TRANSCRIPT
2017 GRC Market Drivers, Trends, Personas & Profiles
January 2017
Michael Rasmussen, J.D., GRCP, CCEP
GRC Economist & Pundit @ GRC 20/20 Research, LLC
OCEG Fellow @ www.OCEG.org
Licensed Subscriber Use Only, Do Not Distribute
© GRC 20/20 Research, LLC • www.GRC2020.com
Terms & Conditions . . .
✓ GRC 20/20 Research Briefings are copyrighted and protected material. Content cannot be reused or distributed without written permission from GRC 20/20 Research, LLC.
✓ GRC Advisor Enterprise Subscribers get access to live and recorded Research Briefings for all employees, for INTERNAL use only, through the GRC 20/20 website. If they wish to have a recording to host internally, there is a fee for this.
✓ GRC Basic Subscribers pay for individual access to specific GRC 20/20 Research Briefings. Individual access is for the individual only; slides or login are not to be shared with others or viewed as a group.
Two Things to Note . . .
Complimentary Inquiry
▪ Organizations evaluating or considering GRC solutions are free to ask GRC 20/20 for our understanding and comparison of solutions in the market to meet your GRC requirements.
▪ Inquiries are single, focused questions that can be answered in under 30 minutes.
▪ Complimentary inquiry is only available to organizations evaluating or considering GRC solutions for their internal use.
RFP Development & Support
▪ GRC 20/20 has an extensive library of RFP requirements across the range of GRC capability areas presented in this presentation.
▪ GRC 20/20 can be engaged in RFP development and support projects to streamline your process, gain perspectives learned from other organizations, and keep solution providers honest in their responses.
Our Objectives . . .
1) GRC Market Definition, Overview & Segmentation
2) GRC Market Drivers & Trends
3) Personas
4) Technology Profiles
The Official Definition of GRC . . .
GRC is the integrated collection of capabilities that enable an organization to:
G) reliably achieve objectives,
R) while addressing uncertainty, and
C) acting with integrity.
SOURCE: OCEG GRC Capability Model
"Realize that everything connects to everything else." (Leonardo da Vinci)
The Organization Has to be Able to See . . .
❑ The Tree. The individual area of risk
❑ The Forest. The interconnectedness of risk
Change is the Greatest Challenge Impacting GRC Management
External Risk Change: Monitor change in the external risk environment to determine how uncertainty in economic, geo-political, environmental, industry, societal, and market forces affect current and needed policies. (Figure labels: market forces, industry, technology, competitive forces, geo-political, societal forces.)
Internal Risk/Business Change: Monitor changes to the internal environment to identify how changes to strategy, mergers & acquisitions, processes, technology, business relationships, and employees affect current and needed policies. (Figure labels: mergers & acquisitions, strategy, processes, IT, employees, financial position, business relationships.)
Regulatory/Legal Change: Monitor change in the legal and regulatory environment to determine how pending legislation, court decisions, new/changing regulations, and enforcement actions affect current and needed policies. (Figure labels: court rulings, enforcement, legislation, regulations.)
Source: OCEG Anti-Corruption Illustrated Series, ©2012 OCEG; visit www.oceg.org for other installments; contact Carole S. Switzer for comments, reprints or licensing requests.
Inevitability of Failure: Too Many Approaches
There are too many departments sending too many communications in different formats. GRC management is buried in documents, spreadsheets & emails.
➢ Wasted resources through redundancy & overlap
➢ Excessive emails, documents, and paper trails
➢ Poor visibility & reporting
➢ Files and documents out of sync
➢ Overwhelming complexity
➢ Lack of accountability
Varying Levels of GRC Management
Enterprise: Top-down federated GRC management strategy across the entire organization.
Division / Business Unit: Division or business unit management strategy.
Department / Function / Process: Management done at a department, function, or process level.
Risk / Regulation / Issue: Managed in the context of a specific focus, regulation, or issue.
What is Your Approach to GRC Management?
Federated GRC Management: An integrated approach that balances GRC management centralization with distributed participation and collaboration.
Distributed GRC Management: Disconnected departments managing GRC-related activities in different ways with little or no collaboration with other departments.
GRC Strategy Within Organizations
(Figure elements: GRC Strategy, GRC Process, GRC Information, GRC Technology.)
360° GRC Contextual Analytics & Intelligence Capabilities
(Figure elements: Distributed & Disconnected GRC Data Points; Integrated and mapped together to provide context; Analyzed to understand relationships; Action Items.)
GRC Information Architecture Provides 360° Contextual Intelligence
(Figure: an information architecture linking core GRC elements (Objectives, Risks, Controls, Issues, Roles, Policies, Obligations, Organization/Entity, Asset, Process) with their attributes: strategic, financial, operational; preventive, corrective, detective; complaint, investigation, event; strategic, process, department; regulatory, values, contractual; code of conduct, training & awareness, policies & procedures; owner, employee, subject matter expert.)
Process optimization: All non-value-added activities are eliminated and value-added activities are streamlined to reduce lag time and undesirable variation.
Better capital allocation: Identifying areas where there are redundancies or inefficiencies allows financial and human capital to be allocated more effectively.
Higher quality information: Integrating GRC information allows management to make more intelligent decisions, more rapidly.
Protected reputation: Reputation is protected and enhanced because risks are managed more effectively.
Improved effectiveness: Overall effectiveness is improved as gaps are closed, unnecessary redundancy is reduced, and GRC activities are allocated to the right individuals and departments.
Reduced costs: Reduced costs help to improve return on investments made in GRC activities.
The GRC Market: Technology, Information, & Professional Services
GRC Technology Solutions: 843 technology solution providers that offer solutions related to GRC.
GRC Intelligence & Content Solutions: 112 providers with 384 content/intelligence solutions across a range of GRC areas.
GRC Professional Services Solutions: 1,000+ professional service firms offering services related to GRC.
GRC Technology Market Segment Definitions
Enterprise GRC: Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture.
Audit Management: Capability to manage audit planning, staff, documentation, execution/field work, findings, reporting, and analytics.
Automated Control: Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
Business Continuity Management: Capability to manage, maintain, and test continuity and disaster plans, and implement these plans for expected and unexpected disruptions to all areas of operation.
Compliance Management: Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report.
Environmental Management: Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
Health & Safety Management: Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
Internal Control Management: Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.
IT GRC Management: Capability to govern IT in the context of business objectives and manage IT process, technology, and information risk and compliance.
Issue Reporting & Management: Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
Legal Management: Capability to manage, monitor, and report on the organization's legal operations, processes, matters, risks, and activities.
Physical Security Management: Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
Policy & Training Management: Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities.
Quality Management: Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
Risk Management: Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects.
Strategy & Performance Management: Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
Third Party Management: Capability to govern, manage, and monitor the array of third-party relationships in the enterprise, particularly the risk and compliance challenges these relationships bring.
GRC Intelligence Market Segment Definitions
Audit Content & Intelligence: Content providers of audit templates, forms, and intelligence.
Business Continuity Content & Intelligence: Content providers of business continuity templates, forms, and intelligence.
Compliance Content & Intelligence: Content providers of regulatory libraries, regulatory intelligence, compliance forms and templates.
Environmental Content & Intelligence: Content providers of environmental intelligence, forms, and templates.
Health & Safety Content & Intelligence: Content providers of health & safety libraries, content, forms, and templates.
Internal Control Content & Intelligence: Content providers of internal control libraries, forms, and templates.
IT GRC Content & Intelligence: Content providers of IT GRC/security control libraries, threat and vulnerability intelligence, forms, and templates.
Legal Content & Intelligence: Content providers of legal databases, libraries, legislation tracking, forms, templates, and spend intelligence.
Policy & Training Content & Intelligence: Content providers of policy libraries, training courses, and policy and training related content, forms, and templates.
Risk Management Content & Intelligence: Content providers of risk intelligence feeds, risk libraries, loss data, risk forms, and templates.
Third Party Management Content & Intelligence: Content providers of third party management intelligence, due diligence, watch lists, negative news, ratings, monitoring, forms, and templates.
Issue Specific Content & Intelligence: Content providers of content and intelligence related to specific issues, regulations, and risks (e.g., bribery/corruption, conflict minerals, labor).
Industry Specific Content & Intelligence: Content providers of industry specific content and intelligence.
GRC Professional Services Market Segment Definitions
Audit Services: Services focused on external audits as well as internal audit staffing and management.
Consulting Services: Services focused on GRC related management and strategy consulting.
Legal Services: Services focused on legal matters and advice related to GRC.
Outsourced Services: Services that are outsourced, such as specific GRC functions, monitoring, certification, etc.
Systems Integration Services: Services focused on implementation, build out, and development of GRC related information and technology architecture and solutions.
GRC Technology Market: Types of Technology
Platforms: Platforms provide a breadth of capabilities that span solution areas in a segment, enabling them to be a platform to manage a GRC segment extensively.
Solutions: Solutions are technologies that are more focused in what they do. They tend to solve specific problems and come at a segment from a narrower perspective. They can complement a platform or run independently from it.
Tools: Tools are technologies that assist or enable a segment, but do not fit adequately in any of the definitions for platforms or solutions. Every GRC segment has a Miscellaneous Tools category to catch all the related technologies that assist and add value, but do not have enough market presence in a segment to get their own solution or platform identification.
GRC Technology Market: Enterprise GRC Platforms & Architecture
Solution categories in this segment: Enterprise GRC Platforms; GRC Data Integration Solutions; GRC Analytics & Reporting Solutions; Organization & Process Modeling Solutions; Miscellaneous GRC Platform & Architecture Tools.
Enterprise GRC Platform & Architecture technologies deliver a range of cross-department functionality across GRC functional areas into an integrated technology ecosystem. For some this is a single GRC platform for the entire organization. For others it is an integrated architecture in which there can be a core platform that often extends and integrates into a range of other solutions and data sources.
To be an Enterprise GRC Platform requires a single platform architecture that has multi-department (e.g., enterprise-wide) use across the following areas, at a minimum:
– Enterprise/Operational Risk Management
– Compliance Management
– Internal Control Management
– Issue Management (e.g., incident, case, investigations)
– NOTE: most Enterprise GRC Platforms offer a range of additional modules beyond these.
Four Critical Capability Areas that Define an Enterprise GRC Platform
(Figure: Enterprise GRC with its four capability areas: Risk Management, Internal Control Management, Issue Reporting & Management, Compliance Management.)
What Are the Critical Components of Your GRC Platform?
(Figure: GRC capability areas shown as components of a GRC platform: Audit Management, Business Continuity Management, Compliance Management, Health & Safety Management, IT GRC, Internal Control Management, Issue Management, Automated Controls, Policy Management, Quality Management, Risk Management, Third Party Management, Environmental Management, Legal Management, Physical Security Management, Strategy & Performance Management. Legend: 100% of Enterprise GRC RFPs; 50 to 99% of Enterprise GRC RFPs; 1 to 49% of Enterprise GRC RFPs.)
Basic Enterprise GRC Platforms
Basic Enterprise GRC Platforms focus on the workflow, forms, and tasks of enterprise GRC. The value focus is on automation: getting rid of the inefficiencies of documents, spreadsheets, and emails and replacing them with a solution that can collect information, manage workflow and tasks, and simplify reporting.
Value = tends to be the lower-cost solutions to acquire; focus is more on small to medium-sized enterprise deployments.
Capabilities
✓ Core Enterprise GRC modules of risk, compliance, internal control, & issue management
✓ Workflow
✓ Task management
✓ Survey & assessment
✓ Forms management
✓ Reporting
✓ Often has other modules, but capabilities are limited to those defined above
Limitations
➢ Tends to have a flat view of risk in which the entire enterprise is mapped into one risk model and assessment process
➢ Lacks risk normalization and aggregation capabilities
➢ Limited capabilities to integrate with other systems
➢ Reporting is rigid and inflexible
➢ Lacks depth in risk analytics and modeling capabilities
➢ Often difficult to adapt to your environment
Common Enterprise GRC Platforms
Common Enterprise GRC Platforms have the range of features commonly found in Enterprise GRC RFPs. They build upon the foundation of workflow, tasks, surveys, and forms with features that provide greater integration with other systems, analytics, and reporting.
Capabilities
✓ Core Enterprise GRC modules of risk, compliance, internal control, & issue management, and a range of other GRC modules
✓ Has the workflow, task, survey, assessment, forms, and reporting capabilities of Basic solutions
✓ Has capabilities for risk normalization and aggregation, and supports more risk analysis methodologies
✓ Integrates easily into the broader IT environment
✓ Advanced reporting
Limitations
➢ Often does not fit the needs of more advanced risk management programs
➢ Solution offers some content feeds, but does not have a strong array of content offerings across areas of GRC
What Differentiates Basic, Common & Advanced GRC Solutions?
Characteristics: Advanced Enterprise GRC Platforms
Advanced Enterprise GRC Platforms are Common Platforms that have distinguished themselves from competitors by offering advanced capabilities in different areas.
Areas of Advanced Capabilities (note: a solution might have one or more of these):
✓ Enterprise Architecture & Business Process Modeling. Ability to visually lay out business processes in a GRC context and for GRC documentation.
✓ Risk Analytics & Modeling. Advanced risk analytics and modeling supporting a range of methodologies and quantification.
✓ GRC Mobility. Mobile architecture capabilities that easily extend new GRC applications and interfaces to mobile devices.
✓ GRC Content & Intelligence. An array of GRC content and intelligence offerings integrated as part of the platform.
✓ Easy to Configure & Extend. The solution is highly extensible and can be built out to support new GRC processes without coding, and does not require a high degree of IT expertise.
✓ Risk Normalization & Aggregation. The solution supports advanced capabilities to normalize and aggregate risk across the environment.
✓ Robust Data Analytics & Reporting. The solution has a strong data warehouse architecture and can aggregate and report on a range of GRC risk and reporting needs involving data gathering and analysis across disparate systems.
Drivers & Trends: GRC
Drivers
1. Constant Change: Exponential growth in regulatory, risk and business change is leaving scattered GRC processes and information constantly behind and exposing the organization.
2. Growing Relationships: The growing array of third-party relationships, with increased regulatory and risk exposure, is bearing down on organizations to include these relationships in GRC strategies.
3. Scattered Information & Platforms: Many organizations still find they are encumbered by silos of information that are disconnected, and often have several disconnected GRC platforms in different areas.
4. Growing Beyond Initial GRC Platforms: Those that implemented a GRC platform in the past decade are often finding that the solution is out of date and cumbersome to use when compared to the new generation of solutions.
5. Need for External GRC Content: There is growing demand and need for the integration of external content and intelligence feeds into the GRC architecture.
Trends
1. GRC Architecture: No platform does everything. Organizations are looking toward an information and technology architecture that integrates GRC, though there often is one central core platform.
2. Integration: Enterprise GRC Platforms are no longer self-contained solutions to manage GRC workflow and tasks; they require strong integration capabilities into a range of business systems.
3. Best of Breed Where it Makes Sense: In a GRC architecture approach, organizations are looking toward a common hub and core for Enterprise GRC but allow for best-of-breed solutions where they make sense.
4. Business Process Modeling: There is growing demand in RFPs for GRC solutions to have business process modeling capabilities to visually lay out and document how business processes function in a GRC context.
5. GRC Mobility & Engagement: Enterprise GRC is no longer for the back office but needs to be intuitive and easy to use for the front office. New releases are showing improved user interface and mobility options.
GRC 20/20 Inquiries by Role
Compliance: 34%
Risk Management: 28%
Audit: 16%
IT: 11%
Other: 5%
GRC 20/20 Inquiries by Geography
(Chart: regions Europe, North America, Central/South America, Middle East, Oceania, Asia, Africa; values shown are 41%, 28%, 8%, 8%, 6%, 6%, 3%. Europe is labelled 28%; the remaining region-to-value pairings are not legible in the extracted chart.)
Preference of SaaS or Traditional Software for GRC
Do you prefer SaaS GRC (hosted externally) or traditional software (internally hosted)?
All Responses: 31% Prefer SaaS; 39% Do Not Prefer; 21% Neutral; 3% Unsure; 9% Don't Know
Those Leading GRC Strategy: 45% Prefer SaaS; 27% Do Not Prefer; 22% Neutral; 3% Unsure; 6% Don't Know
290 respondents from organizations using or considering GRC solutions/technology
Top 8 Criteria Looked for in New GRC Purchases
1. Ease of Use: 53%
2. Price: 41%
3. Functionality: 40%
4. Configurability: 39%
5. Industry Focus: 26%
6. Customer Service: 23%
7. Integration Capabilities: 21%
8. Company Stability/Viability: 16%
290 respondents from organizations using or considering GRC solutions/technology
Level of GRC Integration
Pick the statement that best describes your organization's state of integration of GRC capabilities. (The more integrated you are, the more you share information and use standardized approaches to how you manage and provide assurance about performance, risk and compliance.)
10%: We have integrated processes and technology across many or all organizational silos of operation
25%: We have integrated processes across many organizational silos, but we have not yet completely addressed integrating technology that supports these processes
37%: We have standardized some processes and use of technology but not across the entire enterprise
28%: Our processes and technologies remain largely siloed
571 respondents from organizations using or considering GRC solutions/technology
Level of GRC Integration Compared to 3 Years Back
Is there greater GRC integration in your organization today than there was three years ago?
23%: Yes, substantially more
44%: Yes, somewhat more
22%: No, but it is planned
11%: No, and we have no current plans for change
571 respondents from organizations using or considering GRC solutions/technology
Satisfaction with GRC Integration from Those Who Integrated
Where your organization has integrated processes for governance, assurance and/or management of performance, risk and compliance (GRC), the results have:
22%: Provided benefits that exceeded expectations
67%: Provided benefits that met expectations
11%: Failed to meet expectations
571 respondents from organizations using or considering GRC solutions/technology
Beneficial outcomes from those who have integrated GRC processes
1. Reduced gaps in risk and compliance processes (70%)
2. Reduction in redundant or duplicative activities (59%)
3. Greater ability to repeat processes in a consistent manner (54%)
4. Greater ability to gather information quickly and efficiently (54%)
5. Reduced impact on operations from siloed and uncoordinated risk assessments (52%)
6. Greater ability to present consolidated, meaningful information and analyses (46%)
7. Reduced costs of GRC processes (42%)
8. Reduced impact on operations from siloed training on compliance requirements (32%)
571 respondents from organizations using or considering GRC solutions/technology
Greatest barriers to integrated GRC in siloed organizations
1. No established strategy for integration (46%)
2. Inability to secure program/department cooperation (38%)
3. Lack of champions (37%)
4. Belief it is too complex to undertake integration (36%)
5. Lack of a compelling business case or method to demonstrate ROI (31%)
6. Inability to secure necessary budget (20%)
7. Not knowing how to start or implement (19%)
8. Available technology/software not aligned with GRC needs (16%)
571 respondents from organizations using or considering GRC solutions/technology
Internal Audit
OVERVIEW: The Internal Audit role in an organization provides independent and objective assurance of business activities and processes with a goal to improve an organization's operations. Internal Auditors monitor, assess, and analyze organization risk and controls as well as review and confirm compliance with policies, procedures, and laws. Internal audit provides the board, the audit committee, and executive management assurance that risks are mitigated and that the organization's corporate governance is strong and effective.
BIG PICTURE: WHAT INTERNAL AUDIT DOES:
▪ Audit Planning
▪ Documenting Risks and Internal Controls
▪ Planning & Preliminary Fieldwork
▪ Audit Scope
▪ Audit Execution & Fieldwork
▪ Sampling & Testing
▪ Workpapers & Record/Time Keeping
▪ Audit Findings & Reporting
▪ Risk Assessment
RELATED HATS (SOMETIMES AUDIT DOES THESE AS WELL):
▪ Compliance
▪ Ethics
▪ Fraud
▪ Investigations
▪ Risk management
NETWORKING:
▪ American Institute of Certified Public Accountants
▪ Assoc. of Certified Fraud Examiners
▪ Assoc. of Chartered Certified Accountants
▪ CPA Canada
▪ Financial Executives International
▪ Institute of Internal Auditors
▪ Institute of Management Accountants
▪ Information Systems Audit & Control Association
Industry Specific Associations:
▪ Assoc. of College and University Auditors
▪ Assoc. of Credit Union Auditors
▪ Assoc. of Healthcare Internal Auditors
▪ Assoc. of Local Government Auditors
▪ National Assoc. of Financial Services Auditors
PURCHASING BEHAVIOR:
▪ Audit is often struggling to manage audits in spreadsheets, documents and emails.
▪ They then begin looking for an overall solution to manage audits in an integrated audit management platform covering audit planning, scheduling, resources, workpapers, execution and reporting.
▪ About 50% of audit departments desire their own segregated audit management platform and the other 50% look to have audit management as part of a broader GRC platform.
▪ With the number of new audit solutions available in the market there has been a lot of churn, with some moving away from more established legacy players.
▪ Audit analytics is a growing area of audit solutions.
TOP GRC SOLUTION AREA NEEDS:
1) Audit Management Platforms
2) Audit Analytics
3) Risk Management Solutions
4) Internal Control Management
5) Automated / Continuous Control Monitoring
Corporate Compliance & Ethics
OVERVIEW: The Corporate Compliance (& Ethics) role is tasked with addressing the major compliance issues the organization faces. This role reports into Legal in about half of organizations; in others it reports outside of Legal, typically to the CEO and Board. The function is typically led by a Chief Compliance Officer (CCO) or Chief Compliance & Ethics Officer (CECO) and is primarily responsible for major compliance issues as well as for coordinating compliance across other organization functions.
BIG PICTURE: WHAT KEEPS THEM UP AT NIGHT:
▪ Anti-Bribery & Corruption.
▪ Regulatory Change Management. Keeping up with business and regulatory change.
▪ Policies & Training. Keeping policies current and delivering effective training.
▪ Regulatory Exams. Increased regulatory scrutiny in the context of regulatory examinations, with focus on the role the board of directors plays in overseeing compliance.
▪ Vendor Risk Management. Increased regulatory requirements on vendor risk management, particularly US OCC requirements across the entire lifecycle of third-party relationships.
▪ Consumer Protection. Need to enhance compliance infrastructure to support aggregating and reporting on customer data as well as to manage customer complaints and reporting.
NETWORKING: Industry Associations:
▪ Association of Certified Fraud Examiners
▪ Ethics & Compliance Association
▪ Open Compliance & Ethics Group
▪ Society for Corporate Compliance & Ethics
PURCHASING BEHAVIOR:
▪ Corporate compliance and ethics departments tend to have a legal background and are not as tech savvy as other areas of GRC.
▪ They are challenged with many issues and regulations that are constantly changing.
▪ As a result, they tend to focus on the immediate problem at hand and do not always think big picture. Much of their buying is on tactical solutions to solve very specific problems.
▪ This has led to a lot of redundancy and overlap.
▪ Solution providers need to know how to sell to the tactical issues they face, but also need to be able to educate compliance roles on how a broader information and technology architecture for compliance can benefit them.
TOP GRC SOLUTION AREA NEEDS:
1) Compliance Management Platform
2) Regulatory Change Management Solutions (Content & Technology)
3) Enterprise Policy & Training Management Solutions
4) Issue Reporting (Hotlines) & Management
5) Customer Complaint Management
6) Compliance Forms & Reporting
7) Third Party Management
Information Security
NETWORKING (Industry Associations):
§ Association of Information Security Professionals
§ Information Security Forum
§ Information Systems Audit & Control Association
§ Information Systems Security Association
§ ISC2
§ The SANS Institute

BIG PICTURE: WHAT KEEPS THEM UP AT NIGHT:
§ Regulatory Growth & Change. The volume and pace of regulatory change has CISOs stretched thin trying to keep pace. This comes with an increase in regulatory exams and interactions.
§ Vendor Risk Management. There are growing requirements to oversee vendor risk management in financial services (e.g., the OCC in US banking), and leading this falls directly on the CISO role.
§ Managing Security Incidents, Identity Theft & Fraud. The variety, complexity, and growth of identity theft and fraud has CISOs stretched thin in discovering, responding to, and containing IT security incidents.
§ Cloud Computing. While financial services has been more reluctant than other industries to embrace the broad trend toward cloud computing, there has been no holding it at bay, and it requires the CISO role to govern it.
§ Confusing Reporting Lines. Many CISOs in financial services find themselves in confusing lines of reporting, often with dual reporting into IT and operational risk management.
§ Mobility. The growth of financial services mobility apps has CISOs challenged to ensure that new mobile platforms and apps are appropriately secure.

PURCHASING BEHAVIOR:
§ The CISO role has been a core leader in enterprise GRC strategy and platforms.
§ This is often because IT security has implemented an IT GRC platform that it wants to see grow into an Enterprise GRC platform.
§ About 75% of Enterprise GRC platform RFPs have an IT GRC component to them.
§ The core IT GRC capabilities the CISO looks for are vulnerability/threat management, IT asset management, policy management, risk management, compliance management, and vendor management.
§ IT audit is also a very important focus; while it reports into the audit function, it works closely with the information security department in providing assurance to the organization.

OVERVIEW:
The Information Security role is led by the Chief Information Security Officer (CISO). The role sometimes has dual reporting responsibility to both IT and operational risk management. It is tasked with managing risk to information and technology systems and with complying with regulations that impact information and technology. The CISO works closely with the Chief Privacy Officer on privacy, and the CISO and CPO roles are combined in some organizations.

TOP GRC SOLUTION AREA NEEDS:
1) IT GRC
2) Information Security Architecture
3) Policy Management
4) Third Party Management (Vendor Risk Management)
5) Enterprise GRC
6) Incident Management
7) Business Continuity
Risk Management
NETWORKING (Industry Associations):
§ Global Association of Risk Professionals
§ Institute of Risk Management
§ Professional Risk Managers' International Association

BIG PICTURE: WHAT KEEPS THEM UP AT NIGHT:
§ Risk Normalization & Aggregation. Enterprise and operational risk management is complex, with a variety of methodologies and analysis techniques. Risk managers are challenged to implement risk models that work at functional levels yet provide objective risk insight when aggregated and rolled up across the organization.
§ Risk Modeling & Analytics. Risk officers and managers are constantly revising their modeling techniques and capabilities.
§ Model Risk Management. There is growing regulatory concern, and there are growing requirements, around managing the risk of the variety of models used across the organization.
§ Information Security. Risk managers in financial services have information security risk as one of their top priorities and challenges.
§ Risk Interrelationships. With the complexity of risk areas and their segmentation, there is a concern that the view of risk becomes myopic and does not take into full consideration the cascading impact and interconnectedness of risks.

PURCHASING BEHAVIOR:
§ Risk management is a leading adopter of GRC platforms to gather a range of risk data and analytics in a single platform.
§ However, there is growing awareness of the need for a broader risk architecture or GRC architecture, as there are many very specialized risk solutions that a single platform cannot adequately address.
§ It is critical to discuss the core needs of an enterprise risk/operational risk platform as well as the distributed needs, and how all of the components work together.

OVERVIEW:
The Risk Management function is a complex set of oversight roles, with the Chief Risk Officer at the top and lines of strategic, treasury (e.g., credit, market risk), and operational risk management beneath. Within insurance it becomes very confusing, as the Chief Risk Officer role is most likely focused on actuarial risk rather than on a broad enterprise and operational understanding of risk. Risk management requires a high degree of collaboration across the many islands of risk scattered across the financial services organization.

TOP GRC SOLUTION AREA NEEDS:
1) Enterprise & Operational Risk Management
2) Model Risk Management
3) Risk Modeling & Analytics
4) Loss Collection & Analytics
5) Information Risk Management & IT GRC
Procurement
NETWORKING (Industry Associations):
§ CAUCUS, The Association of Technology Acquisition Professionals
§ Association of Certified Procurement & Operations Professionals
§ American Purchasing Society
§ Chartered Institute of Procurement & Supply

BIG PICTURE: WHAT KEEPS THEM UP AT NIGHT:
§ Growing Regulations on Vendor Risk Management. Procurement professionals find themselves under scrutiny by regulators and have to respond to a growing array of regulatory requirements (e.g., OCC vendor risk management, anti-bribery & corruption).
§ Collaborating or Competing With IT Security. The lines of responsibility for vendor risk management are often confusing; procurement finds itself working with IT security and at times in conflict with it over approach and platform needs.
§ Conducting Due Diligence. The demand for, and breadth of, due diligence requirements has procurement tasked with figuring out how to scope and deliver a comprehensive approach to 3rd party due diligence, and to do so on a regular basis, not just at onboarding.
§ Vendor Portal & Onboarding. With a growing number of third party relationships, procurement is trying to find ways to manage these relationships without being given more resources to do so. This includes implementing vendor portals with self-registration and automation capabilities.

PURCHASING BEHAVIOR:
§ The needs of procurement and IT security are often at odds, as the two look for solutions with different capabilities.
§ IT often comes into vendor risk management mandating its choice of platform without considering the needs of procurement.
§ Successfully approaching third party management requires collaboration among procurement, security, compliance, legal, and business operations.

OVERVIEW:
The Procurement role has become critical to GRC strategies with the growing demands on vendor and supplier risk and compliance being placed on organizations by regulators, particularly the OCC in the United States. This role is often tasked with vendor risk management responsibilities shared with information security as well as compliance/legal.

TOP GRC SOLUTION AREA NEEDS:
1) Third Party Management
2) Due Diligence Content & Services
3) Vendor / Third Party Portals
4) Policy Communication, Training & Attestation
5) Compliance Forms Management
Our Objectives . . .
1) GRC Market Definition, Overview & Segmentation
2) GRC Market Drivers & Trends
3) Personas
4) Technology Profiles
GRC Technology Market: Audit Management & Analytic

Segments:
§ Audit Management Platforms
§ Audit Analytic Solutions
§ Miscellaneous Audit Tools

Audit Management & Analytic technologies are used by auditors to manage and perform audits.
– Audit management solutions are used to manage audit cycles: audit planning, resource scheduling/calendaring, work paper management, audit execution, audit process management, and audit reporting. They also support a risk-based approach to audit planning that prioritizes audits based on the risk to the business.
– Audit analytic solutions use data analytics and continuous auditing (automated control enforcement and monitoring) to extract insights from operational and financial data to assist in audits and provide assurance.
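As an added example (not code from the GRC 20/20 deck or from any audit product), the following Python shows what the "continuous auditing" just described looks like in practice: three automated control tests run over every row of a payments ledger rather than over a sample. The ledger rows, the control identifiers (SOD-01 and so on), the single-approver limit and the duplicate-detection window are all constructed assumptions.

```python
"""Continuous-auditing checks over a payments ledger.

Added example (not from the GRC 20/20 deck): automated control tests that an
audit analytics tool would run on every batch rather than on a sample. The
ledger rows, control ids and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: one row per payment. Field names are assumptions.
LEDGER = [
    {"id": "P-1001", "vendor": "Acme Ltd", "amount": 12000.00, "created_by": "alice",
     "approved_by": "bob", "posted": "2017-01-03T10:15:00"},
    {"id": "P-1002", "vendor": "Acme Ltd", "amount": 12000.00, "created_by": "alice",
     "approved_by": "bob", "posted": "2017-01-04T09:02:00"},   # duplicate of P-1001
    {"id": "P-1003", "vendor": "Globex", "amount": 4500.00, "created_by": "carol",
     "approved_by": "carol", "posted": "2017-01-05T14:40:00"},  # self-approval
    {"id": "P-1004", "vendor": "Initech", "amount": 250000.00, "created_by": "dave",
     "approved_by": "erin", "posted": "2017-01-06T16:20:00"},  # over single-approver limit
    {"id": "P-1005", "vendor": "Globex", "amount": 4500.00, "created_by": "carol",
     "approved_by": "frank", "posted": "2017-03-01T11:00:00"},  # same amount, outside window
]

SINGLE_APPROVER_LIMIT = 100000.00      # assumed policy threshold
DUPLICATE_WINDOW = timedelta(days=7)   # assumed look-back for duplicate detection


def _ts(row):
    return datetime.fromisoformat(row["posted"])


def segregation_of_duties(ledger):
    """Control: the person who creates a payment may not approve it."""
    return [r["id"] for r in ledger if r["created_by"] == r["approved_by"]]


def single_approver_limit(ledger, limit=SINGLE_APPROVER_LIMIT):
    """Control: payments above the limit need a recorded second approver."""
    return [r["id"] for r in ledger
            if r["amount"] > limit and not r.get("second_approver")]


def duplicate_payments(ledger, window=DUPLICATE_WINDOW):
    """Control: same vendor and amount within the window is a likely duplicate.
    Returns (earlier_id, later_id) pairs."""
    by_key = defaultdict(list)
    for r in sorted(ledger, key=_ts):
        by_key[(r["vendor"].strip().lower(), round(r["amount"], 2))].append(r)
    pairs = []
    for rows in by_key.values():
        for i, a in enumerate(rows):
            for b in rows[i + 1:]:
                if _ts(b) - _ts(a) <= window:
                    pairs.append((a["id"], b["id"]))
    return pairs


def run_controls(ledger):
    """Run every control and return findings keyed by control name, so the
    result can be written to a workpaper or raised in an issue-management system."""
    return {
        "SOD-01 self-approval": segregation_of_duties(ledger),
        "APR-02 single approver over limit": single_approver_limit(ledger),
        "DUP-03 duplicate payment": duplicate_payments(ledger),
    }


if __name__ == "__main__":
    for control, hits in run_controls(LEDGER).items():
        print(f"{control}: {hits or 'no exceptions'}")
```

Each function returns the exception list rather than printing it, so the output can be attached to a workpaper or raised as an issue. In a real deployment the ledger would be read from the ERP on a schedule, and the thresholds would come from the organization's approval policy rather than being hard-coded.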
Anatomy of an Audit RFP

Audit Management Capabilities:
§ Audit planning
§ Risk-based approach to audits
§ Workpaper management
§ Audit calendaring & resource scheduling
§ Audit execution
§ Audit reporting
§ Mapping of risk and control objectives
§ Branch/store audit support
§ Mobility apps for audit (e.g., tablets, smartphones)
§ Offline audit capabilities
§ Business process management capabilities
§ User interface
§ Embedded audit analytics
§ Internal control management
§ Risk management
§ Compliance management

Audit Analytics:
§ Integration into environment
§ Ease of scripting
§ Integration into audit platform
§ Testing & sampling
§ Analysis scripts and authoring environment
§ Architecture
§ Support for different processes
§ Visualization
§ Validation
§ Integrating external data sources
§ Continuous auditing support
§ Reporting

NOTE: these are just a selection of some common elements from GRC 20/20's RFP template, which contains over 200 requirements for Audit Platforms.
GRC Technology Market: Environmental Management

Segments:
§ Environmental Management Platforms
§ Air, Water, Waste Management Solutions
§ Energy & Carbon Management Solutions
§ Land Use & Permit Solutions
§ Sustainability & Environmental Reporting Solutions
§ Chemical Management Solutions
§ Miscellaneous Environmental Tools

Environmental Management technologies help monitor, analyze, record, and report on organizational activity focused on compliance with environmental laws and regulations, on related corporate policy for managing environmental controls and conditions, and on assessing the environmental impact of the corporation's operations, strategies, and plans.

Health & Safety Management

Segments:
§ Health & Safety Management Platforms
§ Health & Safety Forms & Document Solutions
§ Occupational Safety Solutions
§ Health & Safety Incident Solutions
§ Hazard Analysis Solutions
§ Chemical Management & Labeling Solutions
§ Miscellaneous Health & Safety Tools

Health & Safety technologies manage the regulatory and policy-based guidelines and processes for protecting and reporting on the workforce, workplace, resources under management, and the external environment impacted by an organization's activities.
EH&S Management

Solution Area Definition:
EH&S technologies manage the regulatory and policy-based guidelines and processes for protecting and reporting on the workforce, workplace, resources under management, and the external environmental impact of an organization's activities. This enables organizations to manage:
§ The EH&S management process of projects, staff, resources, projects/assessments, compliance risk, reporting, and related compliance forms and workflow.
§ Obligation management to document EH&S compliance obligations (e.g., regulations, contracts, values) and manage change to obligations and their impact on the organization.
§ Assessing, documenting, and reporting on EH&S compliance.
§ A defensible record of EH&S compliance: who did what, when, how, and why at any given point in time.
§ Documenting issues and managing them through to resolution.

Critical Capabilities:
§ Manage overall EH&S management program planning, staff, projects/assessments, and activities
§ Maintain a register of all EH&S compliance obligations, mapped to policies, risks, controls, and subject matter experts
§ Manage change to obligations as regulations, enforcement actions, standards, and related sources change
§ Provide for assessments and evidence of EH&S compliance
§ Model and manage EH&S risk
§ Keep a defensible audit trail of EH&S compliance to demonstrate an effective program
§ Track EH&S compliance attestations and regulatory reporting
§ Document regulatory and stakeholder interactions
§ Manage and process EH&S related forms
§ Provide regulatory intelligence feeds
§ Report and remediate EH&S issues
§ Manage exceptions and exemptions
GRC Technology Market: Compliance Management

Segments:
§ Compliance Management Platforms
§ Compliance Assessment Solutions
§ Stakeholder & Regulatory Interaction Solutions
§ Compliance Forms, Reporting & Filing Solutions
§ Social Responsibility & Reporting Solutions
§ Regulatory Change Management Solutions
§ Miscellaneous Compliance Tools

Compliance Management technologies support the overall coordination of legal, regulatory, contractual, values, ethics, and corporate obligations and responsibilities, with the associated compliance documentation, assessments, tasks, and records. This includes the ability to monitor, document, and manage changes to the regulatory environment and other obligations; to document all obligations of the organization; to perform compliance assessments against obligations; to manage regulator and stakeholder interactions on compliance; and to report on the state of compliance to regulators and stakeholders.
Compliance Management

Solution Area Definition:
Compliance Management solutions provide the capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report. This enables organizations to manage:
§ The compliance management process of projects, staff, resources, projects/assessments, compliance risk, reporting, and related compliance forms and workflow.
§ Obligation management to document compliance obligations (e.g., regulations, contracts, values) and manage change to obligations and their impact on the organization.
§ Assessing, documenting, and reporting on compliance through compliance assessments and reporting.
§ A defensible record of compliance: who did what, when, how, and why at any given point in time.
§ Integration with policy and issue management, as these are core areas of a compliance program.

Critical Capabilities:
§ Manage overall compliance management program planning, staff, projects/assessments, and activities
§ Maintain a register of all compliance obligations, mapped to policies, risks, controls, and subject matter experts
§ Manage change to obligations as regulations, enforcement actions, standards, and related sources change
§ Provide for assessments and evidence of compliance
§ Model and manage compliance risk
§ Keep a defensible audit trail of compliance to demonstrate an effective compliance program
§ Compliance attestations and regulatory reporting
§ Document regulatory and stakeholder interactions
§ Manage and process compliance related forms
§ Provide regulatory intelligence feeds
§ Remediate issues of non-compliance
§ Manage compliance exceptions and exemptions
GRC Technology Market: Policy & Training Management

Segments:
§ Policy & Training Management Platforms
§ Policy Management Solutions
§ Policy Forms & Disclosure Solutions
§ Training Management Solutions
§ Training & Gamification Solutions
§ Miscellaneous Policy & Training Mgmt Tools

Policy & Training Management technologies manage the development, approval, distribution, communication, forms, maintenance, and records of organization policies, standards, procedures, and guidelines, and the related training and communication/awareness activities. This includes solutions used to train employees and extended business relationships on policy and risk areas. Elements of gamification, eLearning, learning management, and document/content management are part of this segment from a GRC perspective. Forms and disclosure management solutions (e.g., conflict of interest, gifts & entertainment/hospitality) are included in this segment as they relate to and support organization policies.
Policy Management: Critical Capabilities

Solution Area Definition:
Policy management solutions provide the capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures, and related awareness activities. This enables organizations to manage:
§ The policy management process of development, approval, communication, monitoring, and maintenance. This includes workflow, task management, and content management capabilities with version control.
§ A policy portal where individuals can access the policies relevant to their role and responsibilities, access related resources and forms, and complete tasks related to policies and training.
§ Policy evidence: a system of record and audit trail of all interactions, development, approvals, communications, training, exceptions, and exemptions related to policies.

Critical Capabilities:
§ Manage the policy lifecycle from development through maintenance and policy retirement
§ Workflow, task management, and content management
§ Integration with HR systems and business systems to identify changes where policies/training need to be communicated
§ Policy portal for individuals to access policies, training, forms, and related tasks
§ Forms development and management for forms related to policies
§ Editing capabilities and version control of policy content
§ Ability to map policies to other GRC content and records
§ Regulatory change management to keep policies current
§ Exception/exemption management of policies
§ Integration of training and LMS capabilities
§ Audit trail of evidence of all policy interactions
§ Mobility capabilities
GRC Technology Market: Issue Reporting & Management

Segments:
§ Incident/Investigations Management Platforms
§ Hotline & Issue Intake Solutions
§ Complaint Management Solutions
§ Corrective Action/Preventive Action Solutions
§ Forensics & Evidence Collection Solutions
§ Impact & Loss Analysis Solutions
§ Miscellaneous Issue Reporting & Mgmt Tools

Issue Reporting & Management technologies provide issue intake and investigations management. Issue reporting solutions (e.g., hotline, whistleblower) provide a confidential, independent resource for individuals to report observations related to issues as well as potential acts of fraud, theft, inappropriate or illegal behavior, negligence, or other impropriety. Investigations management solutions are used to manage investigations, issues, incidents, events, or cases: they provide consistent documentation and processes for the management of events, from reporting, to managing and documenting the investigation, to recording the loss and business impact.
Enterprise GRC Core: Issue Reporting & Management

Solution Area Definition:
Issue Reporting & Management solutions provide the capability to notify on issues and incidents and to manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases. These solutions enable companies to manage:
§ Issue management and resolution processes across the organization (e.g., legal, compliance, HR, security, health & safety, quality), from intake through investigation and resolution.
§ Issue intake and consolidation through hotlines, management reporting, surveys, and other notification pathways.
§ Issue history, collecting incidents over time together with the details and analysis of business impact to feed into risk models.
§ Investigation management for the lifecycle and process of incidents and investigations.
§ Incident analysis for root cause and CAPA.

Critical Capabilities:
§ Map issues to risks, policies, objectives, obligations, and controls to show relationships and the impact of issues
§ Provide issue intake (anonymous and non-anonymous) as well as a portal to collect issues reported to management
§ Structured and legally defensible investigation process and documentation
§ Issue escalation when an investigation grows beyond what was originally thought
§ Manage investigative resources, skills, and utilization
§ Collect a detailed history of issues, particularly frequency and impact
§ Conduct remediation and CAPA in the context of issues and findings
§ Loss analytics and root cause analysis
§ Variety of templates and interfaces for managing different types of issues
GRC Technology Market: Internal Control Management

Segments:
§ Internal Control Management Platforms
§ Financial Close & Reporting Solutions
§ Internal Control Reporting Solutions
§ Miscellaneous Internal Control Tools

Internal Control Management technologies provide the ability to define, document, map, monitor, test, assess, and report on controls within the organization, including process and systems documentation. These solutions document internal controls, provide control assessments/self-assessments, and manage this through workflow, tasks, and reporting.
Internal Control Management

Solution Area Definition:
Internal Control Management solutions provide the capability to manage, define, document, map, monitor, test, assess, and report on the internal controls of the organization. This enables organizations to manage:
§ The internal control program of staff, projects, resources, assessments, and reporting.
§ A central register of internal controls in which controls are mapped to risks and obligations, so that a single control can be implemented to address similar requirements.
§ Control assessments to query areas of the organization on control effectiveness and collect attestations.
§ Automated controls established for continuous detective and preventive control.
§ Exceptions, exemptions, and corrective controls, so that documentation is in place and does not get missed.
§ The remediation process for weak or missing controls.

Critical Capabilities:
§ Central control register that can be mapped to objectives, risks, policies, issues, obligations, and the organization hierarchy
§ Survey and assessment capability to query the state of controls across the organization and record attestations
§ Exception and exemption process to document controls and manage the process
§ Business process modeling and documentation to visually lay out business processes with the identified controls in the process
§ Reporting on controls, including deficiencies and weaknesses
§ Document control testing and findings
§ Support or integrate with automated control solutions
§ Remediation management to address control issues
GRC Technology Market: IT GRC Management

Segments:
§ IT GRC Platforms
§ Asset Discovery & Management Solutions
§ Vulnerability & Threat Management Solutions
§ IT Project, Change & Service Delivery Solutions
§ IT Incident & Event Management Solutions
§ Security Event & Information Mgmt Solutions
§ IT Security Solutions
§ Miscellaneous IT GRC Tools

IT GRC Management technologies are used to govern and direct information and technology (IT) strategies in the context of the business. The governance function of IT is the alignment, strategy, and direction of IT in support of the business. A core component of IT GRC solutions is the ability to manage and monitor security, risk, and compliance across IT systems throughout the organization and across significant business relationships.
Critical Capabilities that Define an IT GRC Platform

Four Critical Capability Areas that Define an IT GRC Platform:
§ IT Asset Mgmt: Ability to catalog and manage IT physical and logical assets in the context of IT and the business.
§ IT Risk Mgmt: Ability to assess and manage IT risks in the context of the business, and to present risk exposure to the risk owner for acceptance or mitigation.
§ IT Control Mgmt: Ability to document, assess, and provide an evidence trail of IT controls and of compliance with the standards and regulations impacting IT, and to manage compliance in the context of changing obligations and a changing IT environment.
§ IT Vulnerability Mgmt: Ability to discover and remediate vulnerabilities and related threats across IT physical and logical assets, often through integration into security tools/architecture.

Additional Capabilities Often Are:
§ IT Incident Management
§ IT Policy Management
§ Vendor Risk Management (3rd Party)
§ Business Continuity & Disaster Recovery
§ IT Audit Management
§ Security Architecture Integration

The scope of capabilities in the components of IT GRC will depend on whether your strategy is focused on IT security management or on a broader understanding of IT GRC.
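An added example, not from the deck and not from any IT GRC product, of how the asset, risk and vulnerability management areas above fit together in code: scanner findings are joined to an asset register, scored in business context, queued per risk owner for an accept/mitigate decision, and the decisions are written to a hash-chained evidence trail so that a later edit or deletion is detectable. The asset records, the VULN-* identifiers (placeholders, not real advisories), the criticality weighting and the recorded decisions are all constructed assumptions.

```python
"""IT GRC in miniature: asset register + vulnerability findings -> risk
exposure presented to the risk owner, with decisions kept in a hash-chained
evidence trail.

Added example (not from the GRC 20/20 deck). Asset and finding records, the
criticality weighting and the owner decisions are constructed; the VULN-*
identifiers are placeholders, not real advisories.
"""
import hashlib
import json
from collections import defaultdict

# Constructed asset register. 'criticality' is an assumed 1-5 business rating.
ASSETS = {
    "web-01":   {"owner": "retail-banking", "criticality": 5, "internet_facing": True},
    "db-01":    {"owner": "retail-banking", "criticality": 5, "internet_facing": False},
    "build-07": {"owner": "it-engineering", "criticality": 2, "internet_facing": False},
}

# Constructed scanner output: (asset id, finding id, CVSS-like base score 0-10).
FINDINGS = [
    ("web-01", "VULN-0001", 9.8),
    ("web-01", "VULN-0002", 5.3),
    ("db-01", "VULN-0003", 7.5),
    ("build-07", "VULN-0004", 9.8),
    ("ghost-99", "VULN-0005", 10.0),   # scanner saw a host the register does not know
]


def exposure(assets, findings):
    """Score each finding in business context (assumed weighting:
    CVSS x criticality, doubled for internet-facing assets).

    Findings on assets missing from the register are returned separately:
    an unknown asset is itself an asset-management gap to raise."""
    scored, orphans = [], []
    for asset_id, vuln, cvss in findings:
        asset = assets.get(asset_id)
        if asset is None:
            orphans.append((asset_id, vuln))
            continue
        score = cvss * asset["criticality"] * (2 if asset["internet_facing"] else 1)
        scored.append({"asset": asset_id, "vuln": vuln, "owner": asset["owner"],
                       "cvss": cvss, "score": round(score, 1)})
    scored.sort(key=lambda f: f["score"], reverse=True)
    return scored, orphans


def by_owner(scored):
    """Group scored findings into one queue per risk owner, highest exposure first."""
    queues = defaultdict(list)
    for f in scored:
        queues[f["owner"]].append(f)
    return dict(queues)


class EvidenceTrail:
    """Append-only log of risk-owner decisions. Each entry's hash covers the
    previous entry's hash, so editing or deleting a record breaks the chain."""

    def __init__(self):
        self.entries = []

    def record(self, owner, asset, vuln, decision, reason):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"owner": owner, "asset": asset, "vuln": vuln,
                "decision": decision, "reason": reason, "prev": prev}
        body["hash"] = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Recompute every hash in order; False if any entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    scored, orphans = exposure(ASSETS, FINDINGS)
    for owner, queue in by_owner(scored).items():
        print(owner, [(f["asset"], f["vuln"], f["score"]) for f in queue])
    print("unregistered assets:", orphans)
    trail = EvidenceTrail()
    trail.record("retail-banking", "web-01", "VULN-0001", "mitigate", "patch in change window")
    trail.record("it-engineering", "build-07", "VULN-0004", "accept", "isolated build host")
    print("evidence trail intact:", trail.verify())
```

The point of the hash chain is that the acceptance record is only defensible if nobody can quietly rewrite it later; in a real platform the chain head would be anchored somewhere the platform administrators cannot alter (a write-once store or a signed timestamp), and the orphan list would feed the asset discovery process rather than just being printed.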
GRC Technology Market: Risk Management

Segments:
§ Enterprise & Operational Risk Mgmt Platforms
§ Finance & Treasury Risk Management Solutions
§ Risk Assessment Solutions
§ Insurance Risk & Claims Management Solutions
§ Risk Analytics & Modeling Solutions
§ Model Risk Management Solutions
§ Project Risk Management Solutions
§ Loss Collection & Analytic Solutions
§ Miscellaneous Risk Management Tools

Risk Management technologies support the identification, assessment, evaluation, response, and monitoring of risks and opportunities across the organization. This includes the ability to monitor changes in the external and internal contexts to alert an organization to changing risk conditions (e.g., geo-political, economic, competitor, technology, and natural disaster) that can impact the business. These systems help identify specific causes and execute historical review, simulation, interpretation, and projection of impacts on an organization's operations or assets, given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously. This category includes enterprise risk management systems, operational risk management systems, and specialized risk applications.

Finance/Treasury Risk Management involves an array of applications and systems used to identify and manage the risk factors, causes, and response procedures in an organization's financial and treasury management. These include risk technology focused on specific areas such as liquidity, credit, market, and commodity risk management that help identify risk and execute historical review, simulation, interpretation, and projection of impacts on an organization's financial assets, given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously.
Risk Management

Solution Area Definition:
Risk Management solutions provide the capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects. This enables organizations to manage:
§ The risk management process of risk identification, assessment, quantification, treatment, and monitoring in the context of objectives, including the overall management of the continual, cyclic, and dynamic processes of risk assessment, analysis, decision making, and response (e.g., acceptance, mitigation, transfer, avoidance).
§ Risk monitoring of changes in external and internal contexts to alert the organization to conditions that can impact objectives.
§ Risk evaluation to identify specific causes and to carry out historical review, simulation, interpretation, and projection of impacts on objectives and assets.

Critical Capabilities:
§ Manage overall risk management program planning, staff, projects/assessments, and activities
§ Support for multiple risk management frameworks, methodologies, and analysis techniques
§ Set and map objectives and the context (e.g., internal, external) of risk
§ Enable the organization to identify, categorize, map, and show risk relationships in registers
§ Enable the organization to gather information and assessments of risks using a variety of approaches
§ Analyze risk from different perspectives and implement risk treatment
§ Provide monitoring and reporting on risk, including risk normalization and aggregation for enterprise reporting
§ Ability to analyze scenarios and evaluate risk losses and events, and revise risk models as necessary
§ Dashboarding and metrics (e.g., KRIs) on risk
GRC Technology Market: Third Party Management

Segments:
§ Third Party Management Platforms
§ Procurement & ERP Third Party Solutions
§ Third Party Risk Management Solutions
§ Screening & Due Diligence Solutions
§ Miscellaneous Third Party Management Tools

Third Party Management technologies give organizations the ability to govern third party relationships (e.g., vendor, supplier, contractor, consultant, service provider, outsourcer, agent) across the lifecycle of onboarding, contracts, due diligence screening, performance monitoring, risk management, compliance management, quality and service level management, and off-boarding. Third party GRC-specific solutions record and maintain the communication, attestation, and assessment of policies, contractual compliance, risk and compliance assessments, and audits across extended business relationships. Third party screening solutions are used to vet third parties and validate them against databases such as politically exposed persons, watch lists, social accountability, and more.
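An added example, not from the deck and not any vendor's screening engine, of the third party screening step described above: vendor names are normalized (accents folded, legal-form suffixes dropped, token order ignored) and compared against a watch list including its aliases, with a per-token fuzzy rule so that "Müller" and "Mueller" still meet. The watch-list entries, the vendor records and the 0.85 review threshold are constructed assumptions; a real program screens against licensed sanctions and PEP data, and every hit goes to manual review rather than being decided by the score.

```python
"""Watch-list screening of third parties with name normalization and fuzzy matching.

Added example, not from the GRC 20/20 deck and not any vendor's screening
engine. Watch-list entries, vendor records and thresholds are constructed.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watch list: listed name, source list, and known aliases.
WATCH_LIST = [
    {"name": "Global Trade Holdings SA", "source": "sanctions-list-A",
     "aliases": ["GTH S.A."]},
    {"name": "Jean-Luc Müller", "source": "pep-list-B",
     "aliases": ["Mueller, Jean Luc"]},
]

# Constructed vendor records as they would arrive from a vendor portal.
VENDORS = [
    {"id": "V-100", "name": "GLOBAL TRADE HOLDINGS S.A.", "country": "CH"},
    {"id": "V-101", "name": "Jean Luc Mueller Consulting", "country": "LU"},
    {"id": "V-102", "name": "Acme Office Supplies Ltd", "country": "GB"},
]

# Legal-form suffixes carry no identity; drop them before comparing.
SUFFIXES = {"sa", "ltd", "llc", "inc", "gmbh", "ag", "plc", "limited", "corp", "co"}
MATCH_THRESHOLD = 0.85   # assumed review threshold; tune against known true/false hits
TOKEN_THRESHOLD = 0.8    # assumed per-token similarity that counts as "same word"


def normalize(name):
    """Fold accents (Müller -> Muller), lower-case, drop punctuation and
    legal-form suffixes; returns the remaining tokens in their original order."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", folded.lower().replace(".", ""))
    return [t for t in tokens if t not in SUFFIXES]


def similarity(listed, candidate):
    """0..1 score: the better of (a) whole-string similarity with token order
    ignored and (b) the share of listed-name tokens that fuzzily appear in the
    candidate, which catches 'Jean Luc Mueller Consulting' for 'Jean-Luc Müller'."""
    a, b = normalize(listed), normalize(candidate)
    if not a or not b:
        return 0.0
    whole = SequenceMatcher(None, " ".join(sorted(a)), " ".join(sorted(b))).ratio()
    present = sum(
        1 for t in a
        if any(SequenceMatcher(None, t, u).ratio() >= TOKEN_THRESHOLD for u in b))
    return max(whole, present / len(a))


def screen(vendor, watch_list=WATCH_LIST, threshold=MATCH_THRESHOLD):
    """Return every watch-list entry whose name or any alias scores at or above
    the threshold for this vendor, with the string it matched on."""
    hits = []
    for entry in watch_list:
        score, matched_on = max(
            (similarity(n, vendor["name"]), n) for n in [entry["name"], *entry["aliases"]])
        if score >= threshold:
            hits.append({"vendor": vendor["id"], "listed": entry["name"],
                         "source": entry["source"], "matched_on": matched_on,
                         "score": round(score, 2)})
    return hits


def screen_all(vendors=VENDORS, watch_list=WATCH_LIST):
    """Screen a batch; a vendor with an empty hit list is clear for onboarding."""
    return {v["id"]: screen(v, watch_list) for v in vendors}


if __name__ == "__main__":
    for vendor_id, hits in screen_all().items():
        print(vendor_id, "CLEAR" if not hits else
              [(h["listed"], h["source"], h["score"]) for h in hits])
```

Two design points worth noting: the token-containment score is generous for short listed names (a one-token entry would match any vendor name containing a similar word), so single-token entries need a higher threshold or a country/registration-number check before a hit is raised; and the alias list matters because not every spelling variant is close enough for the per-token rule, so a list without aliases silently misses the variants the list compiler already knew about.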
3rd Party Management: Critical Capabilities

Solution Area Definition:
3rd Party Management solutions provide capabilities to govern, manage, and monitor the array of 3rd party relationships in the enterprise, particularly the risk and compliance challenges these relationships bring. This enables organizations to manage:
§ The 3rd party management process of onboarding, approval, due diligence, communications, assessment, evaluation, issue management, and off-boarding. This includes workflow, task management, and content management capabilities.
§ A 3rd party portal where 3rd parties can submit and share information, take assessments, provide attestations, respond to other related requests and forms, and complete tasks.
§ Evidence: a system of record and audit trail of all interactions, assessments, and audits/inspections with 3rd parties.

Critical Capabilities:
§ Onboarding process to register suppliers and have them submit necessary documentation
§ Due diligence process during onboarding and periodically or continually thereafter
§ Risk assessment and analysis of 3rd party relationships
§ Policy communication and attestation to 3rd parties
§ Training and awareness of 3rd parties
§ Compliance assessment and analysis of 3rd party relationships
§ Issue management through issue reporting/identification, response/investigation, and resolution
§ Forms and disclosure management for 3rd parties to fill out forms and submit information
§ Audit and inspection management of 3rd parties in the context of right-to-audit clauses
§ Management of the off-boarding process
Questions?
Michael Rasmussen, J.D.
The GRC Pundit & OCEG Fellow
[email protected]
+1.888.365.4560
Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.
GRC 20/20 Newsletter
LinkedIn: GRC 20/20
Blog: GRC Pundit
Twitter: GRCPundit
LinkedIn: Michael Rasmussen