Grc (V3) Brown Yarberry For Feb 10th Keynote Presentation

Governance Risk Compliance: A Luxury Good in Hard Times?

2/10/10

Why the GRC emphasis in the last 5-10 years?

• Lots of reasons:

– Worldwide complexity and specialization. Risk is less “bounded.”

– Global trend of transparency for both emerging and industrialized nations.

– The usual suspects (Enron, WorldCom, Madoff, etc.) widely reported; stakeholders demand more accountability.

– Changing structure of work. Industrial management models do not fit today’s less hierarchical, more distributed structures. Appropriate GRC systems provide flexibility while keeping risk in check.

– Higher accountability for the Board of Directors.

– Calls for increased regulation and control spawned by recession.

Is GRC really a luxury good?

• Risks don’t decrease in hard times.

• Cost management is always in style.

• If there was ever a bad time for a major project to fail, that time is now.

• Could be a CLM. Auditors are quick to note declines in governance, and they report to the BOD.

• GRC tools are growing in power and value every day, but “home grown” is better than nothing.

Frameworks & Tools

• Frameworks: mental constructs – not dependent on time, place or technology. Mostly words.

• Tools: programs, databases and other artifacts that allow the framework to be realized.

Select the framework(s) that fits. No need to use all of it. Mix & match OK.

Frameworks often sound like bureaucrat-speak, but when properly implemented, they work ….

CobiT

Common IT framework, accepted by the “Big 4” and other auditing firms as a reliable framework.

Source: CobiT 4.1, Information Systems Audit and Control Association

A Plethora of Governance Mechanisms

Information Systems Control Journal, volume 2, 2008, p. 25

GRC Maturity Model

Match your framework(s) to your IT strategy/architecture – layer by layer

- Network management/monitoring: SolarWinds, WhatsUp Gold

- Alert Logic: IDS

- Alert Logic: Log Manager

- Antivirus: McAfee

- Email spam: Cisco IronPort, Vamsoft ORF, Barracuda

- Approva

- Oracle

- SAP GRC

- Custom SOD reporting, using Excel

- AON Risk Services

- iCIMS Applicant Tracking

GRC is the glue that keeps the architecture together

PMO

The Effective CIO, CRC Press

SDLC – “Post it” Notes for Governance

Let the SDLC anchor your governance processes for projects

Risk Models for Projects

Annual risk assessment

PMO challenges

• Changing the culture.

• Making projects & progress visible to the right people.

• Prevents use of “enhanced” numbers by project sponsors – with no follow up.

• Creates metrics to measure success.

• Develops structure to force logical rather than emotional estimates.

• Enforces the methodology.

PMO Dashboard

PMO History

GRC serves IT, general business processes or both

GRC focus areas

GRC Packages – Narrow Focus/vertical

Examples:

• Applicant tracking system. Office of Federal Contract Compliance Programs (OFCCP) can levy fines if hiring practices are not in compliance.

• Risk tracking (focus on insurance). Feeds from insurance carriers interfaced with fleet information, such as number of miles logged, hours driven, accidents, claims.

GRC packages …. A few suggestions

• GRC touches so many groups – the chances of duplication are high.

• Make sure your package has hooks for customization (SDK, API, etc.).

• Decision point: industry specific or generic package.

GRC package selection is no different from other software – do your due diligence

GRC Package Examples

One off governance examples

Example 1

Example 2

Governance using packages augmented with in-house developed tools

• Reporting and enforcement tightly coupled with real-time events.

• Controls enforcement, credit risk management analytics, SOD, configuration management, fraud alerts, odd behaviors, hierarchical approvals …

Metrics are the raw fuel of good governance

WIP …..

Some examples of improving GRC “on the cheap”

• Use your accounting system to improve granularity of expenditure reporting.

• Create as many accounts/sub accounts as you need.

• “Chunk” projects for better control.

GRC tools include not only software/consulting from providers but also in-house documents and strategies. You can do a lot with existing resources.

• Policies and procedures may be tedious. Yet thinking through P&P forces a useful governance discipline.

• Technical architecture. It can be five pages or five hundred, but you need one. A stable delivery platform requires structure rather than ad hoc decisions in times of stress.

Another in-house example

• Security turnaround document – send an access rights listing to supervisors and have them send back deletions for employees & contractors who are gone or who no longer need specific access (consider it as backup for your primary security process).

Active Management of Contracts

Actively Manage Contracts – a win/win in the long run

• Note that contracts from large vendors are not necessarily fixed in stone. They will often work with you.

• Facilitate negotiations by converting draft vendor contracts in PDF format to an editable document. After both sides reach agreement, the final document can be converted to PDF.

• Set up a repository/tracking system.

• Centralize hardware/software purchases.

• Think through the entity name (corporate entity or subsidiary) used in the purchase, as well as “affinity language” or assignments.

• Insert price lists and price holds if appropriate.

• Work with your vendor to explicitly address auto-renewals.

• Include downturn scenarios in the final agreement.

Actively Manage Contracts – Work with your vendors to:

• Build mutually satisfactory caps on maintenance increases.

• Keep audit clauses reasonable and practical so that your vendor can be assured of compliance but the audit itself is not burdensome.

• Manage the accuracy of data that drives billing. You owe no more and no less than the contract requires. User name changes and confusion between corporate and subsidiary use of software should be monitored.

• Specify explicitly the pricing variance between “true up” and unanticipated growth.

Actively manage contracts

• Routinely include non-disclosure agreements in your contracts (works both ways).

• Work with supplier to lay out contract maintenance going forward.

• Obtain agreement on who owns the code. The decision could go either way, depending on a number of factors.

Some GRC issues are really close to home

www.bsa.org

Getting in front of your auditors

• GRC, including self audits, lets you know where you stand before the audit.

• Aside from fraud investigations, IT audits should not be a surprise … work with IA to separate best practices from essential governance requirements.

Wrap up. In difficult times:

• Don’t let GRC go

• Do your homework (formal analysis) and acquire the tools that fit your business

• Think beyond IT – your enterprise needs GRC (both vertical and horizontal) for many activities

• Maintain/develop PMO

• Develop an architecture/roadmap

• Avoid fragmented/duplicated efforts

• Work with your auditors (internal and external)

Thank You. Questions?