Date posted: 09-Aug-2015
Overview
• Introduction
• GRC component framework
• GRC current status
• iGRC & goals
• iGRC models
• iGRC & technology
• Overall iGRC benefits
• Organization experiences
Introduction
• Governance: setting business strategy and objectives, determining risk appetite, establishing culture and values, developing policies and monitoring performance.
• Risk Management: identifying and assessing risks that may affect the ability to achieve business objectives, applying risk management to obtain competitive advantage, and determining response strategies and control activities.
• Compliance: operating in accordance with objectives and ensuring adherence to laws and regulations, internal policies and procedures, and stakeholder commitments.
Governance - Examples
• Control Objectives for Information and Related Technology (COBIT): a framework that provides guidance for executive management to govern IT within the enterprise. It is an IT governance framework that bridges the gap between control requirements, technical issues and business risks.
• Sarbanes–Oxley Act of 2002: an Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.
• Information Technology Infrastructure Library (ITIL): the most widely adopted approach for IT Service Management in the world. It is a practical framework for identifying, planning, delivering and supporting IT services to the business.
Risk Management - Examples
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO): a framework dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
• ISO 31000: provides principles and generic guidelines on the principles and implementation of risk management. It can be applied to any kind of organization and any risk type, and is not specific to any industry or sector.
• ISO 31000:2009 is intended to be used by a wide range of stakeholders, including those responsible for implementing risk management; those who need to manage risk for the organization as a whole or within a specific area or activity; those needing to evaluate an organization's practices in managing risk; and developers of standards.
Compliance - Examples
• Organizational policies and procedures
• IFRSs
• Legal and regulatory framework in Kenya: Companies Act, Capital Markets Authority, Nairobi Stock Exchange, Communications Authority of Kenya, Central Bank regulations, Public Procurement Act, Occupational Safety and Health Act 2007 (OSHA), etc.
• Basel Standards (Basel I, II and III): an international standard for banking regulators developed by the Basel Committee on Banking Supervision to strengthen the regulation, supervision and risk management of the banking sector.
• Total Quality Management (TQM): management methods used to enhance quality and productivity in business organizations.
GRC Current Status
• Complexity
• Lack of visibility
• Duplication
• Inflexibility
• Vulnerability
• Poor integration
• Increased regulations
• Poor performance
• High costs
• Silos
• Wasted information
• Frauds
• Wasted resources
iGRC Approach
• iGRC: synchronize information and activity across governance, risk management and compliance in order to create efficiency, effective information sharing and reporting, reduce cost and enhance performance.
[Diagram labels: ERM, ICT]
iGRC Trends
• Large, forward-thinking organizations believe that effective iGRC is a value driver and a source of competitive advantage.
• Organizations that embrace effective iGRC are realizing significant value in the areas of reputation and brand, employee retention and profitability.
• Significant improvements in the areas of accuracy, decision-making quality, timeliness and reductions in task redundancies as organizations move to an integrated iGRC environment.
• Inclusion of iGRC in corporate performance management.
• Increased leverage on technology.
iGRC Goals
1. Awareness
• Changes in the internal and external environment
• Turn data into information that can be analyzed
• Share information
2. Alignment
• Support and inform business objectives
• Strategic consideration of GRC information
3. Responsiveness
• You can't react to something you don't sense
• Greater awareness and understanding of the information that drives decisions and actions
4. Agile
• Decisions and actions that are quick, coordinated and well thought out
• Allow an entity to use risk to its advantage, grasp strategic opportunities and be confident in its ability to stay on course
5. Resilient
• Ability to bounce back from changes in the environment, e.g. threats
• Confidence to rapidly adopt and respond to opportunities
6. Learn
• Get rid of unnecessary duplication, redundancies and misallocation of resources within the GRC capability
iGRC Models
• Examples of iGRC: OCEG iGRC
• iGRC: synchronize information and activity across governance, risk management and compliance in order to create efficiency, enable more effective information sharing and reporting, and avoid wasteful overlaps.
[Diagram labels: ERM, ICT]
iGRC – OCEG Model
ORGANIZE AND OVERSEE
• O1 – Outcomes and Commitment
• O2 – Roles and Responsibilities
• O3 – Approach and Accountability
INFORM AND INTEGRATE
• I1 – Information Management and Documentation
• I2 – Internal and External Communication
• I3 – Technology and Infrastructure
ASSESS AND ALIGN
• A1 – Risk Identification
• A2 – Risk Analysis
• A3 – Risk Optimization
PREVENT AND PROMOTE
• P1 – Codes of Conduct
• P2 – Policies
• P3 – Preventive Process Controls
• P4 – Awareness and Education
• P5 – Human Capital Incentives
• P6 – Human Capital Controls
• P7 – Stakeholder Relations and Requirements
• P8 – Preventive Technology Controls
• P9 – Preventive Physical Controls
• P10 – Risk Financing/Insurance
DETECT AND DISCERN
• D1 – Hotline and Notification
• D2 – Inquiry and Survey
• D3 – Detective Controls
MONITOR AND MEASURE
• M1 – Context Monitoring
• M2 – Performance Monitoring and Evaluation
• M3 – Systemic Improvement
• M4 – Assurance
CONTEXT AND CULTURE
• C1 – External Business Context
• C2 – Internal Business Context
• C3 – Culture
• C4 – Values and Objectives
RESPOND AND RESOLVE
• R1 – Internal Review and Investigation
• R2 – Third-Party Inquiries and Investigations
• R3 – Crisis Response and Recovery
• R4 – Remediation and Discipline
GRC & Technology Solutions - Examples
1. SAP GRC Suite. Modules: Process Control, Access Control, Risk Management, Fraud Management, Audit Management.
2. ACL GRC Packages. Modules: Data Analytics, Compliance & Monitoring, Dashboards, Reporting.
3. MetricStream GRC Platform. A web-based platform built on J2EE architecture with Governance, Risk, Compliance and Quality programs.
Strategic Plan
• Charter
• Mission and vision statement
• Responsibilities
• Performance measurement
• Organization chart
• Human capital
• Financial plan
• Technology plan
• Assurance plan
• Implementation plan
GRC – Universal Outcomes
• Achieve business objectives
• Enhanced organization culture towards GRC
• Increased stakeholder confidence
• Prevent, detect and reduce adversity
• Motivate and inspire desired conduct
• Improve responsiveness and efficiency
• Optimize economic and social value