BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Transcription

1 BPS Suite and the OCEG Capability Model Mapping the OCEG Capability Model to the BPS Suite s product capability. BPS

2 Contents Introduction... 2 GRC activities... 2 BPS and the Capability Model for GRC... 3 The OCEG Framework Practices and Components... 4 Culture and Context... 4 Organize and Oversee... 4 Assess and Align... 5 Prevent and Promote... 5 Detect and Discern... 6 Respond and Resolve... 6 Monitor and Measure... 7 Inform and Integrate... 7 The BPS Suite supports:... 7 Conclusion... 8 About BPS... 8 INTRODUCTION This white paper focuses on the practices and objectives for an integrated GRC (Governance Risk and Compliance) system and the BPS technology that helps achieve this integration. This article is organized around the central concepts presented in the OCEG (Open Compliance & Ethics Group) Red Book 1 which describes the GRC Capability Model and also provides a basic understanding of the principles and structure of the OCEG Framework. GRC ACTIVITIES When examining the approach to GRC, many companies have concluded that there are significant overlapping considerations, best practices, and internal and external forces. Most also agree that correctly addressing the sum of these parts is more effective and ultimately more valuable to the 1 OCEG is a non-profit think tank that helps organizations drive principled performance by providing standard tool and resources that enhance corporate culture and integrate governance, risk management, compliance, internal controls and ethics processes. The GRC Capability Model and the OCEG Framework are registered trade marks of OCEG. BPS Inc. 2009, Page 2 of 8

3 organization than any singular focus. Integrating GRC activities and strategies that are currently siloed within a company prevents duplication and potentially contradictory outcomes. For many enterprises these activities when viewed separately form an expansive list which includes: Audit and assurance Global trade compliance, supply chain, vendor and 3 rd party compliance Corporate social responsibility Financial controls management, filing and transaction monitoring Insurance and claims management Quality Planning, strategy and performance management Financial risk and operational risk Fraud Legal Business continuity (including change management, crisis management, and disaster recovery) Corporate compliance and ethics Environmental health and safety IT risk and compliance (including change management, access management and security) Privacy Business enterprises and organizations can no longer afford to view these GRC activities separately. Instead they must clearly define what they plan to achieve and how they will achieve objectives, while limiting risk and staying within their boundaries and policies, using one unified and holistic approach. BPS AND THE CAPABILITY MODEL FOR GRC One of the most commonly accepted frameworks to achieve a unified GRC approach is the GRC Capability Model (OCEG Red Book). The model views GRC as a single activity with a set of detailed practices and components, identified in Fig.1 2. The BPS Integrated GRC platform provides the technology to support many key elements of the GRC Capability Model and helps organizations achieve a common language and collaborative. Each of the practices and components in the Capability Model represent a critical aspect of a complete approach to GRC. These and their underlying components are described in detail in the OCEG Red Book. The following section offers a brief overview of the OCEG practices and how the BPS suite Figure 1: OCEG GRC Capability Model Elements View 2 Figure 1 OCEG Redbook 2.0, April 2009, Open Compliance & Ethics Group. BPS Inc. 2009, Page 3 of 8

4 of products helps its users address each one at a high level. THE OCEG FRAMEWORK PRACTICES AND COMPONENTS CULTURE AND CONTEXT Culture plays an integral role in GRC performance within an organization. GRC is no longer being viewed as an add-on to normal business activities but rather as a business philosophy that is infused into the culture and its operations. The BPS Suite allows the organization to focus on defining a balanced set of measurable business objectives that are aligned with vision and values: Powerful tools to identify and document key organizational structures, cross functional teams, key human capital and technology assets, as well as business processes, products and physical assets. The ability to cascade high-level business objectives, policies and requirements to assurance roles such as internal audit. Analytical reporting and assessment tools that support tone at the top rollups of the overall risk environment. The ability to set various indicators within the platform and help establish targets to ensure business objectives are met within defined tolerances. ORGANIZE AND OVERSEE For an organization to have a successful integrated GRC program it must communicate clear mission and objectives, define organizational roles and determine the implementation scope of the GRC system. BPS recognizes the importance of this practice and features a number of product capabilities that help promote GRC program transparency and accountability: A leading organizational modeling facility allows users to develop templates for communicating organization s objectives, vision and values. A single application with configurable modules fits the organization s implementation scope phased vs. enterprise wide while providing embedded project management and reporting and logging facilities. Key roles benefit from features such as: risk analysis and aggregation, compliance risk assessment, controls and internal application management and all related assurance activities such as Internal Audit. BPS Inc. 2009, Page 4 of 8

5 ASSESS AND ALIGN Assessing risks and aligning the GRC program with business processes is a central component of any GRC initiative. Defining a GRC process model and ensuring that it integrates with the existing business planning activities can accomplish this. The GRC system should offer a portfolio of initiatives, tactics and activities that relate to organization s moving parts and operational model. BPS Supports assessment and alignment through a number of features: Activities can be balanced and prioritized against corporate goals and regulatory requirements. Definition and categorization of risks and their impacts, as well as interrelationships across multiple aspects of the organization. Cross reference assessment programs to any part of the risk management or GRC framework. Define, schedule and link key risk data collection and assessment activities. Each set of activities can be rolled up into projects or initiatives that are tracked and visualized as a portfolio. Remediation and change management tools that are integrated to ensure that findings are actionable and that change is driven in an organized and prioritized fashion PREVENT AND PROMOTE By developing an integrated implementation and management plan GRC activities can be optimized to promote and motivate desirable conduct. These can also prevent undesirable events and activities using a mix of controls and incentives. Prevention and promotion in the BPS Suite: Create multiple planning templates that promote best practices and awareness, as well as aligning risks and controls with business policies and resources. The system provides a clear mapping of controls and risk coverage and how they relate to operational processes. Review, revisit and expire old policies and promote ones that address current risks and objectives. Link information to existing and proposed standards and guidance that affect the company s GRC requirements and track the activities related to these requirements. BPS Inc. 2009, Page 5 of 8

6 DETECT AND DISCERN Being proactive in detecting potential risks, losses and undesirable conduct is key for any organization. By providing streamlined methods of gathering data and analysis techniques, organizations can detect and diffuse potential concerns. BPS Suite support: Consolidate and visualize various many types of enterprise data. Analyze control and assessment findings, loss incidents and more through a rich library of reports and dashboards. Enterprise workflow technology ensures optimal information delivery and real-time notification capabilities helping maintain and prioritize focus. Integrated survey capability and self assessment tools. Create and manage information about detective controls across the company. RESPOND AND RESOLVE Process failures and loss events can occur in any organization. Having a nimble process, data, and the tools to analyze and understand root causes is crucial in order to resolve and prevent similar issues in the future. Users need to have confidence in the GRC system and process so that they can easily report and respond to issues effectively while ensuring the privacy and confidentiality of the data during the investigation and analysis phases. Strong process and project management functionality within BPS Suite support this practice: Capture and categorizes compliance exceptions, audit findings, control failures, risk indicators, incidents and loss events based on the client s specific set of corporate taxonomies. Streamline and manages the creation of action plans with full issue tracking capabilities while ensuring appropriate confidentiality of information through the use of a sophisticated roles and user privileges manager. Audit trails and detailed reporting provides the analytical insight to aid the organization in refining processes and corrective controls in order to resolve and mitigate future concerns. BPS is built to aid both internal investigations and those conducted by regulators and external auditors. Templates to support crisis response and disaster recovery scenarios. BPS Inc. 2009, Page 6 of 8

7 MONITOR AND MEASURE Organizations need to periodically evaluate and modify the GRC system to ensure it contributes to evolving business objectives while remaining effective, efficient and responsive to the changing environment. The architecture of the BPS product promotes rapid responses to changes in the context in which it operates, ensuring that risk exposure is minimized and key controls provide proper coverage: Assessment capability is used to survey business stakeholders providing feedback on the effectiveness of the GRC program as it relates to them. Standardized reports that help identify areas that have too heavy or too light a control paradigm. Facilities that enable test of design workflows. Support for advanced Extract, Transfer and Load (ETL) technology capable of importing and synchronizing external data (such as regulatory changes and new policy and guidelines) into the GRC framework. The most comprehensive internal assurance (internal audit management) and reporting tools available to enable feedback to the board and management on the effectiveness of the GRC program. Support for the principals and procedures available in the OCEG Burgundy Book. INFORM AND INTEGRATE At the center of the Capability Model is the ability to capture, document and manage information accurately across the organization as well as external stakeholders. The flow of information needs to efficiently cross functional areas and provide value to its targeted audience. The BPS Suite supports: A consolidated repository linking templates, risks, controls, assessments, and key artifacts across the organization. Flexible and secure workflow, notifications and data views promotes transparent flow of the data while ensuring that the appropriate stakeholders have access to the information they need. Organization modeling facilities that ensure the right person gets the right information at the right time. Comprehensive, time-proven reports that are the result of man-years of GRC implementation experience. BPS Inc. 2009, Page 7 of 8

8 CONCLUSION The increasing demand on organizations to meet their objectives while managing risks and staying within their regulatory boundaries is tremendous. GRC activities are fundamentally interconnected and integration is more than a process, it s a business philosophy. To stay ahead of the curve, GRC needs to be part of the organization s culture and processes. Encouraging transparency and collaboration among stakeholders within the organization and promoting a unified framework and common language throughout the organization can achieve this. Drawing from OCEG s Capability Model and using the BPS integrated GRC software, clients are achieving many of the mission critical elements of a successful GRC program. ABOUT BPS BPS is a leading provider of enterprise GRC and internal audit software solutions to the world s top organizations. BPS provides enterprise governance, risk & compliance software to many of the world s bestmanaged companies. BPS is the vendor of choice for internal audit, compliance and operational risk management systems. Each product in the award-winning BPS Suite has proven itself best-in-class in terms of completeness, functional depth, ease of use and technology quality. For more information about BPS and its products, visit or contact us at info@bpsinc.com BPS Inc. 2009, Page 8 of 8