
Proven Techniques for Effective GRC Programs

203 views

Published on

Governance, Risk, and Compliance (GRC) are measurable capabilities that organizations use to achieve their objectives cost-effectively. Unfortunately, too often people define GRC solely as a technology solution, and so they never realize how it can enable greater performance and cost savings across the organization.

In this presentation, we summarize how you can apply specific techniques to improve your organization's Governance, Performance, Risk & Compliance capabilities while lowering their cost.

Acknowledgment:
Originally written by David Vincent for the blog titled “Proven Techniques for Enhancing Performance & Lowering the Cost of Your GRC Programs” published by Corporater on January 24, 2020. Read the full blog here: http://ow.ly/3i5p50yyanW

Published in: Software

Proven Techniques for Effective GRC Programs

  1. Proven Techniques for Effective GRC Programs
  2. Confidential and/or proprietary. Not to be copied to third parties. © Copyright Corporater AS - All rights reserved. INTRODUCTION. Governance, Risk, and Compliance (GRC) are measurable capabilities that organizations use to achieve their objectives cost-effectively.
  3. Unfortunately, too often people define GRC solely as a technology solution.
  4. ACHIEVING GRC. The transformation effort intended to enhance performance and lower risk and compliance cost must focus on the Capability and Maturity Model (CMM) level of the four enablers of effective GRC.
  5. ACHIEVING GRC – THE FOUR ENABLERS OF EFFECTIVE GRC
  6. ACHIEVING GRC – THE FOUR ENABLERS OF EFFECTIVE GRC. The enablers work together like links in a chain, and the weakest link determines the organization's GRC capability and maturity level.
  7. ACHIEVING GRC – THE PROCESS
  8. UNDERSTANDING CURRENT CMM LEVEL. There are specific Capability & Maturity Models (CMM) for assessing the capability of people, processes, technology, data governance, software development, risk management, project management, performance analytics, etc. Choose those relevant to your needs.
  9. UNDERSTANDING CURRENT CMM LEVEL. The results of this initial CMM assessment let you identify the problems and deficiencies that must be resolved to enable greater efficiency, effectiveness, and cost savings.
  10. UNDERSTANDING CURRENT CMM LEVEL. Every effective Strategy & Transformation effort starts by understanding the organization's current Strengths, Weaknesses, Opportunities, and Threats (SWOT) relevant to Financial, Operational, Security, and other domains.
  11. UNDERSTANDING CURRENT CMM LEVEL. Documenting the current capability and maturity levels establishes the baseline to improve upon.
  12. TRANSFORMING CURRENT CMM LEVEL. These problems and deficiencies are addressed by resolutions in an executable Risk & Compliance Transformation Plan, which is used to implement the improvements gradually.
  13. TRANSFORMING CURRENT CMM LEVEL. During execution of the Risk & Compliance Transformation Plan, use an effective organizational change management methodology to implement the changes and guide the organization through the transformation.
  14. TRANSFORMING CURRENT CMM LEVEL. "One of the biggest risks during a Risk & Compliance Transformation is not the implementation of new Risk & Compliance technology solutions. It is the culture of the organization, and its ability to accept the amount and pace of change from the project."
  15. PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS. When executing your Risk & Compliance Transformation Plan, you will likely assess the existing internal controls intended to manage your risk and compliance requirements.
  16. PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS – 1. Risk & Compliance Data Consolidation. Risk & Compliance programs are run in many silos across the organization; risk terminology and analysis techniques are not standardized; and organizations lack a holistic view of all risk and compliance objectives, enterprise risk exposure, and the mitigating controls in use.
  17. PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS – 2. Control Optimization. This approach evaluates the design and operating effectiveness of your internal controls in order to eliminate redundant and ineffective controls and to transition to more preventive and automated controls.
  18. PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS – 2. Control Optimization. Organizations that have gone through a major risk or compliance effort for the first time, such as: • The Sarbanes-Oxley Act • Health Insurance Portability and Accountability Act • Federal Information Security Management Act • Payment Card Industry Data Security Standard • The Gramm-Leach-Bliley Act, often find they have an excessive number of internal controls assigned to each risk.
  19. PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS – 2. Control Optimization. Every control has a cost to operate, a cost for the self-assessment by the business or IT team, a cost for internal audit to conduct its independent assessment, and finally a cost for the external auditors to conduct the annual risk and compliance audits.
  20. PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS – 3. Common Control Framework. • A Common Control Framework is a set of controls or requirements designed to eliminate or reduce the duplication across multiple frameworks. • Establishing a common control framework can eliminate duplicated requirements within frameworks and simplify the process of scoping, defining, and maintaining compliance.
  21. PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS – 3. Common Control Framework. As a result, organizations can save significant time and resources, since they are not forced to perform duplicate control assessments. It lets organizations test once and comply with many risk and compliance regulations simultaneously.
  22. PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS – 3. Common Control Framework. To create a common controls framework, organizations should determine which regulations they are subject to, the cost of non-compliance, whether regulators expect strict compliance, and the organization's readiness.
  23. PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS – 4. Automation. GRC technology solutions offer great opportunities to automate processes that were once performed manually: the control assessments themselves, workflow, notifications, and questionnaires.
  24. PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS – 4. Automation. More organizations are turning to Robotic Process Automation (RPA) because it reduces staffing costs, human error, and tedious tasks, freeing workers to focus on higher-value work. But RPA requires proper design, planning, and governance if it is to bolster the business.
  25. PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS – 5. Performance Analytics. Data gives the organization the ability to make decisions. "Performance measurement is failing organizations worldwide. Measures are often a random collection prepared with little expertise, and signifying nothing. Many companies are working with the wrong measures, many of which are incorrectly termed key performance indicators (KPIs). KPIs should be measures that link daily activities to the organization's critical success factors and empower the organization to make effective decisions, and drive cost savings." Reference: David Parmenter, Key Performance Indicators: Developing, Implementing, and Using Winning KPIs (Third edition), 2015.
  26. PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS – 5. Performance Analytics. Top reasons why performance measurement is failing organizations worldwide: • KPIs are often prepared with little expertise and signify nothing • Many companies are working with the wrong measures, which are incorrectly termed key performance indicators (KPIs) • KPIs are not linked to the organization's critical success factors • KPIs do not effectively measure performance, cost, quality, risk, and compliance in a way that enhances performance and lowers operating costs • Organizations are trying to monitor too many KPIs
  27. SUMMARY
  28. PROVEN TECHNIQUES FOR EFFECTIVE GRC PROGRAMS. The techniques above help you gain a holistic view of all risk and compliance objectives, adopt more preventive and automated controls, and define and configure effective KPIs in the GRC technology solution, enabling significant performance enhancement and cost savings.
  29. Corporater can help you create a sustainable, efficient, and effective GRC program aligned with strategy and performance, all within a single platform. LEARN MORE. GET IN TOUCH WITH OUR EXPERTS.
  30. Thank You. marketing@corporater.com www.corporater.com
