• No results found

GRC Program Best Practices & Lessons Learned

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "GRC Program Best Practices & Lessons Learned"

Copied!
15
0
0

Loading.... (view fulltext now)

Download now ( 15 Page )

Full text

(1)

GRC Program

Best Practices &

Lessons Learned

Carl Sawicki, American Express

Kathleen Randall, RSA Archer

Steps to Establishing and Maturing a

GRC program

(2)

Abstract

In today’s world, few organization’s contest the value of a

GRC tool to increase the efficiency and effectiveness of

their programs. But getting budget approval, organization

buy-in and executing on a successful implementation can

be daunting tasks to take on.

How do you measure the cost and ROI of an

implementation, so that you can present the case to

management?

How do you identify the maturity and design of your GRC

program, and plan on an appropriate GRC implementation

given your current state?

This presentation will guide you through these questions to

help you determine if what it takes to have a successful

(3)

Today’s Speakers

Carl Sawicki

American Express, Director of Technical Delivery

Carl is responsible for delivering technical solutions that have a focus around the areas of Operational Risk and Information Security for American Express. With his 33 years of experience in various technical roles and 23 of those years at his current company, Carl works with a variety of business partners across the enterprise to deliver solutions and support their needs for GRC (Governance, Risk & Compliance).

With the ever changing landscape of complex regulatory demands for the Financial &

Banking Industry, Carl and his team have to be ready to understand, support and deliver to this demand with a variety of GRC

platforms and custom solutions that he is responsible for.

Kathleen Randall

RSA Archer, Senior GRC Account Manager

As a Senior Account Manager specializing in the RSA Archer eGRC product suite, Kathleen is responsible for managing Archer’s strategic customer accounts located in the southwest U.S. region. Kathleen has domain expertise in risk, audit, compliance and security

domains, and has earned the CISSP, CISA, and GSNA designations. Prior to joining RSA, Kathleen was a part of the Deloitte &

Touche’s Enterprise Risk Services group. She has led enterprise risk assessments, internal audit projects, and global risk and audit assessments for Fortune 500 organizations. She was also formerly the Regional Director of ControlPath, a GRC software solution acquired by Trustwave, responsible for channel and direct sales.

Kathleen has served as a SANS course reviewer and course contributor, and has spoken several ISACA and IIA events.

(4)

Today’s Agenda

Next Steps

Recommendations to get

you there

Ideal State Definition

Where you want to go?

Implementation

Opportunities

(5)

Maximizing Return

Implementation

Set Requirements and Design

Key Stakeholders Engaged

Program Strategy

Define Process, Content & Infrastructure

(6)

What is GRC Tool Implementation ROI?

• Project definition

• View of implementation plan

(short-run VS long-run)

• Cross-domain strategy

• Technology

• Bridging people, process and

technology

• Program Sponsorship

Implementation

ROI

=

Implementation

Costs

+

(7)

GRC Tool ROI Spectrum

Where do you see your organization?

Basic • Use-cases identified Customer Profile • Focused use-cases • Single domain • Largely compliance focused Defined

All “Basic” elements plus…

• Current state objectives and use-cases identified • Processes identified • Requirements documented • Implementation plans developed • Implementation team identified Customer Profile

• Use-cases largely align to “out-of-the-box” • Single domain • Largely compliance

focused

Foundational

All “Defined” elements plus…

• Forward-looking objectives set and coordinated

• Integrated, streamlined processes and content for a single domain

• Scalable infrastructure plan • Key stakeholders trained

Customer Profile

• Mix of “out-of-the-box” as well as unique use-cases • Single domain

• Compliance and risk focused

Leading

All “Foundational” elements plus…

• eGRC vision, scope, and strategy considered • Enterprise-wide adoption • Integrated, streamlined

processes and content across domains

• Understanding of business risk • Complete content taxonomy

and visibility

• Fully enabled stakeholders

Customer Profile

• Many unique and/or industry specific use-cases

• Multiple domains • Governance, risk and

(8)

GRC Tool ROI Spectrum

Moving from Basic to Defined Implementation:

Return Drivers

Project definition

View of implementation plan (short-run VS long-run) Cross-domain strategy

Technology

Bridging people, process and technology Program sponsorship

Implementation

ROI

=

Implementation

Costs

+

Return Drivers

Return Drivers

Return Drivers

Return Drivers

Project definition

View of implementation plan (short-run versus long-run)

Ability to bridge people, process and technology

Technology leverage

Cross-domain strategy

Program consideration

(9)

GRC Tool ROI Spectrum

Moving from Basic to Defined Implementation:

Recommended Steps

Step 1: Align current state use cases

Step 2: Identify process and content

Step 3: Develop implementation project plans

Step 4: Identify implementation team

(10)

GRC Tool ROI Spectrum

Return Drivers

Return Drivers

Return Drivers

Return Drivers

Project definition

View of implementation plan (short-run VS long-run)

Ability to bridge people, process and technology

Technology leverage (full suite of modules)

Cross-domain strategy

Program consideration

Project definition

View of implementation plan (short-run VS long-run) Cross-domain strategy

Technology

Bridging people, process and technology Program sponsorship

Implementation

ROI

=

Implementation

Costs

+

(11)

GRC Tool ROI Spectrum

Step 1: Identify future state use-case and objectives across domains

Step 2: Document, benchmark and optimize process and content for

a single domain

Step 3: Evaluate success metrics

Step 4: Introduce convergence of processes

Step 5: Engage & alignment of stakeholders to program vision

(12)

GRC Tool ROI Spectrum

Return Drivers

Return Drivers

Return Drivers

Return Drivers

Project definition

View of implementation plan (short-run VS long-run)

Ability to bridge people, process and technology

Technology leverage (full suite of modules)

Cross-domain strategy

Program stakeholders

Project definition

View of implementation plan (short-run VS long-run) Cross-domain strategy

Technology

Bridging people, process and technology Program sponsorship

Implementation

ROI

=

Implementation

Costs

+

(13)

GRC Tool ROI Spectrum

Step 1: Formalize eGRC program (Framework, Vision, Scope)

Step 2: Document, benchmark and optimize process and content for

multiple domains

Step 3: Identify data gaps and consolidate siloes of information

(common taxonomy)

Step 4: Fully enable and align stakeholders… continuously reviewing

(14)

GRC Tool GRC Maturity Spectrum

Risk Identification

& Reaction

• Silo’d, fragmented

information

• “Get it done”

mentality

• No/minimal

dedicated

resources

Risk Awareness &

Anticipation

• Efficiency and

automation

• Basic governance

and strategy

• Increased

accountability

• Key risk appetites

known

Risk Integration

& Collaboration

• Continuous

monitoring and

improvement

• Enterprise

objectives set and

coordinated

• Complete content

taxonomy and

visibility

• Integrated,

streamlined

processes

GRC Optimization &

Intelligence

• Risks identified

• Risk posture

understood

• Aggregated,

prioritized view

managing key

performance

indicators

• Active governance

• Automated,

integrated systems

What’s next?

(15)

Questions? Comments?

Carl Sawicki

[email protected]

602.766.7338

Kathleen Randall

[email protected]

310.318.4883

References

Download now ( PDF - 15 Page - 1.24 MB )

Related documents

MADRID CITY REPORT. Belén Zorrilla Elena Boldo* Public Health Institute

reduced to 20 µg/m 3 , all other risks being equal, and only the short term effects (0-1 days) are taken into account, 538 hospital admissions for respiratory and cardiac

Encrypting a Single Customer View file using WinZip

Click the ‘New…’ button to assign a name to the archive (at this point you can also choose a different location if required – make a note of the directory you have selected as

Numerical and experimental investigation on the elastic properties of discontinuous fiber reinforced composites

1) An integrated software package is developed to predict the elastic properties of DFRC, and the prediction shows good agreement with the data of the tensile test of

COALA: A Protocol for the Avoidance and Alleviation of Congestion in Wireless Sensor Networks

Specifically, TALONet combines various levels of transmission power in order to relieve existing congestion in data link layer, along with buffer management to avoid congestion

Mobility particle size spectrometers: Calibration procedures and measurement uncertainties

Following calibration procedures and target uncertainties against standards and reference instruments are suggested for a complete MPSS quality assurance program: (a) calibration of

Estimating the benefits of cooperation in a residential microgrid: A data-driven approach

To quantify their potential, we use detailed energy consumption and production data collected from 201 households in Austin (Texas) over the year 2014 as well as historic

Why Buy Cyber and Privacy Liability When You Have a Perfectly Good Commercial General Liability Program?

Even before the recent 2014 data breach exclusions were introduced, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, entitled “Amendment

A natural language help system shell through functional programming

Given the list of possible tag sets it is often found that all of them are the same: ambiguities in parsing do not always reflect semantic ambiguities. When all the syntax has