TRANSCRIPT
Governance, Risk & Compliance (GRC) Technology
Abhisek Bhattacharyya, Principal, Risk Advisory Services, Deloitte & Touche (M.E.)
19th Annual Regional Audit Conference – Abu Dhabi
© 2019 Deloitte & Touche (M.E.). All rights reserved.
Table of Contents
1 – Introduction to GRC
2 – GRC Technology Solution Overview
3 – GRC Products/Vendors Overview
GRC Overview
What could GRC mean to an organization?
Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies and functions are directed and managed.
Risk (management) is the coordinated set of activities to direct and control an organization to realize opportunities while managing negative events.
Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.
GRC Program Pillars
GOVERNANCE
• Identify the external laws, rules and regulations that govern the conduct of the organization
• Define internal policies and procedures to ensure compliance with external requirements and desired organizational objectives
• Enable boards and management teams to understand the current risk and regulatory landscape
RISK MANAGEMENT
• Align and adapt risk management program to organization's business model and company culture
• Identify, analyze and evaluate internal and external risks
• Prioritize and optimize risk portfolio and risk treatments
• Continuously monitor, measure and adapt risk management program
COMPLIANCE
• Define obligation / requirements
• Develop and implement controls, processes and programs to ensure compliance with requirements
• Audit against controls and processes to measure effectiveness of implementation
• Monitor and measure compliance programs and adapt to changing conditions
Program Elements
Technology Platform: Enables and Automates GRC
Risk as a driver for GRC Technology
Technology Risk
• Scale and lack of integration between cyber risk and compliance activities
• Inconsistent methodology for risk evaluation
• Lack of robust incident response capabilities
• Reactive monitoring and integration of technology risk
• Misaligned cybersecurity expectations between business stakeholders
• Lack of consolidation and coordination of cyber risk management activities across the organization
Internal Audit
• Inconsistent view of the auditable entities across the organization and other assurance functions
• Decentralized resource allocation hinders appropriate planning and efficient audit assignment
• Multiple repositories and organizational systems in use across the enterprise with no communication or linkage between them
• Duplication of effort to address findings common across auditable entities, due to an inability to effectively aggregate information
• Inefficient, manual, and time-consuming issue follow-up processes hinder issue resolution and action planning
Operational Risk
• Misalignment between operational risk management and business strategy
• Lack of centralized, meaningful, value-driven data analysis and reporting
• Too much time spent on risk administration instead of risk management
• Lack of an integrated view of risks and loss events hinders risk performance assessment
• Disconnect between risk appetite, the operational risk framework, and other assurance functions
Regulatory Risk
• Demonstrating compliance in a highly complex and constantly changing regulatory environment
• Inconsistent identification and mapping of operational and reputational risks to owners
• Limited resources and time to allocate to issue management
• Lack of transparent end-to-end insight into key risks, combined with inconsistent risk rating across functions
• Inconsistent risk aggregation between governance forums
Enablers for GRC Technology
GRC Enablers / Use Cases
• Internal Audit
• IT Risk Management
• Compliance Management
• Business Resiliency
• Third Party & Vendor Risk Management
• Advanced Continuous Controls Monitoring
• Enterprise Risk Management
• Operational Risk Management
Internal Audit / CAE at the center of GRC leadership
• Articulate to the Audit Committee and Board why having a clear and conformed view of risk, including compliance risks, across the enterprise is critical to defining and achieving strategic objectives
• Assist the Chief Executive Officer (CEO) in finding opportunities and preventing adverse effects from identified risks
• Influence other key functional executives to support Internal Audit’s role in GRC strategy and the organization’s achievement of business objectives. Especially key is having critical conversations with the:
  • Chief Financial Officer (CFO)
  • Chief Ethics and Compliance Officer (CECO)
  • Chief Risk Officer (CRO)
  • Chief Information Officer (CIO)
Key asks for the CAE
• Conversation with the AC & Board: “How can I help you gain transparency using standard, measurable processes?”
• Conversation with the CEO: “How can I help you plan by providing objective, measurable assurance on the GRC capability?”
• Conversation with the CFO: “How can I help you grow and protect value through an integrated GRC framework?”
• Conversation with the CECO: “How can I help you define and improve the use of metrics and other ongoing measurement tools?”
• Conversation with the CRO: “How can I help you drive enterprise risk management throughout the organization?”
• Conversation with the CIO: “How can I help you improve the IT infrastructure for GRC?”
GRC Technology Solution – Market Direction
Traditional GRC approach
• Use of spreadsheets to track regulatory compliance.
• No centralized means of tracking risks.
• Lack of consistent reporting around risk & compliance initiatives.
• Lack of accountability for risks and controls.
• Lack of automation to improve efficiency and data collection.
Emerging GRC trends
• Analytic tools to measure and monitor risk management processes.
• Best-in-class vendor solutions to replace GRC modules.
• GRC platforms integrated with other best-in-class solutions and analytics tools to provide common reporting and a holistic view of the business environment.
GRC solution types
A significant number of organizations still depend on spreadsheets and office automation for GRC programs, but more organizations are now using either stand-alone or integrated vendor platforms, indicating a shift towards consolidation.
GRC Technology Solution - Common Architecture
GRC elements
• Enterprise Risk
• Core GRC capabilities
• Risk & control content
• Business processes
Common GRC modules
• Policy management
• Risk & control self assessment
• Incident & issues management
• Remediation planning
• Compliance
• IT Risk
• Third Party / Vendor Risk
• Operational Risk
• Business Resiliency
• Audit
• Financial Controls
Database · Content · Workflow · Reporting
GRC Technology Solution – Core Capabilities
GRC Core Capabilities
• Integration: seamlessly integrate cross-departmental systems
• Application builder: build applications to meet business requirements
• Reports and dashboards: gain real-time, actionable reports and graphical dashboards
• Access control: enforce access controls at the system or field level
• User experience: ease of end-user adoption
• Content & document management: storage of content and documents
• Workflows & notifications: enable business-process workflow approvals
RPA friendly or RPA ‘enabled’ · AI & cognitive thinking ‘embedded’ · Analytics ‘driven’
GRC Technology for Audit Management
Key Roles
• Chief Audit Executive (CAE) or Internal Audit Director (IAD)
• Audit Committee
• Internal audit managers
• Lead auditor
• Internal auditor
• External auditor
Functional Architecture (How an Audit Management Solution Works)
Process High Level Summary
1. The audit management team completes the pre-audit activities:
   • Create the Audit Entity in the system, scoping the entity by its associated business processes, applications, devices, and facilities. Assign audit and business ownership to each audit entity.
   • Create the Audit Plan in the system; define the start and end dates, and assign reviewers and approvers.
   • Set up the program and procedure library in the system.
2. The audit management team defines a Plan Entity by linking it to the Audit Entity and the Audit Plan.
3. An audit user creates the Audit Engagement and selects the in-scope audit programs.
4. The audit user completes the work papers generated by the system.
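The core-capabilities slide lists "enforce access controls at the system or field level", and the audit-management process above involves several roles (CAE, audit managers, lead and internal auditors, external auditors) touching the same plan and work-paper records. The following Python sketch is an added example, not code from the page or from any GRC vendor, of what field-level enforcement looks like on those records: a deny-by-default permission matrix keyed by role, record type and field, with every allow or deny decision written to an audit trail. The role names follow the slide's Key Roles list; the record types, field names, policy entries, user names and sample records are assumptions constructed for the example.

```python
"""Field-level access control with an audit trail for an audit-management workflow.

Added illustration, not vendor code. Roles follow the slide's Key Roles list;
record types, field names, the policy matrix and the sample records are
constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set, Tuple

# Field-level policy: (record_type, field_name) -> {role: {actions}}.
# Deny by default: any (record, field, role, action) not listed is refused,
# so adding a new field to a record never silently exposes it.
POLICY: Dict[Tuple[str, str], Dict[str, Set[str]]] = {
    ("audit_plan", "scope"): {
        "cae": {"read", "write"}, "audit_manager": {"read", "write"},
        "lead_auditor": {"read"}, "internal_auditor": {"read"},
        "external_auditor": {"read"},
    },
    # Only the approver (CAE) may change approval status; others may view it.
    ("audit_plan", "approval_status"): {
        "cae": {"read", "write"}, "audit_committee": {"read"},
        "audit_manager": {"read"}, "lead_auditor": {"read"},
    },
    ("work_paper", "evidence"): {
        "lead_auditor": {"read", "write"}, "internal_auditor": {"read", "write"},
        "audit_manager": {"read"}, "external_auditor": {"read"},
    },
    # Reviewer notes stay inside the internal audit team.
    ("work_paper", "reviewer_notes"): {
        "lead_auditor": {"read", "write"}, "audit_manager": {"read", "write"},
    },
}


@dataclass
class AuditEvent:
    """One access decision, recorded whether it was allowed or denied."""
    user: str
    role: str
    record_type: str
    record_id: str
    field_name: str
    action: str
    allowed: bool


@dataclass
class GrcRecord:
    record_type: str
    record_id: str
    fields: Dict[str, Any]
    trail: List[AuditEvent] = field(default_factory=list)

    def _decide(self, user: str, role: str, field_name: str, action: str) -> bool:
        # Lookup falls through to an empty set, which is the deny-by-default path.
        allowed = action in POLICY.get((self.record_type, field_name), {}).get(role, set())
        self.trail.append(AuditEvent(user, role, self.record_type, self.record_id,
                                     field_name, action, allowed))
        return allowed

    def read(self, user: str, role: str, field_name: str) -> Any:
        if not self._decide(user, role, field_name, "read"):
            raise PermissionError(f"{role} may not read {self.record_type}.{field_name}")
        return self.fields[field_name]

    def write(self, user: str, role: str, field_name: str, value: Any) -> None:
        if not self._decide(user, role, field_name, "write"):
            raise PermissionError(f"{role} may not write {self.record_type}.{field_name}")
        self.fields[field_name] = value

    def view(self, user: str, role: str) -> Dict[str, Any]:
        """Field-level masking: return only the fields this role may read."""
        return {f: v for f, v in self.fields.items() if self._decide(user, role, f, "read")}


def denied(record: GrcRecord) -> List[AuditEvent]:
    """Denied decisions are the first thing a reviewer of the trail looks at."""
    return [e for e in record.trail if not e.allowed]


def approve_plan(plan: GrcRecord, user: str, role: str) -> str:
    """Approval step of the audit plan: succeeds only for a role with write on approval_status."""
    plan.write(user, role, "approval_status", "approved")
    return plan.fields["approval_status"]


if __name__ == "__main__":
    # Constructed sample: one work paper touched by an internal and an external auditor.
    wp = GrcRecord("work_paper", "WP-1", {"evidence": "", "reviewer_notes": ""})
    wp.write("alice", "internal_auditor", "evidence", "screenshot of the change record")
    print(wp.view("bob", "external_auditor"))  # external auditor sees evidence only
    try:
        wp.read("alice", "internal_auditor", "reviewer_notes")
    except PermissionError as exc:
        print("denied:", exc)
    for event in denied(wp):
        print(event)
```

The two properties worth carrying into a real platform are the ones the block makes explicit: the policy lookup falls through to an empty set rather than to a permissive default, and the trail records denials as well as grants, since a burst of denied reads on `reviewer_notes` is itself a finding for the audit manager.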
Key Benefits of GRC Technology
• Single repository of the regulations each entity must comply with.
• Workflow-driven, collaborative risk assessment for prioritization of actions, with a central planning dashboard.
• Comprehensive reporting on compliance levels and risk exposure by business unit.
• Document risk mitigation; prioritize and track responses.
• Automate assessment and remediation processes.
• Full audit record of automated policy distribution and user acknowledgement through mobile applications.
• Automated monitoring of sensitive controls, data and transactions within IT, finance and operations.
Sample ME GRC Vendors – Summary of Offerings
Vendors compared: Archer, SAP GRC, Oracle GRC, MetricStream, BWise, Thomson Reuters
Modules compared:
• Audit Management
• Compliance Management
• Enterprise Risk Management
• Operational Risk Management
• IT Risk Management including Cyber Security
• Advanced Financial Controls Monitoring
• Business Resiliency
Legend
• Module offered by vendor in out-of-the-box solution
• Module may not be out-of-the-box but consolidated with other modules
• Module not offered by vendor out-of-the-box
Advanced Controls Monitoring Driven GRC Solution – SAP as an example
SAP Access Control
Enterprise GRC - RSA Archer GRC as an example
RSA Archer Audit Management: Transform your internal audit function from reactive and compliance focused to a proactive and strategic enabler of the business.
RSA Archer Business Resiliency: Automate business continuity and disaster recovery planning and execution to protect your organization from crisis events.
RSA Archer Enterprise & Operational Risk Management: Gain a clear, consolidated view of risk across your business by aggregating disparate risk information in one central solution.
RSA Archer IT & Security Risk Management: Compile a complete picture of technology- and security-related risks and understand their financial impact to improve decision-making.
RSA Archer Regulatory & Corporate Compliance Management: Establish a sustainable, repeatable and auditable regulatory compliance program by consolidating information from multiple regulatory bodies.
RSA Archer Third Party Governance: Get an accurate picture of third-party risk while managing and monitoring the performance of third-party relationships and engagements.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Deloitte & Touche (M.E.) is a member firm of DTTL and is a leading professional services firm established in the Middle East region with uninterrupted presence since 1926, providing audit, tax, consulting, and financial advisory services through 26 offices in 15 countries with more than 3,300 partners, directors and staff.
Copyright © 2018 Deloitte & Touche (M.E.). All rights reserved.