Governance, Risk & Compliance
A practical approach
14 October 2015
ISACA Curaçao Conference
By: Paul Helmich
Topics today
What is GRC?
How much of all the GRC literature, tools, etc. do I need to study to deploy it successfully?
How can we adapt the GRC concepts to the needs of local companies in the Dutch Caribbean?
GRC
Governance, risk management and compliance
An increasingly used ‘umbrella term’ that covers these three areas of enterprise activities
These areas of activity are progressively being more aligned and integrated to improve enterprise performance and delivery of stakeholder needs.
GRC Definitions
Governance, Risk Management, and Compliance (GRC) are three pillars that work together for the purpose of assuring that an organization meets its objectives.
Governance is the combination of processes established and executed by the board of directors that are reflected in the organization's structure and how it is managed and led toward achieving goals.
Risk management is predicting and managing risks that could hinder the organization to achieve its objectives.
Compliance with the company's policies and procedures, laws and regulations, and adopted standards is considered key to an organization's success.
Interrelationships of GRC domains
Governance
• Set and evaluate performance against objectives
• Authorize business strategy & model to achieve objectives
Risk Management
• Identify, assess, and address potential obstacles to achieving objectives
• Identify / address violation of mandated and voluntary boundaries
Culture
• Establish an organizational climate and individual mindset that promotes trust, integrity, and accountability
Compliance
• Encourage / require compliance with established policies and boundaries
• Detect non-compliance and respond accordingly
Types of GRC
Literature used to distinguish between two main types of GRC:
– Enterprise GRC
– IT GRC
However, things have become increasingly complex and confusing.
There is a multitude of standards, regulations, tools, and definitions.
Several standards compete and overlap, e.g. COBIT, ISO 31000, COSO, OCEG and ISO 31100.
A practical GRC model
Governance, Risk Management, Compliance
Compliance is not just regulatory. There is also commercial compliance – meaning things you need to have in place in order to do business with X. For example a SOC 1/2/3 statement (used to be SAS70), or an ISO certification.
Figure: the practical GRC model. Risk categories: Financial; Legal, Reputational; Operational; IT; AO/IC (administrative organization / internal control). Compliance sources: Organization (Code of Corporate Governance); Regulator (Regulatory); Self-adopted international standards.
GRC Requirements and Complexity
Figure: GRC requirements and complexity. IT landscape: Apps Server, Manufacturing, Data Warehouse, Database, Mainframes, Mobile Devices, Enterprise Applications. GRC domains: Records Retention, IT Governance, Financial Reporting Compliance, Workforce Governance, Data Privacy, Audit Management, Credit Risk Mgmt, Market Risk Mgmt, Operational Risk Mgmt, Strategic Alignment, Legal Discovery, Supply Chain Traceability, Service Level Compliance. Business functions: Service, Finance, Sales & Mktg, Purchasing, Suppliers, Customers, Engineering. Regulations: SOX, JSOX, FDA, Basel II, EU Directives, HIPAA, GLBA, … Jurisdictions: U.S., Germany, Japan, U.K., France, China, Canada, India.
GRC framework: Converging Requirements
Figure: converging requirements feeding one GRC framework: AML, MiFID, Reg NMS, KYC, COBIT, Information Security, Audit, Internal Controls, Basel OR-AMA.
Analytics & Reporting
Capital Calculations
Attestations
Action Planning
Case Management
Behavior Detection
Controls Testing
RCSA
KRI
Events Management
Process Maps, Reference
Data, Oversight Library
GRC Infrastructure
GRC Framework
Tools, analytics, dashboards
Figure: Compliance and Risk Management – Managing Risk, Performance & Profitability Across the Enterprise. Layers: Performance / Profitability; Analytics Server, BI Dashboards, Profitability / Risk Engine; Databases, Data Warehouse.
But before you proceed…
Make use of nearly a decade of tips, pitfalls, and lessons learned.
Many of the available tools and methodologies may prove to be a bridge too far.
How well do the available tools and standards translate from the environments they were designed for, to your actual environment in the Dutch Caribbean?
Localize the solution
To answer that question: how are your organizations different from those that the tools and risk methodologies were developed for?
Adapt the core essence of the GRC thinking to the specific needs of your company. Consider:
Your size (e.g. headcount)
Existing capabilities and training absorption limits
Your compliance regime (less complex and rigorous in the Dutch Caribbean, especially outside the financial sector)
Your risk management maturity level, needs felt at the top.
Tips
You cannot buy an IT tool to get better at risk management. The tool automates a good process.
So you need to have a good process first, in Excel, in emails etc. Understand the workflow.
GRC tools all have the same functions, like surveys, asset management, policy library, risk registers, dashboards, etc.
Start with a low-tech, bottom-up approach. Steps & tools for that will be covered in part 2 of this presentation!
Risk Maturity Index
Source: Aon Risk Solutions. See http://www.aon.com/rmi/
First, it is advisable to self-assess how mature your current risk management is. One of the possible tools for this is the Aon Risk Maturity Index.
It is an online diagnostic tool designed to evaluate an organization’s self-reported risk management practices against 10 characteristics of risk maturity:
1. Board Understanding & Commitment to Risk Management
2. Executive Level Risk Management Stewardship
3. Risk Communication
4. Risk Culture: Engagement & Accountability
5. Risk Identification
6. Stakeholder Participation in Risk Management
7. Risk Information & Decision Making Processes
8. Integrating Risk Management & Human Capital Processes
9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
10. Risk Management Focus on Value Creation
Risk Maturity Index
How do you think your organization will score?
Source: Aon Risk Solutions. See http://www.aon.com/rmi/
Top 10 Global Risks
Source: Aon Risk Solutions. See http://www.aon.com/2015GlobalRisk/default.jsp
Storytelling
Credit for this section goes to the Gartner Security and Risk Management Summit 2015.
Let us side-step for a few minutes to another topic that may prove useful.
The purpose of this is to aid those in Security, Risk, Compliance or Audit functions to get their messages across more effectively. A complement to dashboards.
What is Storytelling, and why tell stories?
The conveyance of events in words and images using improvisation or embellishment
There is much information available online on posture, tone, approach, tips, etc.
A story can go where quantitative analysis cannot: our hearts.
Data can persuade people, but it does not inspire them to act; to do that, you need to wrap your vision in a story that fires the imagination and stirs the soul.
Focus on being interesting rather than complete.
A story about my neighbor's wife
If your stakeholders do not get all the relevant information, bad decisions get made and you are left with exposure to risk!
Back to GRC
What does ISACA have to offer when it comes to Governance, Risk & Compliance?
Primarily COBIT 5, which is a framework for IT GRC. However, its concepts may be extended beyond IT and, up to a point, used at the level of Enterprise GRC.
ISACA and COBIT
ISACA actively promotes research that results in the development of products both relevant and useful to IT governance, risk, control, assurance and security professionals.
ISACA developed and maintains the internationally recognized COBIT framework, helping IT professionals and enterprise leaders fulfil their IT governance responsibilities while delivering value to the business.
Five steps
1. Which scary threats may harm our objectives?
2. How exposed are we to those threats?
3. Which risk treatment do we prefer?
4. Execute your chosen risk management actions.
5. Measure effectiveness and adjust where needed.
Five steps
Step: Tools
1. Identify Risk: Risk register, risk scenarios.
2. Assess Risk: Risk appetite threshold, risk perceptions, likelihood & impact exercises, BIAs, asset inventory, business process mapping to assets (architecture), control libraries, residual risk.
3. Plan action: Risk treatment plan: Accept, Avoid, Transfer or Mitigate.
4. Treat the risk: Project management methodologies, formal acceptance forms, insurance policies purchased & logged, etc.
5. Measure effects & report: Key Risk Indicators (KRI), heatmaps, dashboards.
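The five steps and their tools, as an added worked example in Python that is not part of the presentation: a small risk register that scores likelihood x impact for each scenario (step 1 and 2), applies existing controls from a control library to arrive at a residual score, compares that against a risk appetite threshold, selects Accept, Avoid, Transfer or Mitigate (step 3), records the chosen treatment (step 4), and checks a KRI against its tolerance for reporting (step 5). The 1 to 5 scales, the threshold of 9, the control effects, the heatmap bands and the treatment decision rules are all assumptions made for the example, as are the sample scenarios.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed example: ordinal 1..5 scales for likelihood and impact,
# score = likelihood x impact (1..25). The threshold, control effects and
# decision rules below are assumed values, not figures from the presentation.
RISK_APPETITE_THRESHOLD = 9   # a residual score above this is outside appetite


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # points removed from likelihood
    impact_reduction: int = 0       # points removed from impact


@dataclass
class Risk:
    scenario: str                    # risk scenario (step 1)
    asset: str                       # business process / asset it maps to
    likelihood: int                  # 1..5
    impact: int                      # 1..5
    controls: List[Control] = field(default_factory=list)
    treatment: Optional[str] = None  # Accept / Avoid / Transfer / Mitigate (step 3)


def clamp(value: int) -> int:
    """Keep a score on the 1..5 scale."""
    return max(1, min(5, value))


def inherent_score(r: Risk) -> int:
    """Score before any control is considered."""
    return r.likelihood * r.impact


def residual_score(r: Risk) -> int:
    """Step 2: score after the existing controls are applied."""
    lik = clamp(r.likelihood - sum(c.likelihood_reduction for c in r.controls))
    imp = clamp(r.impact - sum(c.impact_reduction for c in r.controls))
    return lik * imp


def heatmap_band(score: int) -> str:
    """Bands for a 5x5 heatmap; the cut-offs are an assumption."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def plan_treatment(r: Risk, threshold: int = RISK_APPETITE_THRESHOLD) -> str:
    """Step 3: choose Accept, Avoid, Transfer or Mitigate (constructed rules)."""
    residual = residual_score(r)
    if residual <= threshold:
        r.treatment = "Accept"      # within appetite: record on a formal acceptance form
    elif r.likelihood == 5 and r.impact == 5:
        r.treatment = "Avoid"       # intolerable: stop or redesign the activity
    elif r.impact >= 4 and r.likelihood <= 2:
        r.treatment = "Transfer"    # rare but severe: insurance or contract
    else:
        r.treatment = "Mitigate"    # add controls and track them as a project
    return r.treatment


def appetite_breaches(register: List[Risk],
                      threshold: int = RISK_APPETITE_THRESHOLD) -> List[str]:
    """Scenarios whose residual score sits above the appetite threshold."""
    return [r.scenario for r in register if residual_score(r) > threshold]


def kri_status(value: float, tolerance: float) -> str:
    """Step 5: a KRI breaches when the measured value exceeds its tolerance."""
    return "breach" if value > tolerance else "ok"


def build_sample_register() -> List[Risk]:
    """Constructed sample register; scenarios and scores are illustrative only."""
    return [
        Risk("Ransomware encrypts the file server", "file services", 4, 5,
             [Control("offline backups", impact_reduction=2),
              Control("e-mail filtering", likelihood_reduction=1)]),
        Risk("Hurricane damages the data centre", "all IT services", 2, 5),
        Risk("Privileged account misuse", "core banking application", 3, 4),
        Risk("Unpatched legacy application exposed to the internet",
             "legacy web portal", 5, 5),
    ]


def register_report(register: List[Risk]) -> List[dict]:
    """Dashboard rows, highest residual score first."""
    rows = []
    for r in register:
        rows.append({
            "scenario": r.scenario,
            "inherent": inherent_score(r),
            "residual": residual_score(r),
            "band": heatmap_band(residual_score(r)),
            "treatment": plan_treatment(r),
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


if __name__ == "__main__":
    for row in register_report(build_sample_register()):
        print(row)
    # KRI example: patch SLA misses this month versus an assumed tolerance of 10
    print("KRI patch SLA misses:", kri_status(12, 10))
```

The point of the structure is that the spreadsheet version of this register (scenario, asset, likelihood, impact, controls, residual, treatment, KRI) is the process a GRC tool would later automate; the scoring rules and the threshold are the decisions that have to be made before any tool is bought.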
Further reading
• Storytelling: Tips for IT practitioners to persuade and influence
• Why Communication Fails: Five Reasons the Business Doesn't Get Security's Message
• Risk: The science and politics of fear. (By Dan Gardner, available at Amazon.com)
Contact us
Novodiem specializes in:
Risk Management
Project Management
Information Security & IT audit
Paul Helmich, CISM, CISSP
Tel: +5999-5218399
Web: www.novodiem-bv.com
Tool selection
If you do decide to purchase an IT tool, it will be essential to go through a thorough requirements definition process. Also analyze the need for having one platform versus point solutions per use case.
Gartner sees 7 main GRC use cases (next slide). Only 4 vendors adequately cover 4 or more of those use cases in one single tool. Those vendors are RSA Archer, MetricStream, LockPath and Modulo.
However, the key to success is to build your own use cases and match the top 3 to tool functions. Model and document your OWN processes and workflow for those use cases. Involve your business owners.