GRC Foundation: Transforming Data to Information

Navigating Your GRC Journey
MetricStream GRC Summit Europe 2014: Case Study © MetricStream, Inc. | All Rights Reserved.

Angela Hoon, Principal, KPMG [email protected]
Michael Wilson, Principal, KPMG [email protected]

Agenda

1. Introduction
2. Practical Steps
   • Begin with the end in mind
   • Understand the data
   • Design data structure
   • Link data to technology
   • Data Migration
   • Robust Reporting
3. Case Study Spotlights
4. Q&A

Introduction: Alleviating Today’s Challenges through GRC Foundational Transformation

[Diagram: eGRC Foundation Transformation, current state to Desired State. Business functions (Audit, Product Development, IT, Legal and Regulatory, Human Resources, Shared Services and Support, Finance, Operations, Sales and Marketing) span Legal Entities and Geographical Regions and are covered by the assurance groups Business and Controls, ERM, Compliance, Internal Audit and Other Assurance Groups. Business and Risk Management Information flows to internal stakeholders (Board/Committees, Executive/Senior Management) and external stakeholders (Auditor, Regulator, Rating Agency). Report labels shown on the diagram: Control Reports, ERM Reports, Compliance Reports, Audit Reports, Issue Management Reports, Quarterly Deficiency, SOX Reporting, Quarterly Assessment, FIRM, CRMP, Audit Plan, Audit Committee, Open Issues, Past Due Issues, Closed Issues, External Audit Report.]

Increasing Efficiencies and Effectiveness

Today, each business group performs the same four core activities in silos with no common taxonomy, risk ratings, and governance.

[Diagram: ERM & Compliance, Business & Controls and Global Audit each separately Assess, Measure, Monitor and Report: siloed, manual, duplicated efforts, reactive.]

The eGRC program aims to eliminate redundancy in these core activities by providing an integrated, real-time view of risks and associated issues governed by a standardized framework. This enables Management to make informed decisions while effectively and efficiently delivering on a Risk Management strategy.

[Diagram: eGRC delivers Integrated Risk Assessments, Standardized Risk Measurement, Consistent Monitoring, and Transparent, real-time Integrated Reporting.]

Value of holistic and integrated GRC over time: The Shift From Manual to Integrated

[Chart: cost against duration for Manual, Siloed and Integrated GRC approaches.]

• Although the initial spend may seem small, manual processes lead to increasing costs over time.
• Implementing distinct technologies in silos leads to cost bumps and increasing costs over time.
• An integrated GRC approach may have a high initial spend, but flattens over time, decreasing costs and improving efficiencies.

Enterprise GRC Considerations

Components:

• Strategy Convergence: GRC Vision, Guiding Principles, Executive Buy-in, GRC Business Case, Functional Commitment, Roadmap
• Foundational Elements (taxonomies and libraries): Future State Process Flows; Convergence Opportunities, Alignment of Shared Functionality, and Integration Points with GRC Tool; High-level Business, Functional, and Technical Requirements Definition
• Program Management: Project Governance; Project Plan, Timeline and Budget; Project Risks and Issue Tracking; Project Resource Management; Scope Change Management; Resource Management
• People & Change: Stakeholder Analysis; Roles and Responsibilities; Communication Plan; Learning, Development and Training; Adoption Plan/Roll-out
• Business Requirements & Reporting: GRC Business requirements design & documentation; Fit-Gap Analysis; Process, Risk, Transactional level dashboards & reporting; Link between Business Requirements and Business Process Design
• Technology Enablement: Requirements to System Mapping / Proof of Concept; System Configuration; Data Conversion; Testing Strategy, Performance and User Acceptance Testing

GRC Foundation: Convergence and Alignment

The objective of this session is to focus on the importance of structuring GRC technology and data elements to meet your governance objectives. It addresses the importance of data from the business perspective, key methods to promote gathering and inputting of “quality” data, and how to combine that data with the data structure to enable integrated reporting. As you move forward through your GRC journey, it is imperative that a comprehensive convergence and foundational element strategy be implemented:

• Common/Universal Language
• Taxonomy Definitions
• Data Structure
• Reporting

Considerations for optimizing your data

• What is the most important information that needs to be shared across the business?
• Who are the key stakeholders?
• Who is providing the data and content? Do they have all of the required information? Do you understand your data?
• How do we maximize information value while minimizing the cost to maintain it?
• How do we best leverage data from multiple sources?
• How do you structure your content within the GRC solution to enable valuable analysis and reporting?

Practical steps – transforming data into information

1. Begin with the end in mind
2. Understand the data
3. Design a comprehensive data structure
4. Link data to technology
5. Gather, scrub, format, and import the data
6. Design robust actionable reports

1. Begin with the end in mind: What do you want to achieve?

• Consolidated report of cross-functional risks and issues
• Single view of controls across the organization
• Real-time reporting of Issue Management activities
• Actionable reports
• Interface with other systems

2. Understand the data: How do you say Tomato?

Foundational Elements form the “foundation” for how the GRC Tool is configured and establish a common language for GRC across the organization. Foundational Elements can be thought of as a filing cabinet where each drawer holds a specific kind of key information. Key questions for consideration include:

• What are the elements that you need?
• How do you define the elements?
• Does a common language exist for these elements?
• What is the level of detail and granularity for each element?

[Diagram: Organizational Structure.]

3. Design data structure: How does your data connect? What is and will be the source of truth?

For your data, identify how it connects to other pieces of data to build information.

[Diagram: example hierarchy connecting Exam Type, Member, Module, Violations A and B, Rules 1 to 8, Procedures 1 to 6 and Sections 1 and 2.]

Identify the source of truth and whether the information will be interfaced from another system, is static in a repository, or needs to be created.

4. Link data to technology: How do you enable data element relationships and linkage?

Link Objects, Map Data, Create Relationships

[Diagram: source data elements mapped to MetricStream objects, listed in the order shown on the slide.]

Source data element → MetricStream Object
• Exam Type → Organization
• Member → Auditable Entity
• Module → Risk
• Violation → Reference
• Rules/Regs → Checklists
• Procedures → Task Grouping
• Section → Test Step

5. Gather, scrub, format, and import the data: What are the steps to input, migrate, or interface quality data?

• Gather the data
• Scrub the data to eliminate redundancies and inconsistencies
• Format the data
• Import the data – test run, validate, full run, validate
• Build and test real-time interfaces
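Steps 3 to 5 describe the data work (connect the data, map it to objects, scrub and import it with a test run first) without showing what the checks look like in practice. The following Python script is an added example and is not code from the presentation, from KPMG or from MetricStream. It takes a constructed, deliberately messy export of violations, rules, procedures and sections, scrubs it (whitespace, duplicate ids, rating labels mapped onto a common taxonomy), validates that every record links to a parent of the expected type (the source-of-truth check from step 3), maps each element type onto a target object using a pairing assumed from the step 4 slide, and runs the import as a dry run first, blocking the full run while any problem remains. The field names, the parent rules, the rating synonyms, the object mapping and the sample records are all assumptions for illustration.

```python
"""Scrub, validate and stage legacy GRC records before import.

Added example, not code from the presentation, KPMG or MetricStream. The
record layout, field names, the source-to-target object mapping and the
sample data are constructed assumptions for illustration.
"""
from collections import Counter

# Assumed pairing of legacy element types to target GRC objects, read from
# the two columns of the step 4 slide; a real mapping is agreed per project.
OBJECT_MAP = {
    "violation": "Reference",
    "rule": "Checklists",
    "procedure": "Task Grouping",
    "section": "Test Step",
}

# Assumed hierarchy: which element type each element must hang off.
PARENT_TYPE = {"rule": "violation", "procedure": "rule", "section": "procedure"}

# Common-language taxonomy: every inbound rating must resolve to one of these.
RATING_SYNONYMS = {"h": "High", "high": "High", "m": "Medium", "med": "Medium",
                   "medium": "Medium", "l": "Low", "low": "Low"}

# Constructed sample export from a legacy repository (deliberately messy).
LEGACY_RECORDS = [
    {"id": "V-A", "type": "violation", "name": "Violation A", "parent": None, "rating": "HIGH"},
    {"id": "R-1", "type": "rule", "name": "Rule 1", "parent": "V-A", "rating": "h"},
    {"id": "R-2", "type": "rule", "name": "Rule 2", "parent": "V-A", "rating": "Med"},
    {"id": "P-1", "type": "procedure", "name": "Procedure 1", "parent": "R-1", "rating": "Low"},
    {"id": "P-1", "type": "procedure", "name": "procedure 1 ", "parent": "R-1", "rating": "low"},  # duplicate id
    {"id": "P-2", "type": "procedure", "name": "Procedure 2", "parent": "R-9", "rating": "L"},    # orphan
    {"id": "S-1", "type": "section", "name": "Sect 1", "parent": "P-1", "rating": "Critical"},  # unknown rating
]


def normalize(rec):
    """Trim whitespace and map the rating onto the common taxonomy (None if unmapped)."""
    out = dict(rec)
    out["name"] = " ".join(rec["name"].split())
    out["rating"] = RATING_SYNONYMS.get(rec["rating"].strip().lower())
    return out


def scrub(records):
    """Normalise every record and drop records whose id was already seen."""
    seen, clean, dropped = set(), [], []
    for rec in map(normalize, records):
        if rec["id"] in seen:
            dropped.append(rec["id"])
            continue
        seen.add(rec["id"])
        clean.append(rec)
    return clean, dropped


def validate(records):
    """Return (record id, problem) pairs; an empty list means ready to import."""
    by_id = {r["id"]: r for r in records}
    problems = []
    for r in records:
        if r["type"] not in OBJECT_MAP:
            problems.append((r["id"], "unknown element type"))
        if r["rating"] is None:
            problems.append((r["id"], "rating not in common taxonomy"))
        want = PARENT_TYPE.get(r["type"])
        if want:  # top-level elements (violations) have no parent to check
            parent = by_id.get(r["parent"])
            if parent is None:
                problems.append((r["id"], "parent %s not found" % r["parent"]))
            elif parent["type"] != want:
                problems.append((r["id"], "parent must be a %s" % want))
    return problems


def stage_import(records, dry_run=True):
    """Map clean records onto target objects and count them per object type.

    dry_run=True is the 'test run, validate' pass; only dry_run=False after
    the problem list is empty would hand the records to a real loader.
    """
    problems = validate(records)
    if problems:
        return {"status": "blocked", "problems": problems, "objects": Counter()}
    objects = Counter(OBJECT_MAP[r["type"]] for r in records)
    return {"status": "dry-run" if dry_run else "loaded", "problems": [], "objects": objects}


def run_pipeline(records, dry_run=True):
    """Gather (given), scrub, validate, then stage the import."""
    clean, dropped = scrub(records)
    result = stage_import(clean, dry_run)
    result["dropped_duplicates"] = dropped
    return result


if __name__ == "__main__":
    print(run_pipeline(LEGACY_RECORDS))
```

Run against the sample export, the pipeline drops the duplicate "P-1", then blocks the import because "P-2" points at a rule that does not exist and "S-1" carries a rating outside the agreed taxonomy; once those two records are corrected, the dry run reports how many objects of each target type would be created, and only then is a full run with `dry_run=False` attempted.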

6. Design robust reports: Can you create targeted and analytical reports to meet your business needs?

Defining the structure and foundational elements and relating the data to the objects in the GRC tool culminates in robust reporting and dashboards that provide meaningful analysis.

An integrated GRC reporting system

[Diagram: the GRC Tool integrated with the System of Record/Source of Truth.]

Client Spotlight #1

• Client Challenge:
  • Multiple groups performing divergent and inconsistent examination activities
  • Lack of workflow and documentation repository to enforce completeness of procedures
  • Regulator dissatisfaction with the existing processes
  • Inability to report on examination statuses
• Solution:
  • Migrate to the MetricStream platform to automate the manual processes
  • Define common language and the foundational elements to drive consistency
  • Establish a consistent future state process which incorporates industry leading practices
  • Restructure internal data to align to the future state process, including regrouping of procedures
  • Map data to the MetricStream structure and objects
  • Design reports to provide real-time status of key elements of the examination process
• Benefits:
  • Promote common language in the culture, used daily across the organization, even prior to technology go-live
  • Streamline and automate the processes
  • Provide real-time progress reporting on the examination process

Questions and discussion