COPENHAGEN?=! CO?=! MPLIANCE T o p i c a l a n d T i m e l y Riskability GRC Controllers Governance, Risk & Compliance COPENHAGEN?=! CHARTER Bribery, Fraud & Corruption GRC SURVEY RESULT. Please indicate your profession 5 6 7 8 9 Financial Services Manufacturing Health care Consultancy, Training and Education Communications/Media Audit and Legal Government IT Other 0.5 5. 7.69 7.95 0.00 0.5 7.69 7.69.8 Please indicate your profession Financial Services Health care Communications/Media Government Other 0 5 6 7 8 9
. Please indicate your position Board of Directors Senior Management GRC Officer Manager.50 7.50 0.00 0.00 Please indicate your position Board of Directors Senior Management GRC Officer Manager 0 6 8 0
. What is your top GRC business priority in 0? Attaining a consolidated view of risks and staying on top of new 6.59 regulations and track costs associated with risk and compliance. Controlling that the rd party, outsourced and vendors risks are in.0 compliance with mandates and policies. Determine the GAP(s) between the significant risk and compliance.0 challenges. Furnish the organization with a consolidated view of all compliance and 9.5 risk factors and provide effective GRC services. 5 Get a grip on risk and compliance with a IT platform that delivers 7. integrated risk and regulatory reports. 6 Inadequate current GRC solution/process to provide the ability to. generate automatic assessments. 7 An evaluation of the risk and compliance department s overall 9.76 effectiveness. What is your top GRC business priority in 0? Attaining a consolidated view of risks and staying on top of new regulations and Controlling that the rd party, outsourced and vendors risks are in compliance with Determine the GAP(s) between the significant risk and compliance challenges. Furnish the organization with a consolidated view of all compliance and Get a grip on risk and compliance with a IT platform that delivers integrated risk and Inadequate current GRC solution/process to provide the ability to generate An evaluation of the risk and compliance department s overall effectiveness. 0 6 8 0 6
. How will you best describe your company's approach and effort to put into practice the GRC issues? Leader. We have an reasonable GRC strategy in place, and.08 we are proactively executing the GRC plan each year. Strategist. We are getting better to determining the 0.6 appropriate GRC strategy, and the drive to executing our GRC plan seems to be in order. Methodological. We are working on improving the 8. information required to establish and determine the GRC strategy, but we are getting the GRC things done. Unstructured. We do not have an strong GRC strategy in 8.6 place, and we are typically in a reactive mode when it comes to monitoring the GRC processes How will you best describe your company's approach and effort to put into practice the GRC issues? Leader. We have an reasonable GRC strategy in place, and we are proactively Strategist. We are getting better to determining the appropriate GRC Methodological. We are working on improving the information required to Unstructured. We do not have an strong GRC strategy in place, and we are 0 6 8 0 6
5. What does GRC mean to you and your organisation? GRC is: The need for governance, risk management, and compliance functions to 5.00 work together. It is not about optimizing performance, managing risks, and remaining in.50 compliance, but more to fulfill stakeholder requirements. We use it as a solution for managing access to our ERP system(s) We use it as a risk and compliance management plus policy and audit.50 7.50 management system. 5 It is just another hype like BPR, for consultants and vendors to sell services 5.00 or products. 6 The use of GRC as a term in our company is so vast that we use it to include 0.00 a variety of areas, processes, policies and controls, tests, reports, disclosures and technology. 7 To us GRC refers to a combination of solutions, specifically risk 7.50 management, compliance management, audit management, and policy management. What does GRC mean to you and your organisation? GRC is: The need for governance, risk management, and compliance functions It is not about optimizing performance, managing risks, and We use it as a solution for managing access to our ERP system(s) We use it as a risk and compliance management plus policy and audit It is just another hype like BPR, for consultants and vendors to sell services The use of GRC as a term in our company is so vast that we use it to include a variety To us GRC refers to a combination of solutions, specifically risk 0 6 8 0 6
6. The most important in order to deal with the pressures of regulatory compliance More GRC staff..6 A new compliance organization/officer. 8. More information and guidance from external sources on 5.79 how to understand and implement the requirements of new regulation. Wall-to-wall technology/it for automated Compliance.05 controls. (Information solutions, documentation and workflow software, disclosure). 5 Inconsistencies and Inefficiencies in the current policies,.58 processes and procedures need to be updated. The most important in order to deal with the pressures of regulatory compliance More GRC staff. A new compliance organization/officer. More information and guidance from Wall-to-wall technology/it for Inconsistencies and Inefficiencies in the 0 6 8 0
7. Do you measure the effectiveness of your compliance (or GRC) program? We do not attempt to measure the compliance programs, we. just comply We do not attempt to measure the company s return on. investment in compliance (GRC) costs. We have defined our (GRC and) compliance plan and. established specific compliance (GRC) objectives We need to specify the key performance indicators for Risk 7.78 Management 5 6 We need to specify the key performance indicators for Good Governance We have defined the key performance indicators for Compliance (GRC) and how to measures the performance effectively.78.78 Do you measure the effectiveness of your compliance (or GRC) program? We do not attempt to measure the We do not attempt to measure the We have defined our (GRC and) We need to specify the key performance We need to specify the key performance We have defined the key performance 0 6 8 0
8. The most important function of Compliance 5 6 7 8 Anti-corruption laws and enforcement Bribery and Fraud efforts Compliance and Ethics training Gifts and Entertainment Oversight of privacy and confidentiality Regulatory oversight on effective compliance Security risks Whistleblower incentives.89.78 5.00.78 5.56. 5.56 0.00 The most important function of Compliance Anti-corruption laws and enforcement Compliance and Ethics training Oversight of privacy and confidentiality Security risks 0 6 8 0 6 8
9. We use the following tools to measure the GRC programs 5 Audit the compliance program Employee training data Employee evaluations and feedback data Hotline activity Stakeholder evaluations of compliance and ethics program 9.7.05 0.5.6 6. We use the following tools to measure the GRC programs Audit the compliance program Employee training data Employee evaluations and feedback data Hotline activity Stakeholder evaluations of compliance 0 6 8 0 6
0. When incidents do occur, the most likely impact to the business is: 5 6 7 Brand/reputation compromised Extortion Fraud Financial losses Intellectual property theft Loss of shareholder value Legal exposure / lawsuit.59 5..56.08 0.00.56.08 When incidents do occur, the most likely impact to the business is: Brand/reputation compromised Extortion Fraud Financial losses Intellectual property theft Loss of shareholder value Legal exposure / lawsuit 0 6 8 0 6 8
. Which ERM framework do you use? Choice Description % 5 COSO ITIL Own design None Other..7 0.00. 9.7 Which ERM framework do you use? COSO ITIL Own design None Other 0 5 6 7 8 9. What is the frequency of security-related breaches in your organisation? Choice Description % <0 incidents >0 incidents >50 incidents 78.95 0.5 0.5 <0 incidents >50 incidents What is the frequency of securityrelated breaches in your organisation? 0 6 8 0 6
. What is the impact that cloud computing has on IT security risks? Proximity of your information to someone else's Inadequate training and IT auditing Uncertain ability to execute provider site security policies Questionable restricted access control at source site 7.50. 8. 0.8 What is the impact that cloud computing has on IT security risks? Proximity of your information to someone else's Inadequate training and IT auditing Uncertain ability to execute provider site security policies Questionable restricted access control at source site 0 6 8 0