Delivering an Engaging, Mobile, and Interactive GRC Experience to All Levels of the Organization

Post on 28-May-2020

TRANSCRIPT

Page 1: Delivering an Engaging, Mobile, and Interactive GRC Experience to All Levels of the Organization

(888) 519-9200 www.complianceweek.com

Sponsored by

Delivering an Engaging, Mobile, and Interactive GRC Experience to All Levels of the Organization

Welcome to Compliance Week’s Webcast on delivering an engaging, mobile, and interactive GRC experience to all levels of the organization

The Webcast will feature Michael Rasmussen, Principal Analyst with GRC 20/20 Research.

The discussion will be hosted by Compliance Week Executive Editor, Joseph McCafferty.

You can submit questions to our speaker by using the “Ask a Question” button on the left side of your screen.

Page 2

Agenda for Today’s Webcast

This Webcast will last for 60 minutes.

2:00 p.m. Introduction: Joseph McCafferty, Compliance Week
2:05 p.m. Discussion: Michael Rasmussen, GRC 20/20 Research
2:45 p.m. Q&A (questions will be kept anonymous)
3:00 p.m. Closing Remarks from Compliance Week

Page 3

Introduction: The Series, Schedule & Instructions

Upcoming Webcasts: visit our website for future Webcast dates and topics, www.complianceweek.com

Instructions:
• Use the “Ask A Question” function (left side of your screen). All questions will be anonymous.
• Please disable your pop-up blockers to access the automatic CPE exam presented at the webcast conclusion.

Page 4

Today’s Presenter

Michael Rasmussen, Principal Analyst, GRC 20/20 Research
• Well-known thought-leader, keynote speaker, author and collaborator.
• Noted for being the first analyst to define and model the GRC market for products and professional services.
• With more than 15 years of experience, Michael's objective is to assist organizations in defining GRC processes that are sustainable, consistent, efficient, and transparent.

Page 5

Delivering an Engaging, Mobile, and Interactive GRC Experience to All Levels of the Organization

September 2013

Michael Rasmussen, J.D.
Chief GRC Pundit @ GRC 20/20 Research, LLC
OCEG Fellow @ www.OCEG.org

Page 6

6 © 2013, all rights reserved, www.grc2020.com

Are you truly aware of your risks?

“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”
E.J. Smith, Captain of the Titanic

The modern organization is encumbered by change. The onslaught of changing business, risk, and regulatory environments, while keeping change in sync, is a significant challenge for governance, risk management, and compliance (GRC). GRC fails when it is addressed as a system of parts that do not integrate and work as a collective whole.

Page 7

GRC Impacted From So Many Directions

[Diagram: changing business, risk, and regulatory environments press on the Board, Line of Business, Management, and Employees across multiple Operational Units; between them flow assessments, issues, procedures, training, policies, testing, and controls.]

Page 8

Battling the Hydra of GRC

• Email-based processes with disparate documentation and paper trails
• Complex interfaces
• Poor visibility and reporting
• Files and documents out of sync
• Wasted resources and spending
• Overwhelming complexity
• No accountability

Page 9

Too many formats and approaches are inefficient, ineffective, and lack agility.

Page 10

The Winchester Mystery House

• 160 rooms

• 47 fireplaces

• 6 kitchens

• 10,000 windows

• 65 doors to blank walls

• 13 staircases abandoned

• 25 skylights – in floors

• 147 builders/no architects

• Built without a blueprint

• $5.5 million over 38 years

… confusing user experience

Page 11

. . . and we are just hoping nothing fails

• Inability to gain a clear view of GRC dependencies;
• High cost of consolidating GRC information;
• Difficulty maintaining accurate GRC information;
• Failure to trend across assessment and reporting periods;
• Redundant approaches limit correlation, comparison and integration of information; and
• Lack of agility to respond timely to changing risks, regulations, laws, and situations.

Page 12

What GRC is all about . . .

[Diagram of the GRC model, with these elements:]
• BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives
• OPPORTUNITIES
• MANDATORY BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.
• VOLUNTARY BOUNDARY: boundary defined by management including organizational values, contractual obligations, voluntary policies and other promises.
• OBJECTIVES: strategic, operational, customer, process, compliance objectives

GRC is a capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity…

Page 13

Evolution of GRC: GRC 1.0, GRC 2.0, GRC 3.0

GRC 3.0 is about . . .
• Bringing GRC to the ‘coal-face’, the frontlines of the organization
• Mobility and engagement
• Dynamic integration of actionable content
• 360° GRC contextual awareness
• GRC Architecture
• Operationalizing GRC

Page 14

GRC Engagement: Lack of Interactive Structure

User experience with GRC is typically poor in most organizations, resulting in . . .
• Time-consuming and redundant processes that are NOT EFFICIENT
• A check-box mentality that sends off messages and tasks that are NOT EFFECTIVE
• Lack of central coordinated efforts for GRC communications that hinder the organization to the point where it is NOT AGILE

Inefficient processes create critical resource constraints:
• Multiple sources of policy, training, survey, assessment, issue reporting/hotline, and interaction consume human and financial capital resources
• Employee interactions are inconsistently logged in documents and spreadsheets, if they are logged at all
• The organization lacks a consistent approach to GRC communications and fails to prioritize action items
• Emails fly about, slip through cracks, are not responded to, or are simply forgotten

Page 15

GRC Engagement: an Agile Approach

However, if organizations align and optimize processes supported by technology that provides an intuitive interface for employee engagement, GRC programs become . . .

Effective. The organization ensures that risk and compliance are effectively monitored and managed at all levels of the organization: that policies are not only read but understood, that employees are trained properly, that they know how to ask questions when in doubt and how to report issues, and what to be alert for.

Efficient. GRC engagement provides efficiency and savings in both human and financial capital resources by providing access to the right information at the right time for employees.

Agile. The organization is able to respond rapidly to changes in the internal business environment as well as the external environment, and to communicate to employees the GRC context of these changes. GRC engagement is measured in the ability to identify and react to events and issues.

Page 16

Employee GRC Engagement: Interactive & Relevant Content

[Diagram: the Employee GRC Engagement model, with five elements: Interactive & Relevant Content, Mobility, Analytics, Gamification, and Socialization & Collaboration.]

GRC needs to deliver interactive and relevant content in the context of the user, such as:

Policies & Training. Policies and training come together into a unified employee experience. Relevant resources are easily accessible and provided in the same interface without hopping between disconnected systems.

Issue Reporting. Employees can easily report issues and, in doing so, can be provided with relevant contextual information to see whether what they are reporting is an issue or not, which helps educate them as they engage in GRC.

Surveys & Assessments. As employees answer questions they can easily look up relevant policies and other information in the context of the assessment, so that their answers are informed and relevant.

Page 17

Employee GRC Engagement: Socialization & Collaboration

GRC engagement is accomplished through socialization and collaboration across the organization that:

Gets questions answered. Employees should be able to ask questions and get them answered quickly with contextually relevant information and pathways.

Provides for two-way communication. Employees have ideas and ways to improve GRC and have feedback on values, code of conduct, policies, trainings, risks, or incidents.

Shares information. Getting employees engaged is about sharing information; it allows the organization to see what works and keeps employees engaged.

Connects the dots through collaboration. GRC needs to allow for collaboration on GRC across broad geographic boundaries without the need for everyone to be in the same physical location.

Page 18

Employee GRC Engagement: Mobility

There is an app for GRC! GRC engagement through the use of mobile technologies makes GRC accessible as well as efficient:

Policies & training. Delivery of policies and training on mobile devices, which works particularly well in environments where a tablet can be deployed as a policy and training kiosk.

Surveys & assessments. Employees answer GRC surveys and assessments on mobile devices to get the job done. They can provide pictures through integrated cameras to capture information related to the assessment.

Issue reporting. Mobility allows for quick reporting, and integrated cameras can capture a visual of the issue at the moment (e.g., health and safety hazard, accident).

Investigations. Investigations can be done, evidence photos attached, barcodes on evidence bags scanned, and even interviews captured with integrated audio and video.

Reporting. For executives, managers, and GRC professionals, mobility provides an engaging experience to get reports and drill into them wherever and whenever needed.

Page 19

Employee GRC Engagement: Analytics

Metrics and analytics become stronger through employee engagement: feedback on risk boundaries, ethics, and values helps the organization measure corporate integrity and improve corporate culture. Consider the following:

Alignment. Employee engagement feeds into analytics to ensure that the culture of the organization, its values, and risk boundaries are understood and supported across the organization.

Reception. It allows employees to rate policies and training programs to determine what was well received and what was not. Did they understand the policy? Was the training interesting, appropriate, and informative? Are there things around policies/trainings that they still don't understand?

Organizations should focus on delivering engaging GRC user experiences that align with the needs of employees, integrate with organizational architecture and systems, and deliver relevant content when and wherever it is needed.

Page 20

Employee GRC Engagement: Gamification

GRC engagement is about interactive experiences, recognition, and rewards. It is not about trivializing GRC, but using content and technology to engage, communicate, and allow for broader participation. GRC gamification includes:

Interactive content. Getting employees involved through video, comedy, and games to educate on risk, policy, and compliance. Games, puzzles, and illustrations all help to answer questions, develop skills, and communicate a point.

Recognition and awards. Employees can engage GRC to gain points and achieve levels/badges. Recognition can be given when people complete assessments, discover and report issues, educate others, and champion GRC in different ways.

Page 21

The Role of Technology in Regulatory Change

Page 22

Bringing it all Together: Value of Integrated GRC Information

[Diagram: the integrated GRC information domains]
• Regulations & Obligations
• Risk & Analysis
• Objectives & Goals
• Incidents & Issues
• Assets & Relationships
• Policies & Training
• Controls & Assessment
• Roles & Responsibilities

Page 23

Elements of GRC communication plan

Page 24

Defensible and effective GRC communications

Page 25

Questions?

Michael Rasmussen, J.D.
Chief GRC Pundit & OCEG Fellow
[email protected]
+1.888.365.4560

GRC 20/20 Newsletter
LinkedIn: GRC 20/20
Blog: GRC Pundit
Twitter: GRCPundit
LinkedIn: Michael Rasmussen

Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.

Page 26

Thank You for Joining Us

Feedback: please send to [email protected]

Thanks to Michael Rasmussen, Principal Analyst, GRC 20/20 Research

CPE Credit: Please disable your pop-up blockers to access the automatic CPE exam presented at the conclusion of the webcast. The CPE test will appear in a separate window at the conclusion of the Webcast. If you have trouble accessing the test, please email us at [email protected]

CPE certificates will be emailed to you separately following completion of the exam.