PERFORM WITH INTEGRITY ™ Federal Home Loan Bank of Chicago Maturing GRC Ian Hardison-Sanchez, Governance Risk & Compliance Program Manager


  • PERFORM WITH INTEGRITY ™

    Federal Home Loan Bank of Chicago – Maturing GRC

    Ian Hardison-Sanchez, Governance Risk & Compliance Program Manager

  • © 2019 GRC Summit All Rights Reserved. PERFORM WITH INTEGRITY ™

    Agenda – Maturing GRC

    • The Federal Home Loan Bank System

    • Federal Home Loan Bank Chicago Overview

    • GRC Program – Genesis and Challenges

    • Escalating Regulatory Expectations

    • Objective > Goals > Framework & Methodology

    • Solution Components

    • What Builds Our Integrated Risk and Controls Environment

    • Integrated Risk and Control Management Infrastructure

    • Challenges

    • Accomplishments and the Road Ahead

    • Lessons Learned


    Each FHLB is an SEC-registered, privately managed

    cooperative owned by members* in its district

    Each FHLB is governed by a separate board of directors, but regulated by a single regulator, Federal Housing Finance Agency

    The 11 Home Loan Banks comprising the FHLB System provide liquidity and funding solutions to nearly 7,500 members

    FHLBs are significant contributors to affordable housing and economic development initiatives across the nation

    As a Government Sponsored Enterprise, the FHLB system has good access to capital markets which provides competitively priced funding

    FHLB Chicago • Includes IL and WI

    *Members include banks, thrifts, credit unions and insurance companies

    The Federal Home Loan Bank System

    FHLB Overview

    June 5, 2019


    Our mission is to partner with our member shareholders to provide them competitively priced funding, a reasonable return on their investment, and support for community investment activities.


    FHLBC Overview

    Federal Home Loan Bank of Chicago • Member owned. Member focused


    FHLBC is a cooperative that partners with our member shareholders to provide products and solutions that support their business growth

    $70 billion wholesale bank

    Over 740 members in Illinois and Wisconsin

    Our members are our shareholders

    Value Proposition:

    Low-cost funding and liquidity

    Secondary mortgage market products

    Grant programs to support community investment


    Genesis and Challenges – Integrated Risk & Control Re-engineering

    Supervision
    - Increased supervision
    - Increased pressure on regulators and auditors
    - Need for better documentation and framework

    Overhead
    - Cost of infrastructure
    - Multiple risk and oversight organizations
    - Multiple impacts on business leaders
    - Large number of people

    Regulation
    - Increased regulatory burden
    - Hard to focus on ‘Risk’ rather than on ‘Compliance’

    Business Change
    - New business activities
    - SEC registration
    - Flexibility to incorporate business changes
    - Changing external risks


    Escalating Regulatory Expectations

    Increased market complexity and performance needs necessitate further advancement in risk management

    • Banks will have to demonstrate not just technical compliance, but also that their boards are capable of effectively challenging management decisions

    • These regulations have increased both director responsibility and potential liability

    • Elevated responsibility may have some unintended consequences:

    • 80 percent of financial sector nonexecutive directors surveyed1 said the risk committee is the most challenging.

    • Three possible explanations: broad range of responsibilities, forward-looking nature of job, and technical nature of regulatory compliance2

    International: CRD IV; BCBS Principles on bank corporate governance

    United States: Federal Reserve Enhanced Prudential Standards; OCC Heightened Standards; CCAR – greater focus on internal controls

    1,2 Sir Howard Davies, “Audit is no longer the chore the board dreads most,” Financial Times, July 28, 2014


    Objective > Goals > Framework & Methodology

    Implement a coordinated, efficient and effective framework for risk & compliance management across the enterprise:

    • Improve risk management practices across the organization

    • Provide greater transparency and consistency to the risk and governance process across the organization, but particularly to managers, executives and the Board

    • Move the organizational culture from a solely compliance-focused organization to an integrated ‘Risk Management’ culture

    • Evangelize a philosophy of ownership and accountability for risk and control to line management

    • Provide a cost-effective infrastructure that integrates the governance framework of the organization


    Solution Components – Program Implementation

    STRATEGIC
    • Developed a collaborative relationship between all stakeholders
    • Developed strong executive management support for a best-in-class Risk & Control framework
    • Identified key stakeholders
    • Identified core objectives
    • Evaluated alternative approaches (OCEG, COBIT, COSO, etc.)
    • Developed vision for the framework
    • Prioritized and set up multiple paths and a maturity model
    • Envisaged a multi-year initiative based on continuous refinement and priorities

    TACTICAL
    • Develop conceptual framework
    • Implement individual domains based on business priorities
    • Implemented an enterprise issue management program
    • Implemented consistent reporting
    • Enhanced integration into the business process (outside of the compliance & governance organization)

    Stakeholders: Finance, Risk, Compliance, Audit, External Audit, Operations – CEO, CFO, CCO, CRO, CAE, COO and Executive Management Groups

    Core Technology Elements (People, Process, Technology) – MetricStream Enterprise GRC Platform
    • Eliminate EUC as a data repository and principal reporting mechanism
    • Deliver transparency at enterprise level and detailed level of the status of risk / control / compliance
    • Provide a robust infrastructure for governance and management of the overall GRC environment


    What builds up our INTEGRATED risk & control environment

    Regulatory Compliance

    •Compliance program

    •New regulations

    •Financial Controls (SOx)

    •Prudential Standards

    Operational Integrity

    •Management Risk Assessments

    •Fraud Reporting

    •Event Reporting

    •Technology incidents

    •Risk/Control Change Requests

    •Business Resumption/Continuity

    Independent Reports

    •Independent Security Officer Reviews

    •Model Validations

    •End User Computing

    •Internal/External Audits

    •FHFA Examinations

    Internal Audit Department 6/5/2019


    Changing Roles in the 3 Lines of Defense

    First Line – WHERE THE ACTION IS
    • Risk Assessment
    • Testing Controls
    • Self-Log Identified Issues
    • Develop Remediation Plans
    • Policy Attestation
    • Incident Cases
    • BCM - EMNS
    • Whistleblowing
    • Compliance (e.g. background checks)

    Second Line – WHERE THE PROGRAM IS MANAGED
    • Program Plan and Budget
    • Governance
    • GRC Libraries
    • GRC Integration (vulnerability data, CMDB)
    • Risk, Audit & Compliance Schedule
    • Evidence Review
    • Policy and Procedures
    • Building and SOPs
    • Training Programs
    • Executive/BoD Reporting

    Third Line – WHERE RESULTS ARE AUDITED AND ASSURED
    • Reviews Control Tests completed by the First Line
    • Reviews Risk Assessments
    • Creates Findings for Action by the First Line


    FHLBC Integrated Risks & Control Management Infrastructure

    Our People: Business Managers and Business Units; Compliance; ORM/FIG; Internal Audit Department; Management Committees (Credit, ALCo); Board & Committees (Audit, Risk, O&T); Executive Management (CFO/CRO/CEO); Regulators & Auditors; Vendors (SSAE16/SOC1); Change Management; Incident Management

    Integrated Infrastructure: Regulations; Frameworks (COBIT/COSO); Guidance; Policy & Procedure

    Common Platform – Detailed Risks: Market Controls; Credit Controls; Operational Controls; Technology Controls; Fraud Controls; Compliance Controls; Strategic Controls

    Common Platform – SOx: General Ledger / Account Assertions; Segregation of Duties


    Solution – Creating a Single View into the Risk Organization

    Defined Risk Geography

    Products & Business Activities: Lending; Mortgage Acquisition; Community Investment; Debt Issuance & Liquidity; Balance Sheet Mgmt. (Hedging); Financial & Performance Reporting; Technology & Operations; Administration

    Enterprise Services & Risk Governance: Credit Risk Management; Market Risk Management; Operational Risk Management; Enterprise Strategy & Governance; Internal Audit

    Common Platform – Improved Collaboration

    Operational Risk
    • Event assessments and loss statistics
    • Control Changes
    • Enterprise Risk Assessment
    • New Products/Processes
    • Changes in Market & Credit Risk Framework

    Financial Reporting
    • Key Control Changes
    • Impact of Events and Control Deficiencies on Financial Reporting
    • New Accounting Rules
    • New Products/Processes

    Internal Audit
    • Uses Risk and Control information to design audit program
    • Provides results of audit program to management to inform their risk assessment
    • Provides feedback on proposed Control changes
    • Evaluates and tracks significant issues and their resolution

    External Audit / Regulator
    • Best Practices
    • Leverage Management and Internal Audit work
    • Understand Enterprise Control Environment
    • Directly access enterprise key control status

    Compliance
    • Provides information on New Regulations
    • Evaluates impact of regulations
    • Evaluates gaps identified in the control environment


    Where are we going Mature Process Recently Implemented In implementation / Planned

    Issue Management Model Validation EUC Object

    Certification / Sox EUC Validation Model Object

    Internal Audit Event tracking and reporting Other control frameworks

    Continuous Monitoring IT assets

    Continuous Audit Regulatory Reporting

    Compliance Inventory Business Continuity


    Stakeholders growing · Requirements expanding · Use cases expanding · Data conflicts growing


    Challenges - Data

    We have cross-referenced multiple data sources (process, risks, controls, etc.; technology; models; end user computing; vendors; facilities; regulatory reporting; IT inventory):

    • How do we update?

    • Who maintains relationships?

    • What is the definitive source of data? Mostly standing / reference data

    • Currently supporting three models:

    – Primary record

    – Primary records + external enhanced data

    – Secondary records

    • Who develops and supports reporting? Subject matter experts


    Challenges – Stakeholders & Communication

    GRC impacts multiple areas of the organization

    • 25% of the organization uses the system monthly

    • Business users have built their processes around the system

    • Monthly Steering Group – 20 key stakeholders

    • Smaller system stakeholder group


    Principles and Discipline: minimize customization; maximize existing functionality; leverage proven solutions


    Challenges – Implementations

    Involving new business users

    • Devoting adequate resources to the task

    • Integrating into the culture of shared resource

    • Corporate GRC Philosophy

    • Vendor management

    • Regression testing - All units involved

    • Multiple projects in parallel

    • New interfaces

    • Some Compromise!


    Principles and Discipline: minimize customization; maximize existing functionality; leverage proven solutions


    Challenges – Support


    Support roles: GRC System Administration; Project Management; Project Coordinator; Vendor Management; Subject Matter Expert

    • Multiple reporting requirements

    • Multiple macro & micro projects on-going at one time

    • Vendor management

    • Production

    • Implementation teams

    • Coordination of activities

    • Consistency

    • User provisioning automated


    Savings From Human Capital Costs: Technology Risk 66.7%; Operational Risk 62.5%; Financial Risk 87.5%; Internal Audit 28.5%; Total 54.5%

    Realized Benefits

    • Created consistent risk evaluation

    • Implemented common definitions and standard frameworks

    • Delivered critical independent but comparable risk reporting

    • Eliminated end user computing based processes

    • Delivered risk assessment, issue tracking and control interface to all employees

    • Provided a long term ‘Risk’ organization to baseline risk and control metrics and track performance

    • Reduced resolution time for critical risk and compliance related issues

    • Reduced the number of open risk and compliance issues

    • Reduced human capital cost for managing the audit risk and compliance infrastructure

    The Road Ahead

    • Eliminate majority of remaining end user computing in the operational aspects of control and risk evaluation

    • Implement an evergreen risk assessment program

    • Integrate continuous monitoring for significant portion of key controls for operational risk, compliance and SOx

    • Implement continuous audit practices

    • Integrate with management core technology for continuous exception reporting

    Accomplishments and the Road Ahead


    Lessons Learned Summary by Step (sample from mSIGs)

    Best Practice Overview – Steps

    Step | Lessons Learned

    1. Business Value and CSFs: Driving the Right Priorities

    • If you don’t show alignment to a strategic initiative and its context (e.g. the app, shared information), and don’t have executive endorsement pushing it, you may get push-back from the silos

    • Know the benefits and have executive reinforce the value (for example – GRC 101 or GRC Framework)

    • Note that Maturity And Readiness (Step 2) reveals an opportunity for business value that Leadership is not aware of – so be flexible in your rollout plan

    2. Maturity and Readiness: Sequencing for Value

    • Be flexible - eagerness to get on the system does not translate into readiness! It takes more time to design and iterate when you are trying to deploy

    • Be mindful of shared information from libraries – make sure it is actually ‘capturable’ – if you know where/when to go get it, the deployment will go more smoothly (example: normalization of controls)

    • Make sure you sequence based on which processes are well defined; if they can’t tell you what they do in a well-defined way (info on reports, approval process and contacts, for example), they aren’t ready

    • If you are only 30% sure of the process, double the budget and timeline! There is an impact.

    3. Rollout Scope: Prioritizing Use Cases with Lines of Defense

    • Line 1 users will not get the full scope of benefits – reinforce the overall benefits for their management, leadership and the board; by getting the info right, everyone will appreciate more what you do (even if it takes more time at first before it becomes BAU)

    • Get the 1st line and local perspective and terminology right – football analogy: US vs UK, it’s a different game!



    Step Lessons Learned

    4. Effective Rollout Plans: Leveraging Champions

    • Beware that IT does not become ‘the rollout champion’ – the right people in the business need to really own this for UAT, training, change management needs, information taxonomy, etc.

    • Make sure champions have the time allocated and don’t get burnt out, and that they transfer their knowledge to a local person who will be the POC (region, LoB, etc.)

    • Invite Champions to participate in Working Groups – for example, Libraries Information Governance, Change Management, Future Enhancements

    5. Organization Change Management: Being Proactive

    • Champions and IT need to be well enough informed to set the appropriate level of access for roles/people and to write the security user stories (increasingly important with GDPR and other security/cyber controls) – who in the organization is going to act as administrator and provisioner of new users? This is a new role and requires a handshake between the business and IT.

    • Identify your governance process up front and adapt (or impose!) as you onboard new stakeholder group

    • Create awareness and understanding of process alignment of upstream and downstream impacts from potential changes – optimizing in one area can cause a negative impact downstream! Bring people together (that may not work together normally) to really understand this – there can be a multiplier effect +/-.

    • Make sure you and your users know the internal SLAs and support structure – when there is a problem or ticket, user satisfaction is tied to the speed of resolution – don’t let frustration set in. Don’t let perception distort app effectiveness – bad news travels faster than good news.

    Lessons Learned Summary by Step (sample from mSIGs)



    Step Lessons Learned

    6.Communications: Celebrating Successful Adoption

    • Adoption – make sure you are tracking real usage, adoption and incidents. You don’t have success unless your end users are using the system and know where to go when they have a question or a problem

    • Reward the team! Toot your own horn! Make good news travel faster and wider!

    • Really listen to what your users are saying – use the Five Whys and learn to interpret complaints for the underlying root cause

    7. Continuous Improvement: Agile Value Attainment

    • Incremental improvements by tweak can have corresponding multiplier effects. “Horseshoe missing, hobbles the warhorse, loses the King’s battle – for want of a nail we lost the kingdom”.

    • Schedule regular (at least quarterly) meetings and continue to conduct survey/interact to see how it is working

    • Measure the value attained and continue to make incremental improvements to increase value.

    • Don’t take criticism personally – they may be frustrated with the change, the process or the app, not you.

    Lessons Learned Summary by Step (sample from mSIGs)


    June 5, 2019

    EXTRA SLIDES YOU MAY WANT TO USE


    What Have We Achieved as Benefits?

    300+ users; 400+ employees; 7 apps (ORM, Internal Audit, Policy, Compliance, BCM)

    GOALS: Effectiveness; Efficiency; Operational Excellence

    JOURNEY: Risk-based audit planning and execution; Rationalized controls; Aligned process workflows; Qualitative and quantitative risk assessments

    OUTCOMES: 54% human capital cost reduction; 58% reduction in issue resolution time; 50% reduction in cost of audit follow-ups


    FHLB Risk Management Environment

    People · Business Risks · Business Units · Controls

    Support Units: operational risk management; FIG risk & control; compliance; internal audit


    Components of our Environment

    Regulations · Financial Reporting · Control Environment · Regulatory Reporting · Operational Management · Business Process

    Risks: market; credit; financial; operational; fraud; legal & regulatory; strategic


    Role & Alignment of Risk Management Functions

    BOARD OF DIRECTORS / AUDIT COMMITTEE – Risk aware decision making; visibility and accountability into risk profile

    CHIEF EXECUTIVE OFFICER – Revenue optimizing risk strategies

    CHIEF FINANCIAL OFFICER – Issues and actions affecting financial statements, e.g. SOX

    CHIEF OPERATING OFFICER – Issues and actions sub-optimizing processes and resources

    CHIEF INFORMATION OFFICER – Issues and actions related to business resilience, 3rd parties, infrastructure

    CHIEF RISK OFFICER – Issues and actions related to losses, operations and creating opportunities

    CHIEF COMPLIANCE OFFICER – Issues and actions related to regulatory and corporate obligations

    CHIEF AUDIT EXECUTIVE – Issues and actions related to audits

    CHIEF INFORMATION SECURITY OFFICER – Issues and actions related to internal digital and emerging threats

    BUSINESS HEADS – Issues and actions raised in the first line

    * This is an indicative organizational hierarchy only. Actual organizational hierarchies and reporting structures will vary from business to business


    GRC Program Roadmap and Rollout – Sample Slide (FY17 / FY18 / FY19)

    PROGRAM
    • PMO – GRC Program Governance, Management and Communications of Progress, Organizational Change
    • GRC Program Plan
    • GRC Initiatives: Workstreams
    • Infolet Integrations: Data feeds
    • GRC Intelligence Content Feeds

    PROCESS & TECHNOLOGY (Phase 1)
    • MetricStream Platform and GRC Foundation
    • Risk and Control Framework, Risk Reporting, Analytics and Governance
    • GRC Organization Hierarchy, Asset Integration
    • GRC Readiness – Vendor Risk Rollout (Wave 1, 2…)
    • GRC Readiness – BCM Rollout (Wave 1, 2, 3)
    • GRC Readiness – ERM Rollout (Wave 1, 2, 3…)
    • GRC Readiness – Controls Testing Rollout (Wave 1, 2, 3…)
    • GRC Readiness – Audit Rollout (Wave 1, 2, 3…)
    • GRC Readiness – Policy Management Rollout (Wave 1, 2…)


    Trends: Smart AUDITING of the Future

    Agile auditing is designed to be flexible and iterative. This means that rather than rigid internal audit plans, there's a continually-updated backlog of audits and projects, prioritized based on risks and company needs, that can be undertaken once resources are available.

    AI-powered audits enable proactive, intelligent, forward-looking assurance. By bringing together data, analytics and the human decision-making process, they help identify future risks and opportunities, which ensures better and deeper audit coverage while increasing speed and efficiency.

    Traditional Audits
    • Rigid, single-phase planning
    • Planning, fieldwork, review, and reporting stages may take up to eight weeks or more
    • Hierarchy of established roles
    • Insights at the audit’s end, after reporting and review

    Agile Audits
    • Iterative planning on an ongoing basis in “sprints”
    • Three phases are completed in shorter-timeframe sprints, every two to three weeks
    • Flat, but empowered roles
    • Audit’s attention on the insights, risks, and opportunities

    AI-Powered Audits (toward Autonomous AI)
    • Phase 1: Rules and Correlation based on Metrics; Natural Language Processing
    • Phase 2: Machine Learning; Robotic Process Automation
    • Phase 3: Predictive & Prescriptive Analytics


    From Agile to AI – 3 Critical Foundational Processes - Summary

    Today: Silo’d Risk Assessments; Traditional Audits; Basic Master Data and Information Taxonomies

    Crawl: Risk Framework; Agile Auditing; KPIs and Metrics

    Walk: Risk Analytics; Continuous Auditing and RPA; Analytics

    Run: Integrated Risk and Compliance; Intelligent Audits; Artificial Intelligence


    Issue Management Use Case Examples

    Raise/Trigger Issues from…
    • Findings from Control Tests and Audits
    • Regulatory Examinations
    • Action Plans from Risk Assessments
    • Policy Exceptions
    • Access Control Exceptions
    • Complaints
    • Security Threats or Vulnerabilities

    Action Plan Creation and Collaboration
    • Assign owner, action and due date
    • Use workflow for approvals, notifications and escalations
    • Use dashboards to reduce cycle time and increase visibility

    Analytics and Insights
    • Use metrics and correlation to see what issues are being raised, to help dig into root cause across common processes
    • Use insights to correct processes and continuously improve

    Issue Management for the First Line of Defense – an example

    1. First line user logs the issue
    2. First line management reviews the issue and sends it to the Second line Triage team
    3. The Triage team adds details and links to GRC library information; assigns the issue to the issue owner
    4. The issue owner tracks the issue to closure


    Issue Management Use Case Examples by Group (Who | What)

    CAE - Audit | Observation, Finding, Issue with Action Plan
    CCO - Compliance | Regulatory Gap or Control Failure with Remediation Plan
    CRO - Risk | Risk Unacceptable, with Treatment Plan
    CIO - Business Resilience | Incident or Outage with Remediation Plan
    CxO - Third Parties | 3rd Party Policy Acceptance or incident with Action Plan
    CIO - IT Risk | IT Risk on apps, facilities, ITIL processes, with Remediation Plan
    CCO - Policy | Policy Exception, with Plan and timeframe for exception
    CCO - Complaints | Customer or internal Complaints, ex: whistle blowing, with Response Plan
    CCO - Ethics | Violation or Conflict with Response Plan
    CISO - Security | Vulnerabilities in Infrastructure, with Remediation Plan
    CISO - Cyber | Threat with Remediation Plan
    CQO - Quality | Non-Conformance, with CAPA – Corrective Action, Preventive Action Plan


    Challenges in Controls Assessment and Testing

    Evidence: Do I have evidence of my work? Do I understand what I need to collect, or do I just collect it all? Is my work organized to show consistent control test results regardless of the regulation? Rationalizing controls, reducing the number of tests.

    Efficiency: Is my process efficient or costly? Biggest challenge – have we mapped controls to policies, risks and compliance requirements? Do we have orphan controls?

    Coverage: Do I have proper coverage? What about re-testing controls that failed? Am I testing controls that are no longer relied upon? Do I have a process that enables the control owners to inform me of changes?

    Taxonomy: GRC language vs. business language makes it difficult for the first line to complete forms. Who is the owner of the common taxonomy? Should Audit be queried for the control and process library?

    People: Is the right person testing the controls? Do we understand our controls? Is the control really a control? Adding new responsibilities: are they ready/trained? Does everyone in the business need to interact, or is there a point person (LOD 1.5)? Are incentives aligned to promote this work as critical?

    Timing: Are we testing the right controls, at the right time? Are we assessing controls or testing controls? Performing work where it happens and when the user thinks about it (mobile enabled). Performing work as needed vs. scheduled.


    Control Testing Use Case Examples by Group (Who | What | Examples)

    CAE - Audit | Control Test sample during audit | Cyber controls gap
    CFO - Finance | SOX Financial Controls | Approvals
    CCO - Compliance | Regulatory Gap or Control Failure | Training not taken
    CRO - Risk | Risk (Enterprise, Operational, …) | Loss Event
    CIO - Business Resilience | Incident or Outage | No Failover of Data Center (hurricane)
    CxO - Third Parties | 3rd Party Policy, Control, Certifications | SOC1 for a Cloud Service Provider
    CIO - IT Risk | ITIL process for apps, facilities, services | Access Controls based on Identity
    CCO - Policy | Policy and Procedure Review/Acceptance | Policy Exception
    CCO - Complaints | Customer Complaints, ex: whistle blowing | Customer Complaint
    CCO - Ethics | Survey Results, Violation or Conflict | Conflict of Interest of Senior Executive
    CISO - Security | Automated/Manual Controls | App Firewall or Network Vulnerability
    CISO - Cyber | Digital Threat mitigation | Anomaly or Virus blocking apps
    CQO - Quality | Quality Process controls | Non-Conformance, with CAPA Plan


    Control Testing Use Case Examples

    Compliance Assessments with Control Tests and Evidence
    • Compliance to Laws and Regulations (GDPR, SOX, FISMA, HIPAA…)
    • Compliance to Frameworks/Standards (COBIT, PCI, NIST…)
    • Compliance to Business SLAs
    • Compliance to Processes, Policies and Procedures
    • Integration with IT/Security monitoring systems
    • Mapping controls to Standards such as ISO 27k or NIST 800-53
    • Mapping controls to Regulations such as SOX 404/302, HIPAA and PCI
    • IT/Security Certifications such as SOC 1, 2 and 3 or ISO
    • Financial Control Certifications such as SOX

    Issue Management
    • Dashboards reduce cycle time/increase visibility
    • Findings from Control Assessments and Audits
    • Assign owner, action and due date
    • Action Plans from Control Testing results
    • Policy Exceptions
    • Access Control Exceptions

    Example Measurements/Metrics
    1. # Assessments/regions
    2. # Failures by control
    3. # Issues by control
    4. % Testing complete by plan
    5. # Controls by Area of Compliance
    6. # Policy Exceptions
    7. # Access Control Exceptions
    8. # Action Plans completed
    9. More…?
    10. More…?

    Controls across the enterprise, mapped to regs, frameworks, IT… and Issues…

    Discussion: What are your top 10 Compliance Metrics?


    Considerations for a Strong Compliance Controls Program

    PEOPLE
    • Lack of governance results in business-developed controls, resulting in duplicates and orphans
    • GRC language vs. business language makes it difficult for the first line to complete forms
    • Personalization of the landing page for each line of defense: what they each need to see differs
    • Emerging role of the 1.5 line of defense
    • Does everyone in the business need to interact, or is there a point person?
    • Performing work as needed vs. scheduled. Performing work where it happens and when the user thinks about it (mobile enabled)

    PROGRAM
    • Adding new responsibilities to the first line: are they ready/trained? Are incentives aligned to promote this work as critical?
    • Do our deployments focus on the quick wins or expansive transformation?
    • How can we drive end-user adoption? Gamification, visualizing outcomes
    • Who is the owner of the common taxonomy? Should Audit be queried for the control and process library?

    TECHNOLOGY
    • User experience must be intuitive
    • Capture data at the first point of entry
    • No repetitive keystrokes
    • Software design for ad hoc work (without 2LOD or 3LOD scheduling)
    • Triggers driven by internal and external data
    • Layering into 1LOD transaction systems
    • Platform scalability and performance
    • Mobility through native apps


    Compliance Program Metrics and Reporting

    Scope and Use of Measurements/Metrics
    • What processes do you measure, e.g. Assessment, RCSA, IT Compliance, Loss Events, Issues…?
    • What metrics must be tied explicitly to risk appetite and thresholds?
    • Does each metric have associated thresholds (risk appetites, watch, limits, tolerances)?

    Escalation
    • What are your criteria for escalating metrics or issues to senior leaders, risk committees, or the BoD?

    Reporting
    • Who uses metrics, and what decisions need to be made based on these metrics?
    • How do you use/report metrics with different audiences?
    • What information is contained in your executive-level compliance metrics reports: dashboard, summary, detail, trends?
    • What is the format for these reports: MetricStream, PowerPoint, Excel, dashboards created on BI/data visualization software?

    Sustainability
    • What ‘meets min’ mappings must be made to ensure these analytics are contextually relevant?
    • What processes do you have around establishing and refreshing your thresholds?

    Some Key Considerations - Prioritizing and Rationalizing with Risk, Policy, Issues…

    [Diagram: library entities AoC, Control, Risk, Org, Ques/Proc and Requirement, linked by "Related to" relationships; a Control "Applies to" an Asset / Asset Class, Process or Product]

    Discussion: What is your Compliance Metrics Program?


    Sample Library Model – Compliance

    [Diagram: library entity types, grouped by Function, Objective, Primary Assessable Entities and Product]

    Entity types:
    • AoC (Area of Compliance)
    • Control
    • Risk
    • Org
    • Asset Class
    • Asset
    • Standard
    • Ques/Proc
    • Reg Body Survey / Checklist
    • Financial Account
    • Legal Entity
    • Process
    • Regulation / Area of Compliance Focus
    • Location
    • Requirement
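    The two slides above describe a control library as a set of linked entities (Controls "Related to" Requirements and Areas of Compliance, "Applies to" assets and processes), and the earlier metrics slide lists the numbers a program rolls up from it (# Failures by control, # Issues by control, % Testing complete by plan, # Controls by Area of Compliance). The following Python block is an added example, not code from the presentation or from FHLB Chicago's MetricStream implementation: it models that library minimally, computes those four metrics from recorded test results, and flags the "duplicates and orphans" the People slide warns about. All entity names, requirement ids and test results are constructed sample data.

```python
"""Toy compliance control library (added example; constructed sample data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Requirement:
    """One requirement taken from a regulation or standard (library 'Requirement')."""
    req_id: str
    area: str          # Area of Compliance (AoC) the requirement belongs to
    text: str


@dataclass(frozen=True)
class Control:
    """A control 'Related to' requirements and 'Applies to' assets/processes/products."""
    control_id: str
    name: str
    owner_org: str                   # first-line Org that operates the control
    requirements: Tuple[str, ...]    # Requirement ids this control satisfies
    applies_to: Tuple[str, ...]      # Asset / Process / Product names


@dataclass(frozen=True)
class TestResult:
    """Outcome of one control test inside a testing plan (e.g. a quarterly cycle)."""
    control_id: str
    plan: str
    passed: bool
    issue_id: Optional[str] = None   # issue raised in issue management on failure


class ControlLibrary:
    def __init__(self) -> None:
        self.requirements: Dict[str, Requirement] = {}
        self.controls: Dict[str, Control] = {}
        self.results: List[TestResult] = []

    def add_requirement(self, req: Requirement) -> None:
        self.requirements[req.req_id] = req

    def add_control(self, ctl: Control) -> None:
        # Governance check: a control may only cite requirements that exist in the library.
        unknown = [r for r in ctl.requirements if r not in self.requirements]
        if unknown:
            raise ValueError(f"{ctl.control_id} cites unknown requirements {unknown}")
        self.controls[ctl.control_id] = ctl

    def record_test(self, result: TestResult) -> None:
        if result.control_id not in self.controls:
            raise ValueError(f"test recorded for unknown control {result.control_id}")
        self.results.append(result)

    # ---- metrics from the deck's example list ----
    def controls_by_area(self) -> Dict[str, int]:
        """'# Controls by Area of Compliance': each control counted once per area."""
        counts: Counter = Counter()
        for ctl in self.controls.values():
            for area in {self.requirements[r].area for r in ctl.requirements}:
                counts[area] += 1
        return dict(counts)

    def failures_by_control(self) -> Dict[str, int]:
        """'# Failures by control' across all recorded tests."""
        return dict(Counter(t.control_id for t in self.results if not t.passed))

    def issues_by_control(self) -> Dict[str, int]:
        """'# Issues by control': tests that raised an issue-management record."""
        return dict(Counter(t.control_id for t in self.results if t.issue_id))

    def testing_complete_pct(self, plan: str, planned: List[str]) -> float:
        """'% Testing complete by plan': planned controls with a result in that plan."""
        tested = {t.control_id for t in self.results if t.plan == plan}
        return 100.0 * len(tested & set(planned)) / len(planned)

    # ---- hygiene checks for the 'duplicates and orphans' problem ----
    def orphan_controls(self) -> List[str]:
        """Controls mapped to no requirement, hence traceable to no AoC."""
        return sorted(c.control_id for c in self.controls.values() if not c.requirements)

    def duplicate_candidates(self) -> List[List[str]]:
        """Groups of controls with identical requirement and scope mappings."""
        groups = defaultdict(list)
        for c in self.controls.values():
            if c.requirements:
                groups[(frozenset(c.requirements), frozenset(c.applies_to))].append(c.control_id)
        return sorted(sorted(g) for g in groups.values() if len(g) > 1)


PLANNED_2019_Q2 = ["C-ACC-01", "C-ACC-02", "C-FIN-01", "C-DR-01", "C-ORPH-01"]


def build_sample_library() -> ControlLibrary:
    """Constructed sample data (hypothetical ids and names, not a real library)."""
    lib = ControlLibrary()
    lib.add_requirement(Requirement("R1", "SOX 404", "Management assesses ICFR"))
    lib.add_requirement(Requirement("R2", "NIST 800-53", "AC-2 account management"))
    lib.add_requirement(Requirement("R3", "NIST 800-53", "CP-7 alternate processing site"))
    lib.add_requirement(Requirement("R4", "ISO 27001", "A.9.2 user access management"))
    lib.add_control(Control("C-ACC-01", "Quarterly user access review", "IT Risk", ("R2", "R4"), ("Core banking app",)))
    lib.add_control(Control("C-ACC-02", "User access review (business copy)", "Ops", ("R2", "R4"), ("Core banking app",)))
    lib.add_control(Control("C-FIN-01", "Journal entry approval", "Finance", ("R1",), ("General ledger",)))
    lib.add_control(Control("C-DR-01", "Data center failover test", "Business Resilience", ("R3",), ("Primary data center",)))
    lib.add_control(Control("C-ORPH-01", "Legacy spreadsheet check", "Ops", (), ("Month-end close",)))
    lib.record_test(TestResult("C-ACC-01", "2019-Q2", True))
    lib.record_test(TestResult("C-FIN-01", "2019-Q2", False, "I-101"))
    lib.record_test(TestResult("C-DR-01", "2019-Q2", False, "I-102"))
    return lib


if __name__ == "__main__":
    lib = build_sample_library()
    print("controls by AoC:", lib.controls_by_area())
    print("failures:", lib.failures_by_control(), "issues:", lib.issues_by_control())
    print("2019-Q2 complete:", lib.testing_complete_pct("2019-Q2", PLANNED_2019_Q2), "%")
    print("orphans:", lib.orphan_controls(), "duplicates:", lib.duplicate_candidates())
```

    The rejection of unknown requirement ids in add_control is the governance hook: business-developed controls that cannot be traced to a requirement never enter the library silently, and the orphan and duplicate reports give the taxonomy owner a concrete list to rationalize.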

  • Thank You

    Continue the conversation on #GRCSummit

    http://www.facebook.com/metricstream
    http://www.linkedin.com/metricstream
    http://www.twitter.com/metricstream