Proven Techniques for Effective GRC Programs
Confidential and/or proprietary. Not to be copied to third parties. © Copyright Corporater AS - All rights reserved.
INTRODUCTION
Governance, Risk, and Compliance (GRC) are measurable capabilities that organizations utilize to achieve objectives cost-effectively.
Unfortunately, too often, people define GRC solely as a technology solution.
ACHIEVING GRC
The transformation effort intended to enhance performance and lower risk and compliance cost must be focused on the Capability and Maturity Model (CMM) level of the four enablers of effective GRC.
ACHIEVING GRC
Each of the enablers works together like separate links in a chain, but the weakest link will determine the organization's GRC capability and maturity level.
THE FOUR ENABLERS OF EFFECTIVE GRC
UNDERSTANDING CURRENT CMM LEVEL
There are specific Capability & Maturity Models (CMM) for assessing the capability of people, processes, technology, data governance, software development, risk management, project management, performance analytics, etc. Choose those relevant to your needs.
UNDERSTANDING CURRENT CMM LEVEL
The results of this initial CMM assessment give you the ability to identify problems and deficiencies that need to be resolved to enable greater efficiency, effectiveness, and cost savings.
UNDERSTANDING CURRENT CMM LEVEL
Every effective Strategy & Transformation effort starts by understanding the organization's current strengths, weaknesses, opportunities, and threats (SWOT) relevant to Financial, Operational, Security, etc.
UNDERSTANDING CURRENT CMM LEVEL
Documenting the current capability and maturity levels becomes the baseline to improve upon.
TRANSFORMING CURRENT CMM LEVEL
These problems and deficiencies are addressed by resolutions in an executable Risk & Compliance Transformation Plan, which is utilized to gradually implement the improvement.
TRANSFORMING CURRENT CMM LEVEL
During the execution of the Risk & Compliance Transformation Plan, you should utilize an effective organizational change management methodology to implement and guide the organization through the transformation.
TRANSFORMING CURRENT CMM LEVEL
"One of the biggest risks during a Risk & Compliance Transformation is not the implementation of new Risk & Compliance technology solutions. It is the culture of the organization, and its ability to accept the amount and pace of change from the project."
PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS
When executing your Risk & Compliance Transformation Plan, you will likely conduct an assessment of your existing internal controls intended to manage your risk and compliance requirements.
PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS
1. Risk & Compliance Data Consolidation
Risk & Compliance programs are performed in many silos across the organization; risk terminology and analysis techniques are not standardized; and organizations lack the ability to see a holistic view of all risk and compliance objectives, enterprise risk exposure, or the mitigation controls being utilized.
PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS
2. Control Optimization
This approach focuses on evaluating the design and operating effectiveness of your internal controls to eliminate redundant and ineffective controls, and transition to more preventive and automated controls.
PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS
2. Control Optimization
Often, organizations that have gone through a major risk or compliance effort for the first time, such as:
• The Sarbanes-Oxley Act
• Health Insurance Portability and Accountability Act
• Federal Information Security Management Act
• Payment Card Industry Data Security Standard
• The Gramm-Leach-Bliley Act
find they have an excessive number of internal controls assigned to each risk.
PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS
2. Control Optimization
Every control has a cost to operate, a cost for the self-assessment by the business or IT team, a cost for internal audit to conduct their independent assessment, and finally a cost for the external auditors to conduct the annual risk and compliance audits.
PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS
3. Common Control Framework
• A Common Control Framework is a set of controls or requirements designed to eliminate or mitigate the duplication across multiple frameworks
• Establishing a common control framework has the potential to eliminate the duplication of requirements within frameworks and simplify the process of scoping, defining, and maintaining compliance
PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS
3. Common Control Framework
As a result, organizations have the potential to save significant time and resources, since they are not forced to perform duplicate control assessments. It gives organizations the power to test once and comply with many risk and compliance regulations simultaneously.
PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS
3. Common Control Framework
To create a common controls framework, organizations should determine which regulations they are subject to and the cost of non-compliance, whether or not regulators expect strict compliance, and the organization's readiness.
PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS
4. Automation
GRC technology solutions offer great opportunities to automate processes that were once performed manually: automate the actual control assessment, automate workflow, automate notifications, and automate questionnaires.
PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS
4. Automation
More organizations are turning to Robotic Process Automation (RPA) because of its ability to reduce staffing costs, human error, and tedious tasks, freeing workers to focus on higher-value work. But RPA requires proper design, planning and governance if it is to bolster the business.
PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS
5. Performance Analytics
Data provides the organization with the ability to make decisions.
"Performance measurement is failing organizations worldwide. Measures are often a random collection prepared with little expertise, and signifying nothing. Many companies are working with the wrong measures, many of which are incorrectly termed key performance indicators (KPIs). KPIs should be measures that link daily activities to the organization's critical success factors and empower the organization to make effective decisions, and drive cost savings."
Reference: David Parmenter, Key Performance Indicators: Developing, Implementing, and Using Winning KPIs (Third edition), 2015.
PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS
5. Performance Analytics
Top Reasons Why Performance Measurement is Failing Organizations Worldwide:
• KPIs are often prepared with little expertise, and signify nothing
• Many companies are working with the wrong measures, which are incorrectly termed key performance indicators (KPIs)
• KPIs are not linked to the organization's critical success factors
• KPIs are not effectively measuring performance, cost, quality, risk, and compliance to enhance performance and lower operating costs
• Organizations are trying to monitor too many KPIs
PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS
The above techniques will help you get a holistic view of all risk and compliance objectives, adopt more preventive and automated controls, and define and configure effective KPIs in the GRC technology solution that enables significant performance enhancement and cost savings.
Corporater can help you create a sustainable, efficient, and effective GRC program aligned with strategy and performance, all within a single platform.