In a rapidly changing world, companies struggle to keep up with constantly shifting compliance obligations and risk exposure, both external and internal. Regulatory pressure and growing executive demand for risk insight present evolving challenges for risk, audit, and compliance professionals who are being asked to do more with less. Governance, Risk, and Compliance (GRC) tools help organizations integrate their assurance activities across the three lines of defense, run more efficient and effective assurance programs, and ultimately sustain those programs. Companies at the beginning of the GRC technology implementation lifecycle often fail to think through all of the components and key activities necessary for a successful initiative. Those that forge ahead without analysis and planning may find that they missed opportunities to converge their risk and compliance programs, that their business processes were not ready for automation, that the new technology does not work as anticipated, and that completion timelines cannot be met. Without proper planning, companies may never use their GRC tools to full potential or realize the value promised to management and key stakeholders.
The Journey to Integrated Risk Management: Lessons from the Field
1. The Journey to Integrated Risk Management: Lessons from the Field
3. Agenda
• Introductions
• What does Integrated Risk Management look like?
• KPMG’s Enterprise GRC Life Cycle
• Vision & Strategy
• Use Cases, Convergence, and Foundational Elements
• Program Management
• People & Training
• Technology Enablement
• Q/A
4. With you today:
• Brian Link, VP GRC Strategy & Partnerships, link@resolver.com
• Melinda Mothander, Enterprise GRC Manager, Washington, DC, mmothander@kpmg.com
• Clyde Tsai, Enterprise GRC Director, San Francisco, ctsai@kpmg.com
6. Integrated Risk Management
Today's Challenges (diagram: business functions, assurance functions and stakeholders, each fed by separate reports)
Business functions and dimensions: Legal entities; Geographical regions; Audit; Product Development; IT; Legal and Regulatory; Human Resources; Shared Services and Support; Finance; Operations; Sales and Marketing
1st line Business: Risk, Controls, Policies
Risk: ERM, Ops Risk, Model Risk, Risk Policy Office
Compliance: SOX, AML, CCAR, Reg Change, Policy, Reg Exam
Info Sec, IT Risk, BCP, IT DR, IT GRC
Internal Audit
Business and risk management information flows to internal stakeholders (Board/Committees; Executive/Senior Management) and external stakeholders (Auditor; Regulator; Rating Agency)
Today's reports: Control reports; Risk reports; Compliance reports; Issue mgt reports; Audit reports; Quarterly deficiency; SOX reporting; Quarterly assessment; Risk Appetite Statement & Risk Policies; CRMP; Open issues; Past due issues; Audit plan; Audit committee; External audit report; Closed issues; Regulatory Mapping Inventory; Policy Reports
Pain Point Themes: Fragmented Data Collection; Siloed Technologies; Inconsistent and Outdated Reporting; Assurance Fatigue; No single source of 'Truth'; Increased Regulatory Findings; Excessive Compliance Costs; Inability to aggregate risk data; Suboptimal Risk Management; Inefficiencies; Chaos
Benefits of an Integrated GRC Program enabled by technology (eGRC Program Convergence & Foundation): Consistent Data; Single source of 'Truth'; Integrated Reporting; Reduced Assurance burden on Business; Increased Efficiencies; Reduced IT Costs; Proactive Risk Management; Increased risk ownership and awareness (improved 'Risk Culture'); Fewer compliance / regulatory findings; Linkage of risk to strategic objectives
Future state (diagram): the same business functions and internal/external stakeholders are served through a common eGRC Technology/Technologies layer rather than function-by-function reports.
7. Evolution of GRC Technologies and GRC Programs
(diagram: maturity on the vertical axis, time on the horizontal axis)
Evolution 1, Single Tool: Internal Control Tracking Tool; Internal Audit Workpaper Tool; Risk Excel Files
Evolution 2: Internal Control (SOX) Tool; Internal Audit; Risk Assessments (ERM & RCSA); Compliance SharePoint; Information Security Repository; Business Continuity Word Files
Evolution N, Integrated GRC Technology Ecosystem: SOX; Internal Audit; Risk (ERM & Ops Risk); Compliance; Information Security; Business Continuity; integrated with Business (1st Line) ERP System, Risk Data, Compliance/Control, Policy, and Issue/Gap Data
From discrete tools for limited functions... to an increase in tools to support multiple risk and compliance functions... to an integrated program & technology ecosystem!
8. KPMG's Enterprise GRC Life Cycle
Technology Transformation Components:
• Vision & Strategy
• Use Cases, Convergence, & Foundational Elements
• Technology Enablement
• Program Management
• People & Change
• Vendor Selection
9. Vision and Strategy
• GRC vision tied to strategic objectives
• Executive and stakeholder commitment
• Roadmap for the GRC journey
Key Activities Include:
• GRC guiding principles
• GRC high-level road map
Tips for success:
• Obtain executive and stakeholder buy-in and commitment at the onset
• Develop a program governance structure
• Define and communicate the GRC program vision
• Develop a roadmap to outline key activities and sequencing
10. Use Case, Convergence & Foundational Elements
• Taxonomy elements for a common language
• Future state process flows
Key Activities Include:
• Defined approach
• Taxonomy and hierarchy of elements
Tips for success:
• Document a foundational element inventory
• Conduct a foundational element proof of concept
• Plan towards the end state; identify and address potential "red flags"
• Develop and execute a data rationalization strategy
11. Program Management
• Establishes the structure to manage and report activities
• Encompasses clearly defined roles and responsibilities
Key Activities Include:
• Core team RACI
• Project plans
Tips for success:
• Verify identification of program stakeholders
• Define project roles, responsibilities and accountabilities
• Communicate regularly to program stakeholders
12. People and Change
• Communication strategy & plan
• Highlight the change agents or champion networks
• Provide a consistent message to all stakeholders
Key Activities Include:
• Communication plan
• User-group-specific training
Tips for success:
• Determine and communicate the guiding principles
• Create consistent messaging
• Develop and conduct regular training
• Validate communication effectiveness
13. Technology Enablement
• Configuration, data migration, and technology testing efforts
• Linkage between business requirements and business process design
• Requirements to system mapping/proof of concept
• Testing strategy, performance testing and User Acceptance Testing (UAT)
Key Activities Include:
• Execute system integration testing
• Develop and execute a deployment checklist
Tips for success:
• Verify that requirements and desired functionality align
• Agree on the "go / no-go" criteria
• Develop a training strategy that considers timelines
• Create a strategy to guide UAT efforts
• Develop and include user adoption strategies
14. Top 5 GRC Technology Tips
• Tone from the top and stakeholder alignment are critical
• Business process before technology
• Begin with the end in mind, but select a handful of initial use cases
• Focus on common language and convergence
• Communicate, Communicate, Communicate!