LEADING WITH GRC. Approaching Integrated GRC. Knute Ohman, VP, GRC Program Manager. GRC Summit 2017 All Rights Reserved

Transcription

1 LEADING WITH GRC Approaching Integrated GRC Knute Ohman, VP, GRC Program Manager

2 Agenda 1. Organization Overview: Vision, Key Facts and Needs 2. GRC Program Governance, Challenges and Community 3. Implementation Approach 4. GRC Program Project Management 5. Business Value and Realized Benefits 6. Key Learnings and Best Practices 7. Audience Questions and Discussion

3 Organization Overview and Needs Organization s Vision Where possible, eliminate redundant applications with similar functionality to reduce costs Normalize taxonomy across the organization so all business units are speaking the same language Increase report generation efficiency Enhance and streamline processes through standardization and procedural structure Challenges Multiple business units operating independent of each other with individualized reporting terminology, inputs, outputs, etc. Moving from spreadsheets and word documents to a structured workflow format Normalization of meta data and data elements Timelines, resources, administration, application support, training, user adoption the list is long

4 Organization Overview and Needs GRC Needs and Scope TCF needed to develop a GRC program to provide the business with a single source of truth for business units to operate cohesively across the organization Each use case was examined with the implementation goal of replicating the current activities performed, with continued examination post-implementation for expanded use cases Measurable objectives of the GRC program Successful development of centralized organizational structure, libraries, and normalized data elements Successful implementation of specific module with follow-up on operational activities to ensure user adoption and review enhancement opportunities Successful automation of previously manual processes Reduction of report generation timing

5 GRC Program Governance Model and Decision Making among Stakeholders TCF created a GRC Program function to act as system administration, application support, implementation facilitators, future state visionaries, data analytics, and process consultants Centralized change management for all aspects of the application to ensure changes requested by one business unit had little to no impact on other business units utilizing the application Established a cross-functional GRC Working Forum (governing body that meets at least quarterly) and GRC Working Group (SMEs using the application that meets at least monthly) for key configuration decisions, pain points discussion, and sharing of success stories Challenges People Business Unit SME resource constraints, GRC Program availability Processes Introducing structure that did not previously exist Systems Moving business units from established applications and ad hoc, manual processes to a new application

6 Implementation Approach Implemented MetricStream Modules and Libraries: Issues Management Policy and Document Management System Compliance Audit, Scheduling, and Time Sheet Management Operational Risk Management Established Libraries: Risk, Areas of Compliance, Products, Requirements, Functions, Regulatory Bodies Implementation Roadmap: Information Technology Risk Management Vendor Risk Management Compliance/BSA/AML specific risk assessment and information gathering Libraries under development: Controls, Processes, Evidence, Framework Reference, Asset Classes, Assets, Objectives

7 Implementation Approach Implementation Rollout Strategy and Tactics: Project tracking in consolidated spreadsheet reported to management Pre-work prior to engaging the MetricStream implementation team to ensure complete understanding of business use case, data elements, and reporting needs Weekly/Monthly meetings with SMEs to ensure user adoption and discuss future changes to workflow, reporting, info centers, etc. Quarterly GRC Working Forum meetings to ensure corporate support and buy-in as well as governance and approval of changes to strategies, libraries, modules, etc. Monthly GRC Working Group meetings to discuss current pain points and possible modifications to ease user interaction

8 GRC Program Project Management

9 Business Value and Realized Benefits Key Process Improvements and Efficiencies Gained: Issues Management Reduction in monthly report generation timing from 1 weeks to 1-2 hours Issues Management Incorporated monthly report into landing page eliminating the need for external spreadsheet macro Issues Management Automated manual review and approval process creating reportable audit trail and automated notifications Policy Management Created central policy repository for all business unit and support function policies Policy Management Automated policy approval process reducing turnaround time by 60% with reportable audit trail Policy Management Research time reduction from 50+ hours to minutes and eliminated versioning issues Policy Management Developed an integration point between Active Directory and MetricStream for autoprovisioning and end-dating for all TCF employees (all 6,000 + TCF employees have auto-provisioned read access to the PDMS module for Policy review) Operational Risk Management (RCSA) Introduced automated Risk Assessment process to eliminate external spreadsheet format and potential retention and versioning issues

10 Key Learnings and Best Practices Progression over Perfection: You will NEVER be able to implement the perfect GRC solution out of the gate. Start with a defined use case and feature set, knowing you will be able to expand on it in the future. This will significantly reduce scope creep. Define Roles and Responsibilities: Established team(s) responsible for administrative activities and support functions. Assigned resource must be able to allocate the majority of their time to these activities. This must be accounted for in your budget/resource request. Configuration vs. Customization (Code Changes): Stay true to the out-of-the-box solution as much as possible, but acknowledge that some functionality needs to be developed. Explore all configurations and have discussions with the Professional Services and Support teams to exhaust options before requesting development activities. Keep customizations to a minimum and track them fastidiously.

11 Q&A

12 Thank You! Continue the conversation online #GRCSummit