grc overview sweden - september 2016


Upload: kpmg-sweden

Post on 13-Apr-2017


Enterprise Governance, Risk and Compliance

An Overview

14 September 2016

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 581684

Agenda

Background & History with Archer

What GRC Enablement Looks Like

Typical GRC Use Cases

Introduction

GRC Transformation Journey

From GRC 1.0 to 2.0

Adoption Challenges

GRC Technology Pyramid

Lessons Learned


KPMG and RSA Relationship

— KPMG is an Archer customer, giving us unique insight into the opportunities and challenges of running Archer to support key business processes.

— We have implemented the solutions in our own environment, worked through the controlled change management processes, and managed the development lifecycle. We share our experiences with our clients.

— Archer engaged KPMG to help develop the product content library, and to review and develop the Business Continuity, Crisis Management, and Disaster Recovery solutions.

— We assisted Archer by leveraging our knowledge of the regulatory environment, leading practices, and the Archer Framework to help improve the product and content that is available today.

— KPMG is a strong partner to RSA Archer in providing services to RSA Archer customers.

— KPMG utilizes the strength of our alliance relationship to provide product-related best practices or to address issues to assist our clients prior to, during or after implementation.

[Diagram labels: "RSA Archer is KPMG’s Client"; "KPMG has a strong alliance relationship with RSA Archer"; "KPMG is an RSA Archer Customer"]


Clients & Industries Served

Our experience serving multiple industries brings lessons learned from past client engagements. We partner with our clients to co-develop GRC programs, organizational structures and processes, proactively transitioning knowledge to client professionals for sustainable uptake of the implementation.

A brief representation of the multiple industries we have served: global consumer products; global business services; large plastics, chemicals & refining; global financial services; global insurance; telecommunications; global software; retail drugs; global agricultural biotech products; global investment management; gaming & wagering; oil & gas; global retail; leading global transaction processing; global online payment processing; global internet companies.

A brief representation of our key clients where we have done similar work: [client logos not reproduced in the transcript]


Business Groups Served

Our experience in helping organizations shape GRC strategies and implementation services spans four key domains: IT, Operations, Legal and Finance, with IT representing the largest area of GRC-related activities. Strong collaboration across all GRC functional areas eliminates organizational barriers to centrally implementing and achieving GRC objectives:

Operations; Human Resources; Legal; Finance; Corporate Services; Information Security & Risk Management; Information Technology; Executive Committee; Enterprise Risk Management; Internal Audit


Typical GRC Use Cases

Issue Management
• Issue identification
• Action plan identification
• Issue and action remediation tracking
• Aggregated issue reporting

Compliance Management
• Control identification
• Control testing
• Issue/gap identification

General Risk Management
• Risk assessment
• Key risk indicators
• Risk scoring
• Risk mitigation activities

Policy Management
• Policy central storage
• Policy versioning and publication
• Policy to regulation, risk and control mapping
• Policy certification

Regulatory Change Management
• Reg to business, policy and control mapping
• Regulatory change identification
• Reg change impact assessment
• Compliance changes required tracking

• Foundational structure (drives common language, storage, ownership, and access)
• Workflow & alerts
• Reporting & dashboarding
• Online & mobile access


What GRC Enablement Looks Like

[Diagram: "Desired State". Organizational axes: Legal Entities, Geographical Regions. Business functions: Audit, Product Development, IT, Legal and Regulatory, Human Resources, Shared Services and Support, Finance, Operations, Sales and Marketing. Assurance layers: Business and Controls; ERM; Compliance (SOX, Reg Change); Internal Audit; Other Assurance Groups. Business and Risk Management Information recipients: Internal (Board/Committees, Executive/Senior Management, Stakeholders) and External (Auditor, Regulator, Rating Agency).]

[Diagram: "eGRC Foundation Transformation", same axes, functions and information recipients as above, with reporting outputs: Control Reports, ERM Reports, Compliance Reports, Audit Reports, Issue Management Reports, Quarterly Deficiency, SOX Reporting, Quarterly Assessment, Firm RCM, Law-Reg to Process Mapping, Audit Plan, Audit Committee, Open Issues, Past Due Issues, Closed Issues, External Audit Report.]


GRC Technology Pyramid


GRC Transformation Journey

[Diagram: six numbered stages arranged around "GRC Considerations"]

1. Strategy: GRC Vision (short & long term); Guiding Principles; Executive Buy-in; Functional Commitment & Prioritization of technology enablement capabilities; Roadmap

2. Convergence & Foundational Elements: Foundational Elements & Common Language; Future State Process Design / Process Flow Documentation; Convergence Opportunities, Alignment of Shared Functionality, and Integration Points with GRC Tool; High-level Business, Functional, and Technical Requirements Definition

3. Program Management: Project Governance; Project Planning and Monitoring; Budget Management; Scope Management; Project Risks/Issue Tracking; Project Resource Management

4. People & Change: Stakeholder Analysis; Roles and Responsibilities; Communication Plan; Learning, Development and Training; Adoption Plan/Roll-out

5. Vendor Selection: GRC Business Case Development; Tool Selection, RFI/RFP; Vendor Demonstrations, RFP Scoring

6. Technology Enablement: Link between Business Requirements and Business Process Design; Requirements to System Mapping / Proof of Concept; Data Conversion; System Configuration; Testing Strategy, Performance and User Acceptance Testing


Adoption Challenges

There are many different terms and approaches in use across the enterprise today – the GRC journey forces us to consider how these terms and approaches converge across a number of key areas.

Organizational Structure / User Group Issue Terminology:

Internal Audit: High; Medium; Low
Information Security: Critical; High; Medium; Low
ERM: Critical; Major; Moderate; Minor; Insignificant
SOX: Material Weakness; Significant Deficiency; Deficiency
Compliance: Reportable; Non-Reportable; Process Improvement


From GRC 1.0 to 2.0

[Diagram labels. Risk view: Risk Metrics; Risk Quantification; IT Risks; Enterprise Risks; Environmental or Safety Impact; System Destruction; Exposure. Assessment and result sources: Business Impact Assessments; Control Test Results; Automated Scan Results; Self Assessments; Internal Audit Results; Vulnerabilities Findings; Third Party Assessments; Performance / SLAs.]


From GRC 1.0 to 2.0

[Screenshots: Example Drill-Down (three views)]


Lessons Learned

1. Establish a clear change management plan: Keep the cultural shift required top-of-mind (i.e., to move from the mentality of managing in silos to sharing or converging risk/compliance information across the enterprise) and manage this throughout the program.

2. GRC doesn’t stop at the back office: There may need to be other organizational or process changes made outside of the risk areas to facilitate GRC. An example of this would be consideration of GRC representatives in various lines of business. Keep these in mind and consider additional changes

3. Leverage out-of-the-box capabilities: Archer represents crowd-sourced processes for management of risk and compliance activities; organizations should evaluate the fit of the standard use case automations versus their specific needs, making sure to leverage the standard capabilities whenever possible.

4. Develop simple and easy-to-read reports: Use only the most viewed reports in dashboards. Do not clutter dashboards with more reports than necessary. Do not clutter workspaces with more dashboards than required.

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 581684

The KPMG name and logo are registered trademarks or trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

kpmg.com/socialmedia

Gavin Mead, Principal, Advisory, KPMG Cyber, +1 404-353-3179, [email protected]

For more information on KPMG Archer Services, please contact one of our practitioners or visit us at www.kpmg.com/cybersecurity

Thank you!