Proprietary/Confidential
Moving Governance, Risk Management and Compliance from a Cost to a Strategic Benefit
Presenters
Kevin Malicki, Director of Product Management, Harland Clarke
Sam Abadir, Director of Product Alliances, LockPath®
What You Will Learn
● How financial institutions realize different types of risk and how they address their risk
● How financial institutions manage seemingly disparate data to better manage different types of risk
● How compliance and risk need to be messaged differently across the organization
● How efficient and effective governance, compliance and risk management moves beyond ‘checking the box’ to providing competitive advantage
IT Risk Management as a Competitive Advantage
Case study at a large bank
Disparate Data Throughout the Business
Vulnerability Scanner
Threat Feed
Tactical & Strategic Activities
Business Priorities
Poll Question - IT Risk Management Maturity
Ad Hoc
• Not managed
• Not tied to risk
Considered
• Attempt at similar management
• One or many scanning tools, all managed individually in the tool
• No information about the assets
Defined
• Assets classified and grouped
• Metrics/SLAs defined and managed
• Manual assessments
• Manual process
• Limited scale due to high cost
• Vulnerability assessments managed individually
Managed
• Assets tied to compliance and internal controls
• Assessment tools used
• Workflow used for communication
• Standardized reporting
• Automation provides for scalability
• Standardized process
• Automatic deduplication of scans
• Data-driven workflow triages scans
Optimized
• IT threats and risks translated to operational risks
• Agile approach to risk management – management defined by risk level
• Outsourced processes linked to strategic goals, risks, and process requirements
• Business Continuity plans extended to vendors
• Risk reporting and analytics
• Integrated audit management
Business Operations Supported by Technology
IT Infrastructure
Operations
Value
Operational Risks
IT Risks
IT Supports Business
Risk to Value
Threats to Processes Put Value At Risk
Threats to Supporting Technology Put Value At Risk
Targeted Marketing: CRM System, Marketing Systems
New Account Creation: CRM System, Account Management
Credit Processing: Credit Systems, CRM Systems
Account Funding: Accounting Systems, CRM Systems
Trading and Settlement: Accounting Systems, CRM Systems, Trading Systems
IT Threats
• System vulnerabilities
• Application vulnerabilities
• Inadequate security
• Data integrity
Operational Threats
• Poor execution
• Reputation
• Expensive compliance
• Regulatory
5/11/17
IT and Business Data Are Inputs to Risk Management
GRC
GRC Architecture
Enterprise Data
Business Metrics
• Incidents
• KPIs
• Other Business Records
IT Metrics
• Vulnerability Scanners
• Web App Scanners
• Configuration Scanners
• Syslog
• SIEM
GRC Platform
• Risk Register
• Risk Thresholds
• Workflow
• Reporting
• Dashboards
Contextualized Actionable Info
• Staff Reports
• Management Reports
• Board of Director Reports
IT Risk Management Across the Organization
Operational Reports
Which assets are most at risk to…
● Vulnerability findings?
● Scanner findings?
● SIEM findings?
● Etc.?
Asset prioritization
● What do I fix first?
Asset risk history
Management Reports
Average incident response cost?
Are resources deployed effectively?
What is the average patch latency?
Are assets enriched with business information?
BOD/Audit Reports
How much value is at risk?
Do I need to make additional investments to manage risk?
Are current risk management efforts effective?
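The GRC Architecture slide feeds IT metrics (scanner findings) and business context into a risk register with thresholds, and the Operational Reports slide asks "what do I fix first?". The following is an added illustration, not code from the deck or from either presenter's product: it deduplicates findings across tools, enriches each asset with the value of the business processes it supports (the process-to-system mapping from the Risk to Value slide, with assumed dollar figures), and routes each finding to a workflow tier by assumed risk-register thresholds. All asset names, finding ids and figures are constructed.

```python
# Constructed example: merge scanner findings with business context and apply
# risk-register thresholds to rank findings by value at risk.

# Assumed business processes and the value each puts at risk (constructed figures).
PROCESS_VALUE = {
    "Trading and Settlement": 5_000_000,
    "Credit Processing": 2_000_000,
    "Targeted Marketing": 300_000,
}
# Assumed assets, mapped to the processes they support (constructed hostnames).
ASSET_PROCESSES = {
    "trading-01": ["Trading and Settlement"],
    "crm-01": ["Trading and Settlement", "Credit Processing", "Targeted Marketing"],
    "mkt-01": ["Targeted Marketing"],
}
# Assumed risk-register thresholds: a score at or above the limit maps to a workflow tier.
THRESHOLDS = [(1_000_000, "remediate-now"), (100_000, "scheduled"), (0, "accept/monitor")]

# Constructed findings from three tools; VULN-A on crm-01 is reported by two of them.
FINDINGS = [
    {"tool": "vuln-scanner", "asset": "crm-01", "id": "VULN-A", "severity": 9.8},
    {"tool": "webapp-scanner", "asset": "crm-01", "id": "VULN-A", "severity": 9.1},
    {"tool": "vuln-scanner", "asset": "trading-01", "id": "VULN-B", "severity": 5.0},
    {"tool": "config-scanner", "asset": "mkt-01", "id": "VULN-C", "severity": 9.8},
]

def dedupe(findings):
    """Collapse duplicate (asset, id) pairs reported by several tools, keeping the highest severity."""
    best = {}
    for f in findings:
        key = (f["asset"], f["id"])
        if key not in best or f["severity"] > best[key]["severity"]:
            best[key] = f
    return list(best.values())

def asset_value(asset):
    """Enrich an asset with business context: total value of the processes it supports."""
    return sum(PROCESS_VALUE[p] for p in ASSET_PROCESSES.get(asset, []))

def risk_score(finding):
    """Translate an IT finding into operational terms: severity-weighted value at risk."""
    return finding["severity"] / 10 * asset_value(finding["asset"])

def tier(score):
    """Map a score to the first threshold it meets (THRESHOLDS is ordered high to low)."""
    return next(label for limit, label in THRESHOLDS if score >= limit)

def triage(findings):
    """Unique findings ordered by value at risk, each tagged with its workflow tier."""
    ranked = sorted(dedupe(findings), key=risk_score, reverse=True)
    return [(f["asset"], f["id"], round(risk_score(f)), tier(risk_score(f))) for f in ranked]

if __name__ == "__main__":
    for row in triage(FINDINGS):
        print(row)
```

Note that VULN-C carries the same raw severity as VULN-A but lands two places lower once business value is applied, which is the point the reports slide makes about enriching assets with business information.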
Benefits to IT Organization
● Move from “supporting the business” to “part of the business”
● Faster and more frequent funding
● Better IT and operational risk management
Compliance Management as a Competitive Advantage
Case study at a financial services organization
Compliance Management
Internal/Customer Audits
Attestations
Manual Reporting
SharePoint
Technology Security
Legal Requirements
Customer Requirements
Published Policy
Integrated Risk
Integrated Requirements
Requirements Updates
Integrated Controls
Integrated Incidents
Continuous Monitoring
Risk-based Workflow Review
Efficient, Effective Compliance Management
Problems With Manual Compliance Management
Customer
State
Internal
Local
National
The Manual Process and Its Results
Poll Question - Policy Management Maturity
Reactive
• Policies addressed on a case-by-case basis
Controlled
• Policy templates exist
• Policies not complete
• Dependence on organizational knowledge
Defined
• Policies have been standardized
• Policies part of training program
• Employees tested on policy matters
• Policies stored in dedicated shared drives/shared spaces
Scalable
• Policies are monitored
• Policy effectiveness measured
• Policies tied to assets and processes
• Policies stored and accessed in GRC tools
• Attestation process formalized and in GRC platform
• Policies mapped to internal controls and frameworks
Optimized
• Policies are strategically created to minimize controls and remove control repetition
• Policies reflect strategic goals and risk register
• Policy workflows kick off review based on risk levels
• Policy management integrated with audit management and incident management
Streamline Policy Audit Management
Types of Data
● History of Compliance Documents
● Corporate Controls
● Incidents
● Incident Remediation/Acceptance
● Risk Management
● Technology & Security Compliance
GRC Platform Managing Compliance Requirements, Policies, Incidents, Exceptions, Risks and Related Transactions
Compliance Audit Work Papers
Relevant Evidence
GRC in Action
Workflow Simplifies Complexity
Audit Improvement & Simplification
Compliance Simplification
GRC for Competitive Advantage
Decreased time spent on Compliance
Saved on pilot project
Increased Number of Zero Finding Audits
90% >5%
+$500,0000
Project Managers moved to money-making projects
3
IT Vendor Risk Management as Competitive Advantage
Case Study at a financial services organization
Vendor Risk Management Manual Process
+ + = 30 vendors
Demand for Vendor Risk Management
Integral to Several Vendor Networks
Increasing Regulatory Demand
Poll Question - Vendor Risk Management Maturity
Ad Hoc
• Not managed
• Not tied to risk
Considered
• Attempt at similar management
• Random, manual assessments
Defined
• Vendors classified
• Metrics/SLAs defined and managed
• Manual assessments
• Manual process
• Limited scale due to high cost
Managed
• Vendors tied to compliance and internal controls
• Assessment tools used
• Vendor portals used for communication
• Standardized reporting
• Automation provides for scalability
• Standardized process
Optimized
• Vendor risk management is a defined principle
• Agile approach to risk management – management defined by risk level
• Outsourced processes linked to strategic goals, risks, and process requirements
• Vendor due diligence tied to process requirements
• BC plans extended to vendors
• Risk reporting and analytics
• Fourth-party risk management
GRC in Action
Workflow Simplifies Complexity
Integrated, dynamic assessments
Dedicated analytics engine
Scalable, robust risk management
Results
Limited Staff and Limited Processes
Limited and Restricted Risk Management
Saved and Expanded Business Opportunities
Increased Productivity
650%
Effective, Efficient Third Party Risk Management
Summary
● GRC takes inputs from across the enterprise and third parties to efficiently manage areas of risk and allow the business to focus on other value creating activities
● GRC automates messaging of risk and compliance data to stakeholders across the organization in an efficient, effective and risk-specific manner
● GRC tools remove the complexity of compliance and allow the business to focus on its core objectives
The GRC Spotlight Ecosystem
GRC Spotlight Platform
• Automate business processes
• Reduce enterprise risk
• Eliminate redundancy
GRC Spotlight Advantage
Operational Risk Management
Compliance & Policy Management
IT Risk Management
Business Continuity Management & Planning
Audit Management
Vendor Risk Management
Configurable Workflow
Dedicated Analytics Engine
Integrated, Dynamic Assessments
Consumer Enterprise Data and KPIs
Q&A Wrap Up
Type your question in the chat panel
Presentation materials and video replay will be provided within one week.
harlandclarke.com/LinkedIn
harlandclarke.com/Twitter
www.harlandclarke.com/webcasts
HCGRC-0036-01
Kevin Malicki, Director of Product Management, Harland Clarke
Sam Abadir, Director of Product Alliances, LockPath®
Thank You