Transcript Slide 1
A Technology Blueprint for Governance, Risk Management and Compliance Carole Stern Switzer, Esq. President, OCEG [email protected] Driving Principled Performance® 3/12/2009 (c) OCEG Our PURPOSE OCEG is the only nonprofit that helps organizations drive Principled Performance® by enhancing corporate culture and improving governance, risk management, internal control and compliance (GRC) capabilities via: Community – – – Interdisciplinary, Cross-Industry Benchmarking and Research Education, Webinars and Events Content – – – Standards & Guidelines (technical, process, content) Repositories of Laws, Regulations and Related Standards Media, Research and other Resources Certification – – 3/12/2009 Entire Programs or Components of a Program Solutions, Products and Services (c) OCEG But what exactly is Principled ® Performance ? 3/12/2009 (c) OCEG The Bottom Line an organization must clearly define WHAT it will achieve and how it UNCERTAINTY, PROTECTING VALUE and staying within BOUNDARIES will create value while addressing Principle Performance® depends on defining what is “right” for your company and doing the “right” things the “right” way – to achieve these goals. 3/12/2009 (c) OCEG What is GRC 3/12/2009 (c) OCEG Integration “Principled Performance®” requires the integration of a number of enterprise processes, most notably Governance, Risk Management & Compliance 3/12/2009 (c) OCEG What is New? Increased global footprint, increased executive liability, increased volume and velocity of mandates, increased pressure from stakeholders and other drivers are forcing organizations to… Do Things Differently 3/12/2009 (c) OCEG Trend or Fad? Just a Fad? 3/12/2009 (c) OCEG Market Need Forrester Research Briefing “GRC Software Platform Revenues Will Rise To $1.3 Billion In 2011” … “We estimate that the market is currently $36 billion, and we expect it to grow to $50 billion over the next three years” AMR Research Briefing “2007 GRC spending will hit $29.9B, growing 8.5% from last year; companies now expect to spend an additional 3.6%, or $31B, in 2008.” 3/12/2009 Gartner Research Briefing “By 2009, the annual worldwide total software spending for GRC will be about $14 billion.” (c) OCEG Most Important “We should adopt a consistent approach or methodology for similar activities in governance, risk and compliance” 90% Agree or Strongly Agree Source: 2007 OCEG Benchmark Series: GRC Strategy Study 3/12/2009 (c) OCEG Adverse Impact of failure to be consistent Increased general operating expenses Increased cost of reconciling disparate information Reduced margins Source: 2007 OCEG Benchmark Series: GRC Strategy Study 3/12/2009 (c) OCEG Higher cost from suppliers Higher cost of capital Red Book 2.0 3/12/2009 (c) OCEG OCEG GRC Capability Model Content Domains provide topical or industry-specific information that integrates with and assumes that the a capability is in place GRC Content Domains Capability Model describes common elements of an effective program that integrates the principles of good corporate governance, risk management, compliance, ethics and internal control. GRC Capability Model (“Red Book 2.0”) Taxonomy & Technical Standards define key entities and systems that comprise a GRC “backbone” and interface standards so that these systems more easily and effectively integrate. GRC Taxonomy & Technical Standards 3/12/2009 (c) OCEG Component View of the OCEG GRC Capability Model 8 INTEGRATED COMPONENTS 8 UNIVERSAL OUTCOMES Achieve Business Objectives ORGANIZE & OVERSEE MONITOR & MEASURE RESPOND & RESOLVE INFORM & INTEGRATE Enhance Organizational Culture Increase Stakeholder Confidence ASSESS & ALIGN Prepare & Protect the Organization Prevent, Detect & Reduce Adversity PREVENT & PROMOTE Motivate & Inspire Desired Conduct DETECT & DISCERN Improve Responsiveness & Efficiency Optimize Economic & Social Value 3/12/2009 (c) OCEG Element View of the GRC Capability Model 3/12/2009 (c) OCEG Element Contents • • • • • • 3/12/2009 Principles Common Sources of Failure Practices Related Requirements Key Deliverables Technology Modules from the GRC-IT Blueprint (c) OCEG 3/12/2009 (c) OCEG High-Performing Program Effective Program Effectiveness Effectiveness is a term of art • Design Effectiveness • Operating Effectiveness We want to keep it that way! Performance The law does not demand anything beyond effectiveness – BUT shareholders (stakeholders) expect more! High-Performance O U T C O M E S ACTIVITIES EFFECTIVE EFFICIENT RESPONSIVE Principles and Needs • • • • • 3/12/2009 IT for GRC Principles Integration – it is unlikely a single application can enable all GRC activities. Create a “GRC Backbone” of integrated parts Simplification – Simplify the architecture and use common components to enable multiple risk areas Reuse – Leverage existing investments and only buy when you must Automation – For repetitive or complex tasks, but sometimes human judgment is required Information – Sharing information about performance, risks, controls, incidents and resolution is fundamental to GRC. The ability to analyze this information alongside business information is the essence of GRC. (c) OCEG • • • • • • • • • • • • • Common IT Needs for GRC: Legal and regulatory requirements management Policy and procedure management Communication management Organization and responsibility management Process and control libraries or frameworks Risk libraries Training and attestations Risk and impact assessments Audit and assurance activities Incident and action plan management Alignment with the business Visibility for process owners Visibility at the business unit and enterprise levels The GRC-IT Blueprint The Blueprint defines 72 GRC Technology Modules and organizes and maps them in several ways as follows: • Within Nine Technology Arenas – Assurance and Audit Management – Business Intelligence – Business Process Management – Corporate Governance – Enterprise Content Management – Enterprise Resource Management – Enterprise Risk Management – Human Resources Management – Security Management • To Each of the Elements of the GRC Capability Model • Within Three Technology Levels – Business Applications – GRC Core Applications – Infrastructure 3/12/2009 (c) OCEG Sample Element Page 3/12/2009 (c) OCEG Next Steps for OCEG • Release of final Red Book 2.0 – March 2009 • Release of final GRC-IT Blueprint – March 2009 • Release of GRC-IT Roadmap (a process guide for maturing use of IT for GRC with self-evaluation tools) – June 2009 • Development of GRC-XML – ongoing through OCEG Technology Council • Launch of broader GRC-IT Community in OCEG site – June 2009 3/12/2009 (c) OCEG A few key take aways • The use of technology for GRC is not an option, it is a necessity • Using the OCEG Red Book and GRC-IT Blueprint can help you benchmark against an independent standard and other companies • There are barriers beyond budget – people like their spreadsheets; data hoarding has perceived benefits • But don’t attempt to boil the ocean – look for small quick wins and build support for more 3/12/2009 (c) OCEG OCEG Resources • For more information and to access some key OCEG resources, go to: https://www.oceg.org/subscribe/FEI • 15 days demo subscription • Download OCEG Illustrations (from the GRC Illustrated Series) – IT ROADMAP FOR GRC – How Do We Integrate IT to Enable GRC? – HOW DO I ASSESS RISK? • Download from the OCEG Whitepaper Series “Critical Conversations” - CFO AT THE CENTER 3/12/2009 (c) OCEG