Governance, Risk & Compliance - GRC
(Integrated Approach)
16th September 2014
Paul M Simidi

Overview
• Introduction
• GRC component frameworks
• GRC current status
• iGRC & goals
• iGRC models
• iGRC & technology
• Overall iGRC benefits
• Organization experiences
Introduction
Governance
...setting business strategy & objectives, determining risk appetite, establishing culture and values, developing policies and monitoring performance...
Introduction (cont.)
Risk Management
...identifying and assessing risks that may affect the ability to achieve business objectives, applying risk management to obtain competitive advantage, and determining response strategies and control activities...
Introduction (cont.)
Compliance
...operating in accordance with objectives and ensuring adherence to laws and regulations, internal policies & procedures and stakeholder commitments...
GRC Component Frameworks
Governance - Examples
• Control Objectives for Information and Related Technology (COBIT) - a framework that provides guidance for executive management to govern IT within the enterprise. It is an IT governance framework that bridges the gap between control requirements, technical issues and business risks.
• Sarbanes–Oxley Act of 2002 - an Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.
Governance - Examples
• Information Technology Infrastructure Library (ITIL) - the most widely adopted approach to IT Service Management in the world. It is a practical framework for identifying, planning, delivering and supporting IT services to the business.

Risk Management - Examples
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) - a joint initiative dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
Risk Management - Examples
• ISO 31000 - provides principles and generic guidelines on the implementation of risk management. It can be applied to any kind of organization and any risk type, and is not specific to any industry or sector.
• ISO 31000:2009 is intended to be used by a wide range of stakeholders, including:
  • those responsible for implementing risk management;
  • those who need to manage risk for the organization as a whole or within a specific area or activity;
  • those needing to evaluate an organization's practices in managing risk;
  • developers of standards.

Compliance - Examples
• Organizational policies and procedures
• IFRSs
• Legal & regulatory framework in Kenya
• Companies Act
• Capital Markets Authority
• Nairobi Stock Exchange
• Communications Authority of Kenya
• Central Bank regulations
• Public Procurement Act
• Occupational Safety and Health Administration Act 2007 (OSHA)
• etc.
Compliance - Examples
• Basel Standards (I, II and III) – an international standard for banking regulators, developed by the Basel Committee on Banking Supervision to strengthen the regulation, supervision and risk management of the banking sector.
• Total Quality Management (TQM) - management methods used to enhance quality and productivity in business organizations.
GRC Current Status
• Complexity
• Lack of visibility
• Duplication
• Inflexibility
• Vulnerability
• Poor integration
• Increased regulations
• Poor performance
• High costs
• Silos
• Wasted information
• Frauds
• Wasted resources

Public Sector Overview

Private Sector Overview
iGRC Approach
• iGRC - synchronize information and activity across governance, risk management and compliance in order to create efficiency and effective information sharing and reporting, reduce cost and enhance performance.
[Figure: iGRC approach, labelled ERM and ICT]

iGRC Trends
• Large, forward-thinking organizations believe that effective iGRC is a value driver and a source of competitive advantage.
• Organizations that embrace effective iGRC are realizing significant value in the areas of reputation and brand, employee retention and profitability.

iGRC Trends
• Significant improvements in accuracy, decision-making quality and timeliness, and reductions in task redundancies, as organizations move to an integrated iGRC environment.
• Inclusion of iGRC in corporate performance management.
• Increased leverage of technology.
iGRC Goals
1. Awareness
• Changes in the internal & external environment
• Turn data into information that can be analyzed
• Share information
2. Alignment
• Support and inform business objectives
• Strategic consideration of GRC information
3. Responsiveness
• You can't react to something you don't sense
• Greater awareness and understanding of the information that drives decisions and actions

iGRC Goals
4. Agile
• Decisions and actions that are quick, coordinated and well thought out.
• Allow an entity to use risk to its advantage, grasp strategic opportunities and be confident in its ability to stay on course.

iGRC Goals
5. Resilient
• Ability to bounce back from changes in the environment, e.g. threats
• Confidence to rapidly adapt and respond to opportunities
6. Learn
• Get rid of unnecessary duplication, redundancies and misallocation of resources within the GRC capability
iGRC Models
• Example of iGRC - OCEG iGRC
• iGRC - synchronize information and activity across governance, risk management and compliance in order to create efficiency, enable more effective information sharing and reporting, and avoid wasteful overlaps.
[Figure: iGRC model, labelled ERM and ICT]
iGRC – OCEG Model
ORGANIZE AND OVERSEE
O1 – Outcomes and Commitment
O2 – Roles and Responsibilities
O3 – Approach and Accountability
INFORM AND INTEGRATE
I1 – Information Management and Documentation
I2 – Internal and External Communication
I3 – Technology and Infrastructure
ASSESS AND ALIGN
A1 – Risk Identification
A2 – Risk Analysis
A3 – Risk Optimization
PREVENT AND PROMOTE
P1 – Codes of Conduct
P2 – Policies
P3 – Preventive Process Controls
P4 – Awareness and Education
P5 – Human Capital Incentives
P6 – Human Capital Controls
P7 – Stakeholder Relations and Requirements
P8 – Preventive Technology Controls
P9 – Preventive Physical Controls
P10 – Risk Financing/Insurance
DETECT AND DISCERN
D1 – Hotline and Notification
D2 – Inquiry and Survey
D3 – Detective Controls
MONITOR AND MEASURE
M1 – Context Monitoring
M2 – Performance Monitoring and Evaluation
M3 – Systemic Improvement
M4 – Assurance
CONTEXT AND CULTURE
C1 – External Business Context
C2 – Internal Business Context
C3 – Culture
C4 – Values and Objectives
RESPOND AND RESOLVE
R1 – Internal Review and Investigation
R2 – Third-Party Inquiries and Investigations
R3 – Crisis Response and Recovery
R4 – Remediation and Discipline
GRC & Technology Solutions - Examples
Solution | Modules
1. SAP GRC Suite | Process Control; Access Control; Risk Management; Fraud Management; Audit Management
2. ACL GRC packages | Data Analytics; Compliance & Monitoring; Dashboards; Reporting
3. MetricStream GRC Platform | A web-based platform built on J2EE architecture with Governance, Risk, Compliance and Quality programs
Strategic Plan
• Charter
• Mission and vision statement
• Responsibilities
• Performance measurement
• Organization chart
• Human capital
• Financial plan
• Technology plan
• Assurance plan
• Implementation plan
GRC – Universal Outcomes
• Achieve business objectives
• Enhanced organization culture towards GRC
• Increased stakeholder confidence
• Prevent, detect & reduce adversity
• Motivate and inspire desired conduct
• Improve responsiveness & efficiency
• Optimize economic & social value

Why is it working or not working in your organization?
END
Paul Simidi
Tel 0720-739-425
email – paulsimidi@yahoo.com