MetricStream GRC Summit Europe 2014: Case Study – Navigating Your GRC Journey. GRC Foundation: Transforming Data to Information; Convergence and Alignment
Transcript
MetricStream GRC Summit Europe 2014: Case Study Navigating Your GRC Journey
Agenda
1. Introduction
2. Practical Steps
• Begin with the end in mind
• Understand the data
• Design data structure
• Link data to technology
• Data Migration
• Robust Reporting
3. Case Study Spotlights
4. Q&A
Introduction: Alleviating Today’s Challenges through GRC Foundational Transformation
Desired State (diagram): the eGRC Foundation Transformation spans the firm's Legal Entities and Geographical Regions.
Business units: Audit, Product Development, IT, Legal and Regulatory, Human Resources, Shared Services and Support, Finance, Operations, Sales and Marketing.
Assurance groups: Business and Controls, ERM, Compliance, Internal Audit, Other Assurance Groups.
Business and Risk Management Information flows to internal audiences (Board/Committees, Executive/Senior Management, Stakeholders) and external audiences (Auditor, Regulator, Rating Agency).
Report types shown: Control Reports, ERM Reports, Compliance Reports, Audit Reports, Issue Management Reports, Quarterly Deficiency, SOX Reporting, Quarterly Assessment, FIRM, CRMP, Audit Plan, Audit Committee, Open Issues, Past Due Issues, Closed Issues, External Audit Report.
Increasing Efficiencies and Effectiveness
Diagram: eGRC at the centre, delivering Integrated Risk Assessments, Standardized Risk Measurement, Consistent Monitoring, and Transparent, real-time Integrated Reporting.
Today, each business group performs the same four core activities in silos with no common taxonomy, risk ratings, and governance.
The eGRC program aims to eliminate redundancy in these core activities by providing an integrated, real-time view of risks and associated issues governed by a standardized framework. This enables Management to make informed decisions while effectively and efficiently delivering on a Risk Management strategy.
Current state: ERM & Compliance, Business & Controls, and Global Audit each separately Assess, Measure, Monitor, and Report. The result is siloed, manual, duplicated effort that is reactive.
Value of holistic and integrated GRC over time
Chart: Cost (vertical axis) against Duration (horizontal axis), with three curves: Manual, Siloed, and Integrated GRC.
• Although the initial spend may seem small, manual processes lead to increasing costs over time
• Implementing distinct technologies in silos leads to cost bumps and increasing costs over time
• An integrated GRC approach may have a high initial spend, but flattens over time, decreasing costs and improving efficiencies!
The Shift From Manual to Integrated State
Enterprise GRC Considerations
GRC Vision, Guiding Principles, Executive Buy-in, GRC Business Case, Functional Commitment, Roadmap
Components:
1. Strategy Convergence & Foundational Elements
• Foundational Elements (taxonomies and libraries)
• Future State Process Flows
• Convergence Opportunities, Alignment of Shared Functionality, and Integration Points with GRC Tool
• High-level Business, Functional, and Technical Requirements Definition
2. Program Management
3. People & Change
• Stakeholder Analysis
• Roles and Responsibilities
• Communication Plan
• Learning, Development and Training
• Adoption Plan/Roll-out
4. Business Requirements & Reporting
• GRC Business requirements design & documentation
• Fit-Gap Analysis
• Process, Risk, Transactional level dashboards & reporting
• Link between Business Requirements and Business Process Design
5. Technology Enablement
• Requirements to System Mapping / Proof of Concept
• System Configuration
• Data Conversion
• Testing Strategy, Performance and User Acceptance Testing
GRC Foundation: Convergence and Alignment
The objective of this session is to focus on the importance of structuring GRC technology and data elements to meet your governance objectives. It will address the importance of data from the perspective of the business side and key methods to promote gathering and inputting of “quality” data and combining it with the data structure to enable integrated reporting. As you move forward through your GRC journey, it is imperative that a comprehensive convergence and foundational element strategy be implemented:
• Common/Universal Language
• Taxonomy Definitions
• Data Structure
• Reporting
Considerations for optimizing your data
• What is the most important information that needs to be shared across the business?
• Who are the key stakeholders?
• Who is providing the data and content? Do they have all of the required information? Do you understand your data?
• How do we maximize information value while minimizing the cost to maintain it?
• How do we best leverage data from multiple sources?
• How do you structure your content within the GRC solution to enable valuable analysis and reporting?
Practical steps – transforming data into information
1. Begin with the end in mind
2. Understand the data
3. Design a comprehensive data structure
4. Link data to technology
5. Gather, scrub, format, and import the data
6. Design robust actionable reports
Begin with the end in mind
1. What do you want to achieve?
• Consolidated report of cross-functional risks and issues
• Single view of controls across the organization
• Real-time reporting of Issue Management activities
• Actionable reports
• Interface with other systems
Understand the data
2. How do you say Tomato?
Foundational Elements form the “foundation” for how the GRC Tool is configured and establish a common language for GRC across the organization. Foundational Elements can be thought of as a filing cabinet where each drawer holds a specific kind of key information. Key questions for consideration include:
• What are the elements that you need?
• How do you define the elements?
• Does a common language exist for these elements?
• What is the level of detail and granularity for each element?
Diagram: Organizational Structure
Design data structure
3. How does your data connect? What is and will be the source of truth?
For your data, identify how it connects to other pieces of data to build information.
Diagram (example hierarchy): Exam Type → Member → Module → Violation A and Violation B. Violation A is linked to Procedures 1–3 and Rules 1–4; Violation B is linked to Procedures 4–6 and Rules 5–8; Sections 1 and 2 sit at the lowest level.
Identify the source of truth and whether the information will be interfaced from another system, is static in a repository, or needs to be created.
Link data to technology
4. How do you enable data element relationships and linkage?
Link Objects, Map Data, Create Relationships
Diagram: the data elements from the previous step (Exam Type, Member, Module, Violation, Rules/Regs, Procedures, Section) are mapped to MetricStream objects (Organization, Auditable Entity, Risk, Reference, Checklists, Task Grouping, Test Step).
Gather, scrub, format, and import the data
5. What are the steps to input, migrate, or interface quality data?
• Gather the data
• Scrub the data to eliminate redundancies and inconsistencies
• Format the data
• Import the data – test run, validate, full run, validate
• Build and test real-time interfaces
Design robust reports
6. Can you create targeted and analytical reports to meet your business needs?
Defining the structure and foundational elements, and relating the data to the objects in the GRC tool, culminates in robust reporting and dashboards that provide meaningful analysis.
An integrated GRC reporting system
Diagram: the GRC Tool integrated with the System of Record/Source of Truth.
Client Spotlight #1
• Client Challenge:
- Multiple groups performing divergent and inconsistent examination activities
- Lack of workflow and documentation repository to enforce completeness of procedures
- Regulator dissatisfaction with the existing processes
- Inability to report on examination statuses
• Solution:
- Migrate to the MetricStream platform to automate the manual processes
- Define common language and the foundational elements to drive consistency
- Establish a consistent future state process which incorporates industry leading practices
- Restructure internal data to align to the future state process, which includes regrouping of procedures
- Map data to the MetricStream structure and objects
- Design reports to provide real-time status of key elements of the examination process
• Benefits:
- Promote common language in the culture, used daily across the organization, even prior to technology go-live
- Streamline and automate the processes
- Provide real-time progress reporting on the examination process