2013 10 31_oceg_webinar 2013

  1. INTEGRATING GRC TECHNOLOGY WITH STANDARDS
     Speakers: Said Tabet, Senior Technologist, EMC; Yuji Furusho, Deputy General Manager, Fujitsu; Masatomo Goto, Manager, Fujitsu
     October 31, 2013, OCEG Webinar Series
  2. Housekeeping
     • Download slides at http://www.oceg.org/event/integrating-grctechnology-with-standards/
     • Answer all 3 polls
     • Certificates of completion (only for OCEG Premium/Enterprise members and All-Access Pass holders)
     • Evaluation survey at the close of the webinar
     • Archive at Recorded Events on the OCEG site
  3. Our Panelists: Said Tabet, Yuji Furusho, Masatomo Goto
  4. Learning Objectives
     • Understand the goals and objectives of the GRC-XML Working Group
     • Understand the core concepts and entities in a GRC technology ecosystem
     • Understand how to apply GRC-XML to both reporting and exchanging GRC information
     • Understand how XBRL technology is used in GRC-XML
  5. Agenda
     • Introduction
     • What is OCEG? GRC and OCEG
     • Overview of the GRC XML Initiative
     • GRC-XML 1.0: where we started
     • GRC-XML 2.0: current state and timeline
     • The OCEG Open Risk Universe
     • GRC-XML Technical Architecture
     • GRC-XML Extensions
     • GRC-XML Taxonomy and Information Model
     • Solvency II, Basel III, CRD IV
     • Summary and Takeaways
  6. What is OCEG?
     OCEG is a nonprofit think tank that helps organizations drive Principled Performance® with a global community of skilled practitioners focused on improving governance, risk management, and compliance (GRC) processes.
     • Framework & Standards – tell us what we should do
       - Technical standards (key systems and integration points)
       - Process standards (key concepts, components and terminology)
       - Developed by experts and publicly vetted to ensure quality
     • Evaluation Criteria & Metrics – tell us how we are doing
       - Tools & technologies to appropriately benchmark
       - Effectiveness & performance evaluation (suitable criteria)
       - Certification of GRC design and implementation
     • Community of Practice – share what everyone else is doing
       - Online education, tools & resources
       - Collaboration with peers in a number of professions
  7. Mission: The Integration of Disciplines
     OCEG brings together disciplines and professions to collaborate and pursue a common mission: to refine and improve GRC and drive Principled Performance®.
     Disciplines shown: Governance, Risk Management, Compliance, Legal, Human Capital Management, Change Management, Ethics Management, Internal Audit, Security, Quality Management, Project Management, Information Technology, Financial and Resource Planning
  8. GRC-XML
  9. Current state…
  10. Overview
      • GRC architecture is predominantly silo-based, making data sharing difficult and error-prone
      • A common language to represent Risks, Controls, Policies, Procedures and Tests of Controls can facilitate discussion, comparison, integration, performance, and interchange
      • We are driving the development of GRC-XML to address this problem
      • GRC-XML is based on XBRL
      • Our goal: enable highly efficient and agile Risk and Control Monitoring systems in a format that is application-neutral and easy to integrate
      OCEG GRC-XML Webinar Series, 2013
  11. The Business Case
      • A common language of risk and control is a prerequisite for effective management of audit, risk, and compliance processes
      • Most organizations currently struggle with a common language of risk and control between their internal GRC silos
      • There is no standard risk and control language for multiple information systems to communicate or pass information
  12. Every GRC System as GRC-XML
      Three systems keep their own field names (in English, Japanese and Spanish); each field maps to the same GRC-XML element, which is what the systems exchange.

      GRC-XML element         System 1         System 2 (Japanese)                     System 3 (Spanish)
      accountMainID           Account#         勘定科目番号 (account number)            Identificador de la Cuenta (account identifier)
      accountMainDescription  Description      勘定科目説明文 (account description)      Descripción Principal de la Cuenta (main account description)
      amount                  Amount           金額 (amount)                           Monto Monetario (monetary amount)
      postingDate             PostDate         転記日付 (posting date)                  Fecha de Asignación/Ingreso (assignment/entry date)
      TOE-Day                 EvaluationDate   評価日 (evaluation date)                 Fecha de evaluación (evaluation date)
  13. GRC-XML 1.0 Taxonomy
      • Based on "INTERNAL CONTROL - INTEGRATED FRAMEWORK - Evaluation Tools", published with permission (AICPA)
      • A “data set” of internal controls, containing Control Objectives, Risks, and (Sample) Control Activities
      • Based on 25 company "Activities"
  14. GRC-XML 1.0 Taxonomy: Activities
      25 activities defined in the COSO Evaluation Tool:
      1. INBOUND
      2. OPERATIONS
      3. OUTBOUND
      4. MARKETING AND SALES
      5. SERVICE
      6. PROCUREMENT
      7. TECHNOLOGY DEVELOPMENT
      8. HUMAN RESOURCES
      9. MANAGE THE ENTERPRISE
      10. MANAGE EXTERNAL RELATIONS
      11. PROVIDE ADMINISTRATIVE SERVICES
      12. MANAGE INFORMATION TECHNOLOGY
      13. MANAGE RISKS
      14. MANAGE LEGAL AFFAIRS
      15. PLAN
      16. PROCESS ACCOUNTS PAYABLE
      17. PROCESS ACCOUNTS RECEIVABLE
      18. PROCESS FUNDS
      19. PROCESS FIXED ASSETS
      20. ANALYZE AND RECONCILE
      21. PROCESS BENEFITS AND RETIREE INFORMATION
      22. PROCESS PAYROLL
      23. PROCESS TAX COMPLIANCE
      24. PROCESS PRODUCT COSTS
      25. PROVIDE FINANCIAL AND MANAGEMENT REPORTING
  15. Taxonomy Definition Link View (diagram linking Activities, Objectives, Risks and Controls). Copyright OCEG 2010
  16. Extensibility
      • Risk frameworks – “plug and play”. What’s your favourite framework? COSO, COBIT, ISO 31000, PCI, AS/NZ 4360, etc.
      • Companies can leverage the “X” to add elements to define their own specific "Activities", "Control Objectives", "Risks", or "Control Activities"
      • Based on these extensions, companies can evaluate their specific controls using a specific format and criteria
  17. Risk Extension Taxonomy (diagram). 30 October 2013; Marcus Spies and Said Tabet, OCEG 2011
  18. Risk Extension Taxonomy: Instance Document View (diagram). 30 October 2013; Marcus Spies and Said Tabet, OCEG 2011
  19. Risk Instance Example
      <?xml version="1.0" encoding="UTF-8"?>
      <xbrli:xbrl xmlns:oceg-risk="http://www.oceg.org/xbrl/risk_control/risk"
                  xmlns:link="http://www.xbrl.org/2003/linkbase"
                  xmlns:iso4217="http://www.xbrl.org/2003/iso4217"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:xbrli="http://www.xbrl.org/2003/instance"
                  xmlns:xlink="http://www.w3.org/1999/xlink">
        <link:schemaRef xlink:type="simple" xlink:href="risk.xsd"/>
        <!-- one context: who the facts are about (entity) and when (instant) -->
        <xbrli:context id="FY2009-4Q">
          <xbrli:entity>
            <xbrli:identifier scheme="risk">oceg</xbrli:identifier>
          </xbrli:entity>
          <xbrli:period>
            <xbrli:instant>2009-12-21</xbrli:instant>
          </xbrli:period>
        </xbrli:context>
        <!-- risk facts, each tied to the context above via contextRef -->
        <oceg-risk:titleOrName contextRef="FY2009-4Q">Improper capitalization of expenses</oceg-risk:titleOrName>
        <oceg-risk:identifier contextRef="FY2009-4Q">R-FIN-0100</oceg-risk:identifier>
        <oceg-risk:status contextRef="FY2009-4Q">In progress</oceg-risk:status>
        <oceg-risk:owner contextRef="FY2009-4Q">CFO</oceg-risk:owner>
        <oceg-risk:likelihood contextRef="FY2009-4Q">Low</oceg-risk:likelihood>
        <oceg-risk:impact contextRef="FY2009-4Q">Serious</oceg-risk:impact>
        <oceg-risk:netControlEffectiveness contextRef="FY2009-4Q">Strong</oceg-risk:netControlEffectiveness>
        <oceg-risk:dateOpened contextRef="FY2009-4Q">2001-01-12</oceg-risk:dateOpened>
        <oceg-risk:activeFlag contextRef="FY2009-4Q">true</oceg-risk:activeFlag>
      </xbrli:xbrl>
  20. CONTROL Instance Example
      <?xml version="1.0" encoding="UTF-8"?>
      <xbrli:xbrl xmlns:oceg-control="http://www.oceg.org/xbrl/risk_control/control"
                  xmlns:link="http://www.xbrl.org/2003/linkbase"
                  xmlns:iso4217="http://www.xbrl.org/2003/iso4217"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:xbrli="http://www.xbrl.org/2003/instance"
                  xmlns:xlink="http://www.w3.org/1999/xlink">
        <link:schemaRef xlink:type="simple" xlink:href="control.xsd"/>
        <xbrli:context id="FY2009-4Q">
          <xbrli:entity>
            <xbrli:identifier scheme="control">oceg</xbrli:identifier>
          </xbrli:entity>
          <xbrli:period>
            <xbrli:instant>2009-12-21</xbrli:instant>
          </xbrli:period>
        </xbrli:context>
        <!-- control facts; state and nature describe the control's test outcome and type -->
        <oceg-control:titleOrName contextRef="FY2009-4Q">Manual Accounting Entry Controls</oceg-control:titleOrName>
        <oceg-control:identifier contextRef="FY2009-4Q">CTA.090</oceg-control:identifier>
        <oceg-control:status contextRef="FY2009-4Q">Active</oceg-control:status>
        <oceg-control:state contextRef="FY2009-4Q">Failed but remediated</oceg-control:state>
        <oceg-control:natureOfControl contextRef="FY2009-4Q">Detective</oceg-control:natureOfControl>
        <oceg-control:owner contextRef="FY2009-4Q">John Jones</oceg-control:owner>
        <oceg-control:dateImplemented contextRef="FY2009-4Q">2001-01-14</oceg-control:dateImplemented>
        <oceg-control:dateLastUpdated contextRef="FY2009-4Q">2001-03-03</oceg-control:dateLastUpdated>
        <oceg-control:externalApprovalFlag contextRef="FY2009-4Q">true</oceg-control:externalApprovalFlag>
        <oceg-control:internalApprovalFlag contextRef="FY2009-4Q">true</oceg-control:internalApprovalFlag>
      </xbrli:xbrl>
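As an added example (not OCEG's or the webinar's code), the Python below reads an instance document shaped like the risk and control examples on slides 19 and 20: it collects the xbrli:context definitions, resolves each fact's contextRef to its context, and reports facts whose contextRef names no context, which is the first check a receiving GRC system should make before trusting a fact's entity and date. The instance it parses is constructed from the slide-19 facts with one deliberately dangling reference, and parse_instance is our own helper name.

```python
# Added example, not OCEG code: read a GRC-XML instance like those on slides 19 and 20.
# Namespaces and fact names come from the slides; the instance below is constructed.
import xml.etree.ElementTree as ET

XBRLI = "http://www.xbrl.org/2003/instance"
LINK = "http://www.xbrl.org/2003/linkbase"
OCEG_RISK = "http://www.oceg.org/xbrl/risk_control/risk"

# Constructed instance: the slide-19 risk facts plus one fact (owner) whose
# contextRef names a context the document never defines.
RISK_INSTANCE = f"""<?xml version="1.0" encoding="UTF-8"?>
<xbrli:xbrl xmlns:xbrli="{XBRLI}" xmlns:link="{LINK}" xmlns:oceg-risk="{OCEG_RISK}"
            xmlns:xlink="http://www.w3.org/1999/xlink">
  <link:schemaRef xlink:type="simple" xlink:href="risk.xsd"/>
  <xbrli:context id="FY2009-4Q">
    <xbrli:entity><xbrli:identifier scheme="risk">oceg</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:instant>2009-12-21</xbrli:instant></xbrli:period>
  </xbrli:context>
  <oceg-risk:titleOrName contextRef="FY2009-4Q">Improper capitalization of expenses</oceg-risk:titleOrName>
  <oceg-risk:identifier contextRef="FY2009-4Q">R-FIN-0100</oceg-risk:identifier>
  <oceg-risk:likelihood contextRef="FY2009-4Q">Low</oceg-risk:likelihood>
  <oceg-risk:impact contextRef="FY2009-4Q">Serious</oceg-risk:impact>
  <oceg-risk:owner contextRef="FY2010-1Q">CFO</oceg-risk:owner>
</xbrli:xbrl>
"""

def parse_instance(xml_text):
    """Return (contexts, facts, dangling) for one XBRL instance document.

    contexts: id -> {"scheme", "entity", "instant"}; facts: context id ->
    {fact local name: value}; dangling: (name, contextRef) pairs whose
    contextRef names no xbrli:context, so the fact is left out of facts.
    """
    # Instances from exchange partners are untrusted input; for those use
    # defusedxml.ElementTree, which offers the same fromstring() call.
    root = ET.fromstring(xml_text.encode("utf-8"))
    contexts = {}
    for ctx in root.iterfind(f"{{{XBRLI}}}context"):
        ident = ctx.find(f"{{{XBRLI}}}entity/{{{XBRLI}}}identifier")
        instant = ctx.find(f"{{{XBRLI}}}period/{{{XBRLI}}}instant")
        contexts[ctx.get("id")] = {
            "scheme": None if ident is None else ident.get("scheme"),
            "entity": None if ident is None else ident.text,
            "instant": None if instant is None else instant.text,
        }
    facts, dangling = {}, []
    for el in root:
        ns, name = el.tag[1:].split("}", 1)  # split "{namespace}local"
        if ns in (XBRLI, LINK):
            continue  # contexts, units and schemaRef are not facts
        ref = el.get("contextRef")
        if ref not in contexts:
            dangling.append((name, ref))
            continue
        facts.setdefault(ref, {})[name] = (el.text or "").strip()
    return contexts, facts, dangling
```

The same function reads the slide-20 control instance unchanged, since it treats every top-level element outside the xbrli and link namespaces as a fact.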
  21. GRC-XML illustrated Scenario (diagram)
      Components: GRC XML Dictionary; Risk & Controls Repository (risk models, controls documentation, organization/process); Controls Testing & Monitoring (test procedures, test results; automated control tests over transactions, configurations and user access; manual control tests via surveys and sampling); GRC Applications & Systems (Enterprise GRC, Operational GRC, IT GRC, etc.). GRC XML Data flows between them.
  22. GRC-XML 2.0
  23. GRC-XML 2.0
      • Support for conversion and versioning between available frameworks (COSO, COBIT, ITIL, PCI, NIST, UCF, Basel2, etc.)
      • Provide guidance and enable tooling and solutions to demonstrate how standard libraries can be integrated and translated to GRC-XML
      • Support tagging and traceability from data level to business/process level and in between
      • Integrate the Open Risk Universe
      • GRC-XML for external reporting: support for Solvency II ORSA and RMORSA reporting
      • GRC-XML for the Cloud: GRC-XML to provide guidance and enable GRC information to be shared and exchanged between providers, end users/consumers, regulators and auditors
  24. GRC-XML Open Risk Universe
  25. ERM – Definition & Process
      ERM is a decision-making process to manage uncertainties and to give policy and resource allocation decisions a defensible basis.
      Corporate level: 1) Corporate policy (risks to manage, risk appetite); 3) Risk integration (heat mapping) & mitigation strategy
      Business unit level: 2) Risk evaluation; 4) Risk mitigation planning/action
  26. ERM Data Flow Summary (diagram)
      • Corporate Policy: risk definition and risk appetite
      • Risk Universe, with a Company Extension: company-specific definition of “significant risks” mapped to risks defined in the Risk Universe
      • Risk Evaluation & Integration: evaluation at each location; definition of corporate-wide risk criteria and tolerance level for each risk defined; integration
      • Risk Mitigation: mitigation planning at each location; mitigation strategy for each risk that exceeds the company’s risk tolerance; monitored KRIs
  27. Summary of Risk/other elements (diagram)
      Elements shown: Risk Category, Risk Criteria, Risk, Risk Tolerance, Risk (extended), Mitigation Strategy, Mitigation Plan, Evaluation (total), Evaluation A and Evaluation B (Location A, Location B), KRIs (automated)
      • Each risk is evaluated according to risk criteria, such as frequency and severity (level 1 to 5, etc.)
      • Each risk is evaluated along with locations, and finally consolidated at the corporate level
      • Mitigation is considered where the risk evaluation exceeds the risk tolerance
      • Automatically captured KRIs may be usable as “evaluation”
  28. OCEG Open Risk Universe (diagram, Copyright OCEG 2012)
      External – Macro Environment: Nature (Natural disaster, Weather, Pandemic); Society (Politics, Social requests, Demographic); Regulations (Change of administration, Legislation, Public policy); Technology (Energy technology innovation, Production innovation, IT innovation, Environment technology innovation); Economics (Cross-border, Cross-sector, Business condition, Price of goods, Price of materials, Market condition (currency, interest rate, etc.))
      External – Micro Environment: Competition, Customers/Consumers, Investors/Lenders, Trading partners, Affiliates, Government
      Internal – Management Oversight: Strategy (Vision/Mission, Competence assessment, Capability/Capacity assessment, Alliance, Merger & acquisition, Planning); Culture (Corporate culture, Ethical behavior, Effectiveness of the board); Governance; Decision Making; Brand Image, Stakeholder relationship, Reputation
      Internal – Process: Quality/Customer satisfaction, Business disruption, Product development, Production capacity, Product/service deficiency, Operation error; Financial (Liquidity, Credit); People/Organization (Labor capability, Labor sincerity, Authority/Limit); Intellectual property; Law violation, Privacy protection, Information control, Social Imperative
      Internal – Reporting: Financial reporting, Tax reporting, Environment conservation, Regulator reporting
      Internal – Technology: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
      Axes: Effectiveness/Efficiency, Reporting, Compliance
  29. Example of Insurance ERM
      Target Risks
      • Quantitative risks: Market Risk (interest rate, stock price, R.E., products, etc.); Credit Risk (debtor, reinsurer, security issuer, etc.); Insurance Risk (underwriting risk, loss reserve risk, etc.); Operational Risk
      • Qualitative risks: Strategy Risk; Reputational Risk; Compliance Risk; Liquidity Risk
      How to integrate the Risk Management Process as well as Risk Reporting…
  30. GRC-XML 2.0 Architecture
  31. GRC-XML 2.0 Information Model
  32. GRC data supply chain (diagram)
      Levels: Line of business → National Service Agency → HQ (Internal Reporting, ERM) → Supervisor → Supervisor for supervisors (External Reporting / Regulation, eSupervision). Syndicate: managing consistency. The amount of information in a report shrinks along the chain: full set of data, then aggregated/summarized data, then further aggregated/summarized data.
  33. GRC for Internal and External Reporting (diagram)
      1. Data definition: GRC-XML data point taxonomy (data point definitions, OCEG and industry-wide), with a company-wide Extension Taxonomy
      2. Data format in the ERM area: an External Reporting Taxonomy toward Regulators; inside a company, an internal reporting taxonomy or schema (system-wide data exchange format) between the ERM Supervision System, System A and System B
  34. Taxonomy Architecture #1
      • GRC-XML data point taxonomy
        - All data points are defined here as dimensions in the taxonomy
        - The various relationships are defined over the definition linkbase with the appropriate arcrole
      • GRC reporting taxonomy
        - Defines reporting bucket elements for each data point
        - Defines supplemental elements for other data: Risk, Control, Objectives, etc.; test score, link to compensation, explanatory information
      • GRC exchange taxonomy (schema)
        - Defines a referencing attribute pointing at each data point in the GRC-XML taxonomy
        - Defines the elements which need to be exchanged among ERM systems
  35. Taxonomy Architecture #2
      Extensibility
      • GRC-XML data point taxonomy: needs to be extensible in a proper manner and understandable for the supervisor
      • GRC reporting taxonomy: a single reporting format is possible, and a single reporting format is enough
      • GRC exchange taxonomy (schema): it does not need to be XBRL; it could be XML
      Harmonization
      • Need to align with other taxonomies? Ex. Solvency II pillars 1, 2 and 3
  36. Physical GRC Taxonomy Structure (diagram of .xsd schemas and their linkbases, labelled L, R, D, P, C, V, F)
      Taxonomies shown: GRC Data Point Taxonomy; GRC Data Point Industry Extension Taxonomies; GRC Data Point Undertaking Extension Taxonomy; Data Point Browsing Entry Point Taxonomy; External Reporting Terms Taxonomy; GRC External Reporting Taxonomy; Internal Exchange Terms Taxonomy; GRC Internal Exchange Taxonomy; Reporting Taxonomy
  37. Taxonomy Owner (Ex. Solvency II) (diagram: the slide 36 structure annotated by taxonomy owner)
  38. Summary and Conclusion
      • Integration
      • Elevation from business units to a top-down approach
      • Integration of different areas: Security risk, IT risk, Financial risk, Operational risk, and others – many areas, one language
      • Visibility across islands of automation
      • Reduction of redundancies and duplications
      • Standardization, simplification
      • Reduced information friction to facilitate (more) continuous monitoring and audit of controls
  39. Thank You!
  40. Questions?
