Ajay Dhir - The Role of GRC and Creating a Risk Assured Framework - Interop 2009

In today's increasingly sophisticated, complex and demanding corporate environment, it is not only important but in fact becoming mandatory for corporates to have a well-defined policy and mechanism for corporate governance, risk mitigation and compliance. Recent corporate scandals have exposed the basic lack of a systems framework, governance mechanism and the need to focus on systemic improvements and strengthening in-built controls. The CIO has to play a very important role in this process by not just technology-enabling the system, but working closely with key stakeholders and the CEO to create an IT landscape which uses a framework of risk assurance. This presentation will focus on the various challenges posed by statutory regulations and regulatory authorities, discuss the various frameworks available and showcase how a CIO can deliver value to the Board and the organization


1. INTEROP, Mumbai, October 09, 2009
   THE ROLE OF GRC AND CREATING A RISK ASSURED FRAMEWORK
   AJAY K. DHIR, GROUP CIO, JSL LIMITED, ajay.dhir@jindalsteel.com
2. Governance, Risk & Compliance...
   Governance - setting business strategy & objectives, determining risk appetite, establishing culture & values, developing internal policies and monitoring performance.
   Risk Management - identifying and assessing risk that may affect the ability to achieve objectives, applying risk management to gain competitive advantage and determine risk response strategies and control activities.
   Compliance - operating in accordance with objectives and ensuring adherence with laws and regulations, internal policies & procedures, and stakeholder commitments.
3. Governance, Risk & Compliance...
   GRC provides a framework and a methodology to enable those responsible for managing the business to give confidence to those who are accountable to shareholders and to regulators that corporate objectives are being met.
4. Business drivers for an integrated approach to Governance, Risk and Compliance
   (diagram: the drivers below surround "Governance, Risk and Compliance")
   • Increased complexity due to globalisation
   • Increased regulations
   • Increasing competitive pressures
   • New technologies
   • Ethical and financial scandals
   • Integrity-driven performance expectations
   • Transparency and accountability demands
   • Increased demands from stakeholders
5. Risk
   • In simplified Chinese the word risk is composed of two characters; one represents danger, and the other represents opportunity.
6. Definition of Risk
   “Risk is a measure of future uncertainties in achieving program performance goals and objectives within defined cost, schedule, and performance constraints.” [1]
   “...an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective.” [2]
   Likelihood of an event occurring. The consequence if such an event occurs.
   [1] Risk Management Guide for DoD Acquisition, Sixth Edition, DoD, DAU, August 2006
   [2] Project Management Institute PMBOK®, 2008, Fourth Edition
7. Enterprise Risk and Compliance - Drivers and Trends
   Drivers:
   • Multiplicity of risk and regulations
   • Distributed operations and relationships
   • Interdependency of risk
   • Increased accountability
   • Fragmentation and duplication of effort
   2009 – 2010 trends:
   • Establishment of risk and compliance architecture
   • Development of risk intelligence
   • Implementation of GRC platforms
   • Centralized communication and training on corporate policies and procedures
   • Continued evolution of the CxO responsible for GRC
8. Risk Sensors
   Risk Sensors can provide automated inputs from low level data:
   • to demonstrate compliance to legislation and regulation (and non-compliance)
   • to demonstrate working controls (and not working controls)
   • to highlight risks / threats
   • to identify incidents
   • to highlight possible data leakage
   • to identify potential reputation damage
   • + many more……
9. Example of Sensors
   Sensors to detect events
   System monitors
   • Vulnerability assessment, configuration and policy compliance
   Network traffic monitors
   • Intrusion detection, Intrusion prevention, Firewalls, Routers
   Access and identity monitors
   • Failed logins, privilege escalation, Bio-metric identities
   Web site monitors
   • Pages visited, referred from
   End point monitoring
   • Data leakage
   • Anti-virus, anti-phishing, Malware detection
   Others
   • Event and Audit log collection – OS, Infrastructure, applications
   • CMDB systems
   • Incident management
   • Backup software, Business continuity management
   • IT Security Information (intelligence feeds)
   Emerging
   • Virtualised environments / ‘Cloud’ computing
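Slide 8 says a risk sensor should turn low-level data into evidence of working and not working controls, and slide 9 names failed logins and privilege escalation as inputs from access and identity monitors. The Python sketch below is an added example, not code from the presentation or from JSL: it parses constructed syslog-style SSH and sudo lines, counts failed logins per source address, treats a login accepted from a source that has already hit the lockout threshold as evidence that the lockout control is not working, and treats a sudo-to-root by a user outside an assumed authorised set as evidence that the privilege-escalation control is not working. The sample lines, the threshold of 5, the control identifiers AUTH-LOCKOUT and PRIV-ESC-RESTRICTED, and the authorised set are all assumptions made for the example.

```python
"""Toy risk sensor: constructed auth-log lines -> control evidence for a GRC dashboard.

Added example; the log lines, threshold, control ids and authorised set are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input in a syslog-like shape (not real data; RFC 5737 test addresses).
SAMPLE_LOG = """\
Oct 09 10:01:02 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 51111 ssh2
Oct 09 10:01:05 host1 sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 51112 ssh2
Oct 09 10:01:09 host1 sshd[103]: Failed password for root from 203.0.113.5 port 51113 ssh2
Oct 09 10:01:12 host1 sshd[104]: Failed password for root from 203.0.113.5 port 51114 ssh2
Oct 09 10:01:15 host1 sshd[105]: Failed password for ops from 203.0.113.5 port 51115 ssh2
Oct 09 10:01:20 host1 sshd[106]: Accepted password for ops from 203.0.113.5 port 51116 ssh2
Oct 09 10:02:00 host1 sudo:      ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Oct 09 10:03:11 host1 sshd[107]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Oct 09 10:03:30 host1 sshd[108]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Oct 09 10:04:45 host1 sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
"""

# Patterns for the three event kinds the sensor understands.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


@dataclass
class SensorReport:
    failed_by_source: Counter = field(default_factory=Counter)   # src address -> failed logins
    escalations: list = field(default_factory=list)              # (user, target, command)
    findings: list = field(default_factory=list)                 # (severity, message)
    controls: dict = field(default_factory=dict)                 # control id -> "working" / "not working"


def run_sensor(log_text, failed_threshold=5, authorised_sudoers=frozenset({"ops"})):
    """Scan log lines in order and derive risk findings plus per-control status."""
    report = SensorReport()
    # Assumed control ids; both are presumed working until the data shows otherwise.
    report.controls = {"AUTH-LOCKOUT": "working", "PRIV-ESC-RESTRICTED": "working"}

    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            src = m.group("src")
            report.failed_by_source[src] += 1
            # Raise the brute-force finding once, at the moment the threshold is reached.
            if report.failed_by_source[src] == failed_threshold:
                report.findings.append(("high", f"{src}: {failed_threshold} failed logins, possible brute force"))
            continue

        m = ACCEPTED.search(line)
        if m:
            src = m.group("src")
            # A lockout control that works would have blocked this source by now.
            if report.failed_by_source[src] >= failed_threshold:
                report.controls["AUTH-LOCKOUT"] = "not working"
                report.findings.append(("critical",
                    f"{src}: login for {m.group('user')} accepted after "
                    f"{report.failed_by_source[src]} failures; lockout control did not fire"))
            continue

        m = SUDO.search(line)
        if m:
            user, target, cmd = m.group("user", "target", "cmd")
            report.escalations.append((user, target, cmd))
            if target == "root" and user not in authorised_sudoers:
                report.controls["PRIV-ESC-RESTRICTED"] = "not working"
                report.findings.append(("critical", f"{user} escalated to root outside the authorised set: {cmd}"))

    return report


if __name__ == "__main__":
    result = run_sensor(SAMPLE_LOG)
    for control, status in result.controls.items():
        print(f"{control}: {status}")
    for severity, message in result.findings:
        print(f"[{severity}] {message}")
```

The point of the structure is that each finding is tied to a named control, so the same scan yields both the "highlight risks / threats" output and the "working / not working controls" evidence that slide 8 asks a sensor to provide; a real deployment would feed the `controls` dictionary into the GRC platform's control-assessment record rather than print it.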
10. What Are the GRC Management Challenges? Enterprise-Wide Responsibility
    (table, built up over two slides; the CEO spans all four columns)
    CFO / VP Finance: Reducing the total cost of GRC compliance
    • Reducing regulatory actions by reducing compliance violations
    • Eliminating multiple GRC solutions
    • Reducing internal organizational cost of risk exposure and cost of mitigation or acceptance
    Chief Compliance Officer (CCO): Increasing efficiency & consistency of compliance processes
    • Timely notification of control issues, material weaknesses and violations
    • Planning and oversight of compliance management resources
    • Implementing IT platform for GRC standardisation, simplification & audit
    Chief Risk Officer (CRO): Balancing the range of enterprise risks
    • Evaluating business requirements and technical risk management capabilities
    • Accurate and comprehensive information on financial exposure, compliance and security
    CIO: Ensuring auditable, secure information
    • Automating GRC information risk management
    • Identifying and implementing optimal detective & preventative controls
11. (same slide with the CEO label added; content as above)
12. GRC – What are the objectives?
    Governance
    • Ultimately, Governance determines what the Board is responsible for and to what degree it entrusts day-to-day administration to the CEO, the management team and perhaps below.
    Knowledge Management
    • In creating a shared governance, risk and compliance environment, software supports performance objectives by regulation, standards and policy to whatever degree the Board wants.
    Process
    • Crucially, software enables linkage of roles, processes and assets. Plan, Do, Check, Act (PDCA) processes should be effectively managed in a single framework, so the organization as a whole is better governed.
    Technology
    • Convergence of data, status, actions and incidents must be easily monitored, providing visibility and control to the business.
13. Today’s organizations are concerned about:
    • Risk Management
    • Governance
    • Control
    • Assurance
14. Enterprise Risk Management
    (three-column diagram resting on Corporate Strategy and ERM)
    PROTECT: “How Do I Reduce Business Risk?”
    • Risk Analysis
    • Risk Assessment
    • Business Continuity Planning
    • Business Resilience
    OPTIMIZE: “Is my current Risk level in control?”
    • Business Risk Monitoring
    • Risk Responsiveness
    • Tolerance
    • Controllable Risks
    • Non-Controllable Risks
    GROW: “How Do I take more Intelligent Risks?”
    • Disciplined Decision Making
    • Risk Timing
    • Business & Technology Innovation
    • Increased Shareholder Value
    • Industry Leadership
15. Primary Drivers for Implementing ERM
    Rank  Driver                                                   Percent
    1     Corporate governance requirements                        66%
    2     Greater understanding of strategic and operating risks   60%
    3     Regulatory pressures                                     53%
    4     Board request                                            51%
    5     Competitive advantage                                    41%
16. Highest Priority ERM Objectives
    Ensure risk issues are explicitly considered in decision making          44%
    Avoid surprises and “predictable” failures                               40%
    Align risk exposures and mitigation programs                             24%
    Institute more rigorous risk measurement                                 19%
    Integrate ERM into other corporate practices like strategic planning     17%
17. The Growing Influence of Risk Management
    A majority of companies are choosing ERM… (survey chart)
      Preparing / Developing / Implementing   56%
      Positively disposed                     35%
      Have rejected                            9%
    …and ERM is seen as an increasingly important responsibility (degree of importance, by role)
      Role            Very high   Significant   Somewhat or less
      Board           29%         36%           35%
      CEO             39%         29%           32%
      CFO             46%         38%           16%
      Internal audit  50%         30%           19%
18. Enterprise Risk Management — An Integrated Framework
    An ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
19. The ERM Framework
    Entity objectives can be viewed in the context of four categories:
    • Strategic
    • Operations
    • Reporting
    • Compliance
20. The ERM Framework
    ERM considers activities at all levels of the organization:
    • Enterprise-level
    • Division or subsidiary
    • Business unit processes
21. The ERM Framework
    The eight components of the framework are interrelated …
22. ERM Roles & Responsibilities
    Management
    • The board of directors
    • Risk officers
    • Internal auditors
23. Key Implementation Factors
    1. Organizational design of business
    2. Establishing an ERM organization
    3. Performing risk assessments
    4. Determining overall risk appetite
    5. Identifying risk responses
    6. Communication of risk results
    7. Monitoring
    8. Oversight & periodic review by management
24. Getting glasses: how GRC software platforms help organizations regain control
    Frequently, individuals or departments get bogged down in one area of compliance, such as Sarbanes-Oxley (SOX) or privacy laws, but fail to realize that compliance is an octopus-like challenge. Managing this many-tentacled beast requires that an organization establish a technology architecture for Governance, Risk, and Compliance (GRC).
    What is the value of the GRC software platform?
    • The GRC software platform enables an enterprise risk and compliance strategy; the software is not a strategy itself.
    GRC software platforms must be:
    • Sustainable
    • Consistent
    • Efficient
25. What is a GRC software platform and what does it do?
    The GRC software platform is the technology heart of the GRC architecture — it provides a single system of record for defining, maintaining, and monitoring Governance, Risk and Compliance.
    GRC platforms create centralized systems of record for the entire business in four areas:
    1. Policy, procedure, and control documentation maintenance and communication
    2. Risk and control assessment processes
    3. Risk analytics, modeling, and reporting
    4. Loss, event collection, and investigations management
26. Usage varies across:
    Business executives. Executives use the software to monitor the state of risk and compliance, as well as to monitor corporate losses — driving strategic decisions and management of the organization.
    Risk and compliance officers/managers. These executives typically represent the heaviest users of the software and are focused on the day-to-day management of risk and compliance content and processes.
    Business unit and process managers. These executives must use the software to answer risk and control assessments and monitor the state of risk and compliance in their individual areas of responsibility.
    Employees, contractors, consultants, and temporary workers. The system helps every member of the firm read, acknowledge, and receive training on policies and compliance issues that pertain to their individual responsibilities.
    Business partners. Business partners (e.g., suppliers, contractors, outsourcers) work with the system in conducting contract and control assessments to attest to their performance against contractual requirements.
27. The technical support GRC software platforms need to succeed
    Achieving integration across the four capability areas that are considered essential for governance, risk, and compliance software platforms — policies/controls, assessment, analytics, and loss/investigations — requires that GRC software platforms have four integrated areas of technical functionality to deliver on these features.
    Enterprise content management. GRC starts as a content problem. As organizations struggle to manage an assortment of risk assessment and compliance examination documentation, organizations first look for content management capabilities to categorize, store, retain, and manage access to this sensitive information.
    Business process management. After gaining control of content, organizations then look to drive efficiency into their GRC processes through process management and workflow technologies. Specifically, they require a platform that provides collaboration and automation of risk and compliance processes.
    Enterprise applications. Next, organizations look for further automation of control monitoring and enforcement alongside the monitoring and measurement of risk by gathering information directly from enterprise applications.
    Business intelligence/business analytics. Finally, after solving the content, process, and enterprise integration challenges of risk and compliance comes the reporting and communication requirements delivered through business intelligence and analytic features.
28. GRC software platforms — four capability areas
29. Recommendations
    Define your risk and compliance architecture.
    • A GRC software platform is not a silver bullet to manage risk and compliance — no technology is.
    • Start with defining your GRC vision.
    • Develop your long-term strategy for GRC.
    • Be selective in the platform you choose.
    • Get your feet wet first!
30. Common Pitfalls
    • Unclear or ‘moving goalpost’ objectives
    • Different ‘agendas’
    • Too much detail to analyse
    • Too much effort or insufficient knowledge
    • Insufficient resource, takes too much time
    • Answers lead to more questions
    • Can’t articulate benefits to the business
31. Risk and compliance landscape
32. About JSL
    JSL Limited, set up in 1970 by the steel visionary Mr. O.P. Jindal, has grown from an indigenous single-unit steel plant in Hisar, Haryana to the present multi-billion, multi-national and multi-product steel conglomerate. The organization is still expanding, integrating, amalgamating and growing. An ISO 9001 & ISO 14001 company, it is the flagship company of the Jindal Organization.
    Total Revenue (FY 2008-2009): USD 2 billion
    Manufacturing Plants
    • Hisar (Haryana)
    • Vizag (Andhra Pradesh)
    • Indonesia
    • Kalinganagar, Orissa – the largest integrated green field project in Stainless Steel, globally
    Hisar Plant: At Hisar, JSL has India's only composite stainless steel plant for the manufacture of Stainless Steel Slabs, Blooms, Hot Rolled and Cold Rolled Coils, 60% of which are exported worldwide.
    • Slabs
    • Blooms
    • HR & CR Coils
    • Precision Strips
    • Blade Steel
    • Coin Blanks
    The present production capacity of the plant is 6,00,000 TPA, which is being expanded to 7,20,000 TPA. With the commissioning of the Plant in Orissa in 2010, the capacity will be approximately 12 million tpa. An exclusive complex for manufacturing stainless steel for razor and surgical blades has been created. A coin blanking line has also been installed. The major export destinations are China, Bangladesh, Vietnam, South Africa, Russian Federation, Ukraine, Belgium, Italy, Greece, UK, and USA.
33. JSL’s Integrated ERM Framework
    Integrate ERM in Corporate Compliance and Governance Activities
    (diagram linking Internal Controls (ICS), Sarbanes Oxley (SOX), Risk Management (RM) and Finance Planning and Analysis (FP&A))
    • Integrate key risk processes and systems
    • Understand our risk appetite
    • Sustain a risk-based approach to improving and managing Corporate compliance and governance
    • Use Risk Review Group to increase multi-disciplinary risk education, awareness and information sharing
34. JSL’s ERM Process
    1. Determine priorities for ERM via Risk Review Group and Board
    2. Identify Executive Sponsor in area to be assessed
    3. Interview key executives in multiple functional areas re: their perceptions of key risks facing the company and their quantification of the probability, severity and current management effectiveness at managing the risk – the discussion is the most important aspect
    4. Consolidate interview results, identify key risks and report back to Executive Sponsor and collect feedback
    5. Share final report with Corporate Executive Sponsors and Audit Committee
    6. Facilitate discussions/workshops with risk owners wrt decisions re: identified key risks
    7. Track progress via Ops Reviews, Risk Review Group, Internal Audit Schedule and integrate with business planning
35. FY 2009 - 2010 ERM Objectives
    • Enhance understanding of risks affecting the Group & the drivers of those risks
    • Raise the level of ERM awareness & education within JSL & externally
    • Integrate risk management with existing processes – investment management, strategic planning & business development
    • Continue to integrate risk management with line management processes
36. Thank You
