PRESENTATION
Governance, Risk Management & Compliance Insight
UK SMCR’s Breakfast on Accountability vs
Responsibility
The Chicken and the Pig
2019-11
© GRC 20/20 Research, LLC • www.GRC2020.com
Sound alongside
If you wish to hear the audio
for these slides, you can watch
the webinar for FREE via the
link on the last slide.
Navigating
Chaos
The more we study the major problems of our time, the
more we come to realise that they cannot be
understood in isolation. They are systemic problems,
which means that they are interconnected and
interdependent.
- Physicist Fritjof Capra
The Chaos of Compliance
Interconnectedness
Realize that everything connects to everything else.
Leonardo da Vinci
Compliance in Transition: to Greater Accountability
One [REGULATION] to rule them all, One [REGULATION] to find
them [RISK, COMPLIANCE, CONTROL], One [REGULATION] to
bring them all, and in the [ENFORCEMENT] bind them.
Accountability Regulations
Chicken is Responsible for Your Breakfast, the Pig is Committed & Accountable
UK SMCR is About Integrity
UK SMCR Having a Global Impact
Ireland
Australia
Singapore
Hong Kong
United Kingdom
Accountability is the Focus
Senior Managers
Senior Managers can be held accountable for
misconduct that falls within their area of responsibility
Individuals
Individuals at all levels can be held to
appropriate standards of conduct
The focus is to improve
‘genuine’ accountability
by removing ambiguity
and clarifying individual
responsibilities. The FCA
requires genuine
engagement.
• Executive Roles
• Oversight (non-executive)
• GRC/Lines of Defence & Control Roles
• Others . . .
• Material risk takers
• Significant management
• Customer facing roles
• Line managers of certified people
• Others . . .
Scope of Accountability
Certified Employees
• Annual certification as fit and proper
by the firm
• Certification regime overseen by a
Senior Manager
• Regulatory references
• Subject to conduct rules
Senior Management
• Pre-approved by regulators and
subject to fit and proper assessment
by the firm (done annually)
• Subject to conduct rules
• Statements of responsibilities
• Criminal records checks
• Regulatory references
All Other Staff
• Subject to conduct rules
• Except for ancillary staff
Management Responsibilities Statements & Map
• Statements of Responsibilities record
relevant prescribed responsibilities, with a
summary of these on Responsibility Maps
• Management & governance
arrangements
• Senior management and their
responsibilities
• Reporting lines
• Allocation of responsibilities
• How management and governance
arrangements fit within the group
Conduct Rules
Individual Conduct Rules
• You must act with integrity
• You must act with due skill, care and
diligence
• You must be open and cooperative with the
FCA, the PRA and other regulators
• You must pay due regard to the interests of
customers and treat them fairly
• You must observe proper standards of market
conduct
Senior Management Conduct Rules
• You must take reasonable steps to ensure
that the business of the firm for which you are
responsible is controlled effectively
• You must take reasonable steps to ensure
that the business of the firm for which you are
responsible complies with the relevant
requirements and standards of the regulatory
system
• You must take reasonable steps to ensure
that any delegation of your responsibilities is
to an appropriate person and that you
oversee this effectively
• You must disclose appropriately any
information of which the FCA or PRA would
reasonably expect notice
Exposure if . . .
• Misconduct was deliberate
• Standard of conduct was below that which would be reasonable
The Organization Has to be Able to See . . .
• The Tree. The individual area of Risk & Compliance
• The Forest. The interconnectedness of Risk &
Compliance
Inevitability of Failure: Too Many Documents & Manual Approaches
UK SMCR: a Top Down Approach
UK SMCR Management Strategy
UK SMCR Management Technology
UK SMCR Management Information
UK SMCR Management Process
UK SMCR Technology Provides Automation and Tracking
• COLLABORATION
• AUDIT TRAIL
• ENFORCEMENT
• MANAGEMENT REPORTING
• WORKFLOW & TASKS
Defensible UK SMCR Compliance
• VERSION (DATE/TIME)
• ASK & RESOLVE QUESTIONS
• MANAGE EXCEPTIONS
• UNDERSTAND CONTEXT
• PROVIDE AUDITABLE RECORDS
• DEMONSTRATE SEQUENCE
• MEET REQUIREMENTS
• REPEATABLE CYCLE
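Of the items on this slide, "version (date/time)", "provide auditable records" and "demonstrate sequence" are the ones a security engineer would want enforced by the record format itself rather than by process discipline. The following is an added example, not code from GRC 20/20 or SureCloud: an append-only log of conduct-rule attestations in which every entry commits to the SHA-256 hash of the previous entry, so a back-dated edit, a deleted record or a reordering of records breaks verification at the first affected entry. The record fields, the role labels and the chaining scheme are assumptions chosen for illustration; the attestation data is constructed.

```python
"""Hash-chained attestation log: tamper-evident, versioned, sequenced records.

Added example, not GRC 20/20 or SureCloud code. Record fields and the
SHA-256 chaining scheme are assumptions chosen for illustration.
"""
import hashlib
import json
from typing import Optional, Tuple

GENESIS_HASH = "0" * 64  # anchor that the first record links to


def _canonical(record: dict) -> bytes:
    # Sorted keys, no whitespace: the same record always serialises the same
    # way, so a hash mismatch means the content changed, not the formatting.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _link_hash(prev_hash: str, record: dict) -> str:
    # Each entry commits to the previous hash as well as to its own content, so
    # editing, deleting or reordering an earlier entry breaks every later link.
    return hashlib.sha256(prev_hash.encode("ascii") + b"\n" + _canonical(record)).hexdigest()


class AttestationLog:
    """Append-only log of conduct-rule attestations (hypothetical structure)."""

    def __init__(self) -> None:
        self.entries: list = []

    def append(self, person: str, role: str, rule: str, version: str, attested_at: str) -> str:
        record = {
            "seq": len(self.entries) + 1,  # position in the chain: demonstrates sequence
            "person": person,
            "role": role,
            "rule": rule,
            "version": version,           # which version of the rule wording was attested
            "attested_at": attested_at,   # UTC timestamp supplied by the caller
        }
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"record": record, "prev_hash": prev_hash, "hash": _link_hash(prev_hash, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every link. Returns (True, None) or (False, first bad seq)."""
        prev_hash = GENESIS_HASH
        for expected_seq, entry in enumerate(self.entries, start=1):
            record = entry["record"]
            if (record["seq"] != expected_seq
                    or entry["prev_hash"] != prev_hash
                    or _link_hash(prev_hash, record) != entry["hash"]):
                return False, expected_seq
            prev_hash = entry["hash"]
        return True, None

    def latest(self, person: str, rule: str) -> Optional[dict]:
        """Most recent attestation by `person` to `rule`, or None if never attested."""
        for entry in reversed(self.entries):
            record = entry["record"]
            if record["person"] == person and record["rule"] == rule:
                return record
        return None


def build_sample_log() -> AttestationLog:
    """Constructed sample data: three attestations, the third a re-attestation."""
    log = AttestationLog()
    log.append("A. Example", "Senior Manager", "You must act with integrity",
               "v1 (2019-11-01)", "2019-11-11T09:00:00Z")
    log.append("B. Example", "Certified employee",
               "You must pay due regard to the interests of customers and treat them fairly",
               "v1 (2019-11-01)", "2019-11-11T09:05:00Z")
    log.append("A. Example", "Senior Manager", "You must act with integrity",
               "v2 (2019-11-20)", "2019-11-25T10:30:00Z")
    return log


def tamper_demo() -> Tuple[bool, bool, Optional[int]]:
    """Show that a silent edit of an earlier entry is detected at that entry."""
    log = build_sample_log()
    ok_before, _ = log.verify()
    # A back-dated edit of entry 2 made without re-hashing: the kind of change a
    # documents-and-spreadsheets process has no way to detect.
    log.entries[1]["record"]["attested_at"] = "2019-10-01T09:05:00Z"
    ok_after, bad_seq = log.verify()
    return ok_before, ok_after, bad_seq


if __name__ == "__main__":
    print(tamper_demo())  # (True, False, 2)
```

Because each hash covers the previous hash, publishing or escrowing only the latest hash (for example to the regulator or an internal audit function) is enough to later prove that no earlier attestation was altered; the `version` field records which wording of the rule was attested, so a re-attestation after a rule change appends a new record rather than overwriting the old one.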
Components of Agile UK SMCR Technology
• Usability
• Scalability
• Analytics
• Cost of Ownership
• Adaptability
• Process Automation
• Configurability
• Integration
• Future Proof
• Feature/Functionality
Benefits of 360° Contextual Awareness of Compliance
Agile Compliance
• Aware
• Aligned
• Responsive
• Agile
• Resilient
• Efficient
Two Things to Note . . .
Complimentary Inquiry
• Organizations evaluating or considering
GRC solutions are free to ask GRC 20/20
for our understanding and comparison of
solutions in the market to meet your GRC
requirements.
• Inquiries are single focused questions that
can be answered in under 30 minutes.
• Complimentary inquiry is only available to
organizations evaluating or considering
GRC solutions for their internal use.
RFP Development & Support
• GRC 20/20 has an extensive library of RFP
requirements across the range of GRC
capability areas presented in this
presentation.
• GRC 20/20 can be engaged in RFP
development and support projects to
streamline your process, gain perspectives
learned from other organizations, and to
keep solution providers honest in their
responses.
Q&A
How would you recommend approaching SMCR?
Understand the effect on the business, refine requirements/process, look for
flexible technology to support the requirements, then implement SMCR processes
and supporting technology.
What should I do about SMCR if I haven’t done anything yet?
Refine the process; if you require a tool, start basic and develop it
throughout the next 12 months.
How important is the use of technology to support SMCR?
Given the complexity, it would be difficult to manage the ongoing
compliance burden without it: process automation is needed to ensure
people are clear about, and understand, their responsibilities.
Solution Overview
Senior Manager & Certification Regime
Matthew Davies, Product Marketing Director, SureCloud
11th November 2019
Who we are
www.surecloud.com © 2019 SureCloud. All rights reserved.
• GRC cloud-based Software-as-a-Service provider
• 400+ customers across Europe, US &
Asia
• Listed in the Gartner IRM Magic Quadrant
• Offices across UK and US
• GRC solutions, Cyber Security
Services and Risk Advisory
Challenges with SMCR
• How do you know what level of SMCR you
need to comply with?
• How do you document the legal entities
and ensure the relevant staff, at all levels,
clearly understand where responsibility
lies?
• How do you ensure that the relevant staff
review and attest that they understand their SMCR
obligations?
SMCR SureCloud
Document Legal Entities
Document IT Assets
• Document the Information Assets, Infrastructure
and Supporting Assets
• Create the interdependencies between
components
Conduct Risk Assessment
• Document risks and map them to IT Assets
• Select the assessment type and assess the risk
• Document treatment and actions
Manage Controls
• Document/manage controls in the control library
• Create local controls and map them to IT Assets and
Functions
• Conduct simple control tests
Audit Planning and Tracking
SMCR SureCloud Demo
• Document Legal Entities
• Document Roles and Responsibilities
• FIT Assessment
• Attest the Conduct Rules
• Breach Register
• Track and Report on SMCR
Carry on the conversation…
Watch our SMCR Video over on our YouTube channel – SureCloud TV
• Head over to our SMCR products page
• Read our SMCR whitepaper
• Download our SMCR datasheet.
Get in touch
matthew.davies@surecloud.com
The Full Experience
Watch the original
webinar on demand on
BrightTALK for free here