GRC Maturity. Benchmarking Your GRC Program. October 2014

Similar documents
GRC 3.0 is GRC by Design

INTELLIGENCE DRIVEN GRC FOR SECURITY

GOVERNANCE, RISK & COMPLIANCE CPD FOR MEMBERS IN COMMERCE & INDUSTRY AUGUST 2018

Aligning IT, Security and Risk Management Programs. Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

ACL Interpretive Visual Remediation

2017 GRC Maturity Survey

RSA Advanced Cyber Defence Summit

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

OPERATIONAL RISK MANAGEMENT: A GUIDE TO HARNESS RISK WITH ENTERPRISE GRC

Data Governance Quick Start

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

ServiceNow Indicator Based Continuous Control Management

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

2 The IBM Data Governance Unified Process

INTEGRATED COMPLIANCE & ETHICS METRICS TO CONNECT THE PIECES OF ORGANIZATIONAL INTEGRITY

Helping the C-Suite Define Cyber Risk Appetite. The executive Imperative

Implementing ITIL v3 Service Lifecycle

Heads of Internal Audit Webinar. Integrated Assurance. 24 July In partnership with

WHITE PAPER OCTOBER 2017 VMWARE ENTERPRISE RESILIENCY. Integrating Resiliency into Our Culture and DNA

Achieving effective risk management and continuous compliance with Deloitte and SAP

STEP Data Governance: At a Glance

Demystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases. Gen Fields Senior Solution Consultant, Federal Government ServiceNow

Demystifying GRC. Abstract

TAKING COMMAND OF YOUR GRC JOURNEY WITH RSA ARCHER

Security in India: Enabling a New Connected Era

The University of Queensland

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

Next Generation Policy & Compliance

A Disciplined Approach to Cyber Security Transformation

Improving Data Governance in Your Organization. Faire Co Regional Manger, Information Management Software, ASEAN

A Risk Management Platform

TRANSCANADA S AUDIT FOUNDATION FOR THE EXPANSION OF BUSINESS OPERATIONS

Why you should adopt the NIST Cybersecurity Framework

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Oracle Buys Automated Applications Controls Leader LogicalApps

White Paper. View cyber and mission-critical data in one dashboard

Enterprise GRC Implementation

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

Losing Control: Controls, Risks, Governance, and Stewardship of Enterprise Data

WHITE PAPER. The truth about data MASTER DATA IS YOUR KEY TO SUCCESS

Making Security a Business Enabler

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

Building a BC/DR Control Library and Regulatory Response Program

GRC TOOL IMPLEMENTATION RAEF MEEUWISSE CISA, FUNCTIONAL ARCHITECT, ADAPTIVEGRC

THE ESSENCE OF DATA GOVERNANCE ARTICLE

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

2017 RIMS CYBER SURVEY

MITIGATE CYBER ATTACK RISK

ACL Strategy Module. Technology Innovator in Strategy Management SOLUTIONPERSPECTIVE INNOVATOR. March 2018

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

To Audit Your IAM Program

MetricStream GRC Summit 2013: Case Study

Top Five Secrets to Successfully Jumpstarting Your Cyber-Risk Program

Cybersecurity and Data Protection Developments

Symantec Data Center Transformation

Integrated Assurance Across the Three Lines of #CW2017

Securing Your Digital Transformation

Security Metrics Framework

The Business Value of including Cybersecurity and Vendor Risk in ERM

GDPR compliance. GDPR preparedness with OpenText InfoArchive. White paper

SAP: Speeding GRC Control Testing by 90% with SAP Solutions for GRC

TSC Business Continuity & Disaster Recovery Session

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

How To Reduce the IT Budget and Still Keep the Lights On

Driving Global Resilience

OVERVIEW BROCHURE GRC. When you have to be right

CISM Certified Information Security Manager

Cyber Resilience - Protecting your Business 1

Sustainable Security Operations

Rethinking Information Security Risk Management CRM002

Full file at

locuz.com SOC Services

SIEM: Five Requirements that Solve the Bigger Business Issues

Managing IT Risk: The ISACA Risk IT Framework. 1 st ISACA Day, Sofia 15 October Charalampos (Haris)Brilakis, CISA

How to Optimize Cyber Defenses through Risk-Based Governance. Steven Minsky CEO of LogicManager & Author of the RIMS Risk Maturity Model

FOR FINANCIAL SERVICES ORGANIZATIONS

Agile Master Data Management TM : Data Governance in Action. A whitepaper by First San Francisco Partners

How to Become a DATA GOVERNANCE EXPERT

Enabling Security Controls, Supporting Business Results

10 Hidden IT Risks That Might Threaten Your Business

SOLUTION BRIEF RSA ARCHER BUSINESS RESILIENCY

LEADING WITH GRC. Approaching Integrated GRC. Knute Ohman, VP, GRC Program Manager. GRC Summit 2017 All Rights Reserved

Big data privacy in Australia

How a Federated Identity Service Turns Identity into a Business Enabler, Not an IT Bottleneck

Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO

AVOIDING SILOED DATA AND SILOED DATA MANAGEMENT

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

ESTABLISHING THE PILLARS. of a Successful Data Governance Program

RISK INTELLIGENCE Assurance and efficiency improvement through a robust Enterprise Risk Management approach

Trillium Consulting. Data Governance. Optimizing Business Outcomes through Data and Information Assets

Cyber Security Maturity Model

Defining the Challenges and Solutions. Resiliency Model. A Holistic Approach to Risk Management. Discussion Outline

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

MATURE YOUR CYBER DEFENSE OPERATIONS with Accenture s SIEM Transformation Services

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Industrial IT for cpmplus Collaborative Production Management. cpmplus Smart Client The seamless information display for System 800xA

Data Management and Security in the GDPR Era

Transcription:

GRC Maturity Benchmarking Your GRC Program October 2014 Michael Rasmussen, J.D., GRCP, CCEP The GRC Pundit @ GRC 20/20 Research, LLC OCEG Fellow @ www.oceg.org

Are you truly aware of your risks? Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof! E.J. Smith, Captain of the Titanic 2

Change impacts risk management in the context of business 3

... and we hope nothing fails Inability to gain clear view of risk dependencies; High cost of consolidating risk information; Difficulty maintaining accurate risk information; Failure to trend across risk assessment periods; Redundant approaches limit correlation, comparison and integration of risk information; and Lack of agility to respond timely to changing risks, regulations, laws, and situations. 4

Getting direction through the GRC wilderness... 5

The questions The questions organizations need to ask: ask: ü Does the organization have enough information to mak e decisions about the future of the company, when they don t have a clear view of risk that impacts critical business operations and processes? ü Does the organization know its risk exposure at the enterprise, business c process, and technology levels and how they interrelate? ü How does the organization know it is managing and mitigating risk effeti vel y in the context of the business to achie ve business goals? ü Can the organization accurately gauge the impact of risk on business strategy, objectives, and operations? ü Does the organization get the information it needs to tak e timely action to risk exposure to avoid or mitigate loss and situations of non-compliance? ü Does the organization monitor key risk indicators across key IT systems, processes, and information? ü Does the organization optimally measure and model risk in a business context? 6

What GRC is about...... a capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity... 7

GRC Architecture Approaches 8

Federated Governance 9

Federated Risk Management a layered approach to risk 10

Federated Compliance Management 11

Federated Audit Management 12

Federated 3 rd Party Management 13

The Federated GRC model delivers common components 14

Power of information drives GRC intelligence OBJECTIVES & GOALS ASSETS & RELATIONSHIPS RISK & ANALYSIS REGULATIONS & OBLIGATIONS CONTROLS & ASSESSMENT POLICIES & TRAINING INCIDENTS & ISSUES ROLES & RESPONSIBILITIES 15

GRC Maturity Model Self-Assessment Questions: 1 AD HOC GRC is reactive and focused on putting out individual fires of risk and compliance in scattered silos across the organization. Does risk and compliance lack clear owners and accountability within departments? Are assessments and controls put in place after the fact when the organization realizes it is exposed or someone is insisting? Is risk and compliance largely undocumented, or trapped in silos of spreadsheets and documents? Does the organization lack any process, information, and technology architecture to support risk and compliance? Does the department/business function have no ability to report and trend risk and compliance over time? Examples: No defined risk and compliance ownership Ad hoc & reactive assessments Document centric approaches Ad hoc approach Little technology in place No visibility, trending, analytics 16

GRC Maturity Model Self-Assessment Questions: 2 FRAGMENTED Are risk and compliance activities tactical and siloed? Does the organization lack an integrated risk and compliance approach and the department level? Is risk and compliance information scattered across various documents and technology sources? Is it difficult and time-consuming to track and trend risk and compliance information and reporting? GRC responsibilities are scattered and decentralized. Inconsistencies within departments. GRC actitivities are manual and rely on documents, spreadsheets and emails.. Examples: Tactical siloed approach to risk and compliance No integration or sharing of risk and compliance information Reliance on fragmented technology & lots of documents Measurement & trending is difficult 17

GRC Maturity Model Self-Assessment Questions: 3 MANAGED GRC is departmentspecific with limited coordination between department/function. Within a department, GRC activities tend to be well structured, organized, and use technology well to make GRC activities more efficient, effective, and agile. Does the organization have mature risk and compliance processes at a department level? Do individual departments have defined GRC information and technology architectures? Can the department readily report and trend on risk and compliance over time? Have departments removed the overhead of reactive document centric approaches? Is there clear accountability/responsibility for risk and compliance at a department level? Examples: Strategic approach within a department Mature processes at a department level Integrated information architecture Good reporting and trending at a department level 18

GRC Maturity Model Self-Assessment Questions: 4 INTEGRATED The organization has an enterprise GRC strategy that is trying to coordinate efforts, processes, and services across departments. Focus on enteprise reporting and working toward a common GRC platform with centralized GRC coordination. Does the organization have a GRC strategy that goes across departments? Are a majority of risk and compliance functions participating in the GRC strategy? Does the organization have shared processes for GRC? Does the organization have a shared information and technology architecture for GRC? Can the organization report and trend on GRC across departments? Can the organization aggregate and understand risk across the business? Examples: Strategic approach to GRC across departments Silos eliminated Common process, technology and information architecture across departments Trending and reporting across departments 19

GRC Maturity Model AGILE 5 GRC is integrated across the organization which has moved to an understanding of GRC architecture that aligns and integrates information and technologies across the organization. The organization is focused on a federated GRC architecture that allows for central coordination and shared services with distributed accountability and autonomy where it makes sense. Self-Assessment Questions: Is there a single GRC strategy for the entire organization that all departments participate it? Is GRC understood and monitored in the context of business performance? Is risk a key element in strategic planning? Can the organization monitor and trend GRC in the context of organization strategy, performance, and objective management? Does the organization have mature processes, information, and technology implementations to support GRC? Is there regular monitoring for improvement in GRC? Examples: GRC is integrated throughout the business GRC expectations are part of annual strategic planning Extensive measurement and monitoring of risk and compliance in the context of business 20

Strategy, Process, Information & Technology Architecture Alignment GRC 20/20 GRC Maturity Model 5 AD HOC FRAGMENTED 1 GRC responsibilities are scattered and decentralized. GRC is reactive and focused on putting out individual fires of risk and compliance in scattered silos across the organization. Inconsistencies within departments. GRC actitivities are manual and rely on documents, spreadsheets and emails.. 2 3 MANAGED GRC is departmentspecific with limited coordination between department/function. Within a department, GRC activities tend to be well structured, organized, and use technology well to make GRC activities more efficient, effective, and agile. 4 INTEGRATED The organization has an enterprise GRC strategy that is trying to coordinate efforts, processes, and services across departments. Focus on enteprise reporting and working toward a common GRC platform with centralized GRC coordination. AGILE GRC is integrated across the organization which has moved to an understanding of GRC architecture that aligns and integrates information and technologies across the organization. The organization is focused on a federated GRC architecture that allows for central coordination and shared services with distributed accountability and autonomy where it makes sense. Issue to Department to Enteprise Coordination & Integration 21

Effective GRC Management Benchmark Governance Technology Charter GRC Monitoring Resources Processes 22

Increasing GRC maturity through contextual risk awareness delivers... 1. Aware 2. Aligned 3. Responsive 4. Agile 5. Resilient 6. Lean Have a finger on the pulse of business Watch for change in internal & external environment Turn data into information that can be, and is, analyzed Share information in every relevant direction Support and inform business objectives Continuously align objectives and operations to risk of the entity Give strategic consideration to information from risk management enabling appropriate change You can t react to something you don t sense Gain greater awareness and understanding of information that drives decisions and actions Improve transparency, but also quickly cut through the morass of data to what you need to know to make the right decisions More than fast, nimble Being fast isn t helpful if you are headed in the wrong direction. Risk mgmt enables decisions and actions that are quick, coordinated and well thought out. Agility allows an entity to use risk to its advantage, grasp strategic opportunities and be confident in its ability to stay on course. Be able to bounce back quickly from changes in context and threats with limited business impact Have sufficient tolerances to allow for some missteps Have confidence necessary to rapidly adapt and respond to opportunities Build the muscle, trim the fat Get rid of expense from unnecessary duplication, redundancy and misallocation of resources within the risk management Lean the organization overall with enhanced capability and related decisions about application of resources 23

Questions? Michael Rasmussen, J.D. Chief GRC Pundit & OCEG Fellow mkras@grc2020.com +1.888.365.4560 GRC 20/20 Newsletter LinkedIn: GRC 20/20 LinkedIn: Michael Rasmussen Twitter: GRCPundit Blog: GRC Pundit Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.oceg.org.

Join Navigating the Discussion Your GRC Online Journey #GRCSummitEU20 14 MetricStream, Inc. All Rights Reserved. 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback