Governance, Risk & Compliance: A practical approach
14 October 2015, ISACA Curaçao Conference
By: Paul Helmich
Topics today
What is GRC?
How much of all the GRC literature, tools, etc. do I need to study to deploy it successfully?
How can we adapt the GRC concepts to the needs of local companies in the Dutch Caribbean?
GRC
Governance, risk management and compliance: an increasingly used umbrella term that covers these three areas of enterprise activity. These areas are progressively being aligned and integrated to improve enterprise performance and the delivery of stakeholder needs.
GRC Definitions
Governance, Risk Management, and Compliance (GRC) are three pillars that work together for the purpose of assuring that an organization meets its objectives.
Governance is the combination of processes established and executed by the board of directors that are reflected in the organization's structure and how it is managed and led toward achieving goals.
Risk management is predicting and managing risks that could hinder the organization from achieving its objectives.
Compliance with the company's policies and procedures, laws and regulations, and adopted standards is considered key to an organization's success.
Interrelationships of GRC domains
Governance: Set and evaluate performance against objectives. Authorize business strategy & model to achieve objectives.
Culture: Establish an organizational climate and individual mindset that promotes trust, integrity, and accountability.
Risk Management: Identify, assess, and address potential obstacles to achieving objectives. Identify / address violation of mandated and voluntary boundaries.
Compliance: Encourage / require compliance with established policies and boundaries. Detect non-compliance and respond accordingly.
Types of GRC
Literature used to distinguish between two main types of GRC:
Enterprise GRC
IT GRC
However, things have become increasingly complex and confusing. There is a multitude of standards, regulations, tools and definitions. Several standards compete and overlap, e.g. COBIT, ISO 31000, COSO, OCEG and ISO 31100.
A practical GRC model
Governance: AO/IC, Organization, Code of Corporate Governance, Regulator
Risk Management: Financial, Legal, Reputational, Operational, IT
Compliance: Regulatory, Self-adopted international standards
Compliance is not just regulatory. There is also commercial compliance, meaning things you need to have in place in order to do business with X. For example a SOC 1/2/3 statement (used to be SAS70), or an ISO certification.
GRC Requirements and Complexity (diagram)
Regulations and frameworks shown: SOX, JSOX, FDA, Basel II, EU Directives, HIPAA, GLBA.
Countries: U.S., Germany, Japan, U.K., France, China, Canada, India.
Requirement areas: Records Retention, IT Governance, Credit Risk Mgmt, Strategic Alignment, Workforce Governance, Financial Reporting Compliance, Market Risk Mgmt, Audit Management, Legal Discovery, Data Privacy, Operational Risk Mgmt, Supply Chain Traceability, Service Level Compliance.
Business functions and parties: Engineering, Manufacturing, Sales & Mktg, Purchasing, Service, Finance, Suppliers, Customers.
Systems: Apps Server, Data Warehouse, Database, Mainframes, Mobile Devices, Enterprise Applications.
GRC Framework: Converging Requirements (diagram)
Requirement sources: Basel OR-AMA, Internal Controls, Audit, Info Security, COBIT, KYC, RegNMS, MiFiD, AML.
Shared capabilities: Analytics & Reporting, Capital Calculations, Attestations, Action Planning, Case Management, Behavior Detection, Controls Testing, RCSA, KRI, Events Management.
GRC Infrastructure: Process Maps, Reference Data, Oversight Library.
GRC platform vendor scoring
Source: Forrester Research
Tools, analytics, dashboards (diagram: Managing Risk, Performance & Profitability Across the Enterprise)
Components: Databases, Data Warehouse, Profitability / Risk Engine, Analytics Server, BI Dashboards.
Outputs: Profitability, Performance, Risk Management, Compliance.
Sample dashboard
But before you proceed
Make use of nearly a decade of tips, pitfalls, and lessons learned.
Many of the available tools and methodologies may prove to be a bridge too far.
How well do the available tools and standards translate from the environments they were designed for to your actual environment in the Dutch Caribbean?
Localize the solution
To answer that question, ask how your organization differs from those that the tools and risk methodologies were developed for. Adapt the core essence of GRC thinking to the specific needs of your company.
Consider:
Your size (e.g. headcount)
Existing capabilities and training absorption limits
Your compliance regime (less complex and rigorous in the Dutch Caribbean, especially outside the financial sector)
Your risk management maturity level and the needs felt at the top
Tips
You cannot buy an IT tool to get better at risk management. The tool automates a good process. So you need to have a good process first, in Excel, in emails etc. Understand the workflow.
GRC tools all have the same functions, like surveys, asset management, policy library, risk registers, dashboards, etc.
Start with a low-tech bottom-up approach. Steps & tools for that will be covered in part 2 of this presentation!
Risk Maturity Index
First, it is advisable to self-assess how mature your current risk management is. One of the possible tools for this is the Aon Risk Maturity Index. It is an online diagnostic tool designed to evaluate an organization's self-reported risk management practices against 10 characteristics of risk maturity:
1. Board Understanding & Commitment to Risk Management
2. Executive Level Risk Management Stewardship
3. Risk Communication
4. Risk Culture: Engagement & Accountability
5. Risk Identification
6. Stakeholder Participation in Risk Management
7. Risk Information & Decision Making Processes
8. Integrating Risk Management & Human Capital Processes
9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
10. Risk Management Focus on Value Creation
Source: Aon Risk Solutions. See http://www.aon.com/rmi/
Risk Maturity Index
How do you think your organization will score?
Source: Aon Risk Solutions. See http://www.aon.com/rmi/
Top 10 Global Risks
Source: Aon Risk Solutions. See http://www.aon.com/2015globalrisk/default.jsp
Storytelling
Let us side-step for a few minutes to another topic that may prove useful. The purpose of this is to aid those in Security, Risk, Compliance or Audit functions to get their messages across more effectively. A complement to dashboards.
Credit for this section goes to the Gartner Security and Risk Management Summit 2015.
Storytelling is as old as humankind
What is Storytelling, and why tell stories?
The conveyance of events in words and images, using improvisation or embellishment.
There is much information available online on posture, tone, approach, tips, etc.
A story can go where quantitative analysis cannot: our hearts.
"Data can persuade people, but it does not inspire them to act; to do that, you need to wrap your vision in a story that fires the imagination and stirs the soul."
Focus on being interesting rather than complete.
A story about my neighbor's wife
If your stakeholders do not get all the relevant information, bad decisions get made and you are left with exposure to risk!
Back to GRC
What does ISACA have to offer when it comes to Governance, Risk & Compliance? Primarily COBIT 5, which is a framework for IT GRC. However, its concepts may be extended beyond IT and, up to a point, used at the level of Enterprise GRC.
ISACA and COBIT
ISACA actively promotes research that results in the development of products both relevant and useful to IT governance, risk, control, assurance and security professionals.
ISACA developed and maintains the internationally recognized COBIT framework, helping IT professionals and enterprise leaders fulfil their IT governance responsibilities while delivering value to the business.
Risk Management in COBIT 5
Source: COBIT 5, figure 16. 2012 ISACA. All rights reserved.
Risk Management in COBIT 5 (cont.)
Five steps
1. Which scary threats may harm our objectives?
2. How exposed are we to those threats?
3. Which risk treatment do we prefer?
4. Execute your chosen risk management actions.
5. Measure effectiveness and adjust where needed.
Five steps: tools per step
1. Identify Risk: risk register, risk scenarios.
2. Assess Risk: risk appetite threshold, risk perceptions, likelihood & impact exercises, BIAs, asset inventory, business process mapping to assets (architecture), control libraries, residual risk.
3. Plan action: risk treatment plan (Accept, Avoid, Transfer or Mitigate).
4. Treat the risk: project management methodologies, formal acceptance forms, insurance policies purchased & logged, etc.
5. Measure effects & report: Key Risk Indicators (KRI), heatmaps, dashboards.
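As an added illustration (not from the slides, COBIT or ISACA), the following Python sketch runs steps 1, 2, 3 and 5 on a constructed four-entry register: likelihood and impact give an inherent score, existing controls reduce it to a residual score, the residual is tested against a risk appetite threshold, and an "Accept" above appetite is flagged as needing a formal acceptance form; the summary is the kind of KRI a heatmap or dashboard would show. The 5x5 scale, the threshold of 8, the heatmap cut-offs and all scenarios are assumptions.

```python
from dataclasses import dataclass

# Constructed appetite threshold on a 5x5 likelihood x impact scale (scores 1..25);
# a residual score above it is outside appetite and may not simply be accepted.
RISK_APPETITE = 8
TREATMENTS = ("Accept", "Avoid", "Transfer", "Mitigate")   # step 3 options

@dataclass
class Risk:
    scenario: str          # step 1: scenario as entered in the risk register
    likelihood: int        # step 2: 1 (rare) .. 5 (almost certain)
    impact: int            # step 2: 1 (negligible) .. 5 (severe)
    control_effect: float  # share of inherent score removed by existing controls, 0..1
    treatment: str         # step 3: chosen treatment

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:  # whole-number score so the risk lands in one heatmap cell
        return max(1, round(self.inherent() * (1 - self.control_effect)))

def heatmap_band(score: int) -> str:  # step 5: heatmap colour band (constructed cut-offs)
    return "red" if score >= 15 else "amber" if score >= 8 else "green"

def review(register, appetite=RISK_APPETITE):
    """Score each entry against the appetite threshold; an 'Accept' above appetite
    is flagged because it needs a formal acceptance form (step 4)."""
    rows = []
    for r in register:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5
                and 0 <= r.control_effect <= 1 and r.treatment in TREATMENTS):
            raise ValueError(f"invalid register entry: {r.scenario!r}")
        res = r.residual()
        rows.append({"scenario": r.scenario, "inherent": r.inherent(), "residual": res,
                     "band": heatmap_band(res), "treatment": r.treatment,
                     "outside_appetite": res > appetite,
                     "needs_formal_acceptance": res > appetite and r.treatment == "Accept"})
    return rows

def kri_summary(rows):  # step 5: key risk indicators for the dashboard
    return {"outside_appetite": sum(x["outside_appetite"] for x in rows),
            "unapproved_acceptances": sum(x["needs_formal_acceptance"] for x in rows),
            "by_band": {b: sum(x["band"] == b for x in rows) for b in ("red", "amber", "green")}}

SAMPLE_REGISTER = [  # constructed sample register: hypothetical scenarios and scores
    Risk("Ransomware encrypts the file server", 4, 5, 0.25, "Mitigate"),
    Risk("Key supplier outage", 3, 3, 0.0, "Transfer"),
    Risk("Unsupported legacy application", 4, 4, 0.25, "Accept"),
    Risk("Late regulatory filing", 2, 2, 0.0, "Accept"),
]
```

Running `review(SAMPLE_REGISTER)` followed by `kri_summary(...)` on the result lists three entries outside appetite, one of which is an acceptance that still lacks a formal acceptance form.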
Further reading
Storytelling: Tips for IT practitioners to persuade and influence
Why Communication Fails: Five Reasons the Business Doesn't Get Security's Message
Risk: The Science and Politics of Fear (by Dan Gardner, available at Amazon.com)
Questions
Contact us
Novodiem specializes in: Risk Management, Project Management, Information Security & IT audit
Paul Helmich, CISM, CISSP
Tel: +5999-5218399
E: phelmich@novodiem-bv.com
Web: www.novodiem-bv.com
Appendix Optional slides
Tool selection
If you do decide to purchase an IT tool, it will be essential to go through a thorough requirements definition process. Also analyze the need for having one platform versus point solutions per use case.
Gartner sees 7 main GRC use cases (next slide). Only 4 vendors adequately cover 4 or more of those use cases in one single tool. Those vendors are RSA Archer, MetricStream, LockPath and Modulo.
However, the key to success is to build your own use cases and match the top 3 to tool functions. Model and document your OWN processes and workflow for those use cases. Involve your business owners.
Gartner's 7 main GRC use cases