Risk Management Life Cycle
7/25/2019 Risk Management Life Cycle
1/45
IT Risk Management Life Cycle and enabling it with GRC Technology
Debbie Lew ([email protected]), Senior Manager, E&Y
Steven Jones ([email protected]), Senior Manager, E&Y
-
Agenda
1. What is risk management? Common understanding
2. IT risk management life cycle
3. Key components of an IT risk management program
4. Resources and enablers for IT risk management
5. What does technology enablement mean?
6. Industry perspective
8. Trends and challenges
9. Risk process implementation
10. GRC technology implementation considerations
11. Value considerations
-
Risk management is the identification, assessment, and prioritization of risks (as the effect of uncertainty on objectives, whether positive or negative), followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
-
What are your challenges with IT risk management in your organization?
-
Industry Perspective
Risk management, regulatory, and compliance requirements are increasingly complex and intrusive (especially for financial services institutions) and have become a growing operational and financial burden. These requirements are not optional and must be ...
Institutions have often approached the requirements in silos, leading to the creation of multiple risk governance processes, methods and infrastructure.
Typical control functions are experiencing scope creep due to a combination of external and internal pressures. High expectations have blurred the lines of authority and responsibility among the control units.
Cost reduction imperatives are limiting the ability of risk management functions to keep pace with business growth.
... amounts of time and money are spent complying with risk requirements, which can be further burdened by multiple requests and duplicative efforts.
Management is demanding more comprehensive, consolidated, and actionable governance, risk and compliance information.
-
Risk management life cycle
-
IT risk management program
IT risk governance and strategy, and the supporting organization, resources and components used to establish an effective, operational and sustainable IT risk management program. Components can include:
Defined business drivers that align to Risk Strategy, Charter and Reporting on critical success factors
Defined regulatory requirements and industry standards for adherence
..., governance structure for operating the program
IT risk management strategic plan that defines program objectives, business drivers alignment, critical success factors and measurements, risk governance structure, risk management processes, roles and responsibilities, risk appetite and tolerance guidance, strategic and tactical initiatives, timelines and work effort for design and implementations, interdependencies with other functional operations (ERM/ORM, Security, BCM, Compliance, SOX, etc.)
Defined risk management policies and standards
Defined and documented taxonomy
Defined IT Risk & Control Framework
Process/Risk/Control Model
Rating, scoring and weighting model or quantification model
Risk identification process: internal and external data mining for trends, analysis and classification
Risk profiling attributes and process
-
Business case and value of an IT Risk (GRC) ...
Effective, documented response to numerous regulatory/industry/audit/compliance requirements
Repeatable processes and risk based technology decisions produce 8-12% cost savings (average from various sources including Gartner, Forrester, and the Risk Management Association)
Reduce siloed and duplicative efforts
  Lines of business/functions experiencing assessment fatigue
  Consistent controls and consistent testing strategy focused just on higher risk areas deemed key for the organization
Better allocation of technology spend and resources
  Defensible, risk based decisions to properly allocate technology spend to highest risk areas
Manage unknown risk
  Quickly identify new risks and quantify cost of exposure through consistent processes (new systems, new technologies)
  Enable go to market for new ventures, emerging technologies, and business products
System stability/performance
  Reduce system failures with a risk based approach to system and architecture investments, e.g., identification and categorization of failure trends and issues with systems allowing ...
-
Risk IT Framework and Practitioners Guide
COBIT 5 Framework and supporting products
-
ISACA's Risk IT Framework and Practitioners Guide
Risk IT is a framework based on a set of guiding principles and featuring business processes and management guidelines that confirm these principles.
The Risk IT framework is to be used to help implement IT governance. Organisations that have adopted (or are planning to adopt) CobiT as their IT Governance framework can use Risk IT to enhance risk management.
-
Risk IT Framework
-
COBIT 5
The COBIT 5 governance or management practices are equivalent to the Risk IT processes.
The COBIT 5 activities are equivalent to the Risk IT management practices.
COBIT 5 follows the same goal and metric concepts as Risk IT, but these are renamed enterprise goals, IT related goals and process goals reflecting an enterprise level view.
COBIT 5 provides RACI charts describing roles and ... to Risk IT.
Future enabler includes COBIT 5 for Risk.
-
Meeting Stakeholder Needs
Principle 1. Meeting Stakeholder Needs
Enterprises exist to create value for their stakeholders.
Source: COBIT 5, figure 3. 2012 ISACA. All rights reserved.
-
COBIT 5: Enabling Processes
-
Enabling Process APO12 Manage Risk
-
When you hear the term GRC, what does it mean to you and your organization?
-
What does GRC technology enablement mean?
-
The development of business aligned requirements to drive the use of technology to design, enhance, implement and operationalize ...
Organizations that use technology to enable their GRC processes have the potential to reduce the cost of risk management, enhance compliance and audit, streamline reporting, better manage risk, and deliver insight for better decision making. By ... enabling technology, companies can build an effective foundation that allows them to build efficiency, integrity and consistency into their processes:
Data mapping to identify critical relationships between corporate objectives, risks and controls;
Workflow to optimally coordinate activities across multiple layers of the organization;
Decision support necessary for planning and reporting;
Management of risks from identification, to assessment and treatment;
Model multiple risk hierarchies and integrate risk intelligence with other asset and risk information systems;
Understanding the holistic IT Process, Risk and Control environment in place within an organization; and
... indicators) across the IT environment.
-
Governance, Risk & Compliance tool space
-
Business drivers for technology enablement
-
Business drivers
Increasingly complex and updated risk management, regulatory and compliance requirements, and Board and shareholder expectations
  Pending Dodd-Frank legislation and increased pressure to comply with ...
  Regulatory updates across FFIEC and BITS
  PCI DSS v2.0
Duplication of risk governance processes, methods and infrastructure
  Too many siloed assessments across functional areas of technology
  Non-aggregated reporting across multiple sources of risk intelligence
  Inconsistent risk taxonomies
Control functions experiencing scope creep and high expectations have blurred lines of authority/responsibility amongst control units
  Duplication of controls across multiple IT units
  Multiple shared controls that could be condensed
  Driving towards control convergence and automated control monitoring through technology
Cost reduction imperatives are limiting the ability of risk management functions to keep pace with business growth
  IT risk management requirements have increased while pressure is faced across available budget and headcount
-
Lines of business are experiencing risk management process fatigue due to the amount of time and money spent complying with risk requirements
  Repeat and overlapping assessments over functional areas of technology
  Time commitment required to follow organizational risk management processes is placing a burden on the first line of defense
  Non-prioritized approach to risk mitigation leading to potential improper allocation of funds
Management is demanding more comprehensive, consolidated, and actionable governance, risk and compliance information
  Reporting of risk management activity and outcomes across multiple hierarchies is a challenge for IT risk functions
  Organizations are facing challenges when attempting to incorporate risk intelligence across the organization
Mergers & Acquisitions
  Multiple risk programs requiring consolidation and aggregation
  IT risks inherited from legacy environments
-
Most companies have taken a very siloed approach to risk and compliance management, which creates multiple redundancies and extensive inconsistency in how risks are assessed and managed.
[Figure: governance structure. Labels: External (regulators, analysts, investors); Board/senior management oversight (Board oversight; Audit committee; Compensation committee; Risk committees; Other committees); Executive management (CEO, CFO, CRO, General Counsel); Internal audit; Risk management; Compliance; Internal control; Information technology; Legal and regulatory; External audit; Business units. Annotations: Aligned mandate and scope; Consistent methods and practices; Common information and technology.]
-
Trends and challenges
-
Key issues and trends facing GRC tools
Lack of a GRC strategy, vision and holistic business and functional requirements can lead to incorrect tool selections, over budget implementations of GRC tools, or misuse of GRC technology.
There is a continued evolution and broader use of technology for GRC.
There has been a recent entrance of software heavyweights into the GRC market.
... assessment rules engines along with continuous auditing, monitoring and control testing.
GRC vendors are developing relationships with other application vendors (competitors and complementary products) to extend the range of the software. Others have been acquired to combine product offerings into larger, more comprehensive packages.
-
Key issues and trends facing GRC tools
A lack of governance and accountability for GRC tools can limit the return on investment from a GRC solution. Ownership of GRC technology is crucial to driving consistency in methodology, reporting and presentation.
Many organizations are designing a holistic GRC technology ecosystem to achieve holistic risk intelligence across the enterprise.
There are multiple regulatory environments that can be covered by GRC tools, and not one GRC vendor provides content to cover all the environments.
There is increased board liability as it pertains to IT risk.
Organizations are looking at leveraging GRC technology to facilitate a central corporate policy management portal.
There is outsourcing of compliance monitoring for the internal and external business environments.
Consulting firms are either tool agnostic or they are not. Many firms have strategic relationships with GRC vendors that may skew their perspective.
-
Current state limitations
Definition of GRC: The definition of GRC differs from client to client and vendor to vendor, leading to an inability to standardize GRC requirements and guide future development.
Isolation of financial risk management functionality from mainstream GRC solutions.
No single solution available: All solutions perform well for certain aspects of GRC, but no one solution provides a ...
Immature dashboarding and metrics: Not all tools provide web enabled reporting and dashboards. Non-financial RM tools do not provide advanced charting capabilities to address complex risk scenario analysis.
Virtually non-existent global regulatory content.
Inconsistent framework mapping and content: Only a select few tools allow for logic based assessments (questionnaires, surveys, etc.), which integrate business workflow and risk calculations driven by assessment results. Risk control library management is not integrated into assessments to drive risk convergence.
-
Key issues & trends facing GRC
Trends:
  Continued evolution and broader use of technology for GRC
  Entrance of software heavyweights into GRC market
  Architecting a holistic GRC technology ecosystem
  Multiple regulatory environments
  Increased board liability
  Integration of web services to enable risk and regulatory intelligence
  Implementation of a central corporate policy management portal
  Market issues are driving product trends
  Use of business process management and rules engines along with continuous auditing, monitoring and control testing
  Outsourcing of compliance monitoring for the internal and external business environments
  Acquisitions and alliances are forming to extend or enhance product offering
Issues:
  No silver bullet
  Non-standard definition of GRC hampers ability to define future state and drive requirements
  Many of the systems currently in use were developed for a specific function or sector need. These vendors are challenged with finding alternative uses for their applications
  Immature dashboards and metrics
  Immature capabilities to gain real time data feeds
  Inconsistent framework mapping
  Configuration flexibility
  Assessment methodology and maturity
  Initiative should be a directive from executive management with agreement from all key stakeholders
-
What are your challenges (anticipated) in selecting, configuring and implementing GRC technology?
-
GRC tool implementation challenges
Functional requirements along with organizational and process convergence should be defined prior to tool selection by performing a feasibility study
  Organizations purchasing a solution, and then attempting to converge the risk ...
Maturity of vendor solutions is not where it needs to be to meet all GRC functional requirements
A lack of understanding of how other business tools can integrate into GRC solutions, and of future GRC state requirements, still exists
Many organizations will need to customize their selected GRC tool or change their current methodologies, business processes, and hierarchies to have a successful GRC tool implementation
Content management decision: if aligning to leading practices, frameworks, and regulations, a decision needs to be made to determine whether you will rely on a vendor to provide and manage content going forward or whether it will be customized and managed by the client
Timeframes for implementation are often underestimated; most organizations take between 12-24 months for successful implementation and for operational competencies to be realized
GRC tool cost is often underestimated due to improper calculation of the customization or functional and process modifications that will be needed by the firm
Lack of experienced and knowledgeable resources that are dedicated to GRC tool implementation
-
A key consideration when analyzing GRC solutions is the concept of customization vs. configuration. These are two very distinct terms, and have significant impact on ...
Configuration refers to the process of altering a GRC solution by making basic changes to the out of the box capability to meet business requirements. This process will not greatly enhance a GRC solution's functionality. Examples of configuration include:
  Changing colors
  Changing field properties (i.e., text, number, length, etc.)
  Adding fields
  Creating basic calculations
Customization refers to the process of altering and enhancing a GRC solution by making advanced changes to the out of the box capability to meet business requirements. This process can greatly enhance a GRC solution's functionality. Examples of customization include:
  Building custom business workflow
  Using JavaScript or HTML to enhance the functionality of the GRC solution
  Using advanced calculations and logic
  Integrating data from multiple systems and sources
-
[Figure: balance between Complexity, Support, Administration and Customization. Annotation: Need to increase cost to achieve balance. What's the right balance for ...?]
-
GRC tool functional coverage
[Figure: functional coverage grid. Columns: Governance; Financial risk; Risk management; Metrics, presentation and reporting; Compliance; Audit; Issues management; Incident management. Capabilities shown: Standards; Procedures; PRC framework; Asset and hierarchy management; Risk modeling; Financial risk impact analysis; Risk assessment; Risk identification; Risk analysis; KRIs; Threat and vulnerability; Ad-hoc reporting; Notifications; User interface; Statistical analysis; Historical trending; Data management; Awareness training; Project management; Information security; BCP/DR; Internal control management; KRI/KPI management; Audit tracking; Data export; Vendor management; Service delivery management; Regulatory content management; Leading practice content management; Compliance monitoring; Program management; Scheduling; Attestation; Evidence capture; SAS 70/SOC 2; Risk treatment; Risk acceptance; Policy exceptions; Risk transference; Event capture; Loss capture.]
-
IT GRC tool vendor geographic footprint
[Figure: world map with per-region labels (regions not recoverable): Leader: BWise; Leader: RSA Archer, Thomson Reuters; Presence: all others, Thomson Reuters; Leader: BWise; Presence: RSA Archer, Thomson Reuters; Leader: RSA Archer; Leader: Modulo; Presence: RSA Archer, Thomson Reuters, BWise; Leader: None; Presence: BWise; Leader: None; Presence: RSA Archer, Thomson Reuters.]
-
Risk process implementation
-
Populations/inventories/authority information
  Determination of Configuration Management Database and asset management tool integration for applications and supporting infrastructure, databases, operating systems and data centers
  Identification of relevant industry regulations and best practices to align with
Business hierarchy
  Considerations around functional, line of business (LOB) or entity hierarchy embedded within the GRC tool
  Determination of depth and breadth of hierarchy
SSO integration
  Integration with LDAP (Lightweight Directory Access Protocol) to simplify user authentication and user access administration
Access control strategy
  ...
-
Potential technology enablement coverage
[Figure: coverage matrix. Columns: IT Risk; Op Risk; ERM; Internal Audit; Regulatory Risk; Legal & Compliance; Info Security. Rows: PRC Framework; Program Mgmt; Issues Mgmt; Case Mgmt; KRIs; Content Mgmt; UI/Metrics/Dashboards; Other.]
-
GRC technology implementation considerations
-
Key GRC functional requirements
Policy, Standards and Procedures Mgmt.: Content Management
Risk Mgmt Processes (Assessments, KRIs, Event Capture, Risk Profiling, etc.): Risk Assessment and Risk Analysis Capabilities; Risk Identification and Profiling; Issues, Mitigation, Risk Acceptance Lifecycle Management; Training and Awareness
Audit Processes: Audit Processes and Workflow; Attestation Capabilities; Archival; Vendor Management
Control Automation / Monitoring: Automated Control Testing; Real Time Monitoring; Notification Services
Metrics, Measurements, and Reporting: Quantity & quality of template reports; Ad hoc Reporting; Risk Simulation Capability; Risk Weighting & Calculations; Statistical Analysis; Dashboards
Frameworks & Hierarchy Structure (Org, Process, Risk, Control): Asset Management Capabilities; Hierarchy Structure (Organizational, Process, Risk, Control, Metrics and Reporting)
Financial Risk Management: Financial Risk Modeling; Financial Risk Impact Analysis; Quantification Engine; Event Loss/Capture Incident Management; Financial Risk Content (i.e. ratings)
Technology Controls / Information Security
Regulatory Mapping: Regulatory Mappings; Regulatory Compliance Capabilities and Leading Practices Standards (..., PCI, FFIEC, BITS, COSO, ISO 27002, CobiT, ITIL, etc.); Compliance Monitoring
Business Process Management: Business Workflow Management
Interoperability / Application Interface / Open Standards: Configuration Capabilities; Customization Capabilities
-
Key GRC functional requirements (continued)
Available Modules and descriptions
Additional Functionality
System Administration
Backup & Recovery
Management Assurance
Ease of Use
Auditing and Logging
Vendor Qualifications
User Administration
Documentation & Guidance
Security Configuration
Technical Architecture
Client Base
Market ratings and rankings
Release Cycle
Implementation Requirements
Infrastructure Requirements
Application Requirements
Integration Capabilities
Data Ownership & Management
Product Training
Risk Based Services
Maintenance & Support
Enterprise Scalability
Single Sign On Integration
Data Integrity and Audit
Future Product Roadmap
Deployment & Migration
End User Experience/Interface
Teaming and Support from Vendor
Industry Saturation/Customer loyalty
Fees, Contracts and Software Arrangements
... exercise must be done to ensure proper tool selection.
-
Design considerations
Convergence of risks, controls, processes, issues
Roadmap and strategic approach
Reporting requirements and data considerations
Source of record vs. data feeds
Implementation management
Functional and technical requirement validation
Support personnel
GRC technology enablement
-
GRC technology enablement
Suggested key milestones:
  Development of technical specifications from business and functional requirements
  Technical specifications for risk assessments, issues management, and reporting
  Design and implementation of risk assessment methodology and assessments
  Design and implementation of Issues Management
  Design and implementation of additional risk management processes
  Design and implement reporting and dashboarding requirements
Suggested program deliverables:
  Detailed design of core foundational components: Organizational hierarchy; Process hierarchy; Risk hierarchy; Control hierarchy; Hierarchy relationships and interdependencies
  Core framework solution implementation
  Risk process solution implementation
  Reporting and dashboarding implementation
  UAT completion and a run book/design binder
  Training material and procedural guides
-
Value considerations
-
Value proposition
Measurable and documented transparency and compliance
Decreased exposure to fraud, catastrophic losses and the full complement of operational risks
Prepared to anticipate and respond to new and changing regulatory matters
Greater insight and more effective decision support
Better equipped to lower cost and improve performance
... enterprise information
-
Thank you!