Enterprise-wide GRC Implementation - Dell EMC (presentation transcript)
© Copyright 2013 EMC Corporation. All rights reserved.

Enterprise GRC Implementation: Our journey so far… implementation observations and learning points

Derek Walker, Corporate Risk Manager, National Grid
Introduction to National Grid

One of the world’s largest 100% listed utilities, focused on regulated transmission and distribution activities in electricity and gas in the United Kingdom and the United States.
Introduction to National Grid

[Diagram: National Grid’s principal UK businesses. Electricity generators; gas producers and importers; National Grid Transmission UK; regional electricity distribution networks; National Grid Gas Distribution UK; other regional gas distribution networks; commercial and domestic customers.]
Introduction to National Grid: National Grid UK
Introduction to National Grid

[Diagram: National Grid’s principal US businesses. Electricity generators; gas producers and importers; National Grid Transmission US; gas transmission pipelines; other electricity transmission networks; National Grid Electricity Distribution US; National Grid Gas Distribution US; other electricity/gas distribution networks; commercial and domestic customers.]
Introduction to National Grid: National Grid US
GRC Selection & Implementation: Background

National Grid conducted a review of governance, risk and compliance functions across the enterprise. A broad consolidated review was initiated to understand the benefits of pulling together governance, risk and compliance. The review covered governance, risk and compliance:
– Processes
– Culture
– Information and data
– Systems

The review found that the areas were fit-for-purpose, with potential for improvement and closer integration.
GRC Selection & Implementation: Processes, information and systems review

Conducted a wide review involving many GRC business departments within the enterprise (UK and US).

The process-systems-information workstream looked at:
– Current systems and data
– Products on the market which could support governance, risk and compliance processes independently
– Integrated “eGRC” products

– Full procurement exercise
– Company organisational change
– Business programme change
GRC Implementation: Sponsorship, ownership and governance

Start-up of the GRC programme: ensure the clear rationale is understood “at the top” of the company.

Sponsorship
– Executive sponsor
– Formed a Steering Group with sponsorship across the governance, risk and compliance groups benefiting from GRC…
– …including GRC business areas in planned future implementation Stages
– Group Audit and Risk Committees

Ownership
– Steering Group nominated lead business SMEs within each of the business areas – the Business Leads

Governance
– Programme and project governance – Business Leads, RSA Archer and IS
– Independent programme review and implementation assurance
GRC Implementation: Objective

Implement an integrated, company-wide, cost-effective GRC system capable of adequately managing information to meet our current and future risk, compliance and assurance requirements.

Configured GRC will…
– Enable controlled data sharing and alignment
– Use common information – ‘single source of the truth’
– Facilitate automated monitoring, action-tracking and reporting
– Help ensure that the Company is acting in accordance with its rules and controls
GRC Implementation: Defining the implementation roadmap

Strategy Roadmap exercise
– Optimum start point for full future GRC configuration
– Start ‘small’ and build from a stable core
– Take account of the ‘final’ system configuration at the outset
– Start with the business areas which derive the greatest benefit from using the solutions
– Final roadmap influenced by the business areas best able to support the programme

Strategy Roadmap produced with business SMEs and RSA Professional Services
GRC Implementation: Defining the implementation roadmap

The roadmap is an optimum balance of:
– starting small, and yet…
– large enough business critical-mass to
  – ensure visibility at the highest level
  – justify the enterprise licence costs
– generating value
– generating ‘speed-to-value’

Full project scope divided in two to reduce implementation risk (Stages 1 & 2).
Sanction initially sought for Stage 1 as part of the full programme.
We are using many solutions of RSA Archer eGRC

Compliance Management: Document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues.
Policy Management: Centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance.
Threat Management: Track threats through a centralized early warning system to help prevent attacks before they affect your enterprise.
Enterprise Management: Manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives.
Risk Management: Identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation or acceptance.
Incident Management: Report incidents and ethics violations, manage their escalation, track investigations and analyse resolutions.
Business Continuity Management: Automate your approach to business continuity and disaster recovery planning, and enable rapid, effective crisis management in one solution.
Audit Management: Centrally manage the planning, prioritization, staffing, procedures and reporting of audits to increase collaboration and efficiency.
Vendor Management: Centralize vendor data, manage relationships, assess vendor risk, and ensure compliance with your policies and controls.
To support the GRC processes in the first stage of implementation

Compliance Management: Document the control framework and respond to policy and regulatory compliance issues.
Policy Management: Centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance.
Threat Management: Track threats through centralised warning to help ensure reduced impact on the enterprise.
Enterprise Management: Manage relationships and dependencies within hierarchy and infrastructure to support GRC initiatives.
Incident Management: Report incidents and ethics violations, manage their escalation, track investigations and analyse resolution.
Risk Management: Identify and capture risks, evaluate them and respond with remediation or acceptance.

Business areas supported in the first stage:
– Corporate Risk Management
– Group Compliance
– IS Digital Risk & Security
– Information Records Management
– US Regulatory Compliance
– US Network Strategy
– Incident Management (Ethics)
GRC Implementation: Original stages and phases (business areas in braces)

Stage 1
  Phase 1: Enterprise Management, Risk Management, Incident Management
    {Risk Management, IS DR&S, Ethics Case Management}

Stage 2
  Phase 2: Compliance Management, Policy Management
    {Group Compliance, US Regulatory Compliance, IS DR&S}
  Phase 3: Policy Management
    {Information Records Management, IS DR&S}
  Phase 4: Issues Management, Policy Management
    {IS DR&S, Regulatory Support & Reporting, US Controls and Governance}
  Phase 5: Audit Management and extending Stage 1 solutions
    {Project Management and Construction (UK, US)}
  Phase 6: Threat Management and extending Stage 1 solutions
    {Global Security, Group Finance and Controls, IS DR&S}
Targeted Benefits: Risk Management
– Improved review and change-tracking capability
– Improved ease of data entry
– Closer integration with other assurance-related processes
Targeted Benefits: Group Compliance
– Help ensure consistent adherence to the corporate Compliance Management Procedure
– Enable more efficient and timely Compliance reporting and resolution actions
– Promote improved compliance information to enable the more effective monitoring and challenging of controls
– Reduce the compliance management administrative burden
– Increase transparency of ownership and traceability of controls across the enterprise
Targeted Benefits: US Regulatory Compliance
– Provide a central database for managing and tracking regulatory requirements
– Centralise action tracking for issues management, reducing administrative burden
– Provide automated workflows across the organisation
– Link identified risks and internal audit findings to associated compliance action plans
– Provide dashboard reports to aid both executive and business oversight of compliance obligations and corrective action plans
Targeted Benefits: Ethics and Compliance Office
– Provide a more timely and efficient reporting mechanism
– Reduction of administrative burden
– Improved collaboration on more complex cases/incidents
– Opportunity for further flexibility and adaptability to changing business needs and requirements
Targeted Benefits: US Network Strategy - Regulatory Support & Reporting
– Single repository of compliance documentation
– Enhanced transparency and ownership of compliance requirements
– Improved compliance reporting
– Reduced risk of non-compliance with standards
Learning points from our implementation experience so far…
– Know your organisation’s hierarchy
– Need for business collaboration and potential compromise on shared solutions
– Significant effort and time required from Business SMEs
– Business priorities will change
– Business areas may not have the same GRC process maturity
– Enterprise GRC implementation is not the panacea to resolve organisational process challenges alone
– Potential for integrated reporting is a step on the path towards improved assurance-community interactions, but not the sole enabler
– Allow time to get through the governance and procurement processes
Thank you