it governance risk and compliance grc

7/30/2019 IT Governance Risk and Compliance GRC

1/30

ITGRCWORKSHOP


2/30

ITGOVERNANCE,RISK&COMPLIANCE

BRINGINGITALLTOGETHER


3/30

WhatisGovernance,Risk&Compliance?

ITGovernance,Risk&Compliance

EnterpriseGovernance,Risk&Compliance

ITControlFrameworks

InformationProtectionManagementDiv.1

2

3

4

5

PRESENTATIONOUTLINE


4/30

WHATISGOVERNANCE,RISK&

COMPLIANCE?

GENERALPERSPECTIVE


5/30

GovernancevIstheprocessbywhichpoliciesaresetanddecisionmakingisexecuted.

RiskManagementvIstheprocessofiden:fica:on,analysisandeitheracceptanceor

mi:ga:onofuncertaintyindecision-making.

CompliancevIstheprocessofadherencetopoliciesanddecisions.

GOVERNANCE,RISK,ANDCOMPLIANCE


6/30

Risk Compliance

GRC

Governance

INTERRELATIONSHIPBETWEENGOVERNANCE,RISK,ANDCOMPLIANCE

Governancemanagesthe

strategicdirec7vesacompany

wantstofollow.

Complianceisthetac7cal

ac7ontomi7gaterisk.

Riskmanagement

assessestheareasof

exposureandpoten7al

impacts.


7/30

WHYFOCUSONGRCNOW?

Riskshavebecomemorediverseandinterrelated.Lawsandregula:onshavebecomemorecomplicated.

Boards,execu:vesandmanagementhavebecomemoreaccountable.

Thisputsorganiza:onsatgreaterriskandmakesitdifficult

andcostlyforManagementtodotheirjobseffec:vely.


8/30

PROBLEMSFACEDBYORGANIZATIONS

ToomuchriskforthereturnwearegeJngTooliKlevaluefrombusiness-ITinvestments

Slowdecisionmaking

Projectoverrunsanddelays

Lackofstability,availability,protec:onandrecoverability


9/30

GRCSPECIFICPROBLEMSFACEDBYORGANIZATIONS

GRCac:vi:esandcontrolsarefragmentedandmanagedinsilos

Organiza:onsusereac:ve,one-offapproachestoaddresscomplianceissues

Riskandcomplianceconsidera:onsarenotintegratedintocorebusinessprocessesandmainstreamdecision-making

Leadersoenlackanenterpriseviewofrisks

ITassetsarenotwellalignedwithriskorcompliancemanagementneeds

Managementdoesnothavethehigh-qualityinforma:ontheyneed


10/30

IMPROVINGEFFICIENCYANDEFFECTIVENESSREQUIRESIMPROVEMENTINTHREEASPECTSOFGRC

A?en7on

Awareness&People

Effec7veness

Governance&Processes

Efficiency

Automa:on&Tools

Improvementsaredependentonprogressinotherareas.


11/30

ESSENTIALELEMENTSOFAGRCPROGRAM

Centralized repository of policies and controlsIntegrated database of major regulations, standards and best practicesComprehensive policy management with awareness campaigns and attestationControls management and reporting

Governance

Risk management, including key risk indicators and risk dashboardsRisk

Compliance assessment, monitoring and reportingCompliance


12/30

BENEFITSOFINTEGRATINGGRC

Makerisk-informedstrategicdecisions.Analyzeriskbasedonquan:ta:vedata.

Managecompliance.

Priori:zeremedia:onac:vi:es.


13/30

ENTERPRISEGOVERNANCE,RISK&

COMPLIANCE

TOUNDERSTANDITGRCYOUMUSTFIRST

UNDERSTANDENTERPRISEGRC


14/30

ENTERPRISEGRC

Governance

Strategy

Planning

RiskManagement

Assessment

Mitigation

Compliance

Assessment Reporting


15/30

EnterpriseGRCPlatform

Auditors

RiskManagement

AuditManagement

Risk&ControlsMatrix

Boards

ComplianceManagement

RemediationManagement

PolicyManagement

PROCESSES

PEO

PLE

MANAG

EMEMT

ANENTERPRISEGRCPLATFORM


16/30

ITGOVERNANCE,RISK&COMPLIANCE

TOESTABLISHMOREACCOUNTABLEAND

EFFECTIVEITFUNCTIONS


17/30

ITGRCTIESTOGETHERTHEPROGRAMSOF..

ITGovernancev AnITgovernanceprogramtoleveragethedevelopedrisk-basedop:onsin

supportofanorganiza:onsdecision-makingprocess.

ITRiskmanagementv AnITriskmanagementprogramperformsriskassessmenttodevelopand

priori:zeop:onsforremedia:on

ITCompliancev AnITcomplianceprogramtomeasurethelevelofcompliancewithinanIT

environment


18/30

IT-GRC


19/30

ITstrategy

ITservices

Systemsinfrastructure

Informa:onmanagement

Informa:onsecurity

Resourceavailability(hardware,soware&data)

Dataintegrity

Technologyrisk

Legalandregulatorycompliance

ITGRCMEANSMANAGING


20/30

GRCMATURITYMODELCurrentIT-GRCMaturity. NextPhase


21/30

REACTIVE,FRAGMENTEDIMPLEMENTATIONPHASE

GRCac:vi:esarelargelymanual,notstandardizedandnotwellintegratedintocorebusinessprocesses

GRCac:vi:eshavenotreceivedasmuchaKen:oninthepast

Mostorganiza:onshavetreatedgovernance,riskandcomplianceasdiscreteac:vi:es,separatefrommainstreambusinessprocessesanddecisionmaking

Exis:ngITinfrastructures,applica:onsandprocessesdonotprovidesufficientsupportforeffec:veriskmanagementandefficient

compliance


22/30

ITGRCMUSTBEDRIVENFROMTHETOP-DOWN

CorporateGRCisanimportantinputfordefiningITGRC. ITGRCrequiresseniorbusinesspar:cipa:on,especiallyatthe

boardlevel.


23/30

ITCONTROLFRAMEWORKS

COBIT

CONTROL

OBJECTIVES

FOR

INFORMATION

ANDRELATEDTECHNOLOGY


24/30

COBITANDOTHERITMANAGEMENTFRAMEWORKS


25/30

WHEREDOESCOBITFIT?


26/30

THECOBITFRAMEWORKWASDESIGNEDTOPROVIDE..

Acomprehensivecontrolframeworktocover

ITorganiza:on

ITusers ITprofessionals ITgovernance ITrisks ITprocesses


27/30

SUMMARY

ITGRCisasubsetofCorporateGovernance

ITGRCcomprisesofvITGovernancevITRiskvITCompliance

Withoutoneyoucannothavetheother..vGovernance,RiskandComplianceare

interrelated

GRC

Risk Compliance

Governance


28/30

DOYOUHAVE

ANYQUESTIONS?


29/30

Thankyou!


30/30

BREAK

it governance risk and compliance grc

Documents