Governance, Risk & Compliance

Transcription

1 Governance, Risk & Compliance ERM enabled by ARIS Workshop Sistemi IT per la Compliance 30 giugno 2011 Lorenzo Fornai Lorenzo Capozza

2 Software AG at a glance Revenue over 1 billion Global Leader for Process & Integration Solutions 10,000 enterprise & public customers Over 5,600 employees worldwide 3,500 services consultants 850 R&D staff Offices in 70+ countries Software AG Foundation

3 Software AG's development (in mn. ) 1,

4 Software AG from 2003 to 2011 EUR 120 Stock price webmethods takeover IDS Scheer takeover Goal: 1 bn. 20 Financial crisis

5 Introduction How ARIS enables COSO II ERM & Compliance Management Conclusions and project examples 5

6 Influence on organizations interest in GRC convergence Source: The convergence challenge, Feb. 2010, KPMG in cooperation with the Economist Intelligence unit. 6

7 Successful GRC Management is about maintaining balance Manage your risk Ensure compliance Disclosure by reports 7

8 ARIS GRC Recognized by Analysts (October 2010) Largest BPM vendor delivering a GRCM solution on a robust platform. Business process analysis capabilities enable mapping of processes against risks and controls aligning risks with process steps and enabling business process improvements. Useful for organizations with a strategic approach and seeking to align GRC activities to business processes and objectives. Positioned in the Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms 8

9 Introduction How ARIS enables COSO II ERM & Compliance Management Conclusions and project examples 10

10 ARIS Software to support GRC activities DESIGN EXECUTION MONITORING Modelling Test Mngt and documentation Survey Management Sign-off Management Flexible Dashboard/ Mashups Publishing (Op.) Risk Management Loss & Incident Management Issue Management Administration / Reporting Deficiency Management ABICS

11 Esempi di metodologia applicata 14

12 Il tracciato ABICS in ARIS Content (COSO e.g.) Methodology Governance (workflow) Software Organigrammi Processi Riferimenti Rischi Controlli Aggiornamenti via Web services Azioni correttive ABICS Tassonomia processi Legal inventory id_processo id_disposizione responsabile argomento fonte descrizione riferimento flag_rischio flag_rischio flag_rischio sanzione_detentiva altre_sanzioni pubbl_quotidiano descrizione rischio sanzione amministrativa sanzione civile 15

13 La legal inventory in ARIS 16

14 La legal inventory in ARIS 17

15 La matrice di trasposizione tassonomia ABILAB - Azienda 18

16 La gestione degli aggiornamenti: il versioning ARIS 19

17 Dai riferimenti normativi ai rischi 20

18 La valutazione dei rischi 21

19 La repostistica standard: office Report di sintesi Report di dettaglio 22

20 La repostistica con ARIS MashZone 23

21 Compliance Management Regulation Interpretation of regulation / norms Covered regulations Implemented control in processes

22 Internal Environment Questionnaires to check and ask for commitment concerning Internal Environment topics 26

23 Objective setting Define Strategy (Balanced Score Card) Strategic Objectives (Objective diagram) Identify Risks that avoid goal achievement (Risk Tree) Operationalize KPI s (KPI Alloc. Diagram) 27

24 Risk Assessment Define Strategy (Balanced Score Card) Strategic Objectives (Objective diagram) Identify Risks that avoid goal achievement (Risk Tree) Risk Assessment data 28 Identify process(es) where the Risk occurs

25 Risk Assessment Risk Planning based on Risk Management data Execute Risk Assessment (after notification) Instructies voor Risk Assessment Risk Assessment instructions Review approval on Risk Assessment Gross & Residual Kwantitatieve aanduiding Quantitative evaluation of the Risk Verwachte bruto en netto schade (kwantit.) wordt Automatically automatisch uitgerekend calculated losses Kwalitatieve Gross & Residual aanduiding Qualitative evaluation of the Risk 29

26 Risk Assessment Risk Monitoring Qualitatively Quantitatively Risk Assessment results Risk History Risk Mitigation by an implemented Control 30

27 Risk Response Reaching a Threshold of Risk Value Notification to Risk Owner Automated action/issue created Management Action Report High Occurence frequency Reduce Accept Avoid Share Low Amount of Damage High 31

28 Issue Management workflow Issue Creator Create Issue Document weakness/ defect Issue Management Issue Owner Receive issue Initiate/Exec improvements Document results Issue Reviewer New Receive review task Document evaluation/ Closure In progress Owner On hold Reviewer To be approved Closed Approved Not possible Not approved 32

29 Control Activities Execute control assessments Review and follow up Closed audit trail 33

30 Design reports ARIS reports for SAS 70, Solvency, SOx 404, 262, 231, Risk & Control matrices, etc. 34

31 Questionnairs 35

32 Monitoring Risk Monitoring Control Monitoring 36

33 Monitoring 37

34 ARIS Solution for GRC How ARIS enables COSO II ERM & Compliance Management Conclusions and project examples 39

35 Standard workflow Risk & Compliance Objectives Regulations Risks Control system Execution of Control Assessments Results Sign-off Risk Control Test case Test definition Survey & Questionair Risk assessment Risk assessment case Issue Management Issue Monitoring Risk review 40

36 Governance of Roles with tasks & responsibilities Company role ARIS Role Tasks & Responsibilities BU Mngr/BoD (accountable of all processes) ARCM client Sign-off Monitor Risk & Control Assessmnt results Internal Control / QM (independent controller of process & content) Sign-off Mngr Issue Mngr Test & Risk Reviewer Initiate & monitor sign-off Monitor Issues Initiate and review Risk Assessmnt Judge not-effective test cases Process Owners (responsible for own risks and mitigation) Process Reviewer Risk Owner Issue Owner Approve/Reject new processes Execute Risk Assessments Solve Issues within your process Process Tester (responsible for testing) End User (responsible for tasks) Tester (control assessments) Reading ARIS Business Publisher 41 Executing test of design & effectiveness Execute business tasks

37 Integrated approach for Compliancy and ERM This solution: - Brings several GRC activities together (risk, control, compl., performance) - Different regulation covered by one requirement: less controls, less testing - One repository integrated with ABICS2 results in transparency, efficiency and improved quality - Higher acceptance by clear governance and excellent dashboard and reporting 42

38 Key arguments & Business Benefits Process-driven GRC is success factor ARIS market leader in BPM Seamless integration between Processes, Risks & Controls, Organization Transparency Mapping of Risk & Controls Ownership of Risk and Controls Consistency By common approach for Control testing & risk assessment Common data structures Easy disclosure of information to different target groups Central repository Closed loop for business improvements: Objectives, KPI s, Processes, Risks,.. Cost reductions (~30%) by: Reuse of items & topics Less alignment needed Lower TCO Higher effectiveness by: Standardization Adaptation to new regulations Quality improvement by: Less errors in data maintenance and administration Easier cooperation of IT, Business & Corporate Functions Fact based decision making Lower Enterprise Risks by: Better Governance due to clear ownership Unified methodology Source: customer evaluations

39 Governance, Risk & Compliance Management Check our References! 44

40 Governance, Risk & Compliance ERM enabled by ARIS Lorenzo Fornai Lorenzo Capozza