GRC - ISACA Training, 16.9.2014


Governance, Risk & Compliance -GRC (Integrated Approach)

16th September 2014

Paul M Simidi

Overview

• Introduction
• GRC component frameworks
• GRC current status
• iGRC & goals
• iGRC models
• iGRC & technology
• Overall iGRC benefits
• Organization experiences

Introduction

Governance: setting business strategy and objectives, determining risk appetite, establishing culture and values, developing policies, and monitoring performance.

Risk Management: identifying and assessing risks that may affect the ability to achieve business objectives, applying risk management to obtain competitive advantage, and determining response strategies and control activities.

Compliance: operating in accordance with objectives and ensuring adherence to laws and regulations, internal policies and procedures, and stakeholder commitments.

GRC Component Frameworks

Governance - Examples

• Control Objectives for Information and Related Technology (COBIT): a framework that provides guidance for executive management to govern IT within the enterprise. It is an IT governance framework that bridges the gap between control requirements, technical issues and business risks.

• Sarbanes–Oxley Act of 2002: an Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.

• Information Technology Infrastructure Library (ITIL): the most widely adopted approach to IT Service Management in the world. It is a practical framework for identifying, planning, delivering and supporting IT services to the business.

Risk Management - Examples

• The Committee of Sponsoring Organizations of the Treadway Commission (COSO): a joint initiative dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.

• ISO 31000: provides principles and generic guidelines on the implementation of risk management. It can be applied to any kind of organization and any type of risk, and is not specific to any industry or sector.

• ISO 31000:2009 is intended to be used by a wide range of stakeholders, including those responsible for implementing risk management; those who need to manage risk for the organization as a whole or within a specific area or activity; those needing to evaluate an organization's practices in managing risk; and developers of standards.

Compliance - Examples

• Organizational policies and procedures

• IFRSs

• Legal and regulatory framework in Kenya: Companies Act, Capital Markets Authority, Nairobi Stock Exchange, Communications Authority of Kenya, Central Bank regulations, Public Procurement Act, Occupational Safety and Health Act 2007 (OSHA), etc.

• Basel Standards (I, II and III): international standards for banking regulators developed by the Basel Committee on Banking Supervision to strengthen the regulation, supervision and risk management of the banking sector.

• Total Quality Management (TQM): management methods used to enhance quality and productivity in business organizations.

GRC Current Status

• Complexity
• Lack of visibility
• Duplication
• Inflexibility
• Vulnerability
• Poor integration
• Increased regulations
• Poor performance
• High costs
• Silos
• Wasted information
• Frauds
• Wasted resources

Public Sector Overview

Private Sector Overview

iGRC Approach

• iGRC: synchronize information and activity across governance, risk management and compliance in order to create efficiency, enable effective information sharing and reporting, reduce cost and enhance performance.

ERM

ICT

iGRC Trends

• Large, forward-thinking organizations believe that effective iGRC is a value driver and a source of competitive advantage.

• Organizations that embrace effective iGRC are realizing significant value in the areas of reputation and brand, employee retention and profitability.

• Significant improvements in accuracy, decision-making quality, timeliness and the reduction of task redundancies as organizations move to an integrated iGRC environment.

• Inclusion of iGRC in corporate performance management.

• Increased leverage of technology.

iGRC Goals

1. Awareness
• Changes in the internal and external environment
• Turn data into information that can be analyzed
• Share information

2. Alignment
• Support and inform business objectives
• Give strategic consideration to GRC information

3. Responsiveness
• You can't react to something you don't sense
• Greater awareness and understanding of the information that drives decisions and actions

4. Agile
• Decisions and actions that are quick, coordinated and well thought out
• Allow an entity to use risk to its advantage, grasp strategic opportunities and be confident in its ability to stay on course

5. Resilient
• Ability to bounce back from changes in the environment, e.g. threats
• Confidence to rapidly adapt and respond to opportunities

6. Learn
• Get rid of unnecessary duplication, redundancies and misallocation of resources within the GRC capability

iGRC Models

• Example of iGRC: OCEG iGRC

• iGRC: synchronize information and activity across governance, risk management and compliance in order to create efficiency, enable more effective information sharing and reporting, and avoid wasteful overlaps.

ERM

ICT

iGRC – OCEG Model

ORGANIZE AND OVERSEE
O1 – Outcomes and Commitment
O2 – Roles and Responsibilities
O3 – Approach and Accountability

INFORM AND INTEGRATE
I1 – Information Management and Documentation
I2 – Internal and External Communication
I3 – Technology and Infrastructure

ASSESS AND ALIGN
A1 – Risk Identification
A2 – Risk Analysis
A3 – Risk Optimization

PREVENT AND PROMOTE
P1 – Codes of Conduct
P2 – Policies
P3 – Preventive Process Controls
P4 – Awareness and Education
P5 – Human Capital Incentives
P6 – Human Capital Controls
P7 – Stakeholder Relations and Requirements
P8 – Preventive Technology Controls
P9 – Preventive Physical Controls
P10 – Risk Financing/Insurance

DETECT AND DISCERN
D1 – Hotline and Notification
D2 – Inquiry and Survey
D3 – Detective Controls

MONITOR AND MEASURE
M1 – Context Monitoring
M2 – Performance Monitoring and Evaluation
M3 – Systemic Improvement
M4 – Assurance

CONTEXT AND CULTURE
C1 – External Business Context
C2 – Internal Business Context
C3 – Culture
C4 – Values and Objectives

RESPOND AND RESOLVE
R1 – Internal Review and Investigation
R2 – Third-Party Inquiries and Investigations
R3 – Crisis Response and Recovery
R4 – Remediation and Discipline

GRC & Technology Solutions - Examples

Solution | Modules
1. SAP GRC Suite | Process Control, Access Control, Risk Management, Fraud Management, Audit Management
2. ACL GRC | Packages, Data Analytics, Compliance & Monitoring, Dashboards, Reporting
3. MetricStream GRC Platform | A web-based platform built on J2EE architecture, covering Governance, Risk, Compliance and Quality programs

Strategic Plan

• Charter
• Mission and vision statement
• Responsibilities
• Performance measurement
• Organization chart
• Human capital
• Financial plan
• Technology plan
• Assurance plan
• Implementation plan

GRC – Universal Outcomes

• Achieve business objectives
• Enhanced organizational culture towards GRC
• Increased stakeholder confidence
• Prevent, detect and reduce adversity
• Motivate and inspire desired conduct
• Improve responsiveness and efficiency
• Optimize economic and social value

Why is it working, or not working, in your organization?

END

Paul Simidi Tel 0720-739-425

email – [email protected]