Risk management is increasingly becoming a strategic, executive-sponsored solution that many organizations view as providing a competitive advantage. When companies have an aggregated view of all the different kinds of risk and compliance data, they can start to generate insights about how to run the business better. In this presentation, learn why and how to empower business leaders to make more risk-aware decisions with visibility across controls and associated issues and actions throughout the organization.
2. Companies are seeking to embed Governance, Risk and Compliance (GRC) into the fabric of the organization—allowing business managers and leaders to make more risk-aware decisions.
3. Why? Because GRC impacts every aspect of an organization…
(Diagram: the GRC disciplines shown are Operational Risk, Compliance, IT Governance, SOX, EUC, Audit, Vendor Risk Management, Business Continuity Management, Policy Management, Model Risk Governance and Data Security.)
4. GRC has many disciplines that also interact with each other in a complex web.
(Diagram: the same GRC disciplines as on slide 3, drawn as an interconnected web.)
5. A lack of visibility into policy could set off a series of events across controls and associated issues and actions.
(Diagram: the same GRC disciplines as on slide 3, with events propagating across the web.)
6. Who would benefit most from an aggregated view of GRC? Business & Risk Owners, Process Owners, Executive Oversight Teams, Compliance Teams, Audit Teams and Regulators.
7. An aggregated view informs key individuals how issues and actions may affect the organization and departments within it.
(Diagram: the same GRC disciplines as on slide 3, seen as one aggregated view.)
8. For example, an internal audit team conducts a test of an organization’s IT control—changing of passwords…
(Diagram, IT Governance view: the Control "Change passwords every 60 days" sits under NA Data Center Security > Secure Logins > Password Security. The Audit hierarchy Section > Workpaper > Control Test holds the test "Review password changes and exceptions". The related Risk is Unauthorized Access, affecting the Processing Systems CRM, ERP and HR Systems, and LDAP.)
9. The result of that test has a knock-on effect to multiple areas of the business.
(Diagram: the password control is a Shared Control used by three disciplines.
- Operational Risk Mgmt: Business Area Retail Banking … > Process Processing and Operations … > Subprocess Payment, Settlement and Collections …
- Policy and Compliance Mgmt: Business Area Reg. Library … > Mandate FFIEC Info Security … > Sub-mandate Exam Tier II Obj A.4 … (Authentication)
- Financial Controls Mgmt: Business Area Finance … > Process Purchasing and Payments … > Subprocess Adjustments and Payments …
Below the Shared Control, as on slide 8: NA Data Center Security > Secure Logins > Password Security > Control "Change passwords every 60 days", and Audit Section > Workpaper > Control Test "Review password changes and exceptions".)
10. It finds that the policy of regularly changing passwords has not been enforced in key systems.
(Diagram: the shared-control hierarchy from slide 9, now showing the object in each discipline that the finding touches: the Risk "Unauthorized Access" in Operational Risk Mgmt, the Requirement "Change Passwords on Regular Basis" in Policy and Compliance Mgmt, and the Risk "Invalid or Unapproved Entries" in Financial Controls Mgmt.)
11. A breach of those passwords could impact the system’s operations and compromise key processes in various lines of business.
(Diagram: as slide 10, with each affected risk or requirement now linked to the process, subprocess, mandate and sub-mandate it rolls up to in its discipline.)
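The knock-on effect on slides 8 to 11, worked as an added example that is not from the deck or from IBM OpenPages: a small graph of the shared control and the objects that depend on it, walked to report which discipline and business area a failed control test reaches. The entity names are the deck's; the exact edges between them are assumed from the diagram labels.

```python
from collections import deque

# Directed edges "object -> objects it supports", built from the entity names
# on slides 8-11. Which object links to which is a constructed assumption; the
# deck shows the hierarchy but not its exact edges.
LINKS = {
    "Control Test: Review password changes and exceptions":
        ["Control: Change passwords every 60 days"],
    "Control: Change passwords every 60 days": [          # the Shared Control
        "Risk: Unauthorized Access",                      # Operational Risk Mgmt
        "Requirement: Change Passwords on Regular Basis", # Policy and Compliance Mgmt
        "Risk: Invalid or Unapproved Entries",            # Financial Controls Mgmt
    ],
    "Risk: Unauthorized Access": ["Subprocess: Payment, Settlement and Collections"],
    "Subprocess: Payment, Settlement and Collections": ["Process: Processing and Operations"],
    "Process: Processing and Operations": ["Business Area: Retail Banking"],
    "Requirement: Change Passwords on Regular Basis":
        ["Sub-mandate: Exam Tier II Obj A.4 (Authentication)"],
    "Sub-mandate: Exam Tier II Obj A.4 (Authentication)": ["Mandate: FFIEC Info Security"],
    "Mandate: FFIEC Info Security": ["Business Area: Reg. Library"],
    "Risk: Invalid or Unapproved Entries": ["Subprocess: Adjustments and Payments"],
    "Subprocess: Adjustments and Payments": ["Process: Purchasing and Payments"],
    "Process: Purchasing and Payments": ["Business Area: Finance"],
}

# Discipline that owns each business area (slide 9).
DISCIPLINE = {
    "Business Area: Retail Banking": "Operational Risk Mgmt",
    "Business Area: Reg. Library": "Policy and Compliance Mgmt",
    "Business Area: Finance": "Financial Controls Mgmt",
}


def impact_report(start, links=LINKS, owners=DISCIPLINE):
    """Map each discipline to the chain of objects from the failed object up to its business area."""
    report, stack = {}, [[start]]
    while stack:
        path = stack.pop()
        if path[-1] in owners:            # reached a business area: record the chain
            report[owners[path[-1]]] = path
        # A real repository may contain cycles, so never revisit an object on the current path.
        stack.extend(path + [p] for p in links.get(path[-1], []) if p not in path)
    return report


if __name__ == "__main__":
    for discipline, chain in impact_report("Control Test: Review password changes and exceptions").items():
        print(f"{discipline}: " + " -> ".join(chain))
```

Run stand-alone, it prints one chain per discipline, which is the "aggregated view" the deck argues for: a single failed test surfaces in Retail Banking operations, in the FFIEC authentication mandate, and in Finance's payment controls.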
12. The impact to the business if risks like these are incurred could be significant. So what is keeping organizations from integrating and optimizing GRC?
13. There are complexities and challenges to integrating systems and creating a single view of nonfinancial risk:
- Siloed people, data, knowledge, projects
- Defining system interlock (granularity, lookup, golden source)
- Lack of executive sponsorship and alignment
- Lack of skills, adoption, engagement, agile self-service
- Data integration issues (middleware, API, ETL)
- Defining workflow and reporting across multiple systems
14. Because of these issues, GRC is still at the departmental level for many organizations...
(Diagram: GRC maturity levels under "Departmental Initiatives".
- Unaware: No visibility. No understanding of how GRC is interconnected. Few (if any) IT resources are allocated.
- Fragmented: Tactical, siloed approach to GRC. No integration or sharing of information. Too much reliance on fragmented technology.
- Integrated: Recognizes the need for greater GRC integration. Strategic approach, mature processes, good reporting and trending at the department level.
Source: GRC Maturity: From Disorganized to Integrated Risk and Performance, Corporate Integrity, 03/12)
15. While advanced and forward-thinking organizations have adopted enterprise GRC.
(Diagram: the maturity model continues past the departmental levels Unaware, Fragmented and Integrated into "Enterprise GRC".
- Aligned: Strategic approach to GRC across departments. Silos are eliminated. Leverages GRC to realize business benefits.
- Optimized: GRC is integrated throughout the business and is part of strategic planning. Extensive measurement and monitoring of GRC in the context of business.
Source: GRC Maturity: From Disorganized to Integrated Risk and Performance, Corporate Integrity, 03/12)
17. Here are our recommendations:
- Secure a strong corporate sponsorship
- Create a strategy for integrating all aspects of GRC
- Prioritize GRC projects
- Establish a centralized GRC solutions team
- Centralize on one Enterprise GRC software vendor
- Leverage big data and AI to create a sophisticated risk warning system
18. An aggregated view from a standardized Governance, Risk & Compliance deployment:
19. There are tangible advantages to creating this aggregated view of GRC:
- Improved alignment of objectives with mission, vision and values of the organization, resulting in better decision-making agility and confidence.
- Leverage cognitive capabilities to improve quality of information and user interaction and to reduce manual tasks.
- Reduced costs in maintaining duplicated controls, tests, issues, actions and reporting across multiple disciplines.
- Reduced IT costs by consolidating on a single GRC solution.
20. Learn more about IBM solutions for governance, risk and compliance: ibm.com/OpenPages