PERFORM WITH INTEGRITY ™
Federal Home Loan Bank of Chicago – Maturing GRC
Ian Hardison-Sanchez, Governance Risk & Compliance Program Manager
© 2019 GRC Summit All Rights Reserved. PERFORM WITH INTEGRITY ™
Agenda – Maturing GRC
• The Federal Home Loan Bank System
• Federal Home Loan Bank Chicago Overview
• GRC Program – Genesis and Challenges
• Escalating Regulatory Expectations
• Objective > Goals > Framework & Methodology
• Solution Components
• What Builds Our Integrated Risk and Controls Environment
• Integrated Risk and Control Management Infrastructure
• Challenges
• Accomplishments and the Road Ahead
• Lessons Learned
The Federal Home Loan Bank System
FHLB Overview
June 5, 2019
• Each FHLB is an SEC-registered, privately managed cooperative owned by members* in its district
• Each FHLB is governed by a separate board of directors, but regulated by a single regulator, the Federal Housing Finance Agency
• The 11 Home Loan Banks comprising the FHLB System provide liquidity and funding solutions to nearly 7,500 members
• FHLBs are significant contributors to affordable housing and economic development initiatives across the nation
• As a Government Sponsored Enterprise, the FHLB system has good access to capital markets, which provides competitively priced funding
• FHLB Chicago includes IL and WI
*Members include banks, thrifts, credit unions and insurance companies
Our mission is to partner with our member shareholders to provide them competitively priced funding, a reasonable return on their investment, and support for community investment activities.
FHLBC Overview
Federal Home Loan Bank of Chicago • Member owned. Member focused
FHLBC is a cooperative that partners with our member shareholders to provide products and solutions that support their business growth
• $70 billion wholesale bank
• Over 740 members in Illinois and Wisconsin
• Our members are our shareholders
Value Proposition:
• Low-cost funding and liquidity
• Secondary mortgage market products
• Grant programs to support community investment
Genesis and Challenges
Integrated Risk & Control Re-engineering
Supervision
- Increased supervision
- Increased pressure on regulators and auditors
- Need for better documentation and framework
Overhead
- Cost of infrastructure
- Multiple risk oversight organizations
- Multiple impacts on business leaders
- Large number of people
Regulation
- Increased regulatory burden
- Hard to focus on 'Risk' rather than on 'Compliance'
Business Change
- New business activities
- SEC registration
- Flexibility to incorporate business changes
- Changing external risks
Escalating Regulatory Expectations
Increased market complexity and performance needs necessitate further advancement in risk management
• Banks will have to demonstrate not just technical compliance, but also that their boards are capable of effectively challenging management decisions
• These regulations have increased both director responsibility and potential liability
• Elevated responsibility may have some unintended consequences:
• 80 percent of financial sector nonexecutive directors surveyed1 said the risk committee is the most challenging.
• Three possible explanations: broad range of responsibilities, forward-looking nature of the job, and technical nature of regulatory compliance2
Regulatory drivers shown on the slide:
• United States: Federal Reserve Enhanced Prudential Standards; OCC Heightened Standards; CCAR (greater focus on internal controls)
• International: CRD IV; BCBS Principles on bank corporate governance
1,2 Sir Howard Davies, “Audit is no longer the chore the board dreads most,” Financial Times, July 28, 2014
Objective > Goals > Framework & Methodology
• Implement a coordinated, efficient and effective framework for risk & compliance management across the enterprise
• Improve risk management practices across the organization
• Provide greater transparency and consistency to the risk and governance process across the organization, but particularly to managers, executives and the Board
• Move the organizational culture from a solely compliance-focused organization to an integrated 'Risk Management' culture
• Evangelize a philosophy of ownership and accountability for risk and control to line management
• Provide a cost-effective infrastructure that integrates the governance framework of the organization
Solution Components: Program Implementation
STRATEGIC
• Developed a collaborative relationship between all stakeholders
• Developed strong executive management support for a best-in-class Risk & Control framework
Program steps:
• Identified key stakeholders
• Identified core objectives
• Evaluated alternative approaches (OCEG, COBIT, COSO etc.)
• Developed vision for the framework
• Prioritized and set up multiple paths and a maturity model
• Envisaged a multi-year initiative based on continuous refinement and priorities
• Develop conceptual framework
• Implement individual domains based on business priorities
• Implemented an enterprise issue management program
• Implemented consistent reporting
• Enhanced integration into the business process (outside of the compliance & governance organization)
TACTICAL
• Eliminate EUC as a data repository and principal reporting mechanism
• Deliver transparency at enterprise level and detailed level of the status of risk / control / compliance
• Provide a robust infrastructure for governance and management of the overall GRC environment
Stakeholders shown on the slide: Finance, Risk, Compliance, Audit, External Audit, Operations; CEO, CFO, CCO, CRO, CAE, COO, Executive Management Groups
Core Technology Elements: MetricStream Enterprise GRC Platform; Process, People, Technology
What builds up our INTEGRATED risk & control environment
Regulatory Compliance
• Compliance program
• New regulations
• Financial Controls (SOx)
• Prudential Standards
Operational Integrity
• Management Risk Assessments
• Fraud Reporting
• Event Reporting
• Technology incidents
• Risk/Control Change Requests
• Business Resumption/Continuity
Independent Reports
• Independent Security Officer Reviews
• Model Validations
• End User Computing
• Internal/External Audits
• FHFA Examinations
Internal Audit Department 6/5/2019
Changing Roles in the 3 Lines of Defense
First Line • WHERE THE ACTION IS
• Risk Assessment
• Testing controls
• Self Log Identified Issues
• Develop Remediation Plans
• Policy Attestation
• Incident Cases
• BCM - EMNS
• Whistleblowing
• Compliance, e.g. background checks
Second Line • WHERE THE PROGRAM IS MANAGED
• Program Plan and Budget
• Governance
• GRC Libraries
• GRC Integration (Vul, CMDB)
• Risk, Audit & Compliance Schedule
• Evidence Review
• Policy and Procedures
• Building and SOPs
• Training Programs
• Executive/BoD Reporting
Third Line • WHERE RESULTS ARE AUDITED AND ASSURED
• Reviews Controls Tests completed by First Line
• Reviews Risk Assessment
• Creates Findings for Action by the First Line
FHLBC Integrated Risks & Control Management Infrastructure
Our People (figure): Internal Audit Department; Business Managers; Business Units; Compliance; ORM/FIG; Management Committees (Credit, ALCo); Board & Committees (Audit, Risk, O&T); Executive Management (CFO/CRO/CEO); Regulators & Auditors; Vendors (SSAE16/SOC1)
Integrated Infrastructure (figure): Regulations; Frameworks (COBIT/COSO); Guidance; Policy & Procedure; Change Management; Incident Management; Segregation of Duties
Common Platform, Detailed Risks (figure): Market Controls; Credit Controls; Operational Controls; Technology Controls; Fraud Controls; Compliance Controls; Strategic Controls; General Ledger / Account Assertions; SOx
Solution: Creating a Single View into the Risk Organization
Defined Risk Geography (figure)
• Products & Business Activities: Lending; Mortgage Acquisition; Community Investment; Debt Issuance & Liquidity; Balance Sheet Mgmt. (Hedging)
• Enterprise Services & Risk Governance: Financial & Performance Reporting; Technology & Operations; Administration; Credit Risk Management; Market Risk Management; Operational Risk Management; Enterprise Strategy & Governance; Internal Audit
Common Platform: Improved Collaboration
Operational Risk
• Event assessments and loss statistics
• Control Changes
• Enterprise Risk Assessment
• New Products/Processes
• Changes in Market & Credit Risk Framework
Financial Reporting
• Key Control Changes
• Impact of Events and Control Deficiencies on Financial Reporting
• New Accounting Rules
• New Products/Processes
Internal Audit
• Uses Risk and Control information to design audit program
• Provides results of audit program to management to inform their risk assessment
• Provides feedback on proposed Control changes
• Evaluates and tracks significant issues and their resolution
External Audit / Regulator
• Best Practices
• Leverage Management and Internal Audit work
• Understand Enterprise Control Environment
• Directly access enterprise key control status
Compliance
• Provides information on New Regulations
• Evaluates impact of regulations
• Evaluates gaps identified in the control environment
Where are we going
Mature Process | Recently Implemented | In implementation / Planned
Issue Management | Model Validation | EUC Object
Certification / SOx | EUC Validation | Model Object
Internal Audit | Event tracking and reporting | Other control frameworks
Also on the slide: Continuous Monitoring; IT assets; Continuous Audit; Regulatory Reporting; Compliance Inventory; Business Continuity
Stakeholders growing • Requirements expanding • Use cases expanding • Data conflicts growing
Challenges - Data
We have cross-referenced multiple data sources:
• How do we update?
• Who maintains relationships?
• What is the definitive source of data?
• Mostly standing / reference data
• Currently supporting three models:
– Primary record
– Primary records + external enhanced data
– Secondary records
• Who develops and supports reporting?
• Subject Matter Experts
Data sources shown on the slide: Process; Risks; Controls; etc.; Technology; Models; End User Computing; Vendors; Facilities; Regulatory Reporting; IT Inventory
Challenges – Stakeholders & Communication
GRC impacts multiple areas of the organization
• 25% of the organization uses the system monthly
• Business users have built their processes around the system
• Monthly Steering Group – 20 key stakeholders
• Smaller system stakeholder group
Principles and Discipline: Minimize customization • Maximize existing functionality • Leverage proven solutions
Challenges – Implementations
Involving new business users
• Devoting adequate resources to the task
• Integrating into the culture of shared resource
• Corporate GRC Philosophy
• Vendor management
• Regression testing - All units involved
• Multiple projects in parallel
• New interfaces
• Some Compromise!
Challenges – Support
GRC team (figure): System Administration; Project Management; Project Coordinator; Vendor Management; Subject Matter Expert
• Multiple reporting requirements
• Multiple macro & micro projects on-going at one time
• Vendor management
• Production
• Implementation teams
• Coordination of activities
• Consistency
• User provisioning automated
Accomplishments and the Road Ahead
Savings from human capital costs (chart): Technology Risk 66.7%; Operational Risk 62.5%; Financial Risk 87.5%; Internal Audit 28.5%; Total 54.5%
Realized Benefits
• Created consistent risk evaluation
• Implemented common definitions and standard frameworks
• Delivered critical independent but comparable risk reporting
• Eliminated end user computing based processes
• Delivered risk assessment, issue tracking and control interface to all employees
• Provided a long term 'Risk' organization to baseline risk and control metrics and track performance
• Reduced resolution time for critical risk and compliance related issues
• Reduced the number of open risk and compliance issues
• Reduced human capital cost for managing the audit, risk and compliance infrastructure
The Road Ahead
• Eliminate the majority of remaining end user computing in the operational aspects of control and risk evaluation
• Implement an evergreen risk assessment program
• Integrate continuous monitoring for a significant portion of key controls for operational risk, compliance and SOx
• Implement continuous audit practices
• Integrate with management core technology for continuous exception reporting
Lessons Learned Summary by Step (sample from mSIGs)
Best Practice Overview Steps
Step | Lessons Learned
1. Business Value and CSFs: Driving the Right Priorities
• If you don't show alignment to the strategic initiative and the context (e.g. app, shared information) without executive endorsement and pushing it, you may get push back from the silos
• Know the benefits and have executives reinforce the value (for example, GRC 101 or GRC Framework)
• Note that Maturity and Readiness (Step 2) reveals an opportunity for business value that Leadership is not aware of, so be flexible in your rollout plan
2. Maturity and Readiness: Sequencing for Value
• Be flexible: eagerness to get on the system does not translate into readiness! It takes more time to design and iterate when you are trying to deploy
• Be mindful of shared information from libraries; make sure it is actually 'capturable'. If you know where/when to go get it, the deployment will go more smoothly (example: normalization of controls)
• Make sure you sequence based on which processes are well defined; if they can't tell you what they do in a well-defined way (info on reports, approval process and contacts, for example), they aren't ready
• If you are 30% sure of the process, double the budget and timeline! There is an impact.
3. Rollout Scope: Prioritizing Use Cases with Lines of Defense
• Line 1 users will not get the full scope of benefits; reinforce the overall benefits for their management, leadership and the board. By getting the info right, everyone will appreciate more what you do (even if it takes more time at first before it becomes BAU)
• Get the 1st line and local perspective and terminology right. Football analogy: US vs UK, it's a different game!
4. Effective Rollout Plans: Leveraging Champions
• Beware that IT does not become 'the rollout champion'; the right people in the business need to really own this for UAT, training, change management needs, information taxonomy, etc.
• Make sure champions have the time allocated and don't get burnt out, and have them transfer their knowledge to a local person who will be the POC (region, LoB, etc.)
• Invite Champions to participate in Working Groups, for example Libraries Information Governance, Change Management, Future Enhancements
5. Organization Change Management: Being Proactive
• Champions and IT need to be well enough informed to assign the appropriate level of access to roles/people and the security user stories (increasingly important with GDPR and other Security/Cyber controls). Who in the organization is going to act as Administrator and Provisioner of new users? This is a new role and requires a handshake between the business and IT.
• Identify your governance process up front and adapt (or impose!) as you onboard each new stakeholder group
• Create awareness and understanding of process alignment, and of upstream and downstream impacts from potential changes: optimizing in one area can cause a negative impact downstream! Bring people together (who may not work together normally) to really understand this; there can be a multiplier effect +/-.
• Make sure you and your users know the internal SLAs and support structure. When there is a problem or ticket, user satisfaction is tied to the speed of resolution; don't let frustration set in. Don't let perception distort app effectiveness: bad news travels faster than good news.
6. Communications: Celebrating Successful Adoption
• Adoption: make sure you are tracking real usage, adoption and incidents. You don't have success unless your end users are using the system and know where to go when they have a question or a problem
• Reward the team! Toot your own horn! Make good news travel faster and wider!
• Really listen to what your users are saying. Use the Five Whys and learn to interpret complaints for the underlying root cause
7. Continuous Improvement: Agile Value Attainment
• Incremental improvements by tweak can have corresponding multiplier effects. "Horseshoe missing, hobbles the warhorse, loses the King's battle. For want of a nail we lost the kingdom."
• Schedule regular (at least quarterly) meetings and continue to conduct surveys/interact to see how it is working
• Measure the value attained and continue to make incremental improvements to increase value.
• Don't take criticism personally; they may be frustrated with the change, the process or the app, not you.
June 5, 2019
EXTRA SLIDES YOU MAY WANT TO USE
What Have We Achieved as Benefits?
GOALS: Effectiveness; Efficiency; Operational Excellence
JOURNEY: Risk-based audit planning and execution; Rationalized controls; Aligned process workflows; Qualitative and quantitative risk assessments
OUTCOMES: 54% human capital cost reduction; 58% reduction in issue resolution time; 50% reduction in cost of audit follow-ups; 7 apps (ORM, Internal Audit, Policy, Compliance, BCM); 300+ users; 400+ employees
FHLB Risk Management Environment (figure): People; Business Risks; Business Units; Controls; Support Units: operational risk management, FIG risk & control, compliance, internal audit
Components of our Environment (figure): Regulations; Financial Reporting; Control Environment; Regulatory Reporting; Operational Management; Business Process; Risks: market, credit, financial, operational, fraud, legal & regulatory, strategic
Role & Alignment of Risk Management Functions
Roles in the indicative hierarchy*: Board of Directors; Audit Committee; Chief Executive Officer; Chief Risk Officer; Chief Audit Executive; Chief Compliance Officer; Chief Information Officer; Chief Operating Officer; Chief Information Security Officer; Chief Financial Officer; Business Heads
Outcomes: Revenue Optimizing Risk Strategies; Risk Aware Decision Making; Visibility and Accountability into Risk Profile
Issues and Actions handled across the functions:
• Issues and Actions affecting financial statements, e.g. SOX
• Issues and Actions sub-optimizing processes and resources
• Issues and Actions related to business resilience, 3rd parties, infrastructure
• Issues and Actions related to losses, operations and creating opportunities
• Issues and Actions related to Regulatory and Corporate obligations
• Issues and Actions related to audits
• Issues and Actions related to internal digital and emerging threats
• Issues and Actions raised in the first line
* This is an indicative organizational hierarchy only. Actual organizational hierarchies and reporting structures will vary from business to business
GRC Program Roadmap and Rollout – Sample Slide (FY17, FY18, FY19)
PMO – GRC Program Governance, Management and Communications of Progress, Organizational Change
Program: GRC Program Plan; GRC Initiatives: Workstreams; Infolet Integrations: Data feeds; GRC Intelligence Content Feeds
Program Process & Technology (Phase 1): MetricStream Platform and GRC Foundation; Risk and Control Framework, Risk Reporting, Analytics and Governance; GRC Organization Hierarchy, Asset Integration
Rollout waves:
• GRC Readiness: Vendor risk Rollout (Wave 1, 2…)
• GRC Readiness: BCM Rollout (Wave 1, 2, 3)
• GRC Readiness: ERM Rollout (Wave 1, 2, 3…)
• GRC Readiness: Controls Testing Rollout (Wave 1, 2, 3…)
• GRC Readiness: Audit Rollout (Wave 1, 2, 3…)
• GRC Readiness: Policy Management Rollout (Wave 1, 2…)
Trends: Smart AUDITING of the Future
Agile auditing is designed to be flexible and iterative. This means that rather than rigid internal audit plans, there's a continually-updated backlog of audits and projects, prioritized based on risks and company needs, that can be undertaken once resources are available.
AI-powered audits enable proactive, intelligent, forward-looking assurance. By bringing together data, analytics and the human decision making process, it helps identify future risks and opportunities, which ensures better & deeper audit coverage, while increasing speed and efficiency.
Traditional Audits | Agile Audits
Rigid, single-phase planning | Iterative planning on an ongoing basis in "sprints"
Planning, fieldwork, review, and reporting stages may take up to eight weeks or more | Three phases are completed in shorter-timeframe sprints, every two to three weeks
Hierarchy of established roles | Flat, but empowered roles
Insights at the audit's end, after reporting and review | Audit's attention on the insights, risks, and opportunities
AI-Powered Audits
• Phase 1: Rules and Correlation based on Metrics; Natural Language Processing
• Phase 2: Machine Learning; Robotic Process Automation
• Phase 3: Predictive & Prescriptive Analytics
• Also shown: Autonomous AI
From Agile to AI – 3 Critical Foundational Processes - Summary
Today: Silo'd Risk Assessments; Traditional Audits; Basic Master Data and Information Taxonomies
Crawl: Risk Framework; Agile Auditing; KPIs and Metrics
Walk: Risk Analytics; Continuous Auditing and RPA; Analytics
Run: Integrated Risk and Compliance; Intelligent Audits; Artificial Intelligence
Issue Management Use Case Examples
Issue Management: Raise/Trigger Issues from
• Findings from Control Tests and Audits
• Regulatory Examinations
• Action Plans from Risk Assessments
• Policy Exceptions
• Access Control Exceptions
• Complaints
• Security Threats or Vulnerabilities
Action Plan Creation and Collaboration
• Assign owner, action and due date
• Use workflow for approvals, notifications and escalations
• Use dashboards to reduce cycle time and increase visibility
Analytics and Insights
• Use metrics and correlation to see what issues are being raised, to help dig into root cause across common processes
• Use insights to correct processes and continuously improve
Issue Management for the First Line of Defense – an example
1. First line user logs the issue
2. First line management reviews the issue and sends it to the Second line Triage team
3. The Triage team adds details and links to GRC library information, and assigns the issue to the issue owner
4. The issue owner tracks the issue to closure
Issue Management Use Case Examples by Group
Who | What
CAE - Audit | Observation, Finding, Issue with Action Plan
CCO - Compliance | Regulatory Gap or Control Failure with Remediation Plan
CRO - Risk | Risk Unacceptable, with Treatment Plan
CIO - Business Resilience | Incident or Outage with Remediation Plan
CxO - Third Parties | 3rd Party Policy Acceptance or incident with Action Plan
CIO - IT Risk | IT Risk on apps, facilities, ITIL processes, with Remediation Plan
CCO - Policy | Policy Exception, with Plan and timeframe for exception
CCO - Complaints | Customer or internal Complaints, e.g. whistleblowing, with Response Plan
CCO - Ethics | Violation or Conflict with Response Plan
CISO - Security | Vulnerabilities in Infrastructure, with Remediation Plan
CISO - Cyber | Threat with Remediation Plan
CQO - Quality | Non-Conformance, with CAPA (Corrective Action, Preventive Action Plan)
Challenges in Controls Assessment and Testing
• Do I have evidence of my work? Do I understand what I need to collect, or do I just collect it all?
• Is my work organized to show consistent control test results regardless of the regulation? Rationalizing controls, reducing the number of tests
• Is my process efficient or costly? Biggest challenge: have we mapped controls to policies, risks and compliance requirements? Do we have orphan controls?
• Do I have proper coverage?
• What about re-testing controls that failed?
• Am I testing controls that are no longer relied upon?
• Do I have a process that enables the control owners to inform me of changes?
• GRC language vs. business language makes it difficult for the first line to complete forms
• Who is the owner of the common taxonomy? Should Audit be queried for the control and process library?
• Is the right person testing the controls? Do we understand our controls? Is the control really a control?
• Adding new responsibilities: are they ready/trained? Does everyone in the business need to interact, or is there a point person (LOD 1.5)? Are incentives aligned to promote this work as critical?
• Are we testing at the right time? Are we testing the right controls? Are we assessing controls or testing controls?
• Performing work where it happens and when the user thinks about it (mobile enabled). Performing work as needed vs. scheduled.
Control Testing Use Case Examples by Group
Who | What | Examples
CAE - Audit | Control Test sample during audit | Cyber controls gap
CFO - Finance | SOX Financial Controls | Approvals
CCO - Compliance | Regulatory Gap or Control Failure | Training not taken
CRO - Risk | Risk (Enterprise, Operational, …) | Loss Event
CIO - Business Resilience | Incident or Outage | No Failover of Data Center (hurricane)
CxO - Third Parties | 3rd Party Policy, Control, Certifications | SOC1 for a Cloud Service Provider
CIO - IT Risk | ITIL process for apps, facilities, services | Access Controls based on Identity
CCO - Policy | Policy and Procedure Review / Acceptance | Policy Exception
CCO - Ethics | Customer Complaints, e.g. whistleblowing | Customer Complaint
CCO - Ethics | Survey Results, Violation or Conflict | Conflict of Interest of Senior Executive
CISO - Security | Automated/Manual Controls | App Firewall or Network Vulnerability
CISO - Cyber | Digital Threat mitigation | Anomaly or Virus blocking apps
CQO - Quality | Quality Process controls | Non-Conformance, with CAPA Plan
Control Testing Use Case Examples
Compliance Assessments with Control Tests and Evidence
• Compliance to Laws and Regulations (GDPR, SOX, FISMA, HIPAA…)
• Compliance to Frameworks/Standards (COBIT, PCI, NIST…)
• Compliance to Business SLAs
• Compliance to Processes, Policies and Procedures
• Integration with IT/Security monitoring systems
• Mapping controls to Standards such as ISO 27k or NIST 800-53
• Mapping controls to Regulations such as SOX 404/302, HIPAA and PCI
• IT/Security Certifications such as SOC 1, 2 and 3 or ISO
• Financial Control Certifications such as SOX
Issue Management
• Dashboards reduce cycle time / increase visibility
• Findings from Control Assessments and Audits
• Assign owner, action and due date
• Action Plans from Control Testing results
• Policy Exceptions
• Access Control Exceptions
Example Measurements/Metrics
1. # Assessments/regions
2. # Failures by control
3. # Issues by control
4. % Testing complete by plan
5. # Controls by Area of Compliance
6. # Policy Exceptions
7. # Access Control Exceptions
8. # Action Plans completed
9. More…?
10. More…?
Controls across the enterprise, mapped to regs, frameworks, IT… and Issues…
Discussion: What are your top 10 Compliance Metrics?
Considerations for a Strong Compliance Controls program
PEOPLE
• Lack of governance results in business-developed controls, resulting in duplicates and orphans
• GRC language vs. business language makes it difficult for the first line to complete forms
• Personalization of the landing page for each line of defense: what they each need to see differs
• Emerging role of the 1.5 line of defense
• Does everyone in the business need to interact, or is there a point person?
• Performing work as needed vs. scheduled. Performing work where it happens and when the user thinks about it (mobile enabled)
PROGRAM
• Adding new responsibilities to the first line: are they ready/trained? Are incentives aligned to promote this work as critical?
• Do our deployments focus on the quick wins or expansive transformation?
• How can we drive end-user adoption? Gamification, visualizing outcomes
• Who is the owner of the common taxonomy? Should Audit be queried for the control and process library?
TECHNOLOGY
• User experience must be intuitive
• Capture data at the first point of entry
• No repetitive keystrokes
• Software design for ad hoc work (without 2LOD or 3LOD scheduling)
• Triggers driven by internal and external data
• Layering into 1LOD transaction systems
• Platform scalability and performance
• Mobility through native apps
Compliance Program Metrics and Reporting
Scope and Use of Measurements/Metrics
• What processes do you measure, e.g. Assessment, RCSA, IT Compliance, Loss Events, Issues…?
• What metrics must be tied explicitly to risk appetite and thresholds?
• Does each metric have associated thresholds (risk appetites, watch, limits, tolerances)?
Escalation
• What are your criteria for escalating metrics or issues to senior leaders, risk committees, or the BoD?
Reporting
• Who uses metrics, and what decisions need to be made based on these metrics?
• How do you use/report metrics with different audiences?
• What information is contained in your executive-level compliance metrics reports: dashboard, summary, detail, trends?
• What is the format for these reports: MetricStream, PowerPoint, Excel, dashboards created on BI/data visualization software?
Sustainability
• What 'meets min' mappings must be made to ensure these analytics are contextually relevant?
• What processes do you have around establishing and refreshing your thresholds?
Some Key Considerations - Prioritizing and Rationalizing with Risk, Policy, Issues…
Library relationships (figure): Requirement; related to AoC, Control, Risk, Org, Ques/Proc; applies to Asset / Asset Class, Process, Product
Discussion: What is your Compliance Metrics Program?
Sample Library Model – Compliance
Model dimensions (figure): Function; Objective; Primary Assessable Entities; Product
Library objects (figure): AoC; Control; Risk; Org; Asset Class; Asset; Standard; Ques/Proc; Reg Body; Survey / Checklist; Financial Account; Legal Entity; Process; Regulation / Area of Compliance Focus; Location; Requirement
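To make the library model above, and the control-testing metrics slide earlier (# failures by control, # issues by control, % testing complete by plan, # controls by Area of Compliance, and the "orphan controls" and "duplicates" questions), concrete, here is an added Python example. It is not code from the presentation, the bank or the MetricStream platform. It models Requirement, Control, TestResult and Issue records as plain dataclasses linked by id; the field names, ids, descriptions and test results are constructed assumptions, not the platform's schema or the bank's data. Beyond the slide's single "related to" diagram it also shows the checks a rationalization pass would run over such a library: controls with no requirement link (orphans), controls whose normalized description collides (duplicates), and requirements with no control (coverage gaps).

```python
# Added example: a toy compliance library with the checks and metrics the
# deck asks about. Field names and all records are constructed assumptions,
# not the MetricStream schema or the bank's data.
from collections import Counter, defaultdict
from dataclasses import dataclass, field

@dataclass
class Requirement:
    req_id: str
    aoc: str    # Area of Compliance, e.g. "SOX 404" or "NIST 800-53 AC-2"
    text: str

@dataclass
class Control:
    ctl_id: str
    description: str
    owner: str
    requirement_ids: list = field(default_factory=list)  # "related to" links

@dataclass
class TestResult:
    ctl_id: str
    plan: str   # test plan / period the test belongs to
    passed: bool

@dataclass
class Issue:
    issue_id: str
    ctl_id: str  # control the finding was raised against
    status: str  # "open" or "closed"

# Constructed sample library (hypothetical ids and descriptions)
REQUIREMENTS = [
    Requirement("R1", "SOX 404", "Journal entries above threshold are approved"),
    Requirement("R2", "SOX 404", "Access to the general ledger is reviewed quarterly"),
    Requirement("R3", "NIST 800-53 AC-2", "Accounts are provisioned and de-provisioned"),
    Requirement("R4", "NIST 800-53 AC-6", "Least privilege is enforced"),
]
CONTROLS = [
    Control("C1", "Manager approves journal entries > $10k", "Finance", ["R1"]),
    Control("C2", "Quarterly GL access review", "Finance", ["R2"]),
    Control("C3", "Quarterly  GL access review", "IT", ["R2"]),   # duplicate of C2
    Control("C4", "Joiner/mover/leaver workflow in IAM", "IT", ["R3"]),
    Control("C5", "Legacy reconciliation spreadsheet check", "Finance", []),  # orphan
]
TESTS = [
    TestResult("C1", "FY19-Q2", True), TestResult("C2", "FY19-Q2", False),
    TestResult("C3", "FY19-Q2", False), TestResult("C4", "FY19-Q2", True),
    TestResult("C5", "FY19-Q2", True),
]
PLANNED = {"FY19-Q2": ["C1", "C2", "C3", "C4", "C5", "C6"]}  # C6 scheduled, not yet tested
ISSUES = [Issue("I1", "C2", "open"), Issue("I2", "C3", "open"), Issue("I3", "C1", "closed")]

def orphan_controls(controls):
    """Controls mapped to no requirement: candidates to retire or re-map."""
    return sorted(c.ctl_id for c in controls if not c.requirement_ids)

def duplicate_controls(controls):
    """Groups of controls whose whitespace/case-normalized description is identical."""
    groups = defaultdict(list)
    for c in controls:
        groups[" ".join(c.description.lower().split())].append(c.ctl_id)
    return sorted(ids for ids in groups.values() if len(ids) > 1)

def uncovered_requirements(requirements, controls):
    """Requirements with no control mapped to them: a coverage gap."""
    covered = {r for c in controls for r in c.requirement_ids}
    return sorted(r.req_id for r in requirements if r.req_id not in covered)

def failures_by_control(tests):
    """# failures by control."""
    return dict(Counter(t.ctl_id for t in tests if not t.passed))

def open_issues_by_control(issues):
    """# open issues by control."""
    return dict(Counter(i.ctl_id for i in issues if i.status == "open"))

def pct_testing_complete(plan, planned, tests):
    """% testing complete by plan: scheduled controls with at least one recorded test."""
    tested = {t.ctl_id for t in tests if t.plan == plan}
    scheduled = planned[plan]
    return round(100.0 * sum(1 for c in scheduled if c in tested) / len(scheduled), 1)

def controls_by_aoc(requirements, controls):
    """# distinct controls per Area of Compliance, via requirement links."""
    aoc_of = {r.req_id: r.aoc for r in requirements}
    seen = defaultdict(set)
    for c in controls:
        for r in c.requirement_ids:
            seen[aoc_of[r]].add(c.ctl_id)
    return {aoc: len(ids) for aoc, ids in sorted(seen.items())}
```

Calling the functions on the sample library flags C5 as an orphan, C2/C3 as duplicates (the only difference is whitespace, which the normalization removes), R4 as uncovered, and reports testing 83.3% complete for FY19-Q2 because C6 was scheduled but never tested. The duplicate check is deliberately simple (exact match after normalization); a real rationalization pass would also compare owners, frequency and the requirements each control maps to.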
Thank You. Continue the conversation on #GRCSummit
http://www.facebook.com/metricstream
http://www.linkedin.com/metricstream
http://www.twitter.com/metricstream