
Buyers Guide: Enterprise GRC Management Solutions

• Critical Capabilities & Considerations for Evaluation of Solutions
• Building a Business Case for Enterprise GRC

Michael Rasmussen, J.D., GRCP, CCEP
The GRC Pundit @ GRC 20/20 Research, LLC
OCEG Fellow @ www.OCEG.org
Terms & Conditions . . .

• GRC 20/20 Research Briefings are copyrighted and protected material. Content cannot be reused or distributed without written permission from GRC 20/20 Research, LLC.

• GRC Advisor Enterprise Subscribers get access to live and recorded Research Briefings for all employees for INTERNAL use only through the GRC 20/20 website. If they wish to have a recording to host internally there is a fee for this.

• GRC Basic Subscribers pay for individual access to specific GRC 20/20 Research Briefings. Individual access is for the individual only and slides or login are not to be shared with others or viewed as a group.

© GRC 20/20 Research, LLC • ww.GRC2020.com 2


Two Things to Note . . .

Complimentary Inquiry
• Organizations evaluating or considering GRC solutions are free to ask GRC 20/20 on our understanding and comparison of solutions in the market to meet your GRC requirements.
• Inquiries are single focused questions that can be answered in under 30 minutes.
• Complimentary inquiry is only available to organizations evaluating or considering GRC solutions for their internal use.

RFP Development & Support
• GRC 20/20 has an extensive library of RFP requirements across a range of GRC capability areas presented in this presentation.
• GRC 20/20 can be engaged in RFP development and support projects to streamline your process, gain perspectives learned from other organizations, and to keep solution providers honest in their responses.


Our Agenda . . .

1. Defining & Understanding Enterprise GRC: Definition, Drivers, Trends & Best Practices
2. Critical Capabilities of an Enterprise GRC Platform: What Differentiates Basic, Common, & Advanced Solutions
3. Considerations in Selection of Enterprise GRC Platforms: Decision Framework & Considerations to Keep in Mind
4. Building a Business Case for an Enterprise GRC Platform: Trajectory of Value in Effectiveness, Efficiency & Agility


Defining & Understanding Enterprise GRC
Definition, Drivers, Trends & Best Practices


The Official Definition of GRC . . .

GRC is the integrated collection of capabilities that enable an organization to:
G) reliably achieve objectives
R) while addressing uncertainty and
C) acting with integrity.
SOURCE: OCEG GRC Capability Model


Governance, Risk Management & Compliance in Context

Governance: Governance sets direction and strategy for the organization to reliably achieve objectives. Governance sets the context for risk management; without context, risk management fails.

Risk Management: Risk management seeks to manage and understand uncertainty by assessing and monitoring risk within context to take action on risk through acceptance, avoidance, mitigation, or transfer.

Compliance: Compliance aims to see that the organization acts with integrity in fulfilling its regulatory, contractual, and self-imposed obligations and values. Compliance follows through on risk treatment plans to assure that risk is being managed within limits and controls are in place and functioning.
Are you truly aware of your risks?

“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”
E.J. Smith, Captain of the Titanic


The Chaos of Compliance Interconnectedness

“Realize that everything connects to everything else.” Leonardo da Vinci

The Organization Has to be Able to See . . .
• The Tree. The individual area of risk, issue, control
• The Forest. The interconnectedness of risks, issues, controls


GRC in Transition: From Old Ways to New Ways



Change is the Greatest Challenge Impacting GRC Management

Regulatory/Legal Change: Monitor change in the legal and regulatory environment to determine how pending legislation, court decisions, new/changing regulations, and enforcement actions affect current and needed policies.

Internal Risk/Business Change: Monitor changes to the internal environment to identify how changes to strategy, mergers & acquisitions, processes, technology, business relationships, and employees affect current and needed policies.

External Risk Change: Monitor change in the external risk environment to determine how uncertainty in economic, geo-political, environmental, industry, societal, and market forces affect current and needed policies.

Source: OCEG Anti-Corruption Illustrated Series, ©2012 OCEG (www.oceg.org)
Inevitability of Failure: Too Many Approaches

There are too many departments sending too many communications in different formats. GRC management is buried in documents, spreadsheets & emails.
• Wasted resources through redundancy & overlap
• Excessive emails, documents, and paper trails
• Poor visibility & reporting
• Files and documents out of sync
• Overwhelming complexity
• Lack of accountability


Confusing Conundrum of GRC Management Processes & Information

The Winchester Mystery House
• 160 rooms
• 47 fireplaces
• 6 kitchens
• 10,000 windows
• 65 doors to blank walls
• 13 staircases abandoned
• 25 skylights – in floors
• 147 builders/no architects
• Built without a blueprint
• $5.5 million over 38 years


. . . And We Hope Nothing Fails
• Inability to gain clear view of GRC information interdependencies;
• High cost of consolidating GRC information;
• Difficulty maintaining accurate GRC information;
• Failure to trend across GRC assessment periods;
• Redundant approaches limit correlation, comparison and integration of GRC information; and
• Lack of agility to respond timely to changing risks, regulations, laws, and situations.
Drivers & Trends: Enterprise GRC

Drivers
1. Constant Change: Exponential growth in regulatory, risk and business change is making scattered GRC processes and information constantly behind and exposing the organization.
2. Growing Relationships: The growing array of 3rd party relationships with increased regulatory and risk exposure is bearing down on organizations to include in GRC strategies.
3. Scattered Information & Platforms: Many organizations still find they are encumbered by silos of information that is disconnected, and often have several disconnected GRC platforms in different areas.
4. Growing Beyond Initial GRC Platforms: Those that have implemented a GRC platform in the past decade are often finding that the solution is out of date and cumbersome to use when compared to the new generation of solutions.
5. Need for External GRC Content: There is growing demand and need for the integration of external content and intelligence feeds into the GRC architecture.

Trends
1. Architecture: No platform does everything. Organizations are looking toward an information and technology architecture that integrates GRC, though there often is one central core platform.
2. Integration: Enterprise GRC Platforms are no longer self-contained solutions to manage GRC workflow and tasks; they require strong integration capabilities into a range of business systems.
3. Best of Breed Where it Makes Sense: In a GRC architecture approach, organizations are looking toward a common hub and core for Enterprise GRC but allow for best of breed solutions where they make sense.
4. Business Process Modeling: There is growing demand in RFPs for GRC solutions to have business process modeling capabilities to visually layout and document how business processes function in a GRC context.
5. GRC Mobility & Engagement: Enterprise GRC is no longer for the back-office, but needs to be intuitive and easy to use for the front-office. New releases are showing improved user interface and mobility options.


Varying Levels of GRC Management

• Enterprise: Top-down federated GRC management strategy across the entire organization.
• Division / Business Unit: Division or business unit management strategy.
• Department / Function / Process: Management being done at a department, function, or process level.
• Risk / Regulation / Issue: Managed in context of a specific focus, regulation, or issues.
What is Your Approach to GRC Management?

Distributed GRC Management
• Disconnected departments managing GRC related activities in different ways with little or no collaboration with other departments

Federated GRC Management
• An integrated approach that balances GRC management centralization with distributed participation and collaboration



Critical Capabilities of an Enterprise GRC Platform


What Differentiates Basic, Common, & Advanced Solutions



The GRC Market: Technology, Information, & Professional Services

GRC Technology Solutions: 843 technology solution providers that offer solutions related to GRC

GRC Intelligence & Content Solutions: 112 providers with 384 content/intelligence solutions across a range of GRC areas

GRC Professional Services Solutions: 1,000+ professional service firms offering services related to GRC


GRC Technology Market Segment Definitions

Enterprise GRC: Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture.

Audit Management: Capability to manage audit planning, staff, documentation, execution/field work, findings, reporting, and analytics.

Automated Control: Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.

Business Continuity Management: Capability to manage, maintain, and test continuity and disaster plans, and implement these plans for expected and unexpected disruptions to all areas of operation.

Compliance Management: Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report.

Environmental Management: Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.

Health & Safety Management: Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.

Internal Control Management: Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.

IT GRC Management: Capability to govern IT in context of business objectives and manage IT process, technology, and information risk and compliance.

Issue Reporting & Management: Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.

Legal Management: Capability to manage, monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.

Physical Security Management: Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.

Policy & Training Management: Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities.

Quality Management: Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.

Risk Management: Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects.

Strategy & Performance Management: Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.

Third Party Management: Capability to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly risk and compliance challenges these relationships bring.


2019 Additions Being Worked on

The additional market segments are being added into the GRC 20/20 model in 2019:
• Anti-Money Laundering/KYC, Fraud & Corruption
  • Formerly under Automated-Continuous Controls
• Reputation & Responsibility Management
  • Formerly covered under a combination of Environmental Management, Health & Safety Management, Third Party Management, & Compliance & Ethics Management


GRC Technology Market: Enterprise GRC Platforms & Architecture

Enterprise GRC Platform & Architecture segments:
• Enterprise GRC Platforms
• GRC Data Integration Solutions
• GRC Analytics & Reporting Solutions
• Organization & Process Modeling Solutions
• Miscellaneous GRC Platform & Architecture Tools

Enterprise GRC Platforms & Architecture technologies deliver a range of cross-department functionality across GRC functional areas into an integrated technology ecosystem. For some this is a single GRC platform for the entire organization. For others it is an integrated architecture in which there can be a core platform that often extends and integrates into a range of other solutions and data sources.

To be an Enterprise GRC Platform requires a single platform architecture that has multi-department (e.g., enterprise wide) use across the following areas, at a minimum:
– Enterprise/Operational Risk Management
– Compliance Management
– Internal Control Management
– Issue Management (e.g., incident, case, investigations)
– NOTE: most Enterprise GRC Platforms offer a range of additional modules beyond these.


Central Hub of Issue Reporting & Management Information

COMMUNICATION: Effective communication greases the wheels of any initiative by ensuring that everyone knows what’s happening, why, and where they fit. PROVIDE the RIGHT PEOPLE with the RIGHT ACCESS to the RIGHT INFO at the RIGHT TIME.

Questions the hub answers for its stakeholders (employees, the CCO, internal audit, external experts, government, and the hotline/helpline): What’s changed? Why change something that’s working? What do I need to do? How does it impact me? What’s on the horizon? Where do I fit? What if I have (or see) a problem? What do we need to focus on? Are things going according to plan? Are there any red flags?
360° GRC Contextual Analytics & Intelligence Capabilities

Distributed & disconnected GRC data points are integrated and mapped together to provide context, analyzed to understand relationships, and turned into action items.


GRC Information Architecture Provides 360° Contextual Intelligence

The information architecture links: Strategic Objectives (department, process); Organization (entity, process, asset); Risks (strategic, operational, financial); Obligations (regulatory, contractual, values); Controls (preventive, detective, corrective); Policies (code of conduct, policies & procedures, training & awareness); Issues (complaint, event, investigation); and Roles (owner, subject matter expert, employee).

BENEFITS
• Higher quality information: Integrating GRC information allows management to make more intelligent decisions, more rapidly.
• Process optimization: All non-value-added activities are eliminated and value-added activities are streamlined to reduce lag time and undesirable variation.
• Better capital allocation: Identifying areas where there are redundancies or inefficiencies allows financial and human capital to be allocated more effectively.
• Improved effectiveness: Overall effectiveness is improved as gaps are closed, unnecessary redundancy is reduced, and GRC activities are allocated to the right individuals and departments.
• Protected reputation: Reputation is protected and enhanced because risks are managed more effectively.
• Reduced costs: Reduced costs help to improve return on investments made in GRC activities.

©2012 OCEG, Permission by OCEG is required for reproduction and/or use of material
Three Approaches to Enterprise GRC Management

1. Documents, Spreadsheets & Emails
• Manual spreadsheet and document-centric processes are prone to failure as they bury the organization in mountains of data that is difficult to maintain, aggregate, and report on, consuming valuable resources.
• The organization ends up spending more time in data management and reconciling as opposed to active risk monitoring.

2. Siloed Solutions
• Organizations also have deployed silos of applications and custom internal databases to manage aspects of GRC.
• The challenge here is that the organization ends up maintaining a solution that is limited in function and costly to keep current and does not show the big picture.

3. Enterprise GRC Platforms
• These are solutions deployed for enterprise GRC management and have the broadest array of built-in (versus built-out) features to support the breadth of GRC management processes.
• In this context, they take a big picture view of managing GRC, but still need to be integrated with business and best of breed solutions.


Enterprise GRC Technology Provides Automation and Tracking

(Source: OCEG Policy Management Illustrated Series and Anti-Corruption Illustrated Series, ©2012 OCEG, www.oceg.org. The slide overlays several OCEG graphics; the recoverable text follows.)

THE BENEFITS OF TECHNOLOGY: Audit Trail, Workflow & Collaboration, Enforcement, Management Reporting, Tasks, Managing Exceptions.

Archive and History: Every policy and its past revisions must be archived for referral at a later time. When an organization experiences an incident or is examined by an external auditor or regulator, it is often necessary to provide positive evidence of policy compliance. Preserving a full view of the policy history and audit trail (including key data points such as the owner, who read it, who was trained, acceptance acknowledgements and dates for specific policy versions) will help business assert an accurate and complete policy control environment is operating effectively.

Metrics: Metrics can provide a solid foundation for continuously refining the organizational policy program. The right metrics will help ensure policies are effective at establishing desired behaviors efficiently, and agile enough to accommodate the demands of a dynamic and distributed environment.

Managing Exceptions: Policy implementation and/or enforcement is not always possible. Exceptions can happen when the organization cannot comply with a policy, when the policy is too subjective, or requires excessive clarification. Organizations need processes to authorize, track, monitor and review exceptions. Those who authorize exceptions must have sufficient authority. Limits should be set so exceptions are regularly reviewed and not granted for extended or unreasonable time periods. Exceptions must be documented and available to auditors and regulators upon request. Organizations that demonstrate clear procedures for policy exception management are also better able to defend their policy management processes. Organizations should institute compensating controls as part of what exception should be made until policy revisions are made or the organization is brought into full compliance.

Implement & Enforce: Even with good communication, policies aren’t always followed. Implement controls that enable enforcement. Monitor those controls for effectiveness and adherence. Document and remediate violations, while considering improvements to the policy, training and communications.

Repository: Technology enables policy implementation and enforcement by creating a repository of all policies, procedures, and controls that are cross-referenced with one another and not treated as isolated documents.

Consistency: Technology creates a consistent environment to conduct assessments, track issues of non-compliance, and take corrective actions.

Data: Technology allows organizations to more easily and efficiently manage its hundreds to thousands of individual documents, especially during audits and assessments.

Accountability: Technology provides for a complete picture and defensible audit trail of the ‘who, what, when, where, how and why’ including the role and actions of each individual.

Automation: Technology enables the automation of workflows and tasks to complete audits and assessments related to policy compliance. No longer is the organization encumbered by unanswered or lost emails or documents that are out of sync.

Integration: Policy communication and training technologies need to integrate into the larger business environment, often with HR systems, to gain access to employee lists to properly target and communicate policies.

Visibility: Policy communication and training technologies need to be user friendly and intuitive so that users of varying degrees of capabilities can use the system and understand the policy.

Global Reach: Policy communication and training technologies should have the capabilities to meet language and geographic needs of business relationships across the organization.

Availability: Policy communication and training technologies need to be accessible so that anyone associated with the organization can easily access the policy and associated training.
Defensible GRC Management

QUALITIES OF DEFENSIBLE AND EFFECTIVE COMMUNICATION AND TRAINING (Source: OCEG GRC Illustrated Series, ©2014 OCEG, www.oceg.org. The slide overlays several copies of the graphic; the recoverable text follows.)

• Version (Date, Time): The organization needs to have an auditable record of the versions and communication activities around policies to have an effective compliance program.
• Testing: To ensure understanding, the organization should test comprehension of policies to ensure that they have been communicated and understood.
• Ask & Resolve Questions: It is necessary that individuals have a way to get questions answered about policies that remain after training and communication.
• Exceptions: Exceptions to the policy, and training/communication plan, are to be documented, approved, and periodically evaluated.
• Tracking: The organization should have a complete record of all training and communications of policies so they can show what, when, where, why, and how communication took place.
• Defensibility: Defending the organization in legal actions requires that a 360 degree history of the policy, interactions and all communications be accessible, with trails that are defensible.
• System of Record: To defend itself and validate an effective compliance/policy program, the organization should be able to have a complete history of past policy communication and training.
• Repeatable Cycle: Policy communication and training takes time and effort. To guide behavior, the organization requires consistent communication and training and learning from previous efforts.
Four Critical Capabilities Areas that Define an Enterprise GRC Platform
(Diagram: the four core areas arranged around Enterprise GRC)
§ Risk Management
§ Compliance Management
§ Internal Control Management
§ Issue Reporting & Management

© GRC 20/20 Research, LLC • ww.GRC2020.com 30


What Are the Critical Components of Your GRC Platform?
(Diagram: components grouped by how often they appear in Enterprise GRC RFPs: 100% of Enterprise GRC RFPs, 50 to 99% of Enterprise GRC RFPs, 1 to 49% of Enterprise GRC RFPs)
§ Risk Management
§ Audit Management
§ Compliance Management
§ Policy Management
§ Internal Control Management
§ Third Party Management
§ Issue Management
§ IT GRC
§ Automated Controls
§ Business Continuity Management
§ Legal Management
§ Health & Safety Management
§ Physical Security Management
§ Environmental Management
§ Strategy & Performance Management
§ Quality Management

© GRC 20/20 Research, LLC • ww.GRC2020.com 31
Basic, Common & Advanced Solutions
(Diagram: Value to Organization and Cost to Implement, low to high, plotted against Technology Capabilities, low to high)

Advanced
§ Solutions that go beyond common features and distinguish themselves with a varying array of advanced capabilities.

Common
§ Solutions with features that are commonly found in the market across primary competitors in the segment.

Basic
§ Solutions that have the basic elements needed, but are not as feature rich as solutions that have a lot of market traction.

© GRC 20/20 Research, LLC • ww.GRC2020.com 32


Enterprise GRC Core: Risk Management

Solution Area Definition
Risk Management solutions provide the capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects.
This enables organizations to manage:
§ Risk management process of risk identification, assessment, quantification, treatment and monitoring activities in context of objectives, including the overall management of the continual, cyclic, as well as dynamic processes of risk assessment, analysis, decision making, and response (e.g., acceptance, mitigation, transfer, avoidance).
§ Risk monitoring on changes in external and internal contexts to alert the organization to conditions that can impact objectives.
§ Risk evaluation to identify specific causes and evaluate historical review, simulation, interpretation and projection of impacts on objectives and assets.

Critical Capabilities
q Manage overall risk management program planning, staff, projects/assessments, and activities
q Support for multiple risk management frameworks, methodologies, and analysis techniques
q Set and map objectives and context (e.g., internal, external) of risk
q Enable the organization to identify, categorize, map, and show risk relationships in registers
q Enable the organization to gather information and assessment of risks in a variety of approaches
q Analyze risk from different perspectives and implement risk treatment
q Provide monitoring and reporting on risk, including risk normalization and aggregation enterprise reporting
q Ability to analyze scenarios and evaluate risk losses and events, and revise risk models as necessary
q Dashboarding and metrics (e.g., KRIs) on risk

© GRC 20/20 Research, LLC • ww.GRC2020.com 33
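The slide above lists risk normalization and aggregation as a critical capability, and the Basic platforms slide later in the deck notes that a flat, single risk model lacks it. As an added example (not GRC 20/20's or any vendor's code), the Python below shows what that capability does: departmental assessments made on different scales are normalized to one 0.0 to 1.0 scale, rolled up an organization hierarchy as both a worst-case and an average score, and ranked enterprise-wide. The departments, scales, scores and the qualitative mapping are constructed assumptions.

```python
"""Risk normalization and aggregation across an org hierarchy.

Constructed example: the departments, scales and scores below are invented.
"""
from typing import Dict, List, Tuple

# Qualitative ratings mapped onto the common 0.0 to 1.0 scale (assumed mapping).
QUALITATIVE = {"low": 0.2, "medium": 0.5, "high": 0.8, "critical": 1.0}


def normalize(risk: Dict) -> float:
    """Map one departmental assessment onto a common 0.0 to 1.0 scale.

    Raw numbers from different methods are not comparable: a 20 from a
    5x5 likelihood/impact matrix is not 'worse' than a 7 on a 1..10 score.
    """
    method = risk["method"]
    if method == "matrix":  # likelihood x impact, each rated 1..scale
        n = risk["scale"]
        return (risk["likelihood"] * risk["impact"]) / float(n * n)
    if method == "score":  # a single numeric score on 1..max
        return risk["score"] / float(risk["max"])
    if method == "qualitative":
        return QUALITATIVE[risk["rating"].lower()]
    raise ValueError("unknown assessment method: %r" % method)


def aggregate(unit: Dict) -> Dict:
    """Roll normalized scores up the hierarchy.

    'max' carries the single worst risk upward (what the board asks first);
    'avg' is the mean over every risk below the unit (breadth of exposure).
    """
    own = [normalize(r) for r in unit.get("risks", [])]
    children = [aggregate(child) for child in unit.get("units", [])]
    count = len(own) + sum(c["count"] for c in children)
    total = sum(own) + sum(c["avg"] * c["count"] for c in children)
    worst = max(own + [c["max"] for c in children], default=0.0)
    return {
        "name": unit["name"],
        "count": count,
        "max": worst,
        "avg": total / count if count else 0.0,
        "units": children,
    }


def rank_risks(unit: Dict) -> List[Tuple[str, str, float]]:
    """Enterprise-wide ranking of individual risks on the common scale."""
    rows = [(unit["name"], r["id"], normalize(r)) for r in unit.get("risks", [])]
    for child in unit.get("units", []):
        rows.extend(rank_risks(child))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed org hierarchy: three departments, three assessment methods.
SAMPLE_ORG = {
    "name": "Enterprise",
    "units": [
        {"name": "Finance", "risks": [
            {"id": "FIN-1", "method": "matrix", "scale": 5, "likelihood": 4, "impact": 5},
            {"id": "FIN-2", "method": "matrix", "scale": 5, "likelihood": 2, "impact": 2},
        ]},
        {"name": "IT", "risks": [
            {"id": "IT-1", "method": "score", "score": 7, "max": 10},
            {"id": "IT-2", "method": "score", "score": 3, "max": 10},
        ]},
        {"name": "Operations", "risks": [
            {"id": "OPS-1", "method": "qualitative", "rating": "Critical"},
            {"id": "OPS-2", "method": "qualitative", "rating": "Low"},
        ]},
    ],
}

if __name__ == "__main__":
    tree = aggregate(SAMPLE_ORG)
    print("%s: worst=%.2f avg=%.2f over %d risks"
          % (tree["name"], tree["max"], tree["avg"], tree["count"]))
    for unit_name, risk_id, score in rank_risks(SAMPLE_ORG):
        print("  %-10s %-6s %.2f" % (unit_name, risk_id, score))
```

Carrying both `max` and `avg` upward is deliberate: a single averaged number hides the one critical item, and a single worst-case number hides how widespread moderate exposure is. A platform that only compares raw departmental numbers (the flat view) would rank Finance's matrix value of 20 above IT's score of 7 and have no way to place a qualitative "Critical" at all.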


Enterprise GRC Core: Compliance Management

Solution Area Definition
Compliance Management solutions provide the capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report.
This enables organizations to manage:
§ Compliance management process of projects, staff, resources, projects/assessments, compliance risk, reporting, as well as related compliance forms & workflow.
§ Obligation management to document compliance obligations (e.g., regulations, contracts, values) and manage change to obligations and their impact on the organization.
§ Assess, document, and report on compliance through compliance assessments and reporting.
§ Provide a defensible record of compliance of who did what, when, how, and why at any given point in time.
§ Integrate with policy and issue management as these are core areas of a compliance program.

Critical Capabilities
q Manage overall risk management program planning, staff, projects/assessments, and activities
q Maintain a register of all compliance obligations that is mapped to policies, risks, controls, subject matter experts.
q Manage change to obligations as regulations, enforcement actions, standards, and related sources change.
q Provide for assessments and evidence of compliance
q Model and manage compliance risk
q Have a defensible audit trail of compliance to demonstrate an effective compliance program
q Compliance attestations and regulatory reporting
q Document regulatory and stakeholder interactions
q Manage and process compliance related forms
q Provide regulatory intelligence feeds
q Remediate issues of non-compliance
q Manage compliance exceptions and exemptions

© GRC 20/20 Research, LLC • ww.GRC2020.com 34
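Both the OCEG illustration earlier in the deck on tracking policy communication (what, when, where, why and how, with versions, dates and times) and the compliance capability above of a defensible record of who did what, when, how and why at any point in time come down to one requirement: a record that can be shown not to have been altered after the fact. As an added example (not the page's, GRC 20/20's or any vendor's code), the Python below implements one common way to meet it: a hash-chained, append-only audit trail that can be verified end to end, queried for a policy's history, and asked which version was in effect at a given time. The field names, the SHA-256 chain, and the sample events (policy id POL-7 and the user names are placeholders) are constructed assumptions.

```python
"""Tamper-evident audit trail of policy communication and training events.

Constructed example: the hash-chain design, field names and sample events
are assumptions for illustration, not a vendor's or GRC 20/20's design.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(body: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
    # regardless of dict ordering at the time of writing or verification.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class AuditTrail:
    """Append-only log where every entry commits to the one before it."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, who: str, what: str, policy: str, version: str,
               when: str, where: str, why: str, how: str) -> Dict:
        """Append one event. `when` is an ISO 8601 UTC timestamp string."""
        body = {
            "seq": len(self.entries),
            "who": who, "what": what, "policy": policy, "version": version,
            "when": when, "where": where, "why": why, "how": how,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every hash and link. Returns (ok, first_bad_index)."""
        prev = GENESIS
        for index, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != index
                    or body["prev_hash"] != prev
                    or _digest(body) != entry["hash"]):
                return False, index
            prev = entry["hash"]
        return True, None

    def history(self, policy: str) -> List[Dict]:
        """Everything that happened to one policy, in order."""
        return [e for e in self.entries if e["policy"] == policy]

    def version_in_effect(self, policy: str, at: str) -> Optional[str]:
        """Which version had been published on or before `at` (ISO strings sort)."""
        published = [e for e in self.history(policy)
                     if e["what"] == "published" and e["when"] <= at]
        return published[-1]["version"] if published else None


def build_sample_trail() -> AuditTrail:
    """Constructed sample events for one policy (POL-7 and names are placeholders)."""
    trail = AuditTrail()
    trail.record("j.doe", "published", "POL-7", "1.0", "2014-01-10T09:00:00Z",
                 "policy portal", "new anti-corruption policy", "portal publication")
    trail.record("a.smith", "attested", "POL-7", "1.0", "2014-01-12T14:30:00Z",
                 "LMS", "annual training", "e-learning quiz")
    trail.record("j.doe", "published", "POL-7", "1.1", "2014-03-01T08:00:00Z",
                 "policy portal", "gifts threshold revised", "portal publication")
    trail.record("c.brown", "exception approved", "POL-7", "1.1", "2014-03-05T11:00:00Z",
                 "GRC platform", "hospitality at trade event", "documented exception, review in 90 days")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify())
    print("version in effect 2014-02-01:", trail.version_in_effect("POL-7", "2014-02-01T00:00:00Z"))
    trail.entries[1]["who"] = "someone else"  # simulate an after-the-fact edit
    print("after tampering:", trail.verify())
```

The chain detects any edit, insertion or deletion made after the fact, which is what makes the record defensible rather than merely complete. It does not by itself stop an administrator with write access from rewriting every entry and every hash; for that, the latest hash (or periodic checkpoints of it) has to be anchored somewhere the platform cannot change, such as a separate log store or a signed export kept by audit.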
Enterprise GRC Core: Internal Control Management

Solution Area Definition
Internal Control Management solutions provide the capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.
This enables organizations to manage:
§ Internal control program of staff, projects, resources, assessments, and reporting
§ Central register of internal controls in which controls are mapped to risks and obligations so a single control can be implemented to address similar requirements.
§ Control assessments to query areas of the organization on control effectiveness and attestations
§ Automated controls established for continuous detective, and preventive controls.
§ Exceptions, exemptions and corrective controls so documentation is in place and does not get missed.
§ Remediation process related to weak or missing controls

Critical Capabilities
q Central control register that can be mapped to objectives, risks, policies, issues, obligations, and organization hierarchy.
q Survey and assessment capability to query state of controls across organization and record attestations.
q Exception and exemption process to document control and manage process.
q Business process modeling and documentation to visually layout business processes with identified controls in process.
q Reporting on controls, including deficiencies and weaknesses
q Document control testing and findings
q Support or integrate with automated control solutions
q Remediation management to address control issues

© GRC 20/20 Research, LLC • ww.GRC2020.com 35


Enterprise GRC Core: Issue Reporting & Management

Solution Area Definition
Issue Reporting & Management solutions provide the capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
These solutions enable companies to manage:
§ Issue management and resolution processes across the organization (e.g., legal, compliance, HR, security, health & safety, quality) from the intake through the investigation and resolution.
§ Issue intake and consolidation through hotlines, management reporting, surveys, and other notification pathways.
§ Issue history to collect incidents over time and the details and analysis of business impact to feed into risk models.
§ Investigation management to manage the lifecycle and process of incidents, investigations, and processes.
§ Incident analysis for root cause and CAPA.

Critical Capabilities
q Map issues to risks, policies, objectives, obligations, and controls to show relationships and impact of issues
q Provide issue intake (anonymous and non-anonymous) as well as a portal to collect issues reported to management
q Structured and legally defensible investigation process and documentation
q Issue escalation when investigation grows beyond what originally thought
q Manage investigative resources, skills, and utilization
q Collect a detailed history of issues, particularly frequency and impact
q Conduct remediation and CAPA in context of issues and findings
q Loss analytics and root cause analysis
q Variety of templates and interfaces for managing different types of issues

© GRC 20/20 Research, LLC • ww.GRC2020.com 36


GRC Engagement: Bringing GRC to the Front Lines of the Organization 37
© GRC 20/20 Research, LLC • ww.GRC2020.com
GRC Collaboration: Providing Collaboration on GRC Across the Organization 38
© GRC 20/20 Research, LLC • ww.GRC2020.com
GRC Operationalization: Integrating GRC Across Systems & Processes

© GRC 20/20 Research, LLC • ww.GRC2020.com 39


GRC Intelligence: Integration of Actionable Content 40
© GRC 20/20 Research, LLC • ww.GRC2020.com
GRC Mobility: GRC Engagement Anywhere, Anytime 41
© GRC 20/20 Research, LLC • ww.GRC2020.com

Considerations in Selection of Enterprise GRC Platforms


Decision Framework & Considerations to Keep in Mind

© GRC 20/20 Research, LLC • ww.GRC2020.com 42


Basic, Common & Advanced GRC Solutions
(Diagram: Value to Organization and Cost to Implement, low to high, plotted against Technology Capabilities, low to high)

Advanced
§ Solutions that go beyond common features and distinguish themselves with a varying array of advanced capabilities.

Common
§ Solutions with features that are commonly found in the market across primary competitors in the segment.

Basic
§ Solutions that have the basic elements needed, but are not as feature rich as solutions that have a lot of market traction.

© GRC 20/20 Research, LLC • ww.GRC2020.com 43


Basic Enterprise GRC Platforms
Basic Enterprise GRC Platforms focus on the workflow, forms, and tasks of enterprise GRC. The value focus is on automation
by getting rid of the inefficiencies of documents, spreadsheets, and emails and replacing this with a solution that can collect
information, manage workflow and tasks, and simplify reporting.
Value = tends to be the lower cost solutions to acquire, focus is more on the small to medium sized enterprise deployments

Capabilities
ü Core Enterprise GRC modules of risk, compliance, internal control, & issue management
ü Workflow
ü Task management
ü Survey & assessment
ü Forms management
ü Reporting
ü Often has other modules, but capabilities are limited to those defined above

Limitations
Ø Tends to have a flat view of risk in which the entire enterprise is mapped into one risk model and assessment process
Ø Lacks risk normalization and aggregation capabilities
Ø Limited capabilities to integrate with other systems
Ø Reporting is rigid and inflexible
Ø Lacks depth in risk analytics and modeling capabilities
Ø Often difficult to adapt to your environment

© GRC 20/20 Research, LLC • ww.GRC2020.com 44


Common Enterprise GRC Platforms
Common Enterprise GRC Platforms have the range of features commonly found in Enterprise GRC RFPs. They build upon the
foundation of workflow, tasks, surveys, and forms with features to provide greater integration with other systems, analytics, and
reporting.

Capabilities
ü Core Enterprise GRC modules of risk, compliance, internal control, & issue management and a range of other GRC modules
ü Has workflow, task, survey, assessment, forms, and reporting capabilities of Basic solutions
ü Has capabilities for risk normalization, aggregation, and supports more risk analysis methodologies
ü Integrates easily into broader IT environment
ü Advanced reporting

Limitations
Ø Often does not fit the needs of more advanced risk management programs
Ø Solution offers some content feeds, but does not have a strong array of content offerings across areas of GRC

© GRC 20/20 Research, LLC • ww.GRC2020.com 45


What Differentiates Basic, Common & Advanced GRC Solutions?
Characteristics: Advanced Enterprise GRC Platforms
Advanced Enterprise GRC Platforms are Common Platforms that have distinguished themselves from competitors by offering
advanced capabilities in different areas.

Areas of Advanced Capabilities (note, a solution might have one or more of these):
ü Enterprise Architecture & Business Process Modeling. Ability to visually layout business processes in a GRC context and for GRC
documentation.
ü Risk Analytics & Modeling. Advanced risk analytics and modeling supporting a range of methodologies and quantification
ü GRC Mobility. Mobile architecture capabilities that easily extend new GRC applications and interfaces to mobile devices
ü GRC Content & Intelligence. An array of GRC content and intelligence offerings integrated as part of the platform
ü Easy to Configure & Extend. The solution is highly extensible and can be built out to support new GRC processes without coding,
and does not require a high degree of IT expertise.
ü Risk Normalization & Aggregation. The solution supports advanced capabilities to normalize and aggregate risk across the
environment
ü Robust Data Analytics & Reporting. The solution has a strong data warehouse architecture and can aggregate and report on a
range of GRC risk and reporting needs involving data gathering and analysis across disparate systems.

© GRC 20/20 Research, LLC • ww.GRC2020.com 46


Other Considerations to Evaluate

Organization Profile
q Company Profile
q Financial Profile
q Vision & Solution Plans
q Geographic Reach
q Industry Footprint
q Client References & Case Studies
q Brand, Reputation & Track Record
q Customer Service
q Training & Education
q Consulting & Implementation Services
q Channels, alliances, partnerships
q Demonstrated Value, Financial Benefits, & ROI
q Service Level Agreements
q Evaluation Instance & Proof of Value Support
q Post-Sales Support

Solution Architecture
q Development Platform & Technology Architecture
q Information Architecture
q Flexibility of Technology & Information Architecture
q Product Life Cycle & Updates
q Security Architecture - enterprise, entity, record, field
q Single Sign-On & LDAP
q Deployment Model – On-Premise, Hosted, SaaS
q Scalability of Solution
q Integration with Other Systems & Data
q Responsive Interface & Mobility Architecture
q Data Management & Bulk Changes
q Configuration & Customization
q Availability of Toolkits, flexibility of architecture
q Administration
q Internationalization & Contextualization
q Documentation

NOTE: these are just a selection of some common elements from GRC 20/20’s RFP template containing over 200 requirements for issue Management Platforms
© GRC 20/20 Research, LLC • ww.GRC2020.com 47
Other Considerations to Evaluate

Foundational Capabilities
q Workflow & Task Management
q Process Modeling
q Content & Document Management
q Cross-Referencing & Relationships of Data
q Survey & Assessment Management
q Audit Trail & Records Management
q Reporting, Dashboards & Business Intelligence
q Notifications & Alerts
q Mobility Apps
q Visualization & Analytics
q Standard & Framework Support
q Collaboration
q Business Rules Engine

Other Topics of Consideration
q Out of the Box Features & Functionality
q Breadth of Functionality
q Depth of Functionality
q Advanced Features & Differentiators
q Usability & User Experience
q Integrated Content & Intelligence
q Embedded Domain/Industry Expertise
q R&D & Innovation
q Wizards & Contextual Help
q Role-based Experiences Devoid of Clutter

NOTE: these are just a selection of some common elements from GRC 20/20’s RFP template containing over 200 requirements for issue Management Platforms
© GRC 20/20 Research, LLC • ww.GRC2020.com 48
Important Considerations
(Diagram: considerations arranged around "Important Considerations")
§ Long-Term Potential
§ Domain and Industry Competence
§ Integrated Content
§ Mobility
§ Ease of Use & Configuration
§ Reporting
§ Analytics
§ Client References

© GRC 20/20 Research, LLC • ww.GRC2020.com 49
Key Considerations in Evaluating Enterprise GRC Platforms

Client References
Check client references. Talk to the primary reference, but also ask to talk to someone on their team that uses the solution every day.

Market Presence
Determine if the solution provider has enough market momentum or differentiating technology to be in the market for the long haul.

GRC Strategy
Ensure that the solution provider shares your definition and direction for your strategy for both today and tomorrow.

Business Value
The solution needs to demonstrate a clear return of value to the business in efficiency, effectiveness, and agility.

RFP Hype
Test drive the solution and ask the direct questions on features, particularly if the features are natively in the solution or have to be built out.

Solution Reach
Determine if the solution meets your industry and geographic needs to be able to support operations, languages, and content.

NOTE: these are just a selection of some common elements from GRC 20/20’s RFP template containing over 1000 requirements for Enterprise GRC Platforms
© GRC 20/20 Research, LLC • ww.GRC2020.com 50
Other Considerations in Enterprise GRC Platforms

Cost
What does the solution cost to acquire? Implement? Maintain?

Information Architecture
Is the solution readily configurable and adaptable to your environment? Does it require costly customization, programming, or consultants to adapt?

Ease of Use
Does the solution bring efficiency through ease of use and intuitiveness of the platform?

Integration
Does the solution allow for the right integration points with other analytic, control, and Enterprise GRC solutions?

Security
What is the security architecture of the platform? How does the solution provider resolve security issues in their platform?

Agility
Does the solution meet not only your current needs but also your long term strategy for GRC over the next 3 to 5 years?

NOTE: these are just a selection of some common elements from GRC 20/20’s RFP template containing over 1000 requirements for Enterprise GRC Platforms
© GRC 20/20 Research, LLC • ww.GRC2020.com 51
Most Significant Concerns in Evaluating GRC Management Providers

1 Costs: What is the reality of the acquisition and maintenance costs?
2 Content: Does the solution provide the right GRC content integrations?
3 Technology Debt: How much technology debt does the solution provider carry in promised features undelivered?
4 RFP Responses: Is the solution provider saying yes to everything in the RFP to win a deal?
5 Client References: Are the client references people actually using the solution every day?
6 Customization: Can you configure the solution or does it require customization & coding?
7 Implementation Team: Does the implementation team have real world experience in aspects of GRC?
8 User Experience: Is the user experience intuitive and easy to use? Is mobility supported?

© GRC 20/20 Research, LLC • ww.GRC2020.com 52



Building a Business Case for an Enterprise GRC Platform


Trajectory of Value in Effectiveness, Efficiency & Agility

© GRC 20/20 Research, LLC • ww.GRC2020.com 53


GRC Strategy Within Organizations

GRC Strategy

GRC Process

GRC Information

GRC Technology

© GRC 20/20 Research, LLC • ww.GRC2020.com 54


Critical Roles in Federated GRC

Board of Directors & Executive Management Oversight

Risk Management
§ Enterprise Risk
§ Operational Risk
§ Department/Process Risk
§ Project Risk

Internal Control
§ Internal Control Over Financial Reporting
§ IT Controls
§ Operational Controls

Corporate Compliance & Ethics
§ Ethics
§ Compliance Professionals
§ Fraud Examiners
§ Policy Manager

Internal Audit
§ Financial Auditor
§ IT Auditor
§ Operational Auditor
§ 3rd Party Auditor

(Center: Enterprise GRC Strategy)

IT Risk & Security
§ Information Security
§ Information Risk & Compliance
§ IT Governance

Finance
§ CFO
§ Controller
§ Accounting Professionals

Line of Business
§ Business Managers
§ Front Line Employee Input
§ Human Resources

Other GRC Roles
§ Procurement
§ Environmental, Health & Safety
§ Legal
§ Quality

© GRC 20/20 Research, LLC • ww.GRC2020.com 55


GRC Chaos: Lack of Sustainable Structure
Regulatory, risk, and business change has more than doubled in the past five years, but processes and staffing have not, resulting in . . .
q Time consuming processes put staff in “triage” mode and result in compliance processes that are NOT EFFICIENT
q An inability to scale to increased change and requirements results in a program that is always behind and NOT EFFECTIVE
q Maintaining GRC slows the organization down as it scrambles to manage change in context of the organization: NOT AGILE

Inefficient processes create critical resource constraints:
q Multiple sources of change and intelligence consume resources
q Changes are inconsistently logged in documents and spreadsheets – if they are logged at all
q The organization does not have a consistent approach to assess impact and prioritize action items
q Emails fly about, slip through cracks, are not responded to, or are simply forgotten

(Diagram: Not Effective, Not Efficient, Not Agile)
© GRC 20/20 Research, LLC • ww.GRC2020.com 56


GRC Agility: an Optimized Approach

However, if organizations align and optimize processes supported by the integration of technology and change content, GRC programs can become . . .

ü Effective. Greater understanding of changing requirements and their impact enables the organization to be proactive in gathering, organizing, assessing, prioritizing, communicating, addressing and monitoring the change. This allows the organization to demonstrate evidence of good compliance practices.

ü Efficient. The organization can now optimize human and financial capital resources to consistently address regulatory change and enable sustainable management of resources as the business, risk, and regulatory landscape grows.

ü Agile. GRC intelligence enables a dynamic and changing organization to understand how the regulatory environment affects business change, and also how risk and regulatory change impacts the organization.

(Diagram: Effective, Efficient, Agile)
© GRC 20/20 Research, LLC • ww.GRC2020.com 57
Where do we have GRC activities and information?

© GRC 20/20 Research, LLC • ww.GRC2020.com 58


What can hinder us or help us
(Illustration: OCEG GRC Illustrated Series, potential challenges set against critical success factors)

POTENTIAL CHALLENGES
§ Corporate Politics
§ Misaligned Expectations
§ Limited Resources
§ Complex GRC Data
§ Missed Deadlines
§ Inability to Integrate
§ Disparate Requirements

Critical Success Factors
Team: Leadership alignment and the right mix of skills to see and analyze the entire situation
Fact-Driven Analysis: Accurate, relevant information that reflects reality; use both quantitative and qualitative evidence
Openness: Willingness to listen; face the facts; don’t shoot messengers
Clear & Compelling Story: Numbers will not speak for themselves – the numeric case must be supported by a narrative case
Enterprise Perspective: Get out of siloed thinking to see the big picture

contact Carole S. Switzer, cswitzer@oceg.org for comments, reprints or licensing requests
©2013 OCEG visit www.oceg.org for other installments in the GRC Illustrated Series
© GRC 20/20 Research, LLC • ww.GRC2020.com 59


Effectiveness & efficiency value by role

OPTIMIZE YOUR:

Governance
Ensure that sound governance structures are in place “below the board” so that the right information about the right issues is available at the right time.

Risk
Integrate risk management with strategic planning and maintain a 360-degree view of organizational risks and effectively allocate resources to address them.

Ethics & Compliance
Establish practices and a culture to prevent misconduct, inspire desired conduct, detect problems and improve outcomes.

Finance
Reduce costs and optimize how you allocate capital to governance, risk and compliance processes so that GRC is better aligned with the business.

Audit
Go beyond financial processes and assess the design and operation of controls for governance, risk management, compliance and ethics efforts throughout the enterprise.

Legal
Identify and establish sound practices to address your legal risks and improve your ability to detect and correct issues; while improving your ability to defend the organization.

Core Processes
Embed sound GRC practices in all lines of business and core processes so that business owners and operators are accountable for GRC success.

Technology
Address IT compliance issues and the alignment of information technology to general GRC needs in the rest of the business.

contact Carole S. Switzer, cswitzer@oceg.org for comments, reprints or licensing requests
©2013 OCEG visit www.oceg.org for other installments in the GRC Illustrated Series

© GRC 20/20 Research, LLC • ww.GRC2020.com 60


GRC 20/20’s GRC Maturity Model
(Diagram: vertical axis "Strategic Process, Information & Technology Architecture Alignment"; horizontal axis "Issue to Departments to Enterprise Coordination and Integration")

1 AD HOC
Reactive & focused on putting out individual fires of risk in scattered silos across the organization.

2 FRAGMENTED
GRC responsibilities are scattered and decentralized. Inconsistencies within departments. GRC activities are manual and rely on documents, spreadsheets and emails.

3 MANAGED
GRC is department-specific with limited coordination between department/function. Within a department, GRC activities tend to be well structured, organized, and use technology well to make GRC activities more efficient, effective, and agile at the department level.

4 INTEGRATED
The organization has an enterprise GRC strategy that is trying to coordinate efforts, processes, and services across departments. Focus on enterprise reporting and working toward a common GRC platform with centralized GRC coordination.

5 AGILE
GRC is integrated across the organization which has moved to an understanding of GRC architecture that aligns and integrates information and technologies across the organization. The organization is focused on a federated GRC architecture that allows for central coordination and shared services with distributed accountability and autonomy where it makes sense.

© GRC 20/20 Research, LLC • ww.GRC2020.com 61
Taking the first steps

© GRC 20/20 Research, LLC • ww.GRC2020.com 62


Then we explore how this is being done today
“As-Is” Situation
Inventory existing processes and the technology that supports these processes:
• What do we already have in place?
• Who owns and maintains these systems?
• Who operates them?
• What do they really do?

(Illustration: the as-is state of IT and GRC systems, labelled COMPLEXITY, HIGH COSTS, FRAGMENTATION, SLIPPING THROUGH THE CRACKS, WASTED RESOURCES, UNNECESSARY VULNERABILITY, COMPLEXITY AND INFLEXIBLE. Callouts: “We have some serious overlap between systems.” “What about all of these processes that are so prone to error and ...” “We need a single version of the truth!”)

contact Carole S. Switzer, cswitzer@oceg.org for comments, reprints or licensing requests
©2013 OCEG visit www.oceg.org for other installments in the GRC Illustrated Series
© GRC 20/20 Research, LLC • ww.GRC2020.com 63
Next, we design the desired state we want to achieve
“To-Be” Vision
Define, enhance, evolve an enterprise architecture that supports GRC needs. Leverage existing technology
investments where possible and look for ways to consolidate technology to serve multiple GRC areas.
Integrate technology into core business processes to serve GRC needs.

(Illustration: the to-be GRC architecture, labelled GRC Management, GRC Data Integration, GRC Controls, GRC Intelligence, GRC Architecture. Callouts: “GRC needs are now embedded into our core business processes and enabled by enterprise systems. We've made it easier for people to stay aligned with our policies and values.” “Now that we have rationalized our GRC architecture, I see several old components that we can get rid of.” “This will give me good visibility into the information, processes, controls and evidence that I need to effectively govern, manage risk and ensure compliance.”)

contact Carole S. Switzer, cswitzer@oceg.org for comments, reprints or licensing requests
©2013 OCEG visit www.oceg.org for other installments in the GRC Illustrated Series
© GRC 20/20 Research, LLC • ww.GRC2020.com 64


Steps in Building an Enterprise GRC Strategy & RFP

1 Current State Analysis
2 Define GRC Charter & Structure
3 Define GRC Information Architecture
4 Develop GRC Value Proposition for Change
5 Establish Criteria for Enterprise GRC Technology Needs
6 Evaluate & Rank Solutions

© GRC 20/20 Research, LLC • ww.GRC2020.com 65


Mature GRC Capabilities Achieve the Following 10 Objectives. . .

1 Achieve Business Objectives
2 Ensure Risk Aware Setting of Objectives and Strategic Planning
3 Enhance Organizational Culture
4 Increase Stakeholder Confidence
5 Prepare & Protect the Organization
6 Prevent, Detect, and Reduce Adversity and Weaknesses
7 Motivate & Inspire Desired Conduct
8 Stay Ahead of the Game
9 Improve Responsiveness & Efficiency
10 Optimize Economic Return & Value

© GRC 20/20 Research, LLC • ww.GRC2020.com 66


GRC 20/20 Value Perspective: 3 Angles of GRC Value
(Diagram: GRC Value at the center of Efficiency, Effectiveness and Agility)

Efficiency
ü Financial Capital Savings
ü Human Capital Savings

Effectiveness
ü Design Effectiveness
ü Operational Effectiveness

Agility
ü Agility to Change
ü Responsiveness to Events

© GRC 20/20 Research, LLC • ww.GRC2020.com 67


Careful planning is the key to GRC success
It is critical to plan your GRC journey by laying out the route ahead of time
© GRC 20/20 Research, LLC • ww.GRC2020.com 68

Conditioning is critical, make sure your team is ready
Is your organization prepared for the GRC journey?
© GRC 20/20 Research, LLC • ww.GRC2020.com 69

Select the right equipment for the GRC journey
You don’t just throw everything in a bag, you carefully select your GRC equipment for the task
© GRC 20/20 Research, LLC • ww.GRC2020.com 70

Tackle GRC in stages
A good GRC journey is not done with one effort but is broken down into stages
© GRC 20/20 Research, LLC • ww.GRC2020.com 71

Preparing for the next GRC journey
Once complete it is not over, you begin preparing for the next GRC project
© GRC 20/20 Research, LLC • ww.GRC2020.com 72
Increasing GRC maturity through contextual risk awareness delivers . . .

1. Aware
ü Have a finger on the pulse of business
ü Watch for change in internal & external environment
ü Turn data into information that can be, and is, analyzed
ü Share information in every relevant direction

2. Aligned
ü Support and inform business objectives
ü Continuously align objectives and operations to risk of the entity
ü Give strategic consideration to information from risk management enabling appropriate change

3. Responsive
ü You can’t react to something you don’t sense
ü Gain greater awareness and understanding of information that drives decisions and actions
ü Improve transparency, but also quickly cut through the morass of data to what you need to know to make the right decisions

4. Agile
ü More than fast, nimble
ü Being fast isn’t helpful if you are headed in the wrong direction.
ü Risk mgmt enables decisions and actions that are quick, coordinated and well thought out.
ü Agility allows an entity to use risk to its advantage, grasp strategic opportunities and be confident in its ability to stay on course.

5. Resilient
ü Be able to bounce back quickly from changes in context and threats with limited business impact
ü Have sufficient tolerances to allow for some missteps
ü Have confidence necessary to rapidly adapt and respond to opportunities

6. Lean
ü Build the muscle, trim the fat
ü Get rid of expense from unnecessary duplication, redundancy and misallocation of resources within the risk management
ü Lean the organization overall with enhanced capability and related decisions about application of resources

© GRC 20/20 Research, LLC • ww.GRC2020.com 73




Questions?

Michael Rasmussen, J.D.
The GRC Pundit & OCEG Fellow
mkras@grc2020.com
+1.888.365.4560

GRC 20/20 Newsletter
LinkedIn: GRC 20/20
LinkedIn: Michael Rasmussen
Twitter: GRCPundit
Blog: GRC Pundit

Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides
or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.
