise GRC RFPs".]
Basic, Common & Advanced Solutions
[Figure: solutions plotted by Value to Organization (low to high) against Cost to Implement (low to high).]
– Advanced: Solutions that go beyond common features and distinguish themselves with a … capabilities.
– Common: Solutions with features that are commonly found in the market across primary competitors in the segment.
– Basic: Solutions that have the basic elements needed, but are not as feature rich as solutions that have a lot of market traction.
Basic Solutions
Capabilities:
– Core Enterprise GRC modules of risk, compliance, internal control, & issue management
– Workflow
– Task management
– Survey & assessment
– Forms management
– Reporting
– Often has other modules, but capabilities are limited to those defined above
Limitations:
– Tends to have a flat view of risk in which the entire enterprise is mapped into one risk model and assessment process
– Lacks risk normalization and aggregation capabilities
– Limited capabilities to integrate with other systems
– Reporting is rigid and inflexible
– Lacks depth in risk analytics and modeling capabilities
– Often difficult to adapt to your environment

Common Solutions
Capabilities:
– Core Enterprise GRC modules of risk, compliance, internal control, & issue management and a range of other GRC modules
– Has the workflow, task, survey, assessment, forms, and reporting capabilities of Basic solutions
– Has capabilities for risk normalization and aggregation, and supports more risk analysis methodologies
– Integrates easily into the broader IT environment
– Advanced reporting
Limitations:
– Often does not fit the needs of more advanced risk management programs
– Solution offers some content feeds, but does not have a strong array of content offerings across areas of GRC
Areas of Advanced Capabilities (note, a solution might have one or more of these):
– Enterprise Architecture & Business Process Modeling. Ability to visually lay out business processes in a GRC context and for GRC documentation.
– Risk Analytics & Modeling. Advanced risk analytics and modeling supporting a range of methodologies and quantification.
– GRC Mobility. Mobile architecture capabilities that easily extend new GRC applications and interfaces to mobile devices.
– GRC Content & Intelligence. An array of GRC content and intelligence offerings integrated as part of the platform.
– Easy to Configure & Extend. The solution is highly extensible and can be built out to support new GRC processes without coding, and does not require a high degree of IT expertise.
– Risk Normalization & Aggregation. The solution supports advanced capabilities to normalize and aggregate risk across the environment.
– Robust Data Analytics & Reporting. The solution has a strong data warehouse architecture and can aggregate and report on a range of GRC risk and reporting needs involving data gathering and analysis across disparate systems.
Key Considerations in Evaluating Enterprise GRC Platforms
– Security: What is the security architecture of the platform? How does the solution provider resolve security issues in their platform? In practice this means asking how authentication, authorization, and data segregation between departments are implemented, and how quickly reported vulnerabilities are patched.
– Agility: Does the solution meet not only your current needs but also your long term strategy for GRC over the next 3 to 5 years?

GRC architecture layers to evaluate against: GRC Strategy, GRC Process, GRC Information, GRC Technology.
[Figure: OCEG GRC Illustrated graphic, "We need a single version of the truth!". Obstacles shown: corporate politics, misaligned expectations, limited resources, complex GRC data, missed deadlines, inability to integrate, disparate requirements, unnecessary complexity, vulnerability and inflexibility across GRC and IT silos.]

Critical Success Factors
– Team: Leadership alignment and the right mix of skills to see and analyze the entire situation.
– Fact-Driven Analysis: Accurate, relevant information that reflects reality; use both quantitative and qualitative evidence.
– Openness: Willingness to listen; face the facts; don't shoot messengers.
– Clear & Compelling Story: Numbers will not speak for themselves – the numeric case must be supported by a narrative case.
– Enterprise Perspective: Get out of siloed thinking to see the big picture.

OPTIMIZE YOUR:
– Governance: Ensure that sound governance structures are in place "below the board" so that the right information about the right issues is available at the right time.
– Risk: Integrate risk management with strategic planning and maintain a 360-degree view of organizational risks and effectively allocate resources to address them.
– Ethics & Compliance: Establish practices and a culture to prevent misconduct, inspire desired conduct, detect problems and improve outcomes.

contact Carole S. Switzer, cswitzer@oceg.org for comments, reprints or licensing requests
©2013 OCEG visit www.oceg.org for other installments in the GRC Illustrated Series
GRC journey steps:
1. Current State Analysis
2. Define GRC Charter & Structure
3. Define GRC Information Architecture
4. Develop GRC Value Proposition for Change
5. Establish Criteria for Enterprise GRC Technology Needs
6. Evaluate & Rank Solutions
[Figure: GRC value quadrants: Efficiency, Effectiveness, Agility, Value; annotated "Prepare & Protect the Organization", "Optimize Economic Return & Value", "Operational Effectiveness", "Responsiveness to Events".]
It is critical to plan your GRC journey by laying out the route ahead of time.

Conditioning is critical, make sure your team is ready. Is your organization prepared for the GRC journey?

Select the right equipment for the GRC journey. A good GRC journey is not done with one effort but is broken down into stages.

Preparing for the next GRC journey: once complete it is not over, you begin preparing for the next GRC project.
Increasing GRC maturity through contextual risk awareness delivers . . .
Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides
or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.