Jul 30, 2018

Page 1: PERSPECTIVES ON GOVERNANCE, RISK, COMPLIANCE & CULTURE ... · perspectives on governance, risk, compliance & culture ... oceg establishes blueprint ... p&p lifecycle management

®

Perspectives on Governance, Risk, Compliance & Culture

Presented by the Open Compliance & Ethics Group. A supplement of Summit Business Media Publications.

Fall 2008

Chart the Course

IT for GRC

Risk Intelligence

The Data Diaspora

A Unified Approach to GRC

Issue and Incident Investigation

Managing Compliance Requirements

Audit Fatigue

Ask the Analysts

SINGLE USER NON-COMMERCIAL LICENSE: GCAGRC4 ([email protected]). EMAIL [email protected] FOR COMMERCIAL LICENSE.

www.oceg.org

Table of Contents

3 OCEG Updates

4 IT for GRC: Improving Information Quality

8 Risk Intelligence

10 The Data Diaspora: Managing Privacy When Data is Dispersed

16 A Unified Approach to GRC

18 Issue and Incident Investigation

20 Managing Compliance Requirements

22 Audit Fatigue

24 Ask the Analysts

Open Compliance & Ethics Group (OCEG)

Chairman and CEO: Scott L. [email protected]

President and CLO: Carole Stern Switzer, [email protected]

Summit Business Media

Director of Custom Media: Carol Alfred

Art Direction: Cavedweller Studio, Randy Schirz

GRC 360º is published as a supplement of Highline Media Publications.

Copyright 2008 by the OCEG. All rights reserved. No reproduction of any portion of this supplement is allowed without written permission. Please contact [email protected] for permissions or advertising in GRC 360º.

OCEG, Driving Principled Performance and GRC 360º are registered trademarks of the Open Compliance & Ethics Group. All rights reserved. The views expressed herein are the views of the author(s) and do not necessarily reflect those of OCEG.

OCEG, 6245 N. 24th Parkway, Suite 212, Phoenix, AZ 85016


driving principled performance®

OCEG Updates

OCEG Issues GRC Capability Model

Version 2.0 of the OCEG Red Book, the central piece of the OCEG Framework for Principled Performance®, is now available. The Red Book (formerly named the GRC Capability Model™) sets out the elements of a GRC system that integrates the principles of good governance, risk management, compliance, ethics and internal control.

Red Book 2.0 was open for public comment through September 30th. Obtain a public exposure copy at www.oceg.org/view/redbook2.0, and you will be informed by email when the final version is available.

This work was undertaken by a steering committee and supporting taskforce and review committee of hundreds of experts in the OCEG community. We appreciate their efforts, which have allowed us to provide a roadmap for organizations of all sizes and structures to use when creating, improving, or assessing their own systems of people, process, and technologies to address their GRC needs.

We would particularly like to thank our co-chairs:

• John Steer, Partner with Allenbaugh Samini LLP and former Vice-Chair of the U.S. Sentencing Commission;

• Scott Roney, Vice President, Compliance & Ethics for Archer Daniels Midland Company;

• Brad Jewett, Director of Enterprise Risk Management at Microsoft; and

• Larry Harrington, Vice-President, Internal Audit for Raytheon.

To learn how you can participate in beta testing Red Book 2.0 in your organization, contact Carole Switzer at [email protected].

[Advertisement: OCEG Red Book, GRC Capability Model™, public exposure draft. Comprehensive and detailed practices for an integrated approach to governance, risk and compliance. Log into the OCEG website to download your free copy today! www.oceg.org/view/RB2Project]

OCEG Establishes Blueprint for GRC Technologies

The OCEG Technology Council has defined 60 information technologies that comprise GRC technology architecture. The visual mapping of these 60 technology areas is the base of the GRC Blueprint™ being developed by the Technology Council. The categories of the bluebook are mapped to Elements in the OCEG Red Book 2.0 and are defined in an appendix to it. These categories form the base of the GRC Blueprint now under development. We welcome comment on how they have been established.

[Figure: GRC Blueprint layers: Industry Process Applications, GRC Core Applications, Business Applications, Technology Infrastructure; spanning Industry Specific Requirements and GRC Management Requirements]

GRC Roadmap Program Launched

The OCEG Technology Council is developing the GRC Roadmap and Technology Implementation Maturity Model. These tools will help companies understand how to embed GRC criteria in enterprise technology planning, budgeting, product selection, infrastructure, support and service delivery. Applying established frameworks such as the IT Governance Institute's Val IT™ Model and the ISM3 Information Security Management Maturity Model, the Council is creating the first version of the OCEG GRC Technology Value Model™ with actual end-user cases that follow GRC technology maturity paths. This holistic GRC technology and business objectives alignment model will be completed and published in 2009.

GRC-XML Project Underway

XBRL International has accepted OCEG as a provisional jurisdiction authorized to establish a GRC-XML schema compatible with XBRL. The GRC-XML 1.0 schema will be available in 2009. This new international open standard for GRC technologies will improve GRC process efficiency with standardized messaging and taxonomy that reduce the cost of related software selection, development, integration and implementation.

For more information on the Technology Council projects, contact Lane Leskela at lleskela@oceg.



IT for GRC: Improving Information Quality

Architected, platform-based strategies support performance management

By Lee Dittmar

As risks become more diverse and interrelated, as laws and regulations become more complicated and as boards and executives become more accountable, the activities and controls associated with governance, risk management and compliance (GRC) have expanded accordingly, becoming extraordinarily complex themselves. In spite of that complexity, today’s GRC activities are largely manual, not standardized and not well integrated into core business processes. The resulting situation puts organizations at greater risk and makes it difficult and costly for the CFO and other executives to do their jobs.

For most executives and managers, there is too much data and not enough insightful information, and what is available is often not sufficiently timely, accurate or reliable. Business people are forced to become middleware, trying to turn growing streams of data from transactional processes into useful information. Assembling governance, risk and compliance management information is still mainly a manual activity, prone to human error or worse.

While many organizations have controlled costs and reduced complexity by re-engineering their supply chain, CRM, HR and core financial processes, GRC activities have not received as much attention. The reason for this historic disregard is that most organizations have treated governance, risk and compliance as discrete activities, separate from mainstream business processes and decision-making. As a result, existing IT infrastructures, applications and processes do not provide sufficient support for effective risk management and efficient compliance. Most organizations experience some combination of the following:

• Governance, risk management, and compliance activities and controls are fragmented and managed in silos

• Organizations use reactive, one-off approaches to address compliance issues

• Risk and compliance considerations are not integrated into core business processes and mainstream decision-making

• Humans are utilized as the middleware to piece together the necessary information for reporting and decision-making

• Leaders often lack an enterprise view of risks

• IT assets are not well aligned with risk or compliance management needs

• Businesses do not have the high-quality information they need and want

When things are fragmented in this way, there’s an increased risk of adverse consequences to the enterprise. Fortunately, most business leaders aren’t blind to dangers such as these. In a 2007 survey of more than 250 entities by the Open Compliance & Ethics Group (OCEG) in collaboration with Deloitte Consulting LLP, SAP and Cisco, 65 percent of the respondents said that redundant or inconsistent GRC processes adversely affected their business (see Findings From The OCEG 2007 GRC Strategy Study, at http://www.oceg.org/view/20056).

Build Information Quality

Poor information quality and the inability to get relevant, accurate and reliable information to the right place at the right time is a ubiquitous challenge—one that consistently arises both in the field and in formal research. For instance, in 2005, CFO Research Services in collaboration with Deloitte embarked on a survey program that illuminated the pervasiveness of poor information quality (IQ) in today’s enterprises. The initial report, entitled IQ Matters: Senior Finance and IT Executives Seek to Boost Information Quality, found that a majority of respondents don’t have ready access to high-quality, reliable, useful information on operating and financial performance at their companies. Queried on 10 categories of IQ—combinations of the utility, timeliness and accuracy of financial and operating information—a majority of the senior financial respondents reported room for improvement in every category.

A recent follow-up to that study, entitled Look Closer, Look Further: How to Build a Better Business Case for Improving Information Capabilities, indicates that, two years later, the needle still has not moved much in a positive direction. Most companies do well at mandated information management activities, such as reporting financial results. Many still struggle to produce the timely, accurate and insightful information needed for strategic planning; supporting board oversight and governance; making investment decisions; and identifying, monitoring, managing or mitigating risks. Forty-seven percent of the 443 senior finance and IT executives surveyed reported that their companies struggle to produce and develop the desired quality of information needed to make good business decisions.

With the right information, leadership can confidently understand the ramifications of risks, including risks of non-compliance with policies, regulations and laws. Understanding risk better prepares executives to address problems before they become crises. High-quality information is needed—information that comes with the assurance that it is factual, relevant and a true representation of what’s happening—or not happening—and that there is, in fact, a single version of the truth.

No Killer Application

There really is no such thing as the GRC solution, per se. Rather, think about IT for GRC broadly, recognizing that there are ramifications and implications for essentially all parts of a company’s IT architecture and across nearly all types of applications. Looking at it from an infrastructure perspective, the following list provides a starting point.

• Business Activity Monitoring

• Business Intelligence

• Business Process Management

• Business Rule Engines

• Change Management

• Databases

• Disaster Recovery

• Enterprise Content Management
  • Information/Data Discovery
  • Records Management
  • Retention Technologies

• Identity Management

• Networks

• Security

• Storage

• eLearning/LMS

When considering applications, a wide variety of functionality comes into play:

• Audit Management

• Automated Controls

• Business Systems

• Contract/Relationship Management

• Corporate Social Responsibility/Sustainability

• Environmental Health/Safety

• Governance
  • Board & Entity Management
  • Corporate Performance Management
  • Decision Support

• IT GRC

• Insurance/Claims Management

• Intellectual Property Management

• Loss & Investigations Management
  • Complaints/Issue/Event Management
  • Crisis Management
  • Non-Conformance Management
  • Whistleblower/Helpline

• Matter/Litigation Management
  • Discovery Management

• Policy & Procedure Management
  • P&P Lifecycle Management
  • P&P eLearning

• Privacy Management

• Risk Management
  • Financial/Treasury Risk Management
  • Capital Risk Management
  • Credit Risk Management
  • Market Risk Management
  • Foreign Exchange Risk Management
  • Operational Risk Management
  • Business Continuity
  • Fraud Management
  • Physical Security Management
  • Risk Assessment
  • Risk Dashboards
  • Risk Modeling/Analytics
  • Decision Tree Modeling
  • Qualitative Modeling
  • Quantitative Modeling
  • Scenario Modeling


Get Insightful Information

A single version of the truth should reflect past performance, the current environment and the future path of the enterprise. To find it, the process is to turn data into information, information into knowledge of how the business is operating and, ultimately, knowledge into insight.

Executives are keenly aware of the relationship among better information quality, more efficient and effective GRC and enterprise value. Eighty-one percent of IQ Matters survey respondents said that better information can improve profitability; 82 percent said it can reduce costs.

If so many companies are aware of the risks and rewards, why haven’t they done more about it? In answering several Deloitte webcast polls, respondents report that the most significant barrier is “competing priorities,” which we interpret as meaning that resources are being channeled to priorities that are perceived to be even more pressing.

Perhaps the more formidable obstacle is that for a long time the technologies weren’t up to the challenge. Consequently, some executives today incorrectly assume that implementing individual solutions for each specific problem is the only option and that taking an enterprise approach to GRC is too hard, too expensive or just not possible. While this perception still lingers, technological advances have dramatically changed the reality of the situation. Today, while an integrated, enterprise approach to GRC may be a complex undertaking, it’s hardly an unassailable challenge.

Change Course

Most companies simply don’t have the IT assets in place to efficiently and effectively turn data into insightful information. In addition, the technological assets they do have are not being fully used to enable governance, risk management and compliance—or performance management. There is a growing imperative to fundamentally change course.

The trends are clear. Demands for board and executive accountability to comply with ever-mounting regulatory requirements, rein in spiraling compliance costs and more effectively manage risk are increasing. Organizations of all kinds are judged by their ability to demonstrate good governance to multiple stakeholders through a transparent, measurable chain of accountability. The management of risk and compliance can no longer live a separate life from mainstream decision-making and business processes.

The integrated enterprise approach is the fundamental design principle needed to align IT architecture and applications with GRC requirements. Professionals must incorporate risk management into everyday decision-making and core business processes at strategic and operational levels.

Leverage information technology. The solution needs to be architected from a portfolio of applications that leverage existing and new IT assets. An effective strategy demands an enterprise platform that extends and integrates with core business systems. An architected solution requires considerations from presentation layer to infrastructure.

It is no longer about discrete, decentralized tools. It is essential to overcome silos. This is why the increased consolidation of GRC, enterprise performance management, analytics and, more generally, information management technology solutions is more than simply an expansion by large firms into new software categories.

Use What You Have

Using IT to enable improvements in GRC provides a unique opportunity for leading organizations to leverage their investment in existing enterprise systems. Incorporate enterprise information consideration into desktop widgets, dashboards and e-mail programs. Doing so can help remove the pain of buying and integrating individual and specialized applications. Data can be consistent and protected across all applications and access points. And because integration can be built in with a service-oriented architecture, upgrading and adding new information is part of the solution, not another problem.

“…some executives today incorrectly assume that implementing individual solutions for each specific problem is the only option…”


With an integrated, enterprise approach, executives across the organization can gain a new level of understanding of and control over cross-business functions and processes. IT assets, and the IT organization, become much more aligned with and responsive to business needs.

By providing actionable information based on a single source of the truth, an integrated approach can give managers new methods to quickly adapt to the changing business terrain. For example, when an enterprise prepares to launch an international expansion strategy, it must have an integrated approach to planning and managing performance, risk and compliance. Integrating GRC and performance considerations into the enterprise information system can bring together the many silos of people, processes and information.

Embrace the Future

One significant challenge in all of this is to be able to move beyond looking in the rearview mirror for historical reporting purposes. Instead, illuminate the current status and trajectory of the enterprise. This changes the mindset from transactional to analytical—from “Do we have the data we need for a report?” to “How can we use information to better our business?”

CIOs can enable this transition by building systems that collect and analyze many types of business and transactional events—with an emphasis on governance, risk and compliance—more quickly and more accurately than with human middleware. Such business systems present events to product managers, sales executives, financial analysts and other business users in the appropriate context for accurate decision-making.

In the face of today’s business complexities, IT for GRC is the only way for an organization to know that it can make knowledge decisions to execute on strategy that drives a stronger business performance.

Lee Dittmar is a Principal with Deloitte Consulting LLP. Contact Lee at ldittmar@deloitte.com.

As used in this article, “Deloitte” means Deloitte Consulting LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. This article contains general information only and is based on the experiences of Deloitte practitioners. Deloitte is not, by means of this article, rendering business, financial,


Risk Intelligence

By Russell A. Jackson

Organizations cannot afford to be simply risk-aware. Knowing what risks an enterprise may face helps, of course; indeed, no management body anywhere would try to run a corporation without some level of risk-awareness. But in many cases they might as well.

Simply being risk-aware without the context of what the risks truly mean does not help manage against them. Without context to turn risk-awareness into an actionable risk management plan, risk just becomes additional data. And that data doesn’t help you get where you want to go because it doesn’t help management focus decision-making. Simple risk-awareness lends itself to knee-jerk reactions and to unnecessary putting out of fires. And those are two of the most irksome clichés in the entire business world.

Organizations must, instead, strive to be risk-intelligent, according to Dave Anderson, Senior Director, Solution Marketing, at SAP BusinessObjects. “Most organizations are risk-aware,” he says, meaning key risks to the business have been identified. But awareness does not equate to being risk-intelligent.

“For instance, if transportation is a strategic part of your business, any risks associated with the strategic objectives could affect your business and your bottom line,” he explains. “So you’ve identified rising oil prices, a striking union and bad weather as risks. Now you’re risk-aware.” But to become risk-intelligent, an organization must evaluate its risks and the impact to its strategies; quantify those risks and develop a menu of predetermined possible responses, or mitigation strategies, to those risk events deemed most worthy of management’s attention.

From Aware to Intelligent

In this transportation analogy, a risk-aware corporation knows that its reliance on transportation brings with it certain identifiable risks. A risk-intelligent corporation knows where and when each type of risk is most likely to affect deliverables and when combinations of otherwise minor risk events will demand management intervention. “If there are transportation disruptions in one segment of the routes, the impact of the event may be minor and not require management intervention,” Anderson points out. But if the transportation disruption occurs on the route where movement of goods is critically timed for delivery, or if rising fuel costs or a lack of supplier availability combine to add additional risk to the transportation disruptions, the situation is more serious and needs to be quickly addressed.

A risk-intelligent organization has the tools to see a matrix of risk events as an enterprise management opportunity and has a list of detailed responses already formulated. “More and more companies are realizing that risks need to be evaluated and managed across the entire enterprise,” Anderson notes.

“Often, you find that a risk situation in one location, perhaps impacting an individual manufacturing plant, has a little impact, but not enough to require specific action. But when you look at the impact associated with other key risks, such as product quality or availability risks across the supply chain, you find that the holistic, enterprise perspective allows you to understand and assess the true impact of the risk to your business. Then you can develop an appropriate management plan. Risk intelligence is the ability to recognize what the risk means across the entire enterprise, and to manage it beyond the silo of a single risk.”

The data coordination required to assess the enterprise cannot be achieved without an information technology infrastructure designed to support it, notes Anderson. And that often requires that management take a new view of managing risk. “Historically risk management has been a fragmented, tactical activity impacting a specific line of business,” he says. “Too few companies have looked at risk management from the enterprise perspective. Now companies are recognizing the value of managing risks across the enterprise, and gaining a better understanding of the importance of becoming risk-intelligent. They realize that a manual approach to managing risk cannot possibly bring timely analysis and understanding of risk datapoints.” While companies might be able to track some risks and quantify some values, and even set up a risk management methodology in a document or spreadsheet, they generally fall short once operations start and volumes of data that need evaluating are being generated.

Indeed, a key element of risk-intelligence is continuous learning, Anderson emphasizes. “Your IT infrastructure needs to be flexible and easy-to-use,” he says, “and it needs to support the ability to adjust risk profiles as circumstances change. What was a key risk last month might have been appropriately mitigated and is no longer a key risk. The system must collect information about the current most important risks, and then provide the operational data output that shows what’s going on in your business today, as opposed to yesterday, vis-à-vis those risks. Compare to get an updated view—and, especially, a qualified and a quantified value—of the risks impacting your business.”

Three Steps

There are three steps to becoming risk-intelligent using IT, Anderson explains. The first is the risk-planning phase, where an organization identifies what its key risks are and how deeply it wants to approach managing them. “The first step involves determining when risks become risks,” he says. “Ask yourself, ‘What are the key risks that can impact what I want to protect and keep me from meeting my objectives?’ Once you define your risks and the associated key risk indicators, establish your initial risk profile. Which risk indicators should you track? What will be the thresholds for key risk indicators?”

The second step to risk-intelligence using IT, Anderson continues, is the assessment and analysis phase. “Now that the enterprise has an IT infrastructure designed to identify and quantify risks, the output information must be evaluated,” he states. “What’s it coming back with? And what does it mean?” He stresses that the point is to use the information gleaned from the system to focus on the most urgent risk events. “In the earlier stages of risk-awareness, an organization might identify all of its risks, then the inefficient and expensive response would be, ‘We’ve got to address them all because risk is bad.’ But when you’re risk-intelligent, you can manage the subtotal of identified risks that will have the most impact on the organization’s overall strategy or operations.”

The final phase in becoming risk-intelligent is an organization’s response to a given risk event or situation, the “Now, how are we going to deal with this?” phase where the goal is mitigating the detected risk. And a key element of that phase, according to Anderson, is having insight into the impact of each response. “A lot of companies implement responses but don’t know if they’re doing the right thing,” he explains. “Then when the problems recur, they don’t know what they’ve already tried or the actual impact of what they tried. You want to be able, when you see a risk recurring, to say, ‘This was my response last time, and most of it worked, so we need to adjust our mitigation strategy only slightly.’”

Monitoring the enterprise’s risk mitigation and management capabilities is, therefore, critical, Anderson emphasizes. “You go to all kinds of trouble to build an IT infrastructure for risk-intelligence, so you want to maintain a level of intelligence going forward so you can become even more proactive in managing risk, monitoring things in a much more strategic and proactive way,” he says. “Once you’ve combined the three phases, you can realistically say, ‘This is a risk-intelligent organization.’”

Risk intelligence, then, is much like other forms of intelligence in that to be meaningful, it must have context and constantly be fed new information. The “learning” that supports risk intelligence, in other words, never ends—and it demands a commitment to information technology to ensure that the incoming information is properly processed. That means that while achieving risk intelligence in an enterprise may not be easy—although the right information system from a trusted vendor can make that important achievement far more manageable—it is absolutely necessary. Today’s business environment is no place to try to operate without risk intelligence.

Dave Anderson is Senior Director for SAP BusinessObjects.

“Risk intelligence is the ability to recognize what the risk means across the entire enterprise, and to manage it beyond the silo of a single risk.”


The Data Diaspora: Managing Privacy When Data is Dispersed

By Brian Tretick

Technology continues to transform business. That’s not new. What is new is how these new technologies are requiring organizations to transform their approach to privacy management.

Increasing complexity around who and what has custody and control over personal information is frequently evidenced in a “data diaspora”—with data being widely dispersed in form and purpose from its original location within your company. This new and growing business challenge will require you to change the way you manage the privacy of one of your most valuable corporate assets—personal information about your employees, customers or your customers’ customers.

As your organization takes on increasing responsibility for the privacy and security of personal information, will you change policies or use different technologies? How will your organization approach the additional privacy risks presented by the data diaspora? Feeling the heat? New approaches and new capabilities are finding their way into enterprise architectures and they warrant your attention.

The Permeation of Devices

Devices that process or store personal information are increasing in number and availability. Control over the devices will become a privacy challenge.

Classic portable devices that may contain personal information include MP3 players, cameras, smart phones or watches, and even medical devices. From employees to customers to business channel partners, everyone has devices. And most are connected in some way to the networked world.


In addition, portable media, such as external drives or memory sticks, currently allow for easy transportation of data—and are prime contributors to the data diaspora. What’s more, future enhancements in the form of a simple processor chip could quickly and simply evolve this type of portable media into a portable device.

As these devices converge and hybridize, people are adopting their use for work and home, often blurring the line between the two. Individuals own, rent and license these devices and their capabilities, further obscuring issues of ownership and control.

Thus begins the data diaspora of your organization’s information, including personal information.

The New Networked World

Devices will be increasingly networked, and previously unconnected devices are becoming “addressable.”

In the networked world, all those devices, and even many things we currently do not consider devices, have an IP address. If it can display, store, process, transmit, or receive information, or if it can be location aware, time aware, or condition aware, it can be web-enabled and thus have an IP address. Every device can be addressable (contactable, locatable), controllable, monitorable, and even identifiable.

The European Commission already considers an IP address to be personal data in most cases. While it remains to be seen how other entities will view IP addresses, it is clear that, as more devices are connected to the networked world, previously innocuous items will become personal. Organizations that address, control, monitor, or otherwise deal with them will encounter personal information where they had not done so before, and in volumes never before compiled.

If your organization makes, operates, services, or uses devices in the new networked world, you will have obligations over new repositories of personal information about your customers and employees—information that in some cases you never had before. And, you will need to address your obligations regarding information that you may not otherwise consider personal, but for the presence of an IP address.

The Utility of Computing

Utility computing affords new economies and efficiencies to information processing, but spreads the custody and control of personal information well beyond the organization.

It is called many things: utility computing, grid computing, cloud computing, software-as-a-service. It is the commoditization of computing and includes on-demand computing resources such as processing, analytics, storage, transmission and collection.

With utility computing comes a loss of direct custody and control over information, leaving the organization to rely more on the service providers involved. Utility computing continues the data diaspora, putting the personal information that the organization processes under the custody or control of numerous other parties. In such an environment, there is a tremendous need for more specific instruction to outside providers regarding the protection and use of personal information, further stressing the traditional legal and compliance aspects of privacy.

Further, most organizations will struggle with the concept of third parties, as the parties stop being discrete and become a dense cloud of many parties without distinct identities. In these situations, you must contend with a seamless haze of external and internal parties that have custody and control of personal information.

The Transformation of Web “Things”

The proliferation of repositories for personal information on the web, and of new ways to provide interconnectivity and interaction, means more personal information in more places under the control of more entities.

In today’s connected world, everyone has their own web “things,” such as web pages, social network nodes, blogs, invitation lists, stored files and even personal medical records. Personal data is increasingly being held in a variety of logical and physical objects, controlled by a variety of entities (employers, service providers, the individuals themselves—even the generic cloud). The growing popularity and presence of these web-based data objects and repositories fosters the data diaspora.

Managing the Data Diaspora

The data diaspora changes the custody and control over personal information, and therefore the way we manage privacy.

As you consider how privacy obligations are changing for your organization:

First, factor portable and other non-traditional devices into your approach. Make sure that the right controls over the use and protection of personal information follow the data onto these devices. Recognize that a new stable of addressable, controllable, monitorable, and identifiable elements needs to be addressed.

Next, understand the new custodians, processors, and controllers involved with personal information, and the obligations of those parties to manage privacy risk and compliance. As the lines between the parties blur, generic approaches to one-on-one, third-party risk and compliance management will no longer work. Look for new ways to ensure that other parties maintain their accountability for privacy commensurate with their role in the processing.

Address transformational technologies with the involvement of technical and non-technical players within your organization, such as legal, procurement, and the business itself. Because of their considerable appeal and utility to the business, it is unlikely that such technologies will be prohibited or defeated through corporate policy or edict. It is more important to actively factor them into your overall approach to privacy.

Transformations in technology will continue to challenge the way we manage privacy risk and compliance, and the accountability over the custody and control of personal information. To keep current, organizations must transform the ways they manage privacy—or they will put at risk management of their organizational obligations regarding personal information.

Brian Tretick is the Executive Director, IT Enablement Center, Ernst & Young. He can be contacted at [email protected]

The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young LLP.

ADVERTISEMENT

What do you know?

Personal information — about your employees, your customers or even their customers — is everywhere within your organization, and is vital to your ability to serve customers, communicate with employees and grow the business. Protecting the privacy of that data is not optional. Customer expectations, supply chain relationships and employee connectivity all increase the complexity of effective privacy protection. Our team of professionals can help you make sense of changing technologies, complex global regulations and challenging business requirements. We provide experienced, independent advice to help protect one of your most valuable assets. Because when it comes to privacy protection, it’s not what you know — it’s who you know. Give us a call.

What’s next for your business? ey.com


ADVERTISEMENT

GOVERN • MANAGE • SECURE

To manage company-wide risk and compliance you must be able to see through walls, around corners, and thousands of miles away. Impossible? It all depends on how you look at it.

Risk, compliance, and the need for X-ray vision.

If you’re in charge of risk and compliance, you’ve got to figure out a way to see through departmental walls, and even from one office to another — no matter how much distance separates them. Because the cost of even a single compliance mistake — fines, audits, lost business, and even scarier, a lost business reputation — makes getting it right every time, all the time, absolutely crucial. Yet with so much on the line, many people are limited to the view given to them by departmentally generated reports and a few spreadsheets — the traditional, but hardly ideal, solution. Further complicating things, regulations often change and grow more complex, so even the smallest evolution of a rule can have an enterprise-wide domino effect. So without some sort of superhuman vision, how are you supposed to manage compliance with confidence and efficiency? Or, quite frankly, at all?

CA has the solution: a unified view.

CA developed a Governance, Risk and Compliance (GRC) solution that finally gives you the tool you need to take on the challenge — a powerful, unified view of your entire company’s risk and compliance status. With this powerful central repository, you can see and prove compliance anywhere in the company right from your office.

You can also keep track of all related initiatives in every single department, avoid redundant efforts and better manage costs, all while reacting nimbly to new regulations or changes in the business environment. And, since you can automate processes with CA’s GRC solution, you can finally manage compliance around the clock and reduce risk on a continuous basis. So no matter what happens — you’re “on it.”

How do we know it works? Because it worked for us.

As an enterprise-sized software solutions company operating in 45 countries, and serving 99% of Fortune 1000 companies, we must meet regulations such as Sarbanes-Oxley and HIPAA, and also constantly evolving international regulations around privacy and the Foreign Corrupt Practices Act. So it’s no surprise that CA is a company with real-world insights into today’s risk and compliance environment. After putting our GRC solution in place, we immediately cut IT controls in half and saved significantly on auditing costs. Our GRC solution also regularly updates over 400 national and international standards and regulations such as COBIT, HIPAA, and the UK Data Protection Act from the global repository provided by the United Compliance Framework (UCF). All of which makes the job of managing company-wide compliance in a fast-paced and ever-changing world suddenly quite manageable.

Finally, there’s a better way to manage compliance and risk. Find out about it now at ca.com/grc.


YOU AND YOUR ORGANIZATION are at the center of everything that we do

[Diagram: the OCEG portal, with People, Processes and Technology at the center (Address Uncertainty, Create Value, Stay Within Boundaries); surrounding segments: Executive Support and Solutions, Resources and Tools, Events and Networking, Frameworks & Guidance, Technology Council, Program Certification; offerings: GRC 360, Resources, GRC Illustrated Series, Technology Council, Webinars, Assessments, Benchmarks, Product and Program Certification, Events, Strategy Labs, Conversations, Coaching. ©2008 OCEG®]

LEARN MORE AT www.oceg.org

OPTIMIZE YOUR OUTCOMES

Governance: Ensure that sound governance structures are in place “below the board” so that the right information about the right issues is available at the right time.

Risk: Integrate risk management with strategic planning and maintain a 360-degree view of organizational risks and effectively allocate resources to address them.

Ethics & Compliance: Establish practices and a culture to prevent misconduct, inspire desired conduct, detect problems and improve outcomes.

Finance: Reduce costs and optimize how you allocate capital to governance, risk and compliance processes so that GRC is better aligned with the business.

Technology: Address IT compliance issues and the alignment of information technology to general GRC needs in the rest of the business.

Audit: Go beyond financial processes and assess the design and operation of controls for governance, risk management, compliance and ethics efforts throughout the enterprise.

Legal: Identify and establish sound practices to address your legal risks and improve your ability to detect and correct issues; while improving your ability to defend the organization.

Core Processes: Embed sound GRC practices in all lines of business and core processes so that business owners and operators are accountable for GRC success.

Multiple Professions come together in ONE PLACE

OUR APPROACH AND CAPABILITIES ARE DISTINCT

OCEG is the only nonprofit organization that brings you an expert executive team with backgrounds in business, legal, finance, audit, technology, research and compliance and ethics management. Our hands-on experience provides the background and understanding to help you put principles into practice in your organization.

FRAMEWORKS & GUIDANCE

A collaborative, open process to develop publicly vetted standards and guidance addressing the full scope of governance, risk, compliance and ethics management and measurement.

• Comprehensive GRC Capability Model developed and vetted by hundreds of experts and reviewed by thousands

• Searchable database of laws, regulations, standards and guidance from many sources

• Searchable library of sound practices you can apply to address governance, risk and compliance requirements at your organization

RESOURCES AND TOOLS

Thousands of resources developed, collected and organized by OCEG and shared within the OCEG Community:

• Guides and handbooks

• GRC Surveys, research and benchmarking reports

• GRC 360°, OCEG’s magazine presenting critical perspectives on governance, risk, compliance and culture

• The GRC Illustrated Series – pictorial explanations of key GRC processes

• Topical whitepapers and articles

• Links to key government and organizational guidance documents

Take back tools you can use to help your organization and your career

An interactive online content portal with cross-referenced and linked resources including full-text search and custom reporting. Get what you want, how you want, and when you want it.

• Select the information you need and use it the way that works best for you through OCEG’s custom report feature

ASSESSMENTS, MEASUREMENTS, & BENCHMARKS

• Tools to evaluate your GRC processes and benchmark with peers

• Benchmarking studies and polls

• Assessment tools and processes

PROGRAM CERTIFICATION

• Provide assurance to the board and senior management that GRC processes are sound

• Gain external recognition of excellence

EVENTS AND NETWORKING

• Join forces with peers who are managing governance, risk and compliance challenges from every angle

• Opportunities to work together with peers to address GRC challenges from every angle

• Live and archived webinars

• Exchange viewpoints and ideas

EXECUTIVE SUPPORT AND SOLUTIONS

• Bring your management team together in the OCEG Strategy Lab, with OCEG experts who can help you integrate GRC with business strategy

• Learn how to implement the OCEG Framework in your organization by working with OCEG staff and partners

TECHNOLOGY COUNCIL

This group develops strategic and technical resources to help IT and business professionals improve the application of technology to GRC. Projects include:

• GRC Taxonomy™

• GRC Blueprint™

• GRC XML™

• GRC IT Roadmap™

OCEG is ready to help you address the challenges that you face today. Join the thousands of individuals in the OCEG community and stay on the path to Principled Performance™

Principled Performance™ is a management discipline that enables an organization to clearly define its principles and goals, determine how it will address risks and uncertainties, and grow and protect value. Achieving Principled Performance™ demands the clear articulation of objectives and the methods by which you will establish and stay within mandatory and voluntary boundaries of conduct while driving toward those objectives.

OCEG can assist you on the path to Principled Performance™ with tools and resources you can use to:

• Establish an integrated, organization-wide approach to GRC ensuring the flow of consistent information.

• Design and measure your GRC efforts against a business process model developed by hundreds of business, financial, legal and technology experts and publicly vetted by thousands.

• Benchmark your organization’s performance against peers and participate in targeted industry research and resource development.

• Do your job better, faster, and more economically with the right tools.

PEOPLE PROCESSES

TECHNOLOGY

Address UncertaintyCreate Value

Stay Within Boundries

©2008 OCEG®

EXECUTIVE SUPPORT AND SOLUTIONSRESOURCES AND TOOLS

EVENTS AND NETWORKING

PEOPLE PROCESSES TECHNOLOGY

FRAMEWORKS & GUIDANCE

GRC 360

Resources

GRCIllustrated Series

TechnologyCouncil

Webinars

Assessments

Benchmarks

Product andProgramCertification

Events

Strategy Labs

Conversations

Coaching

TECHNOLOGY COUNCIL

LEARN MORE ATwww.oceg.org

OPTIMIZE YOUR:

OUTCOMES

PROGRAM CERTIFICATION

GovernanceEnsure that sound governance structures are in place “below the board” so that the right information about the right issues is available at the right time.

RiskIntegrate risk management with strategic planning and maintain a 360-degree view of organizational risks and effectively allocate resources to address them.

Ethics & ComplianceEstablish practices and aculture to prevent misconduct, inspire desired conduct, detectproblems and improveoutcomes.

FinanceReduce costs and optimize how you allocate capital to governance, risk and compliance processes so that GRC is better aligned with the business.

TechnologyAddress IT compliance issues and the alignment of information technology to general GRC needs in the rest of the business.

AuditGo beyond financial processes and assess the design and operation of controls for governance, risk management, compliance and ethics effortsthroughout the enterprise.

LegalIdentify and establish sound practices to address your legal risks and improve your ability to detect and correct issues; while improving your ability to defend the organization.

Core ProcessesEmbed sound GRC practices in all lines of business and core processes so that business owners and operators are accountable for GRC success.

Multiple Professions cometogether in ONE PLACE

Thousands of resources developed, collected and organized by OCEG and shared within the OCEG Community:

Take back tools you can use to help your organization and your career

ASSESSMENTS,MEASUREMENTS,& BENCHMARKS

• Tools to evaluate your GRC processes and benchmark with peers

• Benchmarking studies and polls• Assessment tools and processes

OCEG is the only nonprofit organization that brings you an expert executive team with backgrounds in business, legal, finance, audit, technology, research and compliance and ethics management. Our hands-on experience provides the background and understanding to help you put principles into practice in your organization.

A collaborative, open process to develop publicly vetted standards and guidance addressing the full scope of governance, risk, compliance and ethics management and measurement.

An interactive online content portal with cross-referenced and linked resources including full-text search and custom reporting. Get what you want, how you want, and when you want it.

• Provide assurance to the board and senior management that GRC processes are sound

• Gain external recognition of excellence

• Comprehensive GRC Capability Model developed and vetted by hundreds of experts and reviewed by thousands

• Searchable database of laws, regulations, standards and guidance from many sources

• Searchable library of sound practices you can apply to address governance, risk and compliance requirements at your organization

• Select the information you need and use it the way that works best for you through OCEG’s custom report feature

OCEG is ready to help you address the challenges that youface today. Join the thousands of individuals in the OCEGcommunity and stay on the path to Principled Performance™

Principled Performance™ is a management discipline that enables an organization to clearly define its principles and goals, determine how it willaddress risks and uncertainties, and grow and protect value. Achieving Principled Performance™ demands the clear articulation of objectives and the methods by which you will establish and stay within mandatory and voluntary boundaries of conduct while driving toward those objectives.

• Guides and handbooks

• GRC Surveys, research and benchmarking reports

• GRC 360°- OCEG’s magazine presenting critical perspectives on governance, risk, compliance and culture

• The GRC Illustrated Series – pictorial explanations of key GRC processes

• Topical whitepapers and articles

• Links to key government and organizational guidance documents

OCEG can assist you on the path to Principled Perfomance™ with tools and resources you can use to:

• Establish an integrated, organization-wideapproach to GRC ensuring the flow of consistent information.

• Design and measure your GRC efforts against a business process model developed by hundreds of business, financial, legal and technology experts and publicly vetted by thousands.

• Benchmark your organization’s performance against peers and participate in targeted industry research and resource development.

• Join forces with peers who are managing governance, risk and compliance challenges from every angle

• Do your job better, faster, and more economically with the right tools.

• Bring your management team together in the OCEG Strategy Lab, with OCEG experts who can help you integrate GRC with business strategy

• Learn how to implement the OCEG Framework in your organizationby working with OCEG staff and partners

• Opportunities to work together with peers to address GRC challenges from every angle

• Live and archived webinars

• Exchange viewpoints and ideas

This group develops strategic and technical resources to help IT and business professionals improve the application of technology to GRC. Projects include:• GRC Taxonomy™• GRC Blueprint™• GRC XML™• GRC IT Roadmap™

OUR APPROACH AND CAPABILITIES

ARE DISTINCT

YOU AND YOURORGANIZATIONare at the center of

everything that we do

SINGLE USER NON-COMMERCIAL LICENSE: GCAGRC4 ([email protected]). EMAIL [email protected] FOR COMMERCIAL LICENSE.

Page 15: PERSPECTIVES ON GOVERNANCE, RISK, COMPLIANCE & CULTURE ... · perspectives on governance, risk, compliance & culture ... oceg establishes blueprint ... p&p lifecycle management

driving principled performance® 1�

PORTAL

PEOPLE PROCESSES

TECHNOLOGY

Address UncertaintyCreate Value

Stay Within Boundries

©2008 OCEG®

EXECUTIVE SUPPORT AND SOLUTIONSRESOURCES AND TOOLS

EVENTS AND NETWORKING

PEOPLE PROCESSES TECHNOLOGY

FRAMEWORKS & GUIDANCE

GRC 360

Resources

GRCIllustrated Series

TechnologyCouncil

Webinars

Assessments

Benchmarks

Product andProgramCertification

Events

Strategy Labs

Conversations

Coaching

TECHNOLOGY COUNCIL

LEARN MORE ATwww.oceg.org

OPTIMIZE YOUR:

OUTCOMES

PROGRAM CERTIFICATION

GovernanceEnsure that sound governance structures are in place “below the board” so that the right information about the right issues is available at the right time.

RiskIntegrate risk management with strategic planning and maintain a 360-degree view of organizational risks and effectively allocate resources to address them.

Ethics & ComplianceEstablish practices and aculture to prevent misconduct, inspire desired conduct, detectproblems and improveoutcomes.

FinanceReduce costs and optimize how you allocate capital to governance, risk and compliance processes so that GRC is better aligned with the business.

TechnologyAddress IT compliance issues and the alignment of information technology to general GRC needs in the rest of the business.

AuditGo beyond financial processes and assess the design and operation of controls for governance, risk management, compliance and ethics effortsthroughout the enterprise.

LegalIdentify and establish sound practices to address your legal risks and improve your ability to detect and correct issues; while improving your ability to defend the organization.

Core ProcessesEmbed sound GRC practices in all lines of business and core processes so that business owners and operators are accountable for GRC success.

Multiple Professions cometogether in ONE PLACE

Thousands of resources developed, collected and organized by OCEG and shared within the OCEG Community:

Take back tools you can use to help your organization and your career

ASSESSMENTS,MEASUREMENTS,& BENCHMARKS

• Tools to evaluate your GRC processes and benchmark with peers

• Benchmarking studies and polls• Assessment tools and processes

OCEG is the only nonprofit organization that brings you an expert executive team with backgrounds in business, legal, finance, audit, technology, research and compliance and ethics management. Our hands-on experience provides the background and understanding to help you put principles into practice in your organization.

A collaborative, open process to develop publicly vetted standards and guidance addressing the full scope of governance, risk, compliance and ethics management and measurement.

An interactive online content portal with cross-referenced and linked resources including full-text search and custom reporting. Get what you want, how you want, and when you want it.

• Provide assurance to the board and senior management that GRC processes are sound

• Gain external recognition of excellence

• Comprehensive GRC Capability Model developed and vetted by hundreds of experts and reviewed by thousands

• Searchable database of laws, regulations, standards and guidance from many sources

• Searchable library of sound practices you can apply to address governance, risk and compliance requirements at your organization

• Select the information you need and use it the way that works best for you through OCEG’s custom report feature

OCEG is ready to help you address the challenges that youface today. Join the thousands of individuals in the OCEGcommunity and stay on the path to Principled Performance™

Principled Performance™ is a management discipline that enables an organization to clearly define its principles and goals, determine how it willaddress risks and uncertainties, and grow and protect value. Achieving Principled Performance™ demands the clear articulation of objectives and the methods by which you will establish and stay within mandatory and voluntary boundaries of conduct while driving toward those objectives.

• Guides and handbooks

• GRC Surveys, research and benchmarking reports

• GRC 360°- OCEG’s magazine presenting critical perspectives on governance, risk, compliance and culture

• The GRC Illustrated Series – pictorial explanations of key GRC processes

• Topical whitepapers and articles

• Links to key government and organizational guidance documents

OCEG can assist you on the path to Principled Perfomance™ with tools and resources you can use to:

• Establish an integrated, organization-wideapproach to GRC ensuring the flow of consistent information.

• Design and measure your GRC efforts against a business process model developed by hundreds of business, financial, legal and technology experts and publicly vetted by thousands.

• Benchmark your organization’s performance against peers and participate in targeted industry research and resource development.

• Join forces with peers who are managing governance, risk and compliance challenges from every angle

• Do your job better, faster, and more economically with the right tools.

• Bring your management team together in the OCEG Strategy Lab, with OCEG experts who can help you integrate GRC with business strategy

• Learn how to implement the OCEG Framework in your organizationby working with OCEG staff and partners

• Opportunities to work together with peers to address GRC challenges from every angle

• Live and archived webinars

• Exchange viewpoints and ideas

This group develops strategic and technical resources to help IT and business professionals improve the application of technology to GRC. Projects include:• GRC Taxonomy™• GRC Blueprint™• GRC XML™• GRC IT Roadmap™

OUR APPROACH AND CAPABILITIES

ARE DISTINCT

YOU AND YOURORGANIZATIONare at the center of

everything that we do

PORTAL

PEOPLE PROCESSES

TECHNOLOGY

Address UncertaintyCreate Value

Stay Within Boundries

©2008 OCEG®

EXECUTIVE SUPPORT AND SOLUTIONSRESOURCES AND TOOLS

EVENTS AND NETWORKING

PEOPLE PROCESSES TECHNOLOGY

FRAMEWORKS & GUIDANCE

GRC 360

Resources

GRCIllustrated Series

TechnologyCouncil

Webinars

Assessments

Benchmarks

Product andProgramCertification

Events

Strategy Labs

Conversations

Coaching

TECHNOLOGY COUNCIL

LEARN MORE ATwww.oceg.org

OPTIMIZE YOUR:

OUTCOMES

PROGRAM CERTIFICATION

Governance
Ensure that sound governance structures are in place “below the board” so that the right information about the right issues is available at the right time.

Risk
Integrate risk management with strategic planning and maintain a 360-degree view of organizational risks and effectively allocate resources to address them.

Ethics & Compliance
Establish practices and a culture to prevent misconduct, inspire desired conduct, detect problems and improve outcomes.

Finance
Reduce costs and optimize how you allocate capital to governance, risk and compliance processes so that GRC is better aligned with the business.

Technology
Address IT compliance issues and the alignment of information technology to general GRC needs in the rest of the business.

Audit
Go beyond financial processes and assess the design and operation of controls for governance, risk management, compliance and ethics efforts throughout the enterprise.

Legal
Identify and establish sound practices to address your legal risks and improve your ability to detect and correct issues, while improving your ability to defend the organization.

Core Processes
Embed sound GRC practices in all lines of business and core processes so that business owners and operators are accountable for GRC success.

Multiple Professions come together in ONE PLACE

Thousands of resources developed, collected and organized by OCEG and shared within the OCEG Community:

Take back tools you can use to help your organization and your career

ASSESSMENTS, MEASUREMENTS & BENCHMARKS

• Tools to evaluate your GRC processes and benchmark with peers

• Benchmarking studies and polls

• Assessment tools and processes

OCEG is the only nonprofit organization that brings you an expert executive team with backgrounds in business, legal, finance, audit, technology, research and compliance and ethics management. Our hands-on experience provides the background and understanding to help you put principles into practice in your organization.

A collaborative, open process to develop publicly vetted standards and guidance addressing the full scope of governance, risk, compliance and ethics management and measurement.

An interactive online content portal with cross-referenced and linked resources including full-text search and custom reporting. Get what you want, how you want, and when you want it.

• Provide assurance to the board and senior management that GRC processes are sound

• Gain external recognition of excellence

• Comprehensive GRC Capability Model developed and vetted by hundreds of experts and reviewed by thousands

• Searchable database of laws, regulations, standards and guidance from many sources

• Searchable library of sound practices you can apply to address governance, risk and compliance requirements at your organization

• Select the information you need and use it the way that works best for you through OCEG’s custom report feature

OCEG is ready to help you address the challenges that you face today. Join the thousands of individuals in the OCEG community and stay on the path to Principled Performance™.

Principled Performance™ is a management discipline that enables an organization to clearly define its principles and goals, determine how it will address risks and uncertainties, and grow and protect value. Achieving Principled Performance™ demands the clear articulation of objectives and the methods by which you will establish and stay within mandatory and voluntary boundaries of conduct while driving toward those objectives.

• Guides and handbooks

• GRC Surveys, research and benchmarking reports

• GRC 360°- OCEG’s magazine presenting critical perspectives on governance, risk, compliance and culture

• The GRC Illustrated Series – pictorial explanations of key GRC processes

• Topical whitepapers and articles

• Links to key government and organizational guidance documents

OCEG can assist you on the path to Principled Performance™ with tools and resources you can use to:

• Establish an integrated, organization-wide approach to GRC ensuring the flow of consistent information.

• Design and measure your GRC efforts against a business process model developed by hundreds of business, financial, legal and technology experts and publicly vetted by thousands.


The management of enterprise risk and compliance has become a critical boardroom issue.

The reason is clear—failure to effectively manage risk can result in disastrous consequences. For example, in just one of many lawsuits arising from its dealings with Enron, J.P. Morgan Chase & Co. agreed to pay $350 million to settle claims for the role it played in the accounting fraud that led to the energy company’s collapse. In another example of stunningly bad (or non-existent) risk management, Barings Bank was the oldest merchant bank in London until its collapse in 1995 after one of its employees lost $1.4 billion while making unauthorized futures speculation. These are just two of the many public examples where ineffective oversight of risk caused catastrophic results for the companies involved.

Although the causes for cases like these are often complex and varied, one common factor is the lack of a unified approach to the management of all risk and compliance activities across the enterprise. These activities are often conducted in organizational silos, resulting in duplication of information, such as multiple spreadsheets that are used to track risk and compliance for a given regulation. In addition, anytime information is separately maintained, the risk of stale information is high, which, in turn, can cause decisions to be made on bad data.

Information silos also cause redundant activities across all compliance programs since there is no central place where the current status of all activities, controls, testing results and risks is stored. For example, important controls are often tested multiple times for several compliance programs, resulting in high costs and loss in productivity of the operational units. These problems are endemic to many organizations and are a strong contributing factor to the high costs of many compliance programs today.

UNIFYING INFORMATION SILOS

A much more effective approach is to view governance, risk and compliance (GRC) in a unified fashion. This way information relating to these areas can be centralized to improve the timeliness and quality of the information. The technology enabler of this unified approach is a centralized repository of all GRC information, such as all corporate policies, controls, risks, remediation efforts and testing results. In addition, a large repository of control objectives for relevant regulations, standards and best practices is important so that controls can be rationalized across all regulations, rather than duplicated for each new regulation that comes along. Finally, these elements can be cross-referenced so that the impacts of all potential activities or outcomes can be quantified and tracked effectively. For example, the failure of a control might impact the overall risk profile or the compliance status of any regulation to which this control is related. A centralized and cross-referenced repository of all risk, control and regulatory information enables these relationships and impacts to be visible immediately, thereby improving decision-making and ensuring timely remediation when issues arise.

One of the major benefits of a unified approach to GRC is improved visibility across all of these efforts. With a centralized, mapped repository and customizable dashboards and reports, one can get a real-time assessment of the current state of enterprise risk across all organizations or programs. Emerging serious risks can be identified easily, and the potential impacts of risks can be more easily quantified. Also,

ESSENTIAL ELEMENTS OF UNIFIED GRC TECHNOLOGY

1. Centralized and mapped repository of policies, controls, risks and compliance programs

2. Integrated database of major regulations, standards and best practices

3. Comprehensive policy management with awareness campaigns and attestation

4. Risk management, including key risk indicators and risk dashboards

5. Controls management and reporting

6. Program and project management

7. Document (e.g., controls test results) management

8. Configurability for unique local needs
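As an added illustration of the centralized, cross-referenced repository and the KRI element listed above (example code written for this edit, not from the article, OCEG or any vendor product), the following Python model maps a few constructed controls to placeholder regulation and risk ids, so that one test result drives every dependent compliance status, a failed control reports the regulations and risks it touches, and the redundant re-tests avoided when several programs share a control are counted:

```python
"""Toy model of the centralized, cross-referenced GRC repository the article describes.

Added illustration, not code from the article, OCEG or any vendor: constructed controls
are mapped to the regulations they evidence and the risks they mitigate, so one test
result updates every dependent compliance status and KRI, and a control shared by
several programs is tested once rather than once per program.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    regulations: frozenset  # placeholder requirement ids this control provides evidence for
    risks: frozenset        # placeholder risk ids this control mitigates


class GrcRepository:
    """Single store of controls, test evidence and the cross-references between them."""

    def __init__(self, controls, risk_weights, stale_after_days=90):
        self.controls = {c.control_id: c for c in controls}
        self.risk_weights = risk_weights      # risk id -> exposure points when uncontrolled
        self.stale_after_days = stale_after_days
        self.results = {}                     # control id -> (tested_on, passed), freshest only

    def record_test(self, control_id, tested_on, passed):
        """Store a result unless equally fresh evidence already exists (a redundant re-test)."""
        prev = self.results.get(control_id)
        if prev is not None and prev[0] >= tested_on:
            return False
        self.results[control_id] = (tested_on, passed)
        return True

    def control_status(self, control_id, today):
        """pass / fail / stale / untested; stale means the evidence is older than the window."""
        r = self.results.get(control_id)
        if r is None:
            return "untested"
        if (today - r[0]).days > self.stale_after_days:
            return "stale"
        return "pass" if r[1] else "fail"

    def regulation_status(self, regulation, today):
        """Compliant only when every mapped control has fresh passing evidence."""
        statuses = [self.control_status(c.control_id, today)
                    for c in self.controls.values() if regulation in c.regulations]
        if not statuses:
            return "uncovered"
        if "fail" in statuses:
            return "non-compliant"
        if any(s in ("stale", "untested") for s in statuses):
            return "unknown"
        return "compliant"

    def risk_score(self, risk, today):
        """KRI: exposure weight times the share of mitigating controls without a fresh pass."""
        mitigating = [c for c in self.controls.values() if risk in c.risks]
        if not mitigating:
            return float(self.risk_weights[risk])   # nothing mitigates it: full exposure
        not_passing = sum(self.control_status(c.control_id, today) != "pass" for c in mitigating)
        return self.risk_weights[risk] * not_passing / len(mitigating)

    def impact_of_failure(self, control_id):
        """Everything a failed control touches: the cross-reference the article relies on."""
        c = self.controls[control_id]
        return sorted(c.regulations), sorted(c.risks)

    def test_plan(self, regulations):
        """Controls to test once for all given regulations, and the re-tests thereby avoided."""
        needed = set()
        per_regulation = 0
        for reg in regulations:
            ids = {c.control_id for c in self.controls.values() if reg in c.regulations}
            per_regulation += len(ids)
            needed |= ids
        return sorted(needed), per_regulation - len(needed)


AS_OF = date(2008, 10, 1)   # constructed "today" for the sample data below


def build_sample_repository():
    """Constructed sample data; regulation and risk ids are placeholders, not real citations."""
    controls = [
        Control("AC-01", "Quarterly user-access review", frozenset({"REG-A", "REG-B"}), frozenset({"R-UNAUTH-ACCESS"})),
        Control("AC-02", "MFA on remote administrative access", frozenset({"REG-B"}), frozenset({"R-UNAUTH-ACCESS"})),
        Control("DR-01", "Customer records encrypted at rest", frozenset({"REG-B", "REG-C"}), frozenset({"R-DATA-BREACH"})),
        Control("BC-01", "Backup restore tested", frozenset({"REG-A"}), frozenset({"R-OUTAGE"})),
    ]
    repo = GrcRepository(controls, {"R-UNAUTH-ACCESS": 10, "R-DATA-BREACH": 20, "R-OUTAGE": 5})
    repo.record_test("AC-01", date(2008, 9, 15), True)   # financial-controls program
    repo.record_test("AC-01", date(2008, 9, 1), True)    # card-data program re-test: redundant, ignored
    repo.record_test("DR-01", date(2008, 9, 20), False)  # one failure, two regulations affected
    repo.record_test("BC-01", date(2008, 5, 1), True)    # older than 90 days by AS_OF: stale
    return repo
```

With the sample data, `regulation_status` reports REG-B and REG-C as non-compliant from the single DR-01 failure and REG-A as unknown because its backup evidence has gone stale, while `test_plan` shows that testing the four controls once covers all three regulations and avoids two repeat tests.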

A UNIFIED APPROACH TO GRC

By Tom McHale


dashboards help compliance executives or internal auditors get a complete picture of their current compliance posture, including the current status of all compliance-related controls. This not only makes it easier to initiate appropriate responses to failed controls, but also greatly simplifies external audits.

POLICY, RISK AND PROGRAM MANAGEMENT

Devising a consistent way of managing all corporate policies and quantifying the risks associated with these policies is also a key element of unified GRC. So, comprehensive policy management, including support for policy awareness campaigns and automated self-attestation, is essential. These capabilities enable compliance executives to track policy awareness throughout the organization as well as measure the level of compliance as determined by the responsible individuals. Further, any effective GRC solution should include the ability to quantify and track current risk through the use of KRIs (key risk indicators). By associating a specific value with each key risk and a procedure to collect metrics concerning the risk, an organization can more effectively visualize its exact areas of high or non-addressed risk.

Another very important element of unified GRC is comprehensive program and project management capabilities. Compliance programs always involve many testing and remediation tasks, some of which can be complex, highly interdependent and time-constrained. These types of projects require the ability to measure and track all aspects of a project, including assets and resource allocations, project schedules and progress, risks, and overall costs. When remediation projects are managed as separate efforts across organizations, the potential for duplicated efforts is high, and the ability to effectively determine their current status is often low. In addition, tracking the total cost of compliance activities is key to helping to identify and eliminate some of the “hidden costs” that most compliance efforts have.

As we have seen, there are a number of key elements of a comprehensive approach to GRC (see Essential Elements of Unified GRC Technology). But the essential foundation is a unified approach to all risk and compliance activities, starting with a centralized and mapped repository of policies, controls and remediation information. A unified repository of requirements and control objectives for all major regulations and best practices is also important for effective compliance. The ability to effectively manage and track all compliance projects will help to control costs and promote compliance success.

Tom McHale is Vice President of Product Management at CA. He can be reached at [email protected]

DOES YOUR GRC STRATEGY STAND UP TO SCRUTINY?

From managing your legal and regulatory compliance needs to aligning the requirements of your business and supporting information technology, the Legal Management Consulting practice of Duff & Phelps provides trusted analysis and insight on critical issues. With more than 1,200 employees serving clients worldwide through offices in North America, Europe and Asia, we have the depth and breadth of industry and technical expertise to meet your needs. Get the strength of one of the world’s leading independent financial advisory and investment banking firms.

> Financial Reporting Valuation > Tax Services > Real Estate and Fixed Asset Services > Investment Banking > Corporate Finance Consulting > Restructuring Advisory Services > Dispute and Legal Management Consulting

duffandphelps.com

Merger and acquisition advisory services are provided by Duff & Phelps Securities, LLC. Duff & Phelps Securities, Ltd. is authorized and regulated by The Financial Services Authority.


ISSUE AND INCIDENT INVESTIGATION

By Tim Strong and Shaheen Javadizadeh

Much has been written about the need for effective programs to manage governance, risk and compliance (GRC) issues. In fact, many organizations have spent considerable time and resources to redesign processes and implement technology with these objectives in mind. However, organizational change and the creation of new compliance activities are more often event driven than strategy driven. Even with the best intentions, priorities continue to be reactive in nature, creating a patchwork of isolated solutions without any long-term unification of process and technology platforms.

Organizations that find themselves in this situation have developed innovative solutions to address risks by first evaluating the following: “What did or did not happen? How did it happen? Why did it happen? What are we doing about it?” Based on the answers to those questions, companies then implement a centralized issue investigation and root cause analysis program.

With compliance staff vastly outnumbered by employees, the challenge is to leverage the resources that are available to most effectively promote a compliant culture. The key is to create a proactive and connected compliance program and the supporting infrastructure framework that is nimble enough to monitor and respond to changing regulatory and internal requirements. Experience has shown that organizations that implement a comprehensive and proactive compliance framework are more prepared to appropriately mitigate risks in a timely and systematic manner.

The following are common components of proactive frameworks:

• Identifying and evaluating organizational risks

• Embedding policies and controls

• Communication, education and automation

• Investigating issues and incidents

• Monitoring and measuring effectiveness

• Internal and external reporting

With technology, similar goals of unified platforms that support the processes within a proactive framework have become critical to operational success. Organizations that acquire or develop technology platforms that can support the processes and easily scale and change with regulatory or internal requirements have been the most successful.

Unified GRC technology platforms must effectively manage all of the following processes and data:

• Risk factors

• Risk assessments and rankings

• Internal audits

• Issue and incident investigation and escalation

• Policies and procedures

• Programs and training

What we have described is an ideal state for organizational GRC management. The path to this ideal state is littered with road blocks, such as distractions within business units and cost scrutiny from executives. While many organizations have struggled to unify and optimize both process and supporting technologies, a few have succeeded by using high-profile events to jumpstart their activities, thereby bridging the gap between top-down and bottom-up compliance programs. If successful, the momentum created and learning generated will benefit future compliance initiatives.


One process, which is a great candidate for centralizing within organizations with sustainable supporting technology, is the process of issue and incident investigations. Standardizing and centralizing this process, in conjunction with the implementation of technology automation, can be leveraged as a building block for an effective GRC process and technology framework.

Most organizations do have a mature triage investigation process. The process often focuses on identifying the root cause of the issue, which often reveals failures in the following areas:

• Policy issues—lack of or failure to comply

• Procedural failures

• Control deficiencies

• Training or certification deficiencies

Organizations are often capable of coming up with corrective actions when faced with a crisis. Those recommendations, while appropriate for this single event, are often isolated within a single business unit and do not contribute to global solutions. Therefore, compliance professionals who centralize incident and issue investigation can have much greater visibility and insight into the trends and root causes, correlating directly to the inventory of organizational risks and facilitating proactive and informed prioritization of those risks.

The necessary glue to all of this is a unified technology platform that allows for visibility into the other processes so the connection points can be made between the root causes and corrective actions. We believe the launching point can be an effective issue investigation and root cause analysis solution.

Organizations today understand that compliance is no longer an option and must be woven into the fabric of their organization and everyday business processes in order to be effective. They also understand that the utopian GRC framework may be unrealistic during the first phases of their projects. One path to success lies in creating a centralized issue investigation and root cause analysis program while focusing on high-profile issues and leveraging the tools for a more proactive, unified and sustainable compliance practice.

Tim Strong is a Director at Duff & Phelps and can be contacted at [email protected].

Shaheen Javadizadeh is Vice President of Sales at Mitratech. Contact Shaheen at [email protected].

TeamConnect GRC: the comprehensive and integrated solution for Audit, Risk Assessment, Control Assessment, and Investigations

Can you answer all of the tough questions?

Why did it happen?

What are we doing about it?

What happened?

MITRATECH www.mitratech.com


To state the obvious, compliance is highly departmentalized. From risk identification to definition of voluntary boundaries, from policy writing to task management, accountability resides across multiple departments with little or no visibility to other groups. The scenario above is but one example of how a failure to communicate creates compliance failures.

When walls exist between risk areas, the full impact of employee actions or inactions is often not fully understood or responded to across the organization. It’s difficult to operate either effectively or efficiently without a framework that connects governance, risk and compliance management across the enterprise.

INTEGRATION, NOT CENTRALIZATION

It’s a corporate best practice to provide clearly defined goals to managers. And although a centralized compliance function enables communication, accountability belongs with line management. Effective compliance programs take a strategic enterprise view of compliance while supporting line management with a universal, standard and consistent set of methods and tools. Such an integrated view into the broad range of requirements, policies, controls and breaches supports effective communication while eliminating any ambiguity about roles.

Most organizations maintain their compliance requirements, policies and checklists in segregated multiple spreadsheets, filing cabinets, shared folders and intranets. These are not techniques that can be integrated easily. By providing a central document repository and defined security roles, business and process owners are able to access the range of information that improves both root-cause analysis and overall program effectiveness.

And there’s no doubt that integration helps solve a common business problem as stated by one of our clients: “Our problem was that we had people serving overlapping compliance functions; we had people doing the wrong things in the wrong departments.”

GLOBAL COMPLICATIONS

This comment from the Director of Global Trade & Compliance for a well-known energy company illustrates the complexity of managing compliance in a global business: “My biggest problem has been delivering [our policy statements] to other countries and cultures… People don’t know which U.S. policies do and don’t apply to them.”

With the overwhelming number of consultants, publications and information, it’s easy to assume that legislation, rules and regulations can be easily identified and captured. But compliance silos segregate rather than share information. Most organizations don’t properly and completely comprehend the full range of their requirements and, therefore, can’t specify which policies, controls and tasks are appropriate. Jurisdictional differences abound. For certain risk areas, such as privacy, multiple global requirements complicate the problem.

The compliance framework provided in a GRC platform increases the assurance that policies and controls, written by many individuals in many jurisdictions, work together and don’t overlap or conflict. This translates to a business that’s

MANAGING COMPLIANCE REQUIREMENTS

By Andy Wyszkowski


SCENARIO: IT develops and implements an enterprise-wide customer database that collects e-mail addresses from a contact form on the Web site. Corporate marketing, located in the U.S., announces a new “green initiative” and launches it with a worldwide e-mail campaign designed to build customer loyalty. The problem is that many of those e-mail addresses were collected from residents of countries with privacy regulations far stricter than those in the U.S. and some of those non-U.S. e-mail recipients are perfectly willing to post their complaints on various Web sites. The compliance breach just became more complicated.


properly equipped to appropriately handle the full range of its compliance, governance and risk-management challenges.

PROGRAM EFFECTIVENESS

Proper execution of any compliance and risk-management program requires

• staying up to date on requirements and obligations;

• a standardization of process;

• the assignment of accountabilities;

• a common definition of policies, processes, risks, controls, loss events and issues; and

• the ability to share information in real time.

It’s impossible to imagine a really effective program without the benefit of technology that permits data to be turned into actionable information that can be used by all levels of an organization.

From an efficiency perspective, automation enables a much improved or efficient workflow process. Let’s use privacy as an example. A risk is defined (e.g. unauthorized access to customer information) and controls are put into place. Managers are e-mailed quarterly and asked “Are you and your staff following policy by putting customer information into appropriately secure facilities when not in use?” Responses are automatically collected and reports generated and summarized by business unit, geography, risk severity, etc. Line and staff compliance managers can now easily assess where new tasks, controls, or policies should be triggered based on responses.

From an efficiency perspective, automation enables a much improved or efficient workflow process. Let’s go back to the earlier privacy example. Privacy risks are defined—globally and regionally—and controls are put into place. Managers in marketing, IT, sales, Web design and public relations are e-mailed quarterly and asked “Are you and your staff following policy by designating e-mail permissions properly?” Responses are automatically collected and reports generated and summarized by business unit, geography, risk severity, etc. Line and staff compliance managers can now easily assess where new tasks, controls or policies should be triggered based on responses and where business processes need remediation.

It’s one-dimensional to think of GRC systems as an easier way to gather and automate information—of checking the box. But in a very real and practical way, GRC systems enable an organization to map back to specific actions and to specific programs that mitigate risk and improve compliance. With improved decision-making, better programs and healthier organizations result.

Andy Wyszkowski is Global Head of Compliance at SAI Global. Contact him at [email protected].

BENEFITS OF A SINGLE VIEW

• Positions “compliance” as a business process

• Provides consistency of policies and procedures across geographies and lines of business

• Clarifies direct and indirect responsibilities

• Allows policies and procedures to work together enterprise-wide

• Makes it real for employees

• Monitors in real time

SINGLE USER NON-COMMERCIAL LICENSE: GCAGRC4 ([email protected]). EMAIL [email protected] FOR COMMERCIAL LICENSE.


AUDIT FATIGUE
By Evelyn de Souza

So many regulations. So little time. So few resources. That sums up the scenario for many enterprises in this day of proliferating mandates and requirements. Come audit time, IT departments are hit with the sheer enormity of the tasks they are required to undertake to prove compliance.

McAfee terms the act of dedicating a continuous effort and a hefty amount of resources to proving compliance “Audit Fatigue.” As part of a long-term study on Audit Fatigue, McAfee recently commissioned a preliminary market survey on IT audit-related functions in North America and Europe. The results indicate that IT departments face great challenges at audit time. At the same time, there are new opportunities to automate controls and processes.

The study identifies several key causes of Audit Fatigue. Continued research on the topic is planned for the near future.

Manual data collection

The most notable finding was the lack of automation tools in organizations with more than 5,000 employees. More than half of the respondents used either unspecified tools or spreadsheets. Timely and accurate data collection is a protracted, manual endeavor for many organizations. Proprietary interfaces for point products prevent data integration, even if the reporting capabilities of the products are automated, resulting in the need for spreadsheets. This lack of operational efficiency puts a huge strain on IT departments. It robs them of time to invest in other initiatives.

IT managers can greatly reduce the amount of staff time needed to satisfy auditors by selecting tools that have a common management platform and that automate data harvesting through a unified compliance reporting infrastructure. It should be noted that several vendors offer automated solutions, but only a few are moving towards such a unified infrastructure.

Manual process tests

Compounding the resource drain imposed by audits is the fact that for the majority of IT audit controls, the elements that are used to test processes are also primarily manual. That appears to be true for organizations of all sizes. Automating controls is critical for improving the audit process, especially since regulations such as Sarbanes-Oxley encourage continuous internal controls monitoring. By automating controls, organizations can start to build repeatable and more sustainable processes, helping to reduce the impact of IT audits and to better ensure the integrity of audit data.

Increased regulation

Data breaches across both private and public sectors worldwide have given rise to more mandates and tougher compliance requirements. This was reflected in the finding that even in medium-sized enterprises with fewer than 5,000 employees, 22 percent manage more than 10 regulations annually.

Ad hoc audit schedules

Surprisingly, few IT departments have optimized their audit scheduling. Almost one-quarter of respondents ran audits on an ad-hoc basis rather than as a scheduled effort of an enterprise risk management program. This lack of control over audit processes impacts IT budgets and key IT projects.

Overcoming Fatigue

Mature organizations tend to use well-built frameworks. They map their processes against a maturity model. Further, cross-mapping of IT controls against multiple regulations to a foundational standard, such as ISO 17799, can help consolidate the number of separate audits they may face. This alone yields substantial compliance savings. A single, comprehensive policy can be used to account for all the regulations that they need to address and makes compliance to internal policy the key driver.

As awareness of the potential benefits of optimizing audit processes increases, IT has the opportunity to implement repeatable, sustainable processes to overcome Audit Fatigue syndrome. Much like ISO 9001 proved to be a business enabler in the manufacturing segment, so too may a structured approach to compliance for IT departments.

Evelyn de Souza is a Senior Manager, Risk and Compliance Solutions for McAfee, Inc. Contact Evelyn at [email protected].

ELIMINATE COST, COMPLEXITY, AND RISK. ALONG WITH AN EXTRANEOUS VENDOR OR TWO.

Broader Security. Lower Operating Costs. Greater Compliance.

To learn more, see www.mcafee.com/audit_fatigue

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766, www.mcafee.com. McAfee is a registered trademark of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. © 2008 McAfee, Inc. All rights reserved.


ASK THE ANALYSTS: Chris McClean, John Haggerty and Michael Rasmussen

OCEG President Carole Stern Switzer asks three leading GRC analysts about what they see coming for GRC technologies. Michael Rasmussen, Founder and President of Corporate Integrity, LLC; John Haggerty, Vice President, Research Fellow at AMR Research, Inc.; and Chris McClean, Analyst, Forrester Research, Inc. provide insights that will help you plan your approach to IT for GRC.

OCEG: What are the top three questions the board of directors of any public company should ask regarding the status of GRC-enabling technologies in their organization?

McClean: The most important questions are whether the information they receive is accurate, whether it gives them full visibility into critical GRC issues across the organization, and whether it meets the necessary requirements for corporate reporting and decision-making. Hopefully the enabling technology allows those responsible for GRC to give the board a more satisfactory answer when these questions arise.

Haggerty: Many of our customers note that their boards are mandating better risk visibility and management across the business, not just within organizational silos. Depending on the industry, risks take different forms across sectors, but the three questions management should be asking are: Is our information environment completely secure from unauthorized internal and external access? Are we fully aware of the scope of risks we face as a business? Have we prioritized remediation actions to maximize shareholder value?

Rasmussen: My experience is that the board of directors is not really focused on the technology enablement of GRC. My fear is that organizations and boards of directors will begin to view GRC as a technology issue. Technology enablement of GRC is critical, but GRC is much broader than technology. GRC is about a philosophy of business in which the organization is looking at governance, risk and compliance from a holistic perspective across islands of responsibility. The board should not be focused on whether the organization is using technology; the proper question from them is “Do we have sustainable, consistent, efficient, and transparent GRC processes that work together collaboratively?” In answering this question you will find it can only be done through the use of technology enablement.

OCEG: For the remainder of 2008, what are the least-obvious business or market trends that have the highest impact resulting from GRC automation?

Rasmussen: The biggest value I am beginning to see is the extension of policies and procedures, training, and risk and control assessment to an organization’s business partners. Highly regulated organizations already have to see that certain vendors have communicated and trained vendors/business partners and their respective employees on policies and procedures. Liability and new regulatory requirements are driving this growth. Further, I am seeing many organizations begin to ask how they can leverage technology that they have used for SOX to conduct self-assessments of controls to assess their business partners.

McClean: I expect audit departments to really extend their visibility and value throughout organizations as GRC automation increases. So much of their function has historically depended on manual processes and has been limited in scope. As risk management and compliance information moves closer toward a centralized source of record, auditors will have a much better view into the organization’s complete control profile. Ongoing, enterprise-wide risk assessments provide a great foundation for auditors to scope and prioritize their efforts and possibly identify areas of the business where they could be providing more value.

Haggerty: Based on our research, operational and enterprise risk management will be the area of biggest impact throughout 2008. Buyers recognize the need for more rigorous evaluation of risk—in fact, it’s now part of everyone’s vocabulary and an action item for many firms we advise. Going forward, we see organizations formalizing their risk identification and assessment processes with a plan to prioritize actions or to simply decide which risks are worth accepting.

OCEG: What are the biggest misunderstandings about GRC-enabling technologies? Why are these particular areas the most misunderstood outside of the IT organization, and how can IT help clarify information?

McClean: Unfortunately, the biggest misunderstanding is what really constitutes a GRC-enabling technology. This is caused in large part by software vendors claiming to provide GRC solutions while only offering small pieces of the total package. Other misconceptions include the idea that licensing a software platform is a good first step when beginning a GRC program and that it’s typical to tackle a large number of GRC elements at the same time.

The best way to clear up all these issues is to start with a very clear strategy that explains what will happen, who will be involved and how they will benefit. Once this plan is laid out, it’s much easier for the process owners to work with IT to identify what they need from a product standpoint so that they can cut through the clutter and only talk with vendors that can address their actual needs.

Haggerty: I see four big misunderstandings. Somewhat surprisingly, business owners still think that software/technology alone can solve GRC-related issues. Security breaches come from both within and outside the firm. Most companies feel their biggest exposure is unauthorized external access. But internal threats are more common and more costly, and need to be remediated.

GRC is not a one-time project but an ongoing part of most if not all business practices. IT alone cannot lead the way. Management across the business must set the right tone for how GRC becomes part of standard operating procedure. Without that, each business owner will act in their own self-interest, sub-optimizing the potential impact of an organization-wide approach.

Rasmussen: GRC is not just about technology. If you do not have the process and organization structure down, the impact of GRC-enabling technology is limited. This is something to understand before investing in technology. There are more than 500 technology providers in the GRC space, and it is a $5 billion-plus market. Approximately 100 of these technology providers are trying to be the central GRC platform. However, many of them were designed for a specific purpose and were not designed from the ground up to be a holistic GRC platform. It is important the organization understand what they are trying to achieve before selecting a vendor or else they may be locked into a specific vendor’s concept and framework of GRC and, thus, disappointed and limited.

OCEG: What are the most critical areas for further GRC automation and why?

McClean: Technical controls, such as those for application access or financial transactions, will be major focal points for automation over the next year. These types of controls are very important for a lot of different regulations and best practices, and the automation of these controls is a prospect toward which software can add a lot of value. Testing these controls and reporting on their effectiveness is another critical area where automation will be important.

Automatically pulling in data from outside traditional GRC applications—data related to human resources, financial transactions, health and safety, environmental management, and other key areas—is another important area of automation. Tying this information for purposes of risk management and compliance is something that has traditionally been done manually, and companies have a lot to gain by moving this resource-intensive collection and analysis out of the hands of its employees.

Haggerty: First, establish continuous monitoring of business controls. People-related expenses are the biggest percentage of overall GRC budgets. Reducing human effort will have payback for years to come.

Access security. Security is still the largest concern within IT, and the one that has the most exposure at the CIO level. Automating access from provisioning through execution is essential to reduce IT risk.

Records retention policy management is also critical. Be it a document, an email, or a business transaction, a consistent policy for managing record storage and disposal is critical to establish a legally defensible environment.

Rasmussen: The top of my list is what I am calling “Next Generation Policy & Procedure Management.”


This may not be on everyone’s radar, but it is a significant area to drive efficiency and consistency, as well as to consolidate spending across the business. The typical organization, large and small, is in a mess as to how they define, manage and train on corporate policies and procedures. Best practice organizations that I am monitoring are beginning to consolidate dozens of different policy and procedure systems (typically intranet sites) into a single policy and procedure management platform owned by legal or compliance.

Next is the critical area of loss and investigations management. To manage risk effectively, as well as manage sensitive investigations, it is time for organizations to consolidate on a single investigation, loss, event, complaint, issue management platform.

The third is managing business relationships so they comply with your respective regulatory requirements.

OCEG: Among the companies you speak with, which organizational departments appear to have the most to gain from GRC automation?

Rasmussen: Business operations has the most to gain. It is the line of business that suffers most from a wide array of demands to assess, train and respond to silos of GRC. Business operations want a single platform to harness information and stop them from responding to similar questions week after week. Further, it is business operations that would desire a common portal into policies and procedures instead of a dozen different internal Web sites that store policies and procedures for varying functions.

Haggerty: I don’t see one department over another that has more to gain from GRC automation. Depending on what issues they’re tackling and priorities set at a strategic level, some groups will naturally take the lead on automation at different times in the GRC lifecycle.

Finance, as the steward of corporate data with explicit responsibility for external financial disclosure, continues to pioneer GRC-related automation. Legal departments are asserting their prerogative to define document and records retention policy and standards across the enterprise. This naturally leads to more automation. IT is also stepping up to the GRC challenge in two ways—supporting business initiatives with technology support while applying GRC principles to better manage IT risk.

McClean: Audit professionals have a lot to gain from GRC automation. Operational owners that are plugged into the system, who can start to look at how their decisions impact the overall risk profile of the company, will see substantial advantages as well.

Generally, automating GRC is not about singling out individual departments for the largest gain. The idea is to coordinate all of the various departments to participate in something that benefits the organization as a whole. Unless all of the various areas of the business can see real benefits, it will be extremely difficult to achieve the advantages gained through broad collaboration.

OCEG: Which industries have the most to gain from further GRC automation? Where in the business, specifically, do you foresee the GRC automation process benefiting these industries?

Haggerty: Those companies that have not been subject to significant regulation and oversight to date are the ones who are in the earliest phases of GRC maturity. We expect companies to begin automation at their biggest point of pain. For example, environmental health and safety concerns may be priority number one for a discrete manufacturer. Privacy concerns might trump all in a healthcare environment.

Hopefully, companies will see connections between disparate initiatives and move toward a holistic GRC view. But a lot depends on their organizational maturity and, frankly, on external pressure to do the right thing.

McClean: Any organization—whether in retail, manufacturing, life sciences, or telecommunication—that has a large business partner ecosystem, diverse product portfolio, and broad geographical footprint, will find it extremely difficult to keep up with their regulatory requirements and risk profiles. In these cases, technology becomes an incredibly important element of success in their ability to set operational boundaries and have the monitoring and reporting capabilities to assure that decisions across the entire organization follow these boundaries.

Rasmussen: Large distributed organizations have the most to gain from GRC as they try to manage risk and compliance across multiple regions and jurisdictions around the world. The Global 1000 all should have GRC on their radar and be looking for technology enablement of GRC processes. In addition, we are also going to see a rising use of GRC technology in manufacturing and retail as organizations try to manage supply chain risk and compliance and develop their corporate social responsibility practices.


ACCESS THE LATEST COBIT CONTENT AT www.isaca.org/cobit

GUIDANCE MATERIALS FOR IT GOVERNANCE FEATURING

COBIT® 4.1

COBIT® CONTROL PRACTICES: GUIDANCE TO ACHIEVE CONTROL OBJECTIVES FOR SUCCESSFUL IT GOVERNANCE

IT GOVERNANCE IMPLEMENTATION GUIDE: USING COBIT® AND VAL IT™

IT ASSURANCE GUIDE: USING COBIT®

Also:

COBIT® Security Baseline

COBIT® Quickstart

COBIT Online®

COBIT® Mapping Papers

Aligning COBIT® 4.1, ITIL v3 and ISO/IEC 27002 for Business Benefit


PUBLIC EXPOSURE

GRC CAPABILITY MODEL™

DRIVING PRINCIPLED PERFORMANCE®

Open Compliance and Ethics Group

OCEG Red Book

Comprehensive and Detailed Practices for an Integrated Approach to Governance, Risk and Compliance.

Log into the OCEG website to download your free copy today! www.oceg.org/view/RB2Project
