Pulling it all together: Integrated Solutions for Governance, Risk and Compliance



Similar documents
Integrating GRC with Performance Management Demands Enterprise Solutions

Moving Forward with IT Governance and COBIT

How Insurance Companies Can Beat the Talent Crisis

Data Governance Implementation

Data Governance Implementation

Consulting. PMOver Transforming the Program Management Office into a Results Management Office

Fortune 500 Medical Devices Company Addresses Unique Device Identification

Convercent Predictive Analytics

Take the right steps 9 principles for building the Risk Intelligent Enterprise

IT Transformation. Moving Beyond Service Management to a Strategic Business Role. August kpmg.com

The heart of your business*

Customer effectiveness

Services for the CFO Financial Management Consulting

Big Data Industry Approaches to Operational Excellence

CFO Insights: Gaining fi nancial visibility into your project portfolio

04 Executive Summary. 08 What is a BI Strategy. 10 BI Strategy Overview. 24 Getting Started. 28 How SAP Can Help. 33 More Information

treasury risk management

Deloitte and SuccessFactors Workforce Analytics & Planning for Federal Government

SAP Thought Leadership Business Intelligence IMPLEMENTING BUSINESS INTELLIGENCE STANDARDS SAVE MONEY AND IMPROVE BUSINESS INSIGHT

Turning Information into Knowledge in a post-bradley Environment Monish Paul & Bhavesh Chavda

Title here. Successful Business Model Transformation. in the Financial Services Industry. KPMG s Evolving World of Risk Management SECTORS AND THEMES

How To Understand The Business Case For An Analytics Firm

U.S. CFO Program The Four Faces of the CFO Deloitte Touche Tohmatsu

Transforming Internal Audit: A Maturity Model from Data Analytics to Continuous Assurance

Human resources benchmark for insurance Overview

Medicaid Enterprise Data Governance Approach. MESConference August 21, 2012 Rashmi Menon, Deloitte Consulting LLP

Helping Enterprises Succeed: Responsible Corporate Strategy and Intelligent Business Insights

OPTIMUS SBR. Optimizing Results with Business Intelligence Governance CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE.

Creating Requirements Specification for Asset Management Dashboards Norman A. Pugh-Newby, CPPA

Sarbanes-Oxley Section 404: Compliance Challenges for Foreign Private Issuers

Cybersecurity: Mission integration to protect your assets

Building a Roadmap to Robust Identity and Access Management

Thought Leadership White Paper Strategies for Effective Job Scheduler Consolidation

Talent Management in U.S. Financial Services: Attracting and Engaging Generation Y

Identity and Access Management Point of View

Unlock your digital marketing potential

Enterprise Risk Management

Clinical TOTAL CLINICAL THE COMPLETE CLINICAL CLOUD. Clinical on the Cloud. Total. Clinical Data Management. Operations. Clinical

Is business ready to grow? How human capital and talent technology are influencing global business

GRC Program Best Practices & Lessons Learned

Agile enterprise content management and the IBM Information Agenda.

Software Industry KPIs that Matter

Cisco Unified Communications and Collaboration technology is changing the way we go about the business of the University.

Financial close, consolidation, and reporting Leveraging process alignment and Oracle Hyperion EPM Tools

CFO Insights How CFOs Can Own Analytics

Empower your talent with learning

Using business intelligence to drive performance through accuracy in insight

Release Management: Effective practices for IT delivery

The ROI of Data Governance: Seven Ways Your Data Governance Program Can Help You Save Money

Tapping the benefits of business analytics and optimization

Enterprise contact center A strategic opportunity for health care providers

Lowering business costs: Mitigating risk in the software delivery lifecycle

NCOE whitepaper Master Data Deployment and Management in a Global ERP Implementation

Management consulting services. Consulting, 2015

perspective Progressive Organization

Framing the future of corporate governance Deloitte Governance Framework

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

Risk Intelligence series. Creating a Risk Intelligent infrastructure Getting Risk Intelligence done

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

Building and Sustaining a Strong Organization Amid Challenge And Change KPMG LLP

Supplier Relationship Management (SRM) Redefining the value of strategic supplier collaboration

Make information work to your advantage. Help reduce operating costs, respond to competitive pressures, and improve collaboration.

Finding the Sweet Spot. Using analytics to combine Fraud and AML

HR AS A SERVICE: Driving Workforce Competitive Advantage. Drive Workforce Competitive Advantage with HR as a Service

Putting it all together Using technology to drive tax business processes

Outperform Financial Objectives and Enable Regulatory Compliance

Information Life Cycle Management (ILM)

Corporate Secretarial Services Your guide to corporate compliance

Planning, Budgeting and Forecasting

Strategies for optimizing your cash management

FINANCE TRANSFORMATION CHALLENGES

Product Lifecycle Management in the Food and Beverage Industry. An Oracle White Paper Updated February 2008

Effective Model Risk Management for Financial Institutions: The Six Critical Components

Mergers and Acquisitions Operational Synergies Perspectives on the Winning Approach

Finance Division. Strategic Plan

Customer Service Analytics: A New Strategy for Customer-centric Enterprises. A Verint Systems White Paper

Leveraging data analytics and continuous auditing processes for improved audit planning, effectiveness, and efficiency. kpmg.com

building a business case for governance, risk and compliance

Deloitte s Preconfigured SAP on HANA Service offering for Life Sciences

Managing the Shadow Cloud

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.

Achieving Control: The Four Critical Success Factors of Change Management. Technology Concepts & Business Considerations

Transcription:

Customer Practice Profile Pulling it all together: Integrated Solutions for Governance, Risk and Compliance The business case for a new enterprise approach to GRC

Integrated solutions for Governance, Risk and Compliance Today, certain member firms of Deloitte Touche Tohmatsu ( Deloitte member firms ) see an increasing focus on the important role of information technology to enable corporate governance, risk management and compliance (GRC). However, we believe that the full capabilities of technology have not yet been leveraged to enable effective GRC, and that existing technology is not well aligned with current and potential challenges. That s why Deloitte member firms and SAP are working together to bring insight, experience, products and services that can help to enhance effectiveness and efficiency through the strategic adoption of IT for GRC. We are working together to deliver comprehensive products and services for GRC, to assist organizations protect and enhance value. Organizations of all types are under intensifying pressure to govern themselves more effectively, achieve high levels of performance, comply with regulatory requirements, and manage diverse risks all of which add up to executives and board members being held more accountable. These converging factors have created an urgent imperative to improve and integrate GRC into core business processes and decision-making. While the concepts of governance, risk and compliance are often spoken of in the same breath, Deloitte member firms have found that the connections among them and how they relate to performance management are rarely leveraged efficiently and effectively: governance is too often seen as separate from mainstream business processes and information flows; risk management is too often based on siloed assessments and disconnected efforts within individual business units or functional areas; compliance too often translates into a labyrinth of oneoff approaches with redundant, manual controls and duplicative reporting on top of core business activities and decision-making. And, while performance management often receives focused attention, we have found that it is too often seen as completely unrelated to GRC. Deloitte member firms believe that the current, fragmented approach to various facets of GRC is error prone, time-consuming, risky and costly. And perhaps most alarming, decision-makers often don t know what they don t know. Due to gaps and redundancies across regulatory requirements, they frequently do not have the information they need to determine if they are in compliance or not. Similar blind spots may occur in pursuit of a new strategy that creates new performance risks or takes the organization out of compliance risks that should be addressed and managed through an integrated approach that incorporates governance, risk, and compliance objectives, combined with effective performance management. Deloitte member firms and SAP believe that the way to meet the imperative for more effective and less costly GRC is for companies to use a comprehensive approach one that integrates GRC into strategic and operational processes and decision-making. In this way, companies can leverage common information, processes and systems to help them integrate governance, risk, and compliance with performance management so they no longer take divergent and inefficient evolutionary paths. Today, we are working together to develop and deliver comprehensive products and services to this vexing issue. Copyright 2007 Deloitte Development LLC. All rights reserved.

Compliance week illustrated series: Building the business case Current State In some organizations, the current state of governance, risk and compliance processes is disorganized, unnecessarily complex and fragmented. Adapted from the GRC Illustration that appeared in Compliance Week, sponsored by Deloitte Consulting, SAP and OCEG Compliance week illustrated series: Building the business case Future State As with any enterprise process, we believe it is possible to realize a future state.organizations that accomplish this can Copyright 2007 Deloitte Development LLC. All rights reserved. 2

Why integrated GRC makes sense GRC is an enterprise issue that we believe should be important to the highest levels of the organization. It is not just the realm of the finance department or of compliance and risk management groups, if they exist. GRC has multiple stakeholders throughout the organization, ranging all the way from the Board of Directors to the front-line workforce. However, within most organizations today, we have found that GRC metrics and activities are designed, developed, and implemented in a fragmented manner with little understanding about how GRC impactsthe management and execution of core business processes. An integrated approach to GRC can offer companies a framework for improving the quality of information necessary for performance, compliance, and associated risk management making it available to stakeholders throughout the organization in a timely and relevant fashion. Comprehensive GRC can offer companies several advantages: It can help them to overcome the inertia of functional, process and technology silos; it can help them to focus on anticipating issues rather than reacting to them; and, it can enable improved recognition, understanding and prioritization of risks which is critical to more effective decision-making and performance management. We believe that these advantages can translate into several bottom-line benefits: Integrated risk management. Improved information sharing, increased process alignment, and the effective use of technology can reduce the chances of important risks falling through the cracks, while higher-quality information can provide a more solid basis for risk-based planning scenarios, more effective decisions, and more executable strategies. Lower costs. Increased communication and collaboration can mean less duplication of effort and resources, both human and technological. IT systems can be set up to allow key information to be centrally stored and used to address a variety of needs, reducing, and possibly eliminating, the need for the same information to be entered multiple times by multiple people which increases the chance of error. Process and control automation can also reduce costs by decreasing the need for employees to perform these activities. Improved business performance. Enhanced risk management, lower costs, and higher-quality information can all translate into improved business performance. Reduced costs can help drive increased profitability and give companies more resources to invest in long-term objectives, while more effective information can give executives and Boards improved confidence in their strategic decisions. Overcome fragmentation, gain transparency with a comprehensive integrated approach Board, Audit Committees Evidence for decisions & directives Executives & Managers Increased Confidence in Business Results Compliance / Risk Office Integrated Risk Analysis IT Operations Secure IT Infrastructure Procurement Anti-Terrorist Trade Practices Finance Global Financial Reporting Compliance Human Resources Environmental Health & Safety Compliance Sales, Service Balanced Credit Profile Copyright 2007 Deloitte Development LLC. All rights reserved.

An integrated approach is linked to improved decisions and more effective business performance Why IT is necessary for GRC IT should play a central role in GRC because the data needed to support it most often resides in the IT systems. The challenge lies in architecting and implementing the systems so they can convert this data into useful information that helps decision-makers make informed decisions based on insight as opposed to what most are doing now: Making educated guesses about what is happening within their organizations. 1 Our research suggests that the challenge of converting data into useful information is pervasive. IQ Matters, a Deloitte Consulting LLP (Deloitte Consulting) sponsored survey conducted by CFO Research Services in 2005 issued a broad challenge regarding the state of information quality in today s organizations, and pointed to disparate, non-integrated systems and processes as the root cause. Fewer than half of senior IT and finance executives surveyed believe they have achieved their information quality objectives, and 61 percent believe they need to do a more effective job of simply generating financial information that accurately reflects the performance of their organizations. Another survey, conducted by Deloitte Consulting in cooperation with the Economist Intelligence Unit, also uncovered corporate frustrations with information quality and management. Entitled In the Dark: What the Board and Executives Don t Know About the Health of Their Businesses, this survey of nearly 250 executives and Board members of large organizations around the world revealed that only a slight majority of respondents (65 percent) said that information provided to the Board was excellent or good with respect to the quality of the company s governance and management processes. 2 The two information categories of highest quality were financial results (92 percent, although only 59 percent of respondents said it was excellent ) and operational performance (58 percent, although only 21 percent said it was excellent ). Based on these findings and others, GRC is likely to drive new IT priorities and projects for years to come. IT is critical to GRC because can be the enabler of high-quality information that the Board needs for good governance and that senior management needs to effectively manage the balancing of performance, risk, and compliance. But many companies have found that their IT platforms 1 IQ Matters: Senior Finance and IT Executives Seek to Boost Information Quality, A survey report prepared by CFO Research Services in collaboration with Deloitte Consulting LLP, November 2005. 2 In the Dark: What Boards and Executives Don t Know About the Health of Their Businesses, IT Needs a Helping Hand, a survey conducted by Deloitte Consulting LLP in cooperation with the Economist Intelligence Unit, 2004. Copyright 2007 Deloitte Development LLC. All rights reserved.

are simply incapable of meeting their informational objectives. This situation is often due to gaps in existing IT architectures or to a maze of point solutions that create barriers to extracting enterprise information. While there is a wide-spread recognition that technology must become an enabler of more effective governance, enterprise risk management and efficient compliance, determining how to take an integrated approach to GRC and deciding how to more effectively leverage technology to enable an enterprise GRC program can seem like an overwhelming task. Automating and standardizing processes and controls, establishing common systems and platforms, and establishing strong governance around the people elements of information management are all critical components and are all good places to begin. But we believe that it s neither necessary nor feasible to do everything at once: the important thing is to get started somewhere. To support you in taking the first steps toward integrated GRC, Deloitte member firms and SAP can help you with: Defining the path forward Determining the most effective place to start Formulating a plan and establishing priorities Increasing the use of existing assets and investments Implementing enterprise solutions products and services for GRC Why SAP and GRC Deloitte member firms believe achieving an effective, integrated approach to GRC depends heavily on leveraging a company s IT investment to its fullest. But when it comes to IT for GRC, there is no killer application. Solutions will need to be architected to leverage existing and new IT assets. Accordingly, an effective, comprehensive GRC solution requires an integrated enterprise platform that can provide many entry points and growth paths into a comprehensive GRC solution. SAP can provide the enterprise platform, including an architecture for an integrated approach to GRC. Deloitte member firms can provide comprehensive consulting services that can help a company in their efforts to integrate the management of performance, risk and compliance at their corporate, business-unit and businessprocess-management levels. The SAP GRC roadmap outlined below provides a framework for the delivery of integrated products and services for Risk Management, Process Control, Access Control, and Industry-specific Regulatory Compliance. Deloitte member firms have found that when organizations consider comprehensive GRC, they are often thinking about reducing costs and managing risks more effectively. That s why cobbling together a series of solutions that may further complicate the IT environment is not an efficient long-term answer to achieving effective and sustainable GRC. Improving the existing IT platform and filling in gaps with products and services that can support an enterprise vision for GRC can offer a much more direct and cost-effective means for an organization to align their IT assets to support proactive risk management and compliance in adherence with standards and policies. Strategic adoption of IT for GRC takes time, as the Integrated GRC Maturity Model below makes clear. Integrated framework Governance, Risk & Compliance Copyright 2007 Deloitte Development LLC. All rights reserved. 5

GRC maturity model 1 2 3 4 5 Unaware Businesses at this stage do not understand the interdependencies of governance, risk and compliance and few if any IT resources are allocated to GRC. Fragmented Businesses at this stage see some of the interdependencies between governance, risk and compliance, but do not provide a common platform for GRC. Integrated Businesses at this stage see the need to integrate GRC systems to provide better information and results. A common GRC platform and approach is in place. Aligned Businesses at this level align and leverage the GRC platform to realize not only GRC benefits, but also general business such as growth, profitability and asset utilization. Optimized Businesses at this level use a common language and set of metrics to continuously improve the platform year over year. The path to comprehensive GRC Deoitte member firms have found that the risk of poor business performance, the spiraling cost of compliance, and the inability to know about problems in time to do something about them are all common pain points associated with incomplete or ineffective GRC information and activities. Due to increasing regulatory pressures and shareholder expectations, companies today cannot allow these chronic conditions to persist. Based on our research, the current approach to GRC is marked by two sets of problems: highly fragmented business processes and systems that compound the cost of managing risk and compliance; and difficulties in identifying and mapping a phased approach to comprehensive GRC. As a fully integrated, multi-disciplinary professional services firm, we can help organizations in their efforts to overcome both of these common hurdles. We do this by drawing upon the full breadth and resources of the Deloitte member firms to offer an enterprisewide multidisciplinary approach to GRC. We have access to capabilities that span strategy, operations, risk management, tax, compliance, human capital, SAP enterprise implementations, and technology integration all supported by industry specialists. Our objective is to help you in your efforts to develop integrated GRC programs that can help reduce risks, costs and complexity while increasing executive, Board and stakeholder confidence. Deloitte member firms can start by helping you develop a comprehensive GRC vision and roadmap that: Provides a vision for how GRC integrates into your core business processes Identifies where risk and compliance management procedures can be automated Assesses the capabilities of your current enterprise systems and identifies how they can be better utilized Analyzes gaps in your current enterprise systems and suggests possible solutions and architectural frameworks for filling them Presents ways to establish strong, ongoing GRC practices that are seen and managed as an integral part of the company s day-to-day activities Identifies areas where technology can enable truly proactive risk management Suggests how you can enhance the security and integrity of critical systems and information Addresses how you can more easily produce, manage and improve the quality of GRC information. Copyright 2007 Deloitte Development LLC. All rights reserved. 6

A unique GRC alliance SAP delivers an enterprise-wide GRC vision and solution path SAP delivers enterprise class solutions integrating the management of performance, risk, and compliance at the corporate, BU, and business process levels SAP delivers control monitoring designed into integrated solutions for Access Controls, Process Controls, Risk Management, and Regulatory Compliance SAP delivers the multitude of entry points and growth paths into a holistic GRC solution Only Deloitte member firms have the full set of competencies to realize the GRC vision Only Deloitte member firms have the cross-functional know-how and industry experience to realize the GRC vision Take Control Deloitte member firms and SAP are ready to work together to help you in your efforts to take control of your GRC issues via an enterprise approach that protects and enhances value. We are assisting many organizations today to help them balance the needs of multiple stakeholders, design and implement the integration of GRC into core business processes, and to leverage enterprise solutions to make these processes more efficient and effective. To learn more about our products and services for GRC and how we can help you establish proactive, integrated GRC at your organization, please contact: GLOBAL & US CANADA EUROPE ASIA-PACIFIC Lee Dittmar Lead, GRC Consulting Deloitte Consulting LLP +215-446-3692 ldittmar@deloitte.com Bob Hansen Global Leader Control Assurance Deloitte & Touche LLP +203-708-4256 bohansen@deloitte.com Vince Siemens GRC Consulting +514-393-7869 vsiemens@deloite.ca John Heaton Enterprise Risk Services +416-643-8225 jheaton@deloitte.ca Chris Norman Partner, Consulting & Risk Services.+33-1-55-61-47-72 cnorman@deloitte.fr Walter Vanherle GRC Consulting +32-2-749-59-26 wvanherle@deloitte.com Uantchern Loh Enterprise Risk Services +65 6216 3282 uloh@deloitte.com JAPAN Bruce Daly Executive Officer +81-3-4218-7284 brdaly@deloitte.com Jeoung Oh Consulting and Enterprise Risk Services +415-783-4558 jeoh@deloitte.com This publication contains general information only and Deloitte Consulting LLP is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte Consulting LLP, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication. Copyright 2007 Deloitte Development LLC. All rights reserved. 7

About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 140 countries. With access to the deep intellectual capital of approximately 135,000 people worldwide, Deloitte delivers services in four professional areas, audit, tax, consulting and financial advisory services, and serves more than 80 percent of the world s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu or other related names. Copyright 2007 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information