Risk Technology Strategy, Selection and Implementation
Scott Farquharson
Principal – Risk Services
RMIA, 1st October 2014
Today's Agenda…
• Context - Risk Capability
• Why do we need technology and what can it do?
• Focus on Core components
• Strategy
• Selection
• Implementation
Our Approach Today…
From the CRO perspective…
Governance and Assurance – Office of CRO – Risk SMEs – Business
Look at Capability across the Organisation
A Quick Definition…
So what are we talking about when we say GRC…?
Corporate Governance, IT Governance, Financial Reporting Compliance, SOX, P7, Operational Risk, Safety, Legal Compliance, Strategic risk, Privacy, Project Delivery Risk, Ethics, Controls, Security, AML, Environmental Compliance, Enterprise Risk Management, Access Risk, Business Continuity Planning, Whistleblower, Risk Financing
Who are we talking about?
Risk Management, Corporate Compliance, Finance, Internal Audit, Security, IT, Legal, HR, Board Liaison, Business Units, Consultants, Customer, Insurance, Board, Operations, Quality Management, Safety, Company Secretarial, External Audit
What Processes and Activities?
Risk Assessments, Audits, Self Assessments, Investigations, Risk Reports, Training, Community Consultation, Advice, Remediation, Stakeholder reporting, Policy Management, Frameworks, Incident Management, Risk Financing, Audit Actions, Board Reporting, Audit remediation, Delegation of authority, Hazard Identification, SoD’s
What Systems?
Risk Database, Security System, Audit System, EHS System, Financial Systems, Portfolio Management, Surveys, Audit issues, Operational Systems, Back Office, Compliance system, Spreadsheets, Access Databases, CRM, Loss Management, Claims Management, Investigations Management, FICO, Plant Management
What is the Value of Risk…?
Objective | What | Examples
Licence to Operate | Meeting our legal, regulatory and social obligations | Good corporate governance; Compliance; Laws and regulation
Protecting Value | Minimising loss and protecting shareholder value, brand and reputation | Control frameworks; Contract risk; Fraud risk; Insurance; BCM
Driving Efficiency | Doing things right; Business efficiency; Understanding Total Cost of Risk | Process risk and control; Prioritising management attention
Creating Value | Doing the right things; Where and When to take a “risk”; Better decision support | Risk appetite; Risk Culture; Risk adjusted returns; Scenario Planning
Rewarded risk – Provides a premium if managed well. It relates to risks in areas such as mergers and acquisitions, product development, investment, markets and business models, risk adjusted returns, VaR.
Unrewarded risk – Provides no premium if managed well. It relates to risk areas such as financial misstatement, compliance with laws and regulation and fraud. “Must” be done.
Driving Shareholder Value
Guarding the Balance Sheet – Protecting the Brand
However, a Siloed Approach Lessens Effectiveness…
Risk Integration has a significant impact on overall Risk Management effectiveness
Source – Corporate Executive Board
A Number of Stumbling Blocks…
• Timely Assessment and Reporting of Emerging & Changing Risk Information
• Duplication with Multiple Assurance Activities Across Enterprise
• Obtaining Quality Risk Information from the Business
• Lack of Transparency of Key Risks
• Disconnect between Risk Appetite and Risk Profile & GRC Efforts
• Risk Information is Siloed Across a Number of GRC Providers
• Manual and inefficient processes
• GRC efforts are not aligned to strategy delivery
• Poor cross functional integration and lack of clarity of accountability
Source – Corporate Executive Board
Re-Thinking Risk Capability…
Common Enterprise GRC Processes: Risk and Obligation Identification; Analysis and Evaluation; Risk Mitigation and Control Design; Control Activities; Corporate Policies; Monitoring, Testing and Assurance; Incident/Loss Management Investigations; Reporting and Communication
Source Systems: EHS Systems; Security Systems; PMO System; Enterprise Risk Management System; Compliance Management System; Internal Audit System
Single Source of Truth
Information Flows and Reporting Channels
Roles and Responsibilities – Accountability Model (RACI)
Technology
Reporting and Analytics
Organisational Structure
Operating Model Components…
People: Three Lines of Defence; Organisation Structure and Engagement; Cultural Drivers
Process: Defined GRC Processes; Common Risk Language; Industry Standards
Technology: Repository – Single Source of Truth; Analytics and Reporting; Workflows and automation
Operating Model assessed through Capability Maturity Model
Governance
Context
The Role of Technology…
Information to support risk decisions
Efficiency of risk processes
What Else Does it Do…
Single source of truth
Consistency of data
Improved transparency
Speed of Action
GRC Capability Maturity Model…
Level 1 – Non-Existent | Level 2 – Ad Hoc / Initial | Level 3 – Siloed / Top Down | Level 4 – Repeatable / Managed | Level 5 – Systematic / Leading | Level 6 – Optimised
Level 1: Manual (paper) processes only
Level 2: Risk registers for some risks in Excel; Qualitative only
Level 3: Overall risk register in Excel; Some SME systems in place for critical risks; Qualitative only
Level 4: Overall risk register in a GRC Tool; SME systems in place; Some quantitative
Level 5: Integrated GRC in place; Integration with SME systems; Integration with ERP; Qual and Quant; Automated CSA
Level 6: Integrated GRC and SME; ERP integration; Risk Appetite and Tolerances; KRI’s; Decision Support Analytics; Predictive
Incorporates Industry Standards…
Risk Management – ISO31000 (with OCEG, HB158, HB254, AS3806, AS8000, HB221, etc)
Enterprise Risk Management and Control Framework – COSO
IT Process Model – ITIL
IT Control Framework – COBIT5
IT Risk and Compliance Management Standards – ISO27000, AS8015, HB231, PCIDSS, etc
IT Specific Components – Built into SAP GRC
3 Lines of Defence Provides Basis for the Model…
3rd Line of Defence – Oversight: Board, Board Risk Audit Committee. Assurance: External Audit, External Providers, Internal Assurance Function.
Provides oversight, independent testing, verification and review on the efficacy of:
• GRC frameworks
• Business management of risk
• Business compliance with Internal/External Obligations
Identifies opportunities for improved business performance
2nd Line of Defence – Common Risk Infrastructure: Central GRC Functions, Support Units.
Provides the major mechanism for Governance through a central Policy Framework and repository.
Provides enterprise GRC frameworks
Provides enterprise GRC programs
Provides Subject Matter Experts for enterprise risks
Monitors adherence to frameworks, enterprise risk and compliance programs and losses/incidents
Escalates and provides aggregated risk and compliance reporting
1st Line of Defence – Risk Ownership: Executive Management, Business Units.
Adheres to enterprise risk and compliance frameworks
Owns the risk, control and losses/incidents
Understands its risk profile and control framework
Performs risk/control self assessment
Must meet internal and external obligations – compliance
Clear Lines of Accountability for GRC Activities
Technology Support at Each Line of Defence
3rd Line of Defence – Oversight: Board, Board Risk Audit Committee. Assurance: External Audit, External Providers, Internal Assurance Function.
Board Papers and Communication; Audit Planning and Management; CCM; Review Risk and Control Profiles; Review Incident Reports
2nd Line of Defence – Common Risk Infrastructure: Central GRC Functions, Support Units and SME’s.
Consolidate Risk Reports; Risk Analytics; Update Obligations Register; Plan Assessments; Conduct Surveys
1st Line of Defence – Risk Ownership: Executive Management, Business Units.
Create Risks and Controls; Assess Risks; Control Self Assessment; Review Risk Profile
Model Must be Aligned to the Risk Profile...
Columns: Compliance Obligations | Risk | Policy / Process | Technology support (GRC, Risk Specific, ERP, Analytics, Integrated)
Information Compliance: Privacy, PCI/DSS, FOI, Records / Archives / ACMA | Information Risk: Technology / Info Security, Records & Archives | Information Management, IT Security | × x x ×
Financial Compliance: AML / FSL / APRA / SOX / P7 | Financial Integrity Risk: Technology / Security, Crime / Fraud | Fraud; P2P, Retail Ops | × ? × × ×
Commercial Compliance: Trade Practices, Contract Compliance | Commercial Risk: Intellectual Property, Contract Risk | Contract; O2C | × ? ? × ×
Health and Safety Compliance: OHS, TSP, CoR, Dangerous Goods | Health and Safety Risk: Physical Security, Hazard Identification | Transport, Operations | × × ? ×
Asset Compliance: Property/Fire Services | Asset Risk: Physical Security, Fire Protection | Security, Facility Mgmt | × × ×
Sustainability & Environment: EEO, EPBC, NGERS, CPRS | Sustainability & Environment: Carbon Reduction, Sustainability Principles | Sustainability, Transport | × × × ×
Strategic Compliance: Investment Projects, Planning, Products, External | Strategic Risk: Investment Projects, Planning, Products, External | Investment Life Cycle, Planning | ? × × × ×
Risk Universe: Governance; Strategy and Planning; Operational; Compliance; Reporting
Technology Support Model
Technology Layer | Role
eGRC Layer | Core functionality to support Risk, Compliance, Audit, Controls, Policy, Incident Management; Centred around data backbone – risk/obligation/policy/control/test/incident or loss; Reporting and dashboards; Workflows
Systems Integration Interface | eGRC; Point Solutions; Transactional Systems; Data and Analytics; Corporate Reporting
Risk/Obligation Specific Layer | HSE/Security, Fraud, Crime, Plant and Equip, IT Security, Environmental
ERP Layer | Transactional systems
Data and Analytics Layer | Data warehouse combining eGRC and other data including transactional/external/social
Risk and Compliance Profile sits at the Core of the Model…
Risk Profile by: Business Unit; Business Process; Business Scorecard; Strategic Initiatives; Program/Projects
Each Risk/Compliance Class: Appetite/Thresholds; Key Risk Indicators; Treatments/Controls; Assurance; Incidents/Claims/Losses; Aggregated Exposure
Bottom Up – Individual Risk Profile for each BU overlays Business Process and Business Objective
Top Down
Aggregated Corporate Profile and Reporting
Standard Risk, Control and Policy Library
Single Source of GRC Truth
For each Business Unit: Risk Dashboard; Risk Appetite; Key Risk Indicators; Control Monitoring
Risk universe: Governance; Strategy and Planning; Operations; Infrastructure; Compliance; Reporting
Multi Risk and Compliance Framework…
GRC Operating Model – Powered By SAP GRC
Overarching Enterprise Risk and Compliance Framework
Common Risk Library – Risks can be aggregated for reporting and analysis
Risk can be assessed by multiple methods including control effectiveness
Process Focus: Procure to Pay, Hire to Retire, Order to Cash, Financial Close, etc
Functional Focus: Risk and Compliance Profiles by Business Unit
Obligations:
• IT and Information: CoBit, PCIDSS, ISO27000, Cyber, FOI, Privacy, Archives
• Financial Reporting: SOX, Principal 7, SoD’s, DoA’s, IFRS
• Crime / Fraud: Fraud, Austrac, AML, Transport, SoD’s, Cyber
• Human Capital: OHS, Environment, EEO, CoR
• Property: Food, Medical
• Commerce: Contract, Consumer Contract, Lease, Liquor, Tobacco, Lotteries, IP
• Strategic: Strategic Risk, Strategy Execution, Project and Portfolio, BCM
• External: Legal, Industry and Community Stds
• Internal: Cultural, Performance Stds
Integrated Control Library – Control Library with Controls that can be linked to multiple Risk and Compliance Requirements. Control Testing can then satisfy multiple “Regulations” or “Risks”.
Corporate Policy Framework – Policy Lifecycle Management linked to: Risk and Compliance Framework; Control Library
Analytics and Reporting – Dashboards, KRI’s, Aggregated Risk Profiles
Integration with Other Systems – Continuous testing can be undertaken across the SAP Platform including EHS, SSM, ECC, HCM etc. Interfaces can also be set up with Non-SAP Systems and Manual Entry.
SAP GRC provides: Risk Management (Enterprise Wide Risk Management Capability); Process Control (Supports Risk and Compliance control Frameworks); Policy Framework; Supports Multiple Regulations; Range of Testing Methods; Range of Assessment Techniques; Common Risk Language
Each Risk/Compliance Class: Appetite/Thresholds; Key Risk Indicators; Response Plans/Controls; Assurance; Incidents/Claims/Losses; Aggregated Exposure; Risk Adjusted Performance; Audit Issues
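The data backbone named on the Technology Support Model slide (risk / obligation / policy / control / test) and the Integrated Control Library on this slide are, to an engineer, one many-to-many structure: a control is linked to several obligations, so a single test result updates all of them, and a single failure exposes all of them at once. The Python below is an added illustration of that roll-up, not the deck's content and not SAP GRC's or any vendor's data model; the control identifiers, obligation labels, descriptions and test outcomes are constructed for the example.

```python
"""Integrated control library: one control, many obligations (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    obligations: frozenset  # regulations / risks this control addresses


@dataclass(frozen=True)
class TestResult:
    control_id: str
    passed: bool
    evidence: str


# Constructed control library (hypothetical ids and descriptions).
CONTROL_LIBRARY = {
    "C-01": Control("C-01", "Segregation of duties in procure-to-pay",
                    frozenset({"SOX", "Fraud", "P7"})),
    "C-02": Control("C-02", "Quarterly user access review",
                    frozenset({"SOX", "ISO27000", "PCIDSS"})),
    "C-03": Control("C-03", "Cardholder data encrypted at rest",
                    frozenset({"PCIDSS", "Privacy"})),
    "C-04": Control("C-04", "Customer due diligence at onboarding",
                    frozenset({"AML"})),
    "C-05": Control("C-05", "Suspicious matter reporting procedure",
                    frozenset({"AML"})),
}

# Constructed test cycle: C-03 and C-05 have not been tested yet.
SAMPLE_RESULTS = [
    TestResult("C-01", True, "SoD ruleset report, Q3"),
    TestResult("C-02", False, "two leavers still had active accounts"),
    TestResult("C-04", True, "sample of 25 onboarding files"),
]


def obligations_covered_by(library):
    """Invert the library: obligation -> set of control ids addressing it."""
    index = defaultdict(set)
    for ctl in library.values():
        for ob in ctl.obligations:
            index[ob].add(ctl.control_id)
    return dict(index)


def assess_coverage(library, results):
    """Roll control-level test results up to obligation level.

    Returns {obligation: status} with status one of
      'satisfied' - every linked control was tested and passed
      'exposed'   - at least one linked control failed
      'untested'  - no linked control has a result yet
      'partial'   - every tested control passed, but some are still untested
    """
    outcome = {r.control_id: r.passed for r in results}
    status = {}
    for ob, ctl_ids in obligations_covered_by(library).items():
        tested = {c for c in ctl_ids if c in outcome}
        if any(not outcome[c] for c in tested):
            status[ob] = "exposed"
        elif not tested:
            status[ob] = "untested"
        elif tested == ctl_ids:
            status[ob] = "satisfied"
        else:
            status[ob] = "partial"
    return status


def linked_obligations(library, control_id):
    """Every obligation one test of this control satisfies (pass) or exposes (fail)."""
    return sorted(library[control_id].obligations)


if __name__ == "__main__":
    for ob, st in sorted(assess_coverage(CONTROL_LIBRARY, SAMPLE_RESULTS).items()):
        print(f"{ob:10} {st}")
    print("C-02 failure exposes:", linked_obligations(CONTROL_LIBRARY, "C-02"))
```

The `partial` state is the one a siloed spreadsheet register usually hides: an obligation can look covered because one of its controls passed while another has never been tested. Mapping controls to obligations is also what makes the slide's "one test satisfies multiple regulations" claim measurable, since `linked_obligations` tells you exactly how many requirements a single piece of test evidence retires.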
You need a (strategy) road map…
Phase 1 – Quick Wins
• Compliance Obligations
• Training
Phase 2 – Risk Management
• Risks and Controls
• Risk Assessment
Phase 3 – Policy Management
• Life cycle
• Policy Surveys
• Mobility – iPad App
Phase 4 – Risk Analytics
• Risk Appetite
• KRI’s
• CCM
• Dashboards
Timeline: Year One, Year Two, Year Three, Year Four
The Most Popular GRC Tool in the World…
The eGRC Core…
Core functionality to support common enterprise risk, compliance, and assurance activities
• Governance
• Enterprise Risk Management
• Compliance Obligations and Risks
• Risk and Compliance Control Framework
• Policy Management
• Incident and Loss Management
• Internal Audit Practice Management
Plus…
• HSE
• Fraud/Financial Crime
5 Key Underpinning Technologies
Database
Workflow Management
Document and Content Management
Analytical and Reporting Tools
Data Warehouse
Typical eGRC Functionality…
Overall Considerations: Data Architecture; Data Aggregation; Workflows; Monitoring and Alerting; Triggers; Analytics and Reporting; Risk Modelling
Risk: Risk Data; Risk Creation; Risk Library; Risk Analysis Methods; Risk Assessment Process; Loss and Incident Data; Risk Appetite; Issues Management
Control: Control Attributes; Control Creation; Control Library; Control Assessment; Link to Risks or Obligations
The User Experience
• Who is going to use it?
• Are they going to log into the application?
• How often?
• What will they do on the system?
• How is data to be entered?
• How much data?
• How do they run reports?
• Ad Hoc Analysis?
• What platforms? PC Only?
Data and Analytics
What Can Data Analytics Provide?
Analytics
• Some Typical Applications:
- Controls transformation: process analytics and continuous controls monitoring
- Contract risk compliance: IT, employee, supplier and customer contract reviews
- Financial crime: fraud investigations, litigation support
- Finance analytics: uncovering leakage / inefficient processes
- Internal audit transformation: planning, auditing and reporting.
An Example…Simple Outlier Identification
Key risk analytics techniques:
• Rules-based quantification of known profiles
• Statistical modelling
- to understand drivers of known behaviours
- raise awareness of unknown behaviours
- predict future behaviours
• Visualisation to easily communicate data insights into informed decision-making
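As an added worked example of the first two techniques on this slide (a rules-based test for a known profile, and a statistical test that surfaces behaviour no rule was written for), the Python below runs both over a constructed set of expense claims. It is not the deck's own "Simple Outlier Identification" example and not any vendor's analytics; the approval limit, claim identifiers, business units, claimant ids and amounts are all constructed, and the near-limit band and the robust z-score cut-off are assumptions a practitioner would tune to their own data.

```python
"""Simple outlier identification: a known-profile rule plus a robust statistic (added example)."""
from statistics import median

# Constructed sample: (claim_id, business_unit, claimant, amount_aud)
CLAIMS = [
    ("E-1001", "Retail", "u01", 120.0),
    ("E-1002", "Retail", "u01", 95.0),
    ("E-1003", "Retail", "u02", 4990.0),   # just under the approval limit
    ("E-1004", "Retail", "u02", 4975.0),   # same claimant, again just under
    ("E-1005", "Retail", "u03", 210.0),
    ("E-1006", "Retail", "u04", 150.0),
    ("E-1007", "Ops", "u05", 180.0),
    ("E-1008", "Ops", "u05", 26000.0),     # no rule describes this; statistics should
    ("E-1009", "Ops", "u06", 160.0),
    ("E-1010", "Ops", "u07", 175.0),
    ("E-1011", "Ops", "u08", 190.0),
]

APPROVAL_LIMIT = 5000.0  # constructed delegation-of-authority threshold


def rule_near_limit(claims, limit=APPROVAL_LIMIT, band=0.02):
    """Known profile: amounts sitting within `band` below an approval limit.
    Returns matching claim ids in input order."""
    low = limit * (1 - band)
    return [c[0] for c in claims if low <= c[3] < limit]


def rule_repeat_near_limit(claims, limit=APPROVAL_LIMIT, band=0.02, min_count=2):
    """Known profile: the same claimant repeatedly submitting near-limit claims."""
    counts = {}
    for _cid, _bu, who, amt in claims:
        if limit * (1 - band) <= amt < limit:
            counts[who] = counts.get(who, 0) + 1
    return sorted(who for who, n in counts.items() if n >= min_count)


def robust_z(values):
    """Median/MAD z-scores: unlike mean/stdev they are not dragged by the
    very outliers we are looking for. 0.6745 scales MAD to a normal sigma."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # guard all-equal input
    return [0.6745 * (v - med) / mad for v in values]


def statistical_outliers(claims, threshold=3.5):
    """Unknown behaviour: claims whose amount is extreme within their own
    business unit, so a unit with naturally larger claims is not penalised."""
    by_bu = {}
    for c in claims:
        by_bu.setdefault(c[1], []).append(c)
    flagged = []
    for rows in by_bu.values():
        scores = robust_z([r[3] for r in rows])
        flagged += [r[0] for r, z in zip(rows, scores) if abs(z) > threshold]
    return sorted(flagged)


def outlier_report(claims):
    """Combine both technique families into one review list."""
    return {
        "near_limit": rule_near_limit(claims),
        "repeat_claimants": rule_repeat_near_limit(claims),
        "statistical": statistical_outliers(claims),
    }


if __name__ == "__main__":
    for name, hits in outlier_report(CLAIMS).items():
        print(f"{name:17} {hits}")
```

The two families complement each other in exactly the way the slide describes: the rule catches the profile you already know (claims engineered to sit under a delegation limit, and the claimant who does it repeatedly), while the per-unit robust z-score flags E-1008, which breaks no rule at all. Both outputs are review leads for the second line, not findings; the statistical cut-off in particular should be calibrated against a period of known-good data before it drives a KRI.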
Moving to Real Time Risk Analytics…
Source – SAP Analytics
Reporting and Dashboards
iPad Risk Reporting Dashboard
Corporate Performance Reporting
Source – Enterprise Dashboard
Risk should be on this dashboard. How to integrate?
What Now…?
Strategy and Roadmap
Technology Selection
Build and Implement
Improvement
A Structured Approach to Risk Technology
Technology Strategy
Engage with Internal Processes
• Engage Your IT Group
- Architecture
- Data
- Cloud vs On Prem
- Program
• Project Funding
- Capital vs Opex
- Business Case Process
- Benefits
- Gaining Support
Elements of a Risk Technology Strategy
• Organisational context
• Maturity of current capability
• Specific problems to be addressed
• Scope of application of the toolsets
• The current technology environment
- Data Management
- Application Architecture
• Establish priorities
• The desired end-state and timing
• Benefits and Budget
Technology Selection
First Steps…
• Refine Phase 1 Scope
• Develop Requirements - Sample
• Identify Suitable Vendors
The Market
• Now ’00s of GRC products in the marketplace – 40+ in enterprise
• Strengths based on their origins and focus
• Continued convergence of products around core functionality
• Addition of more SME functionality
• Bigger not necessarily better
• Niche players
Get to Know Your Vendor…
• Industry Knowledge
• Thought Leadership
• Origins – product history
• Their sweet spot
• Customer base
• Drive the product – make sure it doesn’t just run best on PowerPoint
Some of the Products…Just a Sample
• Nasdaq BWise
• IBM OpenPages
• Thomson Reuters Accelus
• RSA Archer
• Protecht
• SAP GRC
• Oracle GRC
• MetricStream
• SAI Global
• Wolters Kluwer
• Cura
• Enablon
• Wynyard
• Risk Cloud
• Protiviti
• Resolver
• ACL
• TeamMate
• Modulo
The $’s....
The Role of the Analysts and Industry Pundits
The Analysts
• Gartner – Magic Quadrant
• Forrester – Wave
The Pundits
• GRC20/20 – Michael Rasmussen
• Norman Marks – Marks on Governance
Other Sources
• LinkedIn Groups
• Forums
• Consultants
• Vendors
• Existing Customers
Other Considerations…
• You don't know what you don't know
• Products typically capture IP and better practice
• Is there opportunity for improvement?
• Do a POC with the shortlist – pay if you have to
Technology Selection Process
Swimlanes: Procuring Authority Processes; Vendor Processes
Define Business Requirements
• Define the solution scope
• Review existing flow of information and reporting output
• Identify potential data sources
• Establish risk information and reporting needs (including current and future out to approx. 3 years)
• Consider leading risk practice functionality across various software vendor tiers [integrated/ point solution/ stand-alone]
• Confirm and refine system requirements for market communication
Identify Potential Vendors
• Conduct initial vendor research based on Customer requirements, using better practice research
• Consider appropriate vendors
• Finalise vendor list
Establish Market Response Requirements
• Seek registration of interest (if required)
• Construct questionnaire for responses by vendors
• Seek review and approval for submission of questionnaire for approach to market
Issue To Market
• Issue questionnaire to finalised vendor list
• Communicate nominated contact person
• Communicate response times and requirements
Complete Market Sounding Questionnaire (vendor)
• Map vendor system functionality to business needs
Develop & Test Analysis Toolkit
• Consider IT Architecture and IT Strategy for system integration
• Build response analysis and scoring mechanism
• Determine visualisation methods
• Conduct test analyses
Conduct Analysis
• Receive completed questionnaires
• Participate in vendor presentations
• Analyse results
• Add qualitative analysis from supplementary material (if appropriate)
• Communicate preliminary analysis results
Prepare Market Sounding Report
• Produce formal Market Sounding Report
• Issue for review and comment
• Finalise document for executive
• Develop a plan to document, consolidate, refine and transform data pre-implementation
Durations shown: 2 weeks, 2 weeks, 2 weeks
Technology Implementation Process
Design
Build
Implement
Project Structure
• IT PMO Engagement
• Project Manager
• Business Representative
- Each Functional area
• Implementation Partner
- Solution Architect
- Technical Consultants
• IT Representative
Design
Selection should have confirmed fit
Detailed Requirements Defined
4 Key Elements in Blueprint
• Selecting Configuration Options
• Defining Master Data
• Defining Processes and Workflows
• Roles and Authorisations
Build
Typically the easy bit:
• Data Preparation
- Clean Your Data
- What to do with Historic Data?
• Testing – UAT
• Watch for:
- Performance issues – screen refresh
- Interfaces
Roll Out…
Key for Success
• Don’t skimp on Change Management effort
- Clear Change plan
- Tailored Communication
- Follow up support
• Tailor Training to Users
• Ongoing Support
• Measure Take Up and Feedback
Pitfalls and Problems…
Requires major transformation effort across the enterprise…
Organisation system legacies…
• Lots of different Stakeholders
• Lots of different Systems
• No one owns all the benefits
It’s better to…
• Start.
• It will never be perfect.
So where do you start?
• Big bang usually not possible (or advisable…)
• Need to show value – clear about benefits
• Need an Influential Cross Org Sponsor who sees the value
• Develop Roadmap with incremental benefits
• Sell the vision…needs everyone on board
Questions
Thank You