grc - governance, risk management, and compliance


Upload: alberta-atkinson

Post on 16-Jan-2016


Page 1: GRC - GOVERNANCE, RISK MANAGEMENT, AND COMPLIANCE


Page 2

Governance: the combination of processes established and executed by the board of directors (BOD), and the way the organization is managed and led toward achieving its goals.

Risk management: identifying, analysing and managing the risks that could hinder the organization from achieving its objectives.

Compliance: conforming to the company's policies and procedures and to the laws and regulations that apply to it.

Page 3

GOVERNANCE

The system of rules, practices and processes by which a company is directed and controlled.

Involves balancing the interests of a company's many stakeholders.

Also provides the framework for attaining a company's objectives, from action plans and internal controls to performance measurement and corporate disclosure.

Page 4

Governance Principles

Rights and equitable treatment of shareholders

Interests of other stakeholders

Roles and responsibilities of the board

Integrity and ethical behaviour

Disclosure and transparency

Page 5

RISK MANAGEMENT

Identify, assess, prioritize, control, exploit, finance and monitor risks.

Coordinated and economical application of resources.

To minimize, monitor and control the probability and/or impact of unfortunate events.

Reduces uncertainty; it cannot eliminate it, since some residual risk always remains after treatment.

RISK MANAGEMENT vs GOVERNANCE

Are they the same?

Page 6

RISK TYPES

Hazard risk: liability torts, property damage, natural catastrophe.

Financial risk: asset risk, currency risk, liquidity risk.

Operational risk: customer satisfaction, product failure, integrity, reputational risk, knowledge drain.

Strategic risk: competition, social trends, capital availability.

Page 7

RISK MANAGEMENT PROCESS

1. Establishing Context.

2. Identifying Risks.

3. Analysing/Quantifying Risks.

4. Integrating Risks.

5. Assessing/Prioritizing Risks.

6. Treating/Exploiting Risks.

7. Monitoring and Reviewing.
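The analyse, prioritize and treat steps above are easiest to see on a register. The following is an added example, not part of the original slides: it scores a small risk register with the standard quantitative formulae (single loss expectancy = asset value × exposure factor; annualized loss expectancy = SLE × annual rate of occurrence), ranks the entries by ALE, and picks a treatment for each against an assumed risk appetite, mitigating only where a costed control saves more per year than it costs. The Risk class, the register entries, the appetite and every figure in it are constructed for illustration.

```python
"""Quantitative risk register walking the analyse, prioritise and treat
steps (added example; every asset value, rate and cost below is a
constructed assumption, not data from the slides)."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    category: str            # hazard / financial / operational / strategic
    asset_value: float       # value of the asset exposed
    exposure_factor: float   # fraction of that value lost per event, 0..1
    aro: float               # annualised rate of occurrence, events/year
    # Candidate control, if one has been costed: its annual cost and the
    # occurrence rate that would remain with it in place.
    control_cost: float = 0.0
    aro_with_control: float = 0.0

    @property
    def sle(self):
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        """Annualised loss expectancy: expected loss per year."""
        return self.sle * self.aro

    @property
    def control_benefit(self):
        """Net annual value of the control: ALE reduction minus its cost.
        Positive means the control is worth buying."""
        residual_ale = self.sle * self.aro_with_control
        return (self.ale - residual_ale) - self.control_cost


def prioritise(risks):
    """Rank by ALE, largest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def treatment(risk, appetite):
    """Choose a treatment. appetite: the ALE the organisation will carry
    untreated (an assumed governance decision, set by the board)."""
    if risk.ale <= appetite:
        return "accept"
    if risk.control_cost > 0 and risk.control_benefit > 0:
        return "mitigate"
    # Above appetite, and no cost-effective control: insure or exit.
    return "transfer-or-avoid"


def plan(risks, appetite):
    """Prioritised treatment plan: list of (name, ALE, treatment)."""
    return [(r.name, r.ale, treatment(r, appetite)) for r in prioritise(risks)]


# Constructed register spanning several of the risk types on the slides.
REGISTER = [
    Risk("Ransomware on file servers", "operational", 2_000_000, 0.25, 0.5,
         control_cost=60_000, aro_with_control=0.05),
    Risk("Data centre flood", "hazard", 5_000_000, 0.6, 0.02,
         control_cost=150_000, aro_with_control=0.002),
    Risk("Key engineer leaves", "operational", 300_000, 0.5, 0.3),
    Risk("Currency swing on EUR contracts", "financial", 1_000_000, 0.1, 1.0,
         control_cost=40_000, aro_with_control=0.0),
]

if __name__ == "__main__":
    for name, ale, action in plan(REGISTER, appetite=50_000):
        print(f"{name:35} ALE={ale:>10,.0f}  -> {action}")
```

The flood entry is the instructive one: its ALE is above the appetite, yet the costed control would cost more per year than the loss it prevents, so the plan sends it to transfer (insurance) rather than mitigation. The ranking is by expected loss only; a real register would also carry the qualitative likelihood/impact rating the process uses where hard figures are unavailable.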

Page 8

COMPLIANCE

Conforming to a rule, such as a specification, policy, standard or law.

Compliance audit:

A review of an organization's adherence to regulatory guidelines.

The organization must be able to demonstrate compliance by producing an audit trail.

Auditors review security policies, user access controls and risk management procedures.

CIOs, CTOs and IT administrators answer a series of pointed questions over the course of an audit.

Event log management and robust change management software allow authentication events and control changes in IT systems to be tracked and documented, which is what produces that audit trail.
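An audit trail only demonstrates compliance if the auditor can trust that it has not been edited after the fact. As an added example, not from the original slides, the following builds a hash-chained, keyed audit log of access-control changes, replays it to answer the auditor's "who holds which right today?", and shows that editing or deleting an entry is caught at verification, with one caveat a practitioner should know: silently cutting off the tail is only caught when the latest hash has been anchored outside the log. The event records, field names, LOG_KEY and function names are all constructed assumptions.

```python
"""Tamper-evident audit trail of access-control changes (added example; the
sample events, key and field names are constructed, not from the slides)."""
import hashlib
import hmac
import json

# Assumption: the MAC key lives with the log collector, not with the
# administrators whose actions are logged; otherwise they could re-sign
# a forged chain. SHA-256 hex digests, so the genesis link is 64 zeros.
LOG_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64


def _digest(entry):
    # MAC over the sequence number, the previous hash and the record,
    # serialised as canonical JSON so field order cannot change the hash.
    body = {k: entry[k] for k in ("seq", "prev", "record")}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append(trail, record):
    """Append one change record and return the chained entry."""
    entry = {"seq": len(trail),
             "prev": trail[-1]["hash"] if trail else GENESIS,
             "record": record}
    entry["hash"] = _digest(entry)
    trail.append(entry)
    return entry


def verify(trail, head=None):
    """Walk the chain; return (True, None) or (False, index of first bad entry).
    head: the latest hash as anchored outside the log (e.g. handed to the
    auditor); without it, silently truncating the tail is undetectable."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(entry["hash"], _digest(entry)):
            return False, i
        prev = entry["hash"]
    if head is not None and prev != head:
        return False, len(trail)
    return True, None


def effective_rights(trail):
    """Replay grants/revokes to answer the auditor's 'who holds what today?'"""
    rights = {}
    for entry in trail:
        rec = entry["record"]
        held = rights.setdefault(rec["subject"], set())
        if rec["action"] == "grant":
            held.add(rec["right"])
        elif rec["action"] == "revoke":
            held.discard(rec["right"])
    return {s: r for s, r in rights.items() if r}


# Constructed sample events: three access-control changes.
SAMPLE_EVENTS = [
    {"ts": "2016-01-10T09:12:00Z", "actor": "admin.jlee", "action": "grant",
     "subject": "svc-backup", "right": "db:read"},
    {"ts": "2016-01-10T09:15:30Z", "actor": "admin.jlee", "action": "grant",
     "subject": "t.nguyen", "right": "finance:approve"},
    {"ts": "2016-01-11T17:40:05Z", "actor": "admin.rpatel", "action": "revoke",
     "subject": "t.nguyen", "right": "finance:approve"},
]


def build_trail(events):
    trail = []
    for event in events:
        append(trail, event)
    return trail


def drop_entry(trail, seq):
    """Simulate an insider deleting one entry and renumbering the rest."""
    copy = [dict(e) for e in trail if e["seq"] != seq]
    for i, e in enumerate(copy):
        e["seq"] = i
    return copy


if __name__ == "__main__":
    trail = build_trail(SAMPLE_EVENTS)
    print("intact:", verify(trail), effective_rights(trail))
    print("entry 1 removed:", verify(drop_entry(trail, 1)))
    print("tail removed, head anchored:",
          verify(drop_entry(trail, 2), head=trail[-1]["hash"]))
```

In practice the head hash is published somewhere the log owner cannot rewrite (a periodic digest sent to the auditor, a write-once store, or a signed timestamp), and the key is kept out of reach of the administrators whose actions the trail records; with those two in place the chain answers the auditor's questions about access changes with evidence rather than assertion.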

Page 9

Some prominent regulations and standards:

Sarbanes-Oxley Act (SOX) of 2002: protects shareholders and the general public from accounting errors and fraudulent practices in the enterprise.

CAN-SPAM Act of 2003: requires businesses to label commercial email as advertising, use legitimate return email addresses, and provide recipients with an opt-out.

Payment Card Industry Data Security Standard (PCI DSS): first published in 2004 by Visa, MasterCard, Discover, American Express and JCB, and maintained since 2006 by the PCI Security Standards Council, to secure credit, debit and other payment card transactions and the cardholder data behind them.

Information Security Management System (ISMS, ISO/IEC 27001): design, implement and maintain a coherent set of policies, processes and systems to manage risks to the organization's information assets.

Page 10

COBIT (CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY)

Created by ISACA (Information Systems Audit and Control Association).

Bridges the gap between control requirements, technical issues and business risks.

Gives a more comprehensive definition of roles and responsibilities.

Page 11

PRINCIPLES

(The original slide is a figure. COBIT 5 has five principles: meeting stakeholder needs; covering the enterprise end-to-end; applying a single, integrated framework; enabling a holistic approach; separating governance from management.)

Page 12

ENABLERS

(The original slide is a figure. COBIT 5 defines seven enablers: principles, policies and frameworks; processes; organisational structures; culture, ethics and behaviour; information; services, infrastructure and applications; people, skills and competencies.)

Page 13

GOVERNANCE vs MANAGEMENT

Governance: EDM (Evaluate, Direct and Monitor)

Management: PBRM (Plan, Build, Run and Monitor)

Page 14

OTHER STANDARDS

Risk management standards:

ISO/IEC 27005: information security risk management.

ISO 31000: general-purpose risk management principles and guidelines.

NIST SP 800-30: Guide for Conducting Risk Assessments.

Risk IT by ISACA.

Page 15

NIST SP 800-30

(The original slide is a figure of the SP 800-30 Rev. 1 risk assessment process: prepare for the assessment, conduct the assessment, communicate the results, maintain the assessment.)

Page 16

THANK YOU