Advantages of an integrated governance, risk and compliance environment

Post on 18-Jan-2017


Is your organization making risk-aware decisions?

Companies are seeking to embed Governance, Risk and Compliance (GRC) into the fabric of the organization—allowing business managers and leaders to make more risk-aware decisions.

Why? Because GRC impacts every aspect of an organization…

[Diagram: the GRC disciplines shown on the slide: Operational Risk, Compliance, IT Governance, SOX, EUC, Audit, Vendor Risk Management, Business Continuity Management, Policy Management, Model Risk Governance, Data Security]

GRC has many disciplines that also interact with each other in a complex web.

[Diagram: the same GRC disciplines, drawn as an interconnected web]

A lack of visibility into policy could set off a series of events across controls and associated issues and actions.

[Diagram: the GRC disciplines (Operational Risk, Compliance, IT Governance, SOX, EUC, Audit, Vendor Risk Management, Business Continuity Management, Policy Management, Model Risk Governance, Data Security) surrounded by the stakeholders who consume them: Business & Risk Owners, Executive Oversight Teams, Regulators, Process Owners, Compliance Teams, Audit Teams]

Who would benefit most from an aggregated view of GRC?

An aggregated view informs key individuals how issues and actions may affect the organization and departments within it.

[Diagram: aggregated view across the GRC disciplines: Operational Risk, Compliance, IT Governance, SOX, EUC, Audit, Vendor Risk Management, Data Security, Policy Management, Model Risk Governance, Business Continuity Management]

For example, an internal audit team conducts a test of an organization’s IT control—changing of passwords…

[Screenshot of the GRC record hierarchy behind the password control test:
    IT Governance: Unauthorized Access risk, covering LDAP, Processing Systems, CRM, ERP and HR Systems
    Audit > Section > Workpaper > Control Test: "Review password changes and exceptions"
    Control (under NA Data Center > Security > Secure Logins > Password Security): "Change passwords every 60 days."
    The control is a Shared Control across three disciplines:
        Operational Risk Mgmt: Business Area "Retail Banking …" > Process "Processing and Operations …" > Subprocess "Payment, Settlement and Collections …"
        Policy and Compliance Mgmt: Business Area "Reg. Library …" > Mandate "FFIES InfoSecurity …" > Sub-mandate "Exam Tier II Obj A.4 … (Authentication)"
        Financial Controls Mgmt: Business Area "Finance …" > Process "Purchasing and Payments …" > Subprocess "Adjustments and Payments …"]

The result of that test has a knock-on effect to multiple areas of the business.

[Screenshot: the same control test record (Audit > Section > Workpaper > Control Test "Review password changes and exceptions"; Control "Change passwords every 60 days." under NA Data Center > Security > Secure Logins > Password Security), now linked to the Unauthorized Access risk, the "Change Passwords on Regular Basis" requirement and the "Invalid or Unapproved Entries" risk]

It finds that the policy of regularly changing passwords has not been enforced in key systems.

[Screenshot: the shared control "Change passwords every 60 days." and its three discipline hierarchies (Operational Risk Mgmt: Retail Banking … > Processing and Operations … > Payment, Settlement and Collections …; Policy and Compliance Mgmt: Reg. Library … > FFIES InfoSecurity … > Exam Tier II Obj A.4 … (Authentication); Financial Controls Mgmt: Finance … > Purchasing and Payments … > Adjustments and Payments …), with the linked Unauthorized Access risk, the "Change Passwords on Regular Basis" requirement and the "Invalid or Unapproved Entries" risk highlighted against each hierarchy]

A breach of those passwords could impact the system’s operations and compromise key processes in various lines of business.

[Screenshot: the shared control hierarchy (NA Data Center > Security > Secure Logins > Password Security), the control "Change passwords every 60 days." and the control test "Review password changes and exceptions", shown once more]

The impact to the business if risks like these are incurred could be significant.

So what is keeping organizations from integrating and optimizing GRC?

Siloed people, data, knowledge, projects

Defining system interlock (granularity, lookup, golden source)

Lack of executive sponsorship and alignment

Lack of skills, adoption, engagement, agile self-service

Data integration issues (middleware, API, ETL)

Defining workflow and reporting across multiple systems

There are complexities and challenges to integrating systems and creating a single view of nonfinancial risk.

[Diagram: GRC maturity model, first three stages
    Unaware: No visibility. No understanding of how GRC is interconnected. Few (if any) IT resources are allocated.
    Departmental Initiatives:
        Fragmented: Tactical, siloed approach to GRC. No integration or sharing of information. Too much reliance on fragmented technology.
        Integrated: Recognizes the need for greater GRC integration. Strategic approach, mature processes, good reporting and trending at the department level.
Source: GRC Maturity: From Disorganized to Integrated Risk and Performance, Corporate Integrity, 03/12]

Because of these issues, GRC is still at the departmental level for many organizations...

[Diagram: GRC maturity model, all five stages
    Unaware: No visibility. No understanding of how GRC is interconnected. Few (if any) IT resources are allocated.
    Departmental Initiatives:
        Fragmented: Tactical, siloed approach to GRC. No integration or sharing of information. Too much reliance on fragmented technology.
        Integrated: Recognizes the need for greater GRC integration. Strategic approach, mature processes, good reporting and trending at the department level.
    Enterprise GRC:
        Aligned: Strategic approach to GRC across departments. Silos are eliminated. Leverages GRC to realize business benefits.
        Optimized: GRC is integrated throughout the business and is part of strategic planning. Extensive measurement and monitoring of GRC in the context of business.]

While advanced and forward-thinking organizations have adopted enterprise GRC.

How do organizations achieve an integrated and optimized GRC?

Here are our recommendations:

Leverage big data and AI to create a sophisticated risk warning system.

Secure a strong corporate sponsorship

Create a strategy for integrating all aspects of GRC

Centralize on one Enterprise GRC Software vendor

Prioritize GRC projects

Establish a centralized GRC solutions team

An aggregated view from a standardized Governance, Risk & Compliance deployment:

There are tangible advantages to creating this aggregated view of GRC:

Improved alignment of objectives with mission, vision and values of the organization, resulting in better decision-making agility and confidence.

Leverage cognitive capabilities to improve quality of information, user interaction and reduce manual tasks.

Reduced costs in maintaining duplicated controls, tests, issues, actions and reporting across multiple disciplines.

Reduced IT costs by consolidating on a single GRC solution.

Learn more about IBM solutions for governance, risk and compliance.

ibm.com/OpenPages