GRC - Isaca Training 16.9.2014

1
Governance, Risk & Compliance -GRC
(Integrated Approach)
16th September 2014
Paul M Simidi

 Introduction
 GRC component framework
 GRC Current status
 iGRC & goals
 iGRC Models
 iGRC & Technology
 Overall iGRC benefits
 Organization experiences
Overview

Governance
…….setting business strategy & objectives,
determining risks appetite, establishing
culture and values, developing policies
and monitoring performance……
Introduction

Risk Management
…….identifying and assessing risks that
may affect ability to achieve business
objectives, applying risks management to
obtain competitive advantage, and
determine response strategies and control
activities……
Introduction….cont

Compliance
…..Operating in accordance with
objectives and ensuring adherence with
laws and regulations, internal policies &
procedures and stakeholder
commitments…..
Introduction…cont

• Control Objectives for Information and Related
Technology - CoBIT Framework provides guidance for
executive management to govern IT within the enterprise.
It is an IT governance framework that bridges the gap
between control requirements, technical issues and
business risks
• Sarbanes–Oxley Act of 2002 - An Act to protect
investors by improving the accuracy and reliability of
corporate disclosures made pursuant to the securities laws,
and for other purposes
Governance - Examples

• Information Technology Infrastructure Library -
ITIL is the most widely adopted approach for IT
Service Management in the world. It is a practical
framework for identifying, planning, delivering and
supporting IT services to the business.
Governance - Examples

 The Committee of Sponsoring Organizations of the
Treadway Commission (COSO) - A framework dedicated
to providing thought leadership through the development of
frameworks and guidance on enterprise risk management,
internal control and fraud deterrence)
Risk Management - Examples

• ISO 31000 -Provides principles and generic guidelines
on principles and implementation of risk management.
Can be applied to any kind of organization, risk type and
is not specific to any industry or sector.
• ISO 31000:2009 is intended to be used by a wide range
of stakeholders including those responsible for
• Implementing risk management,
• those who need to manage risk for the organization
as a whole or within a specific area or activity;
• those needing to evaluate an organization's practices
in managing risk;
• and developers of standards
Risk Management - Examples

 Organizations Policies and Procedures
 IFRSs
 Legal & Regulatory Framework in Kenya
 Company’s Act
 Capital Markets Authority
 Nairobi Stock Exchange
 Communications Authority of Kenya
 Central Bank Regulations
 Public Procurement Act
 Occupational Safety and Health Administration
Act 2007 (OSHA)
 etc
Compliance - Examples

• Basel Standards i.e. I, II and III – An
international standard for Banking Regulators
developed by the Basel Committee on Banking
Supervision, to strengthen the regulation, supervision
and risk management of the banking sector.
• Total Quality Management (TQM)- Management
methods used to enhance quality and productivity in
business organizations
Compliance - Examples

Complexity
Lack of visibility
Duplication
InflexibilityVulnerability
Poor Integration
Increased regulations
Poor Performance
High Costs
Silos
Wasted Information
Frauds
Wasted Resources
GRC Current Status

• iGRC - synchronize information
and activity across governance,
risk management and compliance
in order to create efficiency,
effective information sharing and
reporting, reduce cost and
enhance performance.
ERM
ICT
iGRC Approach

 Large, forward-thinking organizations believe that
effective iGRC is a value driver and a source of
competitive advantage.
 Organizations that embrace effective iGRC are
realizing significant value in the areas of
reputation and brand, employee retention and
profitability.
iGRC Trends

 Significant improvements in the areas of accuracy,
decision-making quality, timeliness and reductions
in task redundancies as organization's move to an
integrated iGRC environment.
 Inclusion of iGRC in Corporate Performance
Management
 Increased Leverage on Technology
iGRC Trends

iGRC Goals
1. Awareness
• Changes in internal & external environment,
• Turn data into information that be analyzed.
• Share information
2.Alignment
• Support and inform business objectives
• Strategic consideration to GRC information

iGRC Goals
3. Responsiveness
• You cant react to something you
don’t sense
• Greater awareness and
understanding of info that drives
decisions and actions

iGRC Goals
4. Agile
• Decisions and actions that are quick,
coordinated and well thought out.
• Allow an entity to use risk to its
advantages, grasp strategic opportunities
and be confident in its ability to stay on
course

iGRC Goals
5. Resilient
• Ability to bounce back from changes in
the environment e.g. threats
• Confidence to rapidly adopt and respond
to opportunities
6.Learn
• Get rid of unnecessary duplication,
redundancies, misallocation of resources
within GRC capability

• Examples of iGRC - OCEG-iGRC
• iGRC - synchronize information
and activity across governance,
risk management and compliance
in order to create efficiency,
enable more effective information
sharing and reporting and avoid
wasteful overlaps
ERM
ICT
iGRC Models

iGRC – OCEG Model
ORGANIZE AND OVERSEE
O1 – Outcomes and Commitment
O2 – Roles and Responsibilities
O3 – Approach and Accountability
INFORM AND INTEGRATE
I1 – Information Management and
Documentation
I2 – Internal and External Communication
I3 – Technology and Infrastructure
ASSESS AND ALIGN
A1 – Risk Identification
A2 – Risk Analysis
A3 – Risk Optimization
PREVENT AND PROMOTE
P1 – Codes of Conduct
P2 – Policies
P3 – Preventive Process Controls
P4 – Awareness and Education
P5 – Human Capital Incentives
P6 – Human Capital Controls
P7 – Stakeholder Relations and
Requirements
P8 – Preventive Technology Controls
P9 – Preventive Physical Controls
P10 – Risk Financing/Insurance
DETECT AND DISCERN
D1 – Hotline and Notification
D2 – Inquiry and Survey
D3 – Detective Controls
MONITOR AND MEASURE
M1 – Context Monitoring
M2 – Performance Monitoring and Evaluation
M3 – Systemic Improvement
M4 – Assurance
CONTEXT AND CULTURE
C1 – External Business Context
C2 – Internal Business Context
C3 – Culture
C4 – Values and Objectives
RESPOND AND RESOLVE
R1 – Internal Review and Investigation
R2 – Third-Party Inquiries and Investigations
R3 – Crisis Response and Recovery
R4 – Remediation and Discipline

GRC & Technology Solutions -Examples
Solution Modules
1 SAP GRC Suit  Process Control
 Access Control
 Risk Management
 Fraud Management
 Audit Management
2 ACL GRC Packages Data Analytics
Compliance & Monitoring
Dashboards Reporting
3 MetricStream GRC
Platform
A Web-based platform built on J2EE
architecture with Governance, Risk,
Compliance and Quality programs.

Strategic Plan
 Charter
 Mission, vision statement
 Responsibilities
 Performance Measurement
 Organization chart
 Human capital
 Financial plan
 Technology plan
 Assurance plan
 Implementation plan

GRC – Universal Outcomes
 Achieve Business Objectives
 Enhanced organization culture towards GRC
 Increased stakeholder confidence
 Prevent, detect & reduce adversity
 Motivates, inspire desired conduct
 Improve responsiveness & efficiency
 Optimize economic & social value

Why is it working or not working in your
organization ?

END
Paul Simidi
Tel 0720-739-425
email – paulsimidi@yahoo.com

GRC - Isaca Training 16.9.2014

More Related Content

What's hot (20)

Similar to GRC - Isaca Training 16.9.2014 (20)

GRC - Isaca Training 16.9.2014