Transcript Slide 1
A Technology Blueprint for Governance,
Risk Management and Compliance
Carole Stern Switzer, Esq.
President, OCEG
[email protected]
Driving Principled Performance®
3/12/2009
(c) OCEG
Our PURPOSE
OCEG is the only nonprofit that helps organizations drive Principled Performance® by enhancing corporate culture and improving governance, risk management, internal control and compliance (GRC) capabilities via:
Community
– Interdisciplinary, Cross-Industry
– Benchmarking and Research
– Education, Webinars and Events
Content
– Standards & Guidelines (technical, process, content)
– Repositories of Laws, Regulations and Related Standards
– Media, Research and other Resources
Certification
– Entire Programs or Components of a Program
– Solutions, Products and Services
But what exactly is Principled Performance®?
The Bottom Line
An organization must clearly define WHAT it will achieve and how it will create value while addressing UNCERTAINTY, PROTECTING VALUE and staying within BOUNDARIES.
Principled Performance® depends on defining what is “right” for your company and doing the “right” things the “right” way – to achieve these goals.
What is GRC
Integration
“Principled Performance®” requires the integration of a number of enterprise processes, most notably Governance, Risk Management & Compliance.
What is New?
Increased global footprint, increased executive liability, increased volume and velocity of mandates, increased pressure from stakeholders and other drivers are forcing organizations to…
Do Things Differently
Trend or Fad?
Just a Fad?
Market Need
Forrester Research Briefing
“GRC Software Platform Revenues Will Rise To $1.3 Billion In 2011” … “We estimate that the market is currently $36 billion, and we expect it to grow to $50 billion over the next three years”
AMR Research Briefing
“2007 GRC spending will hit $29.9B, growing 8.5% from last year; companies now expect to spend an additional 3.6%, or $31B, in 2008.”
Gartner Research Briefing
“By 2009, the annual worldwide total software spending for GRC will be about $14 billion.”
Most Important
“We should adopt a consistent approach or methodology for similar activities in governance, risk and compliance”
90% Agree or Strongly Agree
Source: 2007 OCEG Benchmark Series: GRC Strategy Study
Adverse Impact of failure to be consistent
– Increased general operating expenses
– Increased cost of reconciling disparate information
– Reduced margins
– Higher cost from suppliers
– Higher cost of capital
Source: 2007 OCEG Benchmark Series: GRC Strategy Study
Red Book 2.0
OCEG GRC Capability Model
GRC Content Domains – Content Domains provide topical or industry-specific information that integrates with, and assumes that, a capability is in place.
GRC Capability Model (“Red Book 2.0”) – The Capability Model describes common elements of an effective program that integrates the principles of good corporate governance, risk management, compliance, ethics and internal control.
GRC Taxonomy & Technical Standards – Taxonomy & Technical Standards define key entities and systems that comprise a GRC “backbone” and interface standards so that these systems more easily and effectively integrate.
Component View of the OCEG GRC Capability Model
8 INTEGRATED COMPONENTS (seven appear in this transcript):
– ORGANIZE & OVERSEE
– ASSESS & ALIGN
– PREVENT & PROMOTE
– DETECT & DISCERN
– RESPOND & RESOLVE
– MONITOR & MEASURE
– INFORM & INTEGRATE
8 UNIVERSAL OUTCOMES:
– Achieve Business Objectives
– Enhance Organizational Culture
– Increase Stakeholder Confidence
– Prepare & Protect the Organization
– Prevent, Detect & Reduce Adversity
– Motivate & Inspire Desired Conduct
– Improve Responsiveness & Efficiency
– Optimize Economic & Social Value
Element View of the GRC Capability Model
Element Contents
• Principles
• Common Sources of Failure
• Practices
• Related Requirements
• Key Deliverables
• Technology Modules from the GRC-IT Blueprint
Effectiveness
Effectiveness is a term of art
• Design Effectiveness
• Operating Effectiveness
We want to keep it that way!
Performance
The law does not demand anything beyond effectiveness – BUT shareholders (stakeholders) expect more!
(Diagram labels: Effective Program; High-Performing Program; OUTCOMES; ACTIVITIES; EFFECTIVE, EFFICIENT, RESPONSIVE)
Principles and Needs
IT for GRC Principles
• Integration – it is unlikely a single application can enable all GRC activities. Create a “GRC Backbone” of integrated parts
• Simplification – Simplify the architecture and use common components to enable multiple risk areas
• Reuse – Leverage existing investments and only buy when you must
• Automation – For repetitive or complex tasks, but sometimes human judgment is required
• Information – Sharing information about performance, risks, controls, incidents and resolution is fundamental to GRC. The ability to analyze this information alongside business information is the essence of GRC.
Common IT Needs for GRC:
• Legal and regulatory requirements management
• Policy and procedure management
• Communication management
• Organization and responsibility management
• Process and control libraries or frameworks
• Risk libraries
• Training and attestations
• Risk and impact assessments
• Audit and assurance activities
• Incident and action plan management
• Alignment with the business
• Visibility for process owners
• Visibility at the business unit and enterprise levels
The GRC-IT Blueprint
The Blueprint defines 72 GRC Technology Modules and organizes and maps them in several ways as follows:
• Within Nine Technology Arenas
– Assurance and Audit Management
– Business Intelligence
– Business Process Management
– Corporate Governance
– Enterprise Content Management
– Enterprise Resource Management
– Enterprise Risk Management
– Human Resources Management
– Security Management
• To Each of the Elements of the GRC Capability Model
• Within Three Technology Levels
– Business Applications
– GRC Core Applications
– Infrastructure
Sample Element Page
Next Steps for OCEG
• Release of final Red Book 2.0 – March 2009
• Release of final GRC-IT Blueprint – March 2009
• Release of GRC-IT Roadmap (a process guide for maturing use of IT for GRC with self-evaluation tools) – June 2009
• Development of GRC-XML – ongoing through OCEG Technology Council
• Launch of broader GRC-IT Community in OCEG site – June 2009
A few key takeaways
• The use of technology for GRC is not an option, it is a necessity
• Using the OCEG Red Book and GRC-IT Blueprint can help you benchmark against an independent standard and other companies
• There are barriers beyond budget – people like their spreadsheets; data hoarding has perceived benefits
• But don’t attempt to boil the ocean – look for small quick wins and build support for more
OCEG Resources
• For more information and to access some key OCEG resources, go to: https://www.oceg.org/subscribe/FEI
• 15-day demo subscription
• Download OCEG Illustrations (from the GRC Illustrated Series)
– IT ROADMAP FOR GRC
– How Do We Integrate IT to Enable GRC?
– HOW DO I ASSESS RISK?
• Download from the OCEG Whitepaper Series “Critical Conversations” – CFO AT THE CENTER