OCEG GRC Fundamentals - Financial Executives
Competitive Advantage of
Principled Performance and GRC
The imperative for integrating governance, assurance and
management of performance, risk, and compliance
Scott L. Mitchell, OCEG Chair
[email protected]
http://www.twitter.com/mitchell360
http://www.linkedin.com/in/mitchell360
My Bias
› Audit / Finance
› IT / Systems Integration / Software
› Venture Capital / Angel Investing
› OCEG
25% / 25% / 50%
And…
› Cloud
› Big Data
› Analytics
What is OCEG?
OCEG is a non-profit think tank that helps organizations drive Principled Performance® by improving the governance, assurance and management of performance, risk and compliance via:
Framework & Standards
• Process standards (key concepts, components and terminology)
• Technical standards (key systems and integration points)
• Open Source
Capability Evaluation Criteria & Metrics
• Effectiveness & Performance Evaluation
• Tools for Assessing and Benchmarking
• Certification of Design and Operation
Education & Certification
• GRC Fundamentals
• GRC Professional Certification
Agenda
1. Understand the key concepts related to Principled Performance
2. Understand drivers for, and implications of, applying Principled Performance to your business
3. Understand how GRC is related to Principled Performance
4. 10 Takeaways
Context…
- increased STAKEHOLDER DEMANDS
- increased VOLUME, VELOCITY and COMPLEXITY (opportunities, threats, requirements)
- increased COSTS (opportunities, threats, requirements)
Past Few Years (chart: S&P 500 Performance)
- Massive Ethics and Integrity Risks Materialize (Integrity)
- Massive Interrelated and Systemic Risks Materialize (Uncertainty)
- don’t forget about PERFORMANCE
Takeaway #1
The past decade provided the perfect storm to drive change
- demanding stakeholders
- increased volume and complexity of risks
- high costs
+
- lousy economy
- visible failures
Big Picture
OBJECTIVES: strategic, operational, customer, process and other objectives
BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives
UNCERTAINTY: OPPORTUNITIES and OBSTACLES
MANDATORY BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.
VOLUNTARY BOUNDARY: boundary defined by management including organizational values, contractual obligations, voluntary policies and other promises.
Principled Performance
WHAT: reliable achievement of objectives
HOW: while addressing uncertainty and acting with integrity
Takeaway #2
What’s and How’s
Principled Performance
1 – achievement of objectives
2 – while addressing uncertainty
3 – and acting with integrity
4 – reliable
Principle #1: Reliable Achievement of Objectives
(1) achievement of objectives
Intentional: Objectives are stated and not accidental.
Measured: Performance is measured.
Visible: Performance is transparent to stakeholders.
Principle #2: Addressing Uncertainty
(2) while addressing uncertainty
Holistic: Uncertainty about the future includes both risk and reward.
Proactive: You must proactively manage the pursuit of reward mindful of the risk.
Rigorous: You can be wrong … but must be thoughtful and rigorous.
Principle #3: Acting with Integrity
(3) and acting with integrity
Mandatory: Honor mandatory promises compelled by stakeholders.
Voluntary: Honor voluntary promises made to stakeholders.
Realistic: Clean up the mess if a promise is broken.
Principle #4: Reliable
(4) reliable
Disciplined: Ensure that the organization manages, governs and provides assurance.
Consistent: Achievement of objectives is consistent and with relatively few surprises.
Accurate: Information is reasonably free from error and bias and can be trusted.
Takeaway #3
Principled Performance is a modern
approach for the modern economy
ELABORATE
Illustration 1: Good Intentions
Good Intentions / Principled Performance
Just because an organization articulates objectives and promises that you agree with does NOT make them a principled performer.
Illustration 2: Disagreement
Disagreement / Principled Performance
You may disagree with an organization’s objectives and promises, but they may INDEED be a principled performer.
POSITIVE vs NORMATIVE
POSITIVE: Objective & Testable
NORMATIVE: Based on Preferences
Takeaway #4
Principled Performance is a POSITIVE and testable approach
Big Picture
MANDATORY BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.
OBJECTIVES: strategic, operational, customer, process, compliance objectives
BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives
OPPORTUNITIES
VOLUNTARY BOUNDARY: boundary defined by management including organizational values, contractual obligations, voluntary policies and other promises.
reliable achievement of objectives while addressing uncertainty and acting with integrity
INTEGRATION & ORCHESTRATION
Requires Integration & Orchestration
Around Principled Performance:
- Governance
- Risk Management
- Performance Management
- Control & Audit Management
- Compliance Management
- Ethics & Culture Management
5-10% of enterprise processes, however they are pervasive & costly
CRM
Takeaway #5
Integration, not consolidation
Transformational Opportunity
Current State | Future State
Managed in silos | Enterprise approach
Reactive | Proactive
Project or program approach | Systemic approach
Separate from mainstream processes and decision-making | Embedded within mainstream processes and decision-making
Necessary evil | Value-added
Fragmented use of technology | Architected solutions
Why Integrate & Orchestrate?
COST
CONFUSION
COMPLEXITY
EFFECTIVENESS
EFFICIENCY
AGILITY
Takeaway #6
Nothing New … Totally Revolutionary
GRC
“means to the end”
YAFM?
“yet another framework”
GRC Capability Defined
a capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity
…including the integrated governance, assurance and management of performance, risk, and compliance.
what does this
capability look like?
High Level View
Management PRIMARILY manages, and MEASURES:
Performance: opportunities → reward (UNCERTAIN)
Risk: threats → risk (UNCERTAIN)
Compliance: requirements → conformance (CERTAIN)
Governance and Assurance surround Management of Performance, Risk and Compliance → Principled Performance
Takeaway #7
Integrate the governance, assurance and management of performance, risk and compliance
Takeaway #8
Finance and the Office of the CFO are really in the driver’s seat of this integration
Positioned for Competitive Advantage
Governance, Management and Assurance of Performance, Risk and Compliance → Principled Performance:
- MORE EFFECTIVE
- MORE LEAN
- MORE AGILE
Plenty of Frameworks and Standards
Governance: NACD, OECD, King 3, Domain-Specific Governance (IT, Project, etc.)
Management / Performance: Balanced Scorecard, Strategic Planning, Business Intelligence, Decision Science, Quality Management
Risk: COSO ERM, ISO 31000 / BSI 31100, UK Orange Book, IRM / ALARM / Airmic, Domain-Specific (BASEL)
Compliance: US FSG, AS 3806, Quality Management, Domain-Specific
Assurance: COSO, CoCo, Turnbull, PCAOB
→ Principled Performance
Takeaway #9
Many, many, many standards and frameworks
Takeaway #10
There are free tools to make all of this easier and less expensive
Red Book – Makes it Easier and Better
OCEG Red Book GRC Capability Model: integrated Governance, Management and Assurance of Performance, Risk and Compliance → Principled Performance
GRC Body of Knowledge
› Open Source
› Quality Controlled
› Complete
• 8 Major Components
• 40 Major Practices
• 100s Sub-Practices
OCEG Red Book – an integrated GRC Capability Model
8 INTEGRATED COMPONENTS: CONTEXT, ORGANIZE, ASSESS, PROACT, DETECT, RESPOND, MEASURE, INTERACT
8 UNIVERSAL OUTCOMES:
- Achieve Business Objectives
- Enhance Organizational Culture
- Increase Stakeholder Confidence
- Prepare & Protect the Organization
- Prevent, Detect & Reduce Adversity
- Motivate & Inspire Desired Conduct
- Improve Responsiveness & Efficiency
- Optimize Economic & Social Value
Capability Model: Elements
CONTEXT
C1 – External Context
C2 – Internal Context
C3 – Culture
C4 – Objectives
ORGANIZE
O1 – Commitment
O2 – Roles
O3 – Accountability
ASSESS
A1 – Identification
A2 – Analysis
A3 – Planning
PROACT
P1 – Proactive Actions & Controls
P2 – Codes of Conduct
P3 – Policies
P4 – Education
P5 – Incentives
P6 – Stakeholder Relations
P7 – Risk Financing
DETECT
D1 – Detective Actions & Controls
D2 – Notification
D3 – Inquiry
RESPOND
R1 – Responsive Actions & Controls
R2 – Internal Investigation
R3 – 3rd Party Investigation
R4 – Crisis Response
R5 – Remediation
R6 – Rewards
MEASURE
M1 – Context Monitoring
M2 – Performance Monitoring
M3 – Systemic Improvement
M4 – Assurance
INTERACT
I1 – Info Management
I2 – Communication
I3 – Technology
GRC Body of Knowledge
› Agreed Upon Procedures (AUPs) for Evaluating a GRC Capability
› Assessing Red Book implementation
› Criteria for satisfaction
• To evaluate design
• To determine design effectiveness
• To provide reports to the Board and Senior Management
› Opportunity for OCEG Certification
GRC Technology Solutions
› Untangle the GRC technology landscape
The GRC Fundamentals Training Course
› A series of self-directed recorded courses addressing Principled Performance and each aspect of the GRC Capability Model
› Prepare for the GRC Professional Certification test offered by www.grccertify.org
› Coming soon in Spanish
The GRC Professional Certification
Coming soon
www.grccertify.org
www.oceg.org