Risk Technology Strategy, Selection and Implementation Scott Farquharson Principal – Risk Services RMIA 1 st October 2014

Upload: risk-management-institution-of-australasia

Post on 03-Jul-2015


Page 1: Risk Technology Strategy, Selection and Implementation

Risk Technology Strategy, Selection and Implementation

Scott Farquharson

Principal – Risk Services

RMIA 1st October 2014

Page 2

Today's Agenda…

• Context - Risk Capability

• Why do we need technology and what can it do?

• Focus on Core components

• Strategy

• Selection

• Implementation

Page 3

Our Approach Today…

From the CRO perspective…

Governance and Assurance

Office of CRO

Risk SMEs

Business

Look at Capability across the Organisation

Page 4

A Quick Definition…

So what are we talking about when we say GRC…? Who are we talking about? What processes and activities? What systems?

What we mean by GRC: Corporate Governance, IT Governance, Financial Reporting Compliance, SOX, P7, Operational Risk, Safety, Legal Compliance, Strategic Risk, Privacy, Project Delivery Risk, Ethics, Controls, Security, AML, Environmental Compliance, Enterprise Risk Management, Access Risk, Business Continuity Planning, Whistleblower, Risk Financing, Risk Management, Corporate Compliance.

Who: Finance, Internal Audit, Security, IT, Legal, HR, Board Liaison, Business Units, Consultants, Customer, Insurance, Board, Operations, Quality Management, Safety, Company Secretarial, External Audit.

Processes and activities: Risk Assessments, Audits, Self Assessments, Investigations, Risk Reports, Training, Community Consultation, Advice, Remediation, Stakeholder Reporting, Policy Management, Frameworks, Incident Management, Risk Financing, Audit Actions, Board Reporting, Audit Remediation, Delegation of Authority, Hazard Identification, SoDs.

Systems: Risk Database, Security System, Audit System, EHS System, Financial Systems, Portfolio Management, Surveys, Audit Issues, Operational Systems, Back Office, Compliance System, Spreadsheets, Access Databases, CRM, Loss Management, Claims Management, Investigations Management, FICO, Plant Management.

Page 5

What is the Value of Risk…?

Objective / What / Examples:

Licence to Operate – Meeting our legal, regulatory and social obligations. Examples: good corporate governance; compliance; laws and regulation.

Protecting Value – Minimising loss and protecting shareholder value, brand and reputation. Examples: control frameworks; contract risk; fraud risk; insurance; BCM.

Driving Efficiency – Doing things right; business efficiency; understanding total cost of risk. Examples: process risk and control; prioritising management attention.

Creating Value – Doing the right things; where and when to take a "risk"; better decision support. Examples: risk appetite; risk culture; risk adjusted returns; scenario planning.

Rewarded risk – Provides a premium if managed well. It relates to risks in areas such as mergers and acquisitions, product development, investment, markets and business models, risk adjusted returns, VaR.

Unrewarded risk – Provides no premium if managed well. It relates to risk areas such as financial misstatement, compliance with laws and regulation and fraud. "Must" be done.

Axis labels: Driving Shareholder Value; Guarding the Balance Sheet – Protecting the Brand.

Page 6

However a Siloed Approach Lessens Effectiveness…

Risk Integration has a significant impact on overall Risk Management effectiveness

Source – Corporate Executive Board

Page 7

A Number of Stumbling Blocks…

Timely Assessment and Reporting of Emerging & Changing Risk Information

Duplication with Multiple Assurance Activities Across Enterprise

Obtaining Quality Risk Information from the Business

Lack of Transparency of Key Risks

Disconnect between Risk Appetite and Risk Profile & GRC Efforts

Risk Information is Siloed Across a Number of GRC Providers

Manual and inefficient processes

GRC efforts are not aligned to strategy delivery

Poor cross functional integration and lack of clarity of accountability

Source – Corporate Executive Board

Page 8

Re-Thinking Risk Capability…

Common Enterprise GRC Processes: Risk and Obligation Identification; Analysis and Evaluation; Risk Mitigation and Control Design; Control Activities; Corporate Policies; Monitoring, Testing and Assurance; Incident/Loss Management Investigations; Reporting and Communication

Source Systems: EHS Systems; Security Systems; PMO System; Enterprise Risk Management System; Compliance Management System; Internal Audit System

Single Source of Truth

Information Flows and Reporting Channels

Roles and Responsibilities

Accountability Model (RACI)

Technology

Reporting and Analytics

Organisational Structure

Page 9

Operating Model Components…

Three Lines of Defence

Organisation Structure and Engagement

Cultural Drivers

People

Defined GRC Processes

Common Risk Language

Industry Standards

Process

Repository - Single Source of Truth

Analytics and Reporting

Workflows and automation

Technology

Operating Model Assessed Through Capability Maturity Model

Governance

Context

Page 10

The Role of Technology…

Information to support risk decisions

Efficiency of risk processes

Page 11

What Else Does it Do…

Single source of truth

Consistency of data

Improved transparency

Speed of Action

Page 12

GRC Capability Maturity Model…

Level 1 – Non-Existent: Manual (paper) processes only.

Level 2 – Ad Hoc / Initial: Risk registers for some risks in Excel; qualitative only.

Level 3 – Siloed / Top Down: Overall risk register in Excel; some SME systems in place for critical risks; qualitative only.

Level 4 – Repeatable / Managed: Overall risk register in a GRC tool; SME systems in place; some quantitative.

Level 5 – Systematic / Leading: Integrated GRC in place; integration with SME systems; integration with ERP; qualitative and quantitative; automated CSA.

Level 6 – Optimised: Integrated GRC and SME; ERP integration; risk appetite and tolerances; KRIs; decision support analytics; predictive.

Page 13

Incorporates Industry Standards…

ISO31000 – Risk Management

OCEG, ISO31000, HB158, HB254, AS3806, AS8000, HB221, etc.

COSO – Enterprise Risk Management and Control Framework

ITIL – IT Process Model

COBIT5 – IT Control Framework

+ ISO27000, AS8015, HB231, PCIDSS, etc. – IT Risk and Compliance Management Standards

IT Specific Components – Built into SAP GRC

Page 14

3 Lines of Defence Provides Basis for the Model…

3rd Line of Defence – Oversight: Board; Board Risk Audit Committee. Assurance: External Audit; External Providers; Internal Assurance Function.

Provides oversight, independent testing, verification and review on the efficacy of:

• GRC frameworks

• Business management of risk

• Business compliance with Internal/External Obligations

Identifies opportunities for improved business performance

2nd Line of Defence – Common Risk Infrastructure: Central GRC Functions; Support Units.

Provides the major mechanism for Governance through a central Policy Framework and repository.

Provides enterprise GRC frameworks

Provides enterprise GRC programs

Provides Subject Matter Experts for enterprise risks

Monitors adherence to frameworks, enterprise risk and compliance programs and losses/incidents

Escalates and provides aggregated risk and compliance reporting

1st Line of Defence – Risk Ownership: Executive Management; Business Units.

Adheres to enterprise risk and compliance frameworks

Owns the risk, control and losses/incidents

Understands its risk profile and control framework

Performs risk/control self assessment

Must meet internal and external obligations – compliance

Clear Lines of Accountability for GRC Activities

Page 15

Technology Support at Each Line of Defence

3rd Line of Defence – Oversight: Board; Board Risk Audit Committee. Assurance: External Audit; External Providers; Internal Assurance Function.

Board Papers and Communication

Audit Planning and Management

CCM

Review Risk and Control Profiles

Review Incident Reports

2nd Line of Defence – Common Risk Infrastructure: Central GRC Functions; Support Units and SMEs.

Consolidate Risk Reports

Risk Analytics

Update Obligations Register

Plan Assessments

Conduct Surveys

1st Line of Defence – Risk Ownership: Executive Management; Business Units.

Create Risks and Controls

Assess Risks

Control Self Assessment

Review Risk Profile

Page 16

Model Must be Aligned to the Risk Profile...

Columns: Compliance Obligations | Risk | Policy | Process | GRC | Risk Specific | ERP | Analytics | Integrated

Information Compliance: Privacy, PCI/DSS, FOI, Records / Archives / ACMA | Information Risk: Technology / Info Security, Records & Archives | Information Management, IT Security | × x x ×

Financial Compliance: AML / FSL / APRA / SOX / P7 | Financial Integrity Risk: Technology / Security, Crime / Fraud | Fraud | P2P, Retail Ops | × ? × × ×

Commercial Compliance: Trade Practices, Contract Compliance | Commercial Risk: Intellectual Property, Contract Risk | Contract | O2C | × ? ? × ×

Health and Safety Compliance: OHS, TSP, CoR, Dangerous Goods | Health and Safety Risk: Physical Security, Hazard Identification | Transport, Operations | × × ? ×

Asset Compliance: Property/Fire Services | Asset Risk: Physical Security, Fire Protection | Security, Facility Mgmt | × × ×

Sustainability & Environment: EEO, EPBC, NGERS, CPRS | Sustainability & Environment: Carbon Reduction, Sustainability Principles | Sustainability, Transport | × × × ×

Strategic Compliance: Investment, Projects, Planning, Products, External | Strategic Risk: Investment, Projects, Planning, Products, External | Investment Life Cycle, Planning | ? × × × ×

Risk Universe: Governance; Strategy and Planning; Operational; Compliance; Reporting

Page 17

Technology Support Model

Technology Layer / Role

eGRC Layer:

• Core functionality to support Risk, Compliance, Audit, Controls, Policy, Incident Management

• Centred around data backbone - risk/obligation/policy/control/test/incident or loss

• Reporting and dashboards

• Workflows

Systems Integration Interface: eGRC; Point Solutions; Transactional Systems; Data and Analytics; Corporate Reporting

Risk/Obligation Specific Layer: HSE / Security / Fraud / Crime / Plant and Equip / IT Security / Environmental

ERP Layer: Transactional systems

Data and Analytics Layer: Data warehouse combining eGRC and other data including transactional/external/social

Page 18

Risk and Compliance Profile sits at the Core of the Model…

Risk Profile by:

• Business Unit

• Business Process

• Business Scorecard

• Strategic Initiatives

• Program/Projects

Each Risk/Compliance Class: Appetite/Thresholds; Key Risk Indicators; Treatments/Controls; Assurance; Incidents/Claims/Losses; Aggregated Exposure

Bottom Up - Individual Risk Profile for each BU overlays Business Process and Business Objective

Aggregated Corporate Profile and Reporting

Standard Risk, Control and Policy Library

Four Business Units, each with: Risk Dashboard; Risk Appetite; Key Risk Indicators; Control Monitoring

Governance; Strategy and Planning; Operations; Infrastructure; Compliance; Reporting

Single Source of GRC Truth

Top Down

Page 19

Multi Risk and Compliance Framework…

GRC Operating Model

Overarching Enterprise Risk and Compliance Framework

Common Risk Library – Risks can be aggregated for reporting and analysis

Risk can be assessed by multiple methods including control effectiveness

Process Focus: Procure to Pay, Hire to Retire, Order to Cash, Financial Close, etc.

Functional Focus: Risk and Compliance Profiles by Business Unit

IT and Information: CoBit, PCIDSS, ISO27000, Cyber, FOI, Privacy, Archives

Integrated Control Library – Control Library with Controls that can be linked to multiple Risk and Compliance Requirements. Control Testing can then satisfy multiple "Regulations" or "Risks"

Corporate Policy Framework – Policy Lifecycle Management linked to:

• Risk and Compliance Framework

• Control Library

Obligations: Financial Reporting, SOX, Principal 7, SoDs, DoAs, IFRS, Crime, Fraud, Austrac, AML, Transport, SoDs, Cyber, Human Capital, OHS, Environment, EEO, CoR, Property, Food, Medical, Commerce, Contract, Consumer, Contract, Lease, Liquor, Tobacco, Lotteries, IP

Analytics and Reporting – Dashboards, KRIs, Aggregated Risk Profiles

Strategic: Strategic Risk; Strategy Execution; Project and Portfolio; BCM

External: Legal, Industry and Community Stds

Internal: Cultural, Performance Stds

Integration with Other Systems – Continuous testing can be undertaken across the SAP Platform including EHS, SSM, ECC, HCM etc. Interfaces can also be set up with Non-SAP Systems and Manual Entry

Powered By SAP GRC. Provides: Risk Management – Enterprise Wide Risk Management Capability; Process Control – Supports Risk and Compliance control Frameworks; Policy Framework – Supports Multiple Regulations; Range of Testing Methods; Range of Assessment Techniques; Common Risk Language

Each Risk/Compliance Class: Appetite/Thresholds; Key Risk Indicators; Response Plans/Controls; Assurance; Incidents/Claims/Losses; Aggregated Exposure; Risk Adjusted Performance; Audit Issues

Page 20

You need a (strategy) road map…

Phase 1 - Quick Wins

• Compliance Obligations

• Training

Phase 2 – Risk Management

• Risks and Controls

• Risk Assessment

Phase 3 - Policy Management

• Life cycle

• Policy Surveys

• Mobility – iPad App

Phase 4 - Risk Analytics

• Risk Appetite

• KRI’s

• CCM

• Dashboards

Year One Year Two Year Three Year Four

Page 21

The Most Popular GRC Tool in the World…

Page 22

The eGRC Core…

Core functionality to support common enterprise risk, compliance, and assurance activities

• Governance

• Enterprise Risk Management

• Compliance Obligations and Risks

• Risk and Compliance Control Framework

• Policy Management

• Incident and Loss Management

• Internal Audit Practice Management

Plus…

• HSE

• Fraud/Financial Crime

Page 23

5 Key Underpinning Technologies

Database

Workflow Management

Document and Content Management

Analytical and Reporting Tools

Data Warehouse

Page 24

Typical eGRC Functionality…

Overall Considerations: Data Architecture; Data Aggregation; Workflows; Monitoring and Alerting; Triggers; Analytics and Reporting; Risk Modelling

Risk: Risk Data; Risk Creation; Risk Library; Risk Analysis Methods; Risk Assessment Process; Loss and Incident Data; Risk Appetite; Issues Management

Control: Control Attributes; Control Creation; Control Library; Control Assessment; Link to Risks or Obligations

Page 25

The User Experience

• Who is going to use it?

• Are they going to log into the application?

• How often?

• What will they do on the system?

• How is data to be entered?

• How much data?

• How do they run reports?

• Ad Hoc Analysis?

• What platforms? PC Only?

Page 26

Data and Analytics

Page 27

What Can Data Analytics Provide?

Page 28

Analytics

• Some Typical Applications:

- Controls transformation: process analytics and continuous controls monitoring

- Contract risk compliance: IT, employee, supplier and customer contract reviews

- Financial crime: fraud investigations, litigation support

- Finance analytics: uncovering leakage / inefficient processes

- Internal audit transformation: planning, auditing and reporting.

Page 29

An Example…Simple Outlier Identification

Page 30

Key risk analytics techniques:

• Rules-based quantification of known profiles

• Statistical modelling to understand drivers of known behaviors, raise awareness of unknown behaviors, and predict future behaviors

• Visualisation to easily communicate data insights into informed decision-making

Page 31

Moving to Real Time Risk Analytics…

Source – SAP Analytics

Page 32

Reporting and Dashboards

iPad Risk Reporting Dashboard

Page 33

Corporate Performance Reporting

Source - Enterprise Dashboard

Risk should be on this dashboard. How to integrate?

Page 34

What Now…?

Strategy and Roadmap

Technology Selection

Build and Implement

Improvement

A Structured Approach to Risk Technology

Page 35

Technology Strategy

Page 36

Engage with Internal Processes

• Engage Your IT Group

- Architecture

- Data

- Cloud vs On Prem

- Program

• Project Funding

- Capital vs Opex

- Business Case Process

- Benefits

- Gaining Support

Page 37

Elements of a Risk Technology Strategy

• Organisational context

• Maturity of current capability

• Specific problems to be addressed

• Scope of application of the toolsets

• The current technology environment

- Data Management

- Application Architecture

• Establish priorities

• The desired end-state and timing

• Benefits and Budget

Page 38

Technology Selection

Page 39

First Steps…

• Refine Phase 1 Scope

• Develop Requirements - Sample

• Identify Suitable Vendors

Page 40

The Market

• Now 00's of GRC products in the market place – 40+ in enterprise

• Strengths based on their origins and focus

• Continued convergence of products around core functionality

• Addition of more SME functionality

• Bigger not necessarily better

• Niche players

Page 41

Get to Know Your Vendor…

• Industry Knowledge

• Thought Leadership

• Origins – product history

• Their sweet spot

• Customer base

• Drive the product – make sure it just doesn't run best on Powerpoint

Page 42

Some of the Products…Just a Sample

• Nasdaq Bwise

• IBM Open Pages

• Thomson Reuters Accelus

• RSA Archer

• Protecht

• SAP GRC

• Oracle GRC

• MetricStream

• SAI Global

• Wolters Kluwer

• Cura

• Enablon

• Wynard

• Risk Cloud

• Protiviti

• Resolver

• ACL

• Teamate

• Modulo

Page 43

The $’s....

Page 44

The Role of the Analysts and Industry Pundits

The Analysts

• Gartner – Magic Quadrant

• Forrester – Wave

The Pundits

• GRC20/20 – Michael Rasmussen

• Norman Marks – Marks on Governance

Other Sources

• Linkedin Groups

• Forums

• Consultants

• Vendors

• Existing Customers

Page 45

Other Considerations…

• You don't know what you don't know

• Products typically capture IP and better practice

• Is there opportunity for improvement?

• Do a POC with the shortlist – pay if you have to

Page 46

Technology Selection Process

Stages: Define Business Requirements; Identify Potential Vendors; Establish Market Response Requirements; Issue To Market; Complete Market Sounding Questionnaire; Develop & Test Analysis Toolkit; Conduct Analysis; Prepare Market Sounding Report

Swimlanes: Vendor Processes; Procuring Authority Processes

• Define the solution scope

• Review existing flow of information and reporting output

• Identify potential data sources

• Establish risk information and reporting needs (including current and future out to approx. 3 years)

• Consider leading risk practice functionality across various software vendor tiers [integrated/ point solution/ stand-alone]

• Confirm/refine system requirements for market communication

• Conduct initial vendor research based on Customer requirements, using better practice research

• Consider appropriate vendors

• Finalise vendor list

• Seek registration of interest (if required)

• Construct questionnaire for responses by vendors

• Seek review and approval for submission of questionnaire for approach to market

• Issue questionnaire to finalised vendor list

• Communicate nominated contact person

• Communicate response times and requirements

• Consider IT Architecture and IT Strategy for system integration

• Build response analysis and scoring mechanism

• Determine visualisation methods

• Conduct test analyses

• Map vendor system functionality to business needs

• Receive completed questionnaires

• Participate in vendor presentations

• Analyse results

• Add qualitative analysis from supplementary material (if appropriate)

• Communicate preliminary analysis results

• Produce formal Market Sounding Report

• Issue for review and comment

• Finalise document for executive

• Develop a plan to document, consolidate, refine and transform data pre-implementation

Timing: 2 weeks, 2 weeks, 2 weeks

Page 47

Technology Implementation Process

Design

Build

Implement

Page 48

Project Structure

• IT PMO Engagement

• Project Manager

• Business Representative

- Each Functional area

• Implementation Partner

- Solution Architect

- Technical Consultants

• IT Representative

Page 49

Design

Selection should have confirmed fit

Detailed Requirements Defined

4 Key Elements in Blueprint

• Selecting Configuration Options

• Defining Master Data

• Defining Processes and Workflows

• Roles and Authorisations

Page 50

Build

Typically the easy bit:

• Data Preparation

- Clean Your Data

- What to do with Historic Data?

• Testing – UAT

• Watch for:

- Performance issues – screen refresh

- Interfaces

Page 51

Roll Out…

Key for Success

• Don't skimp on Change Management effort

- Clear Change plan

- Tailored Communication

- Follow up support

• Tailor Training to Users

• Ongoing Support

• Measure Take Up and Feedback

Page 52

Pitfalls and Problems…

Requires major transformation effort across the enterprise…

Organisation system legacies…

• Lots of different Stakeholders

• Lots of different Systems

• No one owns all the benefits

It’s better to…

• Start.

• It will never be perfect.

So where do you start?

• Big bang usually not possible (or advisable…)

• Need to show value – clear about benefits

• Need an Influential Cross Org Sponsor who sees the value

• Develop Roadmap with incremental benefits

• Sell the vision…needs everyone on board

Page 53

Questions

Thank You