THE METRICSTREAM GRC EBOOK

P E R F O R M W I T H I N T E G R I T Y

THE METRICSTREAM GRC EBOOKCURATED INSIGHTS ON RISK COMPLIANCE AUDIT THIRD-PARTY GOVERNANCE AND IT GRC

Integrated GRC The Key to BetterRisk Awareness and Better Performance

P E R F O R M W I T H I N T E G R I T YP E R F O R M W I T H I N T E G R I T Y

The concept of Governance Risk and Compliance (GRC) isnrsquot new However the process of implementing GRC in an integrated and federated manner aligned with business processes and strategic objectives is something that many organizations continue to struggle with Integrated GRC demands that several roles ndash including audit risk management and compliance ndash work together to share information data assessments metrics risks and losses

GRC as a discipline is aimed at collaboration and synchronization of information and activities If implemented effectively it enables stakeholders to predict risks with greater accuracy and capitalize on the opportunities that truly matter However more often than not GRC initiatives are fragmented and addressed in an ad hoc manner by different departments working within their limited

spheres This approach prevents senior management from acquiring a clear and expansive view of the risks faced by the organization along with the measures implemented to deal with those risks

The ideal state is a federated approach to GRC wherein audit risk and compliance management activities are integrated while simultaneously a centralized view of risk is provided to the executive leadership team to help them understand enterprise-wide risksmore clearly By adopting a federated GRC program process owners at the business unit level can independently assess and manage their own risks and compliance requirements at the same time key risk and compliance metrics can be rolled up to the top of the organization for reporting and analysis

Why GRC Convergence

Risk and compliance information in the right format at the right time and in the right hands is key to organizational success It supports quick and informed decision-making which in turn can save an organization from financial and reputational loss data breaches compliance violations and more Stakeholders need to always be cognizant of issues such as ineffective controls unmitigated risks and policy conflicts The path to achieving this objective lies in GRC convergence

Some of the benefits of GRC convergence include

bull Continuous collaboration acrossassurance functions which in turn helpscreate a holistic picture of risk

bull A ldquosingle version of the truthrdquo that isprovided to employees managementauditors and regulatory bodies

bull Accuracy of risk and controlinformation that enables stakeholders tomake fast risk-informed businessdecisions

bull Effective compliance programs to addressconstant changes in regulationstechnology and the business

bull Consistency in GRC measurescomprehensive insights into the internaloperating environment

bull Ability to respond proactively to risks bybreaking down restrictive functionalbusiness and organizational silos

bull A unified operating model for the businesswith the agility needed to manageemerging risks

bull Lower cost of assurance

everybody understands what is requiredRemember that the three components of governance risk and compliance are connected but at the same time they are separate disciplines that require their own strategies steps and procedures That level of flexibility must be built into the GRC program while also ensuring that certain elements such as the risk language are consistent across all three disciplines

When establishing an integrated GRC program focus first on the foundational elements such as defining and aligning

policies establishing common risk and control taxonomies consolidating GRC data in a central repository defining the scope and role of each group in GRC and establishing points of integration between them The design of this GRC foundation or framework is critical to driving successful results

One of the biggest obstacles in cultivating a risk-aware culture is inadequate governance If the organization does not establish a sound vision and tone at the top then it cannot expect a culture committed to risk management down the chain Additionally a

lack of governance andor leadership in an organization can create difficulty in terms of cross-functional collaboration It can also result in inadequate allocation of resources for GRC or even conflicts of interest between assurance functions The senior management and board of directors must assume the ultimate responsibility for ensuring the efficiency and effectiveness of GRC processes Another best practice is to develop a set of Key Performance Indicators (KPIs) to measure the effectiveness of GRC activities The way to do that is to assess the organization needs culture and requirements and determine the parameters that make GRC departments effective and successful

Also ensure that the data produced in one department can be reused in another one to maintain consistency

Many organizations are striving to standardize their GRC processes This allows them to quickly identify risks and expedite mitigation actions while also improving GRC efficiency and minimizing unnecessary costs

One of the best ways to optimize GRC is to use technology There are for instance tools to automate and streamline audit risk and compliance management processes There are

also systems to help import aggregate and process GRC information from various sources such as cloud security applications and transaction systems This data can then be quickly routed for reporting and visualization

A comprehensive GRC solution can provide the ability to map GRC data in such a way that users immediately understand the relationships and interactions between various risks regulations policies controls strategic objectives and other elements Such a solution can enable users to harmoniously manage risk compliance and audit areas bybreaking down restrictive silos and facilitating robust information sharing and decision-making

GRC Integration An Intelligent Investment

In the current business environment where executives are under immense pressure to demonstrate high performance a strong and integrated GRC program can make all thedifference The market rewards risk takers but to play the high stakes game processes need to be in place In fact the cost of not establishing a formidable GRC infrastructure is much higher than the cost of investing in one

The choice is up to each company to decide whether they want to live with the threat of punitive and legal damages that could go beyond financial stress or build a preventivemechanism that helps them stay in control and balance risks and opportunities effectively In recent years there has been a perceptible shift toward a cohesive and technology aided approach to enterprise-wide GRC More risk professionals using this approach are realizing incremental ROI while saving on resources A harmonious integration of GRC has proved to be transformational Are you game





Practical Steps to Strengthen GRC Convergence or Integration

How do we enable collaboration on GRC across business functions and instill an effective risk assessment and mitigation discipline In fact the question most often asked by organizations is ldquoHow do we simplify GRC and inculcate a risk-aware culturerdquo

The key is to start small Implement a phased GRC journey plan with clearly defined roles and priorities for each stage ensuring that












Satisfaction with GRC Integration

89 of organizations report that GRC integration provided benefits that met or exceeded expectations

Source OCEG 2017 GRC Maturity Survey

Where your organization has integrated processes for governance assurance andor management of performance risk and compliance (GRC) the results have

Failed to meet expectations Provided benefits that

exceeded expectations

Provided benefits thatmet expectations







Email infometricstreamcom copy 2019 Copyright MetricStreamAll Rights Reserved










A lot has happened since the early 2000s when operational risk management (ORM) was formally instituted as a risk discipline under the Basel reforms The increasing threat of cyberattacks coupled with high-profile incidents of fraud and growing vulnerabilities in the third-party ecosystem have thrown up new challenges and priorities for operational risk practitioners

To shed light on some of these issues and to discuss the ongoing evolution of ORM the GRC Summit 2018 brought together a panel of risk experts including Alex Gacheche Director GRC at Freddie Mac Joseph Monks CRO at MarketAxess Bob Wordelmann SVP US Operational Risk Management at TD Bank and Stephen Woitsky SVP Operational Risk Management at Bank of the West The discussion was moderated by Brenda Boultwood SVP Industry Solutions MetricStream

Here are some of the key insights from the panel

Operational Risk ManagementNew Challenges New Approaches


Over the last decade ORM practitioners have focused on implementing and strengthening ORM programs ndash establishing key risk indicators (KRIs) defining loss events and conducting scenario analyses Today as these programs reach a mature level ORM practitioners are beginning to shift their focus to how they can add more value to the business The emphasis is increasingly on risk intelligence ndash how to leverage the risk data gathered from ORM programs to provide more credible challenge to the business as well as to guide strategy and performance

A wealth of risk information exists waiting to be tapped But how does one aggregate filter and interpret that data efficiently Many banks are establishing common risk taxonomies methodologies and platforms to piece together risk information from across the lines of defense Others are going a step further and adopting robust analytics to transform raw data into actionable insights

Predictive analytics hold a lot of promise enabling banks to anticipate operational risks in a way that wasnrsquot really possible before the 2008-09 financial crisis ORM practitioners can now tell if there has been an uptick in foreclosures for a particular region or they can determine where the next potential defaults lie and take steps to address the issue before it becomes a larger problem

Artificial intelligence (AI) also offers tremendous potential to predict risks A decade ago it was near impossible to keep track of all the issues and risks that occurred across onersquos global enterprises But with AI and natural language processing ORM practitioners can efficiently bring together all that information and slice and dice it to identify which risk areas need their attention and resources

Sifting the Signal from the Noise

Post the 2008-09 financial crisis the second line functions in many banks stepped in to close the gaps in the first line As a result they ended up not only creating the risk management policies methodologies and frameworks that their organization needed but also conducting the risk assessments themselves ndash an approach that may not have given them the objectivity to challenge risk findings or even to gain a big picture view of risks

That has changed though Over the past few years the responsibility and accountability for risk assessments has shifted more to the first line ndash to where the risks are -- be it in sales marketing or product development And as business units take more ownership of risks wersquore beginning to see the emergence of ldquo15 lines of defenserdquo where risk specialists are deliberately embedded within the first line as an additional level of support They provide training and advisory services to the business units while also dealing with ground-level risk issues That gives the second line risk management functions the independence they need to step back look at risk more holistically and objectively challenge the decisions of the first line

The third line or internal audit provides a final layer of oversight identifying gaps in risk management processes or questioning risk findings and thereby helping fortify the whole risk management program Some large banks have a third line just to oversee risks and to ensure that nothing slips through the cracks Others are beginning to ldquothinrdquo their third and second line functions especially as more risk responsibilities descend to the front lines

Whichever approach banks choose the important point is to ensure clear definitions and separation of responsibilities in ORM Cross-functional collaboration is also key to ensuring that risk data is aggregated shared rolled up and reported in a timely and streamlined manner

Evolution of the Lines of Defense

The last few years have seen the rise of multiple new compliance requirements that directly impact how operational risks are managed GDPR MiFID II BCBS 239 and the Federal Reserversquos Comprehensive Capital and Analysis Review all have implications for ORM practitioners

The key to staying compliant is to be proactive -- tracking regulations as they emerge understanding their impact on the enterprise embedding them into ORM and audit frameworks and defining clear lines of ownership These processes apply also to external risk incidents A scandal or regulatory fine at one bank should be a wake-up call for others to re-examine their own risks and controls

From a Basel reforms perspective a number of changes have occurred over the last decade Basel II defined operational risk as the risk of loss arising from four broad categories -- internal processes people systems and external events Today other risk categories have become just as important be it

Proactive Compliance Mattersthird-party risks cybersecurity risks capital adequacy risks fraud risks or model risks In other words what were traditionally level 2 risks are now moving into level 1 so that organizations can give them the attention and scrutiny they need

As these new risk categories emerge banks are beginning to build frameworks around them to ensure effective risk management They are also striving to understand how operational risks map to other risks and to the larger business objectives of the organization Siloed inconsistent risk frameworks and approaches are on their way out More banks are looking to standardize risk management ndash be it in their definitions of risks and controls or in their risk scoring methodologies

Key Areas of Focus for ORM

Stepping Up to the Plate

With risks around cybersecurity and outsourcing growing more critical all eyes are on the ORM function Their ability to assess manage and mitigate risks and losses in a timely manner will continue to have a direct impact on business performance and integrity

While a great deal of progress has been made in terms of building ORM frameworks and processes there are still opportunities for improvement ndash particularly in terms of enhancing integration across risk and assurance functions ensuring more timely risk intelligence and building a pervasive risk culture Proactive action in these areas will go a long way towards strengthening the maturity of the ORM function and enabling them to continue being a valued partner to the business

bull Develop a strong risk department in terms of ORM capabilities

bull Demonstrate the maturity and sustainability of the ORM program to regulators

bull Shift the focus from ORM program implementation and administration to risk intelligence and how it can be used to drive change in the bank

bull Put together an enterprise-wide view of each business functionrsquos risk profiles on a consistent basis

bull Define the three lines of defense more clearly to deal with increasing regulatory pressures

bull Leverage statistical analysis techniques AI and predictive analytics to ask the right questions of the business

maertScirteM thgirypoC 9102 copy All rights reserved


Risk-based Internal Audits Key Considerations

In a 2018 MetricStream Research survey internal auditors reported that one of their top three priorities is to strengthen risk awareness ie provide more timely insights on risks While risk identification is ultimately a management responsibility internal auditors play a pivotal supporting role by using their evaluations of organizational processes and controls to highlight critical risks that could hinder the achievement of business objectives while also providing assurance that both existing and emerging risks are properly controlled and monitored

To achieve these objectives a continuous risk-based audit program is essential It enables auditors to proactively identify potential risks fraud errors and areas of improvement It also ensures that audit engagements and resources are efficiently prioritized

Here are a few key points to consider while conducting risk-based internal audits1

Understand the Business Its Objectives and Risks

Unlike a checklist-based audit which evaluates compliance with a specific set of requirements a risk-based audit has a broader scope and requires an understanding of organizational strategies goals and objectives Auditors must have a thorough knowledge of the business including its strengths weaknesses and challenges so that they can plan their audits to focus on the most critical risk areas

A good place to start is by identifying key business objectives and associated risks Based on that audit engagements can be prioritized and scheduled to provide insights on where controls are adequate with respect to those risks and where they are not Risks across the organization must be considered be it legal compliance IT or technology risks Auditors must dig deep enough to identify the most significant business risk or risk category that could impede a projectrsquos ability to meet its objectives They must also check that stakeholders are incorporating risks into decision-making and strategic planning processes

Another important area to evaluate is the companyrsquos readiness to deal with the unexpected Auditors need to determine if there are well-defined steps or controls in place to manage potentially significant changes that could impact the overall internal control system For instance what happens when management identifies a deficiency in their own processes How do they address it what actions do they take and whom do they inform Posing these kinds of questions helps auditors determine how prepared the organization is for change

Takeaway Identify the most significant drivers of the business and use those as parameters for measurement within a risk-based audit

1Based on a MetricStream hosted webinar - Is your Organization Ready for RBIA Featuring Lynn Fountain GRC Consultant Trainer Author and Former Chief Audit Executive along with Nisha Sharma Senior Manager MetricStream

Get Management Involved

While designing a risk-based auditing and monitoring program internal auditors would do well to work closely with senior leadership and management teams to align business strategy risks and issues with the audit mission Regular opportunities for dialogue and communication allow internal auditors to utilize managementrsquos assistance in conducting a true ldquorisk assessmentrdquo of various business areas while also understanding risk tolerance and thresholds

Emerging risks should be identified in a collaborative manner with management teams In fact senior leadership must participate in and agree on high-risk priorities for the audit plan Given that they are ultimately the ldquoownersrdquo of risk they are likely to have already identified emerging risks that could threaten the organization Transparency and ongoing communication are key in ensuring that audits are optimally designed to focus on the most important risks

Takeaway Ensure that the internal audit function has a ldquoseat at the tablerdquo to gain timely insights on strategies They must be involved in the communication chain on emerging risks across the organization

Determine Managementrsquos Risk Tolerance and Appetite

Risk appetite or acceptable risk is the amount of risk exposure that a business is willing to accept Stakeholders must set risk thresholds to identify when and where controls need to be implemented This process is essential in distinguishing between those controls that are nice to have and those that are necessary to protect business functions

For auditors the first step is to identify and understand the risk management policies in place as well as the risk appetite at the organizational and individual process levels Next determine the risk tolerance of the management and board and use them as a starting point for independent risk assessments

This approach of leveraging true risk appetites and tolerance levels adds credibility to the process of audit issue management When auditors understand managementrsquos ldquotolerancerdquo they can better identify a control gap that is about to breach the tolerance threshold and flag it as a critical issue for reporting

Takeaway Understanding managementrsquos risk appetite helps you focus on the key issues to report while also supporting risk-informed decisions

More than 20 of the respondents polled in a December 2018 MetricStream webinar reported ldquolack of management supportrdquo as one of the key challenges in a risk-based internal audit

Takeaway First identify the categories that will be used to measure risk (eg reputational issues health and safety issues) Then put ldquowordsrdquo to the categories

Define risk impact using both quantitative and qualitative methods while taking into consideration the factors that affect the organization the most (eg regulations shareholder and community expectations)

When defining risk likelihood clearly establish the overall range of values or level of categories Try to use more levels if possible and describe them qualitatively Include any or all values that could possibly be encountered so that situations can be differentiated easily

Ensure that assessments include all aspects of risk for a specific business area Examine critical points in the process to ensure that they have relevant and effective controls in place

Be prepared to present and verify all conclusions audit findings reports and corrective action plans to the management

Make sure that control tests are designed to adequately cover probable concerns Ensure that testing processes are well documented with supporting documents or evidence Enable exceptions to be validated if needed

1 235

4

Assess Risk Impact and Likelihood

Once the key risks have been identified they need to be assessed to determine their likelihood and impact on the organization as well as managementrsquos ability to mitigate these risks Internal audits should assess the effectiveness of defined processes and determine whether or not management is appropriately addressing the most significant risks The results can then be used in the audit planning activity as well

Every organization will have a different attitude to risks Therefore risk assessment parameters should be defined based on each organizationrsquos own unique needs However there are a few universal practices to keep in mind

copy 2019 Copyright MetricStream All rights reserved

In a Nutshell

Internal auditors by virtue of their understanding of risks and controls across the enterprise are well-positioned to not only help organizations enhance operational efficiency and compliance but also drive better business performance Through risk-based internal audits they can be the strategic advisers that the business needs them to be by delivering timelier deeper insights on risks as well as advice on how to respond to issues Armed with these insights stakeholders can take proactive steps to catalyze business growth in a way that is true to their risk appetite values and integrity


4 STEPS TO NURTUREA BETTER RELATIONSHIPWITH REGULATORS

4 STEPS TO NURTUREA BETTER RELATIONSHIPWITH REGULATORSThe Nuances of Effective Regulatory Engagement

For years banks and financial institutions have been subject to stringent regulatory scrutiny from federal state and international authorities Today the pressure on them is even greater as regulators strive to secure the financial system against corporate scandals data breaches corruption and fraud Be it the OCC and CFPB in the US or the OSFI in Canada or the FCA1 in the UK regulators have been persistent in issuing requests initiating meetings and conducting examinations to evaluate banksrsquo safety soundness capital adequacy and compliance with regulations

As regulatory engagement managers strive to meet these demands their responsibilities continue to grow -- managing and responding to regulatory requests on time coordinating internal and external meetings with regulators navigating the complexities of regulatory examinations and preparing the business for various regulatory interactions Added to that is the task of supporting the management and board in proactively addressing various risks or issues that may harm the organizationrsquos reputation with regulators

The challenge is compounded in banks that operate in multiple geographies Engagement managers in these institutions often deal with hundreds of annual regulatory exams and meetings with different regulators And thatrsquos just in one region Teams in another location often face a different set of regulatory requirements and exams Each of them has to keep track of requests from various regulators while ensuring that the relevant tasks are initiated document submission deadlines are met meetings and exams run as scheduled and the right information reaches the right regulators at the right time

Achieving these objectives isnrsquot easy but there are certain steps that engagement managers can take to improve the efficiency and effectiveness of their regulatory interactions

A leading bankrsquosregulatory landscapein the US alone

50+Regulators

75+Regulatory exams per year

12Regulatory exams in progress simultaneously

1000+ Tasks and

3000+ sub-tasks for a single exam

60-70Tasks every day

1OCC - Office of the Comptroller of the Currency CFPB - Consumer Financial Protection Bureau OSFI - Office of the Superintendent of Financial Institutions FCA - Financial Conduct Authority

Formulate aStrategy1

Building successful relationships with regulators takes planning and commitment The key is to develop a solid strategy on how the bank will manage various types of regulatory engagements and relationships Doing so will not only position the bank for optimal success in their regulatory interactions but will also prepare them to deal with potential regulatory issues or risks that may have an adverse impact on their operations

Banks that do not have a well-thought-out strategy and good relationship with their regulators are likely to be put in a tight spot if and when they get involved in a regulatory issue Senior management and compliance teams could end up scrambling to gain control of the situation and to convince regulators that adequate controls processes and procedures are in place

An effective regulatory engagement strategy focuses on ensuring that all engagements are managed in a logical transparent and well-coordinated manner through standardized practices processes and tools It also defines how regulatory relationships and communication are to be handled across various stages (eg when there are no proposed regulations when there are no examinations underway when a rule is likely to be proposed or when an examination is in progress)

Streamline RegulatoryExaminations

At the start of each year or quarter a company-wide calendar of all scheduled regulatory examinations should be published along with regular updates every time a schedule is changed Generally banks that have a good rapport with their regulators are more tuned in to upcoming examinations requirements and schedule updates than those that donrsquot take the time to build these relationships

Before an examination engagement managers would do well to coordinate with internal stakeholders to ensure appropriate allocation and ownership of examination management

responsibilities A pre-examination training can also be conducted to get members of the regulatory team and affected businesses up

to speed Ideally the training should include an overview of policy requirements examination procedures and best practices Team

members interfacing with examiners should be coached on the conduct expected of them as well as other relevant information about

the regulators and their areas of focus

It helps to have a robust regulatory engagement software system that can provide a single point of reference for bank representatives to communicate with

examiners and to capture all forms of information exchange The system can also be used to organize and maintain relevant documents including exam workpapers interim status reports exception sheets draft comments and other key findings Having all this data together in one place makes it simple for stakeholders to keep track of the examination flag important documents and stay alert to any major findings or issues before the conclusion of each examination so that they can then proactively clarify the bankrsquos position

2

Manage RegulatoryMeetings Efficiently3

One way to optimize the time and effort spent on regulatory meetings is to standardize the process as much as possiblemdashright from the meeting preparation stage to the actual interaction and subsequent follow-ups Another way is to assign an engagement coordinator to lead the meeting planning process and other activities He or she can work in close consultation with other stakeholders to ensure that the organization is adequately prepared for the regulatory interaction

During the actual meeting participants will be expected to accurately and comprehensively answer questions on their areas of accountability The engagement coordinator can summarize the key feedback from the meeting and communicate with regulators on follow-up tasks

To make things easier a regulatory engagement management system can be used to record upcoming regulatory meetings and tag them to the relevant operational locations business units and meeting owners Applicable notes and documents can also be attached and sorted into pre-defined categories

The system will essentially act as a database of meetings by capturing all required details including meeting dates and participant information Each meeting can be mapped to existing regulatory engagements regulatory authorities areas of compliance and associated risks This integrated data model gives engagement coordinators and other stakeholders a birds-eye view of each regulatory interaction They can also document and track meeting findings till closure

Strengthen Collaboration throughCentralized Document Management4

Since there are so many types of documents that banks need to share with regulators it helps to have them all stored in one central location where they can be sorted and worked on collaboratively by multiple stakeholders These documents typically include first day letters findings response letters regulatory notifications supervisory letters evidence of action plans and email records With a centralized document repository engagement managers can easily attach supporting files at each stage of the regulatory interaction or task management process They can also enable a quick search of documents based on title and type

Being Examination-ReadyEvery bank must decide on their regulatory engagement strategy and establish a structured process to see it through Successful regulatory engagements are about being examination-ready and investigation-ready at all times That in turn requires thorough planning and preparation Having clearly-defined processes and tools goes a long way in managing regulatory requests and ensuring that the required information is quickly gathered and submitted The more efficient the regulatory engagement process the higher a bankrsquos chances of increasing trust and credibility with regulators



How to Boost YourTHIRD-PARTYMANAGEMENT PROGRAM

GlobalizationAs the world gets flatter third-party ecosystems are rapidly expanding With more third parties come more risks regulations rules policies standards and data that need to be managed in a holistic manner

Disruptive Technology The advent of the cloud virtual data centers and hosted apps has given rise to multiple IT service vendors who can efficiently process critical business information The result is more convenience but also more risk exposure

Social MediaOn one hand social media provides a platform for companies to strengthen communication and collaboration with their third parties in an informal setting On the other hand it creates potential data security and privacy risks that can get out of control if not managed efficiently

RegulationThe Office of the Comptroller of the Currency in the US the Financial Conduct Authority in the UK and many others have stipulated regulations and guidelines for third-party governance The underlying message is that while companies can outsource their activities they canrsquot outsource their responsibilities

KEY TRENDS IMPACTINGTHIRD-PARTY MANAGEMENT

For years after the financial crisis the primary catalyst behind enterprise efforts to strengthen third-party management was regulatory scrutiny Today however companies are recognizing that by proactively detecting and mitigating third-party risks and other issues they arenrsquot just ticking a compliance check-box They are actually building trust with customers strengthening confidence with boards and investors and improving overall business performance Put simply effective third-party governance just makes good business sense

As a result companies are now going beyond traditional third-party surveys and assessments Theyrsquore taking comprehensive steps to ensure that their third parties are protecting confidential IT information avoiding unethical practices keeping up a safe and healthy working environment strengthening supply chain security handling disruptions effectively and sustaining high quality and performance levels

It is in this context that there emerges the need for an integrated view of third-party risk compliance performance quality and adherence to contracts Developing a strategy to optimize third party relationships is essential as is knowing the third parties one deals with

BEST PRACTICES TO OPTIMIZE THIRD-PARTY RELATIONSHIPS

Overcome Risk Blindness

Each third-party relationship introduces a number of risks Some of these risks are multi-dimensional ie they extend across suppliers vendors contractors service providers and other third parties Other risks may impact different levels of the organization such as product lines business units and geographies Staying ahead of these risks requires a systematic approach

a Identify important third-party risks such as political risks undesirable events financial risks contract risks legal and regulatorycompliance risks and information system failures Follow it up with an analysis of the specific drivers that increase third-party risk

b Focus on contracts that govern third-party relationships A comprehensive and carefully written contract will outline the rights andresponsibilities of all parties enabling the organization to effectively manage its third-party relationships

c Design and implement policies and controls to mitigate third-party risks Also build appropriate monitoring and testing processes toensure that the controls are working as expected

d Leverage content from external sources such as Dow Jones Dun amp Bradstreet BitSight and SecurityScorecard These firms curatethird-party data from adverse media reports sanction lists information on politically exposed persons (PEP) cybersecurity ratings andother sources ndash all of which can be invaluable when identifying potentially high-risk third parties

Streamline Third-Party Due Diligence A robust third-party screening and due diligence process provides a clear understanding of third-party risks It also helps companies choose the right firms to work with The process is often part of a larger third-party onboarding program which forms the backbone of effective third-party management During onboarding companies can capture all the required third-party information along with certifications contracts and documents Meanwhile onboarding assessments can help determine the level of risk monitoring required for each third party

Many organizations adopt a risk-based approach to third-party due diligence They stratify third parties into various risk categories based on the offered product or service as well as third-party location countries of operation and other key factors Based on the resulting risk category and score the appropriate level of screening and due diligence can be defined

One thing to remember is that due diligence isnrsquot a one-time event Third-party risks can change anytime and therefore companies need to have continuous monitoring and screening processes to ensure that nothing slips through the cracks

1

2

Donrsquot Lose Sight of Fourth PartiesOften companies have landed in trouble over worker exploitation issues or data breaches resulting not from their primary third parties but from sub-contractors ndash particularly unauthorized sub-contractors Thatrsquos why itrsquos important to have complete visibility into the third-party ecosystem Companies need to be able to determine if products and services are being provided by third parties or if they are actually being sub-contracted to a fourth party One way of doing that is to contractually bind third parties to inform and gain approvals on any kind of fourth-party involvement Another good practice is to ensure that all essential fourth-party information is collected and stored Fourth parties should also be included in the scope of the screening and risk management process

Set the Right Tone at the Top The senior management including the C-suite and board are ultimately accountable for third-party risks It is their responsibility to ensure that sufficient risk management processes frameworks and controls are in place They also need to be aware of the top risks inherent in third-party relationships so that they can make informed decisions

The health of a third-party risk management program depends to a large extent on the involvement of the C-suite and board When they demonstrate a commitment towards fostering a culture of risk awareness and accountability as well as investing sufficient resources in risk mitigation thatrsquos when third-party governance programs are likely to succeed

Be Vigilant of New and Emerging Risks With more third parties being given access to sensitive company information the likelihood and impact of data security incidents have risen In the past few years some of the biggest companies have been brought to their knees by data breaches resulting from a vendor vulnerability or unsecured network Therefore vendor data security and privacy risk management have become important elements of any third-party governance program

To keep risks in check vendors need to be categorized based on their risk profile and then subject to an appropriate level of risk monitoring A useful tool in these efforts is the ldquoStandard Information Gatheringrdquo (SIG) questionnaires from Shared Assessments which can be used to gather key information about a vendorrsquos IT privacy and data security controls Content providers like BitSight and SecurityScorecard also provide useful information on the cybersecurity posture of third parties

3

4

5

Measure the Effectiveness of the Third-Party Management ProgramHow do you know if your approach to third-party management is effective How do you determine if any gaps or issues have risen Herersquos where it helps to regularly evaluate all aspects of third-party management including policies codes of conduct processes controls compliance surveys assessments and audits

By measuring the effectiveness of third-party management programs stakeholders can determine if potential risks are being identified and mitigated if compliance requirements are being met and if appropriate remediation actions are being carried out when red flags arise As part of the evaluation companies can also check if sufficient resources have been allocated to third-party management with well-defined responsibilities A 360-degree view of the third-party ecosystem is a must

Strengthen Collaboration and VisibilityA ldquosiloedrdquo approach to third-party managementmdashwherein different departments manage different third-party processesmdashcan often lead to redundancies and duplication of effort It also complicates the aggregation and roll-up of risk information making it difficult for senior management to achieve a holistic view of third-party relationships

Overcoming this challenge calls for greater integration and collaboration A common language can be established across the enterprise to talk about third-party risks Additionally a single system can be used to coordinate third-party risk management as well as third-party compliance performance management due diligence and other key processes

Leverage TechnologyAs third-party ecosystems grow more complex technology is playing a critical role in strengthening risk evaluation monitoring and management An integrated third-party management solution can offer the following benefits

a Comprehensive visibility into third-party risks compliance issues and other key insights that enable companies to take pre-emptive riskmitigation measures towards protecting the business

b Ability to automate and streamline third-party information management onboarding and due diligence as well as risk managementaudits compliance management and performance management

c Agility to respond to changes in competitive markets regulations and geopolitical environments

d Comprehensive and validated information about a third party including their profile contracts documents and service level agreements

e Risk intelligence to support decision-making with advanced reporting and dashboard capabilities that consolidate and roll up third-partydata

7

8

9

Forging AheadThe average mid-sized enterprise has anywhere between 500 and 5000 third parties while large-sized enterprises can have up to 10000 third parties These numbers arenrsquot likely to decrease anytime soon and that makes it all the more imperative for companies to step up their third-party management efforts

An integrated streamlined third-party management process built on a strong technology solution can provide the required level of third-party visibility that companies need to make confident sourcing decisions It can also strengthen onersquos ability to prevent detect and respond to third-party risks and disruptions proactively The result is a more resilient enterprise that is well-positioned to maximize the value of their third-party relationships



MANAGING TOMORROWrsquoSRISKS TODAYThe Role of Cybersecurity in Enterprise Risk Management

As enterprises go digital cyberattacks and their financial implications continue to hobble organizations According to a report by PwC the average total financial cost of cyber incidents in 2018 was pound857000 Cyberattacks today often have the power to disrupt critical business operations lower the performance of an organization and adversely impact brand reputation Under these circumstances CxOs and boards are under constant pressure to better understand and manage cybersecurity risks

The increase in the number of cyberattacks in recent times demands the inclusion of cybersecurity in the overall enterprise risk management plan Such a plan will enable enterprises to involve relevant stakeholders and business lines in strategic decisions while helping them respond faster to rapidly evolving cyberattacks The plan will also ensure that enterprises incorporate cybersecurity policies and practices in the foundation of their over-all enterprise risk management strategy

But how do you incorporate cybersecurity strategies as part of an overall enterprise risk management plan and stay secure

Involve boards and leadership teams

A major challenge in including cybersecurity protocols as part of an enterprise risk management strategy is getting boards and leadership teams involved in the formulation of

a cybersecurity response plan This lack of involvement can be due to the false perception that a cybersecurity threat is an IT-related risk rather than a business risk Such a perception can be changed by measuring the potential impact of a cyberattack on the revenue of an organization in terms of reputational loss

In a recent survey by MetricStream more than 60 of respondents indicated that their CEOs or boards are either engaged or very engaged in managing GDPR compliance A strong tone at the top enables enterprises to build trust and confidence around their data protection programs and foster a culture of security

Maintain a common taxonomy

Maintaining a common taxonomy within an enterprise is key as fragmentation in taxonomies is likely to hinder the process of understanding and responding to an incident Having a common taxonomy also eases the understanding

of multi-country and multi-sector cyberattacks and improves the effectiveness of an enterprisersquos cybersecurity incident response strategy

One of the main advantages of enterprise risk management is the ability to compare risk across various departments This is not possible unless all the stakeholders implement the same metrics to measure risk Developing consistent and common descriptions of probability and impact will enable all relevant stakeholders to be on the same page

1 2

Build a risk-resilient strategy

Enterprises are often focused on operational and compli-ance risks and fail to formulate a strong business resilience strategy With cyber threats growing more sophisticated enterprises need to have a robust business continuity and

resilience strategy in place as part of the overall enterprise risk management plan The first step in that direction is to apply a risk-based approach to the data that is stored across the systems in an enterprise and then determine how they can be affected by a major disruption such as a cyberattack Accordingly a business continuity plan (BCP) with a focus on cybersecurity needs to be developed with defined roles and responsibilities along with the key steps for communication and coordination

Formulate an actionable risk intelligence plan

With information scattered across IT landscapes enter-prises often rely on the manual reconciliation of data from various systems users and reports Today there is a

growing demand for applications that combine data from various parts of the business as well as tools that convert this data into formats such as data visualizations charts and reports Having effective risk management solutions with strong reporting and dashboard capabilities help capture real-time risk information from different sources while enabling data-driven decisions Such solutions will also enable enterprises to accelerate the exploration and discovery of valuable insights that can be applied to achieve a business advantage

3 4

A Five-Point Checklist to Assess Cybersecurity in Your Organizationrsquos Enterprise Risk Management Framework

1 2 3 4 5 Are cyberattacks

considered a top threat in your organization

Enterprises today face a multitude of internal and external risks ranging from strategic and operational risks to legal risks IT risks and financial risks But according to the Global Risks Report 2018 by World Economic Forum (WEF) cyberattacks rank among the top three risks in terms of the likelihood of occurring Therefore to stay secure enterprises need to ensure that cybersecurity plans are incorporated as part of their overall enterprise risk management plan

Is cybersecurity an enterprise-wide risk

management issue and not an IT risk within your

enterprise

How engaged are your board and CEO in

managing cybersecurity risks

Do you evaluate the effectiveness of your

business continuity plan in the context of a

cyberattack

How is threat intelligencemonitoring incorporated into your

enterprisersquos security efforts


Integrated GRC The Key to BetterRisk Awareness and Better Performance






Why GRC Convergence



























































































































1 235

4





In a Nutshell










50+Regulators



1000+ Tasks and

















2






























1

2






3

4

5











7

8

9

















1 2







3 4







enterprise





cyberattack








Why GRC Convergence



























































































































1 235

4





In a Nutshell










50+Regulators



1000+ Tasks and

















2






























1

2






3

4

5











7

8

9

















1 2







3 4







enterprise





cyberattack







































































































1 235

4





In a Nutshell










50+Regulators



1000+ Tasks and

















2






























1

2






3

4

5











7

8

9

















1 2







3 4







enterprise





cyberattack





In a Nutshell










50+Regulators



1000+ Tasks and

















2






























1

2






3

4

5











7

8

9

















1 2







3 4







enterprise





cyberattack












50+Regulators



1000+ Tasks and

















2






























1

2






3

4

5











7

8

9

















1 2







3 4







enterprise





cyberattack

















2






























1

2






3

4

5











7

8

9

















1 2







3 4







enterprise





cyberattack

































1

2






3

4

5











7

8

9

















1 2







3 4







enterprise





cyberattack









3

4

5











7

8

9

















1 2







3 4







enterprise





cyberattack














7

8

9

















1 2







3 4







enterprise





cyberattack




















1 2







3 4







enterprise





cyberattack










3 4







enterprise





cyberattack




THE METRICSTREAM GRC EBOOK

Documents

Transcript of THE METRICSTREAM GRC EBOOK