The document discusses key questions regarding integrated governance, risk management, and compliance (GRC). It begins by explaining that GRC means different things and considers the value of an integrated approach. An integrated GRC program can provide improved transparency, efficiency, and decision-making. However, there are also barriers like high costs and lack of a common framework. The document provides practical steps for organizations to achieve an integrated GRC approach, including building a business case, establishing a GRC committee, developing a unified risk framework, and establishing centralized oversight and reporting. The goal is to continuously improve GRC integration over time to optimize processes and better manage risks.
Governance, Risk, and Compliance ServicesCapgemini
Capgemini’s integrated and centralized approach to Governance, Risk, and Compliance (GRC) breaks through traditional functional silos to deliver effective enterprise risk management and compliance as a continuous process. We help organizations manage a range of enterprise risks in the areas of IT, finance and accounting, operations, and regulatory compliance with flexible solutions comprised of a highly qualified CPA and CISA talent pool, innovative tools, and our unique collection of GPM best practice processes and controls.
The presentation sheds light on the concept of GRC (Governance, Risk and Compliance). Features associated to GRC, such as - its history, its impact on businesses, types etc are covered here.
Here is the list of the topics covered:
1. How was GRC developed?
2. What exactly is GRC?
3. The role of GRC in ISMS
4. Impact of GRC
5. Types of GRC
6. The role IT-GRC in IT-RMC
7. IT-GRC Foundation
8. Why to deploy IT-GRC Management System?
The presentation unifies business value creation and preservation objectives within one framework suitable for use by, and accessible to, all departments of all organizations in all industry sectors. GRC still focuses too much on preserving trust and social capital and not enough on developing them. The entire premise of OCEG's GRC initiative is too narrowly focused and is therefore incomplete. To use a sports analogy, you can't win a football game with defense alone. Offensive business practices develop trust and build social capital, encourage risk taking, facilitate collaboration, and stimulate innovation. These elements remain inadequately addressed by the GRC approach to achieving its Principled Performance objectives.
What is GRC – Governance, Risk and Compliance BOC Group
A simple guide to learn what Governance, Risk and Compliance (GRC) is all about, why it’s important and how you can use it to help drive enterprise objectives.
For more information visit: https://www.boc-group.com/governance-risk-and-compliance/
Governance Risk and Compliance - in Higher Education - AustraliaMarissa McCauley
This is a short presentation on governance, risk and compliance in the higher education industry. It also highlights key TEQSA threshold standards expectations from higher education providers.
Governance, Risk, and Compliance ServicesCapgemini
Capgemini’s integrated and centralized approach to Governance, Risk, and Compliance (GRC) breaks through traditional functional silos to deliver effective enterprise risk management and compliance as a continuous process. We help organizations manage a range of enterprise risks in the areas of IT, finance and accounting, operations, and regulatory compliance with flexible solutions comprised of a highly qualified CPA and CISA talent pool, innovative tools, and our unique collection of GPM best practice processes and controls.
The presentation sheds light on the concept of GRC (Governance, Risk and Compliance). Features associated to GRC, such as - its history, its impact on businesses, types etc are covered here.
Here is the list of the topics covered:
1. How was GRC developed?
2. What exactly is GRC?
3. The role of GRC in ISMS
4. Impact of GRC
5. Types of GRC
6. The role IT-GRC in IT-RMC
7. IT-GRC Foundation
8. Why to deploy IT-GRC Management System?
The presentation unifies business value creation and preservation objectives within one framework suitable for use by, and accessible to, all departments of all organizations in all industry sectors. GRC still focuses too much on preserving trust and social capital and not enough on developing them. The entire premise of OCEG's GRC initiative is too narrowly focused and is therefore incomplete. To use a sports analogy, you can't win a football game with defense alone. Offensive business practices develop trust and build social capital, encourage risk taking, facilitate collaboration, and stimulate innovation. These elements remain inadequately addressed by the GRC approach to achieving its Principled Performance objectives.
What is GRC – Governance, Risk and Compliance BOC Group
A simple guide to learn what Governance, Risk and Compliance (GRC) is all about, why it’s important and how you can use it to help drive enterprise objectives.
For more information visit: https://www.boc-group.com/governance-risk-and-compliance/
Governance Risk and Compliance - in Higher Education - AustraliaMarissa McCauley
This is a short presentation on governance, risk and compliance in the higher education industry. It also highlights key TEQSA threshold standards expectations from higher education providers.
Building control efficiency: Rationalization, optimization and redesign Vladimir Matviychuk
Increased government reporting requirements have forced those responsible for internal controls to do more. The global recession has required them to do more with less. While regulators press for accountability, investors press for performance. Now, those responsible for internal controls must now take charge by assessing their processes and tools, and execute on efforts to make them as efficient – and effective – as possible. Those able to optimize their controls will be more able to move past compliance toward improved performance and competitive advantage.
eGRC is a rapidly evolving business capability that uses processes and tools to combine:
- Compliance programs that measure control effectiveness,
- Risk management programs that categorize and prioritize risks, and
- Governance programs that identify, monitor and manage remediation of those risks.
A corporation must have social acceptance to survive and grow.
The society’s expectations change through:
1.- Changing population mix.
2.- Changing values and orientations.
Business performance changes through
1.-Economic, competitive, and structural conditions.
2.- Regulatory constraints.
3.- Futuristic, Long Term orientation.
4.- Leadership style
This paper is a primer on the RSA GRC Reference Architecture, a visual representation of the GRC framework needed within an organization to meet today's governance, risk, and compliance needs. The architecture provides a starting vision of how an organization should view GRC, its guiding principles, and its final objectives.
Governance risk compliance framework by Isorobot,
GRC Framework presentation.
Ensure Reduced Risk and Excellent Compliance with Better Governance
what is GRC?
Building control efficiency: Rationalization, optimization and redesign Vladimir Matviychuk
Increased government reporting requirements have forced those responsible for internal controls to do more. The global recession has required them to do more with less. While regulators press for accountability, investors press for performance. Now, those responsible for internal controls must now take charge by assessing their processes and tools, and execute on efforts to make them as efficient – and effective – as possible. Those able to optimize their controls will be more able to move past compliance toward improved performance and competitive advantage.
eGRC is a rapidly evolving business capability that uses processes and tools to combine:
- Compliance programs that measure control effectiveness,
- Risk management programs that categorize and prioritize risks, and
- Governance programs that identify, monitor and manage remediation of those risks.
A corporation must have social acceptance to survive and grow.
The society’s expectations change through:
1.- Changing population mix.
2.- Changing values and orientations.
Business performance changes through
1.-Economic, competitive, and structural conditions.
2.- Regulatory constraints.
3.- Futuristic, Long Term orientation.
4.- Leadership style
This paper is a primer on the RSA GRC Reference Architecture, a visual representation of the GRC framework needed within an organization to meet today's governance, risk, and compliance needs. The architecture provides a starting vision of how an organization should view GRC, its guiding principles, and its final objectives.
Governance risk compliance framework by Isorobot,
GRC Framework presentation.
Ensure Reduced Risk and Excellent Compliance with Better Governance
what is GRC?
13 Top GRC Tools for an Integrated Governance, Risk and Compliance StrategyQuekelsBaro
Integrate business governance, risk, and compliance control using these top 13 GRC tools. Lower business costs, collaborate and meet compliance mandates.
138
مبادرة
#تواصل_تطوير
المحاضرة ال 138 من المبادرة
دكتور مهندس / أكرم حسن
استاذ إدارة المشاريع
بعنوان
"أنظمة الرقابة المؤسسية المتكاملة
Governance, Risk management and Compliance integrated systems
الإثنين 29 نوفمبر2021
السابعة مساء توقيت القاهرة
الثامنة مساء توقيت مكة المكرمة
وذلك عبر تطبيق زووم من خلال الرابط
https://us02web.zoom.us/meeting/register/tZwofu-sqTspH9a04XXVZe1FIhkVKqbnTSVG
علما ان هناك بث مباشر للمحاضرة على القنوات الخاصة بجمعية المهندسين المصريين
ونأمل أن نوفق في تقديم ما ينفع المهندس ومهمة الهندسة في عالمنا العربي
والله الموفق
للتواصل مع إدارة المبادرة عبر قناة التليجرام
https://t.me/EEAKSA
ومتابعة المبادرة والبث المباشر عبر نوافذنا المختلفة
رابط اللينكدان والمكتبة الالكترونية
https://www.linkedin.com/company/eeaksa-egyptian-engineers-association/
رابط قناة التويتر
https://twitter.com/eeaksa
رابط قناة الفيسبوك
https://www.facebook.com/EEAKSA
رابط قناة اليوتيوب
https://www.youtube.com/user/EEAchannal
رابط التسجيل العام للمحاضرات
https://forms.gle/vVmw7L187tiATRPw9
ملحوظة : توجد شهادات حضور مجانية لمن يسجل فى رابط التقيم اخر المحاضرة
--
DISUSSION-1RE Chapter 15 Embedding ERM into Strategic Planning.docxmadlynplamondon
DISUSSION-1
RE: Chapter 15: Embedding ERM into Strategic Planning at the City of Edmonton
COLLAPSE
Top of Form
The two strategic processes
The two strategic processes which are tightly connected to ERM in the current scenario of Edmonton City ERM implementation are:
Results based budgeting and Performance measurement.
Results based budgeting (RBB):
ERM helps organizations to allocate the resources based on the requirement for completing the tasks and to produce the desired output. The RBB assists to determine the funding allocation requirements which are mandatory to fulfill the strategic objectives of organization. This budget formulation is performed based on predefined objectives such as priority, resource availability and expected results etc. here the expected results represents the desired outputs which organization expects to meet its strategic goals. In simple words the Results-based budgeting is about emphasizing performance and accountability.
Performance measurement:
The continuous performance measurement helps organizations to drive the progress in risk mitigation and it provides insights where additional attention is required. The Key performance indicators (KPIs) can be used to measure the effectiveness of risk management activities. The Performance measurement in ERM sends the list of desired outcomes to RBB and receives list of prioritized programs and costs to ensure ERM works at its full potential (Fraser, J., Simkins, B. J., & Narvaez, K., 2015).
Two criteria’s must be balanced in a successful ERM model
The two criteria are model power and user-friendliness. The powerful model can provide large amount of information and lets the organization to compare the results and risks, effectiveness’ of current program and impact of future initiatives. The user friendliness program helps to easily add information, add new features and easy to understand by the user with simple steps. The user friendliness also includes if needed some unnecessary steps could also be removed without losing model robustness (Fraser, J., Simkins, B. J., & Narvaez, K., 2015).
Thank you
References
Fraser, J., Simkins, B. J., & Narvaez, K. (2015). Implementing enterprise risk management: Case studies and best practices. Hoboken: Wiley.
Bottom of Form
DISCUSSION-2
1. What the other strategic processes are closely tied to ERM?
The strategic processes may have success strategy which is linked to the command of risk and organization understanding. The selection of strategy is an exercise of high-stakes. Approx. 80% of the underperformer may against the industry who have lost their wat over the prior 10 years because of blunder who are strategic and the business and strategy magazine. It may blame on failure on operations errors and the external event or compliance fault.
2. What are three kinds of risks are identified within the city of Edmonton?
There may be three risks which may involve avoidance or risk termination, tolerance or acceptance of ...
=>Concept of Governance
=>Risk and Control (GRC) as applicable to IT operational risk
=>Importance of documentation
=>DATA FLOW DIAGRAM for every application
=>Review of changes in the Data flow, reporting, etc.
=>Parameters for review
=>Importance of review on SLA compliance
=>Reporting to IT Strategy committee, Board etc.
Exploring the Impact of Governance Risk and ComplianceINTERCERT
GRC (Governance Risk and Compliance) is a vital structure in organizations that focuses on assuring business integrity, risk management, and adherence to compliance with the rules and standards. GRC affects all aspects of business operation and governance, with organizations such as INTERCERT playing a crucial role in implementing GRC.
When GRC is done right, the benefits accrue. Organizations that integrate GRC processes and technology across all silos have:
o Reduced costs
o Reduced duplication of activities
o Reduced impact on operations
o Achieved greater information quality
o Achieved ability to gather information quickly and efficiently
o Achieved ability to repeat processes in a consistent manner
GRCM Is a practical experience on risk management or financial control and managerial experiences pre-requisite knowledge in accounting ,auditing ,finance and risk based
Crafting an End-to-End Pharma GRC StrategyCognizant
For pharmaceuticals facing increasing oversight and regulatory constraints, governance, risk management and compliance (GRC) tools are playing a more critical role, sometimes in combination with ERP. We compare Approva Bizights and SAP GRC 10 software tools while offering a framework for choosing a suitable GRC package.
Supplier Relationship Management takes traditional sourcing methods to the next level. While the sourcing process uses Requests for Proposals (RFPs) and templated one-way communications to select suppliers and derive the most upfront value for contracted services or products, SRM uses processes, principles, communications and tools to help companies better manage their existing suppliers within all areas of the company during the entire supplier lifecycle.
SymEx 2015 - Turning Risks Into Results, A Wider Perspective to Understand P...PMI Indonesia Chapter
From Enron and WorldCom to the more recent financial crisis, events of the last decade have fundamentally shifted how organizations think about risk. Companies around the world have made substantial investments in personnel, processes and technology to help mitigate and control business risk. Historically, these risk investments have focused primarily on financial controls and regulatory compliance. However, these investments have often not addressed more strategic business risk areas. As a result, senior executives may not perceive risk management as strategic to the enterprise. Senior executives also may not have sufficient confidence in their ability to identify and address the risks that could impact the financial performance − or even the viability — of their organization. A strategic question presents itself: “Do organizations with more mature risk management practices outperform their peers financially?” Our research and experience tend to suggest “yes!”
In this presentation, Isnaeni Achdiat will also discuss how leading organization with higher maturity in managing risks, gets better return. We will also present the new paradigm of dealing with risks, either it is good or bad risks. We will introduce the concept of "risk that matters" in an organization and discuss approach to mitigate. Furthermore, we will present the linkage between strategic and project risks and how a good risk culture can impact the success of organization managing their risks. By analyzing the relationship between the strategic and project risks, the project professionals can better understand the setting priorities the boards make, and thus can anticipate allocation of resources at the optimum level, for the benefit of the enterprise. Managing project risks, without understanding context and background of the initial strategic decision, will not allow the project professionals to understand why top management put on-hold the project, or keep it running at the right speed.
A New Era of Compliance: Innovations in ServiceNow GRC Aelum Consulting
ServiceNow GRC automates various GRC processes, reducing the manual effort and time required for tasks such as risk assessment, audit management, and compliance reporting. This automation not only saves resources but also enhances the speed and accuracy of GRC activities.
2. Protiviti • integrated GRC • 1
What Does Integrated GRC Mean?
GRC means different things to different people. One perception is that integrated GRC is nothing more than enterprise
risk management (ERM) repackaged by solution providers to drive a new market. Others consider ERM and GRC as
distinct subsets of each other. ERM practices have traditionally focused on strategic, financial and operational risks,
with some emphasis on compliance risks, whereas GRC derives its origins largely from a compliance focus. GRC
practices have evolved over a long period of time, and place greater emphasis on integrating various risk and
compliance functions. The impetus of the argument for an integrated approach to GRC is the lack of transparency in
the performance of these varied risk and compliance silos, which makes them distinctively different from the core
operating processes of the business.
Upon closer review, ERM and GRC differ in terms of their moniker origins and related business practices but are
similar in definition. The similarities in definition are illustrated by comparing Protiviti’s definition of the three
elements comprising GRC to the COSO ERM framework:
Defining GRC as a set of aligned activities is the first step toward integrating the management of multiple risk domains
into a unified program that appropriately shares resources and knowledge to efficiently manage all aspects of GRC.
Once this integration takes place, regulatory compliance is viewed as a risk to be managed, and the compliance
process takes on a broader context (i.e., as a process applied to the internal policies pertaining to all risks).
What is the Value of Integrated GRC?
Is integrated GRC an all-or-nothing proposition? The challenge of integration often relates to cultural boundaries
within an organization rather than conceptual or technical issues. GRC processes are unique in relation to operating
processes. Changing markets and a continuing stream of new laws and regulations spanning decades have driven
an ad hoc and reactionary evolution of new policies and procedures in organizations. Often, internal and exter-
nal pressures result in these changes being completed at such a pace that the “new” policies and procedures are
added onto the existing structure. Ultimately, this ongoing spiral of change has led to complex accountabilities,
COSO ERMGRC
Governance
Risk
Compliance
Internal
Environment
Objective-
Setting
Event
Identification
Risk
Assessment
Risk
Response
Control
Activities
Information
and
Communication
Monitoring
Governance is the process by
which directors and executive
management set overall business
objectives and oversee progress
toward those objectives.
Risk is the extent of uncertainty
around the achievement of business
objectives. Risk management is the
process of identifying, sourcing,
measuring, mitigating and monitoring
risk with the primary objectives of
(a) reducing, to an acceptable level,
performance variability in the pursuit
of opportunities, (b) minimizing
the impact of extreme events and
(c) taking the most prudent risks that
the organization can expect to
manage successfully as it creates
enterprise value.
Compliance is the process that
ensures the entity is adhering
to its internal policies, and that its
policies and procedures established
to comply with applicable laws and
regulations are performing as
intended.
The entity’s internal environment is the foundation for all other
components of ERM, providing discipline and structure.
Within the context of the established mission or vision,
management establishes strategic objectives, selects strategy
and establishes related objectives that cascade through the
enterprise and are aligned with and linked to the strategy.
Management recognizes that uncertainties exist – that they
cannot know with certainty whether and when an event will
occur, or its outcome should it occur. Identifying plausible
scenarios enables management to uncover emerging risks.
Risk assessment allows an entity to consider how potential
events might affect the achievement of its objectives and to
ascertain changes in its risk profile. Management assesses
events from two perspectives: likelihood and impact.
Management identifies risk response options and considers
their effect on event likelihood and impact, in relation to risk
tolerances and costs versus benefits, and designs and imple-
ments response options.
Control activities are the policies and procedures that help
ensure risk responses are properly executed.
Pertinent information – from internal and external sources –
must be identified, captured and communicated in a form and time
frame that enable personnel to carry out their responsibilities.
ERM is monitored – a process that assesses both the presence
and functioning of its components and the quality of their
performance over time.
3. Protiviti • integrated GRC • 2
the growth of silos, inefficient communications, decreasing organizational transparency and so on – all leading
to a higher cost of compliance.
Integrating GRC is about bringing people together to manage toward common goals through common processes
while sharing resources and coordinating plans. Today’s business environment is too dynamic to reach a static
state of integration – as if that is the end game. The goal is to develop a culture that promotes collaboration and
views integrated GRC as a continuously improving process – not an end state. The value returned by integrated
GRC correlates to the organization’s program goals, current maturity, technology capabilities and cost of compli-
ance, as illustrated through the diagram below:
The irony of all of this is that many companies don’t even know their total cost of risk and compliance management.
That is because the management of risk and compliance is not integrated and there is a lack of transparency
when it comes to how the underlying GRC processes are performing. Ultimately, an integrated GRC program
results in improved business performance by facilitating a more effective allocation of assets and resources. To
achieve these results, it is essential to align risk and compliance practices with strategy-setting and performance
management. Yet, value can be achieved all along the GRC program maturity continuum. At the very least, a GRC
program, even one in which various GRC domain groups operate in isolation from one another, should support
efficient and demonstrable compliance with specific legal and regulatory requirements, as well as critical inter-
nal policies. Now, facing the prospect of additional regulations, many companies have the opportunity to take
a fresh look at their risk and compliance coverage and cost structure, and focus on strategies for optimization.
Integrated GRC results in a clearer articulation of objectives, roles, responsibilities and accountabilities, which
leads to more effective risk and compliance process design and improved transparency regarding GRC
Effective allocation of assets/resources
Optimized coverage/cost
structure
Demonstrable
compliance
Correlated GRC Program Maturity
Key GRC Platform Requirements
GRC Program Goal Value
• Competitive advantage
• Optimized performance
• Protection of shareholder value
• Reduction of operational losses and incidents
• Lower cost of total compliance
• Compliance with regulatoryfilings/
public reporting
• Competitive advantage for regulatory and other
government contracts
IT Policy Compliance Group (ITPCG) research:
• 17% higher revenues
• 14% higher profits
• 96% lower financial losses from the loss or
theft of customer data
• 50% less spent on regulatory compliance
annually
• Support of
multiple GRC
frameworks
• Risk-centric
views
• Consolidated
reporting
• Policy-centric
views
• Automated
compliance/
continuous
controls
monitoring
Isolated GRC
domains
Integrated risk
and compliance
practices
Alignment with
strategy and
performance
management
• GL/ERP
alignment
• KPIs/KRIs
• Enterprise
dashboards
4. Protiviti • integrated GRC • 3
performance through effective metrics, measures and monitoring. All of this leads to more effective risk-based
decision-making and an increased ability to anticipate and escalate issues and reduce reaction time.
What are the Barriers to Success?
There are significant barriers to successfully implementing an integrated GRC program. In a survey jointly conducted
by Protiviti and OpRisk & Compliance, the adoption of a common risk language and communication among risk
management teams were cited as the two top key characteristics of an integrated GRC program. Unfortunately, the
lack of a common risk language, or framework, and the required change management to support a coordinated
effort were cited as the number two and three key barriers to successfully implementing an integrated program. Not
surprisingly, given the organizational change required to initiate the process, the number one barrier to integrating
GRC practices cited by risk managers is the perceived high implementation cost with a lack of demonstrable ROI.
What are Practical Steps to Achieving Value?
Given the barriers to success, the journey toward integrated GRC must begin with a business case. A GRC com-
mittee with strong executive oversight and representation from multiple stakeholder groups is necessary to
coordinate efforts. With the value understood and a change mechanism in place, the committee can begin the
task of developing a unified risk framework. Ultimately, the effort should produce a consolidated reporting
package that can be used for management decision-making and continuous process improvement. Before delv-
ing into key considerations related to the above steps, several key themes should be noted:
Accommodate differences among GRC stakeholder requirements to break down barriers. For example, we•
believe that integrated GRC should be bifurcated into two distinct areas: (1) integrating risk management
with strategy-setting and performance management and (2) integrated compliance. The reason for this bifur-
cation is that the constituencies for implementing each of the two areas are different in most organizations.
Key Characteristics of an Integrated GRC Program
Adoption of Common Risk
Language
Communication Among Risk
Management Teams
Centralized Risk and
Compliance Oversight
Utilization of a Single GRC
Platform
Consolidation of Risk Metrics
from Business Systems
0% 20% 40% 60% 80% 100%
0% 20% 40% 60% 80% 100%
Key Barriers to Successfully Integrating GRC Practices
High Implementation Cost with
Lack of Demonstrable ROI
Lack of a Single Vision and
Common Risk Language
Required Change Management
to Support Coordination
Lack of Adequate Technology
Solutions
5. Protiviti • integrated GRC • 4
Keep the integration process simple to achieve the appropriate breadth of risk and process coverage.•
Specific areas can be drilled into further, based on the initial results and management’s prioritization.
Enable the effort through GRC technology that deploys the enterprise’s common language, facilitates•
collaboration among people in different silos and drives processes for integrating information for deci-
sion-making. The credibility of the integration process increases when decision-makers have just one
version of the truth to work with, which is made possible through a single, originating source for specific
data elements.
Build a Business Case
There is a growing body of research that suggests integrated GRC efforts drive real value, especially as it pertains
to optimizing risk and compliance coverage and the underlying cost structure. However, there are no benchmarks,
statistics or vision statements that compel a CEO, much less an entire organization, to embark on the journey
without understanding what benefits the organization will specifically derive. Development of the business case
starts with defining goals that correlate to the desired level of program maturity and articulate the economic
justification for moving forward. The steps for achieving value outlined in this paper focus on organizations
seeking to optimize their coverage and cost structure.
The first step is to assess the current coverage by establishing a complete GRC process universe, performing
an enterprise risk assessment, and identifying gaps or overlaps. The business’s core mission and related strategies
drive the business structure inclusive of its offerings, geographic footprint and legal entities, as well as the crit-
ical business processes and systems required to support the business model. Risks spanning strategic,
operational, financial and compliance objectives originate within these structures, processes and systems.
While events related to strategic risks often lead to significant reductions in shareholder value, it is important
to note that often any one of these risks can have a deep impact upon the business if the risk impairs the orga-
nization’s ability to execute its strategy successfully. That is why the essential activity in building a business case
is in performing an initial enterprise risk assessment to determine where there are gaps, overlaps or over-
weighting in any of the risk areas described above.
The results of the assessment should be the identification of the most critical risks inherent in the business
strategy, as well as the consideration of such risks in establishing the key metrics and targets that drive the
business. In addition, there is a value proposition around developing recommendations for efficiency or opti-
mization to address the identified overlaps. While quantifying the value of reducing gaps in coverage and related
financial exposure may require more in-depth analysis, these initial steps begin the process of integrating GRC
activities and, most important, help management learn what it does not know. Finally, communication should not
be limited to executive management. Development of a campaign to support the integration effort is vital to
socializing the new program among key stakeholders. Needless to say, leadership from the top is a must for any
campaign to get off the ground.
Establish a GRC Committee
A GRC committee should be established to promote change and coordinate planning efforts. It is important to
recognize that the beneficiaries of integrated GRC are often in executive management. Because integration
requires individual silos to grant concessions on portions of their specific methodology to advance the overall
effort, executive sponsorship is critical to establishing an integrated GRC program.
The GRC committee should strive to reduce the impact on stakeholders. In this regard, it is essential to have a
strong program administrator to facilitate collection, management, analysis and reporting of information.
Finally, the central GRC committee is responsible for coordinating planning efforts. It is important that a matrix
of the entity structure and GRC domain classifications be used as the basis for planning. This combination helps
ensure that the requisite skills are deployed to various areas of the business while reducing the likelihood that
individuals with similar skill sets are duplicating efforts to, in effect, solve the same problem.
Develop a Unified Risk Framework
Next, the organization should develop a consolidating risk framework consisting of an agreed-upon GRC
universe, inclusive of GRC contexts and a meaningful assessment model. The GL/entity reporting structure
6. Protiviti • integrated GRC • 5
should form the basis of the GRC universe to ensure relevance with respect to management’s strategic and other
business objectives.
While it is important to agree upon the core entity structure to coordinate planning and ongoing rationalization
efforts, compromises can be made in order to develop a set of inclusive GRC contexts. Defining the appropriate
GRC contexts is how the GRC committee defines the scope of the integration effort. For example, a compliance-
focused context (e.g., financial reporting assertions, specific regulatory requirements, etc.), frameworks
promulgated by standards-setting bodies (e.g., ISO, COBIT, etc.) and enterprise risk types all share a common
quality: They are primarily used to categorize specific risks, incidents, events and/or required controls. When
developing a unified risk language, similarities among these different contexts should be mapped so that differ-
ences can be accommodated. The specific risk is owned by the business, not the process owner or business function.
Similar to the way an ERP system rolls up transactions into various reporting structures, risks can be documented
once, tagged to the multiple contexts to which they apply and aggregated into an integrated GRC framework to
support appropriate oversight by various stakeholder groups.
Finally, it is vital to develop techniques to uniformly assess risk across the enterprise. Remember to keep the
process as simple as possible. Several suggestions to consider in developing a uniform assessment model:
Inherent Risk• : Develop an assessment model that accommodates both qualitative (e.g., impact on business
continuity, reputation, human resources, regulatory compliance) and quantitative (e.g., financial loss)
impacts. This model accounts for those types of impacts that are not easily quantifiable, but that could
have a significant impact on the business.
Tolerances• : Attempts to establish tolerable, or target, risk can prove to be an academic exercise unless
management uses specific metrics against established objectives. Traditional models have rated inher-
ent, tolerable and residual risks across a “high, medium, low” scale. This “numerology” assessment is
highly subjective, and its usefulness is questionable since risks are best measured in units-of-measure
that are relevant to them, just as different objectives are measured. An alternative is to employ key risk
indicators that act as a surrogate for the units-of-measure related to different risk types when the vari-
ous risks can be correlated in meaningful ways.
Residual Risk• : Consider a scoring model that implies the action to be taken or required to monitor a particular
risk (e.g., more efforts to quantify, active monitoring, continuous review, periodic review, no further action
required, etc.) versus traditional “high, medium, low” scales. A residual scale that implies an action bias
avoids the subjective assessments of residual value through arbitrary numerology, providing management
and GRC teams with direction on how to improve the management of the risk.
Establish Centralized Oversight and Reporting
Centralized oversight and reporting should be established to aggregate information by GRC context and deliver
a single board-level GRC reporting package. This reporting package should provide a single source of the truth
to executive management, yet be aggregated into different contexts for specific use by individual stakeholder
groups. In this regard, the package supports management’s decision-making with respect to resource allocation
and pursuit of the enterprise’s strategies. It also helps management apply lessons learned across the business,
which results in reduced losses and fewer near misses. Most important, the consolidated package provides a
means for further rationalizing the GRC program, tightening the effort to a core set of activities that can be
“fanned” to manage multiple risk and compliance issues both as they exist today and as they emerge tomorrow.
What Next?
The process of integrating GRC practices is a means rather than an end. Real value can be achieved so long as
all stakeholders work with one another and take practical, measured steps toward integration. Ultimately, the
journey leads to aligning risk management with strategy-setting and enterprise performance management and the
effective integration of compliance activities.