Business and IT Compliance Strategy
A Conceptual Framework
Allyn McGillicuddy
The Office Of The CIO
Enterprise Compliance Process
• Is it sufficiently scalable to encompass functions within the enterprise?
• Is funding for compliance remediation adequate?
• Is it fully integrated into day-to-day business operations?
• Does it have the appropriate executive sponsorship/ownership?
• Has the compliance process achieved a reasonable level of simplicity?
• Is the program cost appropriate?

Office of the CIO® © Proprietary 2013
Compliance Process Challenges
• Compliance management processes are labor-intensive
• Compliance automation is often fragmented among disparate systems and data structures
• Widespread organizational agility is evolving too slowly to keep pace with dynamic business and technology demands such as mobile payments
• Shortcomings cannot be attributed to lack of either effort or good intentions.

Stakeholder View of Compliance?

For Others, It’s Like Taking the DMV Road Test Without the Benefit of a Driver’s Manual…

…Or Like Trying to Get From Point A to B in Ireland Without a Michelin Guide.

Established Frameworks Help To Organize the Process…
• COBIT
• ISO/IEC 27002
• Common Security Framework (CSF)
• DSCI Security Framework (DSF©)
• EU Data Security Framework
• NIST
• COSO

… But Establishing a Single, Unified Enterprise Strategy That Fits Can Be Daunting.

A Pragmatic Alternative: Distill and Decompose the Process
• Group Major Compliance Process Elements
• Define Core Competencies for Each Process Group
• Set Process Group Competency Goals
• Enable Skills Focus via Division of Labor

A Compliance Process Framework
Reliable and efficient business framework to assess, execute, monitor, and audit enterprise compliance

ASSESS: Find Gaps
EXECUTE: Remediate
MONITOR: Monitor Results
   • Network
   • Data
   • Access
   • Applications
   • Threats
AUDIT: Prove Compliance

The ASSESS Process
• Controlled Self-assessment
• Risk Frameworks and Scripts
• Asset Inventories
• Configuration Management Library/database
• Business Process Mapping

A core goal of this process is to find evidence of compliance controls and gaps, to prove they do/do not exist.

The EXECUTE Process
• Actions to remediate the observed gaps
• Real-time evidence of control mechanisms
• Evaluate/quantify risk tailored to compliance objectives
• Tools, such as self-assessment software and scripts
• Training
• Programs to support compliance

The MONITOR Process
Validate: Monitor and measure to validate previous decisions and remedial controls
Direct: Monitor and measure to set direction for activities in order to meet compliance targets
Justify: Monitor and measure to justify, with factual evidence or proof, that a course of action is/is not required
Intervene: Monitor and measure to identify a point of intervention, including subsequent changes and corrective actions

The AUDIT Process
• Prove compliance: Measure and prove the effectiveness of the compliance programs
• Evidence of Policies and their Dissemination
• Evidence Repository for Assessments
• Results – evidence of control mechanisms
• Reports

Process Competence Plan
• Identify, target improved skills and capabilities for each of the four process groups
• Establish tactical and strategic goals, plans to close gaps
• Identify evidence/metrics of target goal achievement
• Report results, evaluate achievement

[Figure: iterative cycle diagram; each loop begins with “Assess/measure”, with the entry point marked “start”]

Process Capability Escalator*
• Minimum level of prerequisite items are available to support the process activities
• Organizational policy statements, business objectives providing purpose & guidance
• Process Capability – Evidence that defined steps are being carried out
• Internal Integration – Activities are integrated sufficiently to fulfill the process intent
• Products – Actual output of the process, evidence that relevant products are produced
• Quality Control – Review and verification of the process output
• Management Information – Adequate and timely information to support management decisions
• External Integration – All process interfaces are identified and understood
• Validation – External review and validation of the process

* This is an ITIL capability framework example, with a view toward progressive capability achievement. Other frameworks can be useful.

The Underlying Capability Strategy…

[Figure: capability strategy diagram with axes labelled “efficiency” and “organization”; remaining diagram labels not recoverable]

… Achieved Via Managing Defined Process Competency …

[Figure: competency diagram spanning the “efficiency” and “organization” axes, with six elements:]
• Rules and Policy
• Inventory and Process
• Tools, Training, Programs
• Assessment Methods, automation
• Risk Identification, Management
• Best-in-Breed Applications

… And By Integrating Business and IT Compliance Controls
1. Define “Top-down”, broad business processes
2. Decompose broad processes to identify in-scope business process activities
3. Map in-scope process activities to compliance policies
4. Define and integrate business control procedures
5. Focus IT capabilities on automating required IT controls, automating business controls, assessment, and reporting

Example: Integrated Business - IT Controls
Business Process: Payer Payment/Deductible/Denial Posting & Reconciliation
Transaction: Auto-Posting Transaction – Processing billing or payment information on a timely basis
Business Policy: Policy 8.5.8. Use of another person’s login to gain access to company systems and network is prohibited. Do not use group, shared, or generic accounts and passwords.
Compliance Requirement: PCI-DSS-002 Password Control
Business Compliance Control: Implement Strong Access Control Measures
IT Compliance Control Policies:
• 8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties
• 8.4 Encrypt all passwords during transmission and storage on all system components
• 8.5.4 Immediately revoke access for any terminated users

Defining Business Controls
1. The Business Activity is documented as a model comprising
   • Process Activities
   • Governance Activities
2. The Compliance Policy requires the business process to incorporate Governance Activities at specific points
3. The Business Entity determines the specific integration of the Governance Activity within the business process
4. The Compliance Process
   • Verifies the presence of the Governance Activity within the business process and
   • Documents the evidence of the controls

[Figure: example process flow – establish patient’s account in billing → Update a patient’s account → Communicate Ambulatory Payment Classification (APC) grouping → Delete a patient’s billing/accounts receivable records; a governance decision “Strong Access Measures in Place?” gates the flow (Y: continue; NO: Notify Supervisor)]

Business Processes with Compliance Controls

[Figure: three swimlanes, each gated by a “Compliance Control?” decision with Y and N branches]
Determine Patient Eligibility: Establish Eligibility Criteria → Obtain Client’s Eligibility Information for Payment → Compliance Control? → Electronically Verify Eligibility → Download Patient Eligibility Data
A/P Reimbursement: Determine Type of Reimbursement → Calculate Amount of Reimbursement → Compliance Control? → Provide Payment
Pharmaceutical/Medical Management Services: Formulate a Medication Treatment Plan → Process Payment Information on a Timely Basis → Compliance Control? → Manage Medication Inventory → Generate Report

Control Point Example: Limit access to billing information via designated payment workstation*

Control: PCI/P05.01 – Limit ability to view/update member’s account to PCI-DSS Compliant Workstations
Description: Modify application access to check for PCI-DSS compliant workstation
Decision point: Strong Access Measures in Place? → YES
Inputs: View/update billing transaction flag; Workstation identifier
Outputs: Member Number; Plan Type
In-scope Roles: Billing Clerk; A/R Specialist; A/R Supervisor; Region Controller

* Example, for illustration purposes
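The control point above, as an added example that is not part of the deck: a Python check that applies the slide's inputs, in-scope roles and YES/NO branches, and records every decision as evidence for the AUDIT process. The workstation allowlist, user names and evidence-record layout are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

CONTROL_ID = "PCI/P05.01"  # control reference from the slide

# Constructed allowlist (assumption): workstation identifiers the enterprise
# has assessed as PCI-DSS compliant, i.e. the designated payment workstations.
PCI_COMPLIANT_WORKSTATIONS = {"PAY-WS-001", "PAY-WS-002"}

# In-scope roles named on the slide; no other role may reach billing data.
IN_SCOPE_ROLES = {"Billing Clerk", "A/R Specialist",
                  "A/R Supervisor", "Region Controller"}


@dataclass
class BillingRequest:
    user: str
    role: str
    workstation_id: str
    view_update_billing: bool   # the "view/update billing transaction flag"
    member_number: str
    plan_type: str


@dataclass
class ControlDecision:
    allowed: bool
    reason: str
    outputs: Dict[str, str] = field(default_factory=dict)
    notify_supervisor: bool = False   # the NO branch on the slide


# Evidence repository for the AUDIT process: every decision is recorded so
# the control's operation can later be proven rather than asserted.
EVIDENCE_LOG: List[Dict[str, object]] = []


def _record(req: BillingRequest, decision: ControlDecision) -> None:
    EVIDENCE_LOG.append({
        "control": CONTROL_ID,
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req.user,
        "role": req.role,
        "workstation": req.workstation_id,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })


def check_billing_access(req: BillingRequest) -> ControlDecision:
    """Evaluate the control point: 'Strong Access Measures in Place?'"""
    if not req.view_update_billing:
        # Not a billing view/update transaction; the control does not apply.
        decision = ControlDecision(True, "control not applicable")
    elif req.role not in IN_SCOPE_ROLES:
        decision = ControlDecision(False, "role not in scope",
                                   notify_supervisor=True)
    elif req.workstation_id not in PCI_COMPLIANT_WORKSTATIONS:
        decision = ControlDecision(False, "workstation not PCI-DSS compliant",
                                   notify_supervisor=True)
    else:
        # YES branch: release the controlled outputs named on the slide.
        decision = ControlDecision(True, "strong access measures in place",
                                   outputs={"member_number": req.member_number,
                                            "plan_type": req.plan_type})
    _record(req, decision)   # evidence of the control mechanism, either way
    return decision
```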


Steps to Create Business Governance Control Processes
1. Employ a Reference Process Model
2. Map Reference Model Processes to Actual Processes
3. Identify the in-scope Compliance Processes
4. Define and Implement the Required Controls

Integrate the Four Compliance Processes via a Risk-Prioritized Process Foundation

ASSESS: Find Gaps | EXECUTE: Remediate | MONITOR: Monitor Results | AUDIT: Prove Compliance
RISK-PRIORITIZED PROCESS FOUNDATION (underlying all four process groups)

• Prioritize all process activities based on relative risk
• Perform quarterly, structured risk recalibration and adjust plans accordingly

Transition Steps/Considerations
• Establish and Leverage Compliance Process Dashboards
   • Dashboards designed for each of the 4 process groups
   • Map current activities to one or more process groups
   • Appoint enterprise process leaders for each process group
• Integrated Enterprise View of Compliance Process Data
   • Single data view of aggregated compliance-relevant data
   • Enterprise view of compliance risk vectors
      • External risk
      • Internal risk

Discussion: the Big Picture
• What’s Missing?
• What’s Wrong?
• Anything Right?
• Thank You!
Continuous Auditing D.FrenchContinuous Auditing D.French
Continuous Auditing D.French
 
It Risk Advisory Brochure
It Risk Advisory BrochureIt Risk Advisory Brochure
It Risk Advisory Brochure
 
It Risk Advisory Brochure
It Risk Advisory BrochureIt Risk Advisory Brochure
It Risk Advisory Brochure
 
It Risk Advisory Brochure
It Risk Advisory BrochureIt Risk Advisory Brochure
It Risk Advisory Brochure
 
Accelerate Time to Business Outcomes through BPM
Accelerate Time to Business Outcomes through BPMAccelerate Time to Business Outcomes through BPM
Accelerate Time to Business Outcomes through BPM
 
Cloud Governance Presentation Dreamforce 2012
Cloud Governance Presentation Dreamforce 2012Cloud Governance Presentation Dreamforce 2012
Cloud Governance Presentation Dreamforce 2012
 
M&A Process Model
M&A Process ModelM&A Process Model
M&A Process Model
 
Infusing EPM in people and process
Infusing EPM in people and processInfusing EPM in people and process
Infusing EPM in people and process
 
Delivering applications at the pace of business
Delivering applications at the pace of businessDelivering applications at the pace of business
Delivering applications at the pace of business
 
Networx Apoint E
Networx Apoint ENetworx Apoint E
Networx Apoint E
 
AdvisorAssist Presentation: Cloud Computing and Compliance For RIAs
AdvisorAssist Presentation:  Cloud Computing and Compliance For RIAsAdvisorAssist Presentation:  Cloud Computing and Compliance For RIAs
AdvisorAssist Presentation: Cloud Computing and Compliance For RIAs
 
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy ModelerRole Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
 

Último

Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
Appkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxAppkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxappkodes
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaoncallgirls2057
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environmentelijahj01012
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdfShaun Heinrichs
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Pereraictsugar
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
Send Files | Sendbig.comSend Files | Sendbig.com
Send Files | Sendbig.comSend Files | Sendbig.comSend Files | Sendbig.comSend Files | Sendbig.com
Send Files | Sendbig.comSend Files | Sendbig.comSendBig4
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationAnamaria Contreras
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Peter Ward
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCRashishs7044
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...ssuserf63bd7
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxmbikashkanyari
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 

Último (20)

Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
Appkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptxAppkodes Tinder Clone Script with Customisable Solutions.pptx
Appkodes Tinder Clone Script with Customisable Solutions.pptx
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Perera
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
Send Files | Sendbig.comSend Files | Sendbig.com
Send Files | Sendbig.comSend Files | Sendbig.comSend Files | Sendbig.comSend Files | Sendbig.com
Send Files | Sendbig.comSend Files | Sendbig.com
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement Presentation
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
Call Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North GoaCall Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North Goa
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 

Business and IT Compliance Strategy

  • 1. Business and IT Compliance Strategy: A Conceptual Framework. Allyn McGillicuddy, The Office Of The CIO
  • 2. Enterprise Compliance Process
    • Is it sufficiently scalable to encompass functions within the enterprise?
    • Is funding for compliance remediation adequate?
    • Is it fully integrated into day-to-day business operations?
    • Does it have the appropriate executive sponsorship/ownership?
    • Has the compliance process achieved a reasonable level of simplicity?
    • Is the program cost appropriate?
    Office of the CIO® © Proprietary 2013
  • 3. Compliance Process Challenges
    • Compliance management processes are labor-intensive
    • Compliance automation is often fragmented among disparate systems and data structures
    • Widespread organizational agility is evolving too slowly to keep pace with dynamic business and technology demands such as mobile payments
    • Shortcomings cannot be attributed to lack of either effort or good intentions.
  • 4. Stakeholder View of Compliance?
  • 5. For Others, It’s Like Taking the DMV Road Test Without the Benefit of a Driver’s Manual…
  • 6. …Or Like Trying to Get From Point A to B in Ireland Without a Michelin Guide.
  • 7. Established Frameworks Help To Organize the Process… COBIT, ISO/IEC 27002, Common Security Framework (CSF), DSCI Security Framework (DSF©), EU Data Security Framework, NIST, COSO
  • 8. … But Establishing a Single, Unified Enterprise Strategy That Fits Can Be Daunting.
  • 9. A Pragmatic Alternative: Distill and Decompose the Process
    • Group Major Compliance Process Elements
    • Define Core Competencies for Each Process Group
    • Set Process Group Competency Goals
    • Enable Skills Focus via Division of Labor
  • 10. A Compliance Process Framework: a reliable and efficient business framework to assess, execute, monitor, and audit enterprise compliance
    [diagram: four process groups] ASSESS (find gaps) → EXECUTE (remediate) → MONITOR (monitor remediation results: network, data, access, applications, threats) → AUDIT (prove compliance)
  • 11. The ASSESS Process
    • Controlled Self-assessment
    • Risk Frameworks and Scripts
    • Asset Inventories
    • Configuration Management Library/database
    • Business Process Mapping
    A core goal of this process is to find evidence of compliance controls and gaps, to prove they do/do not exist.
  • 12. The EXECUTE Process
    • Actions to remediate the observed gaps
    • Real-time evidence of control mechanisms
    • Evaluate/quantify risk tailored to compliance objectives
    • Tools, such as self-assessment software and scripts
    • Training
    • Programs to support compliance
  • 13. The MONITOR Process
    • Validate: monitor and measure to validate previous decisions and remedial controls
    • Direct: monitor and measure to set direction for activities in order to meet compliance targets
    • Justify: monitor and measure to justify, with factual evidence or proof, that a course of action is/is not required
    • Intervene: monitor and measure to identify a point of intervention, including subsequent changes and corrective actions
  • 14. The AUDIT Process
    • Prove compliance: measure and prove the effectiveness of the compliance programs
    • Evidence of Policies and their Dissemination
    • Evidence Repository for Assessments
    • Results: evidence of control mechanisms
    • Reports
  • 15. Process Competence Plan
    • Identify, target improved skills and capabilities for each of the four process groups
    • Establish tactical and strategic goals, plans to close gaps
    • Identify evidence/metrics of target goal achievement
    • Report results, evaluate achievement
    [diagram: assess/measure cycle, starting at "assess/measure"]
  • 16. Process Capability Escalator*
    • Prerequisites: minimum level of prerequisite items are available to support the process activities
    • Management Intent: organizational policy statements, business objectives providing purpose and guidance
    • Process Capability: evidence that defined steps are being carried out
    • Internal Integration: activities are integrated sufficiently to fulfill the process intent
    • Products: actual output of the process, evidence that relevant products are produced
    • Quality Control: review and verification of the process output
    • Management Information: adequate and timely information to support management decisions
    • External Integration: all process interfaces are identified and understood
    • Validation: external review and validation of the process
    * This is an ITIL capability framework example, with a view toward progressive capability achievement. Other frameworks can be useful.
  • 17. The Underlying Capability Strategy…
    [diagram: capability strategy plotted on efficiency and organization axes]
  • 18. … Achieved Via Managing Defined Process Competency …
    [diagram, efficiency vs. organization axes] Rules and Policy; Tools, Inventory and Process; Training and Programs; Assessment Methods, automation; Risk Identification, Management; Best-in-Breed Applications
  • 19. … And By Integrating Business and IT Compliance Controls
    1. Define “top-down”, broad business processes
    2. Decompose broad processes to identify in-scope business process activities
    3. Map in-scope process activities to compliance policies
    4. Define and integrate business control procedures
    5. Focus IT capabilities on automating required IT controls, automating business controls, assessment, and reporting
  • 20. Example: Integrated Business - IT Controls
    • Business Process: Payer Payment/Deductible/Denial Posting & Reconciliation
    • Transaction: Auto-Posting; processing billing or payment information on a timely basis
    • Business Policy 8.5.8: Use of another person’s login to gain access to company systems and network is prohibited. Do not use group, shared, or generic accounts and passwords.
    • Compliance Requirement: PCI-DSS-002 Password Control
    • Business Compliance Control: Implement Strong Access Control Measures
    • IT Compliance Control Policies:
      • 8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties
      • 8.4 Encrypt all passwords during transmission and storage on all system components
      • 8.5.4 Immediately revoke access for any terminated users
  • 21. Defining Business Controls
    1. The Business Activity is documented as a model comprising
      • Process Activities
      • Governance Activities
    2. The Compliance Policy requires the business process to incorporate Governance Activities at specific points
    3. The Business Entity determines the specific integration of the Governance Activity within the business process
    4. The Compliance Process
      • Verifies the presence of the Governance Activity within the business process and
      • Documents the evidence of the controls
    [flowchart: establish patient’s account in billing → update a patient’s account → Strong Access Measures in Place? Y: communicate Ambulatory Payment Classification (APC) grouping; NO: notify supervisor → delete a patient’s billing/accounts receivable records]
  • 22. Business Processes with Compliance Controls
    [flowchart, three process lanes, each with a "Compliance Control?" decision point]
    • Patient Eligibility: Determine Eligibility Criteria → Obtain Client’s Eligibility Information → Establish Eligibility for Payment → Download Patient Eligibility Data → Compliance Control? Y → Electronically Verify Eligibility
    • A/P Reimbursement: Determine Type of Reimbursement → Calculate Amount of Reimbursement → Compliance Control? Y → Provide Payment
    • Pharmaceutical/Medical Management: Formulate a Medication Treatment Plan → Process Payment Information on a Timely Basis → Compliance Control? Y → Manage Medication Inventory → Generate Report Services
  • 23. Control Point Example: Limit access to billing information via designated payment workstation*
    • Control PCI/P05.01: Limit ability to view/update member’s account to PCI-DSS compliant workstations
    • Description: Modify application access to check for PCI-DSS compliant workstation
    • Inputs: Member Number, Plan Type, Workstation identifier
    • Outputs: View/update billing transaction flag
    • In-scope Roles: Billing Clerk, A/R Supervisor, A/R Specialist, Region Controller
    [flowchart: Strong Access Measures in Place? YES]
    * Example, for illustration purposes
  • 24. Steps to Create Business Governance Control Processes
    Employ a Reference Process Model → Map Reference Model Processes to Actual Processes → Identify the in-scope Compliance Processes → Define and Implement the Required Controls
  • 25. Integrate the Four Compliance Processes via a Risk-Prioritized Process Foundation
    [diagram] ASSESS (find gaps) → EXECUTE (remediate) → MONITOR (monitor remediation results) → AUDIT (prove compliance), all resting on a RISK-PRIORITIZED PROCESS FOUNDATION
    • Prioritize all process activities based on relative risk
    • Perform quarterly, structured risk recalibration and adjust plans accordingly
  • 26. Transition Steps/Considerations
    • Establish and Leverage Compliance Process Dashboards
      • Dashboards designed for each of the 4 process groups
      • Map current activities to one or more process groups
      • Appoint enterprise process leaders for each process group
    • Integrated Enterprise View of Compliance Process Data
      • Single data view of aggregated compliance-relevant data
      • Enterprise view of compliance risk vectors
        • External risk
        • Internal risk
  • 27. Discussion: the Big Picture
    • What’s Missing?
    • What’s Wrong?
    • Anything Right?
    • Thank You!
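The control point on slide 23 (PCI/P05.01) combined with the "notify supervisor" branch of slide 21, as an added illustration that is not the author's or the Office of the CIO's code: one function applies the business control (requester holds an in-scope role) and the IT control (request comes from a PCI-DSS compliant workstation), returns the view/update transaction flag, and emits an evidence record for the AUDIT repository. The compliant-workstation inventory, the role names as strings, and the record layout are assumptions; the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Control metadata as stated on the slide.
CONTROL_ID = "PCI/P05.01"
IN_SCOPE_ROLES = frozenset(
    {"Billing Clerk", "A/R Supervisor", "A/R Specialist", "Region Controller"}
)
ALLOWED_ACTIONS = frozenset({"view", "update"})

# Constructed sample inventory. Assumption: the ASSESS process's asset inventory /
# configuration management database publishes which workstations are PCI-DSS compliant.
COMPLIANT_WORKSTATIONS = frozenset({"WS-PAY-01", "WS-PAY-02"})


@dataclass(frozen=True)
class BillingRequest:
    member_number: str    # input: Member Number
    plan_type: str        # input: Plan Type
    workstation_id: str   # input: Workstation identifier
    role: str             # requester's business role
    action: str           # "view" or "update"


@dataclass(frozen=True)
class ControlDecision:
    transaction_flag: bool   # output: view/update billing transaction flag
    reason: str
    notify_supervisor: bool  # slide 21 "NO" branch: strong access measures not in place
    evidence: dict           # record destined for the AUDIT evidence repository


def _mask(member_number: str) -> str:
    """Keep only the last four characters so evidence records carry minimal member data."""
    return "*" * max(len(member_number) - 4, 0) + member_number[-4:]


def evaluate_control(req: BillingRequest,
                     compliant_workstations=COMPLIANT_WORKSTATIONS,
                     now: Optional[datetime] = None) -> ControlDecision:
    """Apply the business control (in-scope role) and the IT control
    (PCI-DSS compliant workstation); return the flag plus audit evidence."""
    if req.action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported billing action: {req.action!r}")

    role_ok = req.role in IN_SCOPE_ROLES
    workstation_ok = req.workstation_id in compliant_workstations

    if not role_ok:
        allowed, notify, reason = False, False, "role not in scope for billing access"
    elif not workstation_ok:
        # Strong access measures not in place: deny and route to the supervisor.
        allowed, notify, reason = False, True, "workstation not PCI-DSS compliant"
    else:
        allowed, notify, reason = True, False, "in-scope role on compliant workstation"

    evidence = {
        "control_id": CONTROL_ID,
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "member_number": _mask(req.member_number),
        "plan_type": req.plan_type,
        "workstation_id": req.workstation_id,
        "workstation_compliant": workstation_ok,
        "role": req.role,
        "role_in_scope": role_ok,
        "action": req.action,
        "transaction_flag": allowed,
        "reason": reason,
    }
    return ControlDecision(allowed, reason, notify, evidence)


if __name__ == "__main__":
    # Constructed request: an in-scope clerk updating a record from a compliant workstation.
    sample = BillingRequest("M12345678", "PPO", "WS-PAY-01", "Billing Clerk", "update")
    print(evaluate_control(sample))
```

Every call, allowed or denied, produces an evidence record, which is what lets the MONITOR and AUDIT process groups later prove that the control was exercised rather than merely documented.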