POLITECNICO MILANO 1863
School of Industrial and Information Engineering
Master of Science in Mechanical Engineering

ADDRESSING A SUCCESSFUL IMPLEMENTATION OF A GOVERNANCE, RISK AND COMPLIANCE MANAGEMENT SYSTEM

Candidate: Luca Zaccari
Matr.: 854112
Supervisor: Prof. Guido Jacopo Luca Micheli
Academic year 2015/2016



SUMMARY

ABSTRACT (ENGLISH)
ABSTRACT (ITALIAN)
ACRONYMS USED
EXECUTIVE SUMMARY (ENGLISH)
EXECUTIVE SUMMARY (ITALIAN)

1. INTRODUCTION
   1.1 GRC systems and "silo structures"
   1.2 Tools and guidelines for the selection and implementation of a GRC system
   1.3 Tips for future development

2. GRC SYSTEMS
   2.1 GRC Systems
       2.1.1 GRC drivers and how the need for an integrated GRC arises
       2.1.2 The benefits of an integrated GRC system
       2.1.3 Implementation phase
   2.2 Components of an integrated GRC system
       2.2.1 Governance
       2.2.2 Risk
       2.2.3 Compliance
   2.3 Calculating the ROI of an integrated GRC system
       2.3.1 Cost estimation
       2.3.2 Benefits estimation
       2.3.3 Risk analysis
       2.3.4 Summing up
   2.4 Big Picture for Governance, Risk, and Compliance Platforms
       2.4.1 GRC study
       2.4.2 Existing GRC evaluation and classification systems
       2.4.3 The new evaluation and classification system

3. SILO STRUCTURES
   3.1 What a silo structure is and why it is used
   3.2 The issues of a silo structure

4. PREREQUISITES FOR A SUCCESSFUL IMPLEMENTATION
   4.1 Top management support
   4.2 Risk management system
   4.3 Proactive Risk Management
       4.3.1 Risk: threat or opportunity?
   4.4 Enterprise resilience
   4.5 Nokia-Ericsson Case
       4.5.1 The disruption
       4.5.2 Nokia response
       4.5.3 Ericsson response
       4.5.4 The results and lessons learned
   4.6 Conclusions

5. GUIDELINES FOR A SUCCESSFUL IMPLEMENTATION
   5.1 Motivating and communicating the reasons
   5.2 Creating a common language
   5.3 Basic training on risk management
   5.4 Active staff participation
   5.5 Handle the project in phases

6. SUGGESTIONS FOR FUTURE DEVELOPMENT
   6.1 BYOD Policy
   6.2 Just Culture
       6.2.1 Linate accident, October 8, 2001
       6.2.2 Risk management culture
       6.2.3 How Just Culture works
       6.2.4 Creating the necessary conditions
       6.2.5 What Just Culture can do for integrated GRC systems

7. CONCLUSIONS

BIBLIOGRAPHY

APPENDIX


ABSTRACT (ENGLISH)

This is a literature review project based on the study of integrated GRC systems. It aims to create a document, for companies interested in integrated GRC systems, by collecting and providing useful information about these platforms (their features, implementation prerequisites, implementation tips, etc.).

This should allow companies to select and deepen the topics in which they are more interested and, at the same time, to identify all the elements involved in such a project.

In other words, this should be considered as a preparatory work to be used during the first approach to GRC systems, in order to provide ideas that help the reader to focus on what he considers more important or appropriate for his business reality.

The material consulted to create this document is composed of articles, publications and documents written by consulting companies or experts, and of interviews with CEOs of companies that have successfully implemented an integrated GRC system and make continuous and profitable use of it.

The form and structure of this document have been designed to meet the needs of the readers, making extensive use of lists in order to facilitate reading, and providing business cases or secondary data in order to support the discussion with practical examples.

The overall work is divided into three main parts. The first one is about GRCs (What are they? How do they work? What benefits could they bring? etc.) and the problems of "silo structures", in order to better understand why GRCs represent a valuable tool. This first part also presents two useful documents: a framework created by Forrester to help CEOs in calculating the ROI of an integrated GRC system, and the work "Big Picture for Governance, Risk, and Compliance Platforms", created by Politecnico di Milano, focused on the evaluation and classification systems of GRC platforms. This should provide companies with two valuable tools for addressing the phase of project evaluation and GRC vendor selection, in order to choose the solution that best meets their requirements.

The second part is focused on the implementation phase: after presenting the needed prerequisites, it provides a list of valuable tips for easing the installation phase and helping to prevent risks.

Once the implementation phase has been successfully completed, the company may be interested in finding some way to continue its improvement process. For this reason the last part of the document is devoted to presenting two management techniques particularly aligned with the philosophy and modus operandi of integrated GRC systems. These are: BYOD policies (for managing the use of personal devices for business purposes) and "Just Culture" (regarding the risk management culture and processes).

Keywords: GRC, Implementation, Prerequisites, silo structure, BYOD, Just Culture


ABSTRACT (ITALIAN, translated to English)

This document concerns a literature review study on integrated GRC systems. The aim is to create a document, addressed to companies interested in integrated GRC systems, that collects and provides useful information about these platforms (their features, the necessary prerequisites, some suggestions for their implementation, etc.).

This should help companies select the topics most interesting for their business reality, so that they can deepen them later; at the same time it should allow them to frame all the elements involved in this type of project, so as to have a complete view of the problem and then facilitate the project management activities.

In other words, this document should be used in the preparatory study, during the first approach between the company and integrated GRC systems.

The material used for this project consists of publications by consulting companies or experts and of interviews with CEOs of companies that have successfully implemented an integrated GRC system and make continuous and profitable use of it: this provides not only important suggestions for the implementation phase, but above all testimonies of the advantages these tools have brought to their companies.

The form and structure of this document have been designed for the audience it is created for: lists will be used frequently to try to facilitate reading, and practical examples (secondary data or business cases) to support the discussion.

The overall work is divided into three parts. The first part deals closely with integrated GRC systems (what they are, how they act, what advantages they can bring, etc.) and with the problems of the so-called "silo" company structures, in order to better understand why GRCs are considered valuable tools.

In this first section two useful documents are also presented to the reader: a framework created by Forrester to calculate the ROI of a GRC platform, and the work "Big Picture for Governance, Risk and Compliance Platforms", focused on the evaluation and classification systems of GRC platforms. This should give companies two important tools for the phase of project evaluation and selection of the offer or GRC vendor best suited to their situation.

The second part concerns the implementation phase: after presenting the necessary prerequisites, practical advice follows for completing the installation more smoothly and preventing some risks.

Once the implementation has been successfully completed, the company might be interested in identifying and evaluating opportunities to complete the improvement process begun with the adoption of the new integrated GRC system.

For this reason the last part is devoted to presenting two management techniques particularly aligned with the philosophy and practices of GRC systems. They therefore represent an opportunity to support and complete the new system and, at the same time, to exploit synergies and affinities to make the implementation phase particularly smooth and advantageous.

The two techniques in question are: the BYOD policy (Bring Your Own Device: concerning the management and use of personal devices for work activities) and the so-called "Just Culture" (concerning the culture and processes of risk management).

Keywords: GRC, Implementation, Prerequisites, Silo structures, BYOD, Just Culture


ACRONYMS USED

ANSV   Agenzia Nazionale per la Sicurezza del Volo
CEO    Chief Executive Officer
CFO    Chief Financial Officer
CIO    Chief Information Officer
COO    Chief Operating Officer
CRO    Chief Risk Officer
ERM    Enterprise Risk Management
FMEA   Failure Mode and Effects Analysis
FMECA  Failure Mode, Effects and Criticality Analysis
GRC    Governance, Risk, and Compliance
ICT    Information and Communication Technology
IT     Information Technology
KPI    Key Performance Indicator
OCEG   Open Compliance and Ethics Group
ORM    Operational Risk Management
ROI    Return On Investment
SCRM   Supply Chain Risk Management
SVM    Sourcing & Vendor Management


EXECUTIVE SUMMARY (ENGLISH)

Over the years, the use of new business management systems called GRC (Governance, Risk and Compliance) has been gaining ground and spreading. This document intends to support companies interested in integrated GRC systems by providing all the information needed to properly frame all the elements involved in such a project. In other words, it should be considered as a preparatory work to be used during the first approach to GRC systems, in order to provide ideas that help the reader to focus on what he considers more important or appropriate for his business reality.

The material used to create this document comes from publications and from interviews with CEOs of companies that have successfully implemented an integrated GRC system and make continuous and profitable use of it.

This project aims to cover all the phases that a company goes through from the time it discovers the need to adopt an integrated system until it successfully implements it. In order to do so, the document has been divided into three main steps:

1. Show the potential of GRC systems as tools to improve business performance and solve some problems typical of a "silo structure".

2. Provide tools and guidelines for the selection and implementation phases, so that the company can take these steps in a more conscious way.

3. Provide cues to continue the improvement process and enable the company to make the most of the investment in the new GRC system.

Let's start by clarifying what GRC systems are and how they work. Their purpose is to reorganize the corporate structure and modus operandi in order to improve their efficiency and effectiveness through better resource utilization, waste reduction, improved internal communication management, and by providing top management with a stream of information that is always complete and up to date to support the decision-making process.

This requires, first of all, the creation of a centralized system for gathering, analyzing and storing information, which becomes the backbone of the whole enterprise and enables it to capitalize on the company's knowledge. All departments will need to collaborate by supplying the information system with data coming from their respective fields, allowing better visibility and control, freeing internal resources used for unnecessary duplication of functions, and exploiting opportunities and synergies that may have remained hidden.

The next step is to integrate Risk Management and Governance Management into all the other operations carried out inside the company. The underlying idea is that risk management and regulation are the functions that usually show an inefficient use of corporate resources. Some experts argue that these two processes, despite the fact that they concern all areas of the enterprise, are often carried out in an improvised and unstructured way, all complicated by the fact that communication between departments is often lacking and difficult.

One of the purposes of GRC is to improve internal communication within the company and to ensure that risks and standards are managed in a structured and conscious way, as a homogeneous component of all the other operations; this should ease company management and at the same time effectively protect the organization against risks and their consequences.

As we might already guess, although GRCs can be considered an IT system, they are actually a new method of managing, and therefore require training and involving staff at all levels and, at the same time, redesigning the structure of the company in order to eliminate the so-called "silo structure".


For these reasons, it is clear that the implementation of an integrated GRC system is very complex and costly from different perspectives, and it is therefore important to share all the information and experience useful for successfully completing such a project.

For this reason, one of the main purposes of this work is to collect material from publications or from companies that have successfully adopted an integrated GRC system, and to provide guidelines for companies that want to tackle such a project.

As a result, a Literature Review structure has been chosen, with a form as straightforward and practical as possible, in order to meet the needs of the readers for whom it is created.

Thanks to the testimonies of the CEOs of some Italian companies, we can provide some examples of how a company usually discovers the need to adopt an integrated system; this should give the reader an opportunity to make a first comparison with the business reality of his own company.

In Italy, the first areas adopting GRC systems are the Finance sector, mainly concerned with security and risk management, and the Telecommunications sector, mainly concerned with compliance.

In the industrial field this topic is still relatively new, but we can see an ever-growing interest in GRC systems, mainly linked to the need for greater control and flexibility.

Within a company, usually the sector that first shows the need for more structured procedures is the compliance function, which is often carried out in an improvised way, resulting in an inefficient use of resources. In fact, as the level of complexity increases (due to the frequency with which standards are updated, the increased number of regulations to which the company adheres, etc.), the need to create a more structured system arises.

Among the various options available, top managers can consider the adoption of an integrated GRC system in order to act on the entire company (rather than meeting just the need raised, for example, by the compliance function), by creating an integrated system capable of identifying and eliminating the root causes of many problems and thus bringing great benefits to the whole organization. Once the company (usually the CEO) shows an interest in adopting a GRC system, a formal proposal must be submitted to the board of directors.

For this reason, a framework created by Forrester for calculating the ROI of an integrated GRC platform is presented to the reader; its aim is to help the CEO in creating a document to be presented to the company's board of directors in order to support the proposal to adopt an integrated GRC.

The framework suggests articulating the document in three parts:

1. Identifying and quantifying costs (contains an in-depth discussion of how to estimate costs and what alternatives might be available to the top manager).

2. Identifying and quantifying the obtainable benefits; Forrester divides them into three categories: Efficiency, Risk Reduction and Strategic Performance (Figure 1). Although the benefits of the first two categories can be easily quantified in terms of saved hours, reduction of management costs or mitigation of consequences, the "Strategic Performance" group appears more difficult to express with quantitative indicators. For this reason, Forrester identifies two types of flexibility: Extensibility of Investment (which guarantees savings in case of future integration of new packages within the GRC system) and Agility in Business Support (which assures advantages and savings in case of integration with new suppliers, partners or workforce) (Figure 2).

3. Project-related risk identification, divided into 4 categories: Unforeseen costs and delays, Resistance to adoption by users, Integration problems with pre-existing IT platforms, and finally what Forrester calls "Vendor Viability". This last category includes the risks that arise when the relationship with a supplier becomes vital for the success or failure of a product, project or business model. This implies that the company can initially handle the risk "directly", for example by identifying the most robust vendors and choosing the most suitable one for establishing a long-term relationship. The company, however, may not have the chance to perceive the actual risk or vulnerability of its vendor, thus exposing itself to serious risks or consequences should the vendor suffer a disruption as a result of accidents or poor strategic choices.

Figure 1: Types of benefits of an integrated GRC system (Source: Forrester Research, Inc.)

Figure 2: Components of "Strategic Performance" (Source: Forrester Research, Inc.)


From this framework, the reader can already have a more precise idea of the practical benefits that his company might get from using these systems and of the order of magnitude of the expected costs, thus preparing for a preliminary cost/benefit analysis.

In the final part of this first section, the work of the Politecnico di Milano "Big Picture for Governance, Risk and Compliance Platforms", created by Andrea Brusa Perona, Ing. Guido Jacopo Luca Micheli and Prof. Enrico Cagno and focused on GRC evaluation and classification systems, is briefly presented.

After identifying the strengths and limitations of the existing classification systems, the authors created a new one by collaborating with some GRC vendors and with some companies interested in adopting a GRC or already using one.

Their primary purpose was to support companies in choosing a GRC system by identifying the key features that drive the choice of the platform that best suits their needs, while at the same time helping GRC vendors to show the potential and peculiarities of their products.

This should provide the reader with the necessary information about the tools required to select the most suitable platform.

At this point, to conclude the introduction to integrated GRC systems, we can try to better contextualize these tools by looking at the conditions in which they have been developed and which problems they aim to solve (issues related to the use of heavily siloed structures).

For this reason, it is useful to address a brief discussion of "silo structures", which today represent the most widespread reality in many medium-large enterprises. The first step is to present the needs and the processes that led to the creation of such structures.

Nowadays companies operate in increasingly complex environments, characterized by multiple sources and types of uncertainty; organizations are therefore interested in easing business management by trying to filter uncertainties, thus creating a determined scenario in which to conduct operations more smoothly and, at the same time, tuning the processes to make them as efficient as possible.

In order to do so, the company identifies the so-called "core functions" (what it considers the main activities that create value in the product; this applies to both manufacturing companies and service providers) and "protects" them using the other processes in order to manage and filter the uncertainties.

By doing this, the core functions can operate in a predictable and stable environment (although this does not correspond to the actual context in which the company operates, characterized by various forms of uncertainty that are then filtered by the other "buffer functions"); this should allow the company to increase its efficiency and reduce costs, all resulting in an increase of the profit margin.

The following figure (Figure 3) should help to understand what has just been said: the central rectangle represents the "core functions", the ellipses represent the "bearing functions" and in bold are some examples of uncertainties affecting the company.


Figure 3: Schematic representation of a "silo structure" (Source: Industrial Risk Management Course)

The main downside is that the various functions work autonomously, each with its own hierarchical structure and local objectives (which might conflict with each other; a classic example is the management of stock level: the production manager will tend to maintain a high level of stock in order to deal with any unexpected demand fluctuation, while the stock manager will be interested in keeping the stock volume as low as possible in order to contain management costs).

The first consequence of conflicting goals is the use of resources for processes that act in opposition, causing not only a loss of efficiency but sometimes also a loss of effectiveness, resulting from the failure to properly manage the problem in order to find the optimal trade-off condition.

The factor that further complicates this situation is the inadequate management of internal communication, which can lead to two types of problems.

We can define the first one as "lack of vertical communication", in which top management has poor visibility of the organization, reducing its awareness of what resources the company has and where they have been allocated, and resulting in increased difficulty in assigning local goals and tracking their progress (all this may lead to situations like the one with conflicting objectives described earlier).

We can define the second one as "lack of horizontal communication", in which delays and missing communications between departments create circumstances where problems develop unnoticed, thus hampering risk management processes in all their phases (identification, analysis, mitigation, control).

In some business realities, we can see some "extreme" situations where risk and compliance management roles are seen as the figures that try to "put the brakes on" strategic business decisions, and are therefore not included in that process. This is surely one of the biggest mistakes an organization could make, because the compliance and risk management functions are the ones most capable of identifying all the implications and relevant factors involved in the decision the company is evaluating, thus enabling the decision-making process to take strategic and conscious choices and improving the chance that they will prove successful.

Among the examples included in this section there is also the "Mattel case" of 2007, in order to allow the reader to better understand the magnitude of the possible consequences arising from a loss of visibility and monitoring.


The importance of this overview about "silo structure” and its problems allows thereadertounderstandtheneedsthatledtothedevelopmentanduseofGRCs,whichentrusttointernal communication management a key role in allowing the company to operateefficiently and affectively in very complex environment, having better awareness of itspotential,internalandexternalrisksandimplementedprotections.

Thenextstepistoidentifytherequirementsneededforasuccessfulimplementation.Aswepointedoutatthebeginningofthisdocument,GRCsrequireanevolutionofboth

thecorporatestructureandallthestaffso,inordertosupportthecompanyinenduringtheeffort,itisnecessarytohavetheconvincedandtotalsupportofhighmanagementcombinedwithacertainlevelofbusinessmaturity.

Thislatterconceptmainlyconcernsriskmanagementcultureandproceduresusedbytheorganizationandsohasbeenidentifiedsomeconceptscapableofassessingthe“maturitylevel”ofthecompany.

The requirements identified by consulting the publications of experts and managers are listed below:

1. Own and use a consolidated risk management system;

2. Conduct proactive risk management;

3. Be aware that operational risk can be both a threat and an opportunity;

4. Know the importance of corporate resilience, how to build it, and its value from a proactive perspective.

Point 1 can be considered the real essential requirement for attempting the implementation; however, points 2 to 4 are important in order to use the new integrated GRC system more properly and take full advantage of its potential, enabling the company to fully exploit the investment and achieve the benefits mentioned in this document.

To support the discussion in this section and to give the reader a testimony of the potential and benefits of proactive risk management, and of how an operational risk (which looks like a threat) can be transformed into an opportunity, the Nokia-Ericsson case of 2000 is presented.

At this point some "practical tips" for managing a GRC implementation are provided, presenting a collection of successful procedures for a smooth and conscious implementation.

The material used to create these best practices comes primarily from interviews given by CEOs of companies that have successfully implemented a GRC platform and are making continuous and profitable use of it, and who can therefore appreciate and testify to the benefits it has brought to their organization.

We can now list the suggested procedures:

1. Being able to communicate the reasons for adopting a GRC system and to motivate the staff. This point basically consists of motivating the staff to participate in the implementation of the new system, but also to use the system effectively once normal operating conditions are restored. In fact, the way and the extent to which workers interact with the new system will substantially decide the success (correct and continuous use of the system) or failure (creation of different, "unofficial" communication channels, thus losing the flow of information on which GRCs base all their processes) of the project/investment;

2. Creating a common vocabulary in all sectors of the company. In fact it may happen that different departments use the same word with two different meanings, making it necessary to create a common language for all the corporate functions that now have to communicate and cooperate in feeding the new centralized information management system;

3. Training the staff (ideally all of them, but in practice it is enough to select just the workers in charge of interacting with the information system) in the fundamentals of risk management (and perhaps also regulatory management, if it is particularly important for the company's business), in order to make them able to recognize all the useful information and be aware of its value, thus potentially increasing the amount of data collected and processed;

4. Active staff involvement in creating the structure of audits and of the forms for data entry. This should make the staff feel more involved and motivated to use a system they have helped to create rather than seeing it "imposed" from the top; at the same time this should prevent the risk of creating a difficult and uncomfortable system interface, thus avoiding the problems identified in point 1;

5. Step-by-step project management: some CEOs suggest conducting the implementation in small steps. As we said, this process involves the entire organization, but given limited resources and the need to maintain business continuity, the best approach seems to be to take one department at a time, integrate it into the new system (software/hardware implementation and staff training) and then move on to the next one, building the final form step by step.

Once the implementation phase has been successfully completed and the organization has restored normal operating conditions, the company may be interested in finding some tools or management techniques to continue the improvement process begun with the adoption of an integrated GRC system.

For this reason the last part is devoted to presenting two management techniques particularly in line with GRC's philosophy and procedures, which may therefore represent an interesting and easy way of integrating and complementing the new system, taking advantage of some synergies.

The two methodologies are the BYOD policy and the so-called "Just Culture".

The BYOD policy deals with the use of personal devices for business purposes, with the aim of increasing productivity while maintaining an adequate level of security and data protection. This subject is particularly delicate and carries some difficulties; for this reason, over the years, several initiatives have followed one another: BYOPC (Bring Your Own PC), BYOP (Bring Your Own Phone), BYOT (Bring Your Own Technology), BYOD (Bring Your Own Devices), presenting an increasingly difficult challenge for IT security, which today needs to develop security solutions while dealing with a large number of products (smartphones, computers, tablets, etc.) and versions (different brands and operating systems) that change at a dizzying pace.

For this reason BYOD has been used in this document to present the whole set of related management techniques, focusing on just three of them: MAM (Mobile Application Management), MDM (Mobile Device Management) and MEM (Mobile Expense Management). In a BYOD setting the distinction between the first two matters: MDM places the whole device under corporate management, which employees may resist on a device they own, while MAM confines the controls to the corporate applications and the data they hold.

We can expect the use of personal devices to bring great benefits to GRCs by motivating staff to use their own devices (with which they are more confident) to interact with the central information management system in a more comfortable, quick and frequent way, and therefore we can expect an increase in the amount of data collected and analyzed. The flip side is that risk and compliance data then travel to devices the company does not own, so the BYOD controls mentioned above also decide who can read the GRC system's content.

"Just Culture" was born in the aeronautics field (in particular with regard to air traffic safety management) and concerns the creation of a business culture centered on proactive risk management.

The discussion begins with an extract from the article "Trasporto aereo. Imparare dagli errori. Ecco cos'è la just culture" (in English: "Air Transport. Learn From Errors. Here is the Just Culture") by Patrizio Paolinelli (Wordpress), to show how important it is to build the risk management system on a "healthy" risk culture. It also tries to explain why it would be so important to bring this (Anglo-Saxon) mentality into our country, in order to finally contribute to the cultural change necessary for creating a proactive and proficient risk management system capable of guaranteeing an adequate level of protection in particularly complex environments such as aeronautics (and some industrial fields such as power plants, oil platforms, state-of-the-art facilities, etc.).

These techniques also allow organizations to reach high levels of protection and risk prevention in many areas, thus responding to the increasingly widespread need for proactive risk management.

"Just Culture" requires first of all the creation of structured procedures for risk management through a common effort and the collaboration of all the hierarchical levels of the company, all supported by regulations and other useful resources.

It is very important that risk management processes are built on a risk culture capable of identifying its priorities and objective (its only concern has to be risk prevention/protection; any other goal would just reduce its performance), knowing all the tools that might be useful to perform its tasks and also knowing the value and potential of prevention and asset reliability. This is more or less what we highlighted as requirements for the successful use of a GRC system, so we can find a first sign that "Just Culture" and GRC's risk component are well aligned.

The second step requires the creation of a system for collecting and analyzing safety data defined as "voluntary reports". These are usually minor events (minor failures or minor anomalies found during operations or maintenance, or the so-called "near misses", events that could have resulted in accidents but were interrupted before they could bring serious consequences) whose reporting the legislation considers non-mandatory.

These data are extremely valuable, in particular in complex systems (in which we may have different actors, procedures and systems interweaving and collaborating), because it is practically impossible to predict all the possible situations in which an accident may occur. These reports can highlight criticalities that under certain conditions could lead to serious consequences.

We therefore understand that we are dealing with a real treasure of information, which could also help, for example, in health and safety operations and asset protection (basically systems reliability).

However, in order to establish this information gathering system, the organization has to create a relationship of mutual trust between the various levels of the company.

In fact, although these data are entered into the system following precise procedures to protect the privacy of the people involved (personal information is removed, but general information is used to classify and analyze the event; for example the report describes the role of the people involved, e.g. pilot, mechanic, etc., and the type of system, e.g. airplane X, machine Y, etc.), it may still be possible to identify the people mentioned.

For example, consider a small airline in which only two pilots are trained and assigned to fly aircraft XY, or a small company where there is only one milling machine. If the report is about a "near miss" event that happened to aircraft XY or to the milling machine, it would be straightforward to trace who might have committed and "anonymously confessed" the mistake. Removing names is therefore not enough: the attributes that remain (role, system, date) act as quasi-identifiers, and the number of people who share them determines whether the report is really anonymous.

It is therefore extremely important that, except in cases of abuse, malicious intent or serious negligence attributable to an individual (who will be properly prosecuted), these reports are used exclusively for risk management purposes and never to identify and prosecute the persons involved.
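The two-pilot airline and the single milling machine are a re-identification problem: the fields kept for classification (role, system) are quasi-identifiers, and a report is only anonymous if enough people share them. The following is an added example, not part of the thesis, of one way a GRC system could check a voluntary report before releasing it for analysis: it counts how many staff on a roster match the report's role and system, and coarsens those fields (aircraft XY becomes "aircraft", then any system; then any role) until at least k people match. The roster, the generalization hierarchies and the threshold k=5 are constructed assumptions for the example, not data from the thesis.

```python
"""Re-identification check for de-identified voluntary safety reports (added example)."""
from typing import Dict, List, Tuple

# Constructed staff roster for the small-airline / small-workshop scenario:
# one (role, system) tuple per person. No real organization is described.
ROSTER: List[Tuple[str, str]] = (
    [("pilot", "aircraft XY")] * 2              # only two pilots fly aircraft XY
    + [("pilot", "aircraft AB")] * 6
    + [("mechanic", "milling machine Y")] * 1   # a single milling-machine operator
    + [("mechanic", "lathe Z")] * 2
    + [("dispatcher", "ops desk")] * 4
)

# Generalization hierarchies (assumed for the example): each value maps to a
# coarser one; "*" is the top level and matches everyone.
SYSTEM_HIERARCHY: Dict[str, str] = {
    "aircraft XY": "aircraft", "aircraft AB": "aircraft",
    "milling machine Y": "machine tool", "lathe Z": "machine tool",
    "aircraft": "*", "machine tool": "*", "ops desk": "*",
}
ROLE_HIERARCHY: Dict[str, str] = {"pilot": "*", "mechanic": "*", "dispatcher": "*"}


def matches(value: str, category: str, hierarchy: Dict[str, str]) -> bool:
    """True if a roster value falls under `category` at some level of the hierarchy."""
    while True:
        if category == "*" or value == category:
            return True
        if value not in hierarchy:
            return False
        value = hierarchy[value]


def candidate_count(role: str, system: str, roster=ROSTER) -> int:
    """Number of staff whose assignment is consistent with the report's quasi-identifiers."""
    return sum(
        1 for r, s in roster
        if matches(r, role, ROLE_HIERARCHY) and matches(s, system, SYSTEM_HIERARCHY)
    )


def anonymize(report: Dict[str, str], k: int = 5, roster=ROSTER) -> Tuple[Dict[str, str], int]:
    """Coarsen the report's role/system fields until at least k staff match them.

    The system field is generalized first (its coarser levels still carry safety
    value), then the role. Returns the releasable report and the candidate count;
    raises ValueError if even the fully generalized report cannot reach k.
    """
    role, system = report["role"], report["system"]
    while True:
        n = candidate_count(role, system, roster)
        if n >= k:
            return dict(report, role=role, system=system), n
        if system != "*":
            system = SYSTEM_HIERARCHY[system]
        elif role != "*":
            role = ROLE_HIERARCHY[role]
        else:
            raise ValueError(f"cannot reach k={k}: only {n} staff in roster")


if __name__ == "__main__":
    near_miss = {"role": "pilot", "system": "aircraft XY", "event": "near miss on approach"}
    print("raw report matches", candidate_count(near_miss["role"], near_miss["system"]), "people")
    released, n = anonymize(near_miss, k=5)
    print("released as", released, "matching", n, "people")
```

A report that has to be generalized all the way to role "*" and system "*" before it reaches k tells the safety office something too: in that organization the event can only be released as "a near miss occurred", or after a delay, or aggregated with other reports, if the promise of anonymity is to hold.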


Here we reconnect with what was said before: in our country it would be extremely important to bring in a mentality of this type, capable of understanding that the pursuit of a scapegoat is not useful to anyone, while a management approach like the one just presented does not aim to let the guilty walk free for the sake of safety, but is able to attribute responsibilities to all the people involved and at the same time to contribute actively to the prevention of accidents.

We may expect "Just Culture" to bring several benefits to the company's GRC system, first of all by completing and supporting its risk management culture (Risk function), which considers proactive risk management a priority.

Secondly, the collection and analysis of voluntary reports could not only bring benefits to the risk management and compliance functions, but may also encourage staff to contribute actively by reporting any particular event, thus increasing the awareness and responsiveness of the entire organization, potentially in any area.

This concludes the present work; we hope that it can prove useful as a consultation document for companies interested in GRCs, providing the necessary insights to deepen the various themes and contribute to a successful and profitable implementation of these systems.

We also hope that this document will become the starting and contact point for a set of successive works, each one focused on one of the different themes addressed here only superficially.

Among the topics that seem more interesting and less tackled today, we think that the identification and analysis of management techniques (such as the two we just mentioned) particularly aligned with GRC systems could be very useful to discover and spread interesting opportunities for completing and enriching these valuable integrated systems.


EXECUTIVE SUMMARY (ITALIAN)

In recent years the use of new enterprise management systems called GRC (Governance, Risk and Compliance) has been gaining ground and spreading.

This document aims to support companies interested in integrated GRC systems by making available the knowledge that can be gathered from publications and from interviews with CEOs of companies that have successfully implemented a system of this kind and use it continuously over time.

The primary purpose of this project is to create a summary work capable of helping companies identify and become aware of all the elements that come into play from the moment an enterprise shows interest in adopting an integrated GRC system. In other words, this document should be used in the initial phases, when a company is trying to understand better both what GRCs can bring to its own working reality and what the necessary requirements may be, not only for a successful implementation but also to create the right conditions for complete and profitable use.

We will therefore try to give readers important pointers for further study, so that they can focus on what they consider most important or suitable for their own company and carry out the main steps, such as vendor selection and the actual implementation of the new system, in a more informed way.

This project intends to cover all the phases a company goes through from when it first finds itself interested in an integrated system until it implements it successfully.

The document has three main objectives:

1. Show the potential of GRC systems as tools to improve company performance and solve some typical problems of a "silo" structure;

2. Provide tools and guidelines for the selection and implementation phase, so that these steps can be carried out in a more informed way;

3. Provide ideas for continuing the continuous improvement process and allow the company to make the most of the investment made in the new GRC system.

Let us begin by clarifying what GRC systems are and how they work. Their purpose is to reorganize the company's structure and modus operandi in order to improve its effectiveness and efficiency through better use of resources, the elimination of waste (unnecessary duplication of processes), better management of internal communication, and by providing top managers with an always complete and up-to-date flow of information to support the company's decision-making process.

This first of all requires the creation of a centralized system for collecting, analyzing and storing information, which will in fact become the backbone of the new company structure, allowing the organization to make the most of its own knowledge.

All company departments will therefore have to collaborate by feeding the information system with information from their respective fields, thus allowing the company to have better visibility and control over the resources employed, in order to eliminate useless duplication of functions and exploit opportunities and synergies it may not have been aware of.

The next step is to take the risk management (Risk) and regulatory compliance management (Compliance) functions and make them an integral part of all operations carried out in the company.

The underlying idea is to consider risk management and regulatory management as the functions that usually show an inefficient use of company resources.


Some experts in fact maintain that these two processes, although they touch all areas of the enterprise, are often carried out in an improvised and unstructured way, all complicated by the fact that communication between departments is often lacking and difficult.

One of the purposes of GRCs is precisely to improve the company's internal communication and ensure that risk and regulatory management are conducted in a structured and conscious way, as a homogeneous component of all operations, thus allowing the enterprise to manage itself better and at the same time protect itself more effectively from risks and their consequences.

As one might already guess, although GRCs present themselves as IT systems, they are in reality a new management method in every respect, and as such they require a great deal of training and involvement of staff at all levels, combined with a redesign of the company structure (overcoming the structure defined as "silos").

For these reasons it is evident that the implementation of an integrated GRC system will be very complex and costly from several points of view; it therefore becomes important to share all the information and experience useful for successfully completing a project of this kind.

The present work was born precisely with the aim of collecting material from expert publications or from the experience of companies that have successfully adopted an integrated GRC system, in order to provide guidelines to enterprises intending to undertake a similar project.

Consequently it was decided to adopt a Literature Review structure and a form as direct and practical as possible, to meet the needs of the audience for which it is intended.

Thanks to the testimony of some Italian top managers, some examples are given of how the need to resort to an integrated and structured system usually arises in a company, in order to give the reader some opportunities for comparison with their own company.

In Italy the sectors that are opening up first to the adoption of a GRC system are Finance, mainly interested in security and risk management, and Telecommunications, more interested in the compliance aspect.

In the industrial field the subject is still relatively new, but a push in that direction is perceived, linked above all to a need for greater control and flexibility.

Within companies, the area from which such a need most frequently arises is regulatory management, which is often carried out in an unstructured manner and therefore leads to an inefficient use of resources; as the level of complexity increases (frequency with which regulations are updated, growth in the number of regulations the company adheres to, etc.), the need arises to create a structured, orderly and more easily controllable system.

Among the various options available to the top manager are precisely the GRCs, which make it possible to exploit the opportunity offered by having to respond to a specific need (such as the one just shown) to decide instead to act at the level of the entire company, creating an integrated system capable of identifying and managing the root causes responsible for various problems and thus bringing great benefits to the whole enterprise.

Once the company (usually the CEO) identifies a need for or interest in adopting a GRC system, a proposal will have to be prepared and submitted to the board of directors.

For this reason the reader is presented with the Forrester framework for calculating the ROI of an integrated GRC platform; its purpose is to help the CEO prepare the document to be presented to the company's board of directors in support of the request to adopt an integrated GRC.


The framework suggests structuring the document in three parts:

1. Identification and quantification of costs (an in-depth discussion is provided of how to estimate costs and what alternatives the top manager might have available);

2. Identification and quantification of the obtainable benefits, which Forrester divides into 3 categories: Efficiency, Risk Reduction and Strategic Performance (figure 1). While the benefits offered by the first two categories can be easily quantified in terms of man-hours saved, reduced management costs or mitigated consequences, the "Strategic Performance" group appears more difficult to represent with quantitative indicators. For this reason Forrester identifies two types of flexibility: GRC extension flexibility (which guarantees savings if new packages are to be integrated into the GRC system in the future) and Business agility flexibility (which guarantees resource savings in various kinds of commercial operations, such as a merger with a partner) (figure 2);

3. Identification of the risks linked to the project, divided into 4 categories: costs and delays due to unforeseen events, user resistance to adoption, integration problems with pre-existing IT platforms, and finally what Forrester calls "Vendor Viability". This last category includes the risks one is exposed to when the relationship with one's supplier is given vital importance for the success or failure of a product, project or business model. This implies that the company can initially manage the risk directly, for example by identifying the vendor with the most solid profile and the highest probability of maintaining a lasting relationship over time; however, the company might not be able to perceive its supplier's real risk appetite or vulnerabilities, thus exposing itself to the risk of finding itself without support should the vendor suffer an interruption of activity following incidents or wrong strategic choices.


Figure 1: Examples of benefits divided into 3 categories: Efficiency, Risk Reduction and Strategic Performance (Source: Forrester Research)

Figure 2: Examples of strategic performance considering two types of flexibility (Source: Forrester Research)

From this the reader could already form a more precise idea of the practical benefits their company could obtain from using these systems and of the order of magnitude of the expected costs, and could thus work out a preliminary cost/benefit analysis.


In the final part of this first section of the document, the work "Big Picture for Governance, Risk and Compliance Platforms" of the Politecnico di Milano by Andrea Brusa Perona, Ing. Guido Jacopo Luca Micheli and Prof. Enrico Cagno, which analyzes the existing classification systems for GRC platforms, is briefly presented.

The authors, after identifying the strengths and limitations of the existing classification systems, developed a new one in collaboration with some GRC vendors and some companies interested in adopting a GRC or already using one.

Their primary aim was in fact to support companies in choosing a GRC system by identifying the main characteristics that guide the choice of the platform best suited to their needs, and at the same time to help GRC vendors showcase the potential and peculiarities of their products.

This should give interested companies the information they need to know the tools that can help them select the GRC platform best suited to their needs, using one or more of the available classification systems.

At this point the introduction to integrated GRC systems can be considered complete, having shown their potential and some tools for evaluating their applicability to one's own company.

As is now clear, GRC systems were created to respond to some rather specific needs, but being able to better contextualize the environment in which they were developed can contribute to a greater understanding of them.

For this reason it is useful to briefly discuss the company structure defined as "silos", which today represents the most widespread reality in many medium-large companies.

The first step is to present the needs that led to the creation of structures of this type.

Companies operate in increasingly complex environments characterized by multiple sources and types of uncertainty; enterprises therefore sought to lighten company management by trying to filter the uncertainties, thus creating a determined scenario in which to work in conditions as stable as possible, refining processes to make them as efficient as possible.

To do this the company identifies, among the functions it performs, the so-called "core functions" (those the company considers the main activities that create value in the product; this holds both for manufacturing enterprises and for service providers) and "protects" them by using the others to manage and filter uncertainties.

In this way the "core functions" can operate in a determined and predictable environment (even though this does not correspond to the real context in which the company operates, which is instead characterized by various forms of uncertainty suitably filtered by the other "buffer functions"), so as to make them as efficient as possible and allow a reduction in costs and a consequent increase in profit margin.

In the following figure (figure 3) an example of a "silo" structure can be seen: the central rectangle represents the "core functions", the ellipses represent the "buffer functions", and some examples of uncertainties affecting the company are shown in bold.


Figure 3: Example of a company structure defined as "silos" (Source: Industrial Risk Management course)

The other side of the coin is that the various functions operate autonomously, each with its own hierarchical structures and local objectives, which might conflict with one another (a classic example is the management of warehouse stock levels, whether raw materials, semi-finished or finished products: the production manager will tend to keep a high level of stock to cope with unforeseen events or demand fluctuations, while the warehouse manager will be interested in keeping stock volumes as low as possible to contain management costs).

The first consequence of conflicting objectives is undoubtedly a use of resources that act in opposition, resulting not only in a loss of efficiency but sometimes also in a loss of effectiveness, since if the problem cannot be considered from a more detached point of view it will not be possible to manage it adequately (that is, to find an optimal trade-off between the two positions).

The factor that further complicates things is the management of communications between the various departments: delays and communications that never arrive create circumstances that we can divide into two categories.

The first category can be defined as "lack of vertical communication", in which middle and senior management fail to get good visibility of how the operations of the various departments are carried out. This entails a series of difficulties, for example in identifying and allocating resources (risk of resources that operate in opposition) or in assigning local objectives and tracking their progress (risk of objectives that conflict with, or are not aligned with, the company's global objectives).

The second category can be defined as "lack of horizontal communication", in which delays and missed communications create conditions in which problems and risks develop unobserved, and the readiness to identify, evaluate and take any corrective measures can be lost.

In some companies the extreme situation is reached in which the risk and regulatory management functions are seen as figures that "slow down" the company when strategic choices have to be made, without understanding that the only way to make conscious choices is to use these processes to identify all the relevant factors and thus increase the chances of making conscious and winning choices.

Among the examples included in this section there is also the 2007 Mattel case, included to allow the reader to better identify the possible consequences arising from communication and visibility problems, possibly recognizing some of the problems already experienced in their own company and thus having further confirmation as to whether or not it makes sense for their organization to consider using a platform of this type.

This overview of the "silo" structure and its problems allows the reader to understand the needs that led to the birth and use of GRCs, which entrust the management of the internal information flow with a key role in allowing the company to operate efficiently and effectively, with a better awareness of its own potential, of its risks (internal and external) and of the protections implemented.

The next step concerns identifying the requirements needed for a successful implementation.

As we pointed out at the beginning of this document, GRCs require an evolution of both the company structure and the internal staff, and to allow the company to withstand the effort, the convinced and total support of senior management combined with a certain level of company maturity is necessary.

This last concept mainly concerns the operational risk management system and culture used by the company, and some concepts capable of "measuring" the enterprise's maturity are presented. The requirements identified, thanks also to material from some experts and managers who have successfully implemented a GRC, are:

1. Own and USE a consolidated risk management system;

2. Conduct proactive risk management;

3. Be aware that operational risk can be both a threat and an opportunity;

4. Know the importance of corporate resilience, how to build it, and its value from a proactive perspective.

Point 1 can be considered the real essential requirement for attempting the implementation; however, points 2 to 4 are important in order to use integrated GRC systems more correctly and exploit their full potential, allowing the enterprise to make the investment pay off and achieve the benefits outlined in this document.

To support the discussion in this section, give the reader a concrete idea of the benefits deriving from proactive risk management, and offer a testimony of how a risk can be turned into an opportunity, the Nokia-Ericsson case of 2000 is presented.

At this point we can move on to the "practical tips" for managing a GRC implementation, presenting a collection of procedures that have proved successful for an implementation that is as smooth and free of surprises as possible.

The material used to create these best practices comes mainly from interviews given by CEOs of companies that have successfully implemented a GRC platform and make continuous use of it, and who can therefore appreciate and testify to the benefits it has brought to their company.

The list of suggestions offered is given below:

1. Riuscire a trasmettere lemotivazioni dell’adozione del sistemaGRC e quali vantaggipuò portare all’azienda e al lavoro del personale. Questo punto riguardasostanzialmente la motivazione del personale dell’azienda che dovrà non solopartecipareall’implementazionedelnuovosistema,masaràanchecoluicheinteragirà

Page 23: MILANO 1863 Zacc… · MILANO 1863 School of Industrial and Information Engineering ... 5.5 Handle the project in phases ... In altre parole, questo documento dovrebbe essere utilizzato

23

maggiormenteconesso,decretandocosìsostanzialmenteilsuccesso(utilizzocorrettoe continuativo del sistema) o il fallimento (creazione di canali di comunicazionedifferenti, facendo così perdere al sistema GRC il flusso di informazioni su cuisostanzialmentesibasanotuttiisuoiprocessi)dell’investimento;

2. Creazionediunvocabolariocomunea tutti i settoridell’azienda(puòcapitare infattiche dipartimenti differenti utilizzino lo stesso vocabolo con due significati diversi,rendendoquindinecessarialacreareedadozionediunlinguaggiocomuneatutti);

3. Formazionedelpersonale(idealmentedituttoilpersonale,mainpraticaèsufficienteil personale incaricato di alimentare il sistema informativo) circa la gestione delrischio(ed eventualmente anche della gestione normativa se risulta particolarmenteimportanteperilbusinessdell’azienda),conloscopodifarsìchepossariconoscereleinformazioni utili e il loro valore, incrementando le potenzialità del processo diraccoltaedanalisideidati;

4. Active participation of personnel in designing the structure of the audits and of the forms used to enter data into the system; this makes staff feel involved and more motivated to use a system they themselves helped to create, rather than seeing it imposed from above; at the same time it prevents the risk of creating a system that is difficult and inconvenient to use, thus avoiding the “failure of the investment” situation identified in point 1;

5. Management of the project in phases: the implementation of an integrated GRC system involves the whole company but, since the available resources are limited and business continuity must be maintained, the best approach seems to be to proceed one sector at a time, integrating it into the new system (software/hardware implementation and staff training) and then moving on to the next, reaching the final form step by step.

Once the implementation phase has been successfully concluded and steady-state operation has been reached, the adoption of the integrated GRC system can be regarded as the first step, taken by the company, of an evolutionary process towards ever better and more advanced management.

The last part therefore aims to offer starting points for continuing the development and improvement process, presenting two management techniques particularly in line with the philosophy and procedures of GRC systems, which could therefore be of interest to the reader and easily integrated into the new system.

The two methodologies are: the BYOD policy and the so-called “Just Culture”.

The BYOD policy concerns the use of personal devices to carry out some work activities, with the aim of increasing productivity while maintaining an adequate level of security and protection.

The subject is particularly delicate and over the years has undergone great changes and improvements; several initiatives have followed one another: BYOPC (Bring Your Own PC), BYOP (Bring Your Own Phone), BYOT (Bring Your Own Technology), BYOD (Bring Your Own Devices), representing an ever harder challenge for IT security, which nowadays has to devise protection and information-security solutions while facing a great number of products (by type: smartphone, computer, tablet; by OS; etc.) and of versions (operating systems) that change at a dizzying pace.

For this reason the BYOD initiative is reported in order to introduce the management techniques that underlie it: MAM (Mobile Application Management), MDM (Mobile Device Management) and MEM (Mobile Expense Management).

It can be expected that the use of personal devices could bring great advantages to the GRC information system, motivating staff to use their own devices (with which they are very familiar) to interact with the central system in a more convenient, rapid and frequent way; a consequent increase in the amount of incoming data can therefore be expected.

“Just Culture” originates in aviation (for the management of air-transport safety) and concerns the creation of a corporate culture centred on proactive risk management, which allows risk management functions to be performed in a more conscious and effective way.

The discussion opens with an extract from the article “Trasporto aereo. Imparare dagli errori. Ecco cos'è la just culture” by Patrizio Paolinelli (Wordpress). This helps to show how important it is to build the risk management system on a “healthy” risk culture, free of aims other than pure prevention and protection (other objectives would only undermine its effectiveness), aware of the importance of being able to rely on a base of “voluntary” data (which we will see in more detail later) for proactive management, and equipped with all the necessary tools and procedures.

The article also testifies to the importance of bringing this (Anglo-Saxon) mentality to our country, in order to support the cultural change needed for a proactive risk management truly capable of guaranteeing an adequate level of protection in particularly complex contexts (such as aviation, but not only: in industry too we have ever more examples of complex realities: power plants, oil platforms, factories with particularly advanced technologies, etc.; these techniques also make it possible to reach high levels of protection and risk prevention in a great many fields, thus answering the increasingly widespread need for proactive risk management).

Just Culture first of all requires the creation of the procedures and of the risk management system through the joint effort and collaboration of all hierarchical levels of the company, all supported by the available regulations, voluntary and binding.

The second step concerns the creation of a system for collecting and analysing safety-related data called “voluntary reports”, that is, the reporting of minor events (minor failures or anomalies found during operations or maintenance, or the so-called “near misses”, events that could have become accidents but were interrupted before they led to serious consequences); both are considered “non mandatory” by the regulations.

These data are extremely valuable in particularly complex realities (an interweaving of numerous actors, procedures, systems, etc.) because, since it is practically impossible to foresee all the ways in which an accident may occur, these reports can frame scenarios that under certain conditions could lead to serious consequences, and therefore bring to light criticalities that could otherwise have gone unnoticed.

We therefore realise that we are dealing with a real treasure of information, which could also prove useful in other fields, such as occupational safety management and asset protection (essentially the reliability of systems).

However, for this information-collection system to work, it is necessary to create a relationship of mutual trust between the various company levels. In fact, although the data-entry procedures use only the generic information (the system or the roles involved in the event) needed to characterise the event, in some situations it is possible to trace the identity of the people involved. Think, for example, of the case in which only two pilots are assigned to aircraft X and the event was caused by an error of theirs, or the case of a company with a single lathe operator that receives a report about an event on a lathe that was caused by the operator but interrupted before producing consequences.

It is therefore extremely important that, except in cases of gross negligence, abuse or wilful misconduct (cases that will be prosecuted in the prescribed manner), these reports are used EXCLUSIVELY for safety management and NEVER to identify and prosecute the people involved, apart from the cases just mentioned.

Here we link back to what was said before: in our country it is extremely important to succeed in bringing in a mentality of this kind, capable of understanding that the search for a scapegoat is of no use to anyone, while a management approach like the one just presented does not aim to let the guilty go free in the name of safety; on the contrary, it makes it possible to reach the root causes and therefore to attribute the real responsibilities to each of the actors involved, while at the same time contributing actively to accident prevention.

Just Culture could bring several advantages to a company's GRC system, first of all by completing and reconfirming its risk culture (Risk function), which makes proactive risk management one of its priorities.

Secondly, the collection and analysis of voluntary reports could not only benefit risk and regulatory management, but also encourage staff to contribute actively by reporting particular events, thereby increasing the awareness and readiness of the whole organisation, potentially in any field.

This concludes the present work, and we hope it will be able to perform the functions, described at the beginning, that were assigned to it at the design stage.

We also hope that this document, besides offering the starting points needed to explore the various topics in depth and to favour a successful and profitable implementation of these systems, may represent the point of contact for a set of subsequent works, each focused on one of the topics treated here only superficially.

Among the topics that today seem most interesting and least addressed, we believe that the identification and analysis of management techniques (like those just reported) particularly akin to GRC systems could be one of the most important and necessary contributions to companies. It could in fact reveal and disseminate interesting opportunities to complete and enrich these systems, while exploiting synergies and affinities.


1. INTRODUCTION

Nowadays GRC integrated systems promise great benefits and consequently generate great interest in many fields, including industrial ones.

The present work is addressed to companies interested in GRC systems, supporting them in all the main phases, and has three main objectives:

1. Show the potential of GRC systems as tools to improve business performance and solve some problems typical of “silo structures”.

2. Provide tools and guidelines for the selection and implementation phases, so that the company can take these steps in a more conscious way.

3. Provide cues to continue the improvement process and enable the company to make the most of the investment made in the new GRC system.

As we have said, this document is addressed to company staff; for this reason its form and structure have been designed to meet the readers' needs, making extensive use of lists to facilitate reading and providing business cases or secondary data to support the discussion with practical examples.

The material consulted to create this document consists of articles, publications and documents written by consulting companies, and of interviews with CEOs of companies that have successfully implemented an integrated GRC system and make continuous and profitable use of it.

First of all, let us see briefly how the various points will be addressed in the course of this paper.

1.1 GRC systems and “silo structures”

The first step regards the presentation of GRC systems and their modus operandi, in order to correctly frame the topic of this project. Some examples will then be provided of how the need to adopt an integrated system such as a GRC usually arises inside companies; this should allow readers to make a first comparison with the business reality of their own company.

Finally, the second chapter will be devoted to presenting the “silo structure”, which represents the most widespread reality in medium-large sized enterprises, and its main issues, to better frame the scenario in which GRC systems have been developed and how they intend to overcome those problems.

1.2 Tools and guidelines for the selection and implementation of a GRC system

The discussion will try to follow the path of a company once it becomes aware of the need to adopt an integrated GRC system.

First of all, Forrester's framework for the creation of a business case aimed at calculating the ROI of the implementation and use of an integrated GRC system will be presented. This should help the CEO in creating a document to support the presentation, in front of the board of directors, of the proposal for the adoption of the new GRC system.

Afterwards, the study “Big Picture for Governance, Risk, and Compliance Platforms” by the Politecnico di Milano will be presented, focused on showing and analyzing the GRC platform evaluation and classification systems already in existence and a new one created by its authors. This should provide company staff with the information and tools needed to compare the various GRC vendors' offers and select the most suitable ones.


At this point, chapter 4 will be devoted to presenting the requirements for a successful implementation and a profitable use of the new system. This part was created by consulting the publications available online and the interviews with CEOs of companies that have successfully installed an integrated GRC system and are making continuous use of it, and are therefore able to provide important tips for the phases subsequent to the implementation.

Finally, chapter 5 contains guidelines for both the implementation phase and the creation of the optimal conditions for a proper and profitable use of the new system under normal operating conditions, thus enabling the company to reach the benefits presented in this document.

1.3 Tips for future development

The last part concerns the phase subsequent to the successful implementation of the new integrated GRC system. It aims to help and support the company in continuing its improvement process through the identification of policies, methodologies or tools capable of supporting and completing the new system. For this reason, two management techniques particularly aligned with the philosophy and modus operandi of GRC systems have been selected and presented. They represent a great opportunity to enrich and complete the new system in an easy and cost-saving way, exploiting some advantageous synergies.

The two techniques in question are: the BYOD policy (relating to the management and use of personal devices for business purposes) and the so-called “Just Culture” (dealing with risk management culture and procedures).


2. GRC SYSTEMS

2.1 GRC Systems

The acronym GRC stands for Governance, Risk, and Compliance Management but, in order to give a definition of what is considered to be a GRC System, we can refer to the article “GRC – The Pathway to Principled Performance” available on OCEG.org:

“…The acronym GRC was invented as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance¹ — the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities.”

and later:

“It is important to remember that organizations have been governed, and risk and compliance have been managed, for a long time — in this way, GRC is nothing new. However, many have not approached these activities in a mature way, nor have these efforts supported each other to enhance the reliability of achieving organizational objectives. In a forward-thinking organization, GRC is viewed as a well-coordinated and integrated collection of all of the capabilities necessary to support Principled Performance at every level. GRC doesn't burden the business, it supports and improves it. — in this way, GRC is totally revolutionary.”

This gives us all the information needed to introduce GRC Systems: they can be considered as tools to support the organization in reaching its objectives and achieving a more efficient and effective use of its own resources.

As we mentioned before, GRC systems are composed of three parts: Governance (knowledge management), Risk (risk management), and Compliance (regulatory compliance); also, if we consider the GRC platforms available on the market, we have the possibility to purchase the complete system (what we call “integrated GRC system”) or only one or two of its components.

In this document we consider just the case of integrated GRC systems, as they represent the only way to make the most of their potential and achieve the benefits.

First of all, it could be useful to investigate what usually pushes companies to consider the purchase of an integrated GRC system.

2.1.1 GRC drivers and how the need for an integrated GRC arises

OCEG calls these factors “GRC Drivers” and we can report some examples:

• An increasing management complexity due to the dynamism of the environment in which the company operates.

• Stakeholders demand high performance along with high levels of transparency.

• Regulations and enforcement are ever-changing and unpredictable.

• Exponential growth of third-party relationships and risk is a management challenge.

• The costs of addressing risks and requirements are spinning out of control.

• The harsh (and scary) impact when threats and opportunities are not identified.

¹ OCEG considers Principled Performance as an approach to business that aims to achieve objectives while coping with uncertainty. The three pillars of Principled Performance are: Principled Pathway (break down silos and leverage common capabilities in every key system that keeps an organization on track; this is very close to the way GRC systems act), Principled People (leadership, the workforce and the extended enterprise must be populated by principled people with strong character and a commitment to competence who consistently direct their energies toward a principled purpose), and Principled Purpose (a principled purpose is perhaps the most basic starting point for principled performance; defining your highest purpose via mission, vision and values guides everything that the organization does).


In Italy the first sectors to have adopted an integrated GRC system are Finance (whose first concern is security and risk management) and Telecommunications (whose first concern is compliance, as a consequence of the strict rules to which it is subject); however, we can see some examples of companies operating in the industrial sector that are beginning to look at GRC as a way to achieve better control and flexibility.

CryptoNet, an Italian company specialized in IT security and business software, has published on its site an article regarding GRC in which it identifies the “compliance function” as the process from which the need for structured and more efficient procedures usually arises inside a company. In fact, most of the time, daily compliance processes are carried on in an irrational way, conducting interviews and creating reports; CryptoNet mentions annual compliance with d.lgs. 196/03 and 231/01 or l. 262/05 as examples of processes that, in most medium or large enterprises, are born and die periodically, resulting in an inefficient use of resources. In other words, they consider only the “immediate problem” they are facing at the moment, without looking for the elements common to all the activities in order to be able to automate these processes.

This would allow significant benefits to be obtained, like reducing direct costs or starting to work in an incremental way in order to enhance company awareness and create a process of continuous improvement.

However, compliance is not the only process from which the need for an integrated GRC system may arise: nowadays the need for ever greater ICT security, which is becoming critical because the web is used more and more extensively as a business tool, pushes in the same direction, calling for more aware and effective procedures.

Those are two examples of “symptoms” of the need for a more structured and coordinated system, so the company should not concentrate only on the specific problems regarding, for example, compliance or ICT security alone, but should consider this as an opportunity to make a significant change to the way it manages its operations and to solve at the same time a lot of problems that share some common causes, even if the company may not be aware of it.

2.1.2 The benefits of an integrated GRC system

As we can imagine, this kind of decision could be frightening because it involves the entire company and because it requires a lot of resources and a long time for its completion; however, the benefits arising from the adoption of an integrated GRC system are equally attractive:

• Enhancing company awareness of its resources and potential through centralized management of information.

• Enhancing company effectiveness through the creation and use of structured procedures to perform all business functions.

• Enhancing company efficiency by taking advantage of the information coming from the centralized information management system.

• Enhancing company effectiveness by facilitating top managers' decision-making process, providing a constant flow of complete and updated information in order to take more aware and quicker decisions.

• Increasing company stability and resilience through better risk management that attempts to identify and eliminate the root causes common to multiple different problems, in order to act in a more effective and efficient way.


Later on we will see how to calculate the ROI of an integrated GRC platform by presenting a framework created by Forrester (one of the most influential research and advisory firms in the world) to help CEOs in preparing a business case to better present the proposal to adopt a GRC to the board of directors.

2.1.3 Implementation phase

As we can imagine, the best scenario would be a green field project in which we can create ex novo an integrated GRC system. However, most of the time reality is far different and we could face situations in which there are several pre-existing investments made in different functions (e.g. the IT department) that need to be protected and, at the same time, a “siloed” structure and mentality that are difficult to eliminate.

In this case there are a lot of different solutions that may be chosen, but we can divide them into two different categories:

• “less invasive” procedures: focus on the creation of a centralized information management system integrating all the different solutions adopted by individual departments. This choice represents a trade-off between the requirements of the new integrated GRC system and the old company structure, but if we choose this path we need to be conscious that we would carry many of the “old problems” into the new system and could also create some new ones;

• “more invasive” procedures: redesign, one department at a time, every corporate function in a mutually integrated way, in order to leave the “old problems” behind.

The second category is for sure the most interesting and difficult of the two, and so will be the one on which this work will focus.

Most medium and large enterprises have “silo structures” in which every function works autonomously (with its own hierarchical structure and objectives) and in which poor communication and coordination become the main source of problems. For this reason we will devote one of the chapters of this document to better understanding the “silo structure” and its problems, in order to clarify the importance of integrated GRC systems and how they solve this kind of situation.

In the rest of this chapter we will look more closely at the three parts of GRC (Governance, Risk, and Compliance) and then present two important documents: the Forrester framework (that we mentioned before) and “Big Picture for Governance, Risk and Compliance Platforms” created by Politecnico di Milano.


2.2 Components of an integrated GRC system

2.2.1 Governance

Governance can be considered as the backbone of an integrated GRC system and concerns the management of corporate knowledge. It requires the creation of a central information management system that collects, analyzes and makes available data coming from all the departments of the company. The system requires the integration of three parts:

1. Hardware: usually it requires just a web server, an application server and a database.

2. Software: the company has many options and can choose the most suitable software for its needs. Usually the parameters that affect this choice are the extent to which the company intends to use the system and the number of workers authorized to interact with it.

3. Training: as we will see in chapter 5, training is one of the most critical elements. In fact, if workers do not feel comfortable using the new information system they may decide to use other communication systems, making the investment vain.

As we said, the information system collects, analyzes and elaborates the data in order to support top managers in the decision-making process. In order to do so, the data must meet certain requirements:

1. Be complete: all the information needed to characterize a product, a process, a customer or any other object of interest for the company must be grouped together. For example, if we are dealing with Product X we need to collect data from all the departments in order to create a complete set of information. In this case we would need:

• Technical data coming from the production department.
• Sales data coming from the marketing department.
• Data regarding the supply chain coming from the supply department.
• Data regarding the voluntary and binding regulations with which the product must comply.
• Data relating to the handling and storage of the resources needed for production.
• Safety data regarding production processes.
• Data regarding all kinds of operational risks (e.g. SCRM).
• Etc.

2. Be updated and free of redundancy: the same data regarding the same object (created at different moments or by different workers) cannot exist at the same time inside the information management system. Otherwise the effort to determine which copy is the right one would result in a waste of resources and may lead to taking decisions based on incorrect or outdated data.

3. Be uniform: inside a “silo structure” it is not uncommon that different departments use the same word with two different meanings, but since the interaction between them is very poor this is not a big issue. Now we are “forcing” all the departments to work together in feeding the new information management system, so it is mandatory to create and use a common language across the entire company. This enables the information management system to analyze and aggregate the data coming from all the different departments.


To conclude, we can list some of the benefits brought by GRC knowledge management:

• Improve company awareness of its processes and resources (so we are able to avoid useless duplications and to identify and exploit synergies).

• Improve company awareness of both internal and external risks that may impact its performance.

• Improve company awareness of market requirements and competitors, in order to take strategic decisions to gain competitive advantage.

• Involving all the departments in a common effort (feeding the centralized information management system) creates greater cohesion and spirit of collaboration, resulting in a better ability to identify and report problems and to coordinate the efforts to align with the goals set by top management.

• Allow top managers to take quicker and more conscious strategic decisions by providing a constant stream of updated data.

• Improve company capability to collect and analyze data to learn from past events and capitalize corporate knowledge (e.g. creating new procedures or updating and improving existing ones).

2.2.2 Risk

Nowadays most companies manage risk following the principles of ERM:

1. Identification of events and circumstances that may have an impact on corporate objectives.

2. Quantification of each single risk by considering its occurrence probability and the severity of its consequences.

3. Determination of the necessary corrective actions and barriers.

4. Monitoring progress and repeating the identification phase cyclically to detect new risks.

One of the aims of “Big Picture for Governance, Risk and Compliance Platforms” was to investigate the relationship between ERM and the risk management system of integrated GRC systems, considering the opinion of experts. The authors concluded that two schools of thought exist: the first one argues that ERM and its components represent the Risk part of GRC systems; the second one (supported by the authors of the Big Picture) argues that the two approaches share some processes and technologies but largely differ in their basic concept.

They claim that ERM analyzes risks by taking a snapshot of the system at a precise moment and proposing the corrective actions to be implemented; GRC systems instead highlight the most critical processes, allowing both aggregate and detailed views to improve corporate resource awareness and to make full use of their potential.

The fact that the available information is kept updated allows the company to conduct constant risk control, quickly detecting any deviations from normal operating parameters (for example by monitoring KPIs), identifying possible causes (internal/external to the company, direct/root) and increasing the company's responsiveness and resilience.

It is clear then that, as we said before, both the Risk part and the Compliance part depend entirely on the Governance part, in particular on its centralized information management system.


Furthermore, the philosophy on which GRC systems are based aims to turn risk and compliance management into a cross-sectional component of all corporate processes, in order to blend them into daily operations and help create a more structured and conscious way of thinking and acting (in chapter 5 we will see in more detail how it is possible to bring risk and compliance management into all other processes in a sustainable way).

Consequently, the determining factor for the success or failure of such a system becomes the “human factor”, and more particularly the mentality of the users, which will have to change from before. Corporate culture management is now one of the most critical elements for a company that needs to change and, although the difficulties and long times needed for such a process could discourage similar initiatives, almost all modern management techniques require a change of this kind. We will resume this topic in the final chapter when talking about “Just Culture”, a risk management technique used in aviation which is perfectly aligned with the philosophy of GRC systems and thus represents a good way to continue the improvement process of the company begun with the adoption of an integrated GRC system.

As before, we can conclude this brief focus on risk management in integrated GRC systems by listing some examples of possible benefits:

• Improve company visibility of all its processes in order to identify criticalities and implement adequate barriers.

• The great amount and variety of data coming from the centralized information management system improves company capability to manage external and complex risks (e.g. SCRM, supplier selection risks, etc.).

• A more advanced and effective risk management system allows the company to have a more robust and detailed risk profile, with the following advantages:

o Improved company stability and the ability to gain a competitive advantage.

o Greater attractiveness for contracts, acquisitions or joint ventures.

o Credit and insurance under more favorable conditions.

2.2.3 Compliance

Speaking of regulations, we can first distinguish between binding norms (mandatory in order to operate in a particular sector) and voluntary standards, the latter being increasingly important nowadays. In fact, rival companies compete with each other on many fronts, including the image perceived by the customer. Watching commercials or visiting a company's web site we may well notice the great attention paid to the ethical criteria adopted, the sustainability of the processes and the quality of the company's products. All of these components strengthen the company's public image, gaining customer confidence and loyalty in order to differentiate and take advantage over competitors. Voluntary or binding norms (e.g. ISO 9001 for quality management, ISO 14000 for environmental management, ISO 22000 for food safety, etc.) with which the company complies attest its adaptation to the standards provided and give in return a certification that can be exhibited.

The issue of compliance management is not about the investment made in the tools (usually simple spreadsheets are used, e.g. Excel) but regards the amount of resources needed to monitor the updates of the various regulations, especially as the number of standards (usually voluntary) chosen by the company grows too large.

Choosing to invest in software for regulatory compliance management allows the company to transfer the burden of keeping the set of rules (voluntary and binding) updated to the supplier, in order to free and reallocate internal resources. If we consider this type of software integrated into a system such as a GRC, we can easily bring compliance into any other business process, making it more homogeneous and lightweight to manage and enabling the company to adhere to new standards.

We can now list some of the advantages of using a GRC for compliance management:

• Allow the company to free and reallocate internal resources.

• Allowthecompanytoadheretoagreaternumberofstandardsinordertotakeovercompetitorsorbeingabletoenternewmarketsgovernedbydifferentregulations.

• Reducetheriskandimpactoflegalcostsorpenaltiesfornon-compliance.

• Reducetheriskofimagelossresultingfromviolations.

2.3 Calculating the ROI of an integrated GRC system

When a company intends to purchase a GRC system, it will be necessary to submit a request to the board of directors. The authors of "Big Picture for Governance, Risk and Compliance Platforms" identified the three business figures that could participate in the selection of a GRC system: CRO, CIO and CFO. One or more of these figures will have the task of persuading top management of the benefits of using such platforms, to justify the necessary effort in terms of time and resources.

Forrester suggests addressing this topic by following three steps: cost estimation, benefits estimation, and risk analysis.

2.3.1 Cost estimation

As we said, the first step concerns the identification and estimation of the main cost items. The investment required by this type of product varies between 200 and 700 k€, and GRC vendors offer a "package" that usually includes software, hardware, and implementation services.

The final cost usually depends on several parameters: company size, required software features, number of regulations to be included in the system, number of users, etc. By "number of users" we mean the number and type of profiles to be created in order to interface with the information system. As we mentioned, the new centralized information management system will be constantly fed with data coming from all business functions and in the meantime it will provide some information to specific roles inside the company. For those reasons we need to profile all the personnel, assigning each single worker that will become a user only the credentials and access rights that his or her role needs (data entry, data visualization, or data entry & visualization). This ensures an adequate level of security (sensitive information protection) and the possibility for users to participate in a conscious and active way.
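As an added illustration (not code from the thesis or from any GRC vendor), the following Python models the profiling just described: every user receives, per business function, one of the three access levels the text names, anything not granted explicitly is denied, and a small audit lists the users whose grants span more than one function. The business functions, user names and action list are assumptions constructed for the example.

```python
"""Added example (not from the thesis): a least-privilege profile model for
the users of a centralized GRC information system.

Assumptions (mine, not the page's): the GRC stores records per business
function (e.g. "compliance", "risk", "governance"); each user gets one
profile per function, drawn from the three access levels the thesis names;
every action not explicitly granted is denied."""

from dataclasses import dataclass, field
from enum import Flag, auto


class Access(Flag):
    """Bit flags, so that ENTRY | VIEW expresses the 'entry & visualization' profile."""
    NONE = 0
    ENTRY = auto()   # may create or update records
    VIEW = auto()    # may read records
    BOTH = ENTRY | VIEW


# The three profiles the thesis lists; no profile means no access.
PROFILES = {
    "data entry": Access.ENTRY,
    "data visualization": Access.VIEW,
    "data entry & visualization": Access.BOTH,
}

# Access level each action on a record requires (assumed action names).
ACTION_REQUIRES = {
    "read": Access.VIEW,
    "export": Access.VIEW,
    "create": Access.ENTRY,
    "update": Access.ENTRY,
}


@dataclass
class User:
    name: str
    # business function -> profile name; functions not listed are denied.
    profiles: dict = field(default_factory=dict)

    def access_for(self, function: str) -> Access:
        return PROFILES.get(self.profiles.get(function, ""), Access.NONE)


def is_authorized(user: User, action: str, function: str) -> bool:
    """True only if the user's profile for that function grants the access the
    action needs. Unknown actions (e.g. "delete") are denied, not guessed."""
    needed = ACTION_REQUIRES.get(action)
    if needed is None:
        return False
    return bool(user.access_for(function) & needed)


def audit_profiles(users) -> list:
    """Return the names of users holding the full 'entry & visualization'
    profile in more than one function: a broad grant that should be justified,
    since the thesis ties profiling to protecting sensitive information."""
    flagged = []
    for u in users:
        broad = [f for f in u.profiles if u.access_for(f) == Access.BOTH]
        if len(broad) > 1:
            flagged.append(u.name)
    return flagged


# Constructed sample users for the example.
SAMPLE_USERS = [
    User("compliance officer", {"compliance": "data entry & visualization",
                                "risk": "data visualization"}),
    User("plant operator", {"risk": "data entry"}),
    User("administrator", {"compliance": "data entry & visualization",
                           "risk": "data entry & visualization",
                           "governance": "data entry & visualization"}),
]

if __name__ == "__main__":
    checks = [("read", "risk"), ("update", "compliance"), ("delete", "risk")]
    for u in SAMPLE_USERS:
        for action, function in checks:
            print(f"{u.name:20} {action:7} {function:11} -> {is_authorized(u, action, function)}")
    print("users with broad profiles:", audit_profiles(SAMPLE_USERS))
```

The point of the default-deny `is_authorized` is that a data-entry-only operator cannot read the risk register he feeds, and nobody can perform an action the profile table does not know about; the audit is the check a reviewer would run on the profile list before go-live.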

Usually the investment required for the hardware part of the system has a minimal impact on the overall cost; GRC systems in fact require just a web server, an application server, and a database (the size of these components will depend on the size of the business and on the use that the customer intends to make of the system; since the database will hold the company's risk and compliance data, the cost of protecting and backing up these three components should be estimated together with their size).

Instead, the support of the GRC vendor may take several forms: in some cases it will be necessary to have at least one full-time resource for every 50-75 active users for IT support within the company; in other cases it will be sufficient to require strategic and organizational advice (not essential for the implementation of an integrated GRC system, so it may be neglected during cost estimation).

Also in the case of software-as-a-service or hosting solutions we would have the same types of costs we just identified; they will simply be embedded into the subscription fee.

2.3.2 Benefits estimation

Forrester identifies three main categories of (medium to long term) benefits that a GRC platform can bring to our company: Efficiency, Risk Reduction, and Strategic Performance.

Figure 4: Types of benefits of an integrated GRC system (Source: Forrester Research, Inc.)

Forrester provides tangible examples of benefits but, while the increase in efficiency or the risk reduction can be quantified by considering the amount of saved hours or the reduction of costs or sanctions, the benefits of "Strategic Performance" are more difficult to express in a practical way. This kind of benefits are the same that we have identified in previous chapters: greater awareness of the environment in which the company operates and more aware choices (greater knowledge of the market and competitors = more successful products, reduction of negative consequences, more successful development choices, identification of new opportunities, etc.).

Forrester tries to clarify this topic better by considering two distinct kinds of flexibility:

1. Extensibility of investment: investment in a GRC platform, albeit high, allows substantial savings when deciding to add new features (this is the case, for example, of Business Continuity platforms: 40 k€ to add a module to the GRC against 400 k€ for the ex-novo solution).

2. Agility in business support: Forrester intends to emphasize the fact that a GRC platform facilitates the company's entry into new markets or integration with new partners, businesses, suppliers, or workforce. More in depth, the use of a GRC reduces the costs associated with requirements definition, due diligence activities, and compliance training.

The following table tries to summarize what we just said:

Figure 5: Components of "Strategic Performance" (Source: Forrester Research, Inc.)

2.3.3 Risk analysis

This third and last part deals with the identification of the risks connected to this kind of projects (for some of them we will try to propose some solutions in chapter 5):

• Costs and delays resulting from unforeseen events or necessary skills not identified during the design phase.

• Resistance to adoption by users: greater involvement is required during the implementation phase.

• Problems of integration with pre-existing IT platforms.

• What Forrester calls "vendor viability": SVM (sourcing and vendor management) professionals define vendor viability as the combination of the vendor's inherent riskiness and their firm's tolerance for supplier-related risk. In other words, we are considering the case of companies that consider the relationship with their supplier vital for the success of their business or projects and therefore expose themselves to a particular set of risks. The company has two types of control over this kind of risks: when selecting the most appropriate supplier the company has a "direct" control because, if it manages to collect all the needed information, it can create a precise profile of every candidate and focus on the most concerning elements. Then, after the beginning of the relationship with the selected supplier, the control of the company over those risks becomes "indirect", meaning that it will be difficult to fully monitor the supplier and take corrective actions.

GRCs are a perfect example of this kind of situation: the GRC vendor does not only provide the initial "package" but is also responsible for keeping it always performing and updated according to the needs of its customer. Forrester therefore considers "vendor viability" as an indicator of the reliability of the GRC vendor, consisting of two parts:

o "vendor inherent riskiness" (as if it were the "intrinsic risk" of the vendor; it can be seen as the risk profile of the supplier, considering the risks to which it is exposed or decides to expose itself and the protections it has implemented).

o "firm's tolerance for supplier-related risk" (how much our company is exposed to the GRC vendor's risks; in other words it measures how much the enterprise is protected, or what the consequences would be in case the GRC vendor should suffer a disruption).

It is obvious how much this type of risk depends on the "company-vendor" combination, and therefore it requires a number of studies during the design phase. Since the GRC will end up holding the company's risk and compliance data, one practical mitigation of the "indirect" phase is to settle contractually, before signing, how that data can be exported and how the service continues should the vendor fail.

2.3.4 Summing up

Let's summarize what we just said by creating a scheme of the steps required to calculate the ROI of an integrated GRC system:

1. Cost estimation:
   a. Software;
   b. Hardware;
   c. Profiling;
   d. Support;
   e. Advice;
   f. Various.

2. Benefits estimation:
   a. Increased efficiency;
   b. Risk reduction;
   c. Strategic performance:
      i. GRC extension flexibility;
      ii. Business agility flexibility.

3. Risk analysis:
   a. Costs and delays due to unforeseen events;
   b. Resistance to adoption by users;
   c. Integration problems with pre-existing IT platforms;
   d. "Vendor viability".

2.4 Big Picture for Governance, Risk, and Compliance Platforms

In this chapter we will briefly present the work "Big Picture for Governance, Risk and Compliance Platforms", developed by Andrea Brusa Perona, Ing. Guido Jacopo Luca Micheli and Prof. Enrico Cagno.

The project has been divided into three parts:

1. The study of GRC systems, underlining the benefits of using an integrated system.

2. The study of existing evaluation and classification systems and the development of a new one.

3. The application of the new rating and classification system, considering the GRC platforms directly available on national territory.

2.4.1 GRC study

The first part uses data from publications and interviews with CEOs of some major Italian companies to present the main features of GRC systems (some already mentioned in the previous chapters) and to compare the two options for adopting a GRC platform: purchasing it ("buy" option) or creating it inside our company ("make" option). The authors conclude that the "buy" option is the only one that can bring real benefits to the company, because of several considerations (some of them already shown in the previous chapters):

• Relying on a supplier allows the company to transfer the burden of keeping the compliance database always updated.

• Internal creation of a GRC platform would require more resources and a longer time than purchasing and implementing a finished product.

• Relying on a finished, tested and certified product gives greater guarantees of successfully implementing a system that works as planned and has good reliability.

• Etc..

Finally the authors compare the pros and cons of choosing an integrated GRC system or just a part of it (e.g. just the Governance part), concluding that an integrated GRC system is the only one that can solve the problems of a "silo structure" (we will address this topic more deeply in chapter 3).

2.4.2 Existing GRC evaluation and classification systems

The second section begins with the analysis of the two existing evaluation systems: Gartner's "Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms" and Forrester's "Forrester Wave: Governance, Risk, and Compliance Platforms". Both classify GRC systems using a comparative matrix resulting in a relative ranking between the platforms being considered, and attach detailed descriptions of the various software in order to highlight strengths, weaknesses and recommended application areas.

The authors of Big Picture claim that although these tools allow for an intuitive and quick-to-use classification, identify the most financially strong GRC vendors and track the evolution of platform performance (by comparing several editions of the publications), they have limitations of completeness.

First of all, they consider only the largest GRC vendors (in terms of customer base or turnover), ignoring a large part of the existing market and conducting just a superficial analysis of some of the major aspects of GRCs, such as the content offered. These limitations emerged also from the interviews with some Risk Managers, who complained of the inadequacy of these tools in supporting the choice of the GRC system most suited to their needs, forcing them to contact consultants and industry experts.

From these observations emerged the need to develop a new classification system, which complements the two previously mentioned tools, with the specific aim of helping companies identify the GRC system best suited to their situation and at the same time allowing GRC vendors to show the features of their products.

For this reason, the authors of Big Picture chose to include all the platforms available on Italian territory, without limitation on the size of the vendors.

The proposed instrument consists of two parts: "Evaluation" and "Classification".

Figure 6: Structure and tools of the new evaluation and classification system developed by the authors of Big Picture (Source: Big Picture for Governance, Risk and Compliance Platforms)

2.4.3 The new evaluation and classification system

During the "Evaluation" phase three criteria of choice are considered: Content, Software and Supply (those three aspects can be linked to the three corporate figures involved in the decision to purchase a GRC system: CRO, CIO and CFO).

The "Content" criterion is considered for each of the three functions (Governance, Risk and Compliance) and is composed of 3 indicators: Content Adequacy, Output Quality, and Feature Integration.

The "Software" criterion follows the guidelines of ISO/IEC 25010:2011 and is characterized by the eight product quality characteristics of that standard: Functional Suitability, Performance Efficiency, Compatibility, Usability, Reliability, Security, Maintainability and Portability. The standard breaks Security down further into confidentiality, integrity, non-repudiation, accountability and authenticity, which is the level of detail at which a buyer should actually question the vendor, given the sensitivity of the data a GRC holds.

The "Supply" criterion considers the probability of success and satisfaction with the investment in a specific GRC system, considering five macro-dimensions: Financial Stability of the Provider Company, GRC Innovation Effort, Geographic Spread, Quality of the Support Services offered and Purchase Cost.

The "Classification" phase starts by creating the criteria to aggregate all the indicators considered during the "Evaluation" phase, in order to get a graphical representation of the results using matrices and radar graphs.

Platform evaluation is based on a benchmark analysis of the platforms, considering two scenarios based on the relative importance of the content provided by the GRC and not on their possible uses, trying to overcome one of the limitations of the other two classification tools. The two scenarios are named "Balanced Contents", in which the three axes (Governance, Risk and Compliance) each weigh 1/3, and "Governance Based", in which the Governance axis has a weight of 50% while the other two equally divide the remaining 50%.

By doing this the authors try to help the companies interested in purchasing an integrated GRC platform that may want to use the new system in different ways.

The classification system creates 5 matrices having on the X axis the evaluation of the "Software" criterion and on the Y axis one of the 5 indicators listed above. Each axis is then divided into two ("high" and "low") parts, resulting in a matrix with four quadrants; each quadrant is divided again into two in order to create bands and to reduce the error resulting from too punctual a rating.

The classification is conducted by interviewing the most satisfied customer, because it is the most suitable subject to highlight both the potentialities and the limitations of the product.

The GRC platforms are compared to each other and placed in relative positions inside the matrices, making the tool robust and able to evaluate any combination of GRC systems (starting from just two platforms up to, ideally, all those available on the market) to help the company in selecting the most suitable product for its needs in the simplest and most immediate way.
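The weighting and binning steps of the "Classification" phase, as an added worked example in Python (my reading of the description above, not code from Big Picture). It assumes that each platform carries a 0-10 Content score per axis, one Software score and one score per Supply macro-dimension, that the two scenarios are weight vectors over the three Content axes, and that each matrix axis is split at the midpoint of the compared platforms' range and then each half is split again, giving four bands per axis. The three platforms and all their scores are constructed for the example; a real run would take them from the interview sheets.

```python
"""Added example (not from Big Picture): content weighting under the two
scenarios and placement of platforms in the Software x Supply matrices.

Assumptions (mine): 0-10 scores; Purchase Cost is scored so that a higher
value means a more favourable (lower) cost; bands are computed relative to
the set of platforms being compared, as the text says."""

SCENARIOS = {
    "Balanced Contents": {"Governance": 1 / 3, "Risk": 1 / 3, "Compliance": 1 / 3},
    "Governance Based": {"Governance": 0.5, "Risk": 0.25, "Compliance": 0.25},
}

SUPPLY_DIMENSIONS = ["Financial Stability", "GRC Innovation Effort",
                     "Geographic Spread", "Quality of Services Support", "Purchase Cost"]

# Constructed sample data: three hypothetical platforms.
PLATFORMS = {
    "Platform A": {"content": {"Governance": 8, "Risk": 5, "Compliance": 6}, "software": 7,
                   "supply": {"Financial Stability": 9, "GRC Innovation Effort": 6,
                              "Geographic Spread": 7, "Quality of Services Support": 5,
                              "Purchase Cost": 4}},
    "Platform B": {"content": {"Governance": 5, "Risk": 8, "Compliance": 7}, "software": 8,
                   "supply": {"Financial Stability": 6, "GRC Innovation Effort": 8,
                              "Geographic Spread": 5, "Quality of Services Support": 7,
                              "Purchase Cost": 6}},
    "Platform C": {"content": {"Governance": 6, "Risk": 6, "Compliance": 6}, "software": 4,
                   "supply": {"Financial Stability": 7, "GRC Innovation Effort": 4,
                              "Geographic Spread": 8, "Quality of Services Support": 6,
                              "Purchase Cost": 8}},
}


def content_score(platform: dict, scenario: str) -> float:
    """Weighted sum of the three Content axes under the chosen scenario."""
    return sum(platform["content"][axis] * w for axis, w in SCENARIOS[scenario].items())


def rank_by_content(platforms: dict, scenario: str) -> list:
    """Platform names from best to worst Content score for the scenario."""
    return sorted(platforms, key=lambda n: content_score(platforms[n], scenario), reverse=True)


def band(value: float, lo: float, hi: float) -> int:
    """Map value into one of four bands (0..3) of [lo, hi]: split the axis into
    low/high halves, then split each half again."""
    if hi == lo:
        return 0
    pos = (value - lo) / (hi - lo)
    high_half = pos >= 0.5
    within = pos - 0.5 if high_half else pos
    return (2 if high_half else 0) + (1 if within >= 0.25 else 0)


def classify(platforms: dict, dimension: str) -> dict:
    """Place every platform in the matrix with Software on X and the given
    Supply dimension on Y. Returns {name: (x_band, y_band)}; bands are relative
    to the platforms actually compared."""
    xs = [p["software"] for p in platforms.values()]
    ys = [p["supply"][dimension] for p in platforms.values()]
    return {name: (band(p["software"], min(xs), max(xs)),
                   band(p["supply"][dimension], min(ys), max(ys)))
            for name, p in platforms.items()}


def classify_all(platforms: dict) -> dict:
    """The five matrices of the Classification phase, one per Supply dimension."""
    return {dim: classify(platforms, dim) for dim in SUPPLY_DIMENSIONS}


if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(scenario, "->", [(n, round(content_score(PLATFORMS[n], scenario), 2))
                               for n in rank_by_content(PLATFORMS, scenario)])
    for dim, cells in classify_all(PLATFORMS).items():
        print(f"{dim:28} {cells}")
```

With these constructed scores the ranking flips between scenarios (Platform B leads under "Balanced Contents", Platform A under "Governance Based"), which is exactly the sensitivity the two scenarios are meant to expose; the `band` function is where the "divide each quadrant again" rule of the text lives, and it is relative to the compared set, so adding a fourth platform can move the others.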

Figure 7: Examples of the matrices used during the "Classification" phase (Source: Big Picture for Governance, Risk and Compliance Platforms)

The last step is the creation of a tab that summarizes all the relevant information (characteristics of the supplier; product features, strengths, weaknesses and improvements; the user interviewed for the evaluation) and a radar graph that summarizes the results of the classification phase.

Figure 8: Example of Summarizing Tabs and Radar Graphs (Source: Big Picture for Governance, Risk and Compliance Platforms)

3. SILO STRUCTURES

The aim of this chapter is to present the so-called "silo structure" and highlight some of its typical issues, to better contextualize the scenario in which integrated GRC systems were born and what problems they intend to solve.

3.1 What is a silo structure and why it is used

With the advent of globalization, the boundaries within which a company operates became wider (in some cases they disappear: companies operating all over the world) and this has brought new opportunities and new challenges.

The environment in which companies are currently operating is characterized by an intrinsic complexity and is in constant change; this implies that an enterprise is exposed to the action of multiple forms of uncertainty, which have direct or indirect effects on its performance and its competitiveness. We can try to better clarify what we are talking about by presenting some examples of sources of uncertainty and their effects on businesses:

• Market growth: the market in which companies are operating may be more or less extended (up to reaching the global market), but remains characterized by continuous and rapid changes due to several factors:

o Legislative and regulatory changes that can open new markets (liberalization), preclude some existing ones (embargoes) or somehow limit certain types of products (more stringent controls and requirements).

o Competitors' actions that may increase their market share by exploiting new opportunities.

o Poor decisions or suffered disruptions that may give others an opportunity to become stronger and expand.

o Demand fluctuations due to more or less predictable mechanisms (trend, seasonality, fashion effect, competitor behavior, etc.).

• Technological innovation: nowadays it is almost essential to remain competitive while maintaining efficiency and effectiveness. Choosing the adequate level of technological innovation is usually a trade-off between the performance that the company wants to guarantee (defined by top management's business strategy: usually the market share that the firm decides to control or the balance of power with other competitors) and how much it is willing to invest in "chasing" technological progress.

• Supplier behavior: when a company becomes part of a production chain, it is exposed to a number of risks related to the fact that some of its performance depends on the behavior of external parties when carrying out their operations. We can list some of these risks:

o Logistical risks: incorrect quantities and/or timelines not respected.

o Loss of expertise: when a company outsources a part of its operations, it loses skills that are hard to recover in the future.

o Loss of control: this kind of risk is closely related to the previous one and occurs if the company has to integrate parts, components or products coming from suppliers. The first risk we may think about is directly related to "quality control": the company establishes an internal control mechanism to keep under control the defectiveness of the input parts, avoiding extra costs for reworks or overproduction. But we have to be careful, because this kind of situation can hide much greater risks that may lead to far more serious consequences. We can take as an example what happened to Mattel in 2007. Mattel, the famous toy manufacturer, had to withdraw thousands of non-compliant products from the market due to some components manufactured in China that contained an unacceptable level of lead (Pb). So the problem is linked to a lack of control over the supplier and the inappropriate materials used. All this caused Mattel not only a financial cost related to the withdrawal of all the non-compliant products, but also major image damage, especially large because we are talking about a very sensitive sector: children's health and safety.

• Human resources management: the evolution of the technologies and management techniques used, the degree of innovation and complexity of products, the size of production volumes and their change (expansion/resizing needs) may lead, in some cases, to large difficulties in managing the personnel, in particular in identifying the required skills and sizing the number of operators.

• Financial management: it has become a very serious problem for a large number of companies, especially as a result of the economic crisis, with great difficulty in obtaining loans to carry out normal operations (e.g. paying suppliers), to fund R&D projects, and to exploit opportunities (ancillary production, expansion, entry into new markets or niche markets, etc.).

• Relationships with customers, which can take different forms:

o Market surveys to identify customer requests.

o Effective advertising campaigns (for example, in the automotive sector, where one of the most important elements that affect car sales is the media coverage of the model).

o Pre/after-sales support to the customer (selection of the most suitable product, installation, advice, training, maintenance/replacement/disposal, etc.).

The need to manage such a large and varied set of operational risks has pushed many companies to try to protect the so-called "core functions" (those considered by the company as the main activities that create value in the product; this applies to both manufacturing companies and service providers), using other business functions as "buffers" against the various forms of uncertainty. The following image tries to clarify what we just said: the central rectangle represents the "core functions", the ellipses represent the "buffer functions" and some examples of uncertainties are reported in bold; those uncertainties are "filtered" to allow the core functions to operate in a determined environment.

Figure 9: Schematic representation of a "silo structure" (Source: Industrial Risk Management Course)

This creates a structure that is now typical of many large companies, where business functions (e.g. marketing, production, product design, etc.) are fragmented into distinct sectors that operate as autonomous entities, each having its own objectives (local objectives) and hierarchical structures.

The aim of using a silo structure is to streamline company management while simultaneously addressing the effects of market-to-business interaction more easily.

To make an example we can resume the structure shown in the figure and consider the case of a company interested in "protecting" the production department. As a result, the other departments (e.g. marketing, human resources, logistics, etc.) become autonomous units with the task of managing their own type of uncertainty coming from the environment in which the company operates. From then on, the marketing department will handle the demand fluctuation, the logistics department will guarantee the continuity and quality of the input materials, the human resources department will provide staff with the necessary skills, and so on. This allows the core functions to operate in an environment without any uncertainty (for example, the demand forecast arrives at the production sector as quantities that it has to provide) so that they can perform their operations in the most efficient way possible, reducing costs and thereby increasing the profit margin.

All this has undoubtedly allowed companies to gain great benefits (especially in reducing overall management complexity), but what we actually get is that the problems arising from the various forms of uncertainty are shifted from core functions to other departments rather than being tackled and resolved.

3.2 The issues of a silo structure

Choosing to make the various business functions autonomous to reduce management complexity will result, most of the time, in a loss of coordination and communication between the different departments, leading to a loss of efficiency and to the formation of some serious, and usually latent, problems which, as will be shown below, are the cause of many complications that may arise in the company.

We will now present some of the main problems associated with poor communication between the different departments:

• Communication delays: usually there are official meetings and events where the representatives of the various functions can confront each other and act together on important issues. These opportunities are not sufficient to deal with the speed at which the environment in which the company operates evolves, and it is therefore necessary to use faster and always-active communication channels between the various departments. Otherwise, if a sector finds out about an important change within its sphere of competence there will be a significant delay in transmitting and receiving information to and from other departments and core functions, resulting in a great loss of readiness and agility that makes it almost impossible to act on time.

• Loss of awareness: the desire to protect core functions means that they have no direct perception of the environment in which the company operates, reducing or totally eliminating the possibility of developing their awareness and of identifying and exploiting opportunities.

• Loss of accountability: linked to the previous point there is another problem that arises from leading core functions into a certain and isolated environment. Core functions have to take important decisions based only on information filtered by other departments (that data may not be representative of reality) and without being able to directly track the developments and consequences of their actions. All this can be summarized by saying that core functions are no longer responsible for the long-term consequences of their choices, with all the issues that this may entail (unaware decision making process, short-sighted or contradictory choices, etc.).

• Safety stocks: as we repeatedly stated, one of the main objectives of a "silo structure" is to allow core functions to operate in a determined environment, even though the company itself lives in a context dominated by uncertainty. This choice is based on the will to have a stable and easily tunable environment, limiting as much as possible the use of substantive changes. To achieve such a situation, it is often necessary (in the case of manufacturing companies) to rely on large stocks of inbound and outbound resources, resulting in increased management costs and a general loss of efficiency. This is the classic case of a company that operates in a very variable and/or unpredictable market: the marketing department creates the demand forecast, indicating large fluctuations of the production volumes required in subsequent periods; at this point the company may decide either to act on its production capacity or to resort to large stocks of raw materials, semi-finished products or finished products to ensure that it can satisfy demand.

• Mistrust in data coming from different departments, due to the fact that the lack of internal visibility prevents the different functions from having a perception of how the other processes work. A frequent example occurs when the production department receives the demand forecast created by the marketing sector. Maybe the previous forecasts made by the marketing sector were imprecise (for example they may have underrated the demand several times), so the production manager may decide to arbitrarily increase all the quantities by a percentage in order to "correct" these data. This already represents a lack of control over the company and results in a reduction of efficiency (and maybe even effectiveness). This situation can become even worse if we consider the case in which the marketing department has made some investments and improvements in its processes and tools in order to create more precise and reliable forecasts: the production manager may be in the dark about that and continue to "correct" the data. Of course after some time the company will discover and solve this problem, but in the meantime it will surely have caused some damage.

• Conflicting objectives: as we mentioned, inside a "silo structure" the various departments act as autonomous units and each one has its own local objective. The problem arises when these local targets are no longer aligned with the company's overall goals (set by top management) or conflict with each other, resulting not only in efficiency but sometimes also in effectiveness loss. We can consider the example of choosing the optimal stock level to better clarify this problem. Both the production manager and the logistics manager may have the task of managing the stock level. The production manager is interested in keeping a high level of stocks (of raw materials, semi-finished products or finished products) to conduct production operations in the most stable and smooth way possible despite demand fluctuations; the logistics manager on the contrary will try to keep the level of stock as low as possible (as long as he can provide the required safety stocks) in order to keep logistics and warehouse management costs down. This is a perfect case of conflicting objectives and for sure it would result in an allocation of resources pushing in opposite directions (loss of efficiency); without considering the problem from a broader perspective, it will not be possible to find a good trade-off point (loss of effectiveness).

As we said at the beginning of this list, all these problems share a common deep cause: inadequate internal communication management, which can lead to two kinds of consequences.

Let's call the first the "lack of vertical communication", in which top management has poor visibility of the enterprise structure, reducing its awareness of what resources the company has and where they have been allocated, and making the assignment of local goals and the tracking of their progress much more complicated (all this may lead to situations like the one with conflicting objectives that we described earlier).

We can define the second one as the "lack of horizontal communication", in which we have delays and missing communications between departments that create circumstances in which problems develop unnoticed, thus hampering risk management processes in all their phases (identification, analysis, mitigation, control).

Carol S. Switzer, OCEG co-founder and president, talking about the risk of heavily siloed approaches, highlights the fact that critical information regarding risk and compliance operations is unable to reach strategic decision makers in a timely fashion. In addition, it is not uncommon that inside a "silo structure" risk and compliance roles are seen as people who want to "put the brakes on" business decisions, and therefore they are not included in strategic decision-making meetings. This is one of the biggest mistakes an organization can make, because it significantly reduces the probability of taking successful decisions, since it neglects an entire set of information that is vital to taking informed decisions.

Switzer continues by listing other examples of the most common mistakes made inside a "silo structure": "Siloed operations spend too many resources trying to reconcile disparate information, have gaps and unnecessary overlaps in activities, put too much burden on the business by failing to coordinate schedules and requests for information, and even worse, may create new risks themselves."

At this point it should already be clear that GRCs, which are based on the creation of a central information management system, represent a valid tool capable of solving the problems of "silo structures" by acting on the root causes.

4. PREREQUISITES FOR A SUCCESSFUL IMPLEMENTATION

This chapter is devoted to identifying the requirements for a successful implementation of an integrated GRC system. Consulting the material available on the web (publications and interviews with experts and CEOs of companies), it has emerged that the most determining factors for a successful and profitable implementation are related to the maturity of the company's risk management system. To develop this topic, 4 points have been identified:

1. Total and convinced support of top management.

2. Owning and using a consolidated risk management system.

3. Conducting proactive risk management.

4. Developing the concept of enterprise resilience.

Points 1 and 2 represent the real essential requirements to be able to attempt the implementation, while the others represent useful milestones for assessing the maturity of the company's risk management system and are factors that enable the system to be used in a more profitable way (taking full advantage of the potential of the new integrated GRC system and enabling the company to achieve the benefits mentioned in this document).

In the rest of the chapter, we will deal more in depth with the various points, using as much industrial or secondary data as possible to clarify the importance and the advantages obtainable.

4.1 Top management support

Within a company, middle management has responsibilities and authority over the business sectors and responds directly to top management (senior management), composed of one or more figures (top manager, chairman, CEO, general manager, secretary-general, etc.) who have the responsibility and authority over the whole enterprise. Top management defines the direction of the organization and establishes the main milestones that represent the goals pursued by middle management.

This document has repeatedly underlined the fact that such projects will engage large business resources for a long time, and it is therefore necessary for top management to be fully convinced to undertake this path and to become an active promoter, in order to help the enterprise to sustain the effort necessary during all the phases. The support of senior management is therefore the first and perhaps most important requirement for the simple implementation of the system (it is not enough, however, to ensure the correct use of GRCs and therefore to obtain the benefits offered), thus avoiding any rethinking during the work that would result in huge costs.

VeryoftenwithinthetopmanagementwecanfindthefiguresoftheCEOandCIOthattheauthorsofBigPictureidentifiedasthefigureswhocouldparticipateinthechoiceofaGRCplatform. They connect the two levels of management described above, bringing topmanagement directives to the lowest business levels, and receiving from these last majorfeedback they will use to improve management and make proposals to be brought to thehighestlevelofleadership.Infacttheyarethefirstcorporatefiguresthatproposetousetheseintegratedtoolstobetteraligntheresultsobtainedfromvariousbusinessfunctionswiththegoals and directives of executives, and are also the users of Forrester’s framework forcalculatingtheROIpresentedatthebeginningofthisdocument.

In chapter5wewill see that topmanagementmayhave a further role inhelping thecompanyduringtheimplementation.

4.2 Risk management system

Nowadays, in companies of all sizes, the risk management process is based on a systematic approach consisting of the following steps:

1. Establish the context: the internal and external context in which the company operates.

2. Identification of risks: those which can affect the performance and the achievement of the company's objectives.

3. Risk analysis / quantification: characterizing the risks based on the likelihood of occurrence (possibly using statistical methods) and the severity of the consequences.

4. Identification of causes.

5. Risk management: identifying, where possible, interdependencies between risks and the possibility of exploiting synergies for a better use of resources. After an initial prioritization phase has been carried out, risks are treated, preferably by eliminating them or else by implementing barriers to protect the system.

6. Continuous monitoring: of the identified risks and the implemented barriers, with periodic repetition of the identification phase in order to protect the system from new risks.

Companies nowadays use the so-called ERM, a collection of methods and processes to conduct risk management by following the steps outlined above.

However, the mere fact that a company owns a risk management system does not automatically imply that it is used in the most proper way: if it is only seen as a tool to treat, for example, occupational safety or, as Switzer said, as a "brake" that obstructs other business functions, it will be impossible for this precious tool to work properly and bring benefits to the company.

For this reason, one of the requirements needed to implement a GRC system is to "possess and USE a risk management system", meaning a conscious, widespread and in-depth use of risk management practices and tools. All this allows the company not only to protect itself more effectively, but also to gain awareness of its resources and potential and to identify and exploit opportunities in order to gain advantages over competitors.

In the following subchapters we will try to clarify what we mean by a "proper use" of the risk management system.

4.3 Proactive Risk Management

Risk management can be conducted in a reactive or a proactive way. The first concerns the investigation of an incident, in which we are interested in reconstructing the facts and identifying the causes of the event; the other concerns process analysis and intervention on unwanted "outcomes" before they occur.

In the engineering field there are some proactive tools (FMEA and FMECA) initially used to identify and analyze the failure modes of a component or a system. The operation is straightforward and rigorous: once we have defined the element we are analyzing, we list all the ways in which it can fail, analyze each "failure mode" in a qualitative (FMEA) or also quantitative (FMECA) way and finally predict the effects (or outcomes) that they may have on subsequent components or on the overall system. By doing so, it is possible to anticipate the problems and their consequences, acting in advance on the system and possibly putting barriers in place.

The strength of these tools (and of proactive tools in general) lies in the fact that they are simply structured and rigorous procedures for analysis and treatment, and can therefore be used in every field to treat the four types of risk identified in the so-called "4 risk quadrants":

• Hazard risks: concern the risks to occupational safety and asset protection.

• Financial risks: concern the risks related to currency exchange (e.g. € - $), the fluctuation of energy, materials and product prices, loan fees, etc.

• Operational risks: customer satisfaction, product success, image damage, trade unions, supply chain management, etc.

• Strategic risks: product obsolescence, competitors' behavior, product or market regulations, demand fluctuations, etc.

All this is nothing new compared to what companies are doing in their day-to-day operations, but it is important to understand the potential of proactive risk management so that a company can use these tools in the most profitable way and gain significant benefits.

An example might be the use of proactive techniques in the selection of suppliers: we can apply FMEA to analyze all the possible candidates and identify all the risks to which our company would be exposed if it depended on one or more of them.

In doing so, we will identify a number of risks (just like failure modes) such as:

• Risk of sanctions or embargoes (in the case of a supplier located in a country with particular arrangements or particularly uncertain conditions, e.g. the sanctions on Russia as a consequence of the Ukrainian crisis).

• Risks deriving from regulations that are not compatible with those we have to comply with: for example, materials or processes used by our suppliers. We recall the example of the materials used by Mattel (presented in the previous chapter) that did not comply with US regulations, or the case of some processes for working jeans fabric with the use of (illegal) powders that are harmful to workers but are used anyway in some countries: in this case we may expose ourselves to sanctions or image damage.

• Risks related to natural disasters such as earthquakes or floods: depending on the location where we or our suppliers are operating, our supply chain may be exposed to potential disruption due to major events. An example of this may be depending on suppliers or warehouses located in some areas of Southeast Asia particularly exposed to flood risk.

• Other supplier (and also customer) related risks. For example, if one of our competitors is the main customer of one of our suppliers, they may have priority access to its production capacity, which could put us in a critical position if we need to quickly buy extra capacity. At the end of this chapter the Nokia-Ericsson case will be presented, where we will find this type of problem.

As we can see, depending on the single vendor we are assessing, we may be exposed to one or more of these types of risk; identifying them allows us to make conscious choices and to implement the necessary protections. The normal supplier selection procedures might have ignored some of these risks, exposing our company to them and probably leaving us unprepared to deal with them.

Hopefully this example testifies to the potential of proactive and rigorous risk management techniques and to the fact that they are in fact applicable to every business area, enabling the company to gain a good understanding of the risks, resources and opportunities available.
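As an added illustration (not the thesis author's code), the following Python sketch applies the FMEA reasoning above to supplier selection: each candidate is scored on the four failure modes just listed, each mode receives a risk priority number, and modes above a cut-off are flagged for a barrier, as in step 5 of the risk management process in section 4.2. Supplier names, scores, the 1..10 scales, the cut-off and the detection factor (from classic FMECA, not named in the text) are all assumptions.

```python
"""FMEA-style supplier risk screening for the section 4.3 example.

Added illustration, not the thesis author's code. Supplier names, scores and
the 1..10 scales are constructed. The risk priority number (RPN) uses the
classic FMECA factors severity x occurrence x detection; the detection factor
is an assumption, since the text only names likelihood and severity.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    """One way a supplier relationship can 'fail', scored like an FMEA line."""
    name: str
    quadrant: str    # one of the "4 risk quadrants": Hazard, Financial, Operational, Strategic
    severity: int    # 1 = negligible consequences .. 10 = catastrophic
    likelihood: int  # 1 = remote .. 10 = almost certain
    detection: int   # 1 = warning signs spotted early .. 10 = no warning at all

    def __post_init__(self) -> None:
        for score in (self.severity, self.likelihood, self.detection):
            if not 1 <= score <= 10:
                raise ValueError(f"FMEA scores must be on a 1..10 scale, got {score}")

    @property
    def rpn(self) -> int:
        """Risk priority number: the higher, the earlier the mode is treated."""
        return self.severity * self.likelihood * self.detection


@dataclass(frozen=True)
class Supplier:
    name: str
    failure_modes: tuple


def total_rpn(supplier: Supplier) -> int:
    """Overall exposure of the company if it depended on this supplier."""
    return sum(fm.rpn for fm in supplier.failure_modes)


def exposure_by_quadrant(supplier: Supplier) -> dict:
    """Sum the RPN per risk quadrant, to see where a candidate is fragile."""
    exposure: dict = {}
    for fm in supplier.failure_modes:
        exposure[fm.quadrant] = exposure.get(fm.quadrant, 0) + fm.rpn
    return exposure


def barriers_needed(supplier: Supplier, threshold: int) -> list:
    """Failure modes whose RPN reaches the cut-off: these are eliminated or
    protected with a barrier before the supplier is relied upon."""
    return [fm.name for fm in supplier.failure_modes if fm.rpn >= threshold]


def rank_suppliers(suppliers, threshold: int) -> list:
    """Rank candidates by total RPN (lowest first), with the modes to treat."""
    ranked = sorted(suppliers, key=total_rpn)
    return [(s.name, total_rpn(s), barriers_needed(s, threshold)) for s in ranked]


# Constructed candidates, scored on the four failure modes listed in the text.
ALPHA = Supplier("Alpha Components (constructed)", (
    FailureMode("sanctions or embargo on supplier's country", "Strategic", 8, 6, 3),
    FailureMode("incompatible material/process regulations", "Operational", 7, 3, 5),
    FailureMode("flood exposure at supplier site", "Hazard", 9, 2, 4),
    FailureMode("competitor has priority on capacity", "Operational", 6, 7, 8),
))
BETA = Supplier("Beta Metals (constructed)", (
    FailureMode("sanctions or embargo on supplier's country", "Strategic", 8, 1, 3),
    FailureMode("incompatible material/process regulations", "Operational", 7, 2, 5),
    FailureMode("flood exposure at supplier site", "Hazard", 9, 6, 4),
    FailureMode("competitor has priority on capacity", "Operational", 6, 2, 8),
))
RPN_THRESHOLD = 150  # constructed cut-off above which a barrier is required

if __name__ == "__main__":
    for name, total, to_treat in rank_suppliers([ALPHA, BETA], RPN_THRESHOLD):
        print(f"{name}: total RPN {total}, barriers needed for {to_treat}")
```

The per-quadrant breakdown shows that a candidate with the lower total may still carry a single Hazard-quadrant mode that needs a barrier before it is selected.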

4.3.1 Risk: threat or opportunity?

Some risk management techniques divide risks into two categories, based on the kind of consequences they may bring:

1. Pure (or static) risks: they can only damage the company, for example:
   a. Risk of damage/loss of assets.
   b. Risk of civil liability.
   c. Occupational health and safety risks.
   d. Risk of damage/loss of third parties' assets under our company's responsibility.

2. Speculative (or neutral) risks: they can lead to either a profit or a loss for the company with a certain likelihood, so they enter the field closely related to Operational Risk, where the company evaluates scenarios and possible consequences to make strategic choices for the achievement of its goals. Here are some examples:
   a. Market risks (e.g. choosing to enter a new market, the tendency of customers to prefer online shops, being outmaneuvered by competitors, etc.).
   b. Credit risks (e.g. extending credit to customers).
   c. Liquidity risks (e.g. not being able to convert one's own assets into cash).
   d. Production risks (e.g. production volume, managing stock levels, etc.).
   e. Political risks (e.g. new/tighter regulations, sanctions, embargoes, etc.).
   f. Risks of innovation (e.g. choosing an adequate level of product/process innovation, funding R&D, etc.).
   g. Etc.

One of the methods developed to manage this type of risk is Operational Risk Management. ORM considers risk as a variation of performance that can be positive or negative; such variations are caused by uncertain events.

The only innovative element of this methodology is to consider the risk as a threat (negative variation of performance) or an opportunity (positive variation of performance), while keeping the two components of risk that we saw before: the severity of the consequences (which becomes the extent of the variation, e.g. of the output of a process) and the probability of occurrence (here the probability of occurrence of the uncertain event that causes the variation).

The consequences are quantifiable in terms of performance variation (e.g. production capacity, lead time, number of nonconforming parts, etc.) or of the value perceived by the stakeholders, thus including all the types of risk that we had previously identified.

At the end of this chapter the Nokia-Ericsson case will be presented, and we will see how a series of timely choices (later revealed to be successful) allowed one of these companies to turn a "category 1" risk (having only negative impacts on the company) into an opportunity for huge growth and even for successfully wiping out the competitor from the market.

The purpose of this part, in fact, is to make it clear that good management of any type of risk can lead to far more important benefits than simple protection, especially in a modern environment where competition between companies is fought on a huge number of fronts.

4.4 Enterprise resilience

The BSI Group article titled "Resilience as a Value Driving Organization" begins with the sentence: "In an ever-changing complex market, more and more people talk about resilience. A resilient organization not only survives, but is able to anticipate, be prepared and respond appropriately to change, seizing opportunities in order to thrive in a dynamic environment." and defines corporate resilience as follows: "Resilience goes beyond the concept of mere risk management, defining a more holistic vision of long-term business success as the value that drives the organization."

To better define the concept, we can group under the name "enterprise resilience" all the business procedures that enable the company to improve: capitalization of experience, innovation, risk management, and maintenance of business continuity.

APEC conducted a survey interviewing some CEOs of companies that were directly or indirectly damaged by the March 2011 Japanese earthquake and tsunami, to gather testimonies of the lessons learned from that event. The following picture shows some of the conclusions reached by the study and in particular the most frequent responses of the CEOs who claimed to have suffered huge damage.

Figure 10: Conclusions of the APEC CEO Survey (Source: APEC)

As we can see, the three main answers about the lessons learned and the initiatives created to react are:

1. Increased our ability to respond more quickly to disruptive events.

2. Revised our business continuity plans.

3. Increased investment in scenario planning for low-probability, high-impact events.

Here we find perhaps the most important and critical part of corporate resilience: sometimes it is not easy to justify investments in some of these areas (such as the low-probability scenario analysis of response 3) until we experience a similar event; we may understand such a choice, but "in a constantly evolving market" (BSI Group) like this one, just one severe disruption may be sufficient to kill a company, preventing it from surviving and learning from that event. In this regard, we can quote the sentence: "If you think risk management is expensive, try an accident."

One of the areas on which various experts are focusing is the creation of tools, similar to the Forrester framework for calculating a GRC's ROI, that help managers justify investments in business resilience processes by highlighting how these can also bring benefits to day-to-day operations.

Let's start by presenting the phases that allow the company to deal with a disruption while maintaining stability and minimizing the recovery time (for each we will show examples of how the processes created to respond to emergencies can also bring benefits to the company under normal operating conditions):

1. Sense: the set of business functions that allow the company to identify and memorize, from past experiences, the knowledge needed to identify useful KPIs (required for monitoring) and to be able to properly spot and interpret the "symptoms" of events that are going to happen or that have already happened but whose consequences are not fully manifested yet. Under normal circumstances, it enables the company to capitalize on its knowledge and facilitates the creation of manuals and staff training programs.

2. Build: the set of functions devoted to the proactive creation of skills that can be used proactively or reactively, and to studying and experimenting with new reconfigurations of the existing assets in order to react quickly and effectively. These processes are based on creating skills that are useful to the company and therefore contribute to more efficient and effective staff management.

3. Reconfigure: the set of functions dedicated to improving the company's ability to adapt to changes with multiple forms of flexibility, in order to easily deal with a disruption or simply adapt better to the conditions in which it is operating (an evolutionary perspective). It is obvious that a company's ability to be flexible allows it to gain significant benefits also in day-to-day operations: launching new products or managing modest fluctuations in demand will require limited time and resources.

4. Sustain: the set of functions dedicated to ensuring business continuity during the recovery time, reducing the time needed to recover from the consequences of a disruption, reducing and preventing long-term consequences, and acquiring knowledge and skills for future use. These processes also contribute to the capitalization of corporate knowledge, with the advantages we have already identified.

5. Re-enhance: the set of functions designed to take the actions needed to recover from a disruption and at the same time exploit the opportunities that may result from it. This function seems to be totally tied to emergency management, but it basically aggregates all the capabilities that allow a company to plan and make important changes that require a long implementation time, allowing it to undertake more important and challenging development projects.

The following picture shows a graphical representation of the various phases, from the time in which the disrupting event occurred until the restoration of normal operating conditions (which may be different from the initial ones).

Figure 11: Representation of the phases and the actions taken by a company from the time a disruptive event happens until the restoration of normal operating conditions (Source: Sheffi & Rice)

The picture represents the life of a company as a cyclical succession of (more or less serious) disruptions from which the company recovers, so we can think that before "time 0" of this graph the company has suffered a disruption, has managed to react and recover, has gained some precious knowledge, and now the cycle is about to restart with a new disrupting event.

The first phase, marked as "preparation", can therefore be the time interval between the restoration of normal working conditions after the end of a previous disruption and the new "disruptive event". However, there could be another way to interpret this graph: the "preparation" phase could also be seen as the time in which the company was collecting, analyzing and cataloging experiences in order to gain knowledge to be used for the continuous improvement of its processes.

In this phase the "Sense" function determines the company's effectiveness in capitalizing on its know-how and experience; its second task is to monitor a set of KPIs that allow the company to minimize the time between the occurrence of the disruptive event and the time in which it is identified; in some situations the disruptive event may even be anticipated, by identifying the warning signs and initial symptoms.

The "Build" function comes into play from the time the company becomes aware of the disruption and has the task of selecting and organizing the skills needed to react; usually this phase involves the creation of task forces designed to predict all the possible consequences of the disruption and elaborate the necessary strategies.

Meanwhile, the consequences of the event are reducing the performance of the company, and during the "Reconfigure" phase the main concern is to commit the resources needed to adapt and to be prepared to respond as quickly as possible.

At this point (the "Sustain" function comes into play) the recovery phase starts, and the first concern is to sustain the effort of the company without risking dispersing energy and resources into unnecessary processes.

Once the emergency is over, there will be a period of time during which the company recovers until the restoration of normal operating conditions, which may be different from the initial ones (as we will see in the Nokia-Ericsson case, a company may even improve its initial performance if it is able to properly manage a disruption).

During the final phase, the "Re-enhance" function has the task of gathering and analyzing the data and lessons learned from this experience in order to decide whether to restore the functions and procedures already in place or to take advantage of this transition phase and make changes to increase its effectiveness and efficiency.

The cycle ends by transferring this knowledge to the "Sense" function, in order to be integrated into the corporate cultural heritage for future use.

As we have seen, all the functions that have come into play can be used both in a reactive way, to deal with a disruption, and proactively, in order to increase the company's awareness of its own resources and of the external environment in which it operates, allowing it to have a continuous and harmonious process of learning, gaining competitive advantages and improving its own risk management and emergency management system.

GRC systems seem to fit very harmoniously within this philosophy, facilitating the transfer of information within the company and all its components and enabling it to make full use of all the data and experiences gathered in order to increase its resilience and proactive processes.

4.5 Nokia-Ericsson Case

To conclude the discussion on risk and emergency management, the Nokia-Ericsson case will now be presented. Here we will find an example of the importance of correctly capturing and evaluating information, the importance of internal communication, and how it is possible to turn a negative event into a precious growth opportunity (via a proper understanding of scenarios and timely planning and execution).

4.5.1 The disruption

On March 17, 2000, a Philips semiconductor factory located in Albuquerque (New Mexico) caught fire. The security measures proved to be effective (sprinklers and Philips-trained staff successfully managed the situation), the fire was tamed, and once the firefighters arrived at the scene they just had to declare the end of the emergency.

Philips estimated the total cost related to this disruption as the combination of the costs needed to replace the damaged lots and the penalties for having failed to comply with the delivery deadlines.

This plant supplied both Nokia and Ericsson, and Philips announced to both a one-week delay for the subsequent component shipment.

The problem was that, despite the fact that the fire had developed in the furnace area, it had triggered a number of consequences that affected the whole plant. Microprocessor manufacturing plants require closed spaces provided with an air filter system capable of intercepting any particles larger than 1 μm, in order to prevent dust deposits on silicon wafers and guarantee their quality.

The fire had irretrievably compromised the controlled atmosphere of the factory, due to smoke and to the passage of personnel and firefighters "contaminated" by dust and soot.

The result was that all components, semi-finished products and finished products located in the plant were irrecoverable, and the estimated time needed to restore normal operating conditions went from a couple of weeks to several months.

Let's see now what happened inside the two companies after receiving the news of a one-week delay (this kind of situation was fairly common in that type of industry and thus easily manageable using safety stocks).

4.5.2 Nokia response

After receiving the call from Philips, Nokia's chief component-purchasing manager, although not particularly worried by that news, informed other company members, including Nokia's chief troubleshooter, who felt that the situation, not alarming at the moment, required closer observation.

Nokia activated a "pre-emergency" plan, creating a list of the components produced in that plant, monitoring the situation with daily phone calls and offering to send engineers to speed up recovery operations.

Two weeks later, Nokia received from Philips the communication of the actual extent of the damage and immediately established a task force of engineers and supply managers to create an emergency plan in order to be able to purchase the required components elsewhere.

In the end only two components were impossible to procure from other suppliers, so Nokia had a face-to-face meeting with Philips, asking to have access to detailed information about the production capacity of their remaining plants and to use that capacity to produce those parts; for a short period the two companies operated as one entity.

With this huge and timely effort, Nokia was able to successfully manage the emergency and reduce the negative consequences to a minimum.

4.5.3 Ericsson response

Ericsson received the same communication from Philips about the one-week delay of the subsequent shipment but considered it acceptable and, even when they were running out of critical components, low-level employees had not yet informed their managers.

When Ericsson realized the real gravity of the situation it was already too late: Philips' and other suppliers' extra capacity had already been "taken" by Nokia, leaving Ericsson with few chances of containing the damage.

4.5.4 The results and lessons learned

The results of this series of events were catastrophic for Ericsson, which was short of millions of key components for the manufacture of a new generation of phones that was about to be launched on the market, and found itself with an inadequate mix of products.

The economic loss for them was about $2.3 billion, and after one year the decision to shut down the phone business led to the creation of Sony-Ericsson, a 50-50 joint venture managed by the two companies.

For Nokia, however, what could initially have been a disaster with similar consequences turned out to be an opportunity to eliminate its main rival from the market and gain 3% of market share in just 12 months, all thanks to its more aggressive and proactive business culture.

Analysts studied this case with great curiosity and found in Nokia a great awareness of the true value of information flow within a company.

Indeed, regardless of the opinion of the person who first receives a piece of news, business policy requires a high level of internal communication, so that this information can reach the people with the right skills needed to make the best use of it.

In the case we have just seen, it was the same Nokia manager who, despite not considering the situation particularly alarming, forwarded the information to the rest of the company, setting various processes in motion so that this apparently ordinary news could reach the troubleshooter.

A statement from Nokia's troubleshooter was: "We encourage bad news to travel fast, we don't want to hide the problems"; we can find these principles in all the systems that stand out for readiness and effectiveness in identifying and solving problems.

Once again, we can reiterate the fact that the centralized information management system created by GRC systems is perfectly aligned with Nokia's strategy and with the philosophy of sharing information and competences inside a company in order to act as one entity against problems.

4.6 Conclusions

Finally, we can summarize what has been said in this chapter by briefly recapping the steps a company should take to make its own risk management system mature and ready to support a successful implementation of an integrated GRC system, and to increase the probability of making a profitable use of the new system.

The first step requires the creation of an ERM system based on an advanced and aware risk culture (knowing the value of the information and the benefits that can be obtained), to use all the tools and methodologies available in an integrated and complementary way.

The second step involves the creation of proactive management processes to establish the barriers necessary to protect the company against risks.

The last step is related to the creation of the processes and tools needed to monitor the company, both internally and externally, to identify all the indicators (KPIs) useful for creating a dashboard capable of spotting all variations and quickly activating the risk and emergency management system; in other words, the creation and development of the company's enterprise resilience.

5. GUIDELINES FOR A SUCCESSFUL IMPLEMENTATION

This chapter is dedicated to supporting the implementation phase of the integrated GRC platform by suggesting procedures that may not be identified during the design phase.

The reference materials for this part are articles written by consulting companies and interviews with top managers of companies that have successfully accomplished the installation phase of an integrated GRC system and are making a continuous and profitable use of it.

In order to provide suggestions for easing the implementation phase and to allow the company to create the conditions to take advantage of the full potential of the new system, the authors of this document identified the following points:

• Being able to communicate the reasons for the adoption of a GRC system and motivate the staff.

• Creating a common language.

• Basic training on risk management.

• Active staff participation during the design stage.

• Handling the project in phases.

We will now provide a more detailed description of the various points.

5.1 Motivating and communicating the reasons

Several times during this work it has been highlighted that GRC systems involve all corporate functions and staff at all levels in a common effort.

As we said, it is usually the CEO who first takes into consideration the adoption of an integrated GRC system, to improve the performance of the company and to solve some of the problems that come out during day-to-day operations.

At this point, after having evaluated several alternatives and selected one or two platforms, he brings the proposal to the corporate council in order to make a choice. As we have pointed out in the previous chapter, it is absolutely necessary that top management be fully convinced of its willingness to undertake this project and become an active supporter and promoter of it.

Now we can go into more detail on how top management can concretely support the implementation phase. In fact, low-level staff are the ones who will use the new system and deal with new procedures and tools, sometimes very different from those they were accustomed to.

This certainly implies a significant effort on their part, so it is crucial to motivate them and make them feel part of this project. One way of doing this is to make them understand the motivations that led to the choice of using the GRC system and the benefits it can bring to them and to the entire company.

The intention is therefore to make them perceive the adoption of an integrated GRC system not as something imposed from above (and to which they just have to adapt), but as something that can give a positive contribution and that requires their work in order to do so. In other words, it is about meeting each other halfway: the GRCs help us to solve some problems and gain benefits; in exchange we, as a company, help the GRCs to function properly by leaving the comfort of our old procedures and embracing new ones.

As we know, motivation is by far the most critical and difficult-to-manage variable in project management, and it becomes even more important in cases (such as this one) in which the way staff perceive the project will have heavy consequences not only on the success of the implementation phase but also on how the new system will be used during day-to-day operations.

We will understand this topic better in point 4, which shows another way of motivating the staff to interact properly with the new GRC system.

5.2 Creating a common language

It is not unusual that, within the same company, different departments or functions use the same terms with different meanings.

This could be tolerated without any particular problems within a more fragmented structure (silo structure), but given that GRCs intend to create a centralized information management system to which all departments will have access, it is essential to create a single, standardized vocabulary and make sure that the entire company adopts it.

This point might seem trivial, but if neglected it could lead to many problems in the early stages after implementation, when staff will start to interact more and more frequently with the system.

In fact, as we said, one of the purposes of the centralized information management system is to analyze data to support the decision-making process, so without a common language that information will become incompatible, or in the worst case it could lead to misunderstandings and poor decisions.

5.3 Basic training on risk management

As mentioned at the beginning of this document, the "Risk" part of GRC systems seeks to make risk management a component of all the processes of the company.

This does not necessarily mean that the company should give up having a "centralized" or "unique" risk management function in order to reach a condition in which each department manages its own risks.

Such a situation, in addition to being difficult to achieve, would prevent the company from having an overview of the entire organization and managing risks in a more coordinated way, thus not being able to exploit possible synergies and risking a loss of efficiency and effectiveness.

A better way would be to provide at least basic training to the personnel in charge of interacting with the centralized information management system, so that they can identify all the information useful for risk management (for example, knowing the importance of the so-called "voluntary reports", which we will discuss in the last chapter when talking about the so-called "Just Culture").

Thus risk management could still be carried out by a dedicated function within the company, which could rely on a desirably more complete and constant stream of valuable information.

Choosing to train only the staff responsible for interfacing with the information system is an acceptable compromise; the most ideal scenario would be to extend the training to all staff, but it may be ineffective as well as expensive.

What we have just said is valid also for the Compliance part of GRCs; a company may decide to train the staff also for compliance management if it is a particularly critical element of its business.

5.4 Active staff participation

One of the major problems for a company that invests in such an important system as a GRC occurs when, after the implementation phase, staff show some resistance to using it, risking making all the efforts and investments vain.

The risk is being unable to take full advantage of the new system and at the same time seeing the creation of other communication channels preferred by the staff.

The first step should be the determination of the possible causes that lead to such situations; we can list some of them:

a. A particularly complicated system interface and non "user friendly" processes, maybe caused by errors made during the design phase.

b. Inadequate training on how to use the system as a result of problems during the training phase.

c. A distrust in new systems, as a result of a failure in motivating the staff.

d. A perceived ambiguity in the company's behavior: the staff might perceive a lack of confidence by the company (usually top management) in the new system and feel less motivated to use it; in this case the management's support might have failed.

The company may try to solve some or (hopefully) all of these problems by choosing to actively involve the staff in the design phase of the new centralized information management system they will be asked to use.

Collaborating in the creation of the audit structure or system interface could eliminate the risk of creating a program too complicated to use (point "a.") and consequently problems during the training phase (point "b.") would be easily solved or prevented.

Being personally involved means that staff are more motivated and willing to use the system they contributed to creating.

This is one of the best ways not only to increase the probability of successfully completing the implementation phase, but above all to create the conditions to use the GRCs in a more aware and profitable way, maximizing the benefits obtainable and justifying the investment.

5.5 Handle the project in phases

This last point concerns a practical suggestion that is strictly related to project management.

Companies that have implemented a GRC system suggest proceeding one sector at a time, integrating it into the system and then moving on to the next one, in order to be able to carry out the project more easily and at the same time maintain continuity in operations.

This suggestion assumes that the company is making a transition from a "silo structure" to an integrated structure built around the new centralized information management system, which represents the backbone of the new configuration.

This final structure does not necessarily intend to eliminate the departments, but it is necessary to break down the "walls" which, in the "silo structure", isolate the various functions; this is mainly done by the Governance function of the new integrated GRC system via the creation of the centralized information management system.

These suggestions should help and support the company during the implementation phase; however, it is not possible to identify the exact moment in which it is accomplished, because the organization has just begun the path to reach what OCEG calls "Advanced GRC". In other words, this is the condition in which the integrated GRC system reaches its maturity, the company has managed to become fully confident in using it and has "refined" all the processes in order to make them effective and efficient.

In the appendix an image will be provided that should give an idea of the main phases a company should go through in order to reach the conditions we just presented.

Unfortunately, the material available in this regard is not sufficient to properly treat it in this document. In fact, companies usually deal with these phases in an unstructured way, making it almost impossible to identify the set of steps that contributes to the creation of an "Advanced GRC".

The good thing is that, considering the fact that the material about the implementation phase and its prerequisites is relatively new and is continuing to grow, we may expect that in the future more and more information will become available, allowing the collection and sharing of useful guidelines to increase the knowledge and the awareness also on this topic.

However, what we can do at the moment is provide some suggestions about management techniques or tools capable of supporting and completing an integrated GRC system, taking advantage of some common points and synergies. The following chapter is therefore devoted to addressing this topic.


6. SUGGESTIONS FOR FUTURE DEVELOPMENT

This last chapter intends to provide suggestions to continue the improvement path that the company has undertaken with the implementation of the GRC and its use during day-to-day operations.

For this reason, two management techniques perfectly aligned with the philosophy and modus operandi of integrated GRC systems have been selected; they can therefore be implemented in a particularly easy way and make important contributions to both the GRC system and the enterprise.

We will present:

• The BYOD (Bring Your Own Device) policy.

• The "Just Culture".

6.1 BYOD Policy

In recent years, the market of personal devices (smartphones, tablets, PCs, notebooks, etc.) has radically changed by incorporating more and more features and allowing better interconnection.

This has led to the development of policies and management techniques that allow the use of personal devices also for enterprise applications, with the aim of responding both to the demand of the staff to be able to use their own devices and to the need of the company to reduce equipment purchase costs.

The use of these policies allows for increased productivity (mainly linked to faster response times, as employees are more familiar with their own devices) and the guarantee of an adequate level of protection of sensitive company data against external attacks or violations.

Usually, within a company, the IT department is in charge of dealing with device management and data security, and in order to do so it can choose to act at multiple levels:

• MAM (Mobile Application Management) includes a set of software practices that allow the company to create and manage their own apps directly, giving the employee the privilege of accessing enterprise systems from their device. In this case, the company may perform various actions, such as forcing an update of the app so that everyone uses the same version of the system at the same time, and revoking access rights in case of termination of the employment relationship. It is typically used to handle the devices of the company's representatives and sellers who need to move freely on the territory.

• MDM (Mobile Device Management) allows the company to control all devices that have the right to access the corporate network. This requires the interaction of two components: an internal server (which sends the commands) and an element internal to the device (which receives and executes them). This is the same procedure used to allow users to download and install operating system updates on their devices without the need to connect to a computer.

• MEM (Mobile Expense Management) enables the company to use software to collect information about mobile device expenses. In this way, it is possible to have comprehensive cost control (by distinguishing the costs between voice and data traffic for business use and those for personal use charged to the individual employee) in order to choose the most appropriate type of contract for their needs. It is also particularly useful for assessing the use of personal devices inside a company that intends to choose the most appropriate management strategy (e.g. MAM or MDM).


The choice of using and managing personal devices for business purposes, however, is very challenging for the IT department, which has to operate in situations of great complexity.

In fact, if we try to look at the personal devices of a company's employees we would not only find a variety of brands (LG, Apple, Huawei, etc.) and operating systems (Android, iOS), but also the coexistence of different models (iPhone 4S, iPhone 5, iPhone 6, etc.) and different versions of the same operating system (in fact not everyone upgrades their devices at the same time).

Knowing that, if we look again at the two main advantages identified before, we understand that although an increase in productivity would very likely be achieved, cost reduction is a different story. In fact, while the company saves on purchasing the devices to be provided to employees, the IT department will need better tools and resources to properly manage its tasks and to guarantee the adequate level of data security and the protection of both the employees and the company.

If we apply BYOD policies to an existing integrated GRC system, it is clear that easier and faster access to the centralized information management system allows the overall system to be more responsive and at the same time motivates and involves the staff in using it, thus broadening the amount of data it can receive, analyze and make available.

6.2 Just Culture

This subchapter intends to present the so-called "Just Culture", a concept coming from the aeronautical domain (related to the management of aviation safety) based on the fact that one of the key factors for accident prevention is the risk management culture and the possibility to count on a set of information (as large as possible) on which to build the risk management process.

To introduce the discussion on this topic we are going to provide part of the article "Trasporto aereo. Imparare dagli errori. Ecco cos'è la just culture" (in English: "Air Transport. Learn From Errors. Here is the Just Culture") by Patrizio Paolinelli (Wordpress); this article is particularly helpful not only to present what "Just Culture" is, but above all it tries to explain why it is so important to bring it IN OUR COUNTRY and facilitate its diffusion.

"Just Culture is a concept born in the Anglo-Saxon world that brings together a number of practices and attitudes regarding security in high-risk environments. This is an approach aimed at prevention and, for what concerns air traffic management, it overturns our approach to addressing daily problems. Too often in Italy the occurrence of inconveniences or, even worse, aviation accidents triggers a kind of manhunt. Once the person to blame is identified and condemned, INjustice has been done, because everything remains more or less the same as before and the root causes of the problem have not been addressed. This modus operandi is based on the "Blame Culture" and consists essentially in the pursuit of a scapegoat. This pursuit always ends up finding a sacrificial victim, ignoring the responsibilities of the organization, and failing to take full advantage of the information. Paradoxically, what appears to be a strongly punitive approach is in fact largely exculpatory. But, controversy aside, what's worse is that, like an invisible cloak, the guilty mentality influences the day-to-day operation of flight controllers even when anomalies or errors do not have a negative impact."

From these few lines the author wants to make us understand how the blind will to find and punish the guilty can lead to the loss of the opportunity to prevent other similar accidents.

A superficial vision might conclude that this would mean that those who are responsible could remain unpunished and free of consequences for the sake of preventing other negative events, but in reality it's exactly the opposite.


As the author said, a well-conducted investigation not only leads to identifying the root causes of the event but also those truly responsible (instead of looking for what the author defines as scapegoats), so we don't have to give up justice to prevent new accidents, but we can get benefits on both sides.

6.2.1 Linate accident, October 8, 2001

National Geographic has created a series of documentaries called "Air Crash Investigations" (in Italian "Indagini ad alta quota") that shows (through detailed reconstructions, archive footage and actors) the investigation of aerial accidents.

In the episode dedicated to the Linate accident of October 8, 2001, we can see that when the ANSV chief investigator arrives on the scene he is prevented from proceeding by local law enforcement for a few hours, and the National Geographic narrator (thus providing an "international" point of view) explains that: "Unlike many countries, Italy considers aircraft accidents as crimes, so law enforcement has the lead of the investigation."

If we think about it we can easily imagine that local law enforcement are totally unprepared to investigate an aircraft accident, because the complexity of the event and of the airplane would require a wide set of specific competences in order to know what the relevant clues are and how to proceed.

The best way we can imagine to deal with a situation like that would be to inspire reciprocal cooperation between the two parties, assisting the knowledge of the ANSV detectives with the workforce of local law enforcement.

Unfortunately, what happened is that the ANSV detectives had to wait several hours before they were authorized to enter the accident scene, and at that point a lot of relevant clues had already been lost.

However, despite the lost information, it was still possible to reconstruct the true series of events that led to the incident, identify the root causes and make the necessary changes to Linate Airport.

This brief excursus had two aims: providing an example of the problems related to what we can define as "a blind pursuit of justice" (in a very complex and critical system such as aviation it is easier to see, but as we will show later, also in the industrial field we can get benefits from applying the principles of Just Culture) and providing the background to the conclusions reached by the ANSV investigators, which, as we will see, are nothing but the symptoms of a "corrupted" risk management culture and can be found in almost every sector, not only aviation.

The investigators discovered two shocking things:

1. Staff had become accustomed to the lack of appropriate tools (the ground radar was stored in the warehouse but never installed, sensors had been permanently disabled to avoid false alarms, navigation signage was unreadable, etc.).

2. The staff had become accustomed to a variety of "near misses", events that were about to become accidents but were avoided at the last moment, mostly by chance. In fact, less than 24 hours before, the very same accident was about to happen on that same runway, but the collision was avoided at the last moment thanks to the pilots' promptness, favorable weather conditions (they had good visibility; on October 8 instead there was a dense fog with very poor visibility) and a large dose of "good fortune".


6.2.2 Risk management culture

These problems are the consequences of a wrong risk management culture and may be seen in any other situation; in fact, also during our daily life we may act in this way. For example, if we climb on a ladder to clean a high shelf we can decide to "take the risk" of leaning from the ladder in order to reach a far shelf without "wasting time" moving the ladder. Then, if we risk falling but in the end (luckily) nothing happens, we experience a "near miss" event and have the opportunity to decide how to use that experience.

We may decide to ignore that event and take that same risk again, or modify our behavior in order to reach a higher level of protection.

This example might seem trivial, but it could be useful to understand how easy it is to become accustomed to always taking the same risk (ignoring warnings) until something goes wrong, and how crucial it is to develop the risk management system based on a "healthy" risk culture.

6.2.3 How Just Culture works

Just Culture acts right on the culture of risk management, seeking to improve internal communication to help gather and analyze important data.

The main pillars of Just Culture are the creation of a spirit of collaboration and mutual trust between all hierarchical levels of the organization and the awareness of the importance and effectiveness of prevention.

The first thing to do is to make risk management and its procedures clear and structured, with the support of regulatory guidelines and other resources, so that the entire organization can align its efforts and objectives in order to improve its risk oversight and its effectiveness in prevention, protection and reliability of its systems.

The entire company is therefore acting together to continuously improve its risk management processes, gathering precious information from lower-level staff (the ones who can report all the issues encountered during day-to-day operations) and using it to integrate existing procedures and training programs or to create new and more effective ones, all according to the "learning culture" that we already encountered during our discussion about enterprise resilience.

By doing so, even if the individual worker is facing a new situation he is not alone, but can count on a series of instructions and guidelines provided by the company and created also thanks to his contribution.

In order to create the conditions necessary to put these processes in place, the company needs to encourage as much as possible the collection of voluntary reports (those not considered mandatory by the regulations), which usually concern the "near miss" events we mentioned earlier or any minor problem or failure encountered during normal operations or maintenance.

In some particularly complex sectors, such as aeronautics or other businesses characterized by the interconnection of different systems, procedures and competences, it is very difficult to carry out an effective proactive management capable of identifying (ideally) all the risks.

It is therefore essential to be able to count on a set of data as wide as possible, which could provide vital information for protection and prevention, especially because we could encounter minor events that highlight some criticalities that, in other conditions, may lead to serious consequences (as we saw for the Linate accident, the "near miss" event of the previous day could have saved hundreds of lives if managed properly).


This "treasure" of information, although we have started by considering the aeronautical field for its particular characteristics, is starting to raise an ever-growing interest in other sectors and will most likely be adopted in the industrial field in a few years.

In fact, even in this sector we have more and more examples of particularly complex systems (power plants, oil platforms, state-of-the-art facilities, etc.) and companies aiming to continuously improve their proactive risk management in order to gain a number of advantages:

• Better protection against the risks of a disruption;

• Lower costs for the consequences of accidents;

• Lower risks/legal costs;

• Better insurance conditions;

• A more robust risk profile that increases the attractiveness perceived by potential partners, investors or buyers;

• Etc.

It's not a coincidence that we keep encountering more or less the same kind of benefits when talking about GRCs, enterprise resilience, proactive risk management and Just Culture; it is proof that they are all aligned and share common goals, collaborating with and integrating each other.

6.2.4 Creating the necessary conditions

Let's now have a look at what is needed to create the conditions necessary for establishing a voluntary reporting system.

Everything is based on mutual trust between the one who makes the voluntary report (usually lower-level staff) and the organization: as we have said, the event may be an anomaly or the result of a mistake caused (and then blocked before it could have any particular consequences) by the one who is now reporting it to the company.

In fact, although these data are entered in the system following precise procedures to protect the privacy of the people involved (personal information is removed, but general information is used to classify and analyze the event; for example, the report describes the role of the people involved, e.g. pilot, mechanic, etc., and the type of system, e.g. airplane X, machine Y, etc.), it may still be possible to identify the people mentioned.

For example, consider a small airline in which only two pilots are trained and assigned to pilot aircraft XY, or a small company where there is only one milling machine. We understand that if the report is about a "near miss" event that happened to the aircraft XY or the milling machine, it would be straightforward to trace who might have committed and "anonymously confessed" the mistake.

Apart from the cases of abuse, malicious intent or serious negligence attributable to an individual, who will be properly prosecuted, the sole way to use these voluntary reports is and must be an anonymous and aggregated analysis for risk management purposes.
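The re-identification problem just described, as an added example that is not part of the thesis: stripping the reporter's name while keeping role and system still points at a person whenever the staff roster has fewer than k people in that (role, system) group, and the aggregated analysis must generalize such small groups before anything is published. The roster, the reports, the field names and the threshold k are constructed for illustration.

```python
"""Re-identification risk in de-identified voluntary reports (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed staff roster: (name, role, system assignment).
# Only two pilots fly "aircraft XY", which is the small-airline case from the text.
ROSTER: List[Tuple[str, str, str]] = [
    ("Anna", "pilot", "aircraft XY"),
    ("Bruno", "pilot", "aircraft XY"),
    ("Carla", "pilot", "aircraft AB"),
    ("Dario", "pilot", "aircraft AB"),
    ("Elena", "pilot", "aircraft AB"),
    ("Fabio", "pilot", "aircraft AB"),
    ("Gianni", "mechanic", "aircraft XY"),
    ("Hilde", "mechanic", "aircraft XY"),
    ("Ivan", "mechanic", "aircraft XY"),
    ("Laura", "mechanic", "aircraft AB"),
    ("Marco", "mechanic", "aircraft AB"),
    ("Nadia", "mechanic", "aircraft AB"),
]


@dataclass(frozen=True)
class Report:
    reporter: Optional[str]  # present at submission, removed on ingestion
    role: str                # general classification kept for analysis
    system: str
    event: str               # e.g. "near miss", "minor failure"


def deidentify(report: Report) -> Report:
    """The step the text describes: drop personal information, keep role and system."""
    return Report(None, report.role, report.system, report.event)


def group_members(role: str, system: Optional[str], roster: Sequence[Tuple[str, str, str]]) -> List[str]:
    """People on the roster matching the role, and the system if one is given."""
    return [n for n, r, s in roster if r == role and (system is None or s == system)]


def reidentification_risk(report: Report, roster=ROSTER, k: int = 3) -> List[str]:
    """Names a de-identified report still narrows down to when fewer than k people
    share its (role, system) pair; an empty list means the group is large enough."""
    candidates = group_members(report.role, report.system, roster)
    return candidates if len(candidates) < k else []


def generalize(role: str, system: str, roster=ROSTER, k: int = 3) -> Tuple[str, str]:
    """Coarsen the classification until at least k people share it:
    (role, system) -> (role, 'any system') -> ('any role', 'any system')."""
    if len(group_members(role, system, roster)) >= k:
        return role, system
    if len(group_members(role, None, roster)) >= k:
        return role, "any system"
    return "any role", "any system"


def aggregate(reports: Sequence[Report], roster=ROSTER, k: int = 3) -> Dict[Tuple[str, str, str], int]:
    """Aggregated analysis for risk management: counts per (role, system, event),
    with small groups generalized so the published figures single out nobody."""
    counts: Counter = Counter()
    for rep in reports:
        rep = deidentify(rep)
        role, system = generalize(rep.role, rep.system, roster, k)
        counts[(role, system, rep.event)] += 1
    return dict(counts)


# Constructed sample of voluntary reports as submitted (names still attached).
SAMPLE_REPORTS = [
    Report("Anna", "pilot", "aircraft XY", "near miss"),
    Report("Bruno", "pilot", "aircraft XY", "near miss"),
    Report("Carla", "pilot", "aircraft AB", "near miss"),
    Report("Gianni", "mechanic", "aircraft XY", "minor failure"),
]

if __name__ == "__main__":
    for rep in SAMPLE_REPORTS:
        anon = deidentify(rep)
        print(anon.role, anon.system, "->", reidentification_risk(anon) or "group large enough")
    print(aggregate(SAMPLE_REPORTS))
```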

Here is where mutual trust comes into play, and it is precisely here that we reconnect to what we, and Paolinelli, meant by saying that applying it in our country is very difficult.


As Paolinelli highlighted, Just Culture was born in a British context and has been successfully transposed to the countries of northern Europe, precisely for the reasons we can list here:

• voluntary data are valuable for proactive risk management and can therefore help save lives (preventing accidents, even if we are dealing with occupational health and safety);

• Just Culture helps identify the root causes and attribute real responsibilities to all those involved;

• doing this does not mean leaving the "guilty" unpunished (we already know that people guilty of abuse, malicious intent or serious negligence are prosecuted and punished).

If we are able to absorb these concepts into our culture we could get all the benefits that we have highlighted and at the same time increase the possibility of identifying and punishing the real guilty rather than the scapegoats.

Just Culture requires that the company, or anyone else, should not be able to pursue the employee in any way unless he falls into one of those serious cases listed previously.

Nowadays, in Italy, even if a company tries to create this mutual trust between all its hierarchical levels and gather voluntary reports, we can be quite sure that, without laws capable of understanding the true potential of these principles and protecting them, if an accident should happen the judiciary would compromise that mutual trust by misusing voluntary data.

Maybe all we can do for now is spread the knowledge of techniques such as Just Culture in order to open the way for improvement and ask for the support of regulatory bodies and institutions.

6.2.5 What Just Culture can do for integrated GRC systems

As we have pointed out several times during this work, GRCs require a number of changes to the company, including some cultural ones, so we believe that they represent a great opportunity to begin a change that is becoming more and more necessary.

In doing so, they could also open the door to the introduction of Just Culture and other innovations that require a difficult and long-lasting cultural evolution.

To conclude this discussion we can list some of the expected benefits deriving from the introduction of Just Culture within an integrated GRC system:

• The foundations of Just Culture can support and promote better use of the GRC information system by introducing the voluntary reporting and analysis components, regarding not only risk management but also compliance and hopefully any other area, promoting the importance of non-compulsory reports.

• The Just Culture philosophy is very much aligned with, and can somehow complete, the way in which GRCs are going to conduct risk management: supporting proactive risk management with a wider database.

• Collaboration and mutual trust between the various business levels is something that we have already suggested implementing and exploiting during the implementation phase, which could thus represent a starting point for creating the conditions necessary to adopt the Just Culture.


7. CONCLUSIONS

We hope that this work has been able to provide ideas and information useful to clarify the main aspects of GRC systems and their implementation, and can therefore serve as a starting point to allow companies to deepen the elements most interesting for their business reality.

One of the ways to continue this "preparatory work" could be the creation of other complementary studies, each one focused on one of the topics addressed here only superficially, in order to create a set of documents capable of helping companies in dealing with specific problems and needs. In this perspective this document could become the fulcrum of this project, introducing and connecting all the other works.

In our opinion one of the most interesting topics is the identification and study of other management techniques and tools and how they can interact with or enrich an integrated GRC system. This would allow the identification of useful and valuable synergies that may bring great benefits to companies interested in using and supporting an integrated GRC system.

In fact, even if in this document only the BYOD policy and Just Culture have been selected, this is just the tip of the iceberg of such an interesting topic.


BIBLIOGRAPHY

• (n.d.). Retrieved from http://www.tapestrynetworks.com/issues/corporate-governance/risk-management-and-oversight.cfm

• (OCEG), O. C. (2009). GRC Capability Model "Red Book" 2.0.

• 1.27-1.29, I. t. (n.d.). theinstitute.org. Retrieved from https://www.theinstitutes.org/comet/programs/arm/assets/arm54-chapter.pdf

• Aaker, D. (n.d.). Retrieved from Prophet.com: https://www.prophet.com/thinking/2016/02/256-silo-saboteur-the-organizational-structure-destroying-your-brand-strategy/

• Anil Suri, P. (n.d.). Vice President and Chief Risk and Audit Officer, Pacific Gas and Electric Company. Governance, Risk Management, and Compliance: Creating the Right GRC Strategy for Your Company. ExecBlueprints.

• Association, W. A. (n.d.). 3 C's Model (3C analysis business model).

• Banham, R. (2007, 6 1). Is ERM GRC? Or vice versa? Retrieved from Treasury and Risk: http://www.treasuryandrisk.com/2007/06/01/is-erm-grc-or-vice-versa-

• Barbara Monda, P. d. (n.d.). The effects of Enterprise Risk Management adoption on firms' value and performances: an empirical analysis using structural equation modelling.

• Benegal, B. (n.d.). Retrieved from IdmWorks.com: http://www.idmworks.com/breaking-silos-network-security-using-grc/

• Boldrini, N. (2010, 07 07). Governance, risk and compliance: a passi lenti verso l'integrazione. Retrieved from ZeroUno: http://www.zerounoweb.it/osservatori/securityjournal/governance_risk_and_compliance_a_pabi_lenti_verso_integrazione.html

• Cervelli, R. (2012, 01 26). Governance, Risk e Compliance: un framework per calcolarne il Roi. Retrieved from ZeroUno: http://www.zerounoweb.it/osservatori/securityjournal/governance-risk-e-compliance-un-framework-per-calcolarne-il-roi.html

• Cryptonet. (n.d.). GRC - Governance, Risk Management, Compliance. Retrieved from Cryptonet.it.

• Eshna. (n.d.). Retrieved from Simplilearn.com: https://www.simplilearn.com/financial-risk-and-types-rar131-article

• Eurocontrol.int. (n.d.). Retrieved from http://www.eurocontrol.int/articles/just-culture

• Evans, D. (2015, 10 07). What is BYOD and why is it important? Techradar.com.

• Gleeson, B. (n.d.). Retrieved from Forbes.com: https://www.forbes.com/sites/brentgleeson/2013/10/02/the-silo-mentality-how-to-break-down-the-barriers/#4a3817d8c7e9

• Kapoor, G. (n.d.). Chief Operating Officer, MetricStream. Governance, Risk Management, and Compliance: Creating the Right GRC Strategy for Your Company. ExecBlueprints.

• KPMG. (n.d.). L'Enterprise Risk Management in Italia.

• OCEG. (n.d.). Retrieved from https://www.oceg.org/about/what-is-grc/

• Paolinelli, P. (2010, 01 22). Trasporto aereo. Imparare dagli errori. Ecco cos'è la Just Culture. Retrieved from paolopaolinelli.wordpress.com: https://patriziopaolinelli.wordpress.com/2010/01/22/trasporto-aereo-imparare-dagli-errori-ecco-cose-la-just-culture/

• Protiviti. (2009). Key Questions Regarding Integrated GRC.

• Quadrants, R. (n.d.). Retrieved from erm360.com: https://www.erm360.com/tag/risk-quadrants/

• Ramin Edmond, N. W. (2015, 11 11). Business move beyond the BYOD model. TechTarget.com.

• Reply. (n.d.). G.R.C. - GOVERNANCE, RISK & COMPLIANCE. Retrieved from Reply.com: http://www.reply.com/it/topics/security/g-r-c-governance-risk-compliance

• Richard Hunt, T. C. (2014, 06). Why governance, risk and compliance projects fail and how to prevent it. Computer Fraud & Security.

• Robert E. Hoyt, A. P. (2013). The determinants of Enterprise Risk Management: evidence from the appointment of chief risk officers. In Risk Management and Insurance Review (Vol. 6, pp. 37-52).

• Robert E. Hoyt, A. P. (2011). The value of enterprise risk management. In The Journal of Risk Insurance (Vol. 78, pp. 795-822).

• Seufert, N. R.-E.-A. (n.d.). A frame of reference for research of integrated Governance, Risk and Compliance (GRC).

• Skybrary.aero. (n.d.). Retrieved from http://www.skybrary.aero/index.php/Just_Culture

• Switzer, C. S. (n.d.). Co-Founder and President, OCEG. Governance, Risk Management, and Compliance: Creating the Right GRC Strategy for Your Company. ExecBlueprints.

• Victor Lipman, C. (2016, 06 01). Key Management Trends for 2016? Here are 6 Research-Based Predictions. Forbes.

• Vliet, V. v. (2015, 02 17). 3C model (Ohmae).

• Watson, Z. (n.d.). Why the market moved from Mobile Device Management to Enterprise Mobility Management. TechnologyAdvice.com.

APPENDIX

Figure 12: An example of the phases that a company should go through in order to reach the maturity level called "Advanced GRC"

(Source: OCEG Illustrated; https://www.rsa.com/content/dam/rsa/PDF/2016/06/tool-oceg-pictographic-journey-to-advantaged-grc.pdf)

(image on the next page)
