Delivering an Engaging, Mobile, and Interactive GRC Experience to All Levels of the Organization

Post on 28-May-2020

TRANSCRIPT

  • (888) 519-9200 www.complianceweek.com

    Sponsored by

    Delivering an Engaging, Mobile, and Interactive GRC Experience to All Levels of the Organization

    Welcome to Compliance Week’s Webcast on delivering an engaging, mobile, and interactive GRC experience to all levels of the organization

    The Webcast will feature Michael Rasmussen, Principal Analyst with GRC 20/20 Research

    The discussion will be hosted by Compliance Week Executive Editor, Joseph McCafferty.

    You can submit questions to our speaker by using the “Ask a Question” button on the left side of your screen.

  • Agenda for Today’s Webcast

    This Webcast will last for 60 minutes

    2:00 p.m. Introduction: Joseph McCafferty, Compliance Week

    2:05 p.m. Discussion: Michael Rasmussen, GRC 20/20 Research

    2:45 p.m. Q&A: Will be kept anonymous

    3:00 p.m. Closing Remarks: From Compliance Week

  • Introduction: The Series, Schedule & Instructions

    Upcoming Webcasts: Visit our website for future Webcast dates and topics: www.complianceweek.com

    Instructions:

    • Use the “Ask A Question” function (left side of your screen). All questions will be anonymous.

    • Please disable your pop-up blockers to access the automatic CPE exam presented at the webcast conclusion.

    http://events.complianceweek.com/

  • Today’s Presenter

    Michael Rasmussen, Principal Analyst, GRC 20/20 Research

    • Well-known thought-leader, keynote speaker, author and collaborator.

    • Noted for being the first analyst to define and model the GRC market for products and professional services.

    • With more than 15 years of experience, Michael's objective is to assist organizations in defining GRC processes that are sustainable, consistent, efficient, and transparent.

  • Delivering an Engaging, Mobile, and Interactive GRC Experience to All Levels of the Organization

    September 2013

    Michael Rasmussen, J.D., Chief GRC Pundit @ GRC 20/20 Research, LLC

    OCEG Fellow @ www.OCEG.org

  • 6 © 2013, all rights reserved, www.grc2020.com

    Are you truly aware of your risks?

    “Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”

    E.J. Smith, Captain of the Titanic

    The modern organization is encumbered by change. The onslaught of changing business, risk, and regulatory environments, while keeping change in sync, is a significant challenge for governance, risk management, and compliance (GRC). GRC fails when it is addressed as a system of parts that do not integrate and work as a collective whole.

  • 7

    GRC Impacted From So Many Directions

    [Diagram: changing business, risk, and regulatory environments bear on four operational units. Levels shown: Board, Line of Business Management, Employees. GRC artifacts flowing between them: assessments, issues, procedures, training, policies, testing, controls.]

  • 8

    Battling the Hydra of GRC

    • Email-based process with disparate documentation and paper trails

    • Complex interfaces

    • Poor visibility and reporting

    • Files and documents out of sync

    • Wasted resources and spending

    • Overwhelming complexity

    • No accountability

  • 9

    Too many formats and approaches are inefficient, ineffective, and lack agility

  • 10

    The Winchester Mystery House

    • 160 rooms

    • 47 fireplaces

    • 6 kitchens

    • 10,000 windows

    • 65 doors to blank walls

    • 13 staircases abandoned

    • 25 skylights – in floors

    • 147 builders/no architects

    • Built without a blueprint

    • $5.5 million over 38 years

    … confusing user experience

  • 11

    . . . and we are just hoping nothing fails

    • Inability to gain a clear view of GRC dependencies;

    • High cost of consolidating GRC information;

    • Difficulty maintaining accurate GRC information;

    • Failure to trend across assessment and reporting periods;

    • Redundant approaches limit correlation, comparison and integration of information; and

    • Lack of agility to respond timely to changing risks, regulations, laws, and situations.

  • 12

    What GRC is all about . . .

    BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives

    OPPORTUNITIES

    MANDATORY BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.

    VOLUNTARY BOUNDARY: boundary defined by management including organizational values, contractual obligations, voluntary policies and other promises.

    OBJECTIVES: strategic, operational, customer, process, compliance objectives

    GRC is a capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity…

  • 13

    Evolution of GRC

    GRC 1.0 → GRC 2.0 → GRC 3.0

    GRC 3.0 is about . . .

    • Bringing GRC to the ‘coal-face’ – the frontlines of the organization

    • Mobility and engagement

    • Dynamic integration of actionable content

    • 360° GRC contextual awareness

    • GRC Architecture

    • Operationalizing GRC

  • 14

    GRC Engagement: Lack of Interactive Structure

    User experience with GRC is typically poor in most organizations, resulting in . . .

    • Time consuming and redundant processes that are NOT EFFICIENT

    • A check-box mentality that sends off messages and tasks that are NOT EFFECTIVE

    • Lack of central coordinated efforts for GRC communications that hinder the organization to the point where it is NOT AGILE

    Inefficient processes create critical resource constraints:

    • Multiple sources of policy, training, survey, assessment, issue reporting/hotline, and interaction consume human and financial capital resources

    • Employee interactions are inconsistently logged in documents and spreadsheets – if they are logged at all

    • The organization lacks a consistent approach to GRC communications and fails to prioritize action items

    • Emails fly about, slip through cracks, are not responded to, or are simply forgotten

  • 15

    GRC Engagement: an Agile Approach

    However, if organizations align and optimize processes supported by technology that provides an intuitive interface for employee engagement, GRC programs become . . .

    Effective. The organization ensures that risk and compliance are effectively monitored and managed at all levels of the organization: that policies are not only read but understood, that employees are trained properly, that they know how to ask questions when in doubt and how to report issues, and what to be alert for.

    Efficient. GRC engagement provides efficiency and savings in both human and financial capital resources by providing employees access to the right information at the right time.

    Agile. The organization is able to respond rapidly to changes in the internal business environment as well as the external environment, and to communicate the GRC context of these changes to employees. GRC engagement is measured in the ability to identify and react to events and issues.

  • 16

    Employee GRC Engagement

    [Diagram: Employee GRC Engagement, built on Interactive & Relevant Content, Mobility, Analytics, Gamification, and Socialization & Collaboration.]

    GRC needs to deliver interactive and relevant content in the context of the user, such as:

    Policies & Training. Policies and training come together into a unified employee experience. Relevant resources are easily accessible and provided in the same interface without hopping between disconnected systems.

    Issue Reporting. Employees can easily report issues and, in doing so, can be provided with relevant contextual information to see whether what they are reporting is an issue or not, which helps educate them as they engage in GRC.

    Surveys & Assessments. As employees answer questions they can easily look up relevant policies and other information in the context of the assessment, so they are informed on context and their answers are relevant.

  • 17

    Employee GRC Engagement

    GRC engagement is accomplished through socialization and collaboration across the organization that:

    Gets questions answered. Employees should be able to ask questions and get them answered quickly with contextually relevant information and pathways.

    Provides for two-way communication. Employees have ideas and ways to improve GRC, and have feedback on values, code of conduct, policies, trainings, risks, or incidents.

    Shares information. Getting employees engaged is about sharing information; it allows the organization to see what works and keeps employees engaged.

    Connects the dots through collaboration. GRC needs to allow for collaboration on GRC across broad geographic boundaries without the need for everyone to be in the same physical location.

  • 18

    Employee GRC Engagement

    There is an app for GRC! GRC engagement through use of mobile technologies makes GRC accessible as well as efficient through mobile:

    Policies & training. Delivery of policies and training on mobile devices, which works particularly well in environments where a tablet can be deployed as a policy and training kiosk.

    Surveys & assessments. Employees answer GRC surveys and assessments and can use mobile devices to get the job done. They can provide pictures through integrated cameras to capture information related to the assessment.

    Issue reporting. Mobility allows for quick reporting, and integrated cameras can capture a visual of the issue at the moment (e.g., health and safety hazard, accident).

    Investigations. Investigations can be done, evidence photos attached, barcodes on evidence bags scanned, and even interviews captured with integrated audio and video.

    Reporting. For executives, managers, and GRC professionals, mobility provides an engaging experience to get reports and drill into them wherever and whenever needed.

  • 19

    Employee GRC Engagement

    Metrics and analytics become stronger through employee engagement, when risk boundaries, ethics, and values help the organization measure corporate integrity and improve corporate culture. Consider the following:

    Alignment. Employee engagement feeds into analytics to ensure that the culture of the organization, its values, and its risk boundaries are understood and supported across the organization.

    Reception. It allows employees to rate policies and training programs to determine what was well received and what was not. Did they understand the policy? Was the training interesting, appropriate, and informative? Are there things around policies/trainings that they still don't understand?

    Organizations should focus on delivering engaging GRC user experiences that align with the needs of employees, integrate with organizational architecture and systems, and deliver relevant content when and wherever it is needed.

  • 20

    Employee GRC Engagement

    GRC engagement is about interactive experiences, recognition, and rewards. It is not about trivializing GRC, but about using content and technology to engage, communicate, and allow for broader participation. GRC gamification includes:

    Interactive content. Getting employees involved through video, comedy, and games to educate on risk, policy, and compliance. Games, puzzles, and illustrations all help to answer questions, develop skills, and communicate a point.

    Recognition and awards. Employees can engage with GRC to gain points and achieve levels/badges. Recognition can be given when people complete assessments, discover and report issues, educate others, and champion GRC in different ways.

  • 21

    The Role of Technology in Regulatory Change

  • 22

    Bringing it all Together: Value of Integrated GRC Information

    [Diagram of integrated GRC information: Regulations & Obligations; Risk & Analysis; Objectives & Goals; Incidents & Issues; Assets & Relationships; Policies & Training; Controls & Assessment; Roles & Responsibilities.]

  • 23

    Elements of GRC communication plan

  • 24

    Defensible and effective GRC communications

  • Questions?

    Michael Rasmussen, J.D., Chief GRC Pundit & OCEG Fellow

    [email protected]

    +1.888.365.4560

    GRC 20/20 Newsletter

    LinkedIn: GRC 20/20

    Blog: GRC Pundit

    Twitter: GRCPundit

    LinkedIn: Michael Rasmussen

    Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.

  • Feedback

    Please send to: [email protected]

    Thanks, Michael Rasmussen, Principal Analyst, GRC 20/20 Research

    *CPE Credit: Please disable your pop-up blockers to access the automatic CPE exam presented at the conclusion of the webcast. The CPE test will appear in a separate window at the conclusion of the Webcast. If you have trouble accessing the test, please email us at [email protected]

    CPE certificates will be emailed to you separately following completion of the exam.

    Thank You for Joining Us