TRANSCRIPT
(888) 519-9200 www.complianceweek.com
Sponsored by
Delivering an Engaging, Mobile, and Interactive GRC Experience to All Levels of the Organization
Welcome to Compliance Week's Webcast on delivering an engaging, mobile, and interactive GRC experience to all levels of the organization.
The Webcast will feature Michael Rasmussen, Principal Analyst with GRC 20/20 Research.
The discussion will be hosted by Compliance Week Executive Editor, Joseph McCafferty.
You can submit questions to our speaker by using the “Ask a Question” button on the left side of your screen.
Agenda for Today's Webcast
This Webcast will last for 60 minutes.
2:00 p.m. Introduction: Joseph McCafferty, Compliance Week
2:05 p.m. Discussion: Michael Rasmussen, GRC 20/20 Research
2:45 p.m. Q&A: Will be kept anonymous
3:00 p.m. Closing Remarks: From Compliance Week
Introduction: The Series, Schedule & Instructions
Upcoming Webcasts: Visit our website for future Webcast dates and topics: www.complianceweek.com
Instructions: Use the "Ask A Question" function (left side of your screen). All questions will be anonymous. Please disable your pop-up blockers to access the automatic CPE exam presented at the webcast conclusion.
Today's Presenter
Michael Rasmussen, Principal Analyst, GRC 20/20 Research
• Well-known thought-leader, keynote speaker, author and collaborator.
• Noted for being the first analyst to define and model the GRC market for products and professional services.
• With more than 15 years of experience, Michael's objective is to assist organizations in defining GRC processes that are sustainable, consistent, efficient, and transparent.
Delivering an Engaging, Mobile, and Interactive GRC Experience to All Levels of the Organization
September 2013
Michael Rasmussen, J.D.,
Chief GRC Pundit @ GRC 20/20 Research, LLC
OCEG Fellow @ www.OCEG.org
6 © 2013, all rights reserved, www.grc2020.com
Are you truly aware of your risks?
"Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!"
E.J. Smith, Captain of the Titanic
The modern organization is encumbered by change. The onslaught of changing business, risk, and regulatory environments, while keeping change in sync, is a significant challenge for governance, risk management, and compliance (GRC). GRC fails when it is addressed as a system of parts that do not integrate and work as a collective whole.
GRC Impacted From So Many Directions
[Diagram: changing business, risk, and regulatory environments impacting multiple operational units and every level of the organization (board, line of business, management, employees) through assessments, issues, procedures, training, policies, testing, and controls.]
Battling the Hydra of GRC
• Email-based process with disparate documentation and paper trails
• Complex interfaces
• Poor visibility and reporting
• Files and documents out of sync
• Wasted resources and spending
• Overwhelming complexity
• No accountability
Too many formats and approaches are inefficient, ineffective, and lack agility.
The Winchester Mystery House
• 160 rooms
• 47 fireplaces
• 6 kitchens
• 10,000 windows
• 65 doors to blank walls
• 13 staircases abandoned
• 25 skylights – in floors
• 147 builders/no architects
• Built without a blueprint
• $5.5 million over 38 years
… confusing user experience
. . . and we are just hoping nothing fails
• Inability to gain clear view of GRC dependencies;
• High cost of consolidating GRC information;
• Difficulty maintaining accurate GRC information;
• Failure to trend across assessment and reporting periods;
• Redundant approaches limit correlation, comparison and integration of information; and
• Lack of agility to respond timely to changing risks, regulations, laws, and situations.
What GRC is all about . . .
BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives
OPPORTUNITIES
MANDATORY BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.
VOLUNTARY BOUNDARY: boundary defined by management including organizational values, contractual obligations, voluntary policies and other promises.
OBJECTIVES: strategic, operational, customer, process, compliance objectives
GRC is a capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity…
Evolution of GRC
GRC 1.0, GRC 2.0, GRC 3.0
GRC 3.0 is about . . .
• Bringing GRC to the 'coal-face' – the frontlines of the organization
• Mobility and engagement
• Dynamic integration of actionable content
• 360° GRC contextual awareness
• GRC Architecture
• Operationalizing GRC
GRC Engagement: Lack of Interactive Structure
User experience with GRC is typically poor in most organizations, resulting in . . .
• Time-consuming and redundant processes that are NOT EFFICIENT
• A check-box mentality that sends off messages and tasks that are NOT EFFECTIVE
• Lack of central coordinated efforts for GRC communications that hinder the organization to the point where it is NOT AGILE
Inefficient processes create critical resource constraints:
• Multiple sources of policy, training, survey, assessment, issue reporting/hotline, and interaction consume human and financial capital resources
• Employee interactions are inconsistently logged in documents and spreadsheets – if they are logged at all
• The organization lacks a consistent approach to GRC communications and fails to prioritize action items
• Emails fly about, slip through cracks, are not responded to, or are simply forgotten
GRC Engagement: an Agile Approach
However, if organizations align and optimize processes supported by technology that provides an intuitive interface for employee engagement, GRC programs become . . .
Effective. The organization ensures that risk and compliance are effectively monitored and managed at all levels of the organization; that policies are not only read but understood; and that employees are trained properly, know how to ask questions when in doubt, know how to report issues, and know what to be alert for.
Efficient. GRC engagement provides efficiency and savings in both human and financial capital resources by providing access to the right information at the right time for employees.
Agile. The organization is able to respond rapidly to changes in the internal business environment as well as the external environment and to communicate to employees the GRC context of these changes. GRC engagement is measured in the ability to identify and react to events and issues.
Employee GRC Engagement
Components of employee GRC engagement: Interactive & Relevant Content; Mobility; Analytics; Gamification; Socialization & Collaboration.
Interactive & Relevant Content. GRC needs to deliver interactive and relevant content in the context of the user, such as:
Policies & Training. Policies and training come together into a unified employee experience. Relevant resources are easily accessible and provided in the same interface without hopping between disconnected systems.
Issue Reporting. Employees can easily report issues and in doing so can be provided with relevant contextual information to see whether what they are reporting is an issue or not, which helps educate them as they engage in GRC.
Surveys & Assessments. As employees answer questions they can easily look up relevant policies and other information in the context of the assessment, so that they are informed on the context and their answers are relevant.
Employee GRC Engagement: Socialization & Collaboration
GRC engagement is accomplished through socialization and collaboration across the organization that:
Gets questions answered. Employees should be able to ask questions and get them answered quickly with contextually relevant information and pathways.
Provides for two-way communication. Employees have ideas and ways to improve GRC, and have feedback on values, code of conduct, policies, trainings, risks, or incidents.
Shares information. Getting employees engaged is about sharing information; it allows the organization to see what works and keeps employees engaged.
Connects the dots through collaboration. GRC needs to allow for collaboration on GRC across broad geographic boundaries without the need for everyone to be in the same physical location.
Employee GRC Engagement: Mobility
There is an app for GRC! GRC engagement through the use of mobile technologies makes GRC accessible as well as efficient through mobile:
Policies & Training. Delivery of policies and training on mobile devices, which works particularly well in environments where a tablet could be deployed as a policy and training kiosk.
Surveys & Assessments. Employees answer GRC surveys and assessments and can use mobile devices to get the job done. They can provide pictures through integrated cameras to capture information related to the assessment.
Issue Reporting. Mobility allows for quick reporting, and integrated cameras can capture a visual of the issue at the moment (e.g., health and safety hazard, accident).
Investigations. Investigations can be done, evidence photos attached, barcodes on evidence bags scanned, and even interviews captured with integrated audio and video.
Reporting. For executives, managers, and GRC professionals, mobility provides an engaging experience to get reports and drill into them wherever and whenever needed.
Employee GRC Engagement: Analytics
Metrics and analytics become stronger through employee engagement when risk boundaries, ethics, and values help the organization measure corporate integrity and improve corporate culture. Consider the following:
Alignment. Employee engagement feeds into analytics to ensure that the culture of the organization, its values, and risk boundaries are understood and supported across the organization.
Reception. It allows employees to rate policies and training programs to determine what was well received and what was not. Did they understand the policy? Was the training interesting, appropriate, and informative? Are there things around policies/trainings that they still don't understand?
Organizations should focus on delivering engaging GRC user experiences that align with the needs of employees, integrate with organization architecture and systems, and deliver relevant content when needed, wherever it is needed.
Employee GRC Engagement: Gamification
GRC engagement is about interactive experiences, recognition, and rewards. It is not about trivializing GRC, but about using content and technology to engage, communicate, and allow for broader participation. GRC gamification includes:
Interactive content. Getting employees involved through video, comedy, and games to educate on risk, policy, and compliance. Games, puzzles, and illustrations all help to answer questions, develop skills, and communicate a point.
Recognition and awards. Employees can engage GRC to gain points and achieve levels/badges. Recognition can be given when people complete assessments, discover and report issues, educate others, and champion GRC in different ways.
The Role of Technology in Regulatory Change
Bringing it all Together: Value of Integrated GRC Information
• Regulations & Obligations
• Risk & Analysis
• Objectives & Goals
• Incidents & Issues
• Assets & Relationships
• Policies & Training
• Controls & Assessment
• Roles & Responsibilities
Elements of GRC communication plan
Defensible and effective GRC communications
Questions?
Michael Rasmussen, J.D., Chief GRC Pundit & OCEG Fellow
+1.888.365.4560
GRC 20/20 Newsletter
LinkedIn: GRC 20/20
Blog: GRC Pundit
Twitter: GRCPundit
LinkedIn: Michael Rasmussen
Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.
Feedback: Please send to [email protected]
Thanks, Michael Rasmussen, Principal Analyst, GRC 20/20 Research
CPE Credit
Please disable your pop-up blockers to access the automatic CPE exam presented at the conclusion of the webcast. The CPE test will appear in a separate window at the conclusion of the Webcast. If you have trouble accessing the test, please email us at [email protected]
CPE certificates will be emailed to you separately following completion of the exam.
Thank You for Joining Us