GRC Overview, Sweden - September 2016
TRANSCRIPT
© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 581684
Agenda
Background & History with Archer
What GRC Enablement Looks Like
Typical GRC Use Cases
Introduction
GRC Transformation Journey
From GRC 1.0 to 2.0
Adoption Challenges
GRC Technology Pyramid
Lessons Learned
KPMG and RSA Relationship

KPMG is an RSA Archer customer
— KPMG is an Archer customer, giving us unique insight into the opportunities and challenges of running Archer to support key business processes.
— We have implemented the solutions in our own environment, worked through the controlled change management processes, and managed the development lifecycle. We share our experiences with our clients.

RSA Archer is KPMG’s client
— Archer engaged KPMG to help develop the product content library and to review and develop the Business Continuity, Crisis Management, and Disaster Recovery solutions.
— We assisted Archer by leveraging our knowledge of the regulatory environment, leading practices, and the Archer Framework to help improve the product and content that is available today.

KPMG has a strong alliance relationship with RSA Archer
— KPMG is a strong partner to RSA Archer in providing services to RSA Archer customers.
— KPMG utilizes the strength of our alliance relationship to provide product-related best practices or to address issues, assisting our clients before, during, or after implementation.
Clients & Industries Served

Our experience serving multiple industries brings lessons learned from past client engagements. We partner with our clients to co-develop GRC programs, organizational structures, and processes, proactively transitioning knowledge to client professionals for sustainable uptake of the implementation.

A brief representation of the industries we have served and of key clients where we have done similar work:
• Global consumer products
• Global business services
• Large plastics, chemicals & refining
• Global financial services
• Global insurance
• Telecommunications
• Global software
• Retail drugs
• Global agricultural biotech products
• Global investment management
• Gaming & wagering
• Oil & gas
• Global retail
• Leading global transaction processing
• Global online payment processing
• Global internet companies
Business Groups Served

Our experience in helping organizations shape GRC strategies and implementation services spans four key domains: IT, Operations, Legal, and Finance, with IT representing the largest area of GRC-related activities. Strong collaboration across all GRC functional areas eliminates organizational barriers to centrally implementing and achieving GRC objectives:
• Executive Committee
• Enterprise Risk Management
• Internal Audit
• Operations
• Human Resources
• Legal
• Finance
• Corporate Services
• Information Security & Risk Management
• Information Technology
Typical GRC Use Cases

General Risk Management
• Risk assessment
• Key risk indicators
• Risk scoring
• Risk mitigation activities

Compliance Management
• Control identification
• Control testing
• Issue/gap identification

Regulatory Change Management
• Reg to business, policy and control mapping
• Regulatory change identification
• Reg change impact assessment
• Compliance changes required tracking

Policy Management
• Policy central storage
• Policy versioning and publication
• Policy to regulation, risk and control mapping
• Policy certification

Issue Management
• Issue identification
• Action plan identification
• Issue and action remediation tracking
• Aggregated issue reporting

Common platform capabilities (across all use cases)
• Foundational structure (drives common language, storage, ownership, and access)
• Workflow & alerts
• Reporting & dashboarding
• Online & mobile access
What GRC Enablement Looks Like

[Diagram: eGRC Foundation Transformation, current state to desired state]

Business functions (across Legal Entities and Geographical Regions): Audit; Product Development; IT; Legal and Regulatory; Human Resources; Shared Services and Support; Finance; Operations; Sales and Marketing.

Current state: each function and assurance group produces its own reports in isolation: Control Reports; ERM Reports; Compliance Reports; Audit Reports; Issue Management Reports; Quarterly Deficiency SOX Reporting; Quarterly Assessment; Firm RCM; Law-Reg to Process Mapping; Audit Plan; Audit Committee; Open Issues; Past Due Issues; Closed Issues; External Audit Report.

Desired state: an eGRC foundation shared by Business and Controls, ERM, Compliance (SOX, Reg Change), Internal Audit, and Other Assurance Groups, delivering Business and Risk Management Information to internal consumers (Board/Committees, Executive/Senior Management, Stakeholders) and external consumers (Auditor, Regulator, Rating Agency).
GRC Technology Pyramid
GRC Transformation Journey

GRC Considerations, in six workstreams:

1. Strategy
• GRC Vision (short & long term)
• Guiding Principles
• Executive Buy-in
• Functional Commitment & Prioritization of technology enablement capabilities
• Roadmap

2. Convergence & Foundational Elements
• Foundational Elements & Common Language
• Future State Process Design / Process Flow Documentation
• Convergence Opportunities, Alignment of Shared Functionality, and Integration Points with GRC Tool
• High-level Business, Functional, and Technical Requirements Definition

3. Program Management
• Project Governance
• Project Planning and Monitoring
• Budget Management
• Scope Management
• Project Risks/Issue Tracking
• Project Resource Management

4. People & Change
• Stakeholder Analysis
• Roles and Responsibilities
• Communication Plan
• Learning, Development and Training
• Adoption Plan/Roll-out

5. Vendor Selection
• GRC Business Case Development
• Tool Selection, RFI/RFP
• Vendor Demonstrations, RFP Scoring

6. Technology Enablement
• Link between Business Requirements and Business Process Design
• Requirements to System Mapping / Proof of Concept
• Data Conversion
• System Configuration
• Testing Strategy, Performance and User Acceptance Testing
Adoption Challenges

There are many different terms and approaches in use across the enterprise today. The GRC journey forces us to consider how these terms and approaches converge across a number of key areas, including organizational structure and the terminology each user group applies to the same issue.

User Group Issue Terminology (the severity scale each group uses today):

Internal Audit: High; Medium; Low
Information Security: Critical; High; Medium; Low
ERM: Critical; Major; Moderate; Minor; Insignificant
SOX: Material Weakness; Significant Deficiency; Deficiency
Compliance: Reportable; Non-Reportable; Process Improvement
From GRC 1.0 to 2.0

[Diagram: risk information sources feeding aggregated risk views]

Inputs: Control Test Results; Automated Scan Results; Self Assessments; Internal Audit Results; Vulnerabilities Findings; Third Party Assessments; Performance / SLAs; Exposure.

Aggregated views: Risk Metrics; Risk Quantification; IT Risks; Enterprise Risks; Environmental or Safety Impact; System Destruction; Business Impact Assessments.
From GRC 1.0 to 2.0 (continued)

[Screenshots: three example drill-downs from aggregated risk views into underlying records]
Lessons Learned

1. Establish a clear change management plan: Keep the cultural shift required top-of-mind (i.e., to move from the mentality of managing in silos to sharing or converging risk/compliance information across the enterprise) and manage this throughout the program.

2. GRC doesn’t stop at the back office: There may need to be other organizational or process changes made outside of the risk areas to facilitate GRC. An example of this would be consideration of GRC representatives in various lines of business. Keep these in mind and consider additional changes.

3. Leverage out-of-the-box capabilities: Archer represents crowd-sourced processes for management of risk and compliance activities; organizations should evaluate the fit of the standard use case automations versus their specific needs, making sure to leverage the standard capabilities whenever possible.

4. Develop simple and easy-to-read reports: Use only the most viewed reports in dashboards. Do not clutter dashboards with more reports than necessary. Do not clutter workspaces with more dashboards than required.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although
we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or
that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough
examination of the particular situation.
kpmg.com/socialmedia
Gavin Mead
Principal, Advisory
KPMG Cyber
+1 404-353-3179
For more information on KPMG Archer Services, please contact one of our practitioners or visit us at www.kpmg.com/cybersecurity
Thank you!