Mitigating Application Risk Upfront (Without Increased Hair Loss)
Randy Moeller
Randy Moeller - Bio
• Global Records & Information Governance Manager
• 35 years in RIM
• Usual responsibilities (policy, certification, RRS etc.)
• RRS online since 1985
• 70% time on iRisk/IT consulting
P&G
• 93k employees, 60+ countries
• 66 brand lines, 170+ countries
• 9 entrepreneurial businesses
• 10k applications (most with DB)
• Make, pack, ship - #1 daily job
Governance in P&G – brief history
• 2008 – First Team; Ethics, RIM, Information Security
• 2009 – Launched combined training, saved 80k hrs. of work
• 2010 – Governance, Risk & Compliance formed
• RIM included in Business Conduct
• 2013 – iRisk launched (application compliance review)
• 2015 – iRisk2 launched (self assessment added)
• 2018 – iRisk3 launched (concierge service added)
iRisk?
• Application risk review/mitigate process
• Built on RSA’s Archer platform
• Use of workflow stages
• Upfront Concierge Service
• Questionnaire determines compliance groups
• Enterprise Architecture & InfoSec next
• Rest of compliance groups
Why? Data wreck.
Security not properly designed
Use of ‘free’ apps
Questionable cloud/SaaS sites
Piles of useless information
Bleeding information = money
Compliance Groups
• Employee Relations
• Global Security
• IT Continuity
• Labor Relations
• Network Capacity
• Privacy
• Germany IT
• Payment Card
• Rec & Info Governance
• Reg Computer Validation
• Tax
• 3rd Party Risk Management
• Legal/IP
Create Assessment
Title, geography, etc.
MEGA – application about applications
- Regulated
- PII
- Sox
- Vendor
- Business impact assessment
- Data classification
Concierge
Architecture & InfoSec
Records & Information Governance
• Database Name
• System or Application Name
• Type of Data
• Legal Entities
• Data Age Range
• Record Series & Record Name
• Company official or copy records
• Retention time
• Records Review & Disposal Process: Auto, Semi-auto, Manual
• Outline disposal logic to identify records to be destroyed
• Title of document that contains the Record Review & Disposal process
• Downstream system(s) that receive feeds from this application
• Upstream system(s) that send data to this application
Compliance Area
Status
Awaiting Review = items in my inbox to review
The remaining statuses cover reviews that will happen, have happened, and will happen again
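The deck describes the iRisk flow in pieces: the questionnaire on the Create Assessment slide selects the compliance groups, the Concierge and then Architecture & InfoSec review first, the remaining groups follow, each group sees "Awaiting Review" in its inbox, and no funding is released until iRisk is complete. The following Python model, added here as an illustration and not code from P&G, iRisk or RSA Archer, ties those pieces together. Which questionnaire answer triggers which compliance group is not stated in the deck, so the `ROUTING`, `GEOGRAPHY_ROUTING` and `ALWAYS` tables below are assumptions, as is the choice to run the trailing compliance groups in parallel rather than one after another.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    NOT_STARTED = "Not Started"
    AWAITING_REVIEW = "Awaiting Review"   # "my inbox to review" on the status slide
    APPROVED = "Approved"


# Hypothetical routing rules (questionnaire flag -> compliance groups).
# The deck only says "questionnaire determines compliance groups"; the
# specific pairings below are assumptions made for this example.
ROUTING = {
    "pii": ["Privacy"],
    "payment_card": ["Payment Card"],
    "vendor": ["3rd Party Risk Management"],
    "regulated": ["Reg Computer Validation"],
    "high_business_impact": ["IT Continuity"],
}
GEOGRAPHY_ROUTING = {"Germany": ["Germany IT"]}   # assumption
ALWAYS = ["Rec & Info Governance"]                 # assumption: every app keeps records


def route(answers: dict, geography: str) -> list:
    """Return the compliance groups an assessment must pass, in a stable order."""
    groups = list(ALWAYS)
    for flag, targets in ROUTING.items():
        if answers.get(flag):
            groups += [g for g in targets if g not in groups]
    groups += [g for g in GEOGRAPHY_ROUTING.get(geography, []) if g not in groups]
    return groups


@dataclass
class Assessment:
    title: str
    geography: str
    answers: dict                      # constructed questionnaire answers
    phases: list = field(default_factory=list)
    status: dict = field(default_factory=dict)

    def __post_init__(self):
        # Stage order from the deck: Concierge, then Architecture & InfoSec,
        # then the rest of the compliance groups (modelled here as one parallel phase).
        self.phases = [["Concierge"], ["Architecture & InfoSec"], route(self.answers, self.geography)]
        self.status = {g: Status.NOT_STARTED for phase in self.phases for g in phase}
        self._open(0)

    def _open(self, index: int) -> None:
        for group in self.phases[index]:
            self.status[group] = Status.AWAITING_REVIEW

    def current_phase(self):
        """Index of the first phase with an unapproved reviewer, or None when done."""
        for i, phase in enumerate(self.phases):
            if any(self.status[g] != Status.APPROVED for g in phase):
                return i
        return None

    def inbox(self, group: str) -> bool:
        """True when this assessment sits in the given group's 'Awaiting Review' inbox."""
        return self.status.get(group) == Status.AWAITING_REVIEW

    def approve(self, group: str) -> None:
        if not self.inbox(group):
            raise ValueError(f"{group} has nothing awaiting review on '{self.title}'")
        self.status[group] = Status.APPROVED
        nxt = self.current_phase()
        # Open the next phase only once the whole current phase is cleared.
        if nxt is not None and all(self.status[g] == Status.NOT_STARTED for g in self.phases[nxt]):
            self._open(nxt)

    def funding_allowed(self) -> bool:
        """The hook from the deck: no completed iRisk, no further funding."""
        return self.current_phase() is None


if __name__ == "__main__":
    # Constructed sample: a vendor-built app holding PII, deployed in Germany.
    a = Assessment("Coupon portal", "Germany", {"pii": True, "vendor": True})
    for group in ["Concierge", "Architecture & InfoSec"] + a.phases[2]:
        a.approve(group)
    print(a.phases[2], a.funding_allowed())
```

The model makes the gate explicit: `funding_allowed()` is false until every routed group has approved, and a group cannot approve out of turn because its status is still "Not Started" rather than "Awaiting Review".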
The hook?
Incorporated into two development processes
• SIMPL – Standard development process for projects not led by IT
• IT Stewardship Checklist – Used by IT when they lead a project
No iRisk = no further funding
Internal Audit ding
The Good
• Apps are compliant
• Process flow is right
• Concierge
• No fixed meetings with unprepared folks
• Architecture and InfoSec consulting
• Reminder emails to assessment owners
• Past assessments as a foundation
The Bad
• Concierge, Architecture & InfoSec staff availability
• No fixed meeting with well-prepared folks
• More investigating, questions
• Email intensive
• No automated ‘on hold’ process
• Reporting needs work
The Ugly
• Be careful of what you ask for
• 2015/16 – 479 assessments
• 2017/18 – 750 assessments
• 30-60% first-time users
• The lazy few
Starting Point
• Don’t have $$$?
• See posted Excel file
Thank You
• Randy Moeller
• moeller.rj@pg.com
• @RJMrim – Twitter
• www.linkedin.com/in/rjmpg