Governance Risk Compliance
          A Luxury Good in Hard Times?
2/10/10
Grc (V3) Brown Yarberry For Feb 10th Keynote Presentation

Published: Information Week Virtual Trade Show. Topic: Governance, Risk, Compliance. Keynote speech.

Why the GRC emphasis in the last 5-10 years?

• Lots of reasons:
  – Worldwide complexity and specialization. Risk is less “bounded.”
  – Global trend of transparency for both emerging and industrialized nations.
  – The usual suspects (Enron, WorldCom, Madoff, etc.) widely reported; stakeholders demand more accountability.
  – Changing structure of work. Industrial management models do not fit today’s less hierarchical, more distributed structures. Appropriate GRC systems provide flexibility while keeping risk in check.
  – Higher accountability for the Board of Directors.
  – Calls for increased regulation and control spawned by the recession.

Is GRC really a luxury good?

• Risks don’t decrease in hard times.
• Cost management is always in style.
• If there was ever a bad time for a major project to fail, that time is now.
• Letting governance slip could be a CLM (career-limiting move): auditors are quick to note declines in governance, and they report to the Board.
• GRC tools are growing in power and value every day, but “home grown” is better than nothing.

Frameworks & Tools

• Frameworks: mental constructs, not dependent on time, place or technology. Mostly words.
• Tools: programs, databases and other artifacts that allow the framework to be realized.

Select the framework(s) that fit. No need to use all of it. Mix & match is OK.

Frameworks often sound like bureaucrat-speak, but when properly implemented, they work.

CobiT

Common IT framework, accepted by the “Big 4” and other auditing firms as a reliable framework.
Source: CobiT 4.1, Information Systems Audit and Control Association (ISACA)

A Plethora of Governance Mechanisms
(figure; source: Information Systems Control Journal, volume 2, 2008, p. 25)

GRC Maturity Model
(figure)

Match your framework(s) to your IT strategy/architecture – layer by layer
(figure)

Match your framework(s) to your IT strategy/architecture – layer by layer

Tools named on the slide, by layer:
• Network management/monitoring: SolarWinds, WhatsUp Gold
• IDS: Alert Logic
• Log manager: Alert Logic
• Antivirus: McAfee
• Email spam: Cisco IronPort, Vamsoft ORF, Barracuda
• Also listed: iCIMS Applicant Tracking, Approva, Oracle, SAP GRC, SOD reporting using Excel (custom), AON Risk Service

GRC is the glue that keeps the architecture together
(figure)

PMO
(figure; source: The Effective CIO, CRC Press)

SDLC – “Post it” Notes for Governance
(figure)

Let the SDLC anchor your governance processes for projects
(figure)

Risk Models for Projects
(figure)

Annual risk assessment
(figure)

PMO challenges

• Changing the culture.
• Making projects & progress visible to the right people.
• Prevents use of “enhanced” numbers by project sponsors – with no follow up.
• Creates metrics to measure success.
• Develops structure to force logical rather than emotional estimates.
• Enforces the methodology.

PMO Dashboard
(figure)

PMO History
(figure)

GRC serves IT, general business processes or both
(figure)

GRC focus areas
(figure)

GRC Packages – Narrow Focus/vertical

Examples:
• Applicant tracking system. The Office of Federal Contract Compliance Programs (OFCCP) can levy fines if hiring practices are not in compliance.
• Risk tracking (focus on insurance). Feeds from insurance carriers interfaced with fleet information, such as number of miles logged, hours driven, accidents, claims.

GRC packages …. A few suggestions

• GRC touches so many groups that the chances of duplication are high.
• Make sure your package has hooks for customization (SDK, API, etc.).
• Decision point: industry-specific or generic package.

GRC package selection is no different from other software – do your due diligence
(figure)

GRC Package Examples
(figure: example 1, example 2)

One-off governance examples
(figure: example 1, example 2)

Governance using packages augmented with in-house developed tools

• Reporting and enforcement tightly coupled with real-time events.
• Controls enforcement, credit risk management analytics, SOD, configuration management, fraud alerts, odd behaviors, hierarchical approvals …

Metrics are the raw fuel of good governance
(figure)

WIP …..
(figure)

Some examples of improving GRC “on the cheap”

• Use your accounting system to improve granularity of expenditure reporting.
• Create as many accounts/sub-accounts as you need.
• “Chunk” projects for better control.

GRC tools include not only software/consulting from providers but also in-house documents and strategies. You can do a lot with existing resources.

• Policies and procedures may be tedious. Yet thinking through P&P forces a useful governance discipline.
• Technical architecture. It can be five pages or five hundred, but you need one. A stable delivery platform requires structure rather than ad hoc decisions in times of stress.

Another in-house example

• Security turnaround document – send an access rights listing to supervisors and have them send back deletions for employees & contractors who are gone or who no longer need specific access (consider it as backup for your primary security process).
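The script below is an added example, not part of the keynote and not the export of any package it names. It implements the security turnaround document from this slide together with the custom SOD (segregation of duties) reporting mentioned on slides 11 and 28: it splits an access-rights listing into one document per supervisor, applies the deletions that come back, flags every entitlement whose supervisor never answered, and then checks the post-deletion state for users holding conflicting roles. The listing, the supervisor responses, the conflict pairs and the field names (user, system, role, supervisor, type) are all constructed sample data and an assumed schema.

```python
"""Security turnaround document with a segregation-of-duties check.

Added example, not part of the keynote. All data below is constructed
sample data; the field names (user, system, role, supervisor, type)
are an assumed schema, not any vendor's export format.
"""
from collections import defaultdict

# Constructed access-rights listing: one row per entitlement.
ACCESS_LISTING = [
    {"user": "alice", "system": "ERP", "role": "AP_INVOICE_ENTRY",
     "supervisor": "carol", "type": "employee"},
    {"user": "alice", "system": "ERP", "role": "AP_PAYMENT_RELEASE",
     "supervisor": "carol", "type": "employee"},
    {"user": "bob", "system": "ERP", "role": "GL_POSTING",
     "supervisor": "carol", "type": "contractor"},
    {"user": "dave", "system": "HR", "role": "PAYROLL_ADMIN",
     "supervisor": "erin", "type": "employee"},
    {"user": "frank", "system": "HR", "role": "PAYROLL_VIEW",
     "supervisor": "erin", "type": "contractor"},
    {"user": "gina", "system": "CRM", "role": "SALES_ADMIN",
     "supervisor": "hank", "type": "employee"},
]

# Constructed SoD rules: pairs of roles one person must not hold together.
SOD_CONFLICTS = [
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
    frozenset({"PAYROLL_ADMIN", "GL_POSTING"}),
]

# Constructed turnaround responses: each supervisor returns the
# (user, system, role) entries to delete. A supervisor who never
# responds is simply absent from this dict.
RESPONSES = {
    "carol": [("bob", "ERP", "GL_POSTING")],  # contractor has left
    "erin": [],                               # reviewed, nothing to remove
}


def entitlement_key(row):
    return (row["user"], row["system"], row["role"])


def turnaround_documents(listing):
    """Group the listing by supervisor: one document per reviewer."""
    docs = defaultdict(list)
    for row in listing:
        docs[row["supervisor"]].append(entitlement_key(row))
    return {sup: sorted(keys) for sup, keys in docs.items()}


def apply_deletions(listing, responses):
    """Split the listing into rows kept and rows a supervisor deleted."""
    to_remove = {key for keys in responses.values() for key in keys}
    kept, removed = [], []
    for row in listing:
        (removed if entitlement_key(row) in to_remove else kept).append(row)
    return kept, removed


def unattested(listing, responses):
    """Rows whose supervisor never returned the document. These rights
    are unconfirmed: the control has a gap here, not a clean result."""
    return [row for row in listing if row["supervisor"] not in responses]


def sod_violations(listing, conflicts):
    """Users holding both roles of any conflict pair."""
    held = defaultdict(set)
    for row in listing:
        held[row["user"]].add(row["role"])
    return sorted(
        (user, tuple(sorted(pair)))
        for user, roles in held.items()
        for pair in conflicts
        if pair <= roles
    )


def run_review(listing, responses, conflicts):
    """Full turnaround cycle: apply deletions, then report what is still
    unconfirmed and what still violates SoD after the deletions."""
    kept, removed = apply_deletions(listing, responses)
    return {
        "removed": sorted(entitlement_key(r) for r in removed),
        "unattested": sorted(entitlement_key(r) for r in unattested(kept, responses)),
        "sod": sod_violations(kept, conflicts),
    }


if __name__ == "__main__":
    for supervisor, entries in turnaround_documents(ACCESS_LISTING).items():
        print(f"Turnaround document for {supervisor}: {entries}")
    for section, rows in run_review(ACCESS_LISTING, RESPONSES, SOD_CONFLICTS).items():
        print(f"{section}: {rows}")
```

The unattested list is the part a "backup" control most needs: a supervisor who never returns the listing leaves those rights unconfirmed, and reporting them as reviewed would hide the gap. The SoD check runs on the post-deletion state, so a deletion that resolves a conflict is credited and one that does not still shows up.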
Active Management of Contracts
(figure)

Actively Manage Contracts – a win/win in the long run

• Note that contracts from large vendors are not necessarily fixed in stone. They will often work with you.
• Facilitate negotiations by converting draft vendor contracts in PDF format to an editable document. After both sides reach agreement, the final document can be converted back to PDF.
• Set up a repository/tracking system.
• Centralize hardware/software purchases.
• Think through the entity name (corporate entity or subsidiary) used in the purchase, as well as “affinity language” or assignments.
• Insert price lists and price holds if appropriate.
• Work with your vendor to explicitly address auto-renewals.
• Include downturn scenarios in the final agreement.

Actively Manage Contracts – Work with your vendors to:

• Build mutually satisfactory caps on maintenance increases.
• Keep audit clauses reasonable and practical so that your vendor can be assured of compliance but the audit itself is not burdensome.
• Manage the accuracy of data that drives billing. You owe no more and no less than the contract requires. User name changes and confusion between corporate and subsidiary use of software should be monitored.
• Specify explicitly the pricing variance between “true-up” and unanticipated growth.

Actively manage contracts

• Routinely include non-disclosure agreements in your contracts (works both ways).
• Work with the supplier to lay out contract maintenance going forward.
• Obtain agreement on who owns the code. The decision could go either way, depending on a number of factors.

Some GRC issues are really close to home
(figure; source: www.bsa.org)

Getting in front of your auditors

• GRC, including self-audits, lets you know where you stand before the audit.
• Aside from fraud investigations, IT audits should not be a surprise … work with Internal Audit (IA) to separate best practices from essential governance requirements.

Wrap up. In difficult times:

• Don’t let GRC go.
• Do your homework (formal analysis) and acquire the tools that fit your business.
• Think beyond IT – your enterprise needs GRC (both vertical and horizontal) for many activities.
• Maintain/develop the PMO.
• Develop an architecture/roadmap.
• Avoid fragmented/duplicated efforts.
• Work with your auditors (internal and external).

Thank You. Questions?