How to Implement a World-Class GRC Program: Get up to speed in 45 minutes with the industry thought-leaders
Enablon 2013 - Copyright
Welcome!
Johannes Swanepoel, Risk Product Marketing, Enablon
Chris McClean, Principal Analyst, Forrester Research, Inc.
André Smiley, Senior VP GRC, Bank of the West
Agenda
• Current and future trends in risk management from the latest GRC research
• How to assess organizational risk management maturity
• How to embed risk management in all organizational processes
• First-hand experience from Bank of the West
GRC in the organization
• Usually seen as a separate function
• Still brought in as an afterthought
• Starting to consolidate
© 2012 Forrester Research, Inc. Reproduction Prohibited
At your organization, who is responsible for the day-to-day coordination of your GRC program?
• Chief Executive Officer (CEO): 0%
• Chief Operating Officer (COO): 0%
• General Counsel (Legal): 0%
• Chief Information Officer (CIO): 2%
• Enterprise Risk Steering Committee: 2%
• Chief Compliance Officer (CCO): 6%
• Head IT Risk / CISO: 6%
• Chief Financial Officer (CFO): 8%
• Chief Risk Officer (CRO): 9%
• Internal Audit: 11%
• Other: 19%
• Responsibility split over multiple depts: 28%
GRC efforts involve many functions…
Base: 53 global GRC decision-makers
Source: Forrester’s Online GRC TechRadar Customer Reference Survey, Q3 2012
At your organization, who is responsible for the overall success of your GRC program?
• Don't know: 6%
• Chief Information Officer (CIO): 4%
• Chief Operating Officer (COO): 4%
• Internal Audit: 4%
• Chief Compliance Officer (CCO): 6%
• Enterprise Risk Steering Committee: 6%
• General Counsel (Legal): 6%
• Head of IT Risk / CISO: 6%
• Chief Executive Officer (CEO): 8%
• Other: 9%
• Chief Financial Officer (CFO): 11%
• Responsibility split over multiple depts: 13%
• Chief Risk Officer (CRO): 19%
…but ultimate authority may be unclear
Base: 53 global GRC decision-makers
Source: Forrester’s Online GRC TechRadar Customer Reference Survey, Q3 2012
Customer use cases are diverse… but they haven’t changed much.
Chart: Which of the following functions do you use the product for? (Please select all that apply; 2011 responses compared with 2009)
Base: 121 Customer references for the Enterprise and IT GRC Platforms Waves, Q4 2011; 69 Customer references for the Enterprise GRC Platforms Wave, Q3 2009
Source: Forrester’s Q2 2011 Global Governance, Risk, And Compliance Platforms Wave Customer Reference Online Survey
GRC in the future
• Central process guidance
• Distributed responsibilities
• Part of standard business process
The GRC Maturity Curve
Chart: GRC maturity plotted against time, rising through three stages: Facilitated, Automated, Embedded.
Focus elements shown along the curve: Documentation, Manual assessments, Control monitoring, GRC monitoring, Control enforcement, Business process, Business performance
Technology elements shown along the curve: Workflow and alerts, Aggregation, Dashboards, BI/analytics, Process modeling
GRC benefits
Category: Efficiency
Benefits:
• Reduced costs of risk assessments and aggregation
• Speed of policy development, approval, distribution
• Improved speed/cost of risk reporting
• Improved speed/cost/coverage of audits
Metrics:
• Staff-hours saved per process
• Payroll savings from delay or avoidance of staff increase
• Reduction in costs for internal and external audits
Category: Risk reduction
Benefits:
• Reduction in incidents, near misses, loss events
• Reduction in regulatory fines, actions, lawsuits, etc.
• Reduction in time to discover control gaps, violations
• Reduction in audit/assessment findings
Metrics:
• Reduced number and cost of incidents
• Reduced number/size of fines
• Reduced cost of capital
• Reduced insurance premiums
Category: Strategic support / Enhanced performance
Benefits:
• Use of risk info in management/exec decisions
• Improved decision making when risk is considered
• Risk intelligence coverage
• Risk management process coverage
• Improved reputation among stakeholders (partners, regulators, customers, etc.)
Metrics:
• Reduction in reactionary costs
• Frequency of risk data used in business decisions
• Improvement in financial or operational metrics
Tips for Success
• Prioritize technologies that are flexible enough to meet changing risk and compliance demands.
• Consider the benefits of efficiency and cost reduction first, then look for risk reduction and strategic support for long-term value.
• Remember that a large part of maturity will come with connections made between functions, roles, and frameworks.
GRC… Risk Management, Audit, SOX, Policies, BCP, Self Assessments, IT GRC
Spot the Difference
• The whole is greater than the sum of its parts
HINDSIGHT: Root Cause Analysis and Lessons Learnt
INSIGHT: Control Assurance
FORESIGHT: Risk Assessment and Planning
Risk Management Maturity
Stages, from least to most mature: Silo Oriented, Compliance, Change Driven, Enterprise Wide
• Typical ERM top down approach
• Different types of processes for different types of risk
• Risk categorization is largely consequence based
• There may be some attempts at 'integrated' measurement
• Risk is seen primarily as a loss, harmful and detrimental
• Very closely linked to insurance
• The terms 'risk', 'hazards', 'threats' are used interchangeably
• Risk assessment emphasis is on documentation of risk, and assessment focuses on current risk, not future risk
• Risk events are not documented appropriately as uncertainty
• RM is motivated by reporting requirements
• Entity level risk assessment is stimulated by compliance reporting requirement
• RM measures are different for certain types of risk
• Risk is primarily seen as events, but with negative consequences
• There are inconsistent approaches to managing different risks
• Risk prioritization is leveraged in assurance activities
• RM is associated with internal control activities
• Risk identification is limited to certain business processes
• Risk is primarily seen as a statement of non-compliance
• RM is associated with the management of change
• RM processes are separate from key business processes but invoked
• RM is driven by performance based standards
• Risk is seen primarily as an uncertainty
• There is a uniform system for the analysis of risk
• Risk is associated with strategic business plans and objectives
• RM is implicit in all decisions
• RM processes are integrated in all key organizational processes
• RM is culturally driven
• Risk is seen as an uncertainty
• RM is leveraged to gain strategic advantage
• Risk is escalated up from the key process
Poll Question #2
• Where would you say your organization is today in terms of risk management maturity?
– Silo oriented: 33 %
– Compliance / governance oriented: 41 %
– Change oriented: 15 %
– Enterprise wide oriented: 11 %
Attributes of a mature program: Accountability, Decision making, Aggressively embedded, Wide communications, Emphasized improvement
Let’s evaluate the attributes of a mature program!
• Enforced and fully accepted accountability for risk management, risks, controls and treatment
• Directly associated to all organizational objectives
• Embedded in all organizational processes including governance and key business processes
• Wide communication to all stakeholders
• Pronounced emphasis on continual review and improvement
1. Enforce accountability
• Hold people accountable
• Report against objectives and management actions
• Monitor “RCE” and, together with “Potential Exposure”, use it to prioritize assurance activities
2. Explicitly linked with decision making
Risk management is about decisions. What is tolerable? What is our “target” level?
3. Embedded risk management
• Always viewed as core organizational process
• Regarded by senior managers as essential for the achievement of objectives
• Governance structure and process is founded on the risk management process
4. Wide communications
• Create governance structure and management reports to share the risk management plan, risk registers and performance with employees, management, the risk committee, shareholders and other stakeholders
• ALL INTERESTED PARTIES
Aggregate Risk Profile Summary
• Summarize the factors that lead to a change in the risk profile
• Report risk event summary and changes to the risk profile over time at periodic intervals
5. Manage performance and improve!
• Use unit comparison, “shame and fame” reports
• Tie to balanced scorecards
• Tie to personal and organizational objectives
• Use risk maturity programs to steer context for risk management
Thank you, Johannes Swanepoel, Enablon
Poll Question #3
• What should be embraced when implementing risk management?
– Cultural changes in the organization will be inevitable: 88 %
– This is a short term commitment (6-12 months): 0 %
– Risk management is about forcing people to change: 12 %
– Risk management is maintaining your risk register monthly: 0 %
GRC Defined
All encompassing, comprehensive identification and mitigation of risks among various oversight groups.
Examples:
• Operational Risk
• Financial Controls (SOX)
• Corporate Compliance
• ERM
• Policy Management
“Risk Management … because all the fun jobs were taken”
What is the GRC – Our Definition
The Governance, Risk and Compliance (GRC) platform is a framework that will assist risk professionals in the management of risk – it includes people, processes and technology.
• Supports the risk objectives of Operational Risk, Corporate Compliance and Financial Controls
• All groups share common reference hierarchies (e.g. Organization, Process, Risk libraries, Control libraries, etc.)
• Shared modules: Assessment, Testing, Issues Tracking, Document Repository, Policy Management etc.
• Each module will support multiple processes (the Assessment Module will support Enterprise Risk Assessment, RCSAs, Compliance Risk Assessment and Financial Controls Business Risk Assessment)
• Data within and between the modules can be shared and re-used (alignment)
• The three risk functions continue to explore opportunities to align processes beyond sharing results and data
Pre work – “Why”
“Inception”
Understand the strategic objectives and primary drivers of the decision to implement GRC – what are the drivers?
• Regulatory?
• Operational?
• Obsolescence of current systems?
• Maturity and growth of risk management culture?
Pre work – “What”
Determine the strategic direction early on
• Potentially dictates or limits vendors
• Informs the due diligence process
• Brings people to the table (or excuses them)
• Builds enthusiasm and momentum
Start defining the culture early
Pre work – “Who”
More importantly, who is NOT!
• Success means building strong allegiances
• Determine unified goals
• Look for opportunities to align business partners and processes
Pre work – “When”
• Be realistic about timeline and business drivers!
• What commitments have been made and to whom?
– Regulators
– Board and senior management
• Give yourself more time than you think – at every step and for every milestone
Timeline chart (Nov to Sept) comparing the original plan with the current plan; each plan runs through the phases Bus Req, Specifications & Analysis, Build, QA, BOW UAT, Deploy
Leading Practices
Thoughtful planning
• Plan the scope of work before you do anything
• Scope creep can be costly in time and dollars
• Garner executive management support, early
• Timing – allow time to make thoughtful decisions, and allow for slippage
• Develop your “program office” early on – define the vision
• Business requirements and technical specifications are critical
• Define an engagement model
GRC in the Organization (organization chart)
• Executive Sponsors: Chief Risk Officer, General Counsel, Chief Financial Officer
• GRC Steering Committee
• PROJECT LEADERSHIP
• GRC Program Team (IT Ops, Risk Management): Platform Ownership, Program Team; named on the chart: Michael Lane
• GRC Risk Groups: OR, FCM, CC
• Governance Team Risk Specialists: Operational Risk, Financial Controls, Regulatory Compliance, Risk Architecture
• Business Units (Operational Risk)
• IT Support (IT Ops)
• Work streams / Working Groups: Risk Assessment, Controls Testing, Regulatory, IT Operations Representatives, Audit
Framework - Example (diagram)
• Domain Management hierarchies: Personnel Hierarchy, Organizational Hierarchy, Financial Hierarchy, Regulatory Hierarchy, Process Hierarchy, Control Hierarchy, Product Hierarchy; Risk Entities
• Control Assessments & Testing: Control Testing, Remediation & Issue Tracking; Compliance Assessment; Financial Assessment
• Reporting: Compliance Reporting, Financial Reporting, Op Risk Reporting, Enterprise Reporting
• Other elements shown: Risk & Control Self Assessment (RCSA), Key Risk Indicators (KRI), Incident & Loss Mgmt, Scenario Analysis, Compliance
• Additional Potential Framework Elements: External Loss Events, Tracking and Performance Data, Capital, Other Repositories?
Features
• Standardized hierarchies across Finance, Compliance and Operational Risk
• Shared framework and tool for Domain Management, Control Assessments & Testing, and Reporting
• Tool support for additional Operational Risk Framework elements
Data Structure - Example
Data is structured in alignment with the Organizations and Activities (Processes) of the Bank. In addition, data collected as part of the risk assessments is aligned to standard categories (Risk Libraries, Control Libraries, Products) to allow for comparative analysis and consolidated reporting.
Activities (Processes):
• Advisory, Investment Brokerage, Asset Management & Capital Markets
• Deposit & Other related products
• Insurance
• Leasing
• Lending
• Money Movement
• Manage Capital Funding & Liquidity
• Manage Compliance, Corporate Security & Legal
• Manage Financial Reporting and Taxation
• Manage Human Resources
• Manage Information Technology
• Manage Marketing Programs
• Manage Physical Assets and Facilities
• Manage Risk Systems
• Manage Suppliers and Outsourcing Service Providers
Categories: Risk Types, Control Types, Regulations, Financial Accounts, Products
Risk and Control Taxonomy - Example
The following example is for illustrative purposes only:
BASEL II Level 2 Reg B Risk Categories
• Suitability, Fiduciary and Disclosure
• Improper business or market practices
• Services or products flaws
• Transaction Capture, Execution and Maintenance
• Financial surveillance and notification
• Customer intake and documentation
• Customer / Client Account Management
BASEL I Reg B Risk Categories
• Internal Fraud
• External Fraud
• Disasters and other events
• Practices regarding employment and safety in the workplace
• Clients, Products, and Business Processes
• Business disruption and system failure - Other Disruption
• Business disruption and system failure - System Failure
• Execution Delivery and Process Management
Industry Challenges
• Industry Challenge Discussion Topic: Convergence vs. Alignment
– Convergence: An act or instance of converging – concurrence in thought
– Alignment: A state of agreement or cooperation among persons, groups etc., with a common cause or viewpoint – coordinated functioning
• Sharing like perspectives, concepts and frameworks
– Enterprise Risk Hierarchy
– Risk Assessment
– Taxonomy
– Library Framework
– Governance Structure
• What’s the difference:
– Convergence implies “concurrence” in thought – assertion that there can only be one way to do something correctly
– Alignment strives for a shared cooperative vision. “Common where possible but custom where necessary” approach
Poll Question #4
• Where does your institution fall on the Risk Management / GRC Maturity curve?
– Manual / not started: 24 %
– Inception / we have a plan: 26 %
– Implemented / foundation: 46 %
– Fully embedded / maximizing business performance: 4 %
GRC Risk Management Maturity Model
Stages: Foundational, Developing, Integrated, Business Value
Framework Attributes:
• Framework identified and adopted
• Policies & Standards developed
• Reactive risk response
• Identification and assessment processes are deployed
• Resources are dedicated across the enterprise to support Operational Risk processes
• Risk measurement processes are under development
• Business level view of risk
• Risk-aware culture
• Management utilizes risk management to gain competitive advantage (strategic)
• Control environments are optimized and balanced against rewards
• Risk measurement processes are maturing
• Enterprise level view of risk
• Risk processes are integrated
• Management of risk built into routine business processes
• Proactive monitoring of risk environment deployed
• Risk appetite and tolerance levels integrated into risk processes
As risk professionals move up the maturity curve, this evolution of maturity will impact the deployment of the GRC program.
Appendix: Guiding Principles (SAMPLE)
1. Accountability – There is clearly defined ownership of the GRC tool and of all components within the GRC platform. Establish the program office early on.
2. Change Management – Changes to the scope of the project or to the business requirements must be approved by the cross-functional governance team prior to implementation of changes.
3. Complexity – Simple solutions to a problem will be selected over complex solutions. Customization of the GRC platform will be kept to a minimum.
4. Alignment – Risk Group approaches will be aligned to the fullest practicable extent (e.g. “context elements”: risk hierarchy, taxonomy, controls framework, governance).
5. Sustainability – Processes within the solution will be engineered to be repeatable year after year with flexibility to be improved over time as needs arise.
6. Risk Content – Risk information takes into consideration constituencies (e.g., board, management, customers, regulators, rating agencies), aligns strategic objectives and drives business value.
Appendix: Roles and Responsibilities (SAMPLE)
Role: Executive Sponsors
Key Responsibilities:
• Provide ultimate accountability for implementation of project.
• Align project goals with corporate strategy.
• Define and promote GRC vision, mission, objectives and responsibilities.
RACI: Accountable
BoW Resources: Counsel, Chief Risk Officer

Role: Leadership Team
Key Responsibilities:
• Lead overall execution of tool implementation.
• Provide approval for completion of milestone tasks and project progression.
• Provide approval for finalized documentation and other deliverables.
RACI: Responsible
BoW Resources: Chief Compliance Officer, Finance Lead, Head of Operational Risk

Role: Project Managers
Key Responsibilities:
• Coordinate assignment of tasks to individual members of their risk group.
• Determine areas of convergence/alignment.
• Ensure timely delivery of work product within their risk group.
• Serve as main point of contact between their group, vendor and advisor staff.
• Provide staff resources for project tasks.
RACI: Responsible
BoW Resources: Risk Group Project Managers

Role: Working Group Representatives (Risk Group Representatives)
Key Responsibilities:
• Provide subject matter expertise on processes and technology requirements within their group (CC, FCM, ORM).
• Attend weekly status meetings with vendor and advisor.
• Provide guidance on details of execution of alignment activities.
• Resolve IT access and environmental issues (IT Ops).
RACI: Responsible / Consulted
BoW Resources: Risk Group Specialist, Subject Matter Experts
Speaker Contact Details
• Chris McClean Principal Analyst at Forrester Research, Inc
• André Smiley Senior VP, GRC at Bank of the West
• Johannes Swanepoel Product Marketing Manager at Enablon
• For additional information [email protected]