Highlight the top trending security issues and guide GRC professionals in implementing data analytics and risk modelling to enhance GRC activities by choosing the right GRC technologies.
2. Agenda
• Organisational Overview
• GRC and Security Challenges
• SAP GRC vs. SAS GRC
• How to choose a GRC Platform?
• How to implement GRC Platform?
• Summary
4. Organisational Overview
• Eskom is a South African electricity public utility, established in 1923 as the Electricity Supply Commission (ESC) by the government of the Union of South Africa in terms of the Electricity Act (1922).
• Eskom operates a number of notable power stations, ranging from coal, gas and renewable plants to a nuclear power plant.
• The company is divided into Generation, Transmission and Distribution divisions; together they generate approximately 95% of the electricity used in South Africa.
8. GRC and Security Challenges
Challenges
• Regulation (e.g. NERSA, SABA, HPSA, NCR)
• Legislation (e.g. FICA, PoPI)
• Technology Models (e.g. IoT, Cloud Services)
• Business Models (e.g. Industry 4.0)
13. SAP GRC vs. SAS GRC
• SAS Enterprise GRC Features
– Conduct audits
– Manage policies
– Conduct risk and control assessments
– Test controls
– Investigate incidents
– Create and track issues and develop action plans
– Scenario analysis
14. SAP GRC vs. SAS GRC
SAP Strengths
1. Integration of Risk and Performance Management
2. Integration with other SAP Modules
3. Advanced Data Analytics
SAS Strengths
1. Clear understanding of C-Suite needs
2. Great Reporting
3. Financial and Utility Capabilities
SAP Cautions
1. Pricing Model
2. Customer Experience Satisfaction
3. Extensive Configurations
SAS Cautions
1. Challenging Configuration
2. Minimal Expectations
3. Long Implementation Times
16. How to choose a GRC Platform
• The governance, risk and compliance (GRC) software market has evolved and segmented.
• Risk management solutions and related processes are typically focused on individual functions across an organization, which inhibits collaboration and understanding of risk at an enterprise level.
• Many organizations employ a "technology-first" mindset when trying to solve their most pressing risk management challenges.
17. How to choose a GRC Platform
• Organizations require features and functions in their GRC platform to support multiple risk management and compliance use cases, specifically in the following functional categories:
– Architecture
– Reporting
– Administration
– Risk management
– Incident management
– Compliance and policy management
– Regulatory intelligence and change management
– Audit management
– Etc.
18. How to choose a GRC Platform
Example of High Level Use Cases
• Basel II/III
• Business continuity management
• Corporate compliance management and oversight
• Environmental, health and safety (EH&S) and sustainability
• Enterprise risk management
• Ethics compliance
• Cyber risk management
• Foreign Corrupt Practices Act
• Internal audit
• IT risk management
• Privacy compliance
• Project risk management
• Security risk and compliance oversight
• Third-party risk management
19. How to choose a GRC Platform
Gartner Integrated Risk Management Solutions
• Corporate Compliance and Oversight
• Enterprise Legal Management
• Audit Management
• IT Risk Management
• Business Continuity Management Planning
• IT Vendor Risk Management
• Operational Risk Management
20. How to choose a GRC Platform
Gartner IRMS Research and Related Key Stakeholder Roles (figure)
Integrated Risk Management Solution areas:
• Business Continuity Management Planning
• Critical Capabilities for Operational Risk Management
• IT Vendor Risk Management
• IT Risk Management
• Audit Management
• Corporate Compliance and Oversight
• Enterprise Legal Management
Related key stakeholder roles:
• Chief Information Security Officer
• Chief Operating Officer
• Chief Risk Officer
• Chief Compliance Officer
• Chief Audit Executive
• Chief Legal Officer / General Counsel
• Chief Information Officer
• Chief Procurement Officer
• Chief Financial Officer
21. How to choose a GRC Platform
The Global Risks Report 2017 - 12th Edition (The Risks-Trends Interconnections Map)
22. How to choose a GRC Platform
Selection filters:
• Business Relevance Filter
• Technology Filter
• Economic Filter
• POV Filter
24. How to implement GRC Platform
• The key to the success of a GRC solution deployment continues to be the existence of clear requirements from management and well-defined processes.
• The most successful GRC platform deployments automate and improve existing, well-defined practices, rather than trying to define GRC practices around a tool.
25. How to implement GRC Platform
• Poor planning, not technical issues, is the root cause of most deployment failures. Deployment failures are most often the result of poorly defined requirements or unrealistic timelines, not of technical problems with tools.
• GRC solution selections are often heavily influenced by features that are never fully utilized. Solutions in this space often present long lists of features, but the resource requirements to implement and operationalize these features often fall outside the enterprise's appetite.
• Enterprises often underestimate the initial and ongoing resource requirements for using policy management to map policy, controls and compliance requirements. Enterprises should ensure that they have a durable business case that justifies the necessary investment.
• For GRC processes and their results to be relied upon by executives, auditors and examiners, they must inspire confidence.
26. How to implement GRC Platform
Mapping the Solution Path to the Typical Stages and Milestones of IRMS (figure; dimensions: Time, Skills, Value)
1. Identify the requirements and processes
2. Select and prioritise use cases
3. Test the identified IRMS module
4. Stabilise infrastructure to access and analyse
5. Deploy the selected module(s)
6. Enable the enterprise IRMS awareness
28. Summary
Top Reasons for GRC Platform Failures
Strategy
• Failure to deliver business value
• Improper use case selection
• Organisational inertia
Risks
• Identifying the wrong risks
• Using unreliable data
• Misunderstanding the nuances of risk models
Skills
• Lack of skills
• Inability to address adjacent technologies
30. Summary
• Enterprises should invest time and energy in clearly defining the goals, objectives, measurements of success and practices for IT GRC prior to pursuing the selection and deployment of these solutions. Once a goal state is clearly defined, enterprises can choose from a number of available solutions.
• Ensure that the business case has been made not just for purchasing a solution, but also for the investments required to utilize and maintain it. GRC solutions are frequently purchased as part of a push to address particular audit, compliance or regulatory concerns, and then they languish, underutilized, or become shelfware. Secure a commitment not just to acquire capabilities, but also to implement and maintain the solution. Careful consideration must also be given to how ongoing maintenance will be staffed.
• GRC itself is a set of processes and practices that aims to manage the risks of the business's use of IT, and of IT itself. Enterprises can purchase solutions to automate or improve IT GRC, but the actual work of governing, managing risk and addressing compliance requirements requires the enterprise to establish policies, procedures, practices, organizational structures and management expectations.