Governance, Risk and Compliance Management: Integrated Control of the GRC Process

Slides: 9
Provided by: stephe303

Transcript and Presenter's Notes

Title: Governance, Risk and Compliance Management: Integrated Control of the GRC Process


1
Governance, Risk and Compliance Management: Integrated Control of the GRC Process
  • Stephen Hall
  • Information Governance Limited

2
Governance, Risk & Compliance...
  • Governance - setting business strategy &
    objectives, determining risk appetite,
    establishing culture & values, developing
    internal policies and monitoring performance.
  • Risk Management - identifying and assessing risk
    that may affect the ability to achieve
    objectives, applying risk management to gain
    competitive advantage and determining risk response
    strategies and control activities.
  • Compliance - operating in accordance with
    objectives and ensuring adherence with laws and
    regulations, internal policies & procedures, and
    stakeholder commitments.

3
Governance, Risk & Compliance...
GRC provides a framework and a methodology to
enable those people responsible for managing the
business to give confidence to those people who
are accountable to shareholders and to regulators
that corporate objectives are being met.
4
Business drivers for an integrated approach to Governance, Risk and Compliance
Increased complexity due to globalisation
Increased competitive pressures
Increasing regulations
Governance Risk and Compliance
Ethical and financial scandals
New technologies
Integrity-driven performance expectations
Transparency and accountability demands
Increased demands from stakeholders
5
GRC Challenges: PwC/META Group Research
Strategic View / Operational Issues / Future Trends
  • Significant improvements are expected in the
    areas of data accuracy, quality of decision
    making, task redundancies, etc.
  • Technology will be a critical GRC enabler
  • Effective GRC can realise value in the areas of
    reputation and brand, employee retention and
    revenue
  • Manual processes are instrumental to meet GRC
    requirements
  • Most do not have real-time GRC capability; 1/3
    of regulated organisations are not even close
  • Growing investment area, but light on cost and
    value measurement
  • Investment shifting towards technology
  • See GRC as a value driver
  • The need for connection among GRC is understood
    and valued although operational issues exist
  • Exposure to substantial risk through
    insufficient commitment to risk management

6
Shifting from Defensive to Proactive Opportunity
Reduce compliance costs, Improve Efficiency,
Effectiveness and Confidence
Balance of Compliance and Performance Objectives
Look at other business commitments
Streamline controls, processes and procedures
Need to comply with Standards and Regulations
Focus on multitude of requirements
7
What Are the GRC Management Challenges? Enterprise-Wide Responsibility
CFO / VP Finance
Chief Compliance Officer (CCO)
CIO
Chief Risk Officer (CRO)
  • Reducing the total cost of GRC
  • Timely notification of control issues, material
    weaknesses and violations
  • Accurate and comprehensive information on
    financial exposure, compliance and audit.
  • Increasing efficiency & consistency of
    compliance processes
  • Reducing regulatory actions by reducing
    compliance violations
  • Planning and oversight of compliance management
    resources
  • Identifying and implementing optimal detective &
    preventative controls
  • Balancing the range of enterprise risks
  • Evaluating business requirements and technical
    risk capabilities
  • Reducing organizational cost of risk exposure
    and cost of mitigation or acceptance
  • Ensuring auditable & secure information
  • Automating GRC information risk management
  • Eliminating multiple internal GRC solutions
  • Implementing IT platform for GRC
    standardisation, simplification & security

8
What Are the GRC Management Challenges? Enterprise-Wide Responsibility
CFO / VP Finance
Chief Compliance Officer (CCO)
CIO
Chief Risk Officer (CRO)
CEO
  • Reducing the total cost of GRC
  • Timely notification of control issues, material
    weaknesses and violations
  • Accurate and comprehensive information on
    financial exposure, compliance and audit.
  • Increasing efficiency & consistency of
    compliance processes
  • Reducing regulatory actions by reducing
    compliance violations
  • Planning and oversight of compliance management
    resources
  • Identifying and implementing optimal detective &
    preventative controls
  • Balancing the range of enterprise risks
  • Evaluating business requirements and technical
    risk capabilities
  • Reducing organizational cost of risk exposure
    and cost of mitigation or acceptance
  • Ensuring auditable & secure information
  • Automating GRC information risk management
  • Eliminating multiple internal GRC solutions
  • Implementing IT platform for GRC
    standardisation, simplification & security