Enterprise Risk Management - GRC as a practice
•
6 likes•1,296 views
Risk management forms the core of many disciplines: compliance management, business continuity planning and disaster recovery. The key to GRC is knowing how, when, where and just exactly how much to apply. Additionally, Risk Management is a practice that matures and grows within the enterprise - always increasing its ability to respond and build resilience.
Recommended
More Related Content
What's hot
What's hot (9)
Viewers also liked
Viewers also liked (7)
Similar to Enterprise Risk Management - GRC as a practice
Similar to Enterprise Risk Management - GRC as a practice (20)
Recently uploaded
Recently uploaded (19)
Enterprise Risk Management - GRC as a practice
- 1. Enterprise Governance, Risk and Compliance Mapping david.daniel@casewise.com David Daniel Leverage Architecture to Drive Consistent Enterprise GRC Management
- 2. 2 © 2015 Casewise - confidential RISKSHAZARDSEvolution of an event from identification to retrospective Risk Lifecycle LIKELIHOOD OF OCCURANCE awareness controls contingencies recovery preparations OUTCOMES IMPACTSCONSEQUENCES TIME
- 3. 3 © 2015 Casewise - confidential Integrated approach encompasses all areas of the enterprise ThreeTiered Risk Management Tier 1: Organization Governance Tier 2: Business Process Information Flows Tier 3: Information Systems Operational Environment People Process Technology Technical Architecture Process Architecture Business Architecture
- 4. 4 © 2015 Casewise - confidential Risk Awareness
- 5. 5 © 2015 Casewise - confidential You can’t manage what you don’t know Risk Awareness Identify areas of concern – Direct risks – Indirect risks Outline risk objectives – Supports construction of risk appetite model – “Right sizes” risk management practices Establish risk registry – Maintain objective catalog – Establish ownership Implement systematic identification processes – Introduce risk awareness into strategic planning – Benchmark against industry standards – Inject risk mapping into SDLC TOOLING SERVICES workshops SERVICES workshops SERVICES practice building
- 6. 6 © 2015 Casewise - confidential Guiding Information and Information Systems Security Typical Information Security Objectives Confidentiality “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” A loss of confidentiality is the unauthorized disclosure of information. Integrity “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” A loss of integrity is the unauthorized modification or destruction of information. Availability “Ensuring timely and reliable access to and use of information…” A loss of availability is the disruption of access to or use of information or an information system.
- 7. 7 © 2015 Casewise - confidential Risk Controls
- 8. 8 © 2015 Casewise - confidential Understand, implement, govern and monitor controls Risk ManagementControls Framework Categorize Select Implement Assess Authorize Monitor SERVICES practice building TOOLING
- 9. 9 © 2015 Casewise - confidential • Market-centric orientation provides solid business guidance • Fosters full-spectrum analysis of risk and compliance issues • Aligns risk appetite with business goals and objectives • Defines strong governance model to support compliance • Translates risk into business terms that are easily consumable by stakeholders Control the activities that perform the business Controls – Business Architecture P E S T LEGAL ENVIRONMENTAL political economic social technologic
- 10. 10 © 2015 Casewise - confidential Control the processes that operate the business Controls – Process Architecture • Objectively identifies key areas of concern for continuity planning • Builds culture of compliance by overlaying strategic risk and compliance onto day-to-day activities • Fosters innovation through risk awareness and response • Institutionalizes GRC in the fabric of the enterprise
- 11. 11 © 2015 Casewise - confidential Control the systems that support the business Controls –TechnicalArchitecture • Risk management becomes core area of concern for solution development • Supports objective recovery options in day-to-day operations • Facilitates audit/compliance reporting • Translates technical risk into business terms • Defines both functional and non- functional requirements
- 12. 12 © 2015 Casewise - confidential Risk Mitigation and Response
- 13. 13 © 2015 Casewise - confidential Event handling and residual risk must be addressed systematically Mitigation Prepare systematic recovery response to known risk – Reduce – Retain – Avoid – Transfer Map events to contingencies – Develop systematic event response methodologies – Understand how to respond to unforeseen events Understand Residual Risk – Monitor and maintain residual risk register – Provide feedback loop for continuous improvement SERVICES workshops SERVICES practice building SERVICES practice building
- 14. 14 © 2015 Casewise - confidential “Tell me and I forget.Teach me and I remember. Involve me and I learn.” - Benjamin Franklin Continuous Improvement Articulate responses objectively – Construct root cause assessments to determine causes/responses to events Identify KRI (Key Risk Indicators) – Update and Manage a catalog of KRIs – Map new KRIs to risk areas Reduce variability and uncertainty – Each event is a learning environment: monitored, measured, analyzed and communicated to risk management teams Maintain Risk Management Maturity Model – Managed growth of GRC capability in the enterprise SERVICES practice building TOOLING SERVICES practice building SERVICES practice building
- 15. david.daniel@casewise.com David Daniel “If you don’t have the time to do something right, where are you going to find the time to fix it?” - Stephen King