Scott Farquharson, Principal – Risk Services,

1. Risk Technology
Strategy, Selection and
Implementation
Scott Farquharson
Principal – Risk Services
RMIA 1st October 2014

2. 1
Todays Agenda…
• Context - Risk Capability
• Why do we need technology and
what can it do?
• Focus on Core components
• Strategy
• Selection
• Implementation

3. 2
Our Approach Today…
From the CRO perspective…..
Governance and
Assurance
Office of CRO
Risk SME’s
Business
Look at Capability across the Organisation

4. 3
A Quick Definition…
So what are we talking about
when we say GRC…?
Who are we talking about? What Processes and
Activities?
What Systems?
Corporate Governance
IT Governance
Financial Reporting Compliance
SOX
P7
Operational Risk
Safety
Legal Compliance
Strategic risk
Privacy
Project Delivery Risk
Ethics
Controls
Security
AML
Environmental Compliance
Enterprise Risk Management
Access Risk
Business Continuity Planning
Whistleblower
Risk Financing
Risk Management
Corporate Compliance
Finance
Internal Audit
Security
IT
Legal
HR
Board Liaison
Business Units
Consultants
Customer
Insurance
Board
Operations
Quality Management
Safety
Company Secretarial
External Audit
Risk Assessments
Audits
Self Assessments
Investigations
Risk Reports
Training
Community Consultation
Advice
Remediation
Stakeholder reporting
Policy Management
Frameworks
Incident Management
Risk Financing
Audit Actions
Board Reporting
Audit remediation
Delegation of authority
Hazard Identification
SoD’s
Risk Database
Security System
Audit System
EHS System
Financial Systems
Portfolio Management
Surveys
Audit issues
Operational Systems
Back Office
Compliance system
Spreadsheets
Access Databases
CRM
Loss Management
Claims Management
Investigations Management
FICO
Plant Management

5. 4
What is the Value of Risk…?
Objective What Examples
Licence to Operate
Meeting our legal, regulatory and
social obligations
Good corporate governance
Compliance
Laws and regulation
Protecting Value
Minimising loss and protecting
shareholder value
brand and reputation
Control frameworks
Contract risk Fraud risk
Insurance BCM
Driving Efficiency
Doing things right
Business efficiency
Understanding Total Cost of Risk
Process risk and control
Prioritising management attention
Creating Value
Doing the right things
Where and When to take a “risk”
Better decision support
Risk appetite Risk Culture
Risk adjusted returns
Scenario Planning
Unrewarded risk –
Provides no premium if managed well.
It relates to risk areas such as financial
misstatement, compliance with laws and
regulation and fraud.
“Must” be done.
Rewarded risk
Provides a premium if managed well.
It relates to risks in areas such as mergers and
acquisitions, product development, investment,
markets and business models, risk adjusted
returns, VaR.
Driving Shareholder Value
Guarding the Balance Sheet – Protecting the Brand

6. 5
However a Siloed Approach Lessens Effectiveness…
Risk Integration has a significant impact on overall Risk Management effectiveness
Source – Corporate Executive Board

7. 6
A Number of Stumbling Blocks…
Timely Assessment and Reporting of
Emerging & Changing Risk Information
Duplication with Multiple Assurance
Activities Across Enterprise
Obtaining Quality Risk Information from
the Business
Lack of Transparency of Key Risks
Disconnect between Risk Appetite and
Risk Profile & GRC Efforts
Risk Information is Siloed Across a
Number of GRC Providers
Manual and inefficient processes
GRC efforts are not aligned to strategy
delivery
Poor cross functional integration and
lack of clarity of accountability
Source – Corporate Executive Board

8. 7
Source Systems
Re-Thinking Risk Capability….
Common Enterprise
GRC Processes
Risk and Obligation
Identification
Analysis and
Evaluation
Risk Mitigation and
Control Design
Control Activities
Corporate Policies
Reporting and
Communication
Incident/Loss
Management
Investigations
Monitoring, Testing
and Assurance
EHS Systems
Security Systems
PMO System
Enterprise Risk
Management
System
Compliance
Management
System
Internal Audit
System
Single
Source of
Truth
Information Flows and
Reporting Channels
Roles and Responsibilities
Accountability Model
(RACI)
Technology
Organisational Reporting and Analytics
Structure
Source Systems

9. 8
Operating Model Components…
Three Lines of
Defence
Organisation
Structure and
Engagement
Cultural
Drivers
People
Process
Defined GRC
Processes
Industry
Standards
Common Risk
Language
Technology
Repository -
Single Source of
Truth
Workflows
Analytics and
Reporting
and
automation
Operating Model
Assessed Through
Capability Maturity Model
Governance
Context

10. 9
The Role of Technology…
Information to support
risk decisions
Efficiency of risk
processes

11. 10
What Else Does it Do…
Single source of truth
Consistency of data
Improved transparency
Speed of Action

12. 11
GRC Capability Maturity Model…
Level 1 Level 2 Level 3 Level 4 Level 5 Level 6
Element Non-Existent Ad Hoc
Initial
Siloed
Top Down
Repeatable
Managed
Systematic
Leading
Optimised
Manual (paper)
Processes
Only
Risk registers
for some risks
in Excel
Qualitative
Only
Overall risk
register in
Excel
Some SME
systems in
place for critical
risks
Qualitative
Only
Overall risk
register in a
GRC Tool
SME systems
in place
Some
Quantitative
Integrated
GRC in place
Integration with
SME systems
Integration with
ERP
Qual and Quat
Automated
CSA
Integrated
GRC and SME
ERP
Integration
Risk Appetite
and Tolerances
KRI’s
Decision
Support
Analytics
Predictive

13. 12
Incorporates Industry Standards…
OCEG
ISO31000
HB158
HB254
AS3806
AS8000
HB221
etc
COSO
Enterprise Risk
Management and
Control Framework
IT Specific Components Built into SAP GRC
ITIL
IT Process Model
COBIT5
IT Control Framework
+
ISO27000
AS8015
HB231
PCIDSS
etc
IT Risk and Compliance Management Standards
ISO31000
Risk Management

14. 13
3 Lines of Defence Provides Basis for the Model…
3rd Line of
Defence
Oversight
Board
Board Risk Audit Committee
Assurance
External Audit
External Providers
Internal Assurance Function
Provides oversight, independent testing, verification and
review on the efficacy of:
• GRC frameworks
• Business management of risk
• Business compliance with Internal/External Obligations
Identifies opportunities for improved business performance
2nd Line of
Defence
Common Risk
Infrastructure
Central GRC Functions
Support Units
Provides the major mechanism for Governance through a central
Policy Framework and repository.
Provides enterprise GRC frameworks
Provides enterprise GRC programs
Provides Subject Matter Experts for enterprise risks
Monitors adherence to frameworks, enterprise risk and
compliance programs and losses/incidents
Escalates and provides aggregated risk and compliance
Reporting
1st Line of
Defence
Risk Ownership
Executive
Management
Business Units
Adheres to enterprise risk and compliance frameworks
Owns the risk, control and losses/incidents
Understands it’s risk profile and control framework
Performs risk/control self assessment
Must meet internal and external obligations – compliance
Clear Lines of
Accountability
for GRC
Activities

15. 14
Technology Support at Each Line of Defence
3rd Line of
Defence
Oversight
Board
Board Risk Audit Committee
Assurance
External Audit
External Providers
Internal Assurance Function
Board Papers and Communication
Audit Planning and Management
CCM
Review Risk and Control Profiles
Review Incident Reports
2nd Line of
Defence
Common Risk
Infrastructure
Central GRC Functions
Support Units and SME’s
Consolidate Risk Reports
Risk Analytics
Update Obligations Register
Plan Assessments
Conduct Surveys
1st Line of
Defence
Risk Ownership
Executive
Management
Business Units
Create Risks and Controls
Assess Risks
Control Self Assessment
Review Risk Profile

16. 15
Model Must be Aligned to the Risk Profile...
Compliance Obligations Risk
Policy
Process
GRC
Risk
Specific
ERP Analytics Integrated
Information Compliance
Privacy PCI/DSS FOI
Records / Archives / ACMA
Information Risk
Technology / Info Security
Records & Archives
Information
Management,
IT Security
× x x ×
Financial Compliance
AML / FSL / APRA / SOX / P7
Financial Integrity Risk
Technology / Security
Crime / Fraud
Fraud
P2P
Retail Ops
× ? × × ×
Commercial Compliance
Trade Practices
Contract Compliance
Commercial Risk
Intellectual Property
Contract Risk
Contract
O2C
× ? ? × ×
Health and Safety
Compliance
OHS TSP
CoR Dangerous Goods
Health and Safety Risk
Physical Security
Hazard Identification
Transport
Operations
× × ? ×
Asset Compliance
Property/Fire Services
Asset Risk
Physical Security
Fire Protection
Security,
Facility Mgmt
× × ×
Sustainability &
Environment
EEO, EPBC, NGERS
CPRS
Sustainability &
Environment
Carbon Reduction
Sustainability Principles
Sustainability,
Transport
× × × ×
Strategic Compliance
Investment Projects
Planning Products External
Strategic Risk
Investment Projects
Planning Products
External
Investment Life
Cycle
Planning
? × × × ×
Risk
Universe
Governance
Strategy and
Planning
Operational
Compliance
Reporting

17. 16
Technology Support Model
Technology Layer Role
eGRC Layer • Core functionality to support Risk,
Compliance, Audit, Controls, Policy, Incident
Management
• Centred around data backbone -
risk/obligation/policy/control/test/incident or
loss
• Reporting and dashboards
• Workflows
Systems Integration
• eGRC
• Point Solutions
• Transactional
Systems
• Data and Analytics
• Corporate Reporting
Interface
Risk/Obligation
Specific Layer
HSE/Security Fraud Crime /Plant and Equip/IT
Security/Environmental
ERP Layer Transactional systems
Data and Analytics
Layer
Data warehouse combining eGRC and other
data including transactional/external/social

18. 17
Risk and Compliance Profile sits at the Core of the Model…
Risk Profile by:
• Business Unit
• Business Process
• Business Scorecard
• Strategic Initiatives
• Program/Projects
Each Risk/Compliance Class
Appetite/Thresholds
Key Risk Indicators
Treatments/Controls
Assurance
Incidents/Claims/Losses
Aggregated Exposure
Single Source of GRC Truth
Standard Risk, Control and Policy Library
Aggregated Corporate Profile and Reporting
Bottom Up - Individual Risk Profile for each BU overlays Business Process and Business Objective
Risk Dashboard
Risk Appetite Key Risk Indicators
Control Monitoring
Risk Dashboard
Risk Appetite Key Risk Indicators
Control Monitoring
Risk Dashboard
Risk Appetite Key Risk Indicators
Control Monitoring
Risk Dashboard
Risk Appetite Key Risk Indicators
Control Monitoring
Governance
Strategy and
Planning
Operations
Infrastructure
Compliance Reporting
Top Down
Business Unit Business Unit Business Unit Business Unit

19. 18
Multi Risk and Compliance Framework…
GRC Operating Model
Overarching Enterprise Risk and Compliance Framework
Common Risk Library – Risks can be aggregated for reporting and analysis
Risk can be assessed by multiple methods including control effectiveness
Process Focus
Procure to Pay Hire to Retire Order to Cash Financial Close
etc
External
Legal, Industry and Community Stds
IT and
Information
CoBit
PCIDSS
ISO27000
Cyber
FOI
Privacy
Archives
Integrated Control Library
Cultural, Performance Stds
Control Library with Controls that can be linked to multiple Risk and Compliance Requirements
Control Testing can then satisfy multiple “Regulations” or “Risks”
Functional Focus
Risk and Compliance Profiles by Business Unit
Corporate Policy Framework
Policy Lifecycle Management Linked to:
• Risk and Compliance Framework
• Control Library
Financial
Reporting
SOX
Principal 7
SoD’s
DoA’s
IFRS
Crime
Fraud
Fraud
Austrac
AML
Transport
SoD’s
Cyber
Human
Capital
OHS
Environment
EEO
CoR
Property
Food
Medical
Commerce
Contract
Consumer
Contract
Lease
Liquor
Tobacco
Lotteries
IP
Obligations
Internal
Strategic
Strategic Risk
Strategy
Execution
Project and
Portfolio
BCM
Integration with Other Systems
Continuous testing can be undertaken across the SAP Platform including - EHS SSM ECC HCM etc
Interfaces can also be setup with Non-SAP Systems and Manual Entry
Analytics and Reporting – Dashboards, KRI’s, Aggregated Risk Profiles
Powered By SAP GRC
Provides:
Risk Management
Enterprise Wide Risk
Management Capability
Process Control
Supports Risk and
Compliance control
Frameworks
Policy Framework
Supports
Multiple Regulations
Range of Testing
Methods
Range of Assessment
Techniques
Common Risk
Language
Each
Risk/Compliance
Class
Appetite/Thresholds
Key Risk Indicators
Response
Plans/Controls
Assurance
Incidents/Claims/Losse
s
Aggregated Exposure
Risk Adjusted
Performance
Audit Issues

20. 19
You need a (strategy) road map…
Phase One -
Quick Wins
• Compliance
Obligations
• Training
Phase 2 – Risk
Management
• Risks and
Controls
• Risk
Assessment
Phase 3 - Policy
Management
• Life cycle
• Policy
Surveys
• Mobility –
iPad App
Phase 4 - Risk
Analytics
• Risk Appetite
• KRI’s
• CCM
• Dashboards
Year One Year Two Year Three Year Four

21. 20
The Most Popular GRC Tool in the World…

22. 21
The eGRC Core…
Core functionality to support common
enterprise risk, compliance, and
assurance activities
• Governance
• Enterprise Risk Management
• Compliance Obligations and Risks
• Risk and Compliance Control Framework
• Policy Management
• Incident and Loss Management
• Internal Audit Practice Management
Plus…
• HSE
• Fraud/Financial Crime

23. 22
5 Key Underpinning Technologies
Workflow
Management
Database
Document
and Content
Management
Analytical
and
Reporting
Tools
Data
Warehouse

24. 23
Typical eGRC Functionality…
Overall
Considerations
Risk Control
Data Architecture
Data Aggregation
Workflows
Monitoring and Alerting
Triggers
Analytics and Reporting
Risk Modelling
Risk Data
Risk Creation
Risk Library
Risk Analysis Methods
Risk Assessment
Process
Loss and Incident Data
Risk Appetite
Issues Management
Control Attributes
Control Creation
Control Library
Control Assessment
Link to Risks or
Obligations

25. 24
The User Experience
• Who is going to use it?
• Are they going to log into the
application?
• How often?
• What will they do on the system?
• How is data to be entered?
• How much data?
• How do they run reports?
• Ad Hoc Analysis?
• What platforms? PC Only?

26. 25
Data and Analytics

27. 26
What Can Data Analytics Provide?

28. 27
Analytics
• Some Typical Applications:
- Controls transformation: process
analytics and continuous controls
monitoring
- Contract risk compliance: IT,
employee, supplier and customer
contract reviews
- Financial crime: fraud investigations,
litigation support
- Finance analytics: uncovering
leakage / inefficient processes
- Internal audit transformation:
planning, auditing and reporting.

29. 28
An Example…Simple Outlier Identification

30. 29
Key risk analytics techniques:
• Rules-based quantification of
known profiles
• Statistical modelling
• to understand drivers of known
behaviors,
• raise awareness of unknown
behaviors
• predict future behaviors
• Visualisation to easily
communicate data insights into
informed decision-making

31. 30
Moving to Real Time Risk Analytics…
Source – SAP Analytics

32. 31
Reporting and Dashboards
iPad Risk Reporting Dashboard

33. 32
Corporate Performance Reporting
Source - Enterprise Dashboard
Risk
should be
on this
dashboard
How to
Integrate?

34. 33
What Now…?
Strategy and
Roadmap
Technology
Selection
Build and
Implement
Improvement
An Structured Approach to Risk Technology

35. 34
Technology Strategy

36. 35
Engage with Internal Processes
• Engage Your IT Group
- Architecture
- Data
- Cloud vs On Prem
- Program
• Project Funding
- Capital vs Opex
- Business Case Process
- Benefits
- Gaining Support

37. 36
Elements of a Risk Technology Strategy
• Organisational context
• Maturity of current capability
• Specific problems to be addressed
• Scope of application of the
toolsets
• The current technology
environment
- Data Management
- Application Architecture
• Establish priorities
• The desired end-state and timing
• Benefits and Budget

38. 37
Technology Selection

39. 38
First Steps…
• Refine Phase 1 Scope
• Develop Requirements - Sample
• Identify Suitable Vendors

40. 39
The Market
• Now 00’s of GRC products in the
market place – 40+ in enterprise
• Strengths based on their origins
and focus
• Continued convergence of
products around core functionality
• Addition of more SME functionality
• Bigger not necessarily better
• Niche players

41. 40
Get to Know Your Vendor…
• Industry Knowledge
• Thought Leadership
• Origins – product history
• Their sweet spot
• Customer base
• Drive the product – make sure it
just doesn’t run best on
Powerpoint

42. 41
Some of the Products…Just a Sample
• Nasdaq Bwise
• IBM Open Pages
• Thomson Reuters Accelus
• RSA Archer
• Protecht
• SAP GRC
• Oracle GRC
• MetricStream
• SAI Global
• Wolters Kluwer
• Cura
• Enablon
• Wynard
• Risk Cloud
• Protiviti
• Resolver
• ACL
• Teamate
• Modulo

43. 42
The $’s....

44. 43
The Role of the Analysts and Industry Pundits
The Analysts
• Gartner – Magic Quadrant
• Forrester – Wave
The Pundits
• GRC20/20 – Michael Rasmussen
• Norman Marks – Marks on Governance
Other Sources
• Linkedin Groups
• Forums
• Consultants
• Vendors
• Existing Customers

45. 44
Other Considerations..
• You don't know what you don't
know
• Products typically capture IP and
better practice
• Is there opportunity for
improvement?
• Do a POC with the shortlist – pay
if you have to

46. 45
Define Business
Requirements
Identify
Potential
Vendors
Establish
Market
Response
Requirements
Issue
To
Market
Complete
Market
Sounding
Questionnaire
Develop & Test
Analysis
Toolkit
Conduct
Analysis
Prepare
Market
Sounding
Report
Vendor
Processes
Procuring Authority
Processes
• Define the solution scope
• Review existing flow of
information and reporting output
• Identify potential data sources
• Establish risk information and
reporting needs (including
current and future out to approx.
3 years)
• Consider leading risk practice
functionality across various
software vendor tiers
[integrated/ point solution/
stand-alone]
• Confirm refine system
requirements for market
communication
2 weeks 2 weeks 2 weeks
• Conduct initial
vendor research
based on
Customer
requirements,
using better
practice research
• Consider
appropriate
vendors
• Finalise vendor
list
• Seek registration
of interest (if
required)
• Construct
questionnaire for
responses by
vendors
• Seek review and
approval for
submission of
questionnaire for
approach to
market
• Issue
questionnaire to
finalised vendor
list
• Communicate
nominated contact
person
• Communicate
response times
and requirements
• Consider IT
Architecture and
IT Strategy for
system
integration
• Build response
analysis and
scoring
mechanism
• Determine
visualisation
methods
• Conduct test
analyses
• Map vendor
system
functionality to
business needs
• Receive
completed
questionnaires
• Participate in
vendor
presentations
• Analyse results
• Add qualitative
analysis from
supplementary
material (if
appropriate)
• Communicate
preliminary
analysis results
• Produce formal
Market Sounding
Report
• Issue for review
and comment
• Finalise document
for executive
• Develop a plan to
document,
consolidate, refine
and transform data
pre-implementation
Technology Selection Process

47. 46
Technology Implementation Process
Design
Build
Implement

48. 47
Project Structure
• IT PMO Engagement
• Project Manager
• Business Representative
- Each Functional area
• Implementation Partner
- Solution Architect
- Technical Consultants
• IT Representative

49. 48
Design
Selection should have
confirmed fit
Detailed Requirements
Defined
4 Key Elements in Blueprint
• Selecting Configuration Options
• Defining Master Data
• Defining Processes and Workflows
• Roles and Authorisations

50. 49
Build
Typically the easy bit:
• Data Preparation
- Clean Your Data
- What to do with Historic Data?
• Testing – UAT
• Watch for:
- Performance issues – screen refresh
- Interfaces

51. 50
Roll Out…
Key for Success
• Don’t skimp on Change
Management effort
- Clear Change plan
- Tailored Communication
- Follow up support
• Tailor Training to Users
• Ongoing Support
• Measure Take Up and Feedback

52. 51
Pitfalls and Problems…
Requires major transformation effort across the
enterprise…
Organisation system legacies…
• Lots of different Stakeholders
• Lots of different Systems
• No one owns all the benefits
It’s better to…
• Start.
• It will never be perfect.
So where do you start?
• Big bang usually not possible (or advisable…)
• Need to show value – clear about benefits
• Need an Influential Cross Org Sponsor who sees the value
• Develop Roadmap with incremental benefits
• Sell the vision…needs everyone on board

53. 52
Questions
Thank You