Governance, Risk & Compliance (GRC) Technology

Abhisek Bhattacharyya, Principal, Risk Advisory Services, Deloitte & Touche (M.E.)

19th Annual Regional Audit Conference – Abu Dhabi


© 2019 Deloitte & Touche (M.E.). All rights reserved

Table of Contents

1 – Introduction to GRC

2 – GRC Technology Solution Overview

3 – GRC Products/Vendors Overview


Introduction to GRC


GRC Overview


What could GRC mean to an Organization?

Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies and functions are directed and managed.

Risk (management) is the coordinated set of activities to direct and control an organization to realize opportunities while managing negative events.

Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.

GRC Program Pillars

GOVERNANCE

• Identify external laws, rules & regulations that guide the conduct of the organization

• Internal policies and procedures to ensure compliance with external requirements and desired organization objectives

• Enable the boards and management teams to understand the current risk and regulatory landscape

RISK MANAGEMENT

• Align and adapt risk management program to organization's business model and company culture

• Identify, analyze and evaluate internal and external risks

• Prioritize and optimize risk portfolio and risk treatments

• Continuously monitor, measure and adapt risk management program

COMPLIANCE

• Define obligations / requirements

• Develop and implement controls, processes and programs to ensure compliance with requirements

• Audit against controls and processes to measure effectiveness of implementation

• Monitor and measure compliance programs and adapt to changing conditions

Technology Platform - Enables and Automates GRC Program Elements


Risk as a driver for GRC Technology

Technology Risk

• Scale and lack of integration between cyber risk and compliance activities

• Inconsistent methodology for risk evaluation

• Lack of robust incident response capabilities

• Reactive monitoring and integration of technology risk

• Misaligned cybersecurity expectations between business stakeholders

• Lack of consolidation and coordination of cyber risk management activities across the organization

Internal Audit

• Inconsistent view of the auditable entities across the organization and other assurance functions

• Decentralized resource allocation hinders appropriate planning and efficient audit assignment

• Multiple repositories and organizational systems in use across the enterprise with no communication or linkage capabilities between them

• Duplication of effort to address findings common across auditable entities due to an inability to effectively aggregate information

• Inefficient, manual, and time-consuming issue follow-up processes hinder issue resolution and action planning

Operational Risk

• Misalignment between operational risk management and business strategy

• Lack of centralized, meaningful, value-driven data analysis and reporting

• Too much time spent on risk administration instead of risk management

• Lack of integrated view of risks and loss events hinders risk performance assessment

• Disconnect between risk appetite, the operational risk framework, and other assurance functions

Regulatory Risk

• Demonstrating compliance in a highly complex and constantly changing regulatory environment

• Inconsistent identification and mapping of operational and reputational risks to owners

• Limited resources and time to allocate to issue management

• Lack of transparent end-to-end insights on key risks combined with inconsistent risk rating across functions

• Inconsistent risk aggregation between governance forums


Enablers for GRC Technology

GRC Enablers

Internal Audit

IT Risk Management

Compliance Management

Business Resiliency

Third Party & Vendor Risk Management

Advanced Continuous Controls Monitoring

Enterprise Risk Management

Operational Risk Management

GRC Use Cases


Internal Audit/CAE AT THE CENTER OF GRC LEADERSHIP

Articulate to the Audit Committee and Board why having a clear and conformed view of risk, including compliance risks, across the enterprise is critical to defining and achieving strategic objectives

Assist the Chief Executive Officer (CEO) in finding opportunities and preventing adverse effects from identified risks

Influence other key functional executives to support Internal Audit’s role in GRC strategy and the organization’s achievement of business objectives. Especially key is having critical conversations with the:

• Chief Finance Officer (CFO)

• Chief Ethics and Compliance Officer (CECO)

• Chief Risk Officer (CRO)

• Chief Information Officer (CIO)

KEY ASKS FOR CAE

CONVERSATION WITH THE AC & BOARD: “HOW CAN I HELP YOU GAIN TRANSPARENCY USING STANDARD, MEASURABLE PROCESSES?”

CONVERSATION WITH THE CEO: “HOW CAN I HELP YOU PLAN BY PROVIDING OBJECTIVE, MEASURABLE ASSURANCE ON THE GRC CAPABILITY?”

CONVERSATION WITH THE CFO: “HOW CAN I HELP YOU GROW AND PROTECT VALUE THROUGH AN INTEGRATED GRC FRAMEWORK?”

CONVERSATION WITH THE CECO: “HOW CAN I HELP YOU DEFINE AND IMPROVE THE USE OF METRICS AND OTHER ONGOING MEASUREMENT TOOLS?”

CONVERSATION WITH THE CRO: “HOW CAN I HELP YOU DRIVE ENTERPRISE RISK MANAGEMENT THROUGHOUT THE ORGANIZATION?”

CONVERSATION WITH THE CIO: “HOW CAN I HELP YOU IMPROVE THE IT INFRASTRUCTURE FOR GRC?”


GRC Technology Solution Overview


GRC Technology Solution – Market Direction

Traditional GRC approach

Use of spreadsheets to track regulatory compliance.

No centralized means of tracking risks.

Lack of consistent reporting around risk & compliance initiatives.

Lack of accountability for risks and controls.

Lack of automation to improve efficiency and data collection.

Emerging GRC Trends

Analytic tools to measure and monitor risk management processes.

Best-in-class vendor solutions to replace GRC modules.

GRC platforms integrated with other best-in-class solutions and analytics tools to provide common reporting and a holistic view of the business environment.

GRC solution types

A significant number of organizations still depend on spreadsheets and office automation for GRC programs. But more organizations are now using either stand-alone or integrated vendor platforms, indicating a shift towards more consolidation.


GRC Technology Solution - Common Architecture

GRC elements

Enterprise Risk

Core GRC capabilities

Risk & control content

Business processes

Common GRC modules

Policy management

Risk & control self-assessment

Incident & issues management

Remediation planning

Compliance

IT Risk

Third Party / Vendor Risk

Operational Risk

Business Resiliency

Audit

Financial Controls

Database · Content · Workflow · Reporting


GRC Technology Solution – Core Capabilities

GRC Core Capabilities

Integration: Seamlessly integrate cross-departmental systems

Application builder: Build applications to meet business requirements

Reports and dashboards: Gain real-time actionable reports and graphical dashboards

Access control: Enforce access controls at the system or field level

User experience: Ease of end-user adoption

Content & Document Management: Storage of content and documents

Workflows & Notifications: Enables business process workflow approvals

RPA Friendly or RPA ‘Enabled’

AI & Cognitive Thinking ‘Embedded’

Analytics ‘Driven’
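The "Access control" capability listed above (enforcement at the system or field level) is shown below in an added Python example; it is not code from the deck or from any GRC product. The role names (internal_auditor, business_owner, external_auditor), the module names, the field names and the sample audit finding are all assumptions made up for the illustration. The system-level check decides whether a role may enter a module at all; the field-level policy then decides which fields that role may read or write, defaulting to deny for anything not explicitly granted.

```python
"""Field-level access control over a GRC record (constructed example).

Added illustration; not code from the slide deck or from any GRC product.
Role names, module names, field names and the sample finding are made up.
Policy is deny-by-default: a role sees only the fields it is explicitly
granted, every write is checked field by field, and every decision is logged.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldPolicy:
    read: frozenset   # fields the role may see
    write: frozenset  # fields the role may change (subset of read)


# System level: which modules each role may enter at all (assumed roles).
MODULE_ACCESS = {
    "internal_auditor": frozenset({"audit", "risk"}),
    "business_owner": frozenset({"audit"}),
    "external_auditor": frozenset({"audit"}),
}

# Field level, inside the "audit" module (assumed field names).
FIELD_ACCESS = {
    "audit": {
        "internal_auditor": FieldPolicy(
            read=frozenset({"title", "severity", "remediation_owner",
                            "internal_notes", "cost_estimate"}),
            write=frozenset({"title", "severity", "internal_notes"}),
        ),
        "business_owner": FieldPolicy(
            read=frozenset({"title", "severity", "remediation_owner"}),
            write=frozenset({"remediation_owner"}),
        ),
        "external_auditor": FieldPolicy(
            read=frozenset({"title", "severity"}),
            write=frozenset(),
        ),
    },
}

# Constructed sample record: one audit finding as a GRC tool might store it.
SAMPLE_FINDING = {
    "title": "Privileged accounts not reviewed quarterly",
    "severity": "High",
    "remediation_owner": "IT Operations",
    "internal_notes": "Auditor working notes, not for the business owner",
    "cost_estimate": 12000,
}


class AccessDenied(Exception):
    pass


def has_module_access(role, module):
    """System-level check: unknown roles and unlisted modules are denied."""
    return module in MODULE_ACCESS.get(role, frozenset())


def _field_policy(role, module):
    if not has_module_access(role, module):
        raise AccessDenied(f"{role!r} may not access module {module!r}")
    policy = FIELD_ACCESS.get(module, {}).get(role)
    if policy is None:  # module allowed but no field grants: still deny
        raise AccessDenied(f"{role!r} has no field grants in {module!r}")
    return policy


def read_record(role, module, record):
    """Return a copy of the record holding only fields the role may read."""
    policy = _field_policy(role, module)
    return {k: v for k, v in record.items() if k in policy.read}


def apply_update(role, module, record, changes, audit_log):
    """Apply changes only if every touched field is writable by the role.

    One denied field rejects the whole request (no partial writes), and
    both allowed and denied decisions are appended to the audit log.
    """
    policy = _field_policy(role, module)
    denied = sorted(set(changes) - policy.write)
    entry = {"role": role, "module": module, "fields": sorted(changes)}
    if denied:
        audit_log.append({**entry, "outcome": "denied", "denied_fields": denied})
        raise AccessDenied(f"{role!r} may not write {denied} in {module!r}")
    audit_log.append({**entry, "outcome": "allowed"})
    updated = dict(record)
    updated.update(changes)
    return updated


def demo():
    """Run the scenarios and return a summary the caller can inspect."""
    log = []
    summary = {"views": {}, "log": log}
    for role in MODULE_ACCESS:
        summary["views"][role] = sorted(read_record(role, "audit", SAMPLE_FINDING))
    # Allowed: the business owner reassigns the remediation owner.
    updated = apply_update("business_owner", "audit", SAMPLE_FINDING,
                           {"remediation_owner": "Security Team"}, log)
    summary["reassigned_to"] = updated["remediation_owner"]
    # Denied: the business owner tries to edit the auditor's notes.
    try:
        apply_update("business_owner", "audit", SAMPLE_FINDING,
                     {"internal_notes": "tampered"}, log)
    except AccessDenied as exc:
        summary["denied_reason"] = str(exc)
    # Denied at system level: the external auditor has no "risk" module access.
    summary["external_can_see_risk"] = has_module_access("external_auditor", "risk")
    return summary


if __name__ == "__main__":
    print(demo())
```

Two design choices matter for a GRC platform: the update is all-or-nothing, so a request mixing permitted and forbidden fields never half-applies, and both outcomes are written to the audit log, which is what supports the "full audit record" benefit claimed for these platforms later in the deck.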


GRC Technology for Audit Management

Key Roles

Chief Audit Executive (CAE) or Internal Audit Director (IAD)

Audit Committee

Internal audit managers

Lead auditor

Internal auditor

External auditor

Functional Architecture (How Audit Management Solution Works)

Process High Level Summary

Audit Management Team completes pre-audit activities:

• Create the Audit Entity in the system, scoping the entity based on associated Business Processes, Applications, Devices, and Facilities. Assign audit and business ownership to each audit entity

• Create the Audit Plan in the system; define the start date and end date, and the reviewers and approvers

• Set up the Program and procedure library in the system

Audit Management team defines a Plan Entity by linking it to the Audit Entity and Audit Plan

Audit user creates the Audit Engagement and selects the in-scope audit programs

The audit user completes work papers generated by the system


Key Benefits of GRC Technology

Single repository of regulations to comply with, by entity.

Workflow driven collaborative risk assessment for prioritization of actions & central planning dashboard

Comprehensive reporting capabilities related to compliance levels and risk exposure by business unit

Document risk mitigation, prioritize & track responses

Automate assessment and remediation processes

Full audit record of automated policy distribution and user acknowledgement through mobile applications

Automated monitoring of sensitive controls, data and transactions within IT, finance and operations


GRC Products/Vendors Overview


Sample ME GRC Vendors – Summary of Offerings

Vendors compared: Archer, SAP GRC, Oracle GRC, MetricStream, BWise, Thomson Reuters

Modules compared:

Audit Management

Compliance Management

Enterprise Risk Management

Operational Risk Management

IT Risk Management including Cyber Security

Advanced Financial Controls Monitoring

Business Resiliency

Legend

Module offered by vendor in out-of-the-box solution

Module may not be out-of-the-box but consolidated with other modules

Module not offered by vendor out-of-the-box

[Vendor-by-module matrix: the per-vendor ratings are not recoverable from the slide text]


Advanced Controls Monitoring Driven GRC Solution – SAP as an example

SAP Access Control


Enterprise GRC - RSA Archer GRC as an example

RSA Archer Audit Management: Transform your internal audit function from reactive and compliance focused to become a proactive and strategic enabler of the business.

RSA Archer Business Resiliency: Automate business continuity and disaster recovery planning and execution to protect your organization from crisis events.

RSA Archer Enterprise & Operational Risk Management: Gain a clear, consolidated view of risk across your business by aggregating disparate risk information in one central solution.

RSA Archer IT & Security Risk Management: Compile a complete picture of technology- and security-related risks and understand their financial impact to improve decision-making.

RSA Archer Regulatory & Corporate Compliance Management: Establish a sustainable, repeatable and auditable regulatory compliance program by consolidating information from multiple regulatory bodies.

RSA Archer Third Party Governance: Get an accurate picture of third-party risk while managing and monitoring the performance of third-party relationships and engagements.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Deloitte & Touche (M.E.) is a member firm of DTTL and is a leading professional services firm established in the Middle East region with uninterrupted presence since 1926, providing audit, tax, consulting, and financial advisory services through 26 offices in 15 countries with more than 3,300 partners, directors and staff.

Copyright © 2018 Deloitte & Touche (M.E.). All rights reserved.