
Governance, Risk & Compliance

A practical approach

14 October 2015

ISACA Curaçao Conference

By: Paul Helmich

Topics today

What is GRC?

How much of all the GRC literature, tools, etc. do I need to study to deploy it successfully?

How can we adapt the GRC concepts to the needs of local companies in the Dutch Caribbean?


GRC

Governance, risk management and compliance

An increasingly used ‘umbrella term’ that covers these three areas of enterprise activities

These areas of activity are progressively being more aligned and integrated to improve enterprise performance and delivery of stakeholder needs.


GRC Definitions

Governance, Risk Management, and Compliance (GRC) are three pillars that work together for the purpose of assuring that an organization meets its objectives.

Governance is the combination of processes established and executed by the board of directors that are reflected in the organization's structure and how it is managed and led toward achieving goals.

Risk management is predicting and managing risks that could hinder the organization in achieving its objectives.

Compliance with the company's policies and procedures, laws and regulations, and adopted standards is considered key to an organization's success.


Interrelationships of GRC domains

Governance

• Set and evaluate performance against objectives

• Authorize business strategy & model to achieve objectives

Risk Management

• Identify, assess, and address potential obstacles to achieving objectives

• Identify / address violation of mandated and voluntary boundaries

Culture (surrounds the other three domains)

• Establish an organizational climate and individual mindset that promotes trust, integrity, and accountability

Compliance

• Encourage / require compliance with established policies and boundaries

• Detect non-compliance and respond accordingly

Types of GRC

The literature used to distinguish between two main types of GRC:

– Enterprise GRC

– IT GRC

However, things have become increasingly complex and confusing.

There is a multitude of standards, regulations, tools, and definitions.

Several standards compete and overlap, e.g. COBIT, ISO 31000, COSO, OCEG and BS 31100.

A practical GRC model

Diagram: Governance, Risk Management and Compliance side by side.

Compliance is not just regulatory. There is also commercial compliance, meaning things you need to have in place in order to do business with X. For example a SOC 1/2/3 report (SOC 1 being the successor of the SAS 70 report), or an ISO certification.

Diagram labels recovered from the slide: risk categories Financial; Legal, Reputational; Operational; IT. Sources of compliance requirements: AO/IC (administrative organisation / internal control), Organization, Code of Corporate Governance, Regulator / Regulatory, Self-adopted international standards.

GRC Requirements and Complexity

Diagram labels recovered from the slide:

Systems: Apps Server, Manufacturing, Data Warehouse, Database, Mainframes, Mobile Devices, Enterprise Applications

GRC domains: Records Retention, IT Governance, Financial Reporting Compliance, Workforce Governance, Data Privacy, Audit Management, Credit Risk Mgmt, Market Risk Mgmt, Operational Risk Mgmt, Strategic Alignment, Legal Discovery, Supply Chain Traceability, Service Level Compliance

Business functions: Service, Finance, Sales & Mktg, Purchasing, Suppliers, Customers, Engineering

Regulations: SOX, JSOX, FDA, Basel II, EU Directives, HIPAA, GLBA, …

Jurisdictions: U.S., Germany, Japan, U.K., France, China, Canada, India

GRC framework: Converging Requirements

Diagram labels recovered from the slide:

Converging requirements: AML, MiFID, Reg NMS, KYC, COBIT, Information Security, Audit, Internal Controls, Basel OR-AMA

GRC framework functions: Analytics & Reporting, Capital Calculations, Attestations, Action Planning, Case Management, Behavior Detection, Controls Testing, RCSA, KRI, Events Management, Process Maps, Reference Data, Oversight Library

GRC Infrastructure

GRC platform vendor scoring

Source: Forrester Research

Tools, analytics, dashboards

Diagram labels recovered from the slide: Managing Risk, Performance & Profitability Across the Enterprise; Compliance, Risk Management, Performance, Profitability; Analytics Server, BI Dashboards, Profitability / Risk Engine, Databases, Data Warehouse.

Sample dashboard

But before you proceed…

Make use of nearly a decade of tips, pitfalls, and lessons learned.

Many of the available tools and methodologies may prove to be a bridge too far.

How well do the available tools and standards translate from the environments they were designed for, to your actual environment in the Dutch Caribbean?


Localize the solution

To answer that question: how are your organizations different?

Different from those that the tools and risk methodologies were developed for.

Adapt the core essence of the GRC thinking to the specific needs of your company. Consider:

Your size (e.g. headcount)

Existing capabilities and training absorption limits

Your compliance regime (less complex and rigorous in the Dutch Caribbean, especially outside the financial sector)

Your risk management maturity level, and the needs felt at the top.

Tips

You cannot buy an IT tool to get better at risk management. The tool automates a good process.

So you need a good process first, in Excel, in e-mails, etc. Understand the workflow.

GRC tools all have the same functions, like surveys, asset management, policy library, risk registers, dashboards, etc.

Start with a low-tech, bottom-up approach. Steps & tools for that will be covered in part 2 of this presentation!

Risk Maturity Index

Source: Aon Risk Solutions. See http://www.aon.com/rmi/

First, it is advisable to self-assess how mature your current risk management is. One of the possible tools for this is the Aon Risk Maturity Index.

It is an online diagnostic tool designed to evaluate an organization’s self reported risk management practices against 10 characteristics of risk maturity.

1. Board Understanding & Commitment to Risk Management

2. Executive Level Risk Management Stewardship

3. Risk Communication

4. Risk Culture: Engagement & Accountability

5. Risk Identification

6. Stakeholder Participation in Risk Management

7. Risk Information & Decision Making Processes

8. Integrating Risk Management & Human Capital Processes

9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value

10. Risk Management Focus on Value Creation

Risk Maturity Index

How do you think your organization will score?

Source: Aon Risk Solutions. See http://www.aon.com/rmi/

Top 10 Global Risks

Source: Aon Risk Solutions. See http://www.aon.com/2015GlobalRisk/default.jsp

Storytelling

Credit for this section goes to the Gartner Security and Risk Management Summit 2015.

Let us side-step for a few minutes to another topic that may prove useful.

The purpose of this is to aid those in Security, Risk, Compliance or Audit functions to get their messages across more effectively. A complement to dashboards.

Storytelling is as old as humankind

What is Storytelling, and why tell stories?

The conveyance of events in words and images, using improvisation or embellishment.

There is much information available online on posture, tone, approach, tips, etc.


A story can go where quantitative analysis cannot, our hearts

Data can persuade people, but it does not inspire them to act; to do that, you need to wrap your vision in a story that fires the imagination and stirs the soul.


Focus on being interesting rather than complete.

A story about my neighbor's wife


If your stakeholders do not get all the relevant information, bad decisions get made and you are left with exposure to risk!

Back to GRC


What does ISACA have to offer when it comes to Governance, Risk & Compliance?

Primarily COBIT 5, which is a framework for IT GRC. However, its concepts may be extended beyond IT and, up to a point, used at the level of enterprise GRC.

ISACA and COBIT


ISACA actively promotes research that results in the development of products both relevant and useful to IT governance, risk, control, assurance and security professionals.

ISACA developed and maintains the internationally recognized COBIT framework, helping IT professionals and enterprise leaders fulfil their IT governance responsibilities while delivering value to the business.

Risk Management in COBIT 5

Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.


Risk Management in COBIT 5 (cont.)

Five steps


1. Which scary threats may harm our objectives?

2. How exposed are we to those threats?

3. Which risk treatment do we prefer?

4. Execute your chosen risk management actions.

5. Measure effectiveness and adjust where needed.

Five steps and the tools for each

1. Identify risk: risk register, risk scenarios.

2. Assess risk: risk appetite threshold, risk perceptions, likelihood & impact exercises, BIAs, asset inventory, business process mapping to assets (architecture), control libraries, residual risk.

3. Plan action: risk treatment plan: Accept, Avoid, Transfer or Mitigate.

4. Treat the risk: project management methodologies, formal acceptance forms, insurance policies purchased & logged, etc.

5. Measure effects & report: Key Risk Indicators (KRI), heat maps, dashboards.
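A low-tech version of the five steps as a small register script. This is an added example, not part of the presentation or of COBIT 5. It assumes 1-5 likelihood and impact scales, a simplified model in which each control removes a fixed share of exposure (so residual risk is inherent risk times what the controls leave behind), an appetite threshold of 5 on the resulting 1-25 scale, an illustrative treatment rule, and a constructed sample register and KRI set for a small island financial institution. It goes slightly beyond the table by also checking the KRIs against their thresholds, which is the check behind step 5.

```python
# Minimal risk register for the five steps above. Added example, not from the
# presentation; scales, thresholds, control model, rule and sample data are assumptions.
from dataclasses import dataclass, field

LOW, HIGH = 1, 5  # assumed ordinal scales for likelihood and impact

@dataclass
class Control:
    name: str
    effectiveness: float  # assumed: share of exposure the control removes (0-1)

@dataclass
class Risk:
    ref: str
    scenario: str          # step 1: a risk scenario entered in the register
    likelihood: int        # step 2: from the likelihood & impact exercise
    impact: int
    controls: list = field(default_factory=list)  # from the control library

    def __post_init__(self):
        for name, v in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not LOW <= v <= HIGH:
                raise ValueError(f"{self.ref}: {name}={v} outside {LOW}-{HIGH}")

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Assumed model: controls act independently, so the exposure left is
        # the product of what each control leaves behind.
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return round(self.inherent() * remaining, 2)

def heatmap_band(score: float) -> str:
    """Colour band on a 5x5 heat map (assumed cut-offs: 15 red, 8 amber)."""
    return "red" if score >= 15 else "amber" if score >= 8 else "green"

def plan_treatment(risk: Risk, appetite: float) -> str:
    """Step 3: choose Accept, Avoid, Transfer or Mitigate.
    The rule is an illustrative assumption, not a COBIT or ISO 31000 rule:
    within appetite -> accept; rare but severe -> transfer (e.g. insurance);
    far beyond appetite -> avoid the activity; otherwise -> mitigate.
    """
    residual = risk.residual()
    if residual <= appetite:
        return "accept"
    if risk.likelihood <= 2 and risk.impact >= 4:
        return "transfer"
    if residual > 2 * appetite:
        return "avoid"
    return "mitigate"

@dataclass
class KRI:
    """Step 5: a key risk indicator with a tolerance threshold."""
    name: str
    risk_ref: str
    value: float
    threshold: float
    higher_is_worse: bool = True

    def breached(self) -> bool:
        return self.value > self.threshold if self.higher_is_worse else self.value < self.threshold

def register_report(risks: list, appetite: float) -> list:
    """Steps 2-3 across the register, worst residual first (dashboard feed)."""
    rows = [{"ref": r.ref, "inherent": r.inherent(), "residual": r.residual(),
             "band": heatmap_band(r.residual()), "treatment": plan_treatment(r, appetite)}
            for r in risks]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)

def kri_breaches(kris: list) -> list:
    """Step 5: indicators that have crossed their thresholds."""
    return [k.name for k in kris if k.breached()]

APPETITE = 5.0  # assumed appetite threshold on the 1-25 residual scale
REGISTER = [    # constructed sample register for a small island financial institution
    Risk("R1", "Ransomware encrypts the core banking system", 4, 5,
         [Control("offline backups, restore tested quarterly", 0.5),
          Control("endpoint detection and response", 0.4)]),
    Risk("R2", "Key-person dependency: two-person IT operations team", 3, 3),
    Risk("R3", "Hurricane floods the on-island data centre", 2, 5,
         [Control("off-island disaster recovery site", 0.4)]),
    Risk("R4", "Phishing leads to a fraudulent outgoing payment", 5, 2,
         [Control("dual authorisation on outgoing payments", 0.7)]),
    Risk("R5", "New product launched without supplier due diligence", 4, 5),
]
KRIS = [        # constructed sample indicators
    KRI("days since last successful restore test", "R1", 120, 90),
    KRI("phishing simulation click rate (%)", "R4", 3.0, 5.0),
    KRI("staff on the IT on-call rota", "R2", 2, 3, higher_is_worse=False),
]

if __name__ == "__main__":
    for row in register_report(REGISTER, APPETITE):
        print(row)
    print("KRI breaches:", kri_breaches(KRIS))
```

Run as a script it prints the report rows; register_report() returns them worst-first so they can feed a heat map or dashboard, and kri_breaches() lists the indicators that have tripped (here the overdue restore test and the under-staffed on-call rota). The arithmetic is deliberately simple; the point is that the register, appetite threshold, treatment decision and KRI fields are exactly what a GRC tool would later automate, so getting them right in a script or spreadsheet first is the cheap way to learn the workflow.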

Questions


Contact us

Novodiem specializes in:

Risk Management

Project Management

Information Security & IT audit

Paul Helmich, CISM, CISSP

Tel: +5999-5218399

E: [email protected]

Web: www.novodiem-bv.com


Appendix

• Optional slides

Tool selection

If you do decide to purchase an IT tool – it will be essential to go through a thorough requirements definition process. Also analyze the need for having one platform versus point solutions per use case.

Gartner sees 7 main GRC use cases (next slide). Only 4 vendors adequately cover 4 or more of those use cases in one single tool. Those vendors are RSA Archer, MetricStream, LockPath and Modulo.

However the key to success is to build your own use cases and match the top 3 to tool functions. Model and document your OWN processes and workflow for those use cases. Involve your business owners.


Gartner's 7 main GRC use cases
