GRC 2.0 : A Business Friendly Framework How to make GRC

GRC 2.0 : A Business
Friendly Framework
How to make GRC
initiatives more
relevant?
Gonzalo Cuatrecasas
GRC Practice Leader, Consider Solutions
solutions for world class finance
Today’s Presenters
Gonzalo Cuatrecasas
Dan French
GRC Practice Leader
CEO
Former Head IT Audit -
Consider Solutions
Colgate Palmolive
2
solutions for world class finance
3
solutions for world class finance
For this Session
GRC
4
solutions for world class finance
Who should “Own” GRC in the Organization?
(Choose one)
1. Chief Operating Officer
2. Chief Information Officer
3. Chief Financial Officer
4. Internal Audit
5. Other
© 2013 Consider Solutions
All rights reserved
5
solutions for world class finance
GRC Complexity
Corporate Governance
Risk Management
Policy Management
Internal Control
Compliance
Systems
Security / IM
A lot of software
“External Influences often
drive GRC initiatives”
Finance
Community
IT Department
Internal Audit
Internal Controls
Legal
Operations
Community
6
solutions for world class finance
Gartner’s compliance and risk management
research
Governance
The processes by which policies are set and decision making is
executed.
Risk Management
The process for ensuring that important business processes
and behaviors remain within the tolerances associated with
those policies and decisions, going beyond which creates an
unacceptable potential for loss.
Compliance
The process of adherence to policies and decisions. Policies
can be derived from internal directives, procedures and
requirements, or external laws, regulations, standards and
agreements.
7
solutions for world class finance
Open Compliance and Ethics Group
A system of people, processes, and
technology that enables an organization to:
Understand and prioritize stakeholder expectations.
Set business objectives that are congruent with values and
risks.
Achieve objectives while optimizing risk profile and protecting
value.
Operate within legal, contractual, internal, social, and ethical
boundaries.
Provide relevant, reliable, and timely information to
appropriate stakeholders.
Enable the measurement of the performance and
effectiveness of the system.
8
solutions for world class finance
GRC Evangelists
Norman Marks –
‐ GRC it’s about “how we can optimize outcomes and
performance, addressing uncertainty and acting with
integrity”.
Michael Rasmussen –
‐ “GRC maturity is highly dependent on technology…
…you cannot buy GRC — GRC is something you do”.
Carole Switzer –
‐ “Today’s boards and executive management are
increasingly cognizant of the need for an integrated
approach that is proactive, effective, and
organization-wide”
9
solutions for world class finance
Vendors
Business and IT management can get caught-up in
the GRC vendor jumble
Do not assume the vendor is talking about the same
‘GRC’ as you!
Vendors tend to define GRC to suit the strengths of their
offerings – they all have their ‘sweet spots’
No single vendor has a solution that integrates
capabilities for every GRC process
Managers should ensure that vendors focus on business
processes and how they address business goals and
current maturity level
10
solutions for world class finance
GRC Landscape
“GRC” Components & Related Services
Corporate Reporting
Governance Layer
Align Performance With
Corporate Objectives
Risk/Compliance Layer
‘eGRC’ Documentation / Alignment / Rationalization
Enterprise
Risk
Policy
Management.
Audit
Management
E-Discovery
Establish The Rules For
Business Operations
Control Execution & Risk Monitoring
Business/Performance Layer
Assure That Operations Follow
Set Policies and Expectations
Continuous Monitoring Layer
Provide Insight & Perform
Specialized Functions
Policy, procedure & control definition
ERP
Finance
HR
Sales
Supply
Chain
Manuf.
Ops.
LOB
Pharma
Retail
Healthcare
Transportation
Manufacturing
Financial
Services
Energy
SOX
Basel II
HIPPA
FCPA
J-SOX
PCI
Others.
Automated testing
Application
Configuration
(CCM-AC)
IT Infrastructure Layer
Assure That Information Is
Properly Controlled
User Access
(CCM-SOD)
Master Data
(CCM-MD)
Transactions
(CCM-T)
IT Control Monitoring, Testing & Enforcement
Networks
Web
E-mail
Servers
Storage
solutions for world class finance
Business Value
GRC Maturity Model
Predictive
Operational Effectiveness
Business Efficiency
Continuous
Ongoing Monitoring
Process Improvement
Integrated
Consistent Financial and
Operational Controls
Common Risk Management
Framework
Repeatable
Mandated
Defined Risk/Control
Framework
Simple Compliance
Monitoring (SoD)
Ad-Hoc
Only Legal Obligations
No Risk Management
Framework
External Stakeholder
“How Much GRC is Enough?”
Internal Stakeholder
12
solutions for world class finance
Discussion 1 (4min)
What comes to mind with reference to the
proposed GRC Maturity Model?
13
solutions for world class finance
Governance, bigger need than its ever been!
Internal Environment
Objective Setting
Legal
CobiT 5
IT
Operations
GRC
Finance
& Control
ITIL
Audit
ITval
14
solutions for world class finance
Growing Risk Complexity
Event Identification
Risk Assessment
Risk Response
Legal
Technology risk
IT
Operations
GRC
Finance
& Control
Mobile / Social
Audit
Credit risk
15
solutions for world class finance
The society and regulatory entities demand
more Compliance
Control Activities
Stakeholder Communication
Transaction Monitoring
Legal
Basel III
IT
Operations
GRC
HIPAA
Finance
& Control
Audit
EU 8th Directive
16
solutions for world class finance
Convergence of GRC Value
Governance
Built on principles of
ethics,
independence,
transparency,
integrity and
accountability.
Compliance
Encompassing
internal as well as
external compliance
requirements rather
than external
requirements only
Risk Management
Mechanisms to
identify, assess and
mitigate risk while
seizing business
opportunity and
protecting
reputation
GRC capability
integrity-driven
business
performance
17
solutions for world class finance
Discussion 2 (4 Min)
Do your Stakeholders believe that there is
an opportunity to add value to the business
from GRC initiatives?
What examples can you share?
18
solutions for world class finance
In which business area do you think GRC initiatives can
add more value? (Chose up to 3)
Risk management
Process standardization
Information timeliness/consistency
Process efficiency/effectiveness
Information availability
Exception Handling
19
solutions for world class finance
GRC Maturity & Business Performance Value
Risk management
Process standardization
Information timeliness/consistency
Process efficiency/effectiveness
Information availability
Exception Handling
20
solutions for world class finance
Process Efficiency /
Effectiveness
Exception Handling
ERP is configured to only allow GR if PO exists, however…
Truck drops off
shipment,
but no PO
exists
Warehouse
calls up
Purchasing to
create a PO
Purchasing
creates
PO for
Shipment
GR is created
against PO
21
solutions for world class finance
GRC Maturity and Domain Value
Legal
GRC
IT GRC
GRC Domains
Governance
Reporting
Security
Controls
Anti-fraud
Anti-Bribery
Anti-Corruption
System
Controls
Legal
Data
Protection
Operational
GRC
IDM
IT
Operations
Manufacturing
GRC
Finance
GRC
Audit
Finance
& Control
GRC
Audit
HR Systems
Management
Representation
ICFR
Whistleblower
SoD/ST
Corporate Risk
Management
KEI
22
PO
Management
and
Procurement
© 2013 Consider Solutions
All rights reserved
solutions for world class finance
GRC 2.0 - A Business Friendly Framework
Complia
nCompli
an
Legal
GRC Domains
Operations
IT
Finance
&
Control
Audit
GRC Context
23
solutions for world class finance
Stakeholder Oriented
Risk focused, and business deep
Business process friendly
Quick wins
Manageable projects
Parallel initiatives
Legal
Easy to prioritize
Ops
Measurable ROI
GRC Domains
GRC 2.0 - Stakeholder Focus & Prioritization
IT
Finance
&
Control
Audit
GRC Context
24
solutions for world class finance
Discussion 3 (4 Min)
How should GRC initiatives be prioritized?
ROI,
Business Risk,
Business Value,
Audit comment
Who should approve the GRC initiatives?
Ad-hoc by dept / business need,
Central GRC Program,
Steering Committee…
25
solutions for world class finance
The COSO Situation
(Example 1)
COSO Framework
‐ Reliance as “suitable framework” for statutory
compliance.
‐ Helps provide “reasonable assurance” over IC
New 2013 COSO guideline
‐ Supersedes current framework (Dec 15, 2014)
‐ Enhanced coverage and adapted scope
‐ High level awareness (CEO,CFO)
Opportunity
‐ Simplify and Streamline IC activities
‐ Performance of Business Operations
‐ Revisit Anti-Fraud Measures
26
solutions for world class finance
Core Differences
Broadening Scope
‐ Operations - All operational and financial goals
‐ Reporting – (Non-)Financial reporting to various
internal and external stakeholders
‐ Compliance – Incorporating evolution in laws,
regulations and accounting standards
5 Components
Clarifying Requirements
17 Principles
‐ Explicit Principles of effective internal control
Points of Focus
‐ Optional Points of Focus
Controls
Providing updated Context
‐ Approaches and Examples that illustrate how to apply
27
solutions for world class finance
Transition Challenges
Increased Role of Technology
‐ Relevant Principles: #11 and #13
‐ Increased focus on quality of control documentation
‐ Consider utilizing recognised frameworks (e.g. CobiT)
Anti-Fraud Focus
‐ Relevant Principles: #8
‐ Explicit focus on Anti-fraud measures and programs
Risk-Assessment Process
‐ Relevant Principles: All 17
‐ The Framework still emphasises a top-down risk-based
approach.
‐ The slavish following of principles might lead to a
control-based approach rather than risk-based
28
solutions for world class finance
COSO Transition Opportunities (Example 1)
Stakeholder Focus & Prioritization
‐
Board Awareness, COSO Deadline
‐
Select one/two business areas of C Level concern
Risk focused, and business deep
‐
Business like (Points of Focus)
Automate Control Activities
Broader application scope
Improve Anti-fraud Measures
Enhance Risk & Assurance Coverage
GRC Domains
Attest Manual Controls & Monitoring
Legal
Ops
Business process friendly
‐
COSO framework evolution
Quick wins
‐
ICFR, Fraud coverage
IT
Finance
&
Control
Audit
GRC Context
29
solutions for world class finance
Which controls framework do you rely upon
for GRC management? (choose one)
1. CobiT
2. COSO
3. ISO/IEC
4. GAO Green Book
5. CoCo
6. Any Combination
30
solutions for world class finance
Survey - The Landscape over Financial
Controls (example 2)
Control Testing Approach
Control Activity
Manual
%
IT Dependent Automated
%
%
Owner
ITGC
Process
Entity Level
Owner Distribution of ICFR ?
Level of Automation ?
31
© 2014 Consider Solutions
All rights reserved
solutions for world class finance
The Survey: Breakdown of ICFR controls
The majority (59%)
felt that Entity Level
Controls (ELCs)
accounted for less
than 25%
50% of respondents
stated that their IT
General Controls
accounted for 25%
or less overall
44% of respondents
felt that the majority
of their ICFR controls
are process level
controls
32
© 2014 Consider Solutions
0%
25-50%
75-100%
<25%
50-74%
I don't know
60
50
40
30
20
10
0
*Entity
Level
Controls
**IT
***Process
General
Controls
Controls
(ITGC)
All rights reserved
solutions for world class finance
The Survey: Entity Level Controls and
Automation
70% of respondents
stated that less than
25% of ELCs are
automated
33% said zero
percent of ELCs are
automated
0%
25-50%
75-100%
<25%
50-74%
I don't know
60
50
40
30
20
10
0
*Automated
**Manual
***IT dependent / hybrid
33
© 2014 Consider Solutions
All rights reserved
solutions for world class finance
The Survey: ITGCs and Automation
50% of respondents
stated that less than
25% of ITGCs are
automated
0%
<25%
25-50%
50-74%
75-100%
I don't know
60
50
40
30
20
10
0
*Automated
**Manual
***IT dependent / hybrid
34
© 2014 Consider Solutions
All rights reserved
solutions for world class finance
The Survey: Process Controls and Automation
65% of respondents
stated that less than
25% of Process
Controls automated
0%
25-50%
75-100%
<25%
50-74%
I don't know
60
50
40
30
20
10
0
*Automated
**Manual
***IT dependent / hybrid
35
© 2014 Consider Solutions
All rights reserved
solutions for world class finance
Survey Results – Conclusions & Insights
There was a broad distribution of responses
Despite common frameworks, the taxonomy of
controls is still imprecise
Large scale ERP / systems implementation has
not raised the level of automated control
significantly
Even the majority of IT General Controls are not
automated, which might sound counter-intuitive
The majority of controls are not benefitting from
automation either in terms of implementation or
testing
ELC largely ignored by automation
36
© 2014 Consider Solutions
All rights reserved
solutions for world class finance
Potential Reasons for low penetration of
automated controls
1. Incomplete ERP implementation
2. Automation plans underway
3. Diverse landscape of financial systems with complex
interfaces
4. Insufficient benefit from automation
5. Need for management oversight & attestation
37
‐
Entity Level Controls & Policies
‐
Approvals, Authorizations and Verifications
‐
Reconciliations
‐
Reviews of Performance
‐
Security of Assets
‐
Controls over Information Systems
© 2014 Consider Solutions
All rights reserved
solutions for world class finance
Management Oversight Automation
(Example 2)
Stakeholder Focus & Prioritization
‐
Protect the board from both criminal as well as civil liability.
Risk focused, and business deep
‐
Reputational focus
Business process friendly
‐
Automation of existing attestation
‐
SoX 404(b) compliance
GRC Domains
Quick wins
Legal
Ops
IT
Finance
&
Control
Audit
GRC Context
38
© 2013 Consider Solutions
All rights reserved
solutions for world class finance
Discussion 4 (4min)
Do you believe that companies only “react”
to external governance & control
requirements (such as COSO migration,
Fraud incidents or Data security breaches)?
What can be done so that companies are
genuinely seeking to deliver business value
from GRC initiatives?
39
© 2013 Consider Solutions
All rights reserved
solutions for world class finance
Integrated GRC Portfolio Management
The Cube as the Framework for
Stakeholder Focus & Prioritization
Execute strategic interests
Manage the GRC totality
Evaluate using consistent criteria
40
© 2013 Consider Solutions
All rights reserved
solutions for world class finance
How to Prioritize Quick Wins
Identify Stakeholders
Develop GRC needs assessment
Map to strategic reference model
Assess returns by initiative
Prioritize actions
Act
Review & Refine
Repeat
41
© 2013 Consider Solutions
All rights reserved
solutions for world class finance
Key Takeaways
Strategy is critical
‐ Maturity model defines appetite
& achievement
Execution is everything
‐ Alignment needs common
understanding
Planning ensures performance
‐ Workshop assesses status & future
initiatives
42
© 2013 Consider Solutions
All rights reserved
solutions for world class finance
Questions?
Gonzalo Cuatrecasas
&
[email protected]
Dan French
[email protected]
Experiences & Observations . . .
http://www.consider.biz/thinking
43
© 2013 Consider Solutions
All rights reserved
solutions for world class finance
solutions for world class finance
GRC 2.0
A Business Friendly Framework
© 2014 Consider Solutions
All rights reserved.