GRC Program Best Practices & Lessons Learned



Similar documents
IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

RSA ARCHER AUDIT MANAGEMENT

RSA ARCHER OPERATIONAL RISK MANAGEMENT

Enterprise Risk Management & Information Technology

IT Governance, Risk and Compliance (GRC) : A Strategic Priority. Joerg Asma

OPTIMUS SBR. Optimizing Results with Business Intelligence Governance CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE.

Using Enterprise Governance, Risk, And Compliance (EGRC) Tools For Improved Management Of Security And Privacy. June 23, 2015

RSA Archer Training. Governance, Risk and Compliance. Managing enterprise-wide governance, risk and compliance through training and education

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013

Helping Enterprises Succeed: Responsible Corporate Strategy and Intelligent Business Insights

RSA, The Security Division of EMC. Zamanta Anguiano Sales Manager RSA

Advancing Analytics in Your Organization

Symantec Consulting Services

Continuous Controls Monitoring. Virginia ISACA January Meeting 19 January 2010

Outperform Financial Objectives and Enable Regulatory Compliance

Governance, Risk, Compliance and Beyond: The Emergence of Strategic IT Risk Management

SESSION 709 Wednesday, November 4, 9:00am - 10:00am Track: Strategic View

ORACLE ENTERPRISE GOVERNANCE, RISK, AND COMPLIANCE MANAGER FUSION EDITION

Fortune 500 Medical Devices Company Addresses Unique Device Identification

Visual Enterprise Architecture

Paisley Enterprise GRC Audit Profile. Linda Bergs

Maximizing Your IT Value with Well-Aligned Governance August 3, 2012

IT Risk Management Life Cycle and enabling it with GRC Technology

RSA Archer Risk Intelligence

Risk & Audit Committee California Public Employees Retirement System

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.

Process-Based Business Transformation. Todd Lohr, Practice Director

Module 6 Essentials of Enterprise Architecture Tools

COBIT Helps Organizations Meet Performance and Compliance Requirements

BUSINESS INTELLIGENCE COMPETENCY CENTER (BICC) HELPING ORGANIZATIONS EFFECTIVELY MANAGE ENTERPRISE DATA

Beyond risk identification Evolving provider ERM programs

Enterprise in the Cloud. Consolidating 21 systems into an enterprise system using Cloud Services. March 8, 2011

XBRL & GRC Future opportunities?

How RSA has helped EMC to secure its Virtual Infrastructure

Pulling it all together: Integrated Solutions for Governance, Risk and Compliance

RSA ARCHER BUSINESS CONTINUITY MANAGEMENT AND OPERATIONS Solution Brief

Client Onboarding Process Reengineering: Performance Management of Client Onboarding Programs

SPEAKER: Harry van Huyssteen

How To Improve Your Business

Lessons from McKesson s Approach to Maintaining a Mature, Cost-Effective Sarbanes-Oxley Program

Guide to Going Paperless in the Cloud. IDEAL.com, Parklawn Drive, Rockville, MD IDEAL -

Begin Your BI Journey

Banking Application Modernization and Portfolio Management

1/8/2012. Gordon Shevlin, Allgress, Founder, CEO Kyle Starkey, CISO, Early Warning Services. Effectively Communicating IT Risk to Senior Management

Successful Outsourcing of Data Warehouse Support

How To Transform It Risk Management

IT UNIFICATION Vision, Impact & Strategy. May 2015

GOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts

Global Headquarters: 5 Speen Street Framingham, MA USA P F

EMA Service Catalog Assessment Service

KPMG s Financial Management Practice. kpmg.com

Enterprise Level Change Control: A Life Science Business Imperative. Presented by: Carl Ning Solutions Delivery Manager Sparta Systems

Agile Master Data Management A Better Approach than Trial and Error

IIA Conference. September 18, Paige Needling Director, Global Information Security Recall, Inc.

I N D U S T R Y D E V E L O P M E N T S A N D M O D E L S. I D C M a t u r i t y M o d e l : P r i n t a n d D o c u m e n t M a n a g e m e n t

14 October 2015 ISACA Curaçao Conference By: Paul Helmich

Building for the future

White Paper March Government performance management Set goals, drive accountability and improve outcomes

SIMATIC IT Production Suite Answers for industry.

Auditing IT Governance Steve Hunt October 11, 2012

Driving Business Value. A closer look at ERP consolidations and upgrades

Implementing a Data Governance Initiative

TECHNOLOGY SOLUTIONS FOR THE INTERNAL AUDITOR

Introducing Strategic Meetings Management Solutions

Increasing Efficiency across the Value Chain with Master Data Management

EMC HYBRID CLOUD FOR SAP

Big Data Industry Approaches to Operational Excellence

The Role of the Board in Enterprise Risk Management

Global Headquarters: 5 Speen Street Framingham, MA USA P F

REALIZING MAXIMUM BENEFITS FROM GOVERNANCE, RISKS AND COMPLIANCE (GRC) TOOLS

Mapping COBIT 5 with IT Governance, Risk and Compliance at Ecopetrol S.A. By Alberto León Lozano, CISA, CGEIT, CIA, CRMA

Governance, Risk, and Compliance (GRC) White Paper

Improving Financial Performance, Governance and Compliance

Manage Compliance with External Requirements

HR Technology Strategies that Work in Healthcare. Background

Symantec Control Compliance Suite. Overview

Supporting Compliance Management with Technology

SIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security

Critical Steps to Help Small and Mid-Sized Businesses Ensure CRM Success

Cross-Domain Service Management vs. Traditional IT Service Management for Service Providers

through an automated service catalog

building a business case for governance, risk and compliance

Quality Takes Lead in MOM Software Deployments and Performance Benefits

How To Make The Most of Your Customer Reference Program

Data Governance. Unlocking Value and Controlling Risk. Data Governance.

The Rising Opportunity for CMO-CIO Collaboration in the Pharmaceutical Industry

How To Choose A Test Maturity Assessment Model

Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation

Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff

An Overview of the Convergence of BI & BPM

The following is intended to outline our general product direction. It is intended for informational purposes only, and may not be incorporated into

How can Identity and Access Management help me to improve compliance and drive business performance?

Enhancing IT Governance, Risk and Compliance Management (IT GRC)

10 Steps to a Successful Digital Asset Management Implementation by SrIkAnth raghavan, DIrector, ProDuct MAnAgeMent

How To Manage Data In Real Time

An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management

Case Study: ICICI BANK INTERNAL AUDIT DEPARTMENT PENTANA AUDIT WORK SYSTEM IMPLEMENTATION

The RSA Solution for. infrastructure security and compliance. A GRC foundation for VMware. Solution Brief

Steel supply chain transformation challenges Key learnings

BI STRATEGY FRAMEWORK

Transcription:

GRC Program Best Practices & Lessons Learned Steps to Establishing and Maturing a GRC program Carl Sawicki, American Express Kathleen Randall, RSA Archer 1

Abstract In today s world, few organization s contest the value of a GRC tool to increase the efficiency and effectiveness of their programs. But getting budget approval, organization buy-in and executing on a successful implementation can be daunting tasks to take on. How do you measure the cost and ROI of an implementation, so that you can present the case to management? How do you identify the maturity and design of your GRC program, and plan on an appropriate GRC implementation given your current state? This presentation will guide you through these questions to help you determine if what it takes to have a successful GRC implementation at your organization. 2

Today s Speakers Carl Sawicki American Express, Director of Technical Delivery Carl is responsible for delivering technical solutions that have a focus around the areas of Operational Risk and Information Security for American Express. With his 33 years of experience in various technical roles and 23 of those years at his current company, Carl works with a variety of business partners across the enterprise to deliver solutions and support their needs for GRC (Governance, Risk & Compliance). With the ever changing landscape of complex regulatory demands for the Financial & Banking Industry, Carl and his team have to be ready to understand, support and deliver to this demand with a variety of GRC platforms and custom solutions that he is responsible for. Kathleen Randall RSA Archer, Senior GRC Account Manager As a Senior Account Manager specializing in the RSA Archer egrc product suite, Kathleen is responsible for managing Archer s strategic customer accounts located in the southwest U.S. region. Kathleen has domain expertise in risk, audit, compliance and security domains, and has earned the CISSP, CISA, and GSNA designations. Prior to joining RSA, Kathleen was a part of the Deloitte & Touche s Enterprise Risk Services group. She has led enterprise risk assessments, internal audit projects, and global risk and audit assessments for Fortune 500 organizations. She was also formerly the Regional Director of ControlPath, a GRC software solution acquired by Trustwave, responsible for channel and direct sales. Kathleen has served as a SANS course reviewer and course contributor, and has spoken several ISACA and IIA events. 3

Today s Agenda Opportunities Where you are now? Next Steps Recommendations to get you there Ideal State Definition Where you want to go? 4

Maximizing Return What to Consider Set Requirements and Design Key Stakeholders Engaged Define Process, Content & Infrastructure Program Strategy 5

What is GRC Tool ROI? Project definition ROI = View of implementation plan (short-run VS long-run) + Costs Cross-domain strategy Technology Bridging people, process and technology Program Sponsorship 6

GRC Tool ROI Spectrum Where do you see your organization? Basic Use-cases identified Customer Profile Focused use-cases Single domain Largely compliance focused Defined All Basic elements plus Current state objectives and use-cases identified Processes identified Requirements documented plans developed team identified Customer Profile Use-cases largely align to out-of-the-box Single domain Foundational All Defined elements plus Forward-looking objectives set and coordinated Integrated, streamlined processes and content for a single domain Scalable infrastructure plan Key stakeholders trained Customer Profile Mix of out-of-the-box as well as unique use-cases Single domain Compliance and risk focused Leading All Foundational elements plus egrc vision, scope, and strategy considered Enterprise-wide adoption Integrated, streamlined processes and content across domains Understanding of business risk Complete content taxonomy and visibility Fully enabled stakeholders Customer Profile Many unique and/or industry specific use-cases Multiple domains Governance, risk and compliance focused Largely compliance focused 7

GRC Tool ROI Spectrum Moving from Basic to Defined : Return Drivers ROI = Project definition View of implementation plan (short-run VS long-run) Cross-domain strategy Technology Bridging people, process and technology Program sponsorship + Costs Return Drivers Project definition View of implementation plan (short-run versus long-run) Ability to bridge people, process and technology Technology leverage Cross-domain strategy Program consideration 8

GRC Tool ROI Spectrum Moving from Basic to Defined : Recommended Steps Step 1: Align current state use cases Step 2: Identify process and content Step 3: Develop implementation project plans Step 4: Identify implementation team 9

GRC Tool ROI Spectrum Moving from Defined to Foundational ROI = Project definition View of implementation plan (short-run VS long-run) Cross-domain strategy Technology Bridging people, process and technology Program sponsorship + Costs Return Drivers Project definition View of implementation plan (short-run VS long-run) Ability to bridge people, process and technology Technology leverage (full suite of modules) Cross-domain strategy Program consideration 10

GRC Tool ROI Spectrum Moving from Defined to Foundational Step 1: Identify future state use-case and objectives across domains Step 2: Document, benchmark and optimize process and content for a single domain Step 3: Evaluate success metrics Step 4: Introduce convergence of processes Step 5: Engage & alignment of stakeholders to program vision 11

GRC Tool ROI Spectrum Moving from Foundational to Leading ROI = Project definition View of implementation plan (short-run VS long-run) Cross-domain strategy Technology Bridging people, process and technology Program sponsorship + Costs Return Drivers Project definition View of implementation plan (short-run VS long-run) Ability to bridge people, process and technology Technology leverage (full suite of modules) Cross-domain strategy Program stakeholders 12

GRC Tool ROI Spectrum Moving from Foundational to Leading Step 1: Formalize egrc program (Framework, Vision, Scope) Step 2: Document, benchmark and optimize process and content for multiple domains Step 3: Identify data gaps and consolidate siloes of information (common taxonomy) Step 4: Fully enable and align stakeholders continuously reviewing 13

GRC Tool GRC Maturity Spectrum What s next? Risk Identification & Reaction Silo d, fragmented information Get it done mentality No/minimal dedicated resources Risk Awareness & Anticipation Efficiency and automation Basic governance and strategy Increased accountability Key risk appetites known Risk Integration & Collaboration Continuous monitoring and improvement Enterprise objectives set and coordinated Complete content taxonomy and visibility Integrated, streamlined processes GRC Optimization & Intelligence Risks identified Risk posture understood Aggregated, prioritized view managing key performance indicators Active governance Automated, integrated systems 14

Questions? Comments? Carl Sawicki carl.a.sawicki@aexp.com 602.766.7338 Kathleen Randall Kathleen.randall@rsa.com 310.318.4883 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information