Advantages of an integrated governance, risk and compliance environment

Risk management is increasingly becoming a strategic, executive-sponsored solution that many organizations view as providing a competitive advantage. When companies have an aggregated view of all the different kinds of risk and compliance data, they can start to generate insights about how to run the business better. In this presentation, learn why and how to empower business leaders to make more risk-aware decisions with visibility across controls and associated issues and actions throughout the organization.

Published in: Government & Nonprofit
Advantages of an integrated governance, risk and compliance environment

  1. Is your organization making risk-aware decisions?
  2. Companies are seeking to embed Governance, Risk and Compliance (GRC) into the fabric of the organization—allowing business managers and leaders to make more risk-aware decisions.
  3. Why? Because GRC impacts every aspect of an organization… (diagram labels: Operational Risk, Compliance, IT Governance, SOX, EUC, Audit, Vendor Risk Management, Business Continuity Management, Policy Management, Model Risk Governance, Data Security)
  4. GRC has many disciplines that also interact with each other in a complex web. (same diagram labels as slide 3)
  5. A lack of visibility into policy could set off a series of events across controls and associated issues and actions. (same diagram labels as slide 3)
  6. Who would benefit most from an aggregated view of GRC? (diagram labels: Business & Risk Owners, Executive Oversight Teams, Regulators, Process Owners, Compliance Teams, Audit Teams)
  7. An aggregated view informs key individuals how issues and actions may affect the organization and departments within it. (same diagram labels as slide 3)
  8. For example, an internal audit team conducts a test of an organization’s IT control—changing of passwords… (diagram labels: IT Governance; LDAP; Unauthorized Access Risk; Processing Systems; CRM; ERP; HR Systems; NA Data Center Security; Secure Logins; Password Security; Control Test "Review password changes and exceptions"; Audit Section; Workpaper; Audit; Control "Change passwords every 60 days.")
  9. The result of that test has a knock-on effect to multiple areas of the business. (diagram labels: Operational Risk Mgmt: Business Area "Retail Banking …", Process "Processing and Operations …", Subprocess "Payment, Settlement and Collections …"; Policy and Compliance Mgmt: Business Area "Reg. Library …", Mandate "FFIES Info Security …", Sub-mandate "Exam Tier II Obj A.4 … (Authentication)"; Financial Controls Mgmt: Business Area "Finance …", Process "Purchasing and Payments …", Subprocess "Adjustments and Payments …"; Shared Control: NA Data Center Security, Secure Logins, Password Security, Control Test "Review password changes and exceptions", Audit Section, Workpaper, Audit, Control "Change passwords every 60 days.")
  10. It finds that the policy of regularly changing passwords has not been enforced in key systems. (diagram adds to slide 9: Risk "Unauthorized Access" under Operational Risk Mgmt; Requirement "Change Passwords on Regular Basis" under Policy and Compliance Mgmt; Risk "Invalid or Unapproved Entries" under Financial Controls Mgmt)
  11. A breach of those passwords could impact the system’s operations and compromise key processes in various lines of business. (same diagram labels as slide 10)
  12. The impact to the business if risks like these are incurred could be significant. So what is keeping organizations from integrating and optimizing GRC?
  13. There are complexities and challenges to integrating systems and creating a single view of nonfinancial risk: siloed people, data, knowledge, projects; defining system interlock (granularity, lookup, golden source); lack of executive sponsorship and alignment; lack of skills, adoption, engagement, agile self-service; data integration issues (middleware, API, ETL); defining workflow and reporting across multiple systems.
  14. Because of these issues, GRC is still at the departmental level for many organizations... (maturity diagram: Unaware: no visibility, no understanding of how GRC is interconnected, few (if any) IT resources are allocated. Departmental Initiatives: Fragmented: tactical, siloed approach to GRC, no integration or sharing of information, too much reliance on fragmented technology; Integrated: recognizes the need for greater GRC integration, strategic approach, mature processes, good reporting and trending at the department level. Source: GRC Maturity: From Disorganized to Integrated Risk and Performance, Corporate Integrity, 03/12)
  15. While advanced and forward-thinking organizations have adopted enterprise GRC. (maturity diagram continues with Enterprise GRC: Aligned: strategic approach to GRC across departments, silos are eliminated, leverages GRC to realize business benefits; Optimized: GRC is integrated throughout the business and is part of strategic planning, extensive measurement and monitoring of GRC in the context of business. Same source as slide 14)
  16. How do organizations achieve an integrated and optimized GRC?
  17. Here are our recommendations: secure a strong corporate sponsorship; create a strategy for integrating all aspects of GRC; centralize on one Enterprise GRC software vendor; prioritize GRC projects; establish a centralized GRC solutions team; leverage big data and AI to create a sophisticated risk warning system.
  18. An aggregated view from a standardized Governance, Risk & Compliance deployment: (diagram only)
  19. There are tangible advantages to creating this aggregated view of GRC: improved alignment of objectives with mission, vision and values of the organization, resulting in better decision-making agility and confidence; leveraging cognitive capabilities to improve quality of information and user interaction and to reduce manual tasks; reduced costs in maintaining duplicated controls, tests, issues, actions and reporting across multiple disciplines; reduced IT costs by consolidating on a single GRC solution.
  20. Learn more about IBM solutions for governance, risk and compliance. ibm.com/OpenPages
