The Major Components in Developing and Executing a Globalized Governance, Risk, Compliance & IT Security (GRC 3 ) Strategy © COPENHAGEN COMPLIANCE®

Page 1: The Major Components in Developing and Executing a ...• Focus on running the business and returning to profitability & learn from the past experiences, without micro-managing every

The Major Components in Developing and Executing a Globalized Governance,

Risk, Compliance & IT Security (GRC3)

Strategy

© COPENHAGEN COMPLIANCE®

Page 2

Copenhagen Compliance® GRC3 Framework

• Structure and Responsibilities

– What are the responsibilities & structures to be created?
– Who makes the day-to-day decisions?
– Who is responsible for IT GRC issues?

• Process

– How are management’s decisions made and implemented?
– What are the decision-making processes for proposing investments, disclosures, and compliance with laws and regulations?
– Define the maintenance of the infrastructure and assets

• Communication

– How will the results be monitored, measured and communicated?
– What mechanisms will be used to communicate IT stewardship issues to the board of directors, executive, business & IT management, employees and shareholders?

Page 3

GRC3 Design Model (diagram)

Diagram elements: GRC Policies; GRC Procedures; GRC Tasks; GRC Team Review & Sign Off; Functional Review & Sign Off; Supervisor Review & Sign Off; Task Complete & Sign Off. Also shown: Compliance Regulations (External, Internal) and Compliance Laws.

Page 4

The Right GRC3 structure

Centralized

• Intelligence
• Leverage experience
• Big brother feeling
• Business buy-in
• Understand risks
• Response
• Co-operation

Decentralized

• Ownership & Accountability
• Agility
• Understanding
• Common approach
• Duplication of efforts
• Corporate insights
• Systemic risks

Page 5

The Right GRC3 process

• Define the individual elements and overarching goals of GRC implementation (‘my G is your R which is corporate’s C’) and map them to the needs of each division.

• Determine the regulatory and compliance landscape. Document and prioritize the volume of corporate information, regulations, policies, controls and the number of GRC groups.

• Determine the (most) logical entry point as a pilot and develop a phased approach to all the divisions and subsidiaries in the GRC scope, based on the business case that focuses on values.

Page 6

The Right GRC Team

• Emphasis on managerial responsibility

• Evaluate personal background and habits against the competency matrix and organizational culture

• Raising staff awareness on GRC

• Define the various GRC responsibilities (prevention, detection and repression)

• Designing of programmes for raising awareness and ownership issues on GRC

• Establish an effective system of internal reporting

• Define clear policies and procedures for reporting to external authorities

Page 7

The GRC3 Challenges 1/2

• The first rule in accounting: you cannot audit a company where management does not have integrity

• Focus on running the business and returning to profitability & learn from the past experiences, without micro-managing every business decision

• Ensure that the message of accountability has been received, loud and clear, throughout the organization

• Keep the right perspective on issues. Boards/audit committees should/should not:

– Slip into a zero-tolerance attitude about GRC issues

– Panic at any fraud or corruption incident

– Develop tools and techniques on what should be reported and how

– Focus on new ‘fraud’ and other important GRC issues perpetrated by methods the company hadn’t seen before

– Use a notification matrix to report the biggest GRC issues immediately, while smaller issues and risks are rolled up into metrics and reported on an aggregate basis

Page 8

The GRC3 Challenges 2/2

• Challenge of complacency, or comfort of controls: if a GRC incident hasn’t happened in a while, there is a risk of developing a lax attitude

• Deterrence is a valuable tool: the acceptance that the company takes non-compliance on GRC issues seriously.

• How to safeguard that whistleblowers do not suffer or face retaliation for making the right ethical decision.

• GRC issues: how it happened, how it was discovered, how to remediate it, and what to do with the individual who committed it

• You can have the best compliance program in the world, but oversight authorities still want to know why it was possible to get around it

Page 9

Key Risk Indicator (KRI) & Tollgates for GRC3 Monitoring

Page 10

GRC3 Maturity Model

Prevention, Response, Controls

• The GRC assessment process is enhanced by rating the organization against the GRC maturity model.

• The enterprise moves from a reactive, firefighting mode until it eventually reaches the desired maturity level.

• Then move to an enterprise-wide approach.

• Use qualitative and quantitative metrics to continuously monitor & improve people, processes, and technology.

Page 11

Types of GRC3 Controls

Page 12

Integrated GRC3 IT Risk Control Model

Page 13

An Illustrative GRC3 Risk Model

Page 14

GRC3 IT/Document Management

• Identify and quantify your key risks

• Automation reduces risk of human error and intervention

• Adopt a holistic view and solution that integrates effective technology with informed people

• Approval & authorization

• Access restrictions

• Transaction controls

• Reconciliations

Page 15

Good Governance and The Financial Reporting process

Sustainable system of Global Principles of Accountable Corporate Governance.

• Establish committees with their respective roles and responsibilities:

– Audit Committee Charter, Compensation Committee Charter, Nominating Committee Charter and Strategic and Operations Committee Charter

• Code of Conduct for applicable positions and functions

• The Audit Committee approves the Financial Code of Ethics for applicable functions

– Establishes a policy for the independent auditors and pre-approval of permissible non-audit related services

– Monitors compliance with global financial policies, reporting, internal controls & 3rd party transactions

• The Disclosure Committee evaluates the controls and procedures and the reports filed with authorities

• A Compliance Office oversees compliance with the Code of Conduct

• The Code of Conduct charter provides for the anonymous reporting of concerns related to accounting, internal control, auditing, fraud, corruption or the Financial Code of Ethics (Whistleblower Function)

Page 16

Consolidate the cross-functional GRC3 Processes

• Avoid each GRC group performing its own compliance activity in a silo

• At each GRC level, take the time/effort to achieve its baseline necessities

• Progress from initial implementation initiatives, like mitigating risks, to risk management

• Develop and build a holistic Enterprise Level Compliance Management Program and Processes focusing on Prevention, Response and Controls

• The result is a clear, defined protocol for managing the GRC portfolio.

Levels of GRC3 Maturity (diagram)

Page 17

Organization of the GRC3 efforts 1/4

• Scoping and Planning the areas of GRC

• Framework, Methodologies and Tools

• Design and Implementation of the various GRC aspects

• GRC Facilitation, Advice and Assistance

• Controls, Test, Assessment and Audit

• Training and ‘certification’

• Continuous monitoring and improvement

Page 18

Organization of the GRC3 efforts 2/4

Scoping and Planning – Prioritizing the GRC profile

• Setting up the CG codex and Audit Committee and Charters

• The GRC Office/Function & Project Management

• Creating a GRC Communication Plan

• Organization, Education and Awareness efforts

• Selection of Tools, Business & IT Processes in scope

• Overall Financial Risk Analysis, Assessment and Matrix

Page 19

Organization of the GRC3 efforts 3/4

• Selection of Framework (COSO, ITIL, COBIT, ISO Standard(s))

• Integrating GRC in existing processes and design of new processes

• Embed the GRC activities overview, monitoring, reporting/disclosures.

• Focus on minimizing the organizational burden and costs

• Establishing sustainable Working Practices

• Framework, Methodologies and Tools for GRC

Page 20

Organization of the GRC3 efforts 4/4

• Facilitation, Advice and Assistance on Design of GRC Implementation

• GAP analysis of existing and necessary GRC development

• Maturity Assessment of GRC mandates & effectiveness

• Design and implementation of GRC processes. Business and IT

• Focus on IT and automation

• Establishment of methodology, documentation, test, approvals

• Root cause analysis, Controls metrics, Test, Assessment and Audit

• Measuring and reporting GRC effectiveness to Board/AC.

• GRC activities are efficient/sustainable with self-assessment methodologies

Page 21

Key Stakeholders for GRC3

Page 22

GRC3 Regulations Are Not Equal

Page 23

A laundry list of GRC3 worries

• Activity happens beyond the eye of central management.
• Briefing senior executives and the board on fraudulent activities.
• Committing financial reporting fraud to cover up an asset theft (often immaterial to overall company health).
• Compliance departments not up to date enough to understand the kinds of current GRC risks.
• Cultural norms about GRC differ.
• A culture of fear drives employees to cover up mistakes.
• Dependence on whistleblowers to help uncover fraud, corruption and ethical issues.
• Distribution of company Codes of Conduct to third parties.
• Not every culture likes to use hotlines.
• GRC and fraud investigations can span multiple locations and be very document-intensive.
• GRC risks posed by third parties (resellers, partners, suppliers) are often an issue.
• Hotlines can never replace in-person communication.
• Investigating a GRC tip can take months.
• A focus on keeping up with the Joneses for certain employees.
• Large GRC and fraud incidents often spring from smaller episodes.
• Look for the warning signs beyond the numbers.
• Often the directors don’t understand a transaction; in terms of risk control, that’s a problem.
• Operations in geographically dispersed locations.
• Patrolling GRC, corruption and fraud is a coordinated effort; no single corporate department should “own” GRC enforcement.
• The personal touch is also more expensive.
• “Pushing the envelope” on performance.
• Right-to-audit clauses in contracts with third parties.
• Separate GRC hotlines (e.g. for vendors and suppliers) to report possible ethical misconduct.
• Share research to determine which outside parties to avoid.
• Specific controls on accuracy in financial reporting.
• Systems to thwart the possible frauds that might happen.
• Training employees.
• Understanding the GRC culture of the business is critical, as is the quality and integrity of the people you are dealing with.
• Unrest gives employees an easier path to commit fraud.

Page 24

Copenhagen Compliance® Technical University of Denmark

Science and Technology Park Diplomvej 381, DK-2800 Kgs. Lyngby, Denmark

[email protected] www.copenhagencompliance.com

Tel. +45 2121 0616

Kersi F. Porbunderwalla is the Secretary General of Copenhagen Compliance and Managing Partner of Copenhagen Charter and Riskability IT Tools. His team has developed and implemented accounting, finance and GRC applications, frameworks and roadmaps. He is a consultant, lecturer, instructor, researcher, analyst and practitioner with a network of qualified associates and consultants on 4 continents.