Governance, Risk and Compliance (GRC) in the Cloud: the right decision at the right time, in a complex and uncertain business world
9. Sicherheitstag der BSI Allianz für Cybersicherheit (9th Security Day of the BSI Alliance for Cyber Security)
Frank Dieter Heinzelmann, Senior Solution Specialist Risk Analytics, GRC DACH Lead, GRC Team Europe, IBM Analytics
Frankfurt, 16 June 2015
The environment in which we do business today is more complex than ever and pervaded by uncertainty.
Why GRC now?
- when a large financial institution failed to assess known risks on its derivatives in its models [1]
- cost of the average retail banking attack [2]
- since 2007 have been boundary events [3]
- credit and debit cards compromised in a retail cyber attack [4]
- as of Q1 2014, vs. 9 as of 2007 [5]
- Loss of trust: not quantifiable
- Cyber attack on the German Bundestag: an IT catastrophe [6]
Sources: [1] Protiviti Global Consulting, Model Governance and Effective Risk Management, 2012; [2] Ponemon study of Retail Banking, 2012; [3] IBM Algo FIRST Database; [4] IBM Algo FIRST Database; [5] IBM Algo FIRST Database; [6] FAZ.Net, 14 June 2015,
Fragmentation and its consequences
- Views of risk are not sustainable
- No shared understanding of risk across business areas, and
- No risk-based, holistic decisions
Figure: risk silos (data privacy risk, IT risk, strategic risk, compliance, model risk, operational risk, fraud risk) distributed across the CRO, CFO, CIO and CCO
It is essential to hold all risk and compliance data centrally in order to decide and act in an integrated way.
- Better insight through business intelligence
- Reduce likelihood of unexpected business events
- React quickly to risk and regulatory challenges
Risk management has developed into a strategic function that delivers a competitive advantage.
Principles of an enterprise-wide GRC function
- Integrate multiple areas of risk and compliance and provide connectivity to operational systems with a centralized framework for oversight, reporting, accountability and analytics
- Align risk and compliance across the enterprise to build an ecosystem of process, technology and content to drive performance and add value to the business
- Visualize the state of risk enterprise-wide with interactive dashboards, scalable reporting, centralized social collaboration, and visual and predictive analytics
- Adapt to regulatory change with a programmatic approach to managing regulatory requirements, regulator interaction and the end-to-end policy lifecycle
Modern GRC means integrated business intelligence, with integrated reporting, dashboards, workflow and security
- Operational Risk Management: identify, manage, monitor, and analyze operational risk across the enterprise in a single integrated solution
- IT Governance: manage internal IT controls and risk according to the business processes they support
- Policy and Compliance Management: consolidate the policy and compliance management process in a single solution and manage regulatory change and regulator interaction
- Financial Controls Management: provide transparency into the state of financial controls and assurance that compliance demands are being met
- Internal Audit Management: automate internal auditing procedures and provide independent assessment of risk and compliance performance
The same risk-based decision basis on every output device: efficient, flexible and available at any time.
Advantages of a leading-edge, flexible enterprise GRC solution with lower total cost of ownership and fast time to deployment
- Flexible and configurable: quickly adopt pre-configured best practices based on IBM's domain expertise or adapt your risk management framework to meet your existing methodology. Expand to meet changing requirements while minimizing the impact on your business operations. Allow individual teams to handle risk domains as they need to, then normalize that data for an enterprise view, giving you the opportunity to scale into an enterprise-wide approach to GRC.
- Lower total cost of ownership: a modular framework and unique configuration capabilities allow companies to leverage existing investments in risk and compliance while building a fully integrated GRC system that derives meaning and context from risk data, all without the need for custom code.
- Fast time to deployment: a patented metadata-driven application framework provides unparalleled configuration to support rapid implementation in a fraction of the time compared with custom development approaches. It also embeds out-of-the-box capabilities based on industry best practices and IBM domain expertise.
GRC Maturity Model: where does your GRC program stand?
(Axis: from departmental initiatives to enterprise GRC)
- Unaware: businesses at this stage do not understand the interdependencies of governance, risk and compliance, and few if any IT resources are allocated. No defined risk and compliance ownership; ad hoc and reactive assessments; document-centric approaches; ad hoc approach; little technology in place; no visibility, trending or analytics.
- Fragmented: some interdependencies are in place, but do not benefit from an integrated approach. Tactical, siloed approach to risk and compliance; no integration or sharing of risk and compliance information; reliance on fragmented technology and lots of documents; measurement and trending is difficult.
- Integrated: individual business areas at this stage see the need for an integrated approach to GRC within their area. Strategic approach within a department; mature processes at a department level; integrated information architecture; good reporting and trending at a department level.
- Aligned: aligning and leveraging GRC to realize business benefits across departments on an integrated level. Strategic approach to GRC across departments; silos eliminated; common process, technology and information architecture across departments; trending and reporting across departments.
- Optimized: using a common enterprise approach to GRC, integration of GRC and performance management. GRC is integrated throughout the business; GRC expectations are part of annual strategic planning; extensive measurement and monitoring of risk and compliance in the context of business.
Source: GRC Maturity: From Disorganized to Integrated Risk and Performance, Corporate Integrity, 03/12
An integrated approach leads to a shared understanding of risk across business areas, helps with regulatory challenges and supports business performance
- At the operational level: streamlined operational processes and common risk technology platforms enable business governance, policy compliance and risk management across lines of business
- At the strategic level: comprehensive views with dashboards, innovative data visualization and advanced analytics enable senior management to make business planning decisions with risk intelligence
- At the point of impact: real-time, risk-aware decision making improves business performance, drives profitability and becomes a source of competitive advantage
Relationships visualized (figure)
Advantages of an integrated GRC solution
- Flexible: data model, workflows, forms and reports
- In context: capabilities across virtually all aspects of governance, risk and compliance (integrate, align, visualize, adapt)
- Integrated reporting as well as analytical functions and visualization
- Powerful: an ecosystem of relevant risk, compliance and business process components
Research and findings: what speaks for an integrated GRC approach?
GRC for Energy & Utilities
56% of Energy and Resources companies do not have a risk management tool in place to support the ERM process*
- Extend your current risk and compliance methodology with a best-of-breed solution
- Automate risk assessment, identification, reporting, monitoring and mitigation processes
- Integrate risk and compliance silos across Audit, Compliance, process management, EHS, performance, etc.
- Manage compliance and regulator interactions across environmental, safety, security and privacy, financial reporting, and more
- Adapt to new and emerging risk and compliance challenges
* Deloitte. Risk Intelligence in the Energy & Resources Industry: Enterprise Risk Management Benchmark Survey. 2014. http://www2.deloitte.com/content/dam/deloitte/global/documents/energy-and-resources/gx-er-erm-survey.pdf
GRC for Telecommunications
The Communications ecosystem is in transition and faces a rapidly changing global environment
- Extend your current risk and compliance methodology
- Automate risk assessment, identification, reporting, monitoring and mitigation processes
- Embed revenue assurance into enterprise-wide processes and culture
- Integrate risk and compliance silos across Audit, Compliance, process management, performance, etc.
- Manage compliance and regulator interactions across environmental, safety, security and privacy, financial reporting, and more
- Adapt to new and emerging risk and compliance challenges
Source: 2012 IBV CEO Study; Q1 "What are the most important external forces that will impact your organization over the next 3 to 5 years?" (Global n=1709) (Telecommunications n=74)
GRC in the Cloud: customer value and business benefits
Governance, Risk and Compliance (GRC) has market-transforming significance and increases customer value
- Empowers LOB executives and C-suite decision makers with direct business ownership of the solution
- Delivers pre-configured, best-of-breed applications on one integrated GRC platform (best practice)
- Flexible deployment options meet the wide variety of needs in the marketplace
- Builds business value with increased efficiency and cost savings (better time to value)
Designed for business. Built for speed.
Governance, Risk and Compliance Management on Cloud: close to the business, agile, cost-efficient and rapidly deployed
Business benefits
- Direct ownership in the business facilitates standardization and simplification end-to-end in processes/workflows, data structures and reports, as well as the introduction of new functions
- Higher agility in the face of regulatory changes, new forms of risk and changes in methodology
Operational view
- Cost reduction: managed services increase flexibility and lower the cost of ownership
- Rapid deployment based on industry best practices (business/technology)
- More effective innovation and adoption of technological change
Governance, Risk and Compliance Management on Cloud: built for rapid deployment
Questions?
Frank Dieter Heinzelmann, Senior Solution Specialist Governance Risk and Compliance, GRC Lead DACH, GRC Team Europe, IBM Switzerland Ltd., Vulkanstr. 106, 8048 Zurich, +41 79 746 62 97, frank.heinzelmann@ch.ibm.com
Thomas E. Herbott, Client Executive, IBM Deutschland GmbH, +49 171 33 43 728, herbott@de.ibm.com