GRC 2.0 : A Business Friendly Framework How to make GRC initiatives more relevant? Gonzalo Cuatrecasas GRC Practice Leader, Consider Solutions solutions for world class finance Today’s Presenters Gonzalo Cuatrecasas Dan French GRC Practice Leader CEO Former Head IT Audit - Consider Solutions Colgate Palmolive 2 solutions for world class finance 3 solutions for world class finance For this Session GRC 4 solutions for world class finance Who should “Own” GRC in the Organization? (Choose one) 1. Chief Operating Officer 2. Chief Information Officer 3. Chief Financial Officer 4. Internal Audit 5. Other © 2013 Consider Solutions All rights reserved 5 solutions for world class finance GRC Complexity Corporate Governance Risk Management Policy Management Internal Control Compliance Systems Security / IM A lot of software “External Influences often drive GRC initiatives” Finance Community IT Department Internal Audit Internal Controls Legal Operations Community 6 solutions for world class finance Gartner’s compliance and risk management research Governance The processes by which policies are set and decision making is executed. Risk Management The process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions, going beyond which creates an unacceptable potential for loss. Compliance The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements. 7 solutions for world class finance Open Compliance and Ethics Group A system of people, processes, and technology that enables an organization to: Understand and prioritize stakeholder expectations. Set business objectives that are congruent with values and risks. Achieve objectives while optimizing risk profile and protecting value. Operate within legal, contractual, internal, social, and ethical boundaries. Provide relevant, reliable, and timely information to appropriate stakeholders. Enable the measurement of the performance and effectiveness of the system. 8 solutions for world class finance GRC Evangelists Norman Marks – ‐ GRC it’s about “how we can optimize outcomes and performance, addressing uncertainty and acting with integrity”. Michael Rasmussen – ‐ “GRC maturity is highly dependent on technology… …you cannot buy GRC — GRC is something you do”. Carole Switzer – ‐ “Today’s boards and executive management are increasingly cognizant of the need for an integrated approach that is proactive, effective, and organization-wide” 9 solutions for world class finance Vendors Business and IT management can get caught-up in the GRC vendor jumble Do not assume the vendor is talking about the same ‘GRC’ as you! Vendors tend to define GRC to suit the strengths of their offerings – they all have their ‘sweet spots’ No single vendor has a solution that integrates capabilities for every GRC process Managers should ensure that vendors focus on business processes and how they address business goals and current maturity level 10 solutions for world class finance GRC Landscape “GRC” Components & Related Services Corporate Reporting Governance Layer Align Performance With Corporate Objectives Risk/Compliance Layer ‘eGRC’ Documentation / Alignment / Rationalization Enterprise Risk Policy Management. Audit Management E-Discovery Establish The Rules For Business Operations Control Execution & Risk Monitoring Business/Performance Layer Assure That Operations Follow Set Policies and Expectations Continuous Monitoring Layer Provide Insight & Perform Specialized Functions Policy, procedure & control definition ERP Finance HR Sales Supply Chain Manuf. Ops. LOB Pharma Retail Healthcare Transportation Manufacturing Financial Services Energy SOX Basel II HIPPA FCPA J-SOX PCI Others. Automated testing Application Configuration (CCM-AC) IT Infrastructure Layer Assure That Information Is Properly Controlled User Access (CCM-SOD) Master Data (CCM-MD) Transactions (CCM-T) IT Control Monitoring, Testing & Enforcement Networks Web E-mail Servers Storage solutions for world class finance Business Value GRC Maturity Model Predictive Operational Effectiveness Business Efficiency Continuous Ongoing Monitoring Process Improvement Integrated Consistent Financial and Operational Controls Common Risk Management Framework Repeatable Mandated Defined Risk/Control Framework Simple Compliance Monitoring (SoD) Ad-Hoc Only Legal Obligations No Risk Management Framework External Stakeholder “How Much GRC is Enough?” Internal Stakeholder 12 solutions for world class finance Discussion 1 (4min) What comes to mind with reference to the proposed GRC Maturity Model? 13 solutions for world class finance Governance, bigger need than its ever been! Internal Environment Objective Setting Legal CobiT 5 IT Operations GRC Finance & Control ITIL Audit ITval 14 solutions for world class finance Growing Risk Complexity Event Identification Risk Assessment Risk Response Legal Technology risk IT Operations GRC Finance & Control Mobile / Social Audit Credit risk 15 solutions for world class finance The society and regulatory entities demand more Compliance Control Activities Stakeholder Communication Transaction Monitoring Legal Basel III IT Operations GRC HIPAA Finance & Control Audit EU 8th Directive 16 solutions for world class finance Convergence of GRC Value Governance Built on principles of ethics, independence, transparency, integrity and accountability. Compliance Encompassing internal as well as external compliance requirements rather than external requirements only Risk Management Mechanisms to identify, assess and mitigate risk while seizing business opportunity and protecting reputation GRC capability integrity-driven business performance 17 solutions for world class finance Discussion 2 (4 Min) Do your Stakeholders believe that there is an opportunity to add value to the business from GRC initiatives? What examples can you share? 18 solutions for world class finance In which business area do you think GRC initiatives can add more value? (Chose up to 3) Risk management Process standardization Information timeliness/consistency Process efficiency/effectiveness Information availability Exception Handling 19 solutions for world class finance GRC Maturity & Business Performance Value Risk management Process standardization Information timeliness/consistency Process efficiency/effectiveness Information availability Exception Handling 20 solutions for world class finance Process Efficiency / Effectiveness Exception Handling ERP is configured to only allow GR if PO exists, however… Truck drops off shipment, but no PO exists Warehouse calls up Purchasing to create a PO Purchasing creates PO for Shipment GR is created against PO 21 solutions for world class finance GRC Maturity and Domain Value Legal GRC IT GRC GRC Domains Governance Reporting Security Controls Anti-fraud Anti-Bribery Anti-Corruption System Controls Legal Data Protection Operational GRC IDM IT Operations Manufacturing GRC Finance GRC Audit Finance & Control GRC Audit HR Systems Management Representation ICFR Whistleblower SoD/ST Corporate Risk Management KEI 22 PO Management and Procurement © 2013 Consider Solutions All rights reserved solutions for world class finance GRC 2.0 - A Business Friendly Framework Complia nCompli an Legal GRC Domains Operations IT Finance & Control Audit GRC Context 23 solutions for world class finance Stakeholder Oriented Risk focused, and business deep Business process friendly Quick wins Manageable projects Parallel initiatives Legal Easy to prioritize Ops Measurable ROI GRC Domains GRC 2.0 - Stakeholder Focus & Prioritization IT Finance & Control Audit GRC Context 24 solutions for world class finance Discussion 3 (4 Min) How should GRC initiatives be prioritized? ROI, Business Risk, Business Value, Audit comment Who should approve the GRC initiatives? Ad-hoc by dept / business need, Central GRC Program, Steering Committee… 25 solutions for world class finance The COSO Situation (Example 1) COSO Framework ‐ Reliance as “suitable framework” for statutory compliance. ‐ Helps provide “reasonable assurance” over IC New 2013 COSO guideline ‐ Supersedes current framework (Dec 15, 2014) ‐ Enhanced coverage and adapted scope ‐ High level awareness (CEO,CFO) Opportunity ‐ Simplify and Streamline IC activities ‐ Performance of Business Operations ‐ Revisit Anti-Fraud Measures 26 solutions for world class finance Core Differences Broadening Scope ‐ Operations - All operational and financial goals ‐ Reporting – (Non-)Financial reporting to various internal and external stakeholders ‐ Compliance – Incorporating evolution in laws, regulations and accounting standards 5 Components Clarifying Requirements 17 Principles ‐ Explicit Principles of effective internal control Points of Focus ‐ Optional Points of Focus Controls Providing updated Context ‐ Approaches and Examples that illustrate how to apply 27 solutions for world class finance Transition Challenges Increased Role of Technology ‐ Relevant Principles: #11 and #13 ‐ Increased focus on quality of control documentation ‐ Consider utilizing recognised frameworks (e.g. CobiT) Anti-Fraud Focus ‐ Relevant Principles: #8 ‐ Explicit focus on Anti-fraud measures and programs Risk-Assessment Process ‐ Relevant Principles: All 17 ‐ The Framework still emphasises a top-down risk-based approach. ‐ The slavish following of principles might lead to a control-based approach rather than risk-based 28 solutions for world class finance COSO Transition Opportunities (Example 1) Stakeholder Focus & Prioritization ‐ Board Awareness, COSO Deadline ‐ Select one/two business areas of C Level concern Risk focused, and business deep ‐ Business like (Points of Focus) Automate Control Activities Broader application scope Improve Anti-fraud Measures Enhance Risk & Assurance Coverage GRC Domains Attest Manual Controls & Monitoring Legal Ops Business process friendly ‐ COSO framework evolution Quick wins ‐ ICFR, Fraud coverage IT Finance & Control Audit GRC Context 29 solutions for world class finance Which controls framework do you rely upon for GRC management? (choose one) 1. CobiT 2. COSO 3. ISO/IEC 4. GAO Green Book 5. CoCo 6. Any Combination 30 solutions for world class finance Survey - The Landscape over Financial Controls (example 2) Control Testing Approach Control Activity Manual % IT Dependent Automated % % Owner ITGC Process Entity Level Owner Distribution of ICFR ? Level of Automation ? 31 © 2014 Consider Solutions All rights reserved solutions for world class finance The Survey: Breakdown of ICFR controls The majority (59%) felt that Entity Level Controls (ELCs) accounted for less than 25% 50% of respondents stated that their IT General Controls accounted for 25% or less overall 44% of respondents felt that the majority of their ICFR controls are process level controls 32 © 2014 Consider Solutions 0% 25-50% 75-100% <25% 50-74% I don't know 60 50 40 30 20 10 0 *Entity Level Controls **IT ***Process General Controls Controls (ITGC) All rights reserved solutions for world class finance The Survey: Entity Level Controls and Automation 70% of respondents stated that less than 25% of ELCs are automated 33% said zero percent of ELCs are automated 0% 25-50% 75-100% <25% 50-74% I don't know 60 50 40 30 20 10 0 *Automated **Manual ***IT dependent / hybrid 33 © 2014 Consider Solutions All rights reserved solutions for world class finance The Survey: ITGCs and Automation 50% of respondents stated that less than 25% of ITGCs are automated 0% <25% 25-50% 50-74% 75-100% I don't know 60 50 40 30 20 10 0 *Automated **Manual ***IT dependent / hybrid 34 © 2014 Consider Solutions All rights reserved solutions for world class finance The Survey: Process Controls and Automation 65% of respondents stated that less than 25% of Process Controls automated 0% 25-50% 75-100% <25% 50-74% I don't know 60 50 40 30 20 10 0 *Automated **Manual ***IT dependent / hybrid 35 © 2014 Consider Solutions All rights reserved solutions for world class finance Survey Results – Conclusions & Insights There was a broad distribution of responses Despite common frameworks, the taxonomy of controls is still imprecise Large scale ERP / systems implementation has not raised the level of automated control significantly Even the majority of IT General Controls are not automated, which might sound counter-intuitive The majority of controls are not benefitting from automation either in terms of implementation or testing ELC largely ignored by automation 36 © 2014 Consider Solutions All rights reserved solutions for world class finance Potential Reasons for low penetration of automated controls 1. Incomplete ERP implementation 2. Automation plans underway 3. Diverse landscape of financial systems with complex interfaces 4. Insufficient benefit from automation 5. Need for management oversight & attestation 37 ‐ Entity Level Controls & Policies ‐ Approvals, Authorizations and Verifications ‐ Reconciliations ‐ Reviews of Performance ‐ Security of Assets ‐ Controls over Information Systems © 2014 Consider Solutions All rights reserved solutions for world class finance Management Oversight Automation (Example 2) Stakeholder Focus & Prioritization ‐ Protect the board from both criminal as well as civil liability. Risk focused, and business deep ‐ Reputational focus Business process friendly ‐ Automation of existing attestation ‐ SoX 404(b) compliance GRC Domains Quick wins Legal Ops IT Finance & Control Audit GRC Context 38 © 2013 Consider Solutions All rights reserved solutions for world class finance Discussion 4 (4min) Do you believe that companies only “react” to external governance & control requirements (such as COSO migration, Fraud incidents or Data security breaches)? What can be done so that companies are genuinely seeking to deliver business value from GRC initiatives? 39 © 2013 Consider Solutions All rights reserved solutions for world class finance Integrated GRC Portfolio Management The Cube as the Framework for Stakeholder Focus & Prioritization Execute strategic interests Manage the GRC totality Evaluate using consistent criteria 40 © 2013 Consider Solutions All rights reserved solutions for world class finance How to Prioritize Quick Wins Identify Stakeholders Develop GRC needs assessment Map to strategic reference model Assess returns by initiative Prioritize actions Act Review & Refine Repeat 41 © 2013 Consider Solutions All rights reserved solutions for world class finance Key Takeaways Strategy is critical ‐ Maturity model defines appetite & achievement Execution is everything ‐ Alignment needs common understanding Planning ensures performance ‐ Workshop assesses status & future initiatives 42 © 2013 Consider Solutions All rights reserved solutions for world class finance Questions? Gonzalo Cuatrecasas & [email protected] Dan French [email protected] Experiences & Observations . . . http://www.consider.biz/thinking 43 © 2013 Consider Solutions All rights reserved solutions for world class finance solutions for world class finance GRC 2.0 A Business Friendly Framework © 2014 Consider Solutions All rights reserved.