IT Governance Risk and Compliance GRC

ITGRCWORKSHOP

ITGOVERNANCE,RISK&COMPLIANCE BRINGING ITALLTOGETHER

ITGOVERNANCE,RISK&COMPLIANCE BRINGING ITALLTOGETHER

PRESENTATIONOUTLINE 1

InformationProtectionManagementDiv.

2

WhatisGovernance,Risk&Compliance?

3

EnterpriseGovernance,Risk&Compliance

4

ITGovernance,Risk&Compliance

5

ITControlFrameworks

WHATISGOVERNANCE,RISK& COMPLIANCE? GENERALPERSPECTIVE

GOVERNANCE,RISK , ANDCOMPLIANCE Ø Governance v

Istheprocessbywhichpoliciesaresetanddecisionmakingisexecuted.

Ø RiskManagement v

Istheprocessofiden:fica:on,analysisandeitheracceptanceor mi:ga:onofuncertaintyindecision-making.

Ø Compliance v

Istheprocessofadherencetopoliciesanddecisions.

INTERRELATIONSHIP BETWEENGOVERNANCE ,RISK , ANDCOMPLIANCE

Governance

Governancemanagesthe strategicdirec7vesacompany wantstofollow.

GRC Riskmanagement assessestheareasof exposureandpoten7al impacts.

Risk

Compliance

Complianceisthetac7cal ac7ontomi7gaterisk.

WHY FOCUS ONGRCNOW? Ø

Riskshavebecomemorediverseandinterrelated.

Ø

Lawsandregula:onshavebecomemorecomplicated.

Ø

Boards,execu:vesandmanagementhavebecomemore accountable.

Thisputsorganiza:onsatgreaterriskandmakesitdifficult andcostlyforManagementtodotheirjobseffec:vely.

PROBLEMSF ACED BY ORGANIZATIONS Ø

ToomuchriskforthereturnwearegeJng

Ø

TooliKlevaluefrombusiness-ITinvestments

Ø

Slowdecisionmaking

Ø

Projectoverrunsanddelays

Ø

Lackofstability,availability,protec:onandrecoverability

GRCSPECIFICPROBLEMSF ACED BY ORGANIZATIONS Ø

GRCac:vi:esandcontrolsarefragmentedandmanagedinsilos

Ø

Organiza:onsusereac:ve,one-offapproachestoaddresscompliance issues

Ø

Riskandcomplianceconsidera:onsarenotintegratedintocorebusiness processesandmainstreamdecision-making

Ø

Leadersoenlackanenterpriseviewofrisks

Ø

ITassetsarenotwellalignedwithriskorcompliancemanagementneeds

Ø

Managementdoesnothavethehigh-qualityinforma:ontheyneed

IMPROVING EFFICIENCY  AND EFFECTIVENESS REQUIRES IMPROVEMENT IN THREE ASPECTS OFGRC A?en7on Awareness&People

Improvementsaredependentonprogressinotherareas.

Efficiency

Effec7veness

Automa:on&Tools

Governance&Processes

ESSENTIALELEMENTS OF AGRCPROGRAM Governance • Centralized repository of policies and controls • Integrated database of major regulations, standards and best practices • Comprehensive policy management with awareness campaigns and attestation • Controls management and reporting

Risk  • Risk management, including key risk indicators and risk dashboards

Compliance • Compliance assessment, monitoring and reporting

BENEFITS OFINTEGRATINGGRC Ø

Makerisk-informedstrategicdecisions.

Ø

Analyzeriskbasedonquan:ta:vedata.

Ø

Managecompliance.

Ø

Priori:zeremedia:onac:vi:es.

ENTERPRISEGOVERNANCE,RISK& COMPLIANCE TOUNDERSTANDITGRCY OUMUSTFIRST UNDERSTANDENTERPRISEGRC

ENTERPRISE GRC

Governance Strategy

RiskManagement Assessment

Planning

Mitigation

Compliance Assessment

Reporting

 ANENTERPRISE GRCPLATFORM  Auditors

Boards

 AuditManagement RiskManagement

     S      E      E      L      S      S      P      E      O      C      E      O      P      R      P

ComplianceManagement RemediationManagement PolicyManagement

Risk&ControlsMatrix

EnterpriseGRCPlatform

     T      M      E      M      E      G      A      N      A      M

ITGOVERNANCE,RISK&COMPLIANCE TO ESTABLISH MORE ACCOUNTABLE AND EFFECTIVE ITFUNCTIONS

ITGRCTIES TOGETHER THE PROGRAMS OF.. Ø ITGovernance v

AnITgovernanceprogramtoleveragethedevelopedrisk-basedop:onsin supportofanorganiza:on’sdecision-makingprocess.

Ø ITRiskmanagement v

AnITriskmanagementprogramperformsriskassessmenttodevelopand priori:zeop:onsforremedia:on

Ø ITCompliance v

AnITcomplianceprogramtomeasurethelevelofcompliancewithinanIT environment

IT-GRC

ITGRCMEANSM ANAGING… ITstrategy ITservices Systemsinfrastructure Informa:onmanagement Informa:onsecurity Resourceavailability(hardware,soware&data) Dataintegrity Technologyrisk Legalandregulatorycompliance

GRCM ATURITY MODEL CurrentIT-GRCMaturity.

NextPhase

REACTIVE,FRAGMENTEDIMPLEMENTATION PHASE Ø

GRCac:vi:esarelargelymanual,notstandardizedandnotwell integratedintocorebusinessprocesses

Ø

GRCac:vi:eshavenotreceivedasmuchaKen:oninthepast

Ø

Mostorganiza:onshavetreatedgovernance,riskandcomplianceas discreteac:vi:es,separatefrommainstreambusinessprocessesand decisionmaking

Ø

Exis:ngITinfrastructures,applica:onsandprocessesdonotprovide sufficientsupportforeffec:veriskmanagementandefficient compliance

ITGRCMUSTBEDRIVENFROM THETOP-DOWN Ø

CorporateGRCisanimportantinputfordefiningITGRC.

Ø

ITGRCrequiresseniorbusinesspar:cipa:on,especiallyatthe boardlevel.

ITCONTROLFRAMEWORKS COBIT CONTROLOBJECTIVES FORINFORMATION  AND RELATEDTECHNOLOGY 

COBIT ANDOTHERITM ANAGEMENTFRAMEWORKS

WHEREDOESCOBITFIT?

THECOBITFRAMEWORK WASDESIGNEDTO PROVIDE.. Acomprehensivecontrolframeworktocover Ø

ITorganiza:on

Ø

ITusers

Ø

ITprofessionals

Ø

ITgovernance

Ø

ITrisks

Ø

ITprocesses

SUMMARY  Ø Ø

Ø

ITGRCisasubsetofCorporate Governance

Governance

ITGRCcomprisesof v

ITGovernance

v

ITRisk

v

ITCompliance

Withoutoneyoucannothavetheother.. v

Governance,RiskandComplianceare interrelated

GRC Risk

Compliance

DO YOU HAVE ANY QUESTIONS ?

Thankyou!