7 grc myths webinar 20110127 final (2)
TRANSCRIPT
The 7 Myths of GRC Initiatives
Today’s Agenda - 35 minutes
About Lightwave Security
Why GRC
GRC Myths
Countering the Myths
Our Solution
About Lightwave Security
Lightwave Security is:
A privately held strategic IT security services company, established in 2006 and comprised of industry veterans
Serving global enterprise, commercial, and government customers
Located in Atlanta, GA with multi-location presence in USA
Focused on Automated IT GRC Solutions and Services
Exclusive distributor of SecureAware® in North America
Learn more at www.lightwavesecurity.com
SecureAware®
SecureAware® is an all-in-one platform for compliance, best practices and security
awareness that incorporates an automated compliance workflow system built in
accordance with ISO international standards.
It currently supports the ISO 2700x, PCI DSS, and COBIT 4.1 frameworks out of the box.
Webinar Series: Effective GRC Management
Part 1: “The 7 Myths of GRC Initiatives”
Today
Part 2: “Defining a Best-In-Class GRC Program”
Thursday, February 10th, 2010 - 1:00 PM
What is GRC?
Manage
Risk exposures
Security practices
Compliance requirements
Satisfy the Auditors
Communicate with Regulators
Aberdeen Group Report
Effective GRC Management: Positioning Your Company for Growth
December 2010
In-depth and comprehensive look into
process, procedure, methodologies, and
technologies with best practice identification
and actionable recommendations.
Download from
http://www.lightwavesecurity.com/grc_report.html
Aberdeen Effective GRC Report
Over 100 companies were surveyed between
November and December 2010:
Guidance on implementing effective Governance,
Risk, and Compliance (GRC) management
Review of capabilities and enabling technologies that
help improve financial and operational control
Identify best practices and current initiatives in
enterprise GRC management
Setting the Stage for GRC
Ongoing corporate consolidations and new
regulatory requirements, amid a recovering
economy, have introduced a series of new liabilities for
organizations
Parent companies continue to be concerned about
management standards across their constituent
companies, operational risks, and the ability to
comply in a dynamic regulatory environment
New Economy Challenges
Today’s companies must comply or be fined /
banned from selling their products in a state or
region
Organizations must closely track and manage their
processes against regulations that vary widely
The global economy necessitates expediting key
processes and mitigating risks
Key Definition - Governance
Method in which executives:
“Conduct” their organizations
Provide clear visibility of management directives to
the staff
Ensure initiatives are properly executed in a timely
manner
Maintain top priorities on the executive's agenda
Understanding GRC Drivers
Internal:
Measure impact of proper governance and risk mitigation
External:
Quantify the impact of tightened regulations
The Executive’s Role
Responsible for:
Identifying liability associated with any business
decision
Performing an accurate risk assessment to formulate
mitigation strategies
Working effectively with government and regulatory
bodies to ensure business compliance
The GRC Challenge
Implementing GRC management can significantly
improve operational and financial control
BUT
Many organizations lack the initiatives, capabilities,
and technological enablers to realize the benefits
Myth #1 – GRC is a Cost Center
GRC management has traditionally been viewed as a
means to:
Reduce liability-related costs
Address problems associated with financial and
operational control
This traditional approach relegates GRC to a Cost
Center, not a business enabler
Myth #1 – Busted by GRC Enablement
Given the dynamic regulatory environment, GRC
management is now setting the stage for new revenue
opportunities:
Improving access to selling into global markets
Attracting new customers through liability-reduction
Best-in-class companies view GRC solutions and
services as key elements to their growth strategy
Myth #2 – GRC Misunderstands Risk
GRC processes are not able to identify risks reliably,
let alone mitigate them quickly enough to compete in
today’s economy
GRC prevents executives from being able to
understand the impact of risk on overall corporate
performance in a timely manner
Myth #2 – Busted: GRC Counters Risk
Top companies have taken the initiative to
standardize GRC processes to enable better trade,
safety, and environmental compliance, as well as
improve their abilities to quickly identify risk elements
to expedite mitigation actions
In these organizations, executives are able to
understand the impact of risk on overall corporate
performance
Myth #3 – GRC Can’t Fit My Organization
GRC is a straitjacket that will prevent
management and executives from correcting
problems as they occur
GRC is too generic and can’t generate enough data
to identify the sources of issues in my complex
organization
We need both Quantitative and Qualitative data and
GRC can't supply both
Myth #3 – Busted: GRC Can Fit Everyone
Executive-driven GRC allows executives to intervene and
provide corrective paths quickly
Both qualitative and quantitative feedback can be
collected from various departments, at various
levels, to validate the success of the strategy
GRC scales to large, complex organizations
Myth #4 – GRC Data is Too Dispersed
GRC efforts result in data scattered all across an
enterprise preventing timely stakeholder access
Management can’t easily get mission-critical risk
data that impacts corporate objectives
Myth #4 – Busted: GRC Centralizes Data
Effective GRC centralizes risk data and compliance
information to facilitate stakeholder access,
particularly in situations where the organization is
dispersed geographically and operating in different
time zones
Best-in-Class companies leverage this centralized
repository to maintain GRC information to provide
visibility into management directives, risk
elements, and regulatory changes
Myth #5 – GRC Impacts Performance
There is too much overhead in GRC programs to
monitor all my risks and compliance needs, so it
can’t really tell us what is going on
Getting real-time data out of a GRC program is
nearly impossible, so I can’t get actionable
information
Myth #5 – Busted: GRC Enhances Performance
Effective GRC programs systematically monitor key
risk indicators, so organizations can consistently get
a pulse on the health of the business
Best-in-Class companies are therefore better at
measuring how well their staff is following
management directives
Timely tracking of corporate governance
effectiveness enables executives to ensure the
alignment of staff execution to enterprise objectives
Myth #6 – GRC is NOT a Technology Problem
We need to rely on our employees to manage risk
due to the highly regulated nature of our business
Our data is created by people, and they understand
it best
Our executives are tired of technology solutions
Myth #6 – Busted: Technology Enables GRC
Companies relying completely on people for
communication are at a disadvantage when
compared to software-enabled organizations
Effective GRC provides an infrastructure that allows
executives to concurrently access GRC data /
information
GRC tears down silos of information, allowing
decisions to be made in a quick and informed
manner
Myth #7 – GRC is just another “Me Too” project
Everyone has tried it, and the benefits don’t exceed
the costs
The ROI for GRC just isn’t there
Myth #7 – Busted: GRC Differentiates
Implementing a GRC program will help to
differentiate a company from its competitors
GRC provides a quantifiable ROI due to increased
agility and growth
GRC = Governance, Risk and Compliance
OR
“Guard Assets, Revenue Enhancement, Cost Reduction”
GRC Truths
Initiatives foster growth
Is a competitive differentiator
Protects innovation
Attracts new customers in new markets
Facilitates stakeholder action
Designed for Executive involvement
Key GRC Management Benefits
Driving organizational alignment of executive and
staff agendas through effective governance
Understanding risks in terms of dollar-value impact
and corporate brand equity
Prioritizing organizational initiatives based on risk
level
Creating additional revenue opportunities by meeting
compliance requirements for selling into new
markets / regions
Enterprise Benefits
Companies can better position themselves for
growth if they become proactive in their GRC
management initiatives:
making sure that objectives, risk, regulatory information,
and accountability information are made visible to
stakeholders ahead of time to enable informed decisions
Call to Action for Effective GRC
Best-in-Class Companies:
Define a workflow from Risk Identification to
Mitigation
Align staff accountability to corporate objectives
Establish platforms to promote visibility and
collaboration on strategic, financial and operational
plans
SecureAware – Our GRC Solution
• Policies, rules, and procedures
• PCI, ISO, and COBIT templates
• Import existing policies
• Create new policies
• Rapidly deploy SAT training
• IT risk management
• Risk assessment
• Vulnerability assessment
• Business impact assessment
• Business process map with IT systems
• Compliance gap analysis
• Internal audit
• Self assessments
• Tasks linked to policies
• Workflow for review & approval
• Recurring tasks
• Documents performed activities
• Gap analysis
• Business continuity plans
• BCP structures
• BCP templates
• Tasks with compliance
• Complete customization (skins)
• Multiple portals
• Multiple languages
• API for integration
• Interfaces with Active Directory
• Automated security awareness
• Mapped to policies and procedures
• Certificate of completion
Contact Information
Thank you for attending our webinar!
Erik Rolf
Vice President Enterprise GRC
Lightwave Security
For a copy of this presentation please send an email to: