The Role of Governance, Risk and Compliance in a Firm




Technology Investment: Achieving Balance Between Business Requirements and Regulatory Compliance

Over the past decade, IT organizations have endured a historic pendulum swing, from reckless IT development to painstaking entrenchment and control. As businesses operate in 2007, chief information officers (CIOs) face a vital challenge: how to swing that pendulum back without entering a second phase of uncontrolled IT activity.

It is an important question. The boomtown era of the late 1990s saw unprecedented IT growth as companies raced to build out information infrastructure with little regard to IT controls or governance. New systems were deployed, new technologies were adopted, and often, unproven practices were implemented before top executive management could integrate them under a coherent framework.

By 2002, the post-boom period had turned the information management world on its ear. Organizations faced a host of regulatory requirements, including the Sarbanes-Oxley Act, designed to increase visibility into corporate operations and information structures. And almost overnight, compliance emerged as the top priority for most IT shops.

Today, with most enterprises having achieved initial compliance, the effort is shifting toward a critical phase: Companies now strive to maintain ongoing compliance while working to drive down cost and improve overall business performance. The result is a critical three-pronged challenge for the CIO:

- Achieve and maintain regulatory compliance
- Implement rapid improvements in technology
- Maintain and leverage the existing infrastructure

In short, the mission for CIOs has shifted, from one focused on governance and control to one built on balance. Today, the effective CIO must strive to balance aspects of IT growth, business alignment, risk mitigation, operational efficiency and compliance.

The Imperative for Governance, Risk and Compliance

Achieving balance requires a robust management tool kit that integrates technology operations, business management and compliance activities into a coherent whole. Enter Governance, Risk and Compliance (GRC), an umbrella concept that integrates corporate and IT governance, risk management and compliance activities into a single framework. The thrust of GRC is to lift executive management out of the realm of point solutions and one-off processes to adopt a holistic approach toward these three interrelated concepts. GRC is not exclusive to any one level of the organization; instead, it demands complementary activities across the enterprise. Simply deploying IT architecture components is not enough. Deployments must address processes and workflows while respecting the global standards, metrics, goals and activities of the organization.

It has been said that experience is the best teacher, and nowhere is this more true than in the area of GRC. Since 2000, business and technology executives have plowed enormous resources into making business processes and IT systems fully compliant. But having seen the difficulty in aligning disparate departments and practices, these executives are looking now for ways to streamline, optimize, automate and unify ongoing GRC management activities. What is more, the goal has evolved from simply meeting regulatory targets, which can put a drag on business performance, to improving and streamlining business processes and activities. The result is a holistic effort in which the IT organization applies GRC at multiple levels of the technology environment. These levels are:

- Entitywide: This is the "whole earth" view: objectives, standards, metrics and activities that permeate the organization and apply to all of its IT environments and activities. The entitywide level applies generally to each of the specific tools, applications and systems that comprise an organization's technology environment.

- Process/Workflow: These are the specific activities in the IT organization that process the demands of the business and deliver services to it. Examples include user access management, change management and help desk. In many organizations, these activities are defined within policies and procedures, and are enabled by workflow solutions that standardize, automate and monitor the execution of the activities in a consistent manner. These activities also are evaluated for effective and efficient performance. Process and workflow comprise the set of activities that enable specific technology devices and applications to meet the needs of the organization.

- IT Architecture: This is the set of technology tools, components and devices that comprise the technical architecture of the business. The IT architecture provides the environment for the process and workflow to operate, and also to monitor and report the process workflow. IT architecture consists of hardware, software, networks and operating systems, and includes both physical and logical devices.

The Role of IT in GRC

Traditionally, the CIO has been a key factor in the risk mitigation activities of the business entity. Information security, privacy and business continuity have long been important functions within most IT organizations to identify and mitigate risks. As technology increasingly has become involved in a myriad of other critical business activities, the effective CIO has improved the ability of the organization to mitigate risk. Compliance activities have helped position the IT organization as a key player in risk identification. The roles of audit, risk and compliance have increased in importance within the IT organization. In addition, the business has seen the ability of IT to improve the awareness of risks within business activities, as well as identify and validate the operation of controls designed to mitigate business and technology risks. By expanding from a compliance-centric viewpoint to incorporate concepts of governance and risk, the CIO can better leverage IT investments and improve the alignment of business requirements and technology capabilities.

The CIO has an important role in the definition of each component of GRC. The entity-level measures are defined across the organization, but they must align with the IT architecture, that is, the ability of the organization to monitor, measure and report results. Also, the workflow and processes in the IT organization must align with the entity-level requirements, as defined and supported by the enabling technology environment. It is this linkage of entity goals, risks, performance requirements and enablement with technology that mandates the CIO be an integral member of the GRC program within an organization.

Utilizing GRC to Deliver Business Value

Using GRC as a framework, the CIO can evaluate investment decisions that enable alignment of the IT organization with the expanding requirements of the business while leveraging compliance-related focus and IT investment. For instance, during Sarbanes-Oxley compliance efforts, the organization normally focuses on the financial reporting risks and related processes and activities. In addition, the business enhances its awareness of the process activities. The result: significantly improved validation and mitigation of critical financial reporting risks. In the evolution to GRC, the organization must enhance the compliance activities and then relate them to the pervasive business risks and activities. In this manner, and enabled by the CIO, the organization achieves the following:

- Understands and documents additional risks of the business
- Documents processes that impact those risks
- Defines IT enablers of the business processes
- Improves both business and IT effectiveness and efficiency
- Confirms process effectiveness and efficiency
- Monitors alignment with enterprise requirements

One of the most important aspects of GRC evolution revolves around improving business processes and the ability to confirm the real impact of these improvements. A virtuous cycle, which enhances the efficiency of IT activities, quickly develops.

Three Legs of GRC

The Open Compliance and Ethics Group (OCEG), a not-for-profit organization that provides a framework for integrating governance, compliance, risk management and integrity into business practices, offers a succinct analogy for GRC. To wit: "The fastest cars have the best brakes."

To understand how GRC can improve business performance and ensure compliance, it is important to comprehend the underlying concepts. While IT governance, IT risk management and IT compliance are each unique disciplines in their own right, the three activities must be carefully orchestrated to enable a corporate environment that balances productivity and IT progress with effective control and management.

[Figure: Governance, Risk and Compliance (GRC). Graphic courtesy of the Open Compliance and Ethics Group.]

Inside IT Governance

Effective IT governance, at its heart, is about business alignment. CIOs must have visibility into operations and the tools to manage them. From defining requirements, return, value and quality to driving guidance and development of key policies and procedures, IT governance ensures that the technology serves the business. It sets the tone for the day-to-day management of constantly changing business requirements and resource allocations, and drives the measurement of processes against expected outcomes. IT governance includes:

- A definition of the acceptable risks within the IT environment
- Cost guidelines and expectations
- Key measures and metrics that monitor IT effectiveness
- Periodic reporting and measurement against expectations and agreements
- A framework for decision-making and changes to the operational plan
- Key policies and procedures

Regarding IT Risk Management

IT risk management is a program that identifies, sources and mitigates the many aspects of business operation that may cause objectives not to be achieved. Notably, the arena of risk management has widened, from gauging hazard and credit risks to a more global view that examines and assesses operational risks within and beyond the organization.

Contemplating IT Compliance Management

IT compliance management addresses all the regulatory requirements of business operation. From well-known and far-reaching compliance targets like Sarbanes-Oxley to a host of industry- and location-specific rules, laws and regulations, companies must ensure that they monitor and achieve shifting compliance targets. Compliance activities run the gamut, from IT infrastructure and business processes to human factors impacted by training and management.

For example, as the IT organization improves the rollout of business requirements and executes the activities efficiently, the business can operate with reduced risk of failure and increased confidence. This enables new business requirements that further drive down risk and drive up confidence. As these improvement activities are evaluated and measured in the GRC framework, the CIO can identify areas for investment, which can demonstrate returns that extend beyond the traditional view of ROI.

Prioritization of IT Initiatives

As the GRC framework is established, the next challenge is to determine the priority of new initiatives required to support and enable the business. Each new initiative creates potential changes to the existing GRC framework, establishes new requirements for services, and impacts existing resource capabilities and services. And again, the benefits of these initiatives can extend well beyond traditional ROI. New measures for determining the business value of these initiatives must be formulated; this activity demands the involvement of stakeholders within the business.

Is There a Single Solution to GRC Evolution?

In the world of technology hardware and software, there is a constant stream of new services, capabilities and solutions. As technical capability improves, companies are faced with investment decisions. CIOs will be tempted to purchase tools to improve the IT architecture aspect, but these investments also must consider the entitywide and process aspects. It is critical for CIOs to see the entire picture before making investment decisions.

Data storage offers an interesting case in point. Falling costs and improving architectures and software have compelled many businesses to invest in storage solutions. However, companies that expand the storage infrastructure without updating IT activities and processes to leverage it are asking for trouble. Not only can the new build-out impact existing network performance and complicate procedures like backup, but also the value of the updated infrastructure remains locked up until better information management capabilities can be deployed. In addition, companies have purchased additional storage as a means to address ongoing compliance issues related to records management. Despite the need for additional storage to house the electronic records to comply with regulatory issues, the storage must be a component of a broader initiative that includes identification of the risk and the processes related to governance that enable the storage to address the regulatory needs.

One mechanism CIOs can use to gain insight into technology needs is compliance technology. GRC software that enhances and enables compliance processes has made dramatic strides in functionality and stability, and is able to automate the manual processes developed for Sarbanes-Oxley and other compliance initiatives. Also improved over the past few years are the tools used to automate IT processes, such as change management and user administration. These tool sets can dramatically reduce cycle times and increase adherence to stated policies and procedures.

The Impact of IT Processes on Quality, Cost and Compliance

As we consider the three aspects of GRC (entitywide, process and IT architecture), the focus remains firmly on process. Experience remains the best teacher, and early experience with Sarbanes-Oxley revealed the critical importance of quality IT processes. Many IT shops struggled with initial Sarbanes-Oxley compliance because their IT processes were immature, lacked standardization and were loosely implemented. What's more, many businesses lacked the ability to monitor the performance of these processes. As a result, IT leaders often learned that employees were handling IT processes more as suggested approaches, rather than as repeatable methods for performing activities.

There is growing evidence that mature IT processes can produce impressive returns to the business. And within these processes, evidence mounts that investments in IT governance and internal controls can turn average IT shops into highly successful ones. For example, the IT Process Institute recently released the IT Controls Performance Study, which details a number of compelling findings, including:

- The best practices outlined by the Information Technology Infrastructure Library (ITIL) and CobiT do broadly improve performance.
- Twenty-one Foundational Controls have been identified with the largest impact on operations, security and audit performance.
- In comparing organizations, high performers enjoy the following compelling benefits:
  - Report 12 percent to 37 percent lower rates of unplanned work
  - Support 2.5 to 5 times the number of servers per administrator
  - Experience losses from security events 29 percent to 84 percent less frequently
  - Authorize and support 5 to 14 times the number of IT changes

An August 2006 Baseline magazine article commenting on the IT Process Institute study stated: "The verdict is in: the greater the adherence to controls, the better-run the information-technology shop." In other words, careful compliance controls can be good for your company.

Balancing the Pendulum of IT Focus

IT leaders should consider the following key actions to address this balancing act:

1. Increase the understanding of business requirements for the IT organization.
2. Use IT governance as a platform to leverage the investment in compliance.
3. Incorporate risk identification into the decision-making process for IT investment (e.g., include risk impact in the ROI model).
4. Take a comprehensive view of GRC to strengthen the efforts to prioritize the demands of the business on IT.

IT stands at a critical crossroads. Many IT leaders seek a state of balance that allows IT to align with the business without losing sight of the investments poured into compliance. Effective IT leaders recognize that failing to address both IT-business alignment and ongoing compliance threatens to produce another swing of the pendulum. The good news is IT leaders have an opportunity to regain control of their project portfolio. Projects delayed by the crush of Sarbanes-Oxley activities can be addressed now. The task at hand is to identify how exactly to move forward in a balanced fashion that improves business performance while maintaining focus on compliance.

In short, CIOs must weigh investment decisions while respecting all three critical aspects of the technology environment: entitywide, process and IT architecture. We recommend implementing GRC as a framework for permeating the decision-making process in an organization. The implementation of an integrated environment to improve governance, manage risk and enable compliance will provide the CIO with the tools to drive improved business alignment, and ultimately, business value. In the end, IT leaders who take advantage of the investments in compliance, while balancing the governance and risk processes, will be able to make future decisions that better enable alignment with the business requirements of technology.

About Protiviti

Protiviti (www.protiviti.com) is a leading provider of independent risk consulting and internal audit services. We provide consulting and advisory services to help clients identify, assess, measure and manage financial, operational and technology-related risks encountered in their industries, and assist in the implementation of the processes and controls to enable their continued monitoring. We also offer a full spectrum of internal audit services to assist management and directors with their internal audit functions, including full outsourcing, co-sourcing, technology and tool implementation, and quality assessment and readiness reviews. Protiviti, which has 60 locations in the Americas, Asia-Pacific and Europe, is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

This white paper is sponsored by:

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

protiviti.com 1.888.556.7420

2007 Protiviti Inc. All rights reserved. An Equal Opportunity Employer. PRO-0907-103015