Title: Governance, Risk and Compliance Management: Integrated Control of the GRC Process
1. Governance, Risk and Compliance Management: Integrated Control of the GRC Process
- Stephen Hall
- Information Governance Limited
2. Governance, Risk & Compliance...
- Governance: setting business strategy and objectives, determining risk appetite, establishing culture and values, developing internal policies and monitoring performance.
- Risk Management: identifying and assessing risks that may affect the ability to achieve objectives, applying risk management to gain competitive advantage, and determining risk response strategies and control activities.
- Compliance: operating in accordance with objectives and ensuring adherence to laws and regulations, internal policies and procedures, and stakeholder commitments.
3. Governance, Risk & Compliance...
GRC provides a framework and a methodology that enable the people responsible for managing the business to give confidence to those who are accountable to shareholders and regulators that corporate objectives are being met.
4. Business drivers for an integrated approach to Governance, Risk and Compliance
- Increased complexity due to globalisation
- Increased competitive pressures
- Increasing regulations
- Ethical and financial scandals
- New technologies
- Integrity-driven performance expectations
- Transparency and accountability demands
- Increased demands from stakeholders
5. GRC Challenges (PwC/META Group Research)
Findings were presented under three headings: Strategic View, Operational Issues and Future Trends.
- Significant improvements are expected in the areas of data accuracy, quality of decision making, task redundancies, etc.
- Technology will be a critical GRC enabler.
- Effective GRC can realise value in the areas of reputation and brand, employee retention and revenue.
- Manual processes are still instrumental in meeting GRC requirements.
- Most do not have real-time GRC capability; one third of regulated organisations are not even close.
- GRC is a growing investment area, but light on cost and value measurement.
- Investment is shifting towards technology.
- Organisations see GRC as a value driver.
- The need for connection among governance, risk and compliance is understood and valued, although operational issues exist.
- Organisations are exposed to substantial risk through insufficient commitment to risk management.
6. Shifting from Defensive to Proactive Opportunity
- Need to comply with standards and regulations
- Focus on a multitude of requirements
- Look at other business commitments
- Balance compliance and performance objectives
- Streamline controls, processes and procedures
- Reduce compliance costs; improve efficiency, effectiveness and confidence
7. What Are the GRC Management Challenges? Enterprise-Wide Responsibility
Roles involved: CEO, CFO / VP Finance, Chief Compliance Officer (CCO), Chief Risk Officer (CRO), CIO.
- Reducing the total cost of GRC
- Timely notification of control issues, material weaknesses and violations
- Accurate and comprehensive information on financial exposure, compliance and audit
- Increasing efficiency and consistency of compliance processes
- Reducing regulatory actions by reducing compliance violations
- Planning and oversight of compliance management resources
- Identifying and implementing optimal detective and preventative controls
- Balancing the range of enterprise risks
- Evaluating business requirements and technical risk capabilities
- Reducing the organisational cost of risk exposure and the cost of mitigation or acceptance
- Ensuring auditable, secure information
- Automating GRC information risk management
- Eliminating multiple internal GRC solutions
- Implementing an IT platform for GRC standardisation, simplification and security