Ajay Dhir - The Role of GRC and Creating a Risk Assured Framework - Interop 2009
INTEROP Mumbai, October 09, 2009
THE ROLE OF GRC AND CREATING A RISK ASSURED FRAMEWORK
AJAY K. DHIR
GROUP CIO
JSL LIMITED
Governance, Risk & Compliance...
• Governance - setting business strategy & objectives, determining risk appetite, establishing culture & values, developing internal policies and monitoring performance.
• Risk Management - identifying and assessing risks that may affect the ability to achieve objectives, applying risk management to gain competitive advantage, and determining risk response strategies and control activities.
• Compliance - operating in accordance with objectives and ensuring adherence to laws and regulations, internal policies & procedures, and stakeholder commitments.
Governance, Risk & Compliance...
GRC provides a framework and a methodology to enable those responsible for managing the business to give confidence to those who are accountable to shareholders and to regulators that corporate objectives are being met.
Business drivers for an integrated approach to Governance, Risk and Compliance
• Increasing regulations
• Increased complexity due to globalisation
• New technologies
• Integrity-driven performance expectations
• Increased demands from stakeholders
• Transparency and accountability demands
• Ethical and financial scandals
• Increased competitive pressures
Diagram centre: Governance, Risk and Compliance
Risk
• In simplified Chinese the word risk is composed of two characters; one represents danger, and the other represents opportunity.
Definition of Risk
• “Risk is a measure of future uncertainties in achieving program performance goals and objectives within defined cost, schedule, and performance constraints.” [1]
• “...an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective.” [2]
[1] Risk Management Guide for DoD Acquisition, Sixth Edition, DoD, DAU, August 2006
[2] Project Management Institute, PMBOK®, Fourth Edition, 2008
Two components of risk: the likelihood of an event occurring, and the consequence if such an event occurs.
Enterprise Risk and Compliance - Drivers and Trends
• Drivers:
  • Multiplicity of risk and regulations
  • Distributed operations and relationships
  • Interdependency of risk
  • Increased accountability
  • Fragmentation and duplication of effort
• 2009 – 2010 trends:
  • Establishment of risk and compliance architecture
  • Development of risk intelligence
  • Implementation of GRC platforms
  • Centralized communication and training on corporate policies and procedures
  • Continued evolution of the CxO responsible for GRC
Risk Sensors
Risk Sensors can provide automated inputs from low-level data:
• to demonstrate compliance with legislation and regulation (and non-compliance)
• to demonstrate working controls (and controls that are not working)
• to highlight risks / threats
• to identify incidents
• to highlight possible data leakage
• to identify potential reputation damage
+ many more...
Example of Sensors
Sensors to detect events:
• System monitors
  • Vulnerability assessment, configuration and policy compliance
• Network traffic monitors
  • Intrusion detection, intrusion prevention, firewalls, routers
• Access and identity monitors
  • Failed logins, privilege escalation, biometric identities
• Web site monitors
  • Pages visited, referred from
• End point monitoring
  • Data leakage
  • Anti-virus, anti-phishing, malware detection
• Others
  • Event and audit log collection – OS, infrastructure, applications
  • CMDB systems
  • Incident management
  • Backup software, business continuity management
  • IT security information (intelligence feeds)
• Emerging
  • Virtualised environments / ‘Cloud’ computing
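The access-and-identity and audit-log sensors listed above only become "risk sensors" in the slide's sense once low-level events are turned into statements about controls (working / not working) and incidents. The following Python sketch is an added example, not code from the deck or from JSL: it reads a constructed audit log in an assumed "timestamp EVENT key=value" format, applies an assumed lockout control (five failed logins within ten minutes must produce an ACCOUNT_LOCKED event) and an assumed list of authorised administrators, and emits control evidence plus incident flags.

```python
"""Added example: a small 'risk sensor' that turns low-level audit events into
control evidence and incident flags. Log format, policy values and the admin
list are assumptions made for this demonstration."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real system). Assumed format:
#   <ISO timestamp> <EVENT_TYPE> key=value ...
SAMPLE_LOG = """\
2009-10-09T09:00:01 LOGIN_FAILED user=alice src=10.0.0.5
2009-10-09T09:00:03 LOGIN_FAILED user=alice src=10.0.0.5
2009-10-09T09:00:05 LOGIN_FAILED user=alice src=10.0.0.5
2009-10-09T09:00:06 LOGIN_FAILED user=alice src=10.0.0.5
2009-10-09T09:00:07 LOGIN_FAILED user=alice src=10.0.0.5
2009-10-09T09:00:08 ACCOUNT_LOCKED user=alice
2009-10-09T09:10:00 LOGIN_FAILED user=bob src=10.0.0.9
2009-10-09T09:10:20 LOGIN_FAILED user=bob src=10.0.0.9
2009-10-09T09:10:40 LOGIN_FAILED user=bob src=10.0.0.9
2009-10-09T09:11:00 LOGIN_FAILED user=bob src=10.0.0.9
2009-10-09T09:11:20 LOGIN_FAILED user=bob src=10.0.0.9
2009-10-09T09:12:00 LOGIN_OK user=bob src=10.0.0.9
2009-10-09T09:30:00 PRIV_ESCALATION user=carol target=root
2009-10-09T09:31:00 PRIV_ESCALATION user=dave target=root
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>[A-Z_]+)\s*(?P<fields>.*)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    fields: dict


@dataclass(frozen=True)
class Policy:
    # Assumed control: an account must be locked after 5 failures within 10 minutes.
    lockout_threshold: int = 5
    lockout_window: timedelta = timedelta(minutes=10)
    # Assumed set of accounts permitted to escalate privileges.
    authorised_admins: frozenset = frozenset({"carol"})


@dataclass
class SensorReport:
    control_evidence: dict = field(default_factory=dict)  # account -> "working" / "not working"
    incidents: list = field(default_factory=list)


def parse_line(line: str) -> Event | None:
    """Parse one log line into an Event; unparseable lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return Event(datetime.fromisoformat(m["ts"]), m["kind"], fields)


def run_sensor(log_text: str, policy: Policy = Policy()) -> SensorReport:
    """Replay the log and derive control evidence and incidents."""
    report = SensorReport()
    recent_failures = defaultdict(list)  # account -> failure timestamps inside the window
    crossed_threshold = set()
    locked = set()
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        user = ev.fields.get("user", "<unknown>")
        if ev.kind == "LOGIN_FAILED":
            # Keep only failures that still fall inside the sliding window.
            window = [t for t in recent_failures[user] if ev.ts - t <= policy.lockout_window]
            window.append(ev.ts)
            recent_failures[user] = window
            if len(window) >= policy.lockout_threshold:
                crossed_threshold.add(user)
        elif ev.kind == "ACCOUNT_LOCKED":
            locked.add(user)
        elif ev.kind == "PRIV_ESCALATION" and user not in policy.authorised_admins:
            report.incidents.append(
                f"privilege escalation by non-admin account {user} to {ev.fields.get('target')}")
    # Control evidence: every account that crossed the threshold should have been locked.
    for user in sorted(crossed_threshold):
        working = user in locked
        report.control_evidence[user] = "working" if working else "not working"
        if not working:
            report.incidents.append(f"lockout control did not fire for {user}")
    return report


if __name__ == "__main__":
    rep = run_sensor(SAMPLE_LOG)
    print("control evidence:", rep.control_evidence)
    for inc in rep.incidents:
        print("incident:", inc)
```

On the constructed log the sensor reports the lockout control as working for alice (five failures, then a lock) and not working for bob (five failures, then a successful login with no lock), and raises the escalation by dave, who is not on the assumed admin list, as an incident. The same pattern, a policy expressed as data plus a replay over events, is what lets a GRC platform show both compliance and non-compliance from the same feed.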
What Are the GRC Management Challenges?
Enterprise-Wide Responsibility
Roles shown: CEO, CFO / VP Finance, Chief Compliance Officer (CCO), Chief Risk Officer (CRO), CIO
• Reducing the total cost of GRC
  • Timely notification of control issues, material weaknesses and violations
  • Accurate and comprehensive information on financial exposure, compliance and audit
• Increasing efficiency & consistency of compliance processes
  • Reducing regulatory actions by reducing compliance violations
  • Planning and oversight of compliance management resources
  • Identifying and implementing optimal detective & preventative controls
• Balancing the range of enterprise risks
  • Evaluating business requirements and technical risk capabilities
  • Reducing organizational cost of risk exposure and cost of mitigation or acceptance
• Ensuring auditable, secure information
  • Automating GRC information risk management
  • Eliminating multiple internal GRC solutions
  • Implementing IT platform for GRC standardisation, simplification & security
GRC – What are the objectives?
• Governance
  • Ultimately, Governance determines what the Board is responsible for and to what degree it entrusts day-to-day administration to the CEO, the management team and perhaps below.
• Knowledge Management
  • In creating a shared governance, risk and compliance environment, software supports performance objectives by regulation, standards and policy to whatever degree the Board wants.
• Process
  • Crucially, software enables linkage of roles, processes and assets. Plan, Do, Check, Act (PDCA) processes should be effectively managed in a single framework, so the organization as a whole is better governed.
• Technology
  • Convergence of data, status, actions and incidents must be easily monitored, providing visibility and control to the business.
Today’s organizations are concerned about:
• Risk Management
• Governance
• Control
• Assurance
Enterprise Risk Management
“How Do I take more Intelligent Risks?”
• Disciplined Decision Making
• Risk Timing
• Business & Technology Innovation
• Increased Shareholder Value
• Industry Leadership
“Is my current Risk level in control?”
• Business Risk Monitoring
• Risk Responsiveness
• Tolerance
  • Controllable Risks
  • Non-Controllable Risks
“How Do I Reduce Business Risk?”
• Risk Analysis
• Risk Assessment
• Business Continuity Planning
• Business Resilience
Diagram labels: OPTIMIZE, GROW, PROTECT; ERM; Corporate Strategy
Primary Drivers for Implementing ERM
Rank  Driver                                                   Percent
1     Corporate governance requirements                        66%
2     Greater understanding of strategic and operating risks   60%
3     Regulatory pressures                                     53%
4     Board request                                            51%
5     Competitive advantage                                    41%
Highest Priority ERM Objectives
• Ensure risk issues are explicitly considered in decision making – 44%
• Avoid surprises and “predictable” failures – 40%
• Align risk exposures and mitigation programs – 24%
• Institute more rigorous risk measurement – 19%
• Integrate ERM into other corporate practices like strategic planning – 17%
The Growing Influence of Risk Management
[Chart: A majority of companies are choosing ERM – share of companies Preparing/Developing/Implementing, Positively disposed, and Have rejected (values shown: 56%, 35%, 9%)]
[Chart: ...and ERM is seen as an increasingly important responsibility – Degree of Importance (Very high / Significant / Somewhat or less) as rated by Internal audit, CFO, CEO and Board]
Enterprise Risk Management — An Integrated Framework
An ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
The ERM Framework
• Entity objectives can be viewed in the context of four categories:
  • Strategic
  • Operations
  • Reporting
  • Compliance
The ERM Framework
ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes
ERM Roles & Responsibilities
• Management
• The board of directors
• Risk officers
• Internal auditors
Key Implementation Factors
1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review by management
Getting glasses: how GRC software platforms help organizations regain control
• Frequently, individuals or departments get bogged down in one area of compliance, such as Sarbanes-Oxley (SOX) or privacy laws, but fail to realize that compliance is an octopus-like challenge. Managing this many-tentacled beast requires that an organization establish a technology architecture for Governance, Risk, and Compliance (GRC).
• What is the value of the GRC software platform?
  • The GRC software platform enables an enterprise risk and compliance strategy; the software is not a strategy itself. GRC software platforms must be:
    • Sustainable
    • Consistent
    • Efficient
What is a GRC software platform and what does it do?
• The GRC software platform is the technology heart of the GRC architecture — it provides a single system of record for defining, maintaining, and monitoring Governance, Risk and Compliance. GRC platforms create centralized systems of record for the entire business in four areas:
  1. Policy, procedure, and control documentation maintenance and communication
  2. Risk and control assessment processes
  3. Risk analytics, modeling, and reporting
  4. Loss, event collection, and investigations management.
Usage varies across:
• Business executives. Executives use the software to monitor the state of risk and compliance, as well as to monitor corporate losses — driving strategic decisions and management of the organization.
• Risk and compliance officers/managers. These executives typically represent the heaviest users of the software and are focused on the day-to-day management of risk and compliance content and processes.
• Business unit and process managers. These executives must use the software to answer risk and control assessments and monitor the state of risk and compliance in their individual areas of responsibility.
• Employees, contractors, consultants, and temporary workers. The system helps every member of the firm read, acknowledge, and receive training on policies and compliance issues that pertain to their individual responsibilities.
• Business partners. Business partners (e.g., suppliers, contractors, outsourcers) work with the system in conducting contract and control assessments to attest to their performance against contractual requirements.
The technical support GRC software platforms need to succeed
• Achieving integration across the four capability areas considered essential for governance, risk, and compliance software platforms — policies/controls, assessment, analytics, and loss/investigations — requires that GRC software platforms have four integrated areas of technical functionality to deliver on these features:
• Enterprise content management. GRC starts as a content problem. As organizations struggle to manage an assortment of risk assessment and compliance examination documentation, they first look for content management capabilities to categorize, store, retain, and manage access to this sensitive information.
• Business process management. After gaining control of content, organizations then look to drive efficiency into their GRC processes through process management and workflow technologies. Specifically, they require a platform that provides collaboration and automation of risk and compliance processes.
• Enterprise applications. Next, organizations look for further automation of control monitoring and enforcement, alongside the monitoring and measurement of risk, by gathering information directly from enterprise applications.
• Business intelligence/business analytics. Finally, after solving the content, process, and enterprise integration challenges of risk and compliance come the reporting and communication requirements, delivered through business intelligence and analytic features.
Recommendations
• Define your risk and compliance architecture.
  • A GRC software platform is not a silver bullet to manage risk and compliance — no technology is.
  • Start with defining your GRC vision.
  • Develop your long-term strategy for GRC.
  • Be selective in the platform you choose.
  • Get your feet wet first!
Common Pitfalls
• Unclear or ‘moving goalpost’ objectives
• Different ‘agendas’
• Too much detail to analyse
• Too much effort or insufficient knowledge
• Insufficient resource, takes too much time
• Answers lead to more questions
• Can’t articulate benefits to the business
About JSL
• JSL Limited, set up in 1970 by the steel visionary Mr. O.P. Jindal, has grown from an indigenous single-unit steel plant in Hisar, Haryana to the present multi-billion, multi-national and multi-product steel conglomerate. The organization is still expanding, integrating, amalgamating and growing.
• An ISO 9001 & ISO 14001 company, it is the flagship company of the Jindal Organization.
• Total Revenue (FY 2008-2009): USD 2 billion
• Manufacturing Plants
  • Hisar (Haryana)
  • Vizag (Andhra Pradesh)
  • Indonesia
  • Kalinganagar, Orissa – the largest integrated greenfield project in stainless steel globally
• Hisar Plant: At Hisar, JSL has India's only composite stainless steel plant for the manufacture of Stainless Steel Slabs, Blooms, Hot Rolled and Cold Rolled Coils, 60% of which are exported worldwide.
  • Slabs
  • Blooms
  • HR & CR Coils
  • Precision Strips
  • Blade Steel
  • Coin Blanks
• The present production capacity of the plant is 6,00,000 TPA, which is being expanded to 7,20,000 TPA. With the commissioning of the plant in Orissa in 2010, the capacity will be approximately 12 million TPA.
• An exclusive complex for manufacturing stainless steel for razor and surgical blades has been created. A coin blanking line has also been installed. The major export destinations are China, Bangladesh, Vietnam, South Africa, Russian Federation, Ukraine, Belgium, Italy, Greece, UK, and USA.
JSL’s Integrated ERM Framework
• Integrate ERM in Corporate Compliance and Governance Activities
  • Integrate key risk processes and systems
  • Understand our risk appetite
  • Sustain a risk-based approach to improving and managing corporate compliance and governance
  • Use Risk Review Group to increase multi-disciplinary risk education, awareness and information sharing
Diagram components: Internal Controls (ICS); Sarbanes-Oxley (SOX); Risk Management (RM); Finance Planning and Analysis (FP&A)
JSL’s ERM Process
Determine priorities for ERM via Risk Review Group and Board
• Identify Executive Sponsor in area to be assessed
• Interview key executives in multiple functional areas regarding their perceptions of key risks facing the company and their quantification of the probability, severity and current management effectiveness at managing the risk – the discussion is the most important aspect
• Consolidate interview results, identify key risks and report back to Executive Sponsor and collect feedback
• Share final report with Corporate Executive Sponsors and Audit Committee
• Facilitate discussions/workshops with risk owners with regard to decisions on identified key risks
• Track progress via Ops Reviews, Risk Review Group, Internal Audit
Schedule and integrate with business planning
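The consolidation step above takes each executive's quantification of probability, severity and current management effectiveness and turns it into a ranked list of key risks. The following Python example is added here and is not JSL's own tooling or data: the interview records are constructed, the 1 (low) to 5 (high) scales and the residual-exposure formula (probability × severity, reduced by the share of risk that management effectiveness is judged to remove) are assumptions, and the disagreement flag is one way to pick which risks most need the facilitated discussion the process calls for.

```python
"""Added example: consolidate ERM interview scores into a ranked key-risk list.
Scales, formula and interview records are assumptions made for this demonstration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Constructed interview records: (interviewee, function, risk, probability,
# severity, management effectiveness), each scored 1 (low) .. 5 (high).
INTERVIEWS = [
    ("CFO", "Finance",    "Raw material price volatility", 4, 5, 3),
    ("COO", "Operations", "Raw material price volatility", 5, 5, 2),
    ("CIO", "IT",         "Raw material price volatility", 4, 4, 3),
    ("CFO", "Finance",    "Plant commissioning delay",     3, 5, 4),
    ("COO", "Operations", "Plant commissioning delay",     4, 5, 3),
    ("CFO", "Finance",    "Regulatory non-compliance",     2, 4, 4),
    ("COO", "Operations", "Regulatory non-compliance",     2, 4, 4),
    ("CIO", "IT",         "IT system outage",              3, 3, 2),
    ("COO", "Operations", "IT system outage",              1, 3, 4),
]


@dataclass(frozen=True)
class RiskSummary:
    risk: str
    functions: tuple          # functional areas that scored this risk
    probability: float
    severity: float
    effectiveness: float
    inherent: float           # probability x severity
    residual: float           # inherent, reduced by management effectiveness
    disagreement: tuple       # dimensions where interviewees differ by >= gap points


def residual_exposure(p: float, s: float, e: float) -> float:
    """Assumed formula: inherent exposure (p*s) scaled by the share of risk
    that current management effectiveness (1..5) is judged NOT to remove."""
    mitigation = (e - 1) / 4          # 0.0 at e=1 (ineffective), 1.0 at e=5 (fully effective)
    return p * s * (1 - mitigation)


def consolidate(interviews, disagreement_gap: int = 2) -> list[RiskSummary]:
    """Average each dimension per risk, flag spread between interviewees,
    and return risks ordered by residual exposure, highest first."""
    by_risk = defaultdict(list)
    for rec in interviews:
        by_risk[rec[2]].append(rec)
    summaries = []
    for risk, recs in by_risk.items():
        cols = {
            "probability":   [r[3] for r in recs],
            "severity":      [r[4] for r in recs],
            "effectiveness": [r[5] for r in recs],
        }
        p, s, e = (mean(cols[k]) for k in ("probability", "severity", "effectiveness"))
        # A gap of >= disagreement_gap between the lowest and highest score means the
        # interviewees see this risk differently: the discussion is where the value is.
        disagreement = tuple(k for k, v in cols.items() if max(v) - min(v) >= disagreement_gap)
        summaries.append(RiskSummary(
            risk=risk,
            functions=tuple(sorted({r[1] for r in recs})),
            probability=p, severity=s, effectiveness=e,
            inherent=p * s,
            residual=residual_exposure(p, s, e),
            disagreement=disagreement,
        ))
    return sorted(summaries, key=lambda x: x.residual, reverse=True)


def key_risks(summaries: list[RiskSummary], top_n: int = 2) -> list[str]:
    """The risks to report back to the Executive Sponsor first."""
    return [x.risk for x in summaries[:top_n]]


def workshop_candidates(summaries: list[RiskSummary]) -> list[str]:
    """Risks where interviewees disagree: candidates for a facilitated workshop."""
    return [x.risk for x in summaries if x.disagreement]


if __name__ == "__main__":
    ranked = consolidate(INTERVIEWS)
    for x in ranked:
        print(f"{x.risk:<32} inherent={x.inherent:5.2f} residual={x.residual:5.2f} "
              f"functions={x.functions} disagreement={x.disagreement}")
    print("key risks:", key_risks(ranked))
    print("workshop candidates:", workshop_candidates(ranked))
```

On the constructed data, raw material price volatility and the commissioning delay come out as the two key risks, while the IT outage, although lower in residual exposure, is the one flagged for a workshop because Operations and IT score its probability and the effectiveness of current management two points apart. Keeping inherent and residual exposure side by side also shows where the ranking depends on an effectiveness judgement that the Audit Committee may want to test.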
FY 2009 - 2010 ERM Objectives
• Enhance understanding of risks affecting the Group & the drivers of those risks
• Raise the level of ERM awareness & education within JSL & externally
• Integrate risk management with existing processes – investment management, strategic planning & business development
• Continue to integrate risk management with line management processes