The Journey to Integrated
Risk Management:
Lessons from the Field
3
Agenda
• Introductions
• What does Integrated Risk Management Look like?
• KPMG’s Enterprise GRC Life Cycle
• Vision & Strategy
• Use Cases, Convergence, and Foundational Elements
• Program Management
• People & Training
• Technology Enablement
• Q/A
4
With you today:
Brian Link
VP GRC Strategy &
Partnerships
link@resolver.com
Melinda Mothander
Enterprise GRC Manager
Washington, DC
mmothander@kpmg.com
Clyde Tsai
Enterprise GRC Director
San Francisco
ctsai@kpmg.com
5
[Figure: the INTEGRATED RISK MANAGEMENT cycle. Phases: PLANNING, PREPARATION, RESPONSE, RECOVERY, with the EVENT at the center. Cycle elements: Risk & Regulation; Policy & Control; Audit; Improve; Incident; Response; Report; Investigate; Analyze; Monitor; Improve.]
6
Integrated Risk Management
Today’s Challenges
[Figure: the organization’s dimensions, risk and compliance functions, stakeholders, and the reports flowing between them, shown before and after an eGRC program.]
Organizational dimensions:
• Legal entities; Geographical regions
• Business areas: Audit; Product Development; IT; Legal and Regulatory; Human Resources; Shared Services and Support; Finance; Operations; Sales and Marketing
Risk and compliance functions:
• 1st line Business: Risk, Controls, Policies
• Risk: ERM, Ops Risk, Model Risk, Risk Policy Office
• Compliance: SOX, AML, CCAR, Reg Change, Policy, Reg Exam
• Info Sec, IT Risk, BCP, IT DR, IT GRC
• Internal Audit
Business and risk management information flows to stakeholders:
• Internal: Board/Committees; Executive/Senior Management
• External: Auditor; Regulator; Rating Agency
Reports produced today: Control reports, Risk reports, Compliance reports, Issue mgt reports, Audit reports (Quarterly deficiency, SOX reporting, Quarterly assessment, Risk Appetite Statement & Risk Policies, CRMP, Open issues, Past due issues, Closed issues, Audit plan, Audit committee, External audit report, Regulatory Mapping Inventory, Policy Reports)
Pain Point Themes:
• Fragmented Data Collection
• Siloed Technologies
• Inconsistent and Outdated Reporting
• Assurance Fatigue
• No single source of ‘Truth’
• Increased Regulatory Findings
• Excessive Compliance Costs
• Inability to aggregate risk data
• Suboptimal Risk Management
• Inefficiencies
• Chaos
Benefits of an Integrated GRC Program enabled by technology (eGRC Program Convergence & Foundation, supported by eGRC Technology/Technologies):
• Consistent Data
• Single source of ‘Truth’
• Integrated Reporting
• Reduced Assurance burden on Business
• Increased Efficiencies
• Reduced IT Costs
• Proactive Risk Management
• Increased risk ownership and awareness – improved ‘Risk Culture’
• Fewer compliance / regulatory findings
• Linkage of risk to strategic objectives
In the future state the same organizational dimensions and stakeholders are served through the eGRC Technology/Technologies rather than through siloed tools.
7
Evolution of GRC Technologies and GRC Programs
[Figure: Maturity (vertical axis) against Time (horizontal axis), from single tools to an integrated ecosystem.]
• Single Tool: Internal Control Tracking Tool; Internal Audit Workpaper Tool; Risk Excel Files
• Evolution 1 and Evolution 2: Internal Control (SOX) Tool; Internal Audit; Risk Assessments (ERM & RCSA); Compliance SharePoint; Information Security Repository; Business Continuity Word Files
• Evolution N, the Integrated GRC Technology Ecosystem: SOX; Internal Audit; Risk - ERM & Ops Risk; Compliance; Information Security; Business Continuity, all fed by the Business (1st Line) ERP System, Risk Data, Compliance/Control, Policy, and Issue/Gap Data
From discrete tools for limited functions... to an increase in tools to support multiple risk and compliance functions… to an integrated program & technology ecosystem!
8
KPMG’s Enterprise GRC Life Cycle
Technology Transformation Components:
• Vision & Strategy
• Use Cases, Convergence, & Foundational Elements
• Technology Enablement
• Program Management
• People & Change
• Vendor Selection
9
Vision and Strategy
• GRC vision to strategic objectives
• Executive and stakeholder commitment
• Roadmap for the GRC journey
Key Activities Include:
• Obtain executive and stakeholder buy-in and commitment at the onset
• Develop a program governance structure
• Define and communicate GRC program vision
• Develop a roadmap to outline key activities and sequencing
Tips for success:
• GRC guiding principles
• GRC high-level road map
10
Use Case, Convergence & Foundational Elements
• Taxonomy elements for a common language
• Future state process flows
Key Activities Include:
• Document a foundational element inventory
• Conduct a foundational element proof of concept
• Plan towards the end state, identify and address potential “red flags”
• Develop and execute a data rationalization strategy
Tips for success:
• Defined approach
• Taxonomy and hierarchy of elements
11
Program Management
• Establishes the structure to manage and report activities
• Encompasses clearly defined roles and responsibilities
Key Activities Include:
• Verify identification of program stakeholders
• Define project roles, responsibilities and accountabilities
• Communicate regularly to program stakeholders
Tips for success:
• Core team RACI
• Project plans
12
People and Change
• Communication strategy & plan
• Highlight the change agents or champion networks
• Providing a consistent message to all stakeholders
Key Activities Include:
• Determine and communicate the guiding principles
• Create consistent messaging
• Develop and conduct regular training
• Validate communication effectiveness
Tips for success:
• Communication plan
• User group specific training
13
Technology Enablement
• Configuration, data migration, and technology testing efforts
• Linkage between business requirements and business process design
• Requirements to system mapping/proof of concept
• Testing strategy, performance and User Acceptance Testing (UAT)
Key Activities Include:
• Verify that requirements and desired functionality align
• Agree to the “go, no-go criteria”
• Develop a training strategy that considers timelines
• Create a strategy to guide UAT efforts
• Develop and include user adoption strategies
Tips for success:
• Executes system integration testing
• Develops and executes deployment check-list
14
Top 5 GRC Technology Tips
• Tone from the top and stakeholder alignment are critical
• Business process before technology
• Begin with the end in mind, but select a handful of initial use cases
• Focus on common language and convergence
• Communicate, Communicate, Communicate!
Q&A
© 2018 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with
KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved NDPPS 772654
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or
entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of
the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate
professional advice after a thorough examination of the particular situation.
kpmg.com/socialmedia
Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.