How to Implement a World-Class GRC Program: Get up to speed in 45 minutes with the industry thought-leaders

Enablon 2013 - Copyright

Welcome!

Johannes Swanepoel, Risk Product Marketing, Enablon

Chris McClean, Principal Analyst, Forrester Research, Inc.

André Smiley, Senior VP GRC, Bank of the West

Agenda

• Current and future trends in risk management from the latest GRC research
• How to assess organizational risk management maturity
• How to embed risk management in all organizational processes
• First-hand experience from Bank of the West

The Current & Future State of Risk Management

Chris McClean, Principal Analyst, Research Director

GRC is showing signs of maturity

GRC in the organization:
• Usually seen as a separate function
• Still brought in as an afterthought
• Starting to consolidate

© 2012 Forrester Research, Inc. Reproduction Prohibited

At your organization, who is responsible for the day-to-day coordination of your GRC program?

Chief Executive Officer (CEO): 0%
Chief Operating Officer (COO): 0%
General Counsel (Legal): 0%
Chief Information Officer (CIO): 2%
Enterprise Risk Steering Committee: 2%
Chief Compliance Officer (CCO): 6%
Head IT Risk / CISO: 6%
Chief Financial Officer (CFO): 8%
Chief Risk Officer (CRO): 9%
Internal Audit: 11%
Other: 19%
Responsibility split over multiple depts: 28%

GRC efforts involve many functions…

Base: 53 global GRC decision-makers
Source: Forrester’s Online GRC TechRadar Customer Reference Survey, Q3 2012

At your organization, who is responsible for the overall success of your GRC program?

Don't know: 6%
Chief Information Officer (CIO): 4%
Chief Operating Officer (COO): 4%
Internal Audit: 4%
Chief Compliance Officer (CCO): 6%
Enterprise Risk Steering Committee: 6%
General Counsel (Legal): 6%
Head of IT Risk / CISO: 6%
Chief Executive Officer (CEO): 8%
Other: 9%
Chief Financial Officer (CFO): 11%
Responsibility split over multiple depts: 13%
Chief Risk Officer (CRO): 19%

…but ultimate authority may be unclear

Base: 53 global GRC decision-makers
Source: Forrester’s Online GRC TechRadar Customer Reference Survey, Q3 2012

Customer use cases are diverse… but they haven’t changed much.

(Chart: “Which of the following functions do you use the product for? Please select all that apply”, 2011 responses compared with 2009 responses.)

Base: 121 Customer references for the Enterprise and IT GRC Platforms Waves, Q4 2011
Base: 69 Customer references for the Enterprise GRC Platforms Wave, Q3 2009
Source: Forrester’s Q2 2011 Global Governance, Risk, And Compliance Platforms Wave Customer Reference Online Survey

GRC in the future:
• Central process guidance
• Distributed responsibilities
• Part of standard business process

The GRC Maturity Curve

(Chart: GRC Maturity against Time, rising through three stages: Facilitated, Automated, Embedded. Focus and technology items shown along the curve:)
• Documentation
• Manual assessments
• Workflow and alerts
• Aggregation
• Control monitoring
• Process modeling
• Dashboards
• Control enforcement
• BI/analytics
• GRC monitoring
• Business process
• Business performance

GRC benefits

Efficiency
  Benefits:
  • Reduced costs of risk assessments and aggregation
  • Speed of policy development, approval, distribution
  • Improved speed/cost of risk reporting
  • Improved speed/cost/coverage of audits
  Metrics:
  • Staff-hours saved per process
  • Payroll savings from delay or avoidance of staff increase
  • Reduction in costs for internal and external audits

Risk reduction
  Benefits:
  • Reduction in incidents, near misses, loss events
  • Reduction in regulatory fines, actions, law suits, etc.
  • Reduction in time to discover control gaps, violations
  • Reduction in audit/assessment findings
  Metrics:
  • Reduced number and cost of incidents
  • Reduced number/size of fines
  • Reduced cost of capital
  • Reduced insurance premiums

Strategic support / Enhanced performance
  Benefits:
  • Use of risk info in management/exec decisions
  • Improved decision making when risk is considered
  • Risk intelligence coverage
  • Risk management process coverage
  • Improved reputation among stakeholders (partners, regulators, customers, etc.)
  Metrics:
  • Reduction in reactionary costs
  • Frequency of risk data used in business decisions
  • Improvement in financial or operational metrics

Tips for Success

Prioritize technologies that are flexible enough to meet changing risk and compliance demands.

Consider the benefits of efficiency and cost reduction first, then look for risk reduction and strategic support for long-term value.

Remember that a large part of maturity will come with connections made between functions, roles, and frameworks.

Thank you

Chris McClean

[email protected]

How to Implement a World-Class GRC Program – Johannes Swanepoel, Enablon

GRC… risk management, audit, SOX, policies, BCP, self assessments, IT GRC

Spot the Difference

• The whole is greater than the sum of its parts

How do we overcome this?

HINDSIGHT: Root Cause Analysis and Lessons Learnt
INSIGHT: Control Assurance
FORESIGHT: Risk Assessment and Planning

Risk Management Maturity

Stages, from least to most mature: Silo Oriented · Compliance · Change Driven · Enterprise Wide

Characteristics along the curve, from silo oriented through to enterprise wide:
· Typical ERM top down approach
· Different types of processes for different types of risk
· Risk categorization is largely consequence based
· There may be some attempts at 'integrated' measurement
· Risk is seen primarily as a loss, harmful and detrimental
· Very closely linked to insurance
· The terms 'risk', 'hazards', 'threats' are used interchangeably
· Risk assessment emphasis is on documentation of risk, and assessment focuses on current risk, not future risk
· Risk events are not documented appropriately as uncertainty
· RM is motivated by reporting requirements
· Entity level risk assessment is stimulated by compliance reporting requirements
· RM measures are different for certain types of risk
· Risk is primarily seen as events, but with negative consequences
· There are inconsistent approaches to managing different risks
· Risk prioritization is leveraged in assurance activities
· RM is associated with internal control activities
· Risk identification is limited to certain business processes
· Risk is primarily seen as a statement of non-compliance
· RM is associated with the management of change
· RM processes are separate from key business processes but invoked
· RM is driven by performance based standards
· Risk is seen primarily as an uncertainty
· There is a uniform system for the analysis of risk
· Risk is associated with strategic business plans and objectives
· RM is implicit in all decisions
· RM processes are integrated in all key organizational processes
· RM is culturally driven
· Risk is seen as an uncertainty
· RM is leveraged to gain strategic advantage
· Risk is escalated up from the key process

Poll Question #2

• Where would you say your organization is today in terms of risk management maturity?

Silo oriented: 33 %
Compliance / governance oriented: 41 %
Change oriented: 15 %
Enterprise wide oriented: 11 %

Let’s evaluate the attributes of a mature program!

Accountability · Decision making · Aggressively embedded · Wide communications · Emphasized improvement

• Enforced and fully accepted accountability for risk management, risks, controls and treatment
• Directly associated to all organizational objectives
• Embedded in all organizational processes including governance and key business processes
• Wide communication to all stakeholders
• Pronounced emphasis on continual review and improvement

1. Enforce accountability

• Hold people accountable
• Report against objectives and management actions
• Monitor “RCE” and, together with “Potential Exposure”, use it to prioritize assurance activities

2. Explicitly linked with decision making

Risk management is about decisions. What is tolerable? What is our “target” level?

3. Embedded risk management

• Always viewed as core organizational process

• Regarded by senior managers as essential for the achievement of objectives

• Governance structure and process is founded on the risk management process


4. Wide communications

• Create governance structure and management reports to share the risk management plan, risk registers and performance with employees, management, the risk committee, shareholders and other stakeholders
• ALL INTERESTED PARTIES

Aggregate Risk Profile Summary

• Summarize the factors that lead to a change in the risk profile
• Report risk event summary and changes to the risk profile over time at periodic intervals

5. Manage performance and improve!

• Use unit comparison, “shame and fame” reports
• Tie to balanced scorecards
• Tie to personal and organizational objectives
• Use risk maturity programs to steer context for risk management

Thank you
Johannes Swanepoel, Enablon
[email protected]

Poll Question #3

• What should be embraced when implementing risk management?

Cultural changes in the organization will be inevitable: 88 %
This is a short term commitment (6-12 months): 0 %
Risk management is about forcing people to change: 12 %
Risk management is maintaining your risk register monthly: 0 %

Building a Mature GRC Program

André Smiley, SVP, GRC Program Manager
February 12, 2013

GRC Defined

All encompassing, comprehensive identification and mitigation of risks among various oversight groups.

Examples:
• Operational Risk
• Financial Controls (SOX)
• Corporate Compliance
• ERM
• Policy Management

“Risk Management … because all the fun jobs were taken”

What is the GRC – Our Definition

• The Governance, Risk and Compliance (GRC) platform is a framework that will assist risk professionals in the management of risk – includes people, processes and technology.
• Supports the risk objectives of Operational Risk, Corporate Compliance and Financial Controls
• All groups share common reference hierarchies (e.g. Organization, Process, Risks libraries, Control libraries, etc.)
• Shared modules: Assessment, Testing, Issues Tracking, Document Repository, Policy Management etc.
  • Each module will support multiple processes (the Assessment Module will support Enterprise Risk Assessment, RCSAs, Compliance Risk Assessment and Financial Controls Business Risk Assessment)
• Data within and between the modules can be shared and re-used (alignment)
• The three risk functions continue to explore opportunities to align processes beyond sharing results and data

Pre work – “Why” (“Inception”)

Understand the strategic objectives and primary drivers of the decision to implement GRC – what are the drivers?
• Regulatory?
• Operational?
• Obsolescence of current systems?
• Maturity and growth of risk management culture?

Pre work – “What”

Determine the strategic direction early on:
• Potentially dictates or limits vendors
• Informs the due diligence process
• Brings people to the table (or excuses them)
• Builds enthusiasm and momentum
• Start defining the culture early

Pre work – “Who”

Determine who’s in the sandbox with you! More importantly, who is NOT!
• Success means building strong allegiances
• Determine unified goals
• Look for opportunities to align business partners and processes

Pre work – “When”

• Be realistic about timeline and business drivers!
• What commitments have been made and to whom?
  – Regulators
  – Board and senior management
• Give yourself more time than you think – at every step and for every milestone

(Timeline chart, Nov through Sept) Original plan: Bus Req, Spec & Anal., Build, QA, BOW UAT, Deploy. Current plan: Bus Req, Specifications & Analysis, Build, QA, BOW UAT, Deploy.

Leading Practices

Thoughtful planning:
• Plan the scope of work before you do anything
• Scope creep can be costly in time and dollars
• Garner executive management support, early
• Timing – allow time to make thoughtful decisions, and allow for slippage
• Develop your “program office” early on – define the vision
• Business requirements and technical specifications are critical
• Define an engagement model

GRC in the Organization

(Organization chart; groups shown:)
• Executive Sponsors: Chief Risk Officer, General Counsel, Chief Financial Officer
• GRC Steering Committee
• GRC Program Team: Program Team (Platform Ownership), Governance Team; Michael Lane (IT Ops), (Risk Management)
• GRC Risk Groups: (OR), (FCM), (CC)
• Team Risk Specialists: Operational Risk, Financial Controls, Regulatory Compliance, Risk Architecture
• Business Units (Operational Risk)
• IT Support (IT Ops)
• Project Leadership
• Work streams / Working Groups: Risk Assessment, Controls Testing, Regulatory, Audit, IT Operations Representatives

Framework - Example

(Framework diagram; elements shown:)
• Domain Management: Personnel Hierarchy, Organizational Hierarchy, Financial Hierarchy, Regulatory Hierarchy, Process Hierarchy, Control Hierarchy, Product Hierarchy, Risk Entities
• Control Assessments & Testing: Risk & Control Self Assessment (RCSA), Compliance Assessment, Financial Assessment, Control Testing, Remediation & Issue Tracking
• Reporting: Op Risk Reporting, Compliance Reporting, Financial Reporting, Enterprise Reporting
• Additional Potential Framework Elements: Key Risk Indicators (KRI), Incident & Loss Mgmt, Scenario Analysis, External Loss Events, Tracking and Performance Data, Capital, Other Repositories?

Features
• Standardized hierarchies across Finance, Compliance and Operational Risk
• Shared framework and tool for Domain Management, Control Assessments & Testing, and Reporting
• Tool support for additional Operational Risk Framework elements

Data Structure - Example

Data is structured to align with the Organizations and Activities (Processes) of the Bank. In addition, data collected as part of the risk assessments is aligned to standard categories (Risk Libraries, Control Libraries, Products) to allow for comparative analysis and consolidated reporting.

Activities (Processes):
• Advisory, Investment Brokerage, Asset Management & Capital Markets
• Deposit & Other related products
• Insurance
• Leasing
• Lending
• Money Movement
• Manage Capital Funding & Liquidity
• Manage Compliance, Corporate Security & Legal
• Manage financial Reporting and Taxation
• Manage Human Resources
• Manage Information Technology
• Manage Marketing Programs
• Manage Physical Assets and Facilities
• Manage Risk Systems
• Manage Suppliers and Outsourcing Service Providers

Categories: Risk Types, Control Types, Regulations, Financial Accounts, Products

Risk and Control Taxonomy - Example

The following example is for illustrative purposes only:

BASEL II Level 2 Reg B Risk Categories
• Suitability, Fiduciary and Disclosure
• Improper business or market practices
• Services or products flaws
• Transaction Capture, Execution and Maintenance
• Financial surveillance and notification
• Customer intake and documentation
• Customer / Client Account Management

BASEL I Reg B Risk Categories
• Internal Fraud
• External Fraud
• Disasters and other events
• Practices regarding employment and safety on the workplace
• Clients, Products, and Business Processes
• Business disruption and system failure - Other Disruption
• Business disruption and system failure - System Failure
• Execution Delivery and Process Management
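As an added example (not from the webinar, nor code from Enablon, Forrester or Bank of the West), the Python below shows what the data-structure and taxonomy slides describe in working form: every assessment record is aligned to shared reference hierarchies (organization, process, risk category) so that records from different risk groups can be rolled up for consolidated reporting, compared across units, and tracked period over period, which is what the earlier "Aggregate Risk Profile Summary" slide asks for (factors that lead to a change in the risk profile, reported at periodic intervals). The org units, scores, records and the grouping of the Level 2 categories under Level 1 categories are constructed assumptions made for this example, not the bank's data.

```python
"""Toy risk register: records aligned to shared reference hierarchies, consolidated
roll-ups and a period-over-period risk profile change report.
Added example with constructed data; not the webinar's or any vendor's code."""
from collections import defaultdict
from dataclasses import dataclass

# Shared taxonomy. The category names come from the deck's taxonomy slide; the
# grouping of Level 2 names under a Level 1 name is an assumption for this example.
RISK_TAXONOMY = {
    "Clients, Products, and Business Processes": (
        "Suitability, Fiduciary and Disclosure",
        "Improper business or market practices",
        "Services or products flaws",
    ),
    "Execution Delivery and Process Management": (
        "Transaction Capture, Execution and Maintenance",
        "Financial surveillance and notification",
        "Customer intake and documentation",
        "Customer / Client Account Management",
    ),
}
LEVEL2_TO_LEVEL1 = {l2: l1 for l1, l2s in RISK_TAXONOMY.items() for l2 in l2s}


@dataclass(frozen=True)
class RiskRecord:
    period: str                   # reporting period, e.g. "2013-Q1"
    org_unit: str                 # node of the organizational hierarchy
    process: str                  # node of the activities (processes) hierarchy
    risk_level2: str              # Level 2 category from the shared taxonomy
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (minor) .. 5 (severe)
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective)

    @property
    def inherent(self) -> float:
        return float(self.likelihood * self.impact)

    @property
    def residual(self) -> float:
        # Exposure left after controls; this is what gets aggregated and reported.
        return self.inherent * (1.0 - self.control_effectiveness)


def validate(records):
    """Alignment check: a record outside the shared taxonomy or scoring scale
    cannot be rolled up or compared, so report it before any reporting runs."""
    errors = []
    for r in records:
        where = f"{r.period} {r.org_unit}/{r.process}"
        if r.risk_level2 not in LEVEL2_TO_LEVEL1:
            errors.append(f"{where}: unknown risk category {r.risk_level2!r}")
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            errors.append(f"{where}: likelihood and impact must be 1..5")
        if not 0.0 <= r.control_effectiveness <= 1.0:
            errors.append(f"{where}: control effectiveness must be 0..1")
    return errors


def rollup(records, period, by="level1"):
    """Consolidated residual exposure for one period, keyed by Level 1 risk
    category (default) or by any record field such as 'org_unit' or 'process'."""
    totals = defaultdict(float)
    for r in records:
        if r.period != period:
            continue
        key = LEVEL2_TO_LEVEL1[r.risk_level2] if by == "level1" else getattr(r, by)
        totals[key] += r.residual
    return dict(totals)


def profile_change(records, prev, curr):
    """Per Level 1 category: previous and current residual totals, the delta, and the
    individual risks that drove it (new, closed or re-scored) between two periods."""
    def by_key(period):
        return {(r.org_unit, r.process, r.risk_level2): r.residual
                for r in records if r.period == period}
    before, after = by_key(prev), by_key(curr)
    report = {}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, 0.0), after.get(key, 0.0)
        entry = report.setdefault(LEVEL2_TO_LEVEL1[key[2]],
                                  {"previous": 0.0, "current": 0.0, "delta": 0.0, "drivers": []})
        entry["previous"] += old
        entry["current"] += new
        entry["delta"] += new - old
        if new != old:
            status = "new" if key not in before else "closed" if key not in after else "changed"
            entry["drivers"].append((key, status, new - old))
    return report


# Constructed sample data: two quarters of assessments from three groups.
ADVISORY = "Advisory, Investment Brokerage, Asset Management & Capital Markets"
SAMPLE_RECORDS = [
    RiskRecord("2013-Q1", "Retail Banking", "Lending", "Customer intake and documentation", 3, 4, 0.50),
    RiskRecord("2013-Q1", "Retail Banking", "Deposit & Other related products", "Services or products flaws", 2, 3, 0.00),
    RiskRecord("2013-Q1", "Wealth Management", ADVISORY, "Suitability, Fiduciary and Disclosure", 4, 5, 0.75),
    RiskRecord("2013-Q2", "Retail Banking", "Lending", "Customer intake and documentation", 3, 4, 0.75),  # control improved
    RiskRecord("2013-Q2", "Retail Banking", "Deposit & Other related products", "Services or products flaws", 3, 3, 0.00),  # likelihood rose
    RiskRecord("2013-Q2", "Wealth Management", ADVISORY, "Suitability, Fiduciary and Disclosure", 4, 5, 0.75),
    RiskRecord("2013-Q2", "Operations", "Money Movement", "Transaction Capture, Execution and Maintenance", 2, 2, 0.50),  # newly identified
]

if __name__ == "__main__":
    assert not validate(SAMPLE_RECORDS)
    print("Q2 residual by Level 1 category:", rollup(SAMPLE_RECORDS, "2013-Q2"))
    for level1, e in profile_change(SAMPLE_RECORDS, "2013-Q1", "2013-Q2").items():
        print(f"{level1}: {e['previous']:.1f} -> {e['current']:.1f} ({e['delta']:+.1f})")
        for key, status, delta in e["drivers"]:
            print(f"  {status:>7} {delta:+.1f}  {key[0]} / {key[1]} / {key[2]}")
```

The validation step is the part worth keeping from this: comparative analysis only works when every group's records use the same hierarchies, so a record that carries a category outside the shared library is rejected before it can silently vanish from a roll-up or distort a period-over-period comparison.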

Industry Challenges

• Industry Challenge Discussion Topic: Convergence vs. Alignment
  Convergence: An act or instance of converging – concurrence in thought
  Alignment: A state of agreement or cooperation among persons, groups etc., with a common cause or viewpoint – coordinated functioning
• Sharing like perspectives, concepts and frameworks
  – Enterprise Risk Hierarchy
  – Risk Assessment
  – Taxonomy
  – Library Framework
  – Governance Structure
• What’s the difference:
  – Convergence implies “concurrence” in thought – assertion that there can only be one way to do something correctly
  – Alignment strives for a shared cooperative vision. “Common where possible but custom where necessary” approach

Poll Question #4

• Where does your institution fall on the Risk Management / GRC Maturity curve?

Manual / not started: 24 %
Inception / we have a plan: 26 %
Implemented / foundation: 46 %
Fully embedded / maximizing business performance: 4 %

GRC Risk Management Maturity Model

Stages: Foundational · Developing · Integrated · Business Value

Framework attributes shown on the curve:
• Framework identified and adopted
• Policies & Standards developed
• Reactive risk response
• Identification and assessment processes are deployed
• Resources are dedicated across the enterprise to support Operational Risk processes
• Risk measurement processes are under development
• Business level view of risk
• Risk-aware culture
• Management utilizes risk management to gain competitive advantage (strategic)
• Control environments are optimized and balanced against rewards
• Risk measurement processes are maturing
• Enterprise level view of risk
• Risk processes are integrated
• Management of risk built into routine business processes
• Proactive monitoring of risk environment deployed
• Risk appetite and tolerance levels integrated into risk processes

As risk professionals move up the maturity curve, this evolution of maturity will impact the deployment of the GRC program.


Appendix: GRC Program Development

Appendix: Guiding Principles (SAMPLE)

1. Accountability: There is clearly defined ownership of the GRC tool and of all components within the GRC platform. Establish the program office early on.
2. Change Management: Changes to the scope of the project or to the business requirements must be approved by the cross-functional governance team prior to implementation of changes.
3. Complexity: Simple solutions to a problem will be selected over complex solutions. Customization of the GRC platform will be kept to a minimum.
4. Alignment: Risk Group approaches will be aligned to the fullest practicable extent (e.g. “context elements”: risk hierarchy, taxonomy, controls framework, governance).
5. Sustainability: Processes within the solution will be engineered to be repeatable year after year with flexibility to be improved over time as needs arise.
6. Risk Content: Risk information takes into consideration constituencies (e.g., board, management, customers, regulators, rating agencies), aligns strategic objectives and drives business value.

Appendix: Roles and Responsibilities (SAMPLE)

Role: Executive Sponsors
Key Responsibilities:
• Provide ultimate accountability for implementation of project.
• Align project goals with corporate strategy.
• Define and promote GRC vision, mission, objectives and responsibilities.
RACI: Accountable
BoW Resources: Counsel, Chief Risk Officer

Role: Leadership Team
Key Responsibilities:
• Lead overall execution of tool implementation.
• Provide approval for completion of milestone tasks and project progression.
• Provide approval for finalized documentation and other deliverables.
RACI: Responsible
BoW Resources: Chief Compliance Officer, Finance Lead, Head of Operational Risk

Role: Project Managers
Key Responsibilities:
• Coordinate assignment of tasks to individual members of their risk group.
• Determine areas of convergence/alignment.
• Ensure timely delivery of work product within their risk group.
• Serve as main point of contact between their group, vendor and advisor staff.
• Provide staff resources for project tasks.
RACI: Responsible
BoW Resources: Risk Group Project Managers

Role: Working Group Representatives
Key Responsibilities:
• Provide subject matter expertise on processes and technology requirements within their group (CC, FCM, ORM).
• Attend weekly status meetings with vendor and advisor.
• Provide guidance on details of execution of alignment activities.
• Resolve IT access and environmental issues (IT Ops).
RACI: Responsible / Consulted
BoW Resources: Risk Group Representatives, Risk Group Specialist, Subject Matter Experts

Speaker Contact Details

• Chris McClean, Principal Analyst at Forrester Research, Inc: [email protected]
• André Smiley, Senior VP, GRC at Bank of the West: [email protected]
• Johannes Swanepoel, Product Marketing Manager at Enablon: [email protected]
• For additional information: [email protected]

Thank you!