
Grc (V3) Brown Yarberry For Feb 10th Keynote Presentation

Information Week Virtual Trade Show. Topic: Governance, Risk, Compliance. Keynote speech.

  1. Governance, Risk, Compliance: A Luxury Good in Hard Times? (2/10/10)
  2. Why the GRC emphasis in the last 5-10 years? Lots of reasons:
     • Worldwide complexity and specialization. Risk is less “bounded.”
     • Global trend of transparency for both emerging and industrialized nations.
     • The usual suspects (Enron, WorldCom, Madoff, etc.) widely reported; stakeholders demand more accountability.
     • Changing structure of work. Industrial management models do not fit today’s less hierarchical, more distributed structures. Appropriate GRC systems provide flexibility while keeping risk in check.
     • Higher accountability for the Board of Directors.
     • Calls for increased regulation and control spawned by the recession.
  3. Is GRC really a luxury good?
     • Risks don’t decrease in hard times.
     • Cost management is always in style.
     • If there was ever a bad time for a major project to fail, that time is now.
     • Could be a CLM. Auditors are quick to note declines in governance, and they report to the BOD.
     • GRC tools are growing in power and value every day, but “home grown” is better than nothing.
  4. Frameworks & Tools
     • Frameworks: mental constructs, not dependent on time, place or technology. Mostly words.
     • Tools: programs, databases and other artifacts that allow the framework to be realized.
  5. Select the framework(s) that fit. No need to use all of it. Mix & match is OK.
  6. Frameworks often sound like bureaucrat-speak, but when properly implemented, they work.
  7. CobiT: a common IT framework, accepted by the “Big 4” and other auditing firms as a reliable framework. Source: CobiT 4.1, Information Systems Audit and Control Association.
  8. A Plethora of Governance Mechanisms. Source: Information Systems Control Journal, volume 2, 2008, p. 25.
  9. GRC Maturity Model
  10. Match your framework(s) to your IT strategy/architecture, layer by layer.
  11. Match your framework(s) to your IT strategy/architecture, layer by layer. (Diagram; tools named on the slide: network management/monitoring with SolarWinds and WhatsUp Gold; iCIMS Applicant Tracking; Approva; Alert Logic IDS and Log Manager; Oracle; SAP GRC; antivirus with McAfee; SOD reporting using Excel and custom tools; AON Risk Service; email spam filtering with Cisco IronPort, Vamsoft ORF and Barracuda.)
  12. GRC is the glue that keeps the architecture together.
  13. PMO. Source: The Effective CIO, CRC Press.
  14. SDLC: “Post-it” Notes for Governance
  15. Let the SDLC anchor your governance processes for projects.
  16. Risk Models for Projects
  17. Annual risk assessment
  18. PMO challenges
     • Changing the culture.
     • Making projects & progress visible to the right people.
     • Prevents use of “enhanced” numbers by project sponsors with no follow-up.
     • Creates metrics to measure success.
     • Develops structure to force logical rather than emotional estimates.
     • Enforces the methodology.
  19. PMO Dashboard
  20. PMO History
  21. GRC serves IT, general business processes, or both.
  22. GRC focus areas
  23. GRC Packages: Narrow Focus/Vertical Examples
     • Applicant tracking system. The Office of Federal Contract Compliance Programs (OFCCP) can levy fines if hiring practices are not in compliance.
     • Risk tracking (focus on insurance). Feeds from insurance carriers interfaced with fleet information, such as number of miles logged, hours driven, accidents, claims.
  24. GRC packages: a few suggestions
     • GRC touches so many groups that the chances of duplication are high.
     • Make sure your package has hooks for customization (SDK, API, etc.).
     • Decision point: industry-specific or generic package.
  25. GRC package selection is no different from other software: do your due diligence.
  26. GRC Package Examples (two examples shown on the slide)
  27. One-off governance examples (two examples shown on the slide)
  28. Governance using packages augmented with in-house developed tools
     • Reporting and enforcement tightly coupled with real-time events.
     • Controls enforcement, credit risk management analytics, SOD, configuration management, fraud alerts, odd behaviors, hierarchical approvals, etc.
  29. Metrics are the raw fuel of good governance.
  30. WIP
  31. Some examples of improving GRC “on the cheap”
     • Use your accounting system to improve granularity of expenditure reporting.
     • Create as many accounts/sub-accounts as you need.
     • “Chunk” projects for better control.
  32. GRC tools include not only software/consulting from providers but also in-house documents and strategies. You can do a lot with existing resources.
     • Policies and procedures may be tedious. Yet thinking through P&P forces a useful governance discipline.
     • Technical architecture. It can be five pages or five hundred, but you need one. A stable delivery platform requires structure rather than ad hoc decisions in times of stress.
  33. Another in-house example
     • Security turnaround document: send an access rights listing to supervisors and have them send back deletions for employees & contractors who are gone or who no longer need specific access (consider it backup for your primary security process).
  34. Active Management of Contracts
  35. Actively Manage Contracts: a win/win in the long run
     • Note that contracts from large vendors are not necessarily fixed in stone. They will often work with you.
     • Facilitate negotiations by converting draft vendor contracts in PDF format to an editable document. After both sides reach agreement, the final document can be converted to PDF.
     • Set up a repository/tracking system.
     • Centralize hardware/software purchases.
     • Think through the entity name (corporate entity or subsidiary) used in the purchase, as well as “affinity language” or assignments.
     • Insert price lists and price holds if appropriate.
     • Work with your vendor to explicitly address auto-renewals.
     • Include downturn scenarios in the final agreement.
  36. Actively Manage Contracts: work with your vendors to:
     • Build mutually satisfactory caps on maintenance increases.
     • Keep audit clauses reasonable and practical so that your vendor can be assured of compliance but the audit itself is not burdensome.
     • Manage the accuracy of data that drives billing. You owe no more and no less than the contract requires. User name changes and confusion between corporate and subsidiary use of software should be monitored.
     • Specify explicitly the pricing variance between “true up” and unanticipated growth.
  37. Actively manage contracts
     • Routinely include non-disclosure agreements in your contracts (works both ways).
     • Work with the supplier to lay out contract maintenance going forward.
     • Obtain agreement on who owns the code. The decision could go either way, depending on a number of factors.
  38. Some GRC issues are really close to home.
  39. Getting in front of your auditors
     • GRC, including self-audits, lets you know where you stand before the audit.
     • Aside from fraud investigations, IT audits should not be a surprise. Work with IA to separate best practices from essential governance requirements.
  40. Wrap up. In difficult times:
     • Don’t let GRC go.
     • Do your homework (formal analysis) and acquire the tools that fit your business.
     • Think beyond IT: your enterprise needs GRC (both vertical and horizontal) for many activities.
     • Maintain/develop the PMO.
     • Develop an architecture/roadmap.
     • Avoid fragmented/duplicated efforts.
     • Work with your auditors (internal and external).
  41. Thank You. Questions?