Proven Techniques for Effective GRC Programs

Proven Techniques for Effective
GRC Programs

Confidentialand/or proprietary. Not to be copied to third parties. © Copyright Corporater AS - All rights reserved.
2
INTRODUCTION
Governance, Risk, and Compliance
(GRC) are measurable capabilities that
organizations utilize to achieve
objectives cost-effectively.

3
Confidentialand/or proprietary. Not to be copied to third parties. © Copyright Corporater AS - All rights reserved. 3
Unfortunately, too often, people define GRC
solely as a technology solution.

4Confidentialand/or proprietary. Not to be copied to third parties. © Copyright Corporater AS - All rights reserved.Confidentialand/or proprietary. Not to be copied to third parties. © Copyright Corporater AS - All rights reserved.
The transformation effort intended to
enhance performance and lower risk and
compliance cost must be focused on the
Capability and Maturity Model (CMM) level
of the four enablers of effective GRC.
ACHIEVING GRC

5Confidentialand/or proprietary. Not to be copied to third parties. © Copyright Corporater AS - All rights reserved.
ACHIEVING GRC
THE FOUR ENABLERS OF EFFECTIVE GRC

ACHIEVING GRC
Each of the enablers works together like
separate links in a chain, but the weakest link
will determine the organization’s GRC capability
and maturity level.
THE FOUR ENABLERS OF EFFECTIVE GRC

ACHIEVING GRC – THE PROCESS

UNDERSTANDING CURRENT CMM LEVEL
There are specific Capability & Maturity Models (CMM)
for assessing the capability of people, processes,
technology, data governance, software development, risk
management, project management, performance
analytics, etc. Chose those relevant to your needs.

The results of this initial CMM assessments give
you the ability to identify problems and
deficiencies that need to be resolved to enable
greater efficiency, effectiveness, and cost savings.

10
Every effective Strategy & Transformation
effort starts by understanding the
organization’s current strengths, weaknesses,
opportunities, and threats relevant to
Financial, Operational, Security, etc.
S W O T

Documenting the current capability and maturity
levels becomes the baseline to improve upon.

TRANSFORMING CURRENT CMM LEVEL
These problems and the deficiencies are addressed by
resolutions in an executable Risk & Compliance
Transformation Plan, which is utilized to gradually
implement the improvement.

During the execution of the Risk & Compliance
Transformation Plan, you should utilize an effective
organizations change management methodology to
implement and guide the organization through the
transformation.

14
Confidentialand/or proprietary. Not to be copied to third parties. © Copyright Corporater AS - All rights reserved.Confidentialand/or proprietary. Not to be copied to third parties. © Copyright Corporater AS - All rights reserved.
One of the biggest risks during a Risk & Compliance Transformation is not the
implementation of new Risk & Compliance technology solutions.
It is the culture of the organization, and its ability to accept the amount and pace of change from
the project.
”
“

PROVEN TECHNIQUES FOR EFFECTVE GRC PROGRAMS
When executing your Risk & Compliance
Transformation Plan, you will likely conduct an
assessment of your existing internal controls intended
to manage your risk and compliance requirements.

Risk & Compliance programs are performed in many
silos across the organization, risk terminology, and
analysis techniques are not standardized, organizations
lack the ability to see the holistic view of all risk
and compliance objectives, enterprise risk exposure,
or the mitigation controls being utilized.
1. Risk & Compliance Data Consolidation

2. Control Optimization
This approach focuses on evaluating the design and
operating effectiveness of your internal controls to
eliminate redundant and ineffective controls, and
transition to more preventive and automated controls.

Often organizations that have gone through a major risk or
compliance effort for the first time like,
• The Sarbanes-Oxley Act
• Health Insurance Portability and Accountability Act
• Federal Information Security Management Act
• Payment Card Industry Data Security Standard
• The Gramm Leach Bliley Act
find they have an excessive number of internal controls
assigned to each risk.

Every control has a cost to operate, a cost for the
self-assessment by the business or IT team, a cost for
internal audit to conduct their independent
assessment, and final a cost for the external auditors
to conduct the annual risk and compliance audits.

3. Common Control Framework
• Common Control Framework is a set of controls or
requirements designed to eliminate or mitigate the
duplication of multiple frameworks
• Establishing a common control framework has the
potential to eliminate the duplication of requirements
within frameworks and simplify the process of
scoping, defining, and maintaining compliance

As a result, organizations have the potential to save
significant time and resources, since they are not forced to
perform duplicate control assessments. It gives
organizations the power to test once and comply with
many risk and compliance regulations simultaneously.

To create a common controls framework, organizations
should determine which regulations they are subject to
and the cost of non-compliance, whether or not
regulators expect strict compliance, and the organization’s
readiness.

4. Automation
GRC technology solutions offer great opportunities to
automate processes that were once performed manually,
automate the actual control assessment, automate
workflow, automate notifications, and automate
questionnaires.

More organizations are turning to Robotic Process
Automation (RPA) because of its ability to reduce staffing
costs and human error, tedious tasks, and freeing workers to
focus on higher-value work. But RPA requires proper design,
planning and governance if it’s to bolster the business.
4. Automation

25
5. Performance Analytics
Data provides the organization with the ability to make decisions.
“Performance measurement is failing organizations worldwide. Measures are often a random
collection prepared with little expertise, and signifying nothing. Many companies are working
with the wrong measures, many of which are incorrectly termed key performance indicators
(KPIs). KPIs should be measures that link daily activities to the organization’s critical success
factors and empower the organization to make effective decisions, and drive cost savings.”
Reference: David Parmenter, Key Performance Indicators: Developing, Implementing,And Using Winning KPIs (Third edition), 2015.

Top Reasons Why Performance Measurement is Failing Organizations Worldwide:
• KPIs are often prepared with little expertise, and signifying nothing
• Many companies are working with the wrong measures, which are incorrectly
termed key performance indicators (KPIs)
• KPIs are not linked to the organization’s critical success factors
• KPIs are not effectively measuring performance, cost, quality, risk, and compliance to
enhance performance and lower operating costs
• Organizations are trying to monitor too many KPIs
5. Performance Analytics

SUMMARY

The above techniques will help you get a holistic
view of all risk and compliance objectives, take more
preventive and automated controls, and define and
configure effective KPIs in the GRC tech solution that
enables significant performance enhancement and
cost savings.

29
Corporater can help you create a
sustainable, efficient, and effective GRC
program aligned with strategy and
performance, all within a single platform.
LEARN MORE
GET IN TOUCH WITH OUR
EXPERTS

Thank You
marketing@corporater.com
www.corporater.com

Proven Techniques for Effective GRC Programs

Recomendados

Recomendados

Mais conteúdo relacionado

Mais de Corporater

Mais de Corporater (20)

Último

Último (20)

Proven Techniques for Effective GRC Programs