A Technology Blueprint for Governance, Risk Management and Compliance
Carole Stern Switzer, Esq.
President, OCEG
cswitzer@oceg.org
Driving Principled Performance®
3/12/2009 (c) OCEG
Our PURPOSE
OCEG is the only nonprofit that helps organizations drive Principled Performance® by enhancing corporate culture and improving governance, risk management, internal control and compliance (GRC) capabilities via:
• Community
  – Interdisciplinary, Cross-Industry
  – Benchmarking and Research
  – Education, Webinars and Events
• Content
  – Standards & Guidelines (technical, process, content)
  – Repositories of Laws, Regulations and Related Standards
  – Media, Research and other Resources
• Certification
  – Entire Programs or Components of a Program
  – Solutions, Products and Services
The Bottom Line
Principled Performance® depends on defining what is “right” for your company and doing the “right” things the “right” way – to achieve these goals.
An organization must clearly define WHAT it will achieve and how it will create value while addressing UNCERTAINTY, PROTECTING VALUE and staying within BOUNDARIES.
What is GRC?
Integration
“Principled Performance®” requires the integration of a number of enterprise processes, most notably
Governance, Risk Management & Compliance
What is New?
Increased global footprint, increased executive liability, increased volume and velocity of mandates, increased pressure from stakeholders and other drivers are forcing organizations to…
Trend or Fad?
Market Need
• Forrester Research Briefing: “GRC Software Platform Revenues Will Rise To $1.3 Billion In 2011” … “We estimate that the market is currently $36 billion, and we expect it to grow to $50 billion over the next three years”
• AMR Research Briefing: “2007 GRC spending will hit $29.9B, growing 8.5% from last year; companies now expect to spend an additional 3.6%, or $31B, in 2008.”
• Gartner Research Briefing: “By 2009, the annual worldwide total software spending for GRC will be about $14 billion.”
Most Important
90% Agree or Strongly Agree: “We should adopt a consistent approach or methodology for similar activities in governance, risk and compliance”
Source: 2007 OCEG Benchmark Series: GRC Strategy Study
Adverse Impact of Failure to Be Consistent
• Increased general operating expenses
• Increased cost of reconciling disparate information
• Reduced margins
• Higher cost from suppliers
• Higher cost of capital
Source: 2007 OCEG Benchmark Series: GRC Strategy Study
Red Book 2.0
GRC Taxonomy & Technical Standards
• OCEG GRC Capability Model: describes the common elements of an effective program that integrates the principles of good corporate governance, risk management, compliance, ethics and internal control.
• Content Domains: provide topical or industry-specific information that integrates with the Capability Model and assumes that the capability is in place.
• Taxonomy & Technical Standards: define the key entities and systems that comprise a GRC “backbone”, and interface standards so that these systems integrate more easily and effectively.
Component View of the OCEG GRC Capability Model
8 INTEGRATED COMPONENTS
• INFORM & INTEGRATE
• DETECT & DISCERN
• ORGANIZE & OVERSEE
• ASSESS & ALIGN
• MONITOR & MEASURE
• PREVENT & PROMOTE
• RESPOND & RESOLVE
8 UNIVERSAL OUTCOMES
• Enhance Organizational Culture
• Increase Stakeholder Confidence
• Prepare & Protect the Organization
• Prevent, Detect & Reduce Adversity
• Motivate & Inspire Desired Conduct
• Improve Responsiveness & Efficiency
• Optimize Economic & Social Value
• Achieve Business Objectives
Element View of the GRC Capability Model
Element Contents
• Principles
• Common Sources of Failure
• Practices
• Related Requirements
• Key Deliverables
• Technology Modules from the GRC-IT Blueprint
Effectiveness is a term of art
• Design Effectiveness
• Operating Effectiveness
We want to keep it that way!
Effectiveness vs. Performance: the law does not demand anything beyond effectiveness – BUT shareholders (stakeholders) expect more!
High-Performance (diagram labels: EFFECTIVE, EFFICIENT, RESPONSIVE; ACTIVITIES; OUTCOMES)
Principles and Needs
IT for GRC Principles:
• Integration – it is unlikely a single application can enable all GRC activities. Create a “GRC Backbone” of integrated parts.
• Simplification – Simplify the architecture and use common components to enable multiple risk areas.
• Reuse – Leverage existing investments and only buy when you must.
• Automation – For repetitive or complex tasks, but sometimes human judgment is required.
• Information – Sharing information about performance, risks, controls, incidents and resolution is fundamental to GRC. The ability to analyze this information alongside business information is the essence of GRC.
Common IT Needs for GRC:
• Legal and regulatory requirements management
• Policy and procedure management
• Communication management
• Organization and responsibility management
• Process and control libraries or frameworks
• Risk libraries
• Training and attestations
• Risk and impact assessments
• Audit and assurance activities
• Incident and action plan management
• Alignment with the business
• Visibility for process owners
• Visibility at the business unit and enterprise levels
The GRC-IT Blueprint
The Blueprint defines 72 GRC Technology Modules and organizes and maps them in several ways, as follows:
• To each of the Elements of the GRC Capability Model
• Within Three Technology Levels
  – Business Applications
  – GRC Core Applications
  – Infrastructure
• Within Nine Technology Arenas
  – Assurance and Audit Management
  – Business Intelligence
  – Business Process Management
  – Corporate Governance
  – Enterprise Content Management
  – Enterprise Resource Management
  – Enterprise Risk Management
  – Human Resources Management
  – Security Management
Sample Element Page
Next Steps for OCEG
• Release of final Red Book 2.0 – March 2009
• Release of final GRC-IT Blueprint – March 2009
• Release of GRC-IT Roadmap (a process guide for maturing use of IT for GRC, with self-evaluation tools) – June 2009
• Development of GRC-XML – ongoing through the OCEG Technology Council
• Launch of broader GRC-IT Community on the OCEG site – June 2009
A few key takeaways
• The use of technology for GRC is not an option; it is a necessity
• Using the OCEG Red Book and GRC-IT Blueprint can help you benchmark against an independent standard and other companies
• There are barriers beyond budget – people like their spreadsheets; data hoarding has perceived benefits
• But don’t attempt to boil the ocean – look for small quick wins and build support for more
OCEG Resources
• For more information and to access some key OCEG resources, go to: https://www.oceg.org/subscribe/FEI
• 15-day demo subscription
• Download OCEG Illustrations (from the GRC Illustrated Series)
  – IT ROADMAP FOR GRC
  – How Do We Integrate IT to Enable GRC?
  – HOW DO I ASSESS RISK?
• Download from the OCEG Whitepaper Series “Critical Conversations” – CFO AT THE CENTER