Business Process Management: The future of Security Management and Compliance

Presentation Transcript

1. Jeremy Wilde, Powertech Ltd, www.itgrc.eu

2. The GRC market (Governance, Risk and Compliance)
   - GRC is a global issue
   - Comprising many different initiatives: some regulatory, many policy driven
   - Cuts to the core of every business, regardless of geography or industry
   - Over $32B in spending in 2007 in the US alone (John Hegarty, AMR Research, 2008)

3. IT risk management is the biggest projected spend within the $30 billion

4. What is IT Compliance?
   - A broad-brush approach
   - Application of best practice: COBIT, ITIL, even TOGAF
   - An understandable, auditable level of quality and security
   - Compliance is, at least, the production of evidence of governance within the business process

5. Case studies
   - A US-based telecom company partially responsible for SOX (2004): over-scoped, expensive, paranoid
   - A UK bank present on the NYSE (2005): unprepared, changing goal posts, confused
   - A global oil giant (2006): prepared, risk managed, implementation of control self-assessment and a governance architecture

6. Gartner BPM conference, Sept 2008
   - GRC is a short-term, audit-driven need
   - Imposed regulations are forcing 'stovepipe' applications to cover them
   - This is the current GRC market, driven by requirements for legislation domain knowledge and a short time to implement
   - These are the two main weaknesses of BPM

7. However, business really wants..
   - Performance and risk management: workflow, risk management, simulation
   - These are strengths of BPM and lie within the BPM space
   - According to Gartner, expect to see BPM tools take over the GRC space

8. Risk Management and Business Performance Measurement
   - BPM suites will start to include risk management with modelling capability and built-in compliance
   - See the Microsoft Connected Information Security Group: http://blogs.msdn.com/cisg/default.aspx

9. Business Process Management
   - Provides a framework for managing complex processes
   - A top-to-bottom view of the processes and procedures within an organisation
   - Ready for the imposition of compliance
   - Assists change management

10. Abstraction of Business Rules (layer diagram; only the layer labels survive)
   - Presentation Layer
   - Business Process Layer: Process
   - Application Server Layer: App (Web), App (ERP), App (CRM), Integration, Partners
   - Integration Layer: Technical Integration
   - Database
   - Operating System

11. So what are we waiting for?
   - BPM is driven by the adoption and acceptance of industry standards: web services, XML, BPMN, component-based, process-centric, application integration
   - In terms of risk management: e.g. WS-Security, XML digital signatures, claims-based identity management

12. Delivery capability still seen as immature
   - Need greater confidence in these standards for mainstream adoption
   - Achieve 'verticalisation' of solutions
   - Form common practice for typical audit, reporting and monitoring needs
   - Provide compliance for 'vanilla' processes: procure to pay, order to cash

13. Compliance is a business project, so BPM can help..
   - BPM can provide a framework based on the compliance pain points, with a lot of technical detail already plumbed in
   - That then helps to capture domain expertise into the model
   - The all-important abstraction of flexible business rules, e.g. management approval

14. 'Differentiating' Processes
   - Innovation and readily changed collaborative processes are not good for this
   - We are looking for process-oriented processes, and we don't want to change them if we can help it
   - Change in a regulated environment is difficult

15. Business Processes are difficult
   - Can be temporally short or long
   - Automated, manual, or a mix
   - Simple or complex
   - Simple processes can span several operational applications
   - Orchestration of transactions and sub-processes can become very complex
   - Difficult to determine cause and effect within the overall enterprise
   - The Merrill Lynch rule

16. Processes hide complexity within
   - End user computing! Ownership! Vulnerabilities, risk controls! These are all problems...

17. Research and Analysis Problem 1: End User Computing
   - A business process that uses web services will also use relatively uncontrolled end user applications, including management workflows
   - End user computing covers a number of technologies, usually MS Office, data warehouse reports, SQL queries and, most commonly, spreadsheets
   - The majority of companies use spreadsheets, and many business decisions may be based upon spreadsheet modelling
   - A very problematic area within compliance projects and inherently difficult to control

18. Research and Analysis Problem 2: Ownership
   - Critical to compliance and security
   - The mapping of expertise, ownership and governance onto a process can be a complex and political task
   - Fraught with opportunities for conflict, it is a significant management task
   - TOGAF is brilliant for this: directs technical strategy, coordinates performance measurement, provides project management, centralises integration

19. Research and Analysis Problem 3: How secure do we need to be?
   - Risk analysis, simulation, costing, analysis of control effectiveness
   - Gartner again: the future of risk analysis is to apply risk factors to a business process and run simulations to understand the impact

20. Why am I here?
   - To find research partners and make an application to the EU FP7 or Eureka programmes
   - Research to focus on making solutions within this compliant BPM space, for the defined and other complexities
   - I have some ideas..

21. Who am I? Email is best: Jeremy@compliancetutorial.com
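The two technical threads of the deck, business rules held as data rather than code (slide 13, the "management approval" example) and Gartner's recommendation on slide 19 to attach risk factors to a process and simulate, can be shown together in a few dozen lines. The Python below is an added example, not part of the presentation and not Powertech's or Gartner's tooling. The "order to cash" process, its four steps, the three controls and every probability, loss and cost figure are constructed for illustration; none is a measurement from any company. The point it makes that the slides cannot is that once the process and its controls are data, the closed-form expected cost, the Monte Carlo estimate and the "what if this control were switched off" ranking all fall out of the same model.

```python
"""Risk simulation over a modelled business process (added example, constructed data)."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Step:
    name: str
    p_fail: float                 # probability the step goes wrong on one run (assumed)
    loss: float                   # loss per uncaught failure, currency units (assumed)
    control: Optional[str] = None  # name of the control that can catch it, if any


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float          # probability the control catches a failure (assumed)
    cost: float                   # cost of operating the control on one run (assumed)


# Constructed "order to cash" model: four steps, three controls, one uncontrolled step.
ORDER_TO_CASH: List[Step] = [
    Step("capture order", 0.02, 500.0, "order validation"),
    Step("credit check", 0.05, 2000.0, "management approval"),
    Step("ship goods", 0.01, 800.0),              # no control on this step
    Step("invoice", 0.03, 300.0, "three-way match"),
]
CONTROLS: Dict[str, Control] = {
    c.name: c
    for c in [
        Control("order validation", 0.90, 0.5),
        Control("management approval", 0.80, 3.0),
        Control("three-way match", 0.95, 1.0),
    ]
}


def expected_cost(steps: List[Step], controls: Dict[str, Control]) -> float:
    """Closed-form expected cost of one run: residual loss plus control overhead."""
    residual = 0.0
    for s in steps:
        ctl = controls.get(s.control) if s.control else None
        catch = ctl.effectiveness if ctl else 0.0
        residual += s.p_fail * (1.0 - catch) * s.loss
    return residual + sum(c.cost for c in controls.values())


def simulate(steps: List[Step], controls: Dict[str, Control],
             runs: int = 50_000, seed: int = 1) -> float:
    """Monte Carlo estimate of the same quantity: one failure draw per step,
    one detection draw per failure.  Seeded so results are reproducible."""
    rng = random.Random(seed)
    overhead = sum(c.cost for c in controls.values())
    total = 0.0
    for _ in range(runs):
        for s in steps:
            if rng.random() < s.p_fail:
                ctl = controls.get(s.control) if s.control else None
                caught = ctl is not None and rng.random() < ctl.effectiveness
                if not caught:
                    total += s.loss
        total += overhead
    return total / runs


def control_impact(steps: List[Step], controls: Dict[str, Control]) -> Dict[str, float]:
    """What-if analysis: expected cost increase per run if each control were removed."""
    base = expected_cost(steps, controls)
    impact = {}
    for name in controls:
        without = {k: v for k, v in controls.items() if k != name}
        impact[name] = expected_cost(steps, without) - base
    return impact


def rank_controls(steps: List[Step], controls: Dict[str, Control]) -> List[str]:
    """Controls ordered by how much losing them would cost, most important first."""
    impact = control_impact(steps, controls)
    return sorted(impact, key=impact.get, reverse=True)


if __name__ == "__main__":
    print(f"closed form : {expected_cost(ORDER_TO_CASH, CONTROLS):.2f} per run")
    print(f"simulated   : {simulate(ORDER_TO_CASH, CONTROLS):.2f} per run")
    for name, delta in control_impact(ORDER_TO_CASH, CONTROLS).items():
        print(f"without {name:<20} +{delta:.2f} per run")
```

With these constructed figures the management-approval control dominates the ranking, which is the kind of answer slide 19 asks for: it tells an auditor where control effectiveness matters and where a weak control is merely cost. Changing a threshold or effectiveness value is an edit to the data, not to the simulation code, which is the abstraction slide 13 argues for.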

Uploaded by powertech, 11 months ago

    custom

    302 views, 0 favs, 0 embeds more stats

Automated compliance by BPM and building security a

    More info about this document

    © All Rights Reserved

    Go to text version

    • Total Views 302
      • 302 on SlideShare
      • 0 from embeds
    • Comments 0
    • Favorites 0
    • Downloads 0
    Most viewed embeds

    more

    All embeds

    less

    Flagged as inappropriate Flag as inappropriate
    Flag as inappropriate

    Select your reason for flagging this presentation as inappropriate. If needed, use the feedback form to let us know more details.

    Cancel
    File a copyright complaint
    Having problems? Go to our helpdesk?