SlideShare una empresa de Scribd logo

2013 RSA Archer GRC Executive Forum Key Findings

E
EMC

This 10th annual event - The 2013 RSA Archer GRC Summit - offered a three-day agenda packed with case studies, best practices, and industry trends that will help you grow your governance, risk, and compliance (GRC) program…and your career. Read how leaders are integrating GRC into a unified view of risk management, driving risk responsibility into business units, winning program support, and more.

TecnologíaEmpresarialesEconomía y finanzas
1 de 7
Descargar para leer sin conexión
® KEY FINDINGS RSA, the Security Division of EMC, hosted its secondannual RSA Archer® GRC Executive Forum, an invitation-only event attended by more than 50 business leaders responsible for their organizations’ enterprise risk management, corporate compliance, audit, information technology, or security programs (GRC for shorthand). GRC “integration” continued to be top-of-mind at this year’s Forum. Participants typically used this phrase to mean either applying the same GRC solutions across organizational siloes or to pulling outputs of disparate solutions together, to create a unified view of risk management information. The idea of GRC integration (used interchangeably by some speakers with “harmonizing” GRC or employing a “consistent approach”) referred to the process and technology aspects of GRC; it did not necessarily mean unifying all GRC activities under one director or one cross-company team. As with 2012’s inaugural Forum, GRC program owners from this year’s event reported they’re creating consistency in their GRC frameworks so that
information extracted from different organizational siloes share a common data structure and provide a bigger-picture view of risk and performance. “There’s no debate on the importance of integrating risk and governance silos,” said one participant. “Getting the broader view is what’s needed to promote the good and prevent the bad.” Another theme carried over from last year’s Forum is the idea that GRC may be fading as a discrete discipline. Forum participants reported they’re continuing to drive responsibility for risk management into business units. They’re looking for ways to embed risk monitoring and controls into everyday business processes, to the point that one speaker at the event said, “Your objective should be to be invisible to the business.” In contrast with last year’s Forum, in which GRC program managers shared strategies for winning board support, the emphasis at this year’s event shifted toward winning support for GRC initiatives from business leaders and front-line managers. This shift is consistent with the broader trend of enfolding GRC into “the business.” Many other trends were discussed at the 2013 RSA Archer GRC Executive Forum. This document highlights recurring themes and important observations from the event.
ORGANIZATIONS FACE RAPID RATE OF REGULATORY CHANGE In an informal audience poll (not scientific), about three-quarters of the Forum’s participants said they operate within highly regulated industries. Forum participants reported that rising regulatory oversight and complexity has driven them to improve transparency across risk domains and organizational units. “It’s very challenging to cope with a doubling in what we have to track with no change to process, approach or staff,” said a Forum participant. Many companies are intensifying their efforts to create efficiencies in GRC policy and procedure management across different parts of the company and to improve how they map those policies and procedures to laws and regulations. GRC researcher Michael Rasmussen shared statistics on the accelerating rate of regulatory change. In 2008, the banking industry saw 8,704 changes to key regulations; in 2012, there were 17,000+ changes. “We’re dealing with increased regulatory complexity with fewer resources, so we’re [pushing for a consistent GRC approach] because we can’t afford not to do it,” said a participant from the financial services industry. International expansion has compounded regulatory complexity for many companies’ GRC programs. “There’s a crazy velocity in emerging markets to regulate,” said one participant whose company is expanding its operations in China and India. “You need in-country leads where you operate whose job it is to work with legislators and regulators. That’s pretty resource-intensive.” DECENTRALIZE GRC TO ADAPT TO REGULATORY CHANGE AND COMPLEXITY To enable their organizations’ GRC capabilities to accommodate the accelerating rate of regulatory change, Forum participants said they’re decentralizing some GRC functions. They’re distributing responsibilities such as tracking changes in regulations to regional teams. They’re also driving risk monitoring to lower levels of the business. One participant stated, "The GRC program may be owned by the chief compliance officer, but ownership really comes down to the business owners. It has helped us to have these owners documented so we know where to go when new regulatory changes come down the line and who should manage exceptions associated with the new reg. … We also have [GRC responsibilities] divided up regionally. Then, it’s divided by country managers. There are people on the ground doing regional translations to identify impacts." Another shared, "To assume we’ve captured all our risks is naïve. We’re constantly looking for what we’ve missed. It has to start with relationships at the local level. Risk leaders at the local level are key to getting the data we’re missing. … At first, we were surprised how many green dots we had on our dashboards and how quiet the meetings were. As trust developed, more reds and yellows popped up and communications began to flow. As trust develops among teams, a more honest picture of risk emerges because of better, more transparent data sharing."
FOCUS INTEGRATION PROGRAMS ON CONVERGENCE, NOT CONVERSION Organizations are rationalizing multiple siloed compliance programs by mapping linkages across regulations, policies, rules, assets (such as facilities and IT infrastructure), and controls. While individual parts of the organization may have their own GRC methodologies and tools, it’s up to the GRC executive owner to help harmonize approaches among groups. “GRC maturity centers on collaboration. It’s up to the GRC facilitator to get people to play in the same sandbox.” A couple of Forum participants, drawing from their experiences, suggested that the most productive first step in GRC integration is to focus on converging data streams from disparate groups, not converting everyone to new processes and technologies. “We are starting at the elementary level to come to agreement [with various business] teams. We don’t change how they are doing things, but bring them together into an enterprise view,” said a participant who recently began a crossenterprise GRC integration program. Another participant said, “We realized we needed to share GRC vocabulary, the taxonomy and then we can pull that through to other departments. We can’t afford not to do this.” DRIVE RESPONSIBILITY FOR GRC DEEPER INTO THE BUSINESS Expanding beyond last year’s discussions on winning board- and C-level support for GRC programs, this year’s Forum attendees shared strategies for enlisting active participation from business leaders and front-line managers. “You can’t just have a top-down risk structure. … The more people that buy in, the better your chances to succeed.” The focus on front-line business leaders at this year’s Forum did not mean GRC leaders didn’t value top-level support. “Having the message top-down from senior leadership allows you to pull risk education down to all employees. You don’t want to ask them to do a lot more, but make them aware. Make it easy. Get senior leaders to say, ‘What does Risk think?’ As soon as this is stated, you no longer have to chase people down.” Yet, beyond top-level executive support, this year’s Forum attendees seemed to acknowledge that their enterprise GRC programs depended on the cooperation of lower-level business leaders. One Forum speaker observed, “You can have the best (GRC) policies but ultimately you control nothing. The business controls implementation … so you have to show how what you’re doing can make their job easier and build knowledge there.” Forum participants expressed a growing sense that everyone in the company should have an ownership stake in GRC. Involving different parts of the business in GRC processes was diplomatically described by some as requiring “thoughtful planning” and by others as “painful.” To enlist broader business participation in GRC initiatives, a couple of speakers said GRC program owners should focus on the process of risk and compliance assessments, not on organizational actors. “Don’t let ownership get in the way, because if you get stuck on organizational change up front, you won’t succeed. We looked at the process, what part [each team] had to
play, and we tried not to get wrapped around the wheel on ownership. After all, the business owner is the one who needs to be compliant.” INJECT A "SO WHAT?" INTO PROGRAM MEASUREMENTS In an informal audience poll, just about everyone said they wanted better metrics for measuring GRC impact. In subsequent discussions, Forum participants said they do not have good ways to measure GRC success. Many felt their existing metrics focused on “project management” or process measurements. They would prefer to re-orient their program measurements on business impacts or on evidence of ethical outcomes. “What’s important is that we report in ‘human-speak’ and what it means to the business,” said a Forum participant. Another speaker at the Forum disclosed, “We force our risk owners to have ‘so-what’ sessions to synthesize what risk data to evaluate. This way, it’s not just a simple red/yellow status indicator. We all benefit from having conversations about the risk so-whats.” For assessing ethical compliance, for which it may be difficult to develop hard metrics, several speakers encouraged GRC program owners to “avoid the ‘checkbox’ programs—that is, just checking the box and that makes everything okay. Think instead about the letter and spirit of law. Ethical precepts are at the base of laws. Compliance structures support ethical outcomes.” Another speaker said, “In audits, the ethical response might not be the one that checks the box. You may have to ask if you’re complying with the intent of the law or regulation.” TIE GRC TO ENTERPRISE PERFORMANCE Customers with more advanced GRC programs expressed their intent to combine enterprise and operational risk management with performance management. These customers are in the process of transitioning from reporting on risk- and controlthresholds to reporting performance-focused metrics. Said one Forum participant, “Keep it as simple as possible. Collaborate with key risk stakeholders. Limit impact to the business when designing a measurement process.” Many GRC program owners seem to be in the exploratory phase: experimenting with ways to tie compliance and risk metrics to business processes and business outcomes. They acknowledge their GRC programs are more mature in some processes than others, so metrics and measurement quality will differ. “Operational risk is vast. Legal is more qualitative. We have different measurements for different types of risk. Our overarching goal, however, is that we make [what’s measured] meaningful to business first, not risk managers.” The push to link GRC programs to enterprise performance metrics may be driven in part by the scrutiny and support that corporate governance and risk management functions are getting from boards of directors. “We report up to the board through the board’s audit committee. So, we have to match measurements to management’s expectations and report at the appropriate level.”
CALIBRATE CULTURE SO RISK ISN’T SEEN AS BAD Forum participants emphasized the importance of cultivating organizational cultures that encourage openness and disclosure—even if what’s being disclosed is bad news. “This a cultural shift, bringing information forward and not being penalized when you bring issues up. People often are afraid when they see [red metrics], but we have to be able to define our emerging risks in order to deal with them. Risk cannot be seen as bad.” A culture of openness begins at the top. Said one Forum speaker, “If management admits issues, then the rank and file will see it’s okay to do so. It takes courage to do the right thing.” ASSIMILATE THREAT MONITORING AND DETECTION INTO GRC PROGRAMS Cyber risks have expanded, with BYOD, mobile, and cloud computing all introducing new security threats and risk management challenges. Along with external exposures, organizations must also contend with employee misbehavior. Echoing a familiar refrain often heard in the information security industry, a Forum participant said, “There are two kinds of companies: companies who have been breached and companies who know they have been breached.” GRC program owners recognize their inputs, tools, and processes must evolve with the threat. For that reason, they’re exploring using a wider range of data sources and advanced analytics to make threat detection and risk assessments timelier, more comprehensive and accurate. In addition to ingesting traditional types of structured information (logs and events), GRC tools must also accommodate unstructured information, such as audit findings, social media reports, and external threat intelligence feeds. PREPARE FOR BIG DATA IN RISK ASSESSMENTS The data analytics methods, Big Data inputs, and data visualization tools used in other enterprise functions are now making their way into enterprise GRC programs. The use of advanced analytics tools in this domain, though, is still nascent. “It’s definitely an evolution. There is overlap in the maturity elements. Take stochastic modeling … we’re enamored with the results, but there’s a false impression that we are going to run business by these results. It’s just not there yet. We need to take a look farther into the distribution to use it for modeling.” Another Forum participant noted, “Risk measurements are becoming more analytical … not just for assessments but also for forecasting.” Applying big data for predictive risk analytics, not just historic analyses, will become increasingly important in the coming years.
CONTACT US To learn more about how EMC and RSA products, services and solutions can help solve your business and IT challenges, contact your local representative or authorized reseller—or visit us at www.EMC.com/rsa. EMC2, EMC, the EMC logo, Archer, RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. © Copyright 2013 EMC Corporation. All rights reserved. Published in the USA. 09/13 EMC Perspective. H12373 EMC believes the information in this document is accurate as of its publication date. The information is subject to change without notice. www.EMC.com/rsa

Recomendados

Informe de empleados
Informe de empleadosInforme de empleados
Informe de empleadosNathalia Sanchez
 
20120827maru scaleout seminar
20120827maru scaleout seminar20120827maru scaleout seminar
20120827maru scaleout seminarMaco Yoshioka
 
Highlights from the EMC & VMware CIO Summit
Highlights from the EMC & VMware CIO SummitHighlights from the EMC & VMware CIO Summit
Highlights from the EMC & VMware CIO SummitEMC
 
Cibi e colori: l'influenza del colore sull'appetito
Cibi e colori: l'influenza del colore sull'appetitoCibi e colori: l'influenza del colore sull'appetito
Cibi e colori: l'influenza del colore sull'appetitoSara M
 
Money supply inflation
Money supply inflationMoney supply inflation
Money supply inflationTravis Klein
 
Monopsony graphs
Monopsony graphsMonopsony graphs
Monopsony graphsTravis Klein
 
Email campaign
Email campaignEmail campaign
Email campaignEsteban Paulin
 
Wed thurs reform
Wed thurs reformWed thurs reform
Wed thurs reformTravis Klein
 

Recomendados

Informe de empleados
Informe de empleadosInforme de empleados
Informe de empleadosNathalia Sanchez
 
20120827maru scaleout seminar
20120827maru scaleout seminar20120827maru scaleout seminar
20120827maru scaleout seminarMaco Yoshioka
 
Highlights from the EMC & VMware CIO Summit
Highlights from the EMC & VMware CIO SummitHighlights from the EMC & VMware CIO Summit
Highlights from the EMC & VMware CIO SummitEMC
 
Cibi e colori: l'influenza del colore sull'appetito
Cibi e colori: l'influenza del colore sull'appetitoCibi e colori: l'influenza del colore sull'appetito
Cibi e colori: l'influenza del colore sull'appetitoSara M
 
Money supply inflation
Money supply inflationMoney supply inflation
Money supply inflationTravis Klein
 
Monopsony graphs
Monopsony graphsMonopsony graphs
Monopsony graphsTravis Klein
 
Email campaign
Email campaignEmail campaign
Email campaignEsteban Paulin
 
Wed thurs reform
Wed thurs reformWed thurs reform
Wed thurs reformTravis Klein
 
แนะนำแบบบ้านราคาประหยัด
แนะนำแบบบ้านราคาประหยัดแนะนำแบบบ้านราคาประหยัด
แนะนำแบบบ้านราคาประหยัดKamthon Sarawan
 
Media homework andrew goodwin
Media homework andrew goodwinMedia homework andrew goodwin
Media homework andrew goodwinloousmith
 
Client+server side bean validation
Client+server side bean validationClient+server side bean validation
Client+server side bean validationAleksandr Zhuikov
 
Chance1
Chance1Chance1
Chance1Chandan Dubey
 
Media Evaluation
Media EvaluationMedia Evaluation
Media Evaluationloousmith
 
EMC Isilon Multitenancy for Hadoop Big Data Analytics
EMC Isilon Multitenancy for Hadoop Big Data AnalyticsEMC Isilon Multitenancy for Hadoop Big Data Analytics
EMC Isilon Multitenancy for Hadoop Big Data AnalyticsEMC
 
Big Data: A CIO’s Cut Out and Keep Guide
Big Data: A CIO’s Cut Out and Keep Guide Big Data: A CIO’s Cut Out and Keep Guide
Big Data: A CIO’s Cut Out and Keep Guide EMC
 
Tms ppt
Tms pptTms ppt
Tms pptLalita Pandey
 
Formulario clientes
Formulario clientesFormulario clientes
Formulario clientesNathalia Sanchez
 
Webdays blida mobile top 10 risks
Webdays blida mobile top 10 risksWebdays blida mobile top 10 risks
Webdays blida mobile top 10 risksIslam Azeddine Mennouchi
 
Informe general
Informe generalInforme general
Informe generalNathalia Sanchez
 
Learnenglish podcasts-themes-commonwealth-support-pack
Learnenglish podcasts-themes-commonwealth-support-packLearnenglish podcasts-themes-commonwealth-support-pack
Learnenglish podcasts-themes-commonwealth-support-packandresopaez
 
Barrokko
BarrokkoBarrokko
Barrokkopvsa_8990
 
Managing Data Center Connectivity TechBook
Managing Data Center Connectivity TechBook Managing Data Center Connectivity TechBook
Managing Data Center Connectivity TechBook EMC
 
Information is the new oil
Information is the new oilInformation is the new oil
Information is the new oilEMC
 
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDEMC
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote EMC
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOEMC
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremioEMC
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC
 

Más contenido relacionado

Destacado

แนะนำแบบบ้านราคาประหยัด
แนะนำแบบบ้านราคาประหยัดแนะนำแบบบ้านราคาประหยัด
แนะนำแบบบ้านราคาประหยัดKamthon Sarawan
 
Media homework andrew goodwin
Media homework andrew goodwinMedia homework andrew goodwin
Media homework andrew goodwinloousmith
 
Client+server side bean validation
Client+server side bean validationClient+server side bean validation
Client+server side bean validationAleksandr Zhuikov
 
Media Evaluation
Media EvaluationMedia Evaluation
Media Evaluationloousmith
 
EMC Isilon Multitenancy for Hadoop Big Data Analytics
EMC Isilon Multitenancy for Hadoop Big Data AnalyticsEMC Isilon Multitenancy for Hadoop Big Data Analytics
EMC Isilon Multitenancy for Hadoop Big Data AnalyticsEMC
 
Big Data: A CIO’s Cut Out and Keep Guide
Big Data: A CIO’s Cut Out and Keep Guide Big Data: A CIO’s Cut Out and Keep Guide
Big Data: A CIO’s Cut Out and Keep Guide EMC
 
Learnenglish podcasts-themes-commonwealth-support-pack
Learnenglish podcasts-themes-commonwealth-support-packLearnenglish podcasts-themes-commonwealth-support-pack
Learnenglish podcasts-themes-commonwealth-support-packandresopaez
 
Managing Data Center Connectivity TechBook
Managing Data Center Connectivity TechBook Managing Data Center Connectivity TechBook
Managing Data Center Connectivity TechBook EMC
 
Information is the new oil
Information is the new oilInformation is the new oil
Information is the new oilEMC
 

Destacado (15)

แนะนำแบบบ้านราคาประหยัด
แนะนำแบบบ้านราคาประหยัดแนะนำแบบบ้านราคาประหยัด
แนะนำแบบบ้านราคาประหยัด
 
Media homework andrew goodwin
Media homework andrew goodwinMedia homework andrew goodwin
Media homework andrew goodwin
 
Client+server side bean validation
Client+server side bean validationClient+server side bean validation
Client+server side bean validation
 
Chance1
Chance1Chance1
Chance1
 
Media Evaluation
Media EvaluationMedia Evaluation
Media Evaluation
 
EMC Isilon Multitenancy for Hadoop Big Data Analytics
EMC Isilon Multitenancy for Hadoop Big Data AnalyticsEMC Isilon Multitenancy for Hadoop Big Data Analytics
EMC Isilon Multitenancy for Hadoop Big Data Analytics
 
Big Data: A CIO’s Cut Out and Keep Guide
Big Data: A CIO’s Cut Out and Keep Guide Big Data: A CIO’s Cut Out and Keep Guide
Big Data: A CIO’s Cut Out and Keep Guide
 
Tms ppt
Tms pptTms ppt
Tms ppt
 
Formulario clientes
Formulario clientesFormulario clientes
Formulario clientes
 
Webdays blida mobile top 10 risks
Webdays blida mobile top 10 risksWebdays blida mobile top 10 risks
Webdays blida mobile top 10 risks
 
Informe general
Informe generalInforme general
Informe general
 
Learnenglish podcasts-themes-commonwealth-support-pack
Learnenglish podcasts-themes-commonwealth-support-packLearnenglish podcasts-themes-commonwealth-support-pack
Learnenglish podcasts-themes-commonwealth-support-pack
 
Barrokko
BarrokkoBarrokko
Barrokko
 
Managing Data Center Connectivity TechBook
Managing Data Center Connectivity TechBook Managing Data Center Connectivity TechBook
Managing Data Center Connectivity TechBook
 
Information is the new oil
Information is the new oilInformation is the new oil
Information is the new oil
 

Más de EMC

INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDEMC
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote EMC
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOEMC
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremioEMC
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lakeEMC
 
Force Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereForce Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereEMC
 
Pivotal : Moments in Container History
Pivotal : Moments in Container History Pivotal : Moments in Container History
Pivotal : Moments in Container History EMC
 
Data Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewData Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewEMC
 
Mobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeMobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeEMC
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic EMC
 
Intelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityIntelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityEMC
 
The Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeThe Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeEMC
 
EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC
 
EMC Academic Summit 2015
EMC Academic Summit 2015EMC Academic Summit 2015
EMC Academic Summit 2015EMC
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesEMC
 
Using EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsUsing EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsEMC
 
Using EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookUsing EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookEMC
 

Más de EMC (20)

INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremio
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis Openstack
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lake
 
Force Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereForce Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop Elsewhere
 
Pivotal : Moments in Container History
Pivotal : Moments in Container History Pivotal : Moments in Container History
Pivotal : Moments in Container History
 
Data Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewData Lake Protection - A Technical Review
Data Lake Protection - A Technical Review
 
Mobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeMobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or Foe
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic
 
Intelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityIntelligence-Driven GRC for Security
Intelligence-Driven GRC for Security
 
The Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeThe Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure Age
 
EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015
 
EMC Academic Summit 2015
EMC Academic Summit 2015EMC Academic Summit 2015
EMC Academic Summit 2015
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education Services
 
Using EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsUsing EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere Environments
 
Using EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookUsing EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBook
 

Último

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 

2013 RSA Archer GRC Executive Forum Key Findings

  • 1. ® KEY FINDINGS RSA, the Security Division of EMC, hosted its secondannual RSA Archer® GRC Executive Forum, an invitation-only event attended by more than 50 business leaders responsible for their organizations’ enterprise risk management, corporate compliance, audit, information technology, or security programs (GRC for shorthand). GRC “integration” continued to be top-of-mind at this year’s Forum. Participants typically used this phrase to mean either applying the same GRC solutions across organizational siloes or to pulling outputs of disparate solutions together, to create a unified view of risk management information. The idea of GRC integration (used interchangeably by some speakers with “harmonizing” GRC or employing a “consistent approach”) referred to the process and technology aspects of GRC; it did not necessarily mean unifying all GRC activities under one director or one cross-company team. As with 2012’s inaugural Forum, GRC program owners from this year’s event reported they’re creating consistency in their GRC frameworks so that
  • 2. information extracted from different organizational siloes share a common data structure and provide a bigger-picture view of risk and performance. “There’s no debate on the importance of integrating risk and governance silos,” said one participant. “Getting the broader view is what’s needed to promote the good and prevent the bad.” Another theme carried over from last year’s Forum is the idea that GRC may be fading as a discrete discipline. Forum participants reported they’re continuing to drive responsibility for risk management into business units. They’re looking for ways to embed risk monitoring and controls into everyday business processes, to the point that one speaker at the event said, “Your objective should be to be invisible to the business.” In contrast with last year’s Forum, in which GRC program managers shared strategies for winning board support, the emphasis at this year’s event shifted toward winning support for GRC initiatives from business leaders and front-line managers. This shift is consistent with the broader trend of enfolding GRC into “the business.” Many other trends were discussed at the 2013 RSA Archer GRC Executive Forum. This document highlights recurring themes and important observations from the event.
  • 3. ORGANIZATIONS FACE RAPID RATE OF REGULATORY CHANGE In an informal audience poll (not scientific), about three-quarters of the Forum’s participants said they operate within highly regulated industries. Forum participants reported that rising regulatory oversight and complexity has driven them to improve transparency across risk domains and organizational units. “It’s very challenging to cope with a doubling in what we have to track with no change to process, approach or staff,” said a Forum participant. Many companies are intensifying their efforts to create efficiencies in GRC policy and procedure management across different parts of the company and to improve how they map those policies and procedures to laws and regulations. GRC researcher Michael Rasmussen shared statistics on the accelerating rate of regulatory change. In 2008, the banking industry saw 8,704 changes to key regulations; in 2012, there were 17,000+ changes. “We’re dealing with increased regulatory complexity with fewer resources, so we’re [pushing for a consistent GRC approach] because we can’t afford not to do it,” said a participant from the financial services industry. International expansion has compounded regulatory complexity for many companies’ GRC programs. “There’s a crazy velocity in emerging markets to regulate,” said one participant whose company is expanding its operations in China and India. “You need in-country leads where you operate whose job it is to work with legislators and regulators. That’s pretty resource-intensive.” DECENTRALIZE GRC TO ADAPT TO REGULATORY CHANGE AND COMPLEXITY To enable their organizations’ GRC capabilities to accommodate the accelerating rate of regulatory change, Forum participants said they’re decentralizing some GRC functions. They’re distributing responsibilities such as tracking changes in regulations to regional teams. They’re also driving risk monitoring to lower levels of the business. One participant stated, "The GRC program may be owned by the chief compliance officer, but ownership really comes down to the business owners. It has helped us to have these owners documented so we know where to go when new regulatory changes come down the line and who should manage exceptions associated with the new reg. … We also have [GRC responsibilities] divided up regionally. Then, it’s divided by country managers. There are people on the ground doing regional translations to identify impacts." Another shared, "To assume we’ve captured all our risks is naïve. We’re constantly looking for what we’ve missed. It has to start with relationships at the local level. Risk leaders at the local level are key to getting the data we’re missing. … At first, we were surprised how many green dots we had on our dashboards and how quiet the meetings were. As trust developed, more reds and yellows popped up and communications began to flow. As trust develops among teams, a more honest picture of risk emerges because of better, more transparent data sharing."
  • 4. FOCUS INTEGRATION PROGRAMS ON CONVERGENCE, NOT CONVERSION Organizations are rationalizing multiple siloed compliance programs by mapping linkages across regulations, policies, rules, assets (such as facilities and IT infrastructure), and controls. While individual parts of the organization may have their own GRC methodologies and tools, it’s up to the GRC executive owner to help harmonize approaches among groups. “GRC maturity centers on collaboration. It’s up to the GRC facilitator to get people to play in the same sandbox.” A couple of Forum participants, drawing from their experiences, suggested that the most productive first step in GRC integration is to focus on converging data streams from disparate groups, not converting everyone to new processes and technologies. “We are starting at the elementary level to come to agreement [with various business] teams. We don’t change how they are doing things, but bring them together into an enterprise view,” said a participant who recently began a crossenterprise GRC integration program. Another participant said, “We realized we needed to share GRC vocabulary, the taxonomy and then we can pull that through to other departments. We can’t afford not to do this.” DRIVE RESPONSIBILITY FOR GRC DEEPER INTO THE BUSINESS Expanding beyond last year’s discussions on winning board- and C-level support for GRC programs, this year’s Forum attendees shared strategies for enlisting active participation from business leaders and front-line managers. “You can’t just have a top-down risk structure. … The more people that buy in, the better your chances to succeed.” The focus on front-line business leaders at this year’s Forum did not mean GRC leaders didn’t value top-level support. “Having the message top-down from senior leadership allows you to pull risk education down to all employees. You don’t want to ask them to do a lot more, but make them aware. Make it easy. Get senior leaders to say, ‘What does Risk think?’ As soon as this is stated, you no longer have to chase people down.” Yet, beyond top-level executive support, this year’s Forum attendees seemed to acknowledge that their enterprise GRC programs depended on the cooperation of lower-level business leaders. One Forum speaker observed, “You can have the best (GRC) policies but ultimately you control nothing. The business controls implementation … so you have to show how what you’re doing can make their job easier and build knowledge there.” Forum participants expressed a growing sense that everyone in the company should have an ownership stake in GRC. Involving different parts of the business in GRC processes was diplomatically described by some as requiring “thoughtful planning” and by others as “painful.” To enlist broader business participation in GRC initiatives, a couple of speakers said GRC program owners should focus on the process of risk and compliance assessments, not on organizational actors. “Don’t let ownership get in the way, because if you get stuck on organizational change up front, you won’t succeed. We looked at the process, what part [each team] had to
  • 5. play, and we tried not to get wrapped around the wheel on ownership. After all, the business owner is the one who needs to be compliant.” INJECT A "SO WHAT?" INTO PROGRAM MEASUREMENTS In an informal audience poll, just about everyone said they wanted better metrics for measuring GRC impact. In subsequent discussions, Forum participants said they do not have good ways to measure GRC success. Many felt their existing metrics focused on “project management” or process measurements. They would prefer to re-orient their program measurements on business impacts or on evidence of ethical outcomes. “What’s important is that we report in ‘human-speak’ and what it means to the business,” said a Forum participant. Another speaker at the Forum disclosed, “We force our risk owners to have ‘so-what’ sessions to synthesize what risk data to evaluate. This way, it’s not just a simple red/yellow status indicator. We all benefit from having conversations about the risk so-whats.” For assessing ethical compliance, for which it may be difficult to develop hard metrics, several speakers encouraged GRC program owners to “avoid the ‘checkbox’ programs—that is, just checking the box and that makes everything okay. Think instead about the letter and spirit of law. Ethical precepts are at the base of laws. Compliance structures support ethical outcomes.” Another speaker said, “In audits, the ethical response might not be the one that checks the box. You may have to ask if you’re complying with the intent of the law or regulation.” TIE GRC TO ENTERPRISE PERFORMANCE Customers with more advanced GRC programs expressed their intent to combine enterprise and operational risk management with performance management. These customers are in the process of transitioning from reporting on risk- and controlthresholds to reporting performance-focused metrics. Said one Forum participant, “Keep it as simple as possible. Collaborate with key risk stakeholders. Limit impact to the business when designing a measurement process.” Many GRC program owners seem to be in the exploratory phase: experimenting with ways to tie compliance and risk metrics to business processes and business outcomes. They acknowledge their GRC programs are more mature in some processes than others, so metrics and measurement quality will differ. “Operational risk is vast. Legal is more qualitative. We have different measurements for different types of risk. Our overarching goal, however, is that we make [what’s measured] meaningful to business first, not risk managers.” The push to link GRC programs to enterprise performance metrics may be driven in part by the scrutiny and support that corporate governance and risk management functions are getting from boards of directors. “We report up to the board through the board’s audit committee. So, we have to match measurements to management’s expectations and report at the appropriate level.”
  • 6. CALIBRATE CULTURE SO RISK ISN’T SEEN AS BAD Forum participants emphasized the importance of cultivating organizational cultures that encourage openness and disclosure—even if what’s being disclosed is bad news. “This a cultural shift, bringing information forward and not being penalized when you bring issues up. People often are afraid when they see [red metrics], but we have to be able to define our emerging risks in order to deal with them. Risk cannot be seen as bad.” A culture of openness begins at the top. Said one Forum speaker, “If management admits issues, then the rank and file will see it’s okay to do so. It takes courage to do the right thing.” ASSIMILATE THREAT MONITORING AND DETECTION INTO GRC PROGRAMS Cyber risks have expanded, with BYOD, mobile, and cloud computing all introducing new security threats and risk management challenges. Along with external exposures, organizations must also contend with employee misbehavior. Echoing a familiar refrain often heard in the information security industry, a Forum participant said, “There are two kinds of companies: companies who have been breached and companies who know they have been breached.” GRC program owners recognize their inputs, tools, and processes must evolve with the threat. For that reason, they’re exploring using a wider range of data sources and advanced analytics to make threat detection and risk assessments timelier, more comprehensive and accurate. In addition to ingesting traditional types of structured information (logs and events), GRC tools must also accommodate unstructured information, such as audit findings, social media reports, and external threat intelligence feeds. PREPARE FOR BIG DATA IN RISK ASSESSMENTS The data analytics methods, Big Data inputs, and data visualization tools used in other enterprise functions are now making their way into enterprise GRC programs. The use of advanced analytics tools in this domain, though, is still nascent. “It’s definitely an evolution. There is overlap in the maturity elements. Take stochastic modeling … we’re enamored with the results, but there’s a false impression that we are going to run business by these results. It’s just not there yet. We need to take a look farther into the distribution to use it for modeling.” Another Forum participant noted, “Risk measurements are becoming more analytical … not just for assessments but also for forecasting.” Applying big data for predictive risk analytics, not just historic analyses, will become increasingly important in the coming years.
  • 7. CONTACT US To learn more about how EMC and RSA products, services and solutions can help solve your business and IT challenges, contact your local representative or authorized reseller—or visit us at www.EMC.com/rsa. EMC2, EMC, the EMC logo, Archer, RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. © Copyright 2013 EMC Corporation. All rights reserved. Published in the USA. 09/13 EMC Perspective. H12373 EMC believes the information in this document is accurate as of its publication date. The information is subject to change without notice. www.EMC.com/rsa