INTEGRATING GRC TECHNOLOGY WITH STANDARDS
SPEAKERS: SAID TABET, SENIOR TECHNOLOGIST, EMC
YUJI FURUSHO, DEPUTY GENERAL MANAGER, FUJITSU
MASATOMO GOTO, MANAGER, FUJITSU
OCEG WEBINAR SERIES October 31, 2013
Housekeeping
Download slides at http://www.oceg.org/event/integrating-grc-technology-with-standards/
Answer all 3 polls
Certificates of completion (only for OCEG
Premium/Enterprise members and All-Access Pass
holders)
Evaluation survey at the close of the webinar
Archive at Recorded Events on OCEG site
Our Panelists: Said Tabet, Yuji Furusho, Masatomo Goto
Learning Objectives
Understand the goals and objectives of the GRC-XML Working Group
Understand the core concepts and entities in a GRC technology ecosystem
Understand how to apply GRC-XML to both reporting and exchanging GRC information
Understand how XBRL technology is used in GRC-XML
AGENDA
Introduction
What is OCEG? GRC and OCEG
Overview of the GRC XML Initiative
GRC-XML 1.0: where we started
GRC-XML 2.0: Current state and timeline
The OCEG Open Risk Universe
GRC-XML Technical Architecture
GRC-XML Taxonomy and Information Model
GRC-XML Extensions
Solvency II, Basel III, CRD IV
Summary and Takeaways
Framework & Standards – tell us what we should do
Process standards (key concepts, components and terminology)
Technical standards (key systems and integration points)
Developed by experts and publicly vetted to ensure quality
Evaluation Criteria & Metrics - tell us how we are doing
Effectiveness & performance evaluation (suitable criteria)
Tools & technologies to appropriately benchmark
Certification of GRC design and implementation
Community of Practice – share what everyone else is doing
Online education, tools & resources
Collaboration with peers in a number of professions
What is OCEG?
OCEG is a nonprofit think tank that helps organizations drive Principled Performance® with a global community of skilled practitioners focused on improving governance, risk management, and compliance (GRC) processes.
Mission: The Integration of Disciplines
Disciplines and professions involved: Governance, Risk Management, Compliance, Legal, Human Capital Management, Change Management, Ethics Management, Internal Audit, Security, Quality Management, Project Management, Information Technology, Financial and Resource Planning.
OCEG brings together disciplines and professions to collaborate and pursue a common mission: to refine and improve GRC and drive Principled Performance®.
GRC-XML
Current state…
OCEG GRC-XML Webinar Series, 2013
GRC architecture is predominantly silo-based, making sharing data difficult and error-prone.
A common language to represent Risks, Controls, Policies, Procedures and Tests of Controls can facilitate discussion, comparison, integration, performance, and interchange.
We are driving the development of GRC-XML to address this problem.
GRC-XML is based on XBRL.
Our Goal:
Enable highly efficient and agile Risk and Control Monitoring systems in a format that is application-neutral and easy to integrate.
Overview
• A common language of risk and control is a prerequisite for effective management of audit, risk, and compliance processes
• Most organizations currently struggle with a common language of risk and control between their internal GRC silos
• There is no standard risk and control language for multiple information systems to communicate or pass information
The Business Case
Three GRC systems (Systems 1, 2 and 3 on the slide), each with its own field labels, map onto the same five GRC-XML fields:

System (Spanish labels)            | System (Japanese labels) | System (English labels) | GRC-XML
Identificador de la Cuenta         | 勘定科目番号              | Account#                | accountMainID
Descripción Principal de la Cuenta | 勘定科目説明文            | Description             | accountMainDescription
Monto Monetario                    | 金額                      | Amount                  | amount
Fecha de Asignación/Ingreso        | 転記日付                  | PostDate                | postingDate
Fecha de evaluación                | 評価日                    | EvaluationDate          | TOE-Day

Every GRC System as GRC-XML
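The slide above shows three systems carrying the same five facts under three different sets of labels. The following is an added example, not code from the OCEG deck or from the GRC-XML project, of the adapter a practitioner would put in front of such systems: each native label is mapped onto the slide's GRC-XML field names, amounts are normalised to Decimal and dates to ISO-8601, and any unmapped or missing field is rejected rather than silently dropped, since losing a posting date or an amount during integration corrupts the shared risk-and-control data set. The system keys (`system_es`, `system_ja`, `system_en`) and all record values are constructed for the example.

```python
"""Normalising records from heterogeneous GRC systems into one GRC-XML style
vocabulary. Added example, not code from the OCEG deck: the three source-system
layouts are constructed from the field labels shown on the slide, and the target
field names are the slide's GRC-XML fields."""
from datetime import date
from decimal import Decimal, InvalidOperation

# Target vocabulary: the five GRC-XML field names shown on the slide.
GRC_XML_FIELDS = ("accountMainID", "accountMainDescription", "amount",
                  "postingDate", "TOE-Day")

# Native field label -> GRC-XML field, one map per source system.
# The system keys are illustrative names, not identifiers from the deck.
FIELD_MAPS = {
    "system_es": {
        "Identificador de la Cuenta": "accountMainID",
        "Descripción Principal de la Cuenta": "accountMainDescription",
        "Monto Monetario": "amount",
        "Fecha de Asignación/Ingreso": "postingDate",
        "Fecha de evaluación": "TOE-Day",
    },
    "system_ja": {
        "勘定科目番号": "accountMainID",
        "勘定科目説明文": "accountMainDescription",
        "金額": "amount",
        "転記日付": "postingDate",
        "評価日": "TOE-Day",
    },
    "system_en": {
        "Account#": "accountMainID",
        "Description": "accountMainDescription",
        "Amount": "amount",
        "PostDate": "postingDate",
        "EvaluationDate": "TOE-Day",
    },
}


def _parse_amount(raw):
    """Amounts are carried as Decimal, never float, so that control tests
    comparing totals across systems do not drift on rounding."""
    try:
        return Decimal(str(raw).replace(",", ""))
    except InvalidOperation:
        raise ValueError(f"amount is not numeric: {raw!r}")


def _parse_iso_date(raw):
    """Accept ISO-8601 dates only; anything else is a mapping error."""
    return date.fromisoformat(str(raw)).isoformat()


def to_grc_xml(system, record):
    """Translate one native record into the GRC-XML vocabulary.

    An unmapped native field or a missing GRC-XML field raises instead of
    being dropped or defaulted: silently losing a posting date or an amount
    would corrupt the shared risk-and-control data set downstream."""
    field_map = FIELD_MAPS[system]
    out = {}
    for native_name, value in record.items():
        if native_name not in field_map:
            raise ValueError(f"{system}: unmapped field {native_name!r}")
        out[field_map[native_name]] = value
    missing = [f for f in GRC_XML_FIELDS if f not in out]
    if missing:
        raise ValueError(f"{system}: missing fields {missing}")
    out["amount"] = _parse_amount(out["amount"])
    out["postingDate"] = _parse_iso_date(out["postingDate"])
    out["TOE-Day"] = _parse_iso_date(out["TOE-Day"])
    return out


def rejects(system, record):
    """True if the record fails normalisation (used to check error handling)."""
    try:
        to_grc_xml(system, record)
    except (ValueError, KeyError):
        return True
    return False


# Constructed sample records, one per system; all values are made up.
SAMPLE_RECORDS = [
    ("system_es", {"Identificador de la Cuenta": "4100",
                   "Descripción Principal de la Cuenta": "Gastos capitalizados",
                   "Monto Monetario": "1,200.50",
                   "Fecha de Asignación/Ingreso": "2009-12-01",
                   "Fecha de evaluación": "2009-12-21"}),
    ("system_ja", {"勘定科目番号": "4100", "勘定科目説明文": "資産計上費用",
                   "金額": "1200.50", "転記日付": "2009-12-01",
                   "評価日": "2009-12-21"}),
    ("system_en", {"Account#": "4100", "Description": "Capitalised expenses",
                   "Amount": "1200.5", "PostDate": "2009-12-01",
                   "EvaluationDate": "2009-12-21"}),
]


def normalise_all(tagged_records=SAMPLE_RECORDS):
    """Normalise every (system, record) pair; all results share one schema."""
    return [to_grc_xml(system, record) for system, record in tagged_records]


if __name__ == "__main__":
    for row in normalise_all():
        print(row)
```

The three sample records describe the same posting and normalise to identical GRC-XML rows, which is exactly the property a downstream control test relies on; the rejection path is what keeps a mis-configured source system from quietly feeding partial records into the shared repository.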
GRC-XML 1.0 Taxonomy
Based on "INTERNAL CONTROL - INTEGRATED
FRAMEWORK - Evaluation Tools" published with
permission (AICPA)
• A “data set” of internal controls, containing
Control Objectives
Risks
(Sample) Control Activities
• Based on 25 company "Activities"
GRC-XML 1.0 Taxonomy: Activities
25 activities defined in COSO Evaluation Tool.
1/Activity : INBOUND
2/Activity : OPERATIONS
3/Activity : OUTBOUND
4/Activity : MARKETING AND SALES
5/Activity : SERVICE
6/Activity : PROCUREMENT
7/Activity : TECHNOLOGY DEVELOPMENT
8/Activity : HUMAN RESOURCES
9/Activity : MANAGE THE ENTERPRISE
10/Activity : MANAGE EXTERNAL RELATIONS
11/Activity : PROVIDE ADMINISTRATIVE SERVICES
12/Activity : MANAGE INFORMATION TECHNOLOGY
13/Activity : MANAGE RISKS
14/Activity : MANAGE LEGAL AFFAIRS
15/Activity : PLAN
16/Activity : PROCESS ACCOUNTS PAYABLE
17/Activity : PROCESS ACCOUNTS RECEIVABLE
18/Activity : PROCESS FUNDS
19/Activity : PROCESS FIXED ASSETS
20/Activity : ANALYZE AND RECONCILE
21/Activity : PROCESS BENEFITS AND RETIREE INFORMATION
22/Activity : PROCESS PAYROLL
23/Activity : PROCESS TAX COMPLIANCE
24/Activity : PROCESS PRODUCT COSTS
25/Activity : PROVIDE FINANCIAL AND MANAGEMENT REPORTING
Copyright, OCEG 2010
Taxonomy definition link view: Activities, Objectives, Risks, Controls
Extensibility
Risk frameworks – “plug and play” What’s your favourite framework?
COSO, COBIT, ISO 31000, PCI, AS/NZ 4360 , etc.
Companies can leverage the “X” to add elements to define their own specific “Activities”, “Control Objectives”, “Risks”, or “Control Activities”
Based on these extensions, companies can evaluate their specific controls using a specific format and criteria
Risk Extension Taxonomy
30 October 2013 Marcus Spies and Said Tabet, OCEG 2011
Risk Extension Taxonomy: Instance Document View
Risk Instance Example

<?xml version="1.0" encoding="UTF-8"?>
<xbrli:xbrl xmlns:oceg-risk="http://www.oceg.org/xbrl/risk_control/risk" xmlns:link="http://www.xbrl.org/2003/linkbase"
    xmlns:iso4217="http://www.xbrl.org/2003/iso4217" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xbrli="http://www.xbrl.org/2003/instance" xmlns:xlink="http://www.w3.org/1999/xlink">
  <link:schemaRef xlink:type="simple" xlink:href="risk.xsd"/>
  <xbrli:context id="FY2009-4Q">
    <xbrli:entity>
      <xbrli:identifier scheme="risk">oceg</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period> <xbrli:instant>2009-12-21</xbrli:instant> </xbrli:period>
  </xbrli:context>
  <oceg-risk:titleOrName contextRef="FY2009-4Q">Improper capitalization of expenses</oceg-risk:titleOrName>
  <oceg-risk:identifier contextRef="FY2009-4Q">R-FIN-0100</oceg-risk:identifier>
  <oceg-risk:status contextRef="FY2009-4Q">In progress</oceg-risk:status>
  <oceg-risk:owner contextRef="FY2009-4Q">CFO</oceg-risk:owner>
  <oceg-risk:likelihood contextRef="FY2009-4Q">Low</oceg-risk:likelihood>
  <oceg-risk:impact contextRef="FY2009-4Q">Serious</oceg-risk:impact>
  <oceg-risk:netControlEffectiveness contextRef="FY2009-4Q">Strong</oceg-risk:netControlEffectiveness>
  <oceg-risk:dateOpened contextRef="FY2009-4Q">2001-01-12</oceg-risk:dateOpened>
  <oceg-risk:activeFlag contextRef="FY2009-4Q">true</oceg-risk:activeFlag>
</xbrli:xbrl>
Control Instance Example

<?xml version="1.0" encoding="UTF-8"?>
<xbrli:xbrl xmlns:oceg-control="http://www.oceg.org/xbrl/risk_control/control" xmlns:link="http://www.xbrl.org/2003/linkbase"
    xmlns:iso4217="http://www.xbrl.org/2003/iso4217" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xbrli="http://www.xbrl.org/2003/instance" xmlns:xlink="http://www.w3.org/1999/xlink">
  <link:schemaRef xlink:type="simple" xlink:href="control.xsd"/>
  <xbrli:context id="FY2009-4Q">
    <xbrli:entity> <xbrli:identifier scheme="control">oceg</xbrli:identifier> </xbrli:entity>
    <xbrli:period> <xbrli:instant>2009-12-21</xbrli:instant> </xbrli:period>
  </xbrli:context>
  <oceg-control:titleOrName contextRef="FY2009-4Q">Manual Accounting Entry Controls</oceg-control:titleOrName>
  <oceg-control:identifier contextRef="FY2009-4Q">CTA.090</oceg-control:identifier>
  <oceg-control:status contextRef="FY2009-4Q">Active</oceg-control:status>
  <oceg-control:state contextRef="FY2009-4Q">Failed but remediated</oceg-control:state>
  <oceg-control:natureOfControl contextRef="FY2009-4Q">Detective</oceg-control:natureOfControl>
  <oceg-control:owner contextRef="FY2009-4Q">John Jones</oceg-control:owner>
  <oceg-control:dateImplemented contextRef="FY2009-4Q">2001-01-14</oceg-control:dateImplemented>
  <oceg-control:dateLastUpdated contextRef="FY2009-4Q">2001-03-03</oceg-control:dateLastUpdated>
  <oceg-control:externalApprovalFlag contextRef="FY2009-4Q">true</oceg-control:externalApprovalFlag>
  <oceg-control:internalApprovalFlag contextRef="FY2009-4Q">true</oceg-control:internalApprovalFlag>
</xbrli:xbrl>
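Both instance documents above follow the same XBRL shape: a schemaRef, one or more contexts (entity plus period), and a run of facts that each point back at a context through contextRef. The following is an added example, not code from the OCEG deck or from any GRC-XML tooling, of a reader that consumes such documents the way a risk-and-controls repository should: it resolves every contextRef against the declared contexts, rejects facts from namespaces it was not told to expect, and reports structural problems instead of silently importing whatever text it finds. The two instances are the ones on the slides, embedded inline with their unused namespace declarations omitted; the negative case is a constructed copy with one dangling contextRef.

```python
"""Parse and validate GRC-XML (XBRL) risk and control instance documents.
Added example, not code from the OCEG deck. The instance documents are the
slide examples embedded inline; the structural checks are this example's own."""
import xml.etree.ElementTree as ET

XBRLI = "http://www.xbrl.org/2003/instance"
LINK = "http://www.xbrl.org/2003/linkbase"
XLINK = "http://www.w3.org/1999/xlink"
RISK_NS = "http://www.oceg.org/xbrl/risk_control/risk"
CONTROL_NS = "http://www.oceg.org/xbrl/risk_control/control"
NS = {"xbrli": XBRLI, "link": LINK}

RISK_INSTANCE = f"""<?xml version="1.0" encoding="UTF-8"?>
<xbrli:xbrl xmlns:oceg-risk="{RISK_NS}" xmlns:link="{LINK}" xmlns:xbrli="{XBRLI}" xmlns:xlink="{XLINK}">
  <link:schemaRef xlink:type="simple" xlink:href="risk.xsd"/>
  <xbrli:context id="FY2009-4Q">
    <xbrli:entity><xbrli:identifier scheme="risk">oceg</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:instant>2009-12-21</xbrli:instant></xbrli:period>
  </xbrli:context>
  <oceg-risk:titleOrName contextRef="FY2009-4Q">Improper capitalization of expenses</oceg-risk:titleOrName>
  <oceg-risk:identifier contextRef="FY2009-4Q">R-FIN-0100</oceg-risk:identifier>
  <oceg-risk:status contextRef="FY2009-4Q">In progress</oceg-risk:status>
  <oceg-risk:owner contextRef="FY2009-4Q">CFO</oceg-risk:owner>
  <oceg-risk:likelihood contextRef="FY2009-4Q">Low</oceg-risk:likelihood>
  <oceg-risk:impact contextRef="FY2009-4Q">Serious</oceg-risk:impact>
  <oceg-risk:netControlEffectiveness contextRef="FY2009-4Q">Strong</oceg-risk:netControlEffectiveness>
  <oceg-risk:dateOpened contextRef="FY2009-4Q">2001-01-12</oceg-risk:dateOpened>
  <oceg-risk:activeFlag contextRef="FY2009-4Q">true</oceg-risk:activeFlag>
</xbrli:xbrl>"""

CONTROL_INSTANCE = f"""<?xml version="1.0" encoding="UTF-8"?>
<xbrli:xbrl xmlns:oceg-control="{CONTROL_NS}" xmlns:link="{LINK}" xmlns:xbrli="{XBRLI}" xmlns:xlink="{XLINK}">
  <link:schemaRef xlink:type="simple" xlink:href="control.xsd"/>
  <xbrli:context id="FY2009-4Q">
    <xbrli:entity><xbrli:identifier scheme="control">oceg</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:instant>2009-12-21</xbrli:instant></xbrli:period>
  </xbrli:context>
  <oceg-control:titleOrName contextRef="FY2009-4Q">Manual Accounting Entry Controls</oceg-control:titleOrName>
  <oceg-control:identifier contextRef="FY2009-4Q">CTA.090</oceg-control:identifier>
  <oceg-control:status contextRef="FY2009-4Q">Active</oceg-control:status>
  <oceg-control:state contextRef="FY2009-4Q">Failed but remediated</oceg-control:state>
  <oceg-control:natureOfControl contextRef="FY2009-4Q">Detective</oceg-control:natureOfControl>
  <oceg-control:owner contextRef="FY2009-4Q">John Jones</oceg-control:owner>
  <oceg-control:dateImplemented contextRef="FY2009-4Q">2001-01-14</oceg-control:dateImplemented>
  <oceg-control:dateLastUpdated contextRef="FY2009-4Q">2001-03-03</oceg-control:dateLastUpdated>
  <oceg-control:externalApprovalFlag contextRef="FY2009-4Q">true</oceg-control:externalApprovalFlag>
  <oceg-control:internalApprovalFlag contextRef="FY2009-4Q">true</oceg-control:internalApprovalFlag>
</xbrli:xbrl>"""

# Constructed negative case: same document, first fact points at an undeclared context.
BAD_INSTANCE = RISK_INSTANCE.replace('contextRef="FY2009-4Q"', 'contextRef="FY2010-1Q"', 1)


def parse_instance(xml_text, allowed_fact_ns):
    """Return schemaRef, contexts and facts; raise ValueError on structural
    problems that a reader which just grabs the text of every tag would miss."""
    # stdlib expat does not fetch external entities or DTDs; for untrusted
    # feeds a hardened parser such as defusedxml is the usual drop-in.
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{XBRLI}}}xbrl":
        raise ValueError(f"root is {root.tag}, not xbrli:xbrl")
    ref = root.find("link:schemaRef", NS)
    schema_ref = ref.get(f"{{{XLINK}}}href") if ref is not None else None
    contexts = {}
    for ctx in root.findall("xbrli:context", NS):
        ident = ctx.find("xbrli:entity/xbrli:identifier", NS)
        instant = ctx.find("xbrli:period/xbrli:instant", NS)
        if ident is None or instant is None:
            raise ValueError(f"context {ctx.get('id')!r} lacks entity or instant")
        contexts[ctx.get("id")] = {"scheme": ident.get("scheme"),
                                   "entity": ident.text, "instant": instant.text}
    facts = {}
    for el in root:
        ns, _, local = el.tag[1:].partition("}") if el.tag.startswith("{") else ("", "", el.tag)
        if ns in (XBRLI, LINK):
            continue  # structural elements, handled above
        if ns not in allowed_fact_ns:
            raise ValueError(f"fact {local!r} in unexpected namespace {ns!r}")
        ctx_ref = el.get("contextRef")
        if ctx_ref not in contexts:
            raise ValueError(f"fact {local!r}: undefined contextRef {ctx_ref!r}")
        facts[local] = {"value": (el.text or "").strip(), "contextRef": ctx_ref}
    return {"schemaRef": schema_ref, "contexts": contexts, "facts": facts}


def validate(xml_text, allowed_fact_ns):
    """(ok, message) wrapper for feeds where a failure is logged rather than raised."""
    try:
        parsed = parse_instance(xml_text, allowed_fact_ns)
    except (ValueError, ET.ParseError) as exc:
        return False, str(exc)
    return True, f"{len(parsed['facts'])} facts in {len(parsed['contexts'])} context(s)"


if __name__ == "__main__":
    print(validate(RISK_INSTANCE, {RISK_NS}))
    print(validate(CONTROL_INSTANCE, {CONTROL_NS}))
    print(validate(BAD_INSTANCE, {RISK_NS}))
```

The namespace allow-list is the simplest form of the "dictionary" check the later scenario slide implies: a risk repository accepts facts from the risk taxonomy's namespace and nothing else, so a control document routed to the wrong endpoint is rejected at the door rather than stored under the wrong concept.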
GRC-XML illustrated Scenario
GRC Applications & Systems: Enterprise GRC, Operational GRC, IT GRC, etc.
Controls Testing & Monitoring: automated control tests (transactions, configurations, user access); manual control tests (surveys, sampling)
Risk & Controls Repository: risk models, controls documentation, organization / process, test procedures, test results
All three exchange GRC XML Data, interpreted against a common GRC XML Dictionary.
GRC-XML 2.0
Support for conversion and versioning between available frameworks (COSO, COBIT, ITIL, PCI, NIST, UCF, Basel2, etc.)
Provide guidance and enable tooling and solutions to demonstrate how standard libraries can be integrated and translated to GRC-XML
Support tagging and traceability from data level to business/process level and in between
Integrate the Open Risk Universe
GRC-XML for external reporting
Support for Solvency II ORSA and RMORSA reporting
GRC-XML for the Cloud
GRC-XML to provide guidance and enable GRC information to be shared and exchanged between providers, end users/consumers, regulators and auditors
GRC-XML Open Risk Universe
ERM – Definition & Process
ERM is a decision-making process to manage uncertainties and to give policy and resource allocation decisions a defensible basis.
Corporate level:
1) Corporate policy: risks to manage; risk appetite
Business unit level:
2) Risk evaluation
3) Risk integration (heat mapping) & mitigation strategy
4) Risk mitigation planning/action
ERM Data Flow Summary
Corporate Policy / Risk Definition: Risk Universe; Company Extension: company-specific definition of “significant risks” mapped to risks defined in the Risk Universe
Corporate Policy / Risk Appetite: definition of corporate-wide risk criteria and tolerance level for each risk defined
Risk Evaluation & Integration: evaluation at each location; integration
Risk Mitigation: mitigation strategy; mitigation planning at each location for each risk that exceeds the company’s risk tolerance
Monitored KRI’s
Summary of Risk/other elements
Risk Category → Risk → Risk (extended) → Risk Criteria → Risk Tolerance
Location A / Location B: Evaluation A / Evaluation B → Evaluation (total); automated KRI’s feed each evaluation
Each risk is evaluated along with locations, and finally consolidated at the corporate level.
Each risk is evaluated according to risk criteria, such as frequency and severity; level 1 to 5, etc.
Automatically captured KRI’s may be able to be used as “evaluation”.
Mitigation Strategy → Mitigation Plan: mitigation is considered where the risk evaluation exceeds the risk tolerance.
Copyright, OCEG 2012
OCEG Open Risk Universe
External / Macro Environment:
Nature: Natural disaster; Weather; Pandemic
Society: Social requests; Demographic
Regulations: Cross-border; Cross-sector
Politics: Change of administration; Legislation; Public policy
Economics: Business condition; Price of goods; Price of materials; Market condition (currency, interest rate, etc.)
Technology: Energy technology innovation; Production innovation; IT innovation; Environment technology innovation
External / Micro Environment:
Competition; Customers/Consumers; Investors/Lenders; Trading partners; Affiliates; Government
Reputation: Brand image; Stakeholder relationship
Internal / Technology: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability
Internal / Culture: Corporate culture; Ethical behavior; Effectiveness of the board
Internal / People/Organization: Labor capability; Labor sincerity; Authority/Limit; Intellectual property
Internal / Process:
Effectiveness/Efficiency: Quality/Customer satisfaction; Business disruption; Product development; Production capacity; Product/service deficiency; Operation error
Financial: Liquidity; Credit
Compliance: Law violation; Privacy protection; Information control; Social imperative
Reporting: Financial reporting; Tax reporting; Environment conservation; Regulator reporting
Decision Making: Governance; Management oversight
Strategy: Vision/Mission; Competence assessment; Capability/Capacity assessment; Alliance; Merger & acquisition; Planning
Example of Insurance ERM
Target Risks
[Quantitative Risks]
Market Risk (Interest rate, Stock price, R.E., Products, etc.)
Credit Risk (Debtor, Reinsurer, Security issuer, etc.)
Insurance Risk (Underwriting Risk, Loss Reserve Risk, etc.)
Operational Risk
[Qualitative Risks]
Strategy Risk
Reputational Risk
Compliance Risk
Liquidity Risk
How to integrate the Risk Management Process as well as Risk Reporting…
GRC-XML 2.0 Architecture
GRC-XML 2.0 Information Model
GRC data supply chain
Line of business → HQ / Syndicate → National Service Agency / Supervisor → Supervisor for supervisors
Full set of data → Aggregated/summarized data → Further aggregated/summarized data; the amount of information in a report shrinks at each step, and consistency must be managed along the chain
Internal Reporting (ERM) inside the company; External Reporting / Regulation (eSupervision) towards the supervision system
GRC for Internal and External Reporting
Inside a company: System A and System B exchange data through an internal reporting taxonomy or schema (system-wide data exchange format); a company-wide Extension Taxonomy supplies (1) the data definition and (2) the data format in the ERM area
Regulators: External Reporting Taxonomy
GRC-XML data point taxonomy: data point definition (OCEG and industry wide)
Taxonomy Architecture #1
GRC-XML data point taxonomy
All data points (Risk, Control, Objectives, etc.) are defined here as dimensions in the taxonomy.
The relationships between them are defined in the definition linkbase with the appropriate arcrole.
GRC reporting taxonomy
Defines reporting bucket elements for each data point.
Defines supplemental elements for other data: test score, link to compensation, explanatory information.
GRC exchange taxonomy (schema)
Defines a referencing attribute pointing at each data point in the GRC-XML taxonomy.
Defines the elements which need to be exchanged among ERM systems.
Taxonomy Architecture #2
Extensibility
GRC-XML data point taxonomy: needs to be extensible in a proper manner that remains understandable to the supervisor.
GRC reporting taxonomy: a single reporting format is possible.
GRC exchange taxonomy (schema): a single reporting format is enough; it does not need to be XBRL and could be plain XML.
Harmonization
Need to align with other taxonomies? E.g. Solvency II pillars 1, 2 and 3.
Physical GRC Taxonomy Structure
GRC Data Point Taxonomy → GRC Data Point Industry Extension Taxonomies → GRC Data Point Undertaking Extension Taxonomy
Built on these: GRC External Reporting Taxonomy (External Reporting Terms Taxonomy + Entry Point Taxonomy) and GRC Internal Exchange Taxonomy (Internal Exchange Terms Taxonomy + Entry Point Taxonomy), plus a Data Point Browsing entry point
Each data point and terms taxonomy module is shown as: xsd L R P C D
Each reporting taxonomy module is shown as: xsd L R P C D F V
Reporting Taxonomy owner (e.g. Solvency II): the relationship between the owner's reporting taxonomy and the GRC taxonomies is marked as an open question (?)
Integration
Elevation from a business-unit view to a top-down approach
Integration of different areas: Security risk, IT risk, Financial risk, Operational risk, and others – many areas, one language
Visibility across islands of automation
Reduction of redundancies and duplications
Standardization, simplification
Reduced information friction to facilitate (more) continuous monitoring and audit of controls
Summary and Conclusion
Thank You!
Questions?