Risk Technology Strategy, Selection and Implementation
1. Risk Technology Strategy, Selection and Implementation
Scott Farquharson
Principal – Risk Services
RMIA 1st October 2014
2. Today’s Agenda…
• Context - Risk Capability
• Why do we need technology and what can it do?
• Focus on Core components
• Strategy
• Selection
• Implementation
3. Our Approach Today…
From the CRO perspective…
Governance and Assurance
Office of CRO
Risk SME’s
Business
Look at Capability across the Organisation
4. A Quick Definition…
So what are we talking about when we say GRC…?
Corporate Governance, IT Governance, Financial Reporting Compliance, SOX, P7, Operational Risk, Safety, Legal Compliance, Strategic risk, Privacy, Project Delivery Risk, Ethics, Controls, Security, AML, Environmental Compliance, Enterprise Risk Management, Access Risk, Business Continuity Planning, Whistleblower, Risk Financing, Risk Management, Corporate Compliance
Who are we talking about? Finance, Internal Audit, Security, IT, Legal, HR, Board Liaison, Business Units, Consultants, Customer, Insurance, Board, Operations, Quality Management, Safety, Company Secretarial, External Audit
What Processes and Activities? Risk Assessments, Audits, Self Assessments, Investigations, Risk Reports, Training, Community Consultation, Advice, Remediation, Stakeholder reporting, Policy Management, Frameworks, Incident Management, Risk Financing, Audit Actions, Board Reporting, Audit remediation, Delegation of authority, Hazard Identification, SoD’s
What Systems? Risk Database, Security System, Audit System, EHS System, Financial Systems, Portfolio Management, Surveys, Audit issues, Operational Systems, Back Office, Compliance system, Spreadsheets, Access Databases, CRM, Loss Management, Claims Management, Investigations Management, FICO, Plant Management
5. What is the Value of Risk…?
Objective – What – Examples
Licence to Operate – Meeting our legal, regulatory and social obligations – Good corporate governance; Compliance; Laws and regulation
Protecting Value – Minimising loss and protecting shareholder value, brand and reputation – Control frameworks; Contract risk; Fraud risk; Insurance; BCM
Driving Efficiency – Doing things right; Business efficiency – Understanding Total Cost of Risk; Process risk and control; Prioritising management attention
Creating Value – Doing the right things; Where and When to take a “risk” – Better decision support; Risk appetite; Risk Culture; Risk adjusted returns; Scenario Planning
Unrewarded risk – Provides no premium if managed well. It relates to risk areas such as financial misstatement, compliance with laws and regulation and fraud. “Must” be done.
Rewarded risk – Provides a premium if managed well. It relates to risks in areas such as mergers and acquisitions, product development, investment, markets and business models, risk adjusted returns, VaR.
Driving Shareholder Value
Guarding the Balance Sheet – Protecting the Brand
6. However, a Siloed Approach Lessens Effectiveness…
Risk Integration has a significant impact on overall Risk Management effectiveness
Source – Corporate Executive Board
7. A Number of Stumbling Blocks…
Timely Assessment and Reporting of Emerging & Changing Risk Information
Duplication with Multiple Assurance Activities Across Enterprise
Obtaining Quality Risk Information from the Business
Lack of Transparency of Key Risks
Disconnect between Risk Appetite and Risk Profile & GRC Efforts
Risk Information is Siloed Across a Number of GRC Providers
Manual and inefficient processes
GRC efforts are not aligned to strategy delivery
Poor cross functional integration and lack of clarity of accountability
Source – Corporate Executive Board
8. Re-Thinking Risk Capability…
Common Enterprise GRC Processes: Risk and Obligation Identification; Analysis and Evaluation; Risk Mitigation and Control Design; Control Activities; Corporate Policies; Reporting and Communication; Incident/Loss Management; Investigations; Monitoring, Testing and Assurance
Source Systems: EHS Systems; Security Systems; PMO System; Enterprise Risk Management System; Compliance Management System; Internal Audit System
Single Source of Truth
Information Flows and Reporting Channels
Roles and Responsibilities
Accountability Model (RACI)
Technology
Organisational Structure
Reporting and Analytics
9. Operating Model Components…
Governance
Context
People: Three Lines of Defence; Organisation Structure and Engagement; Cultural Drivers
Process: Defined GRC Processes; Industry Standards; Common Risk Language
Technology: Repository - Single Source of Truth; Workflows and automation; Analytics and Reporting
Operating Model Assessed Through Capability Maturity Model
10. The Role of Technology…
Information to support risk decisions
Efficiency of risk processes
11. What Else Does it Do…
Single source of truth
Consistency of data
Improved transparency
Speed of Action
12. GRC Capability Maturity Model…
Level 1 – Non-Existent: Manual (paper) Processes Only
Level 2 – Ad Hoc / Initial: Risk registers for some risks in Excel; Qualitative Only
Level 3 – Siloed / Top Down: Overall risk register in Excel; Some SME systems in place for critical risks; Qualitative Only
Level 4 – Repeatable / Managed: Overall risk register in a GRC Tool; SME systems in place; Some Quantitative
Level 5 – Systematic / Leading: Integrated GRC in place; Integration with SME systems; Integration with ERP; Qual and Quant; Automated CSA
Level 6 – Optimised: Integrated GRC and SME; ERP Integration; Risk Appetite and Tolerances; KRI’s; Decision Support Analytics; Predictive
13. Incorporates Industry Standards…
OCEG
ISO31000, HB158, HB254, AS3806, AS8000, HB221 etc
COSO – Enterprise Risk Management and Control Framework
IT Specific Components Built into SAP GRC:
ITIL – IT Process Model
COBIT5 – IT Control Framework
+ ISO27000, AS8015, HB231, PCIDSS etc – IT Risk and Compliance Management Standards
ISO31000 – Risk Management
14. 3 Lines of Defence Provides Basis for the Model…
3rd Line of Defence – Oversight: Board; Board Risk Audit Committee. Assurance: External Audit; External Providers; Internal Assurance Function
Provides oversight, independent testing, verification and review on the efficacy of:
• GRC frameworks
• Business management of risk
• Business compliance with Internal/External Obligations
Identifies opportunities for improved business performance
2nd Line of Defence – Common Risk Infrastructure: Central GRC Functions; Support Units
Provides the major mechanism for Governance through a central Policy Framework and repository.
Provides enterprise GRC frameworks
Provides enterprise GRC programs
Provides Subject Matter Experts for enterprise risks
Monitors adherence to frameworks, enterprise risk and compliance programs and losses/incidents
Escalates and provides aggregated risk and compliance Reporting
1st Line of Defence – Risk Ownership: Executive Management; Business Units
Adheres to enterprise risk and compliance frameworks
Owns the risk, control and losses/incidents
Understands its risk profile and control framework
Performs risk/control self assessment
Must meet internal and external obligations – compliance
Clear Lines of Accountability for GRC Activities
15. Technology Support at Each Line of Defence
3rd Line of Defence – Oversight: Board; Board Risk Audit Committee. Assurance: External Audit; External Providers; Internal Assurance Function
Board Papers and Communication; Audit Planning and Management; CCM; Review Risk and Control Profiles; Review Incident Reports
2nd Line of Defence – Common Risk Infrastructure: Central GRC Functions; Support Units and SME’s
Consolidate Risk Reports; Risk Analytics; Update Obligations Register; Plan Assessments; Conduct Surveys
1st Line of Defence – Risk Ownership: Executive Management; Business Units
Create Risks and Controls; Assess Risks; Control Self Assessment; Review Risk Profile
16. Model Must be Aligned to the Risk Profile...
Compliance Obligations – Risk – Policy – Process – GRC / Risk Specific / ERP / Analytics / Integrated
Information Compliance (Privacy, PCI/DSS, FOI, Records / Archives / ACMA) – Information Risk (Technology / Info Security, Records & Archives) – Information Management, IT Security – × x x ×
Financial Compliance (AML / FSL / APRA / SOX / P7) – Financial Integrity Risk (Technology / Security, Crime / Fraud) – Fraud – P2P, Retail Ops – × ? × × ×
Commercial Compliance (Trade Practices, Contract Compliance) – Commercial Risk (Intellectual Property, Contract Risk) – Contract – O2C – × ? ? × ×
Health and Safety Compliance (OHS, TSP, CoR, Dangerous Goods) – Health and Safety Risk (Physical Security, Hazard Identification) – Transport, Operations – × × ? ×
Asset Compliance (Property/Fire Services) – Asset Risk (Physical Security, Fire Protection) – Security, Facility Mgmt – × × ×
Sustainability & Environment (EEO, EPBC, NGERS, CPRS) – Sustainability & Environment (Carbon Reduction, Sustainability Principles) – Sustainability, Transport – × × × ×
Strategic Compliance (Investment Projects, Planning Products, External) – Strategic Risk (Investment Projects, Planning Products, External) – Investment Life Cycle, Planning – ? × × × ×
Risk Universe: Governance; Strategy and Planning; Operational; Compliance; Reporting
17. Technology Support Model
Technology Layer – Role
eGRC Layer
• Core functionality to support Risk, Compliance, Audit, Controls, Policy, Incident Management
• Centred around data backbone - risk/obligation/policy/control/test/incident or loss
• Reporting and dashboards
• Workflows
Systems Integration
• eGRC
• Point Solutions
• Transactional Systems
• Data and Analytics
• Corporate Reporting Interface
Risk/Obligation Specific Layer – HSE/Security, Fraud, Crime, Plant and Equip, IT Security, Environmental
ERP Layer – Transactional systems
Data and Analytics Layer – Data warehouse combining eGRC and other data including transactional/external/social
18. Risk and Compliance Profile sits at the Core of the Model…
Risk Profile by:
• Business Unit
• Business Process
• Business Scorecard
• Strategic Initiatives
• Program/Projects
Each Risk/Compliance Class: Appetite/Thresholds; Key Risk Indicators; Treatments/Controls; Assurance; Incidents/Claims/Losses; Aggregated Exposure
Single Source of GRC Truth
Standard Risk, Control and Policy Library
Aggregated Corporate Profile and Reporting
Bottom Up - Individual Risk Profile for each BU overlays Business Process and Business Objective
Top Down
For each Business Unit: Risk Dashboard; Risk Appetite; Key Risk Indicators; Control Monitoring
Governance; Strategy and Planning; Operations; Infrastructure; Compliance Reporting
19. Multi Risk and Compliance Framework…
GRC Operating Model
Overarching Enterprise Risk and Compliance Framework
Common Risk Library – Risks can be aggregated for reporting and analysis
Risk can be assessed by multiple methods including control effectiveness
Process Focus: Procure to Pay; Hire to Retire; Order to Cash; Financial Close; etc
External – Legal, Industry and Community Stds
IT and Information: COBIT; PCIDSS; ISO27000; Cyber; FOI; Privacy; Archives
Integrated Control Library – Cultural, Performance Stds
Control Library with Controls that can be linked to multiple Risk and Compliance Requirements
Control Testing can then satisfy multiple “Regulations” or “Risks”
Functional Focus – Risk and Compliance Profiles by Business Unit
Corporate Policy Framework – Policy Lifecycle Management Linked to:
• Risk and Compliance Framework
• Control Library
Financial Reporting: SOX; Principle 7; SoD’s; DoA’s; IFRS
Crime: Fraud; Austrac; AML; Transport; SoD’s; Cyber
Human Capital: OHS; Environment; EEO; CoR; Property; Food; Medical
Commerce: Contract; Consumer; Lease; Liquor; Tobacco; Lotteries; IP
Obligations – Internal
Strategic: Strategic Risk; Strategy Execution; Project and Portfolio; BCM
Integration with Other Systems
Continuous testing can be undertaken across the SAP Platform including - EHS SSM ECC HCM etc
Interfaces can also be set up with Non-SAP Systems and Manual Entry
Analytics and Reporting – Dashboards, KRI’s, Aggregated Risk Profiles
Powered By SAP GRC
Provides:
Risk Management – Enterprise Wide Risk Management Capability
Process Control – Supports Risk and Compliance control Frameworks
Policy Framework – Supports Multiple Regulations
Range of Testing Methods
Range of Assessment Techniques
Common Risk Language
Each Risk/Compliance Class: Appetite/Thresholds; Key Risk Indicators; Response Plans/Controls; Assurance; Incidents/Claims/Losses; Aggregated Exposure; Risk Adjusted Performance; Audit Issues
20. You need a (strategy) road map…
Phase One - Quick Wins (Year One)
• Compliance Obligations
• Training
Phase 2 – Risk Management (Year Two)
• Risks and Controls
• Risk Assessment
Phase 3 - Policy Management (Year Three)
• Life cycle
• Policy Surveys
• Mobility – iPad App
Phase 4 - Risk Analytics (Year Four)
• Risk Appetite
• KRI’s
• CCM
• Dashboards
22. The eGRC Core…
Core functionality to support common enterprise risk, compliance, and assurance activities
• Governance
• Enterprise Risk Management
• Compliance Obligations and Risks
• Risk and Compliance Control Framework
• Policy Management
• Incident and Loss Management
• Internal Audit Practice Management
Plus…
• HSE
• Fraud/Financial Crime
23. 5 Key Underpinning Technologies
• Workflow Management
• Database
• Document and Content Management
• Analytical and Reporting Tools
• Data Warehouse
24. Typical eGRC Functionality…
Overall Considerations: Data Architecture; Data Aggregation; Workflows; Monitoring and Alerting; Triggers; Analytics and Reporting; Risk Modelling
Risk: Risk Data; Risk Creation; Risk Library; Risk Analysis Methods; Risk Assessment Process; Loss and Incident Data; Risk Appetite; Issues Management
Control: Control Attributes; Control Creation; Control Library; Control Assessment; Link to Risks or Obligations
25. The User Experience
• Who is going to use it?
• Are they going to log into the application?
• How often?
• What will they do on the system?
• How is data to be entered?
• How much data?
• How do they run reports?
• Ad Hoc Analysis?
• What platforms? PC Only?
30. Key risk analytics techniques:
• Rules-based quantification of known profiles
• Statistical modelling
- to understand drivers of known behaviors
- raise awareness of unknown behaviors
- predict future behaviors
• Visualisation to easily communicate data insights into informed decision-making
31. Moving to Real Time Risk Analytics…
Source – SAP Analytics
36. Engage with Internal Processes
• Engage Your IT Group
- Architecture
- Data
- Cloud vs On Prem
- Program
• Project Funding
- Capital vs Opex
- Business Case Process
- Benefits
- Gaining Support
37. Elements of a Risk Technology Strategy
• Organisational context
• Maturity of current capability
• Specific problems to be addressed
• Scope of application of the toolsets
• The current technology environment
- Data Management
- Application Architecture
• Establish priorities
• The desired end-state and timing
• Benefits and Budget
40. The Market
• Now 00’s of GRC products in the market place – 40+ in enterprise
• Strengths based on their origins and focus
• Continued convergence of products around core functionality
• Addition of more SME functionality
• Bigger not necessarily better
• Niche players
41. Get to Know Your Vendor…
• Industry Knowledge
• Thought Leadership
• Origins – product history
• Their sweet spot
• Customer base
• Drive the product – make sure it doesn’t just run best on PowerPoint
42. Some of the Products…Just a Sample
• Nasdaq BWise
• IBM OpenPages
• Thomson Reuters Accelus
• RSA Archer
• Protecht
• SAP GRC
• Oracle GRC
• MetricStream
• SAI Global
• Wolters Kluwer
• Cura
• Enablon
• Wynyard
• Risk Cloud
• Protiviti
• Resolver
• ACL
• TeamMate
• Modulo
44. The Role of the Analysts and Industry Pundits
The Analysts
• Gartner – Magic Quadrant
• Forrester – Wave
The Pundits
• GRC20/20 – Michael Rasmussen
• Norman Marks – Marks on Governance
Other Sources
• LinkedIn Groups
• Forums
• Consultants
• Vendors
• Existing Customers
45. Other Considerations…
• You don't know what you don't know
• Products typically capture IP and better practice
• Is there opportunity for improvement?
• Do a POC with the shortlist – pay if you have to
46. Technology Selection Process
Procuring Authority Processes, with one Vendor Processes step (Complete Market Sounding Questionnaire):
Define Business Requirements (2 weeks)
• Define the solution scope
• Review existing flow of information and reporting output
• Identify potential data sources
• Establish risk information and reporting needs (including current and future out to approx. 3 years)
• Consider leading risk practice functionality across various software vendor tiers [integrated/ point solution/ stand-alone]
• Confirm and refine system requirements for market communication
Identify Potential Vendors (2 weeks)
• Conduct initial vendor research based on Customer requirements, using better practice research
• Consider appropriate vendors
• Finalise vendor list
• Seek registration of interest (if required)
Establish Market Response Requirements (2 weeks)
• Construct questionnaire for responses by vendors
• Seek review and approval for submission of questionnaire for approach to market
Issue To Market
• Issue questionnaire to finalised vendor list
• Communicate nominated contact person
• Communicate response times and requirements
Complete Market Sounding Questionnaire (Vendor Processes)
Develop & Test Analysis Toolkit
• Consider IT Architecture and IT Strategy for system integration
• Build response analysis and scoring mechanism
• Determine visualisation methods
• Conduct test analyses
Conduct Analysis
• Map vendor system functionality to business needs
• Receive completed questionnaires
• Participate in vendor presentations
• Analyse results
• Add qualitative analysis from supplementary material (if appropriate)
• Communicate preliminary analysis results
Prepare Market Sounding Report
• Produce formal Market Sounding Report
• Issue for review and comment
• Finalise document for executive
• Develop a plan to document, consolidate, refine and transform data pre-implementation
48. Project Structure
• IT PMO Engagement
• Project Manager
• Business Representative
- Each Functional area
• Implementation Partner
- Solution Architect
- Technical Consultants
• IT Representative
49. Design
Selection should have confirmed fit
Detailed Requirements Defined
4 Key Elements in Blueprint
• Selecting Configuration Options
• Defining Master Data
• Defining Processes and Workflows
• Roles and Authorisations
50. Build
Typically the easy bit:
• Data Preparation
- Clean Your Data
- What to do with Historic Data?
• Testing – UAT
• Watch for:
- Performance issues – screen refresh
- Interfaces
51. Roll Out…
Key for Success
• Don’t skimp on Change Management effort
- Clear Change plan
- Tailored Communication
- Follow up support
• Tailor Training to Users
• Ongoing Support
• Measure Take Up and Feedback
52. Pitfalls and Problems…
Requires major transformation effort across the enterprise…
Organisation system legacies…
• Lots of different Stakeholders
• Lots of different Systems
• No one owns all the benefits
It’s better to…
• Start.
• It will never be perfect.
So where do you start?
• Big bang usually not possible (or advisable…)
• Need to show value – clear about benefits
• Need an Influential Cross Org Sponsor who sees the value
• Develop Roadmap with incremental benefits
• Sell the vision…needs everyone on board
Governance, Risk, & Compliance (GRC) is more than a catchy acronym used by technology providers and consultants to market their solutions – it is an approach to business. An approach that permeates the organization: its oversight, its processes, its culture, its boundaries. Ultimately, GRC is about the integrity of the organization:
Is the organization properly managed and governed?
Does the organization take and manage risk within boundaries of risk appetite and tolerance?
Does the organization meet its legal/regulatory compliance obligations? Its social responsibility and sustainability commitments?
Does the organization make its code of ethics, policies, and procedures clear to its employees and business partners?
Are the values of the organization clear and understood across the business and its relationships?
Does risk and compliance contribute to corporate performance, strategy, & objectives?
The challenge of GRC is that each individual term – governance, risk, and compliance – has varied meanings across the organization. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance, ethics, social responsibility . . . the list of mandates and initiatives goes on and on.
It is easier to define what GRC is NOT:
GRC is not about silos of risk and compliance operating independently of each other;
GRC is not solely about technology – though technology plays a critical role;
GRC is not just a label of services that consultants provide;
GRC is not just about financial controls;
GRC is not another label for enterprise risk management (ERM), although GRC encompasses ERM; and, furthermore,
GRC is not about a single individual owning all aspects of governance, risk, and compliance.
GRC IS an approach to business. It is about individual GRC roles across the organization working in harmony to provide a complete view of governance, risk, and compliance. It is about collaboration and sharing of information, assessments, metrics, risks, investigations, policies, training, and losses across these business roles and processes. GRC’s purpose is to show a 360° view of risk and compliance and to identify interrelationships in today’s complex and distributed business environment. GRC is a federation of business roles and processes – the corporate secretary, legal, risk, audit, compliance, IT, ethics, finance, line of business, and others – working together in a common framework, collaboration, and architecture to achieve agility, effectiveness, and efficiency across the organization. GRC is a three-legged stool: governance, risk, and compliance are all necessary to effectively manage and steer the organization.
Primarily Measured Through
Total “Cost” of Risk (TCOR)
Losses/Incidents + Risk Management Cost + Premiums – Claims/Recoveries = TCOR
“Cost” is based on Impact Categories, i.e. Profit, Carbon, Safety, Reputation etc
Information
The main role of technology in risk management is to deliver the right type and amount of information to the right people in a timely manner, distilled in ways that help them to understand the risk associated with particular decisions.
To this end, technology can deliver reliable, high-quality information from dispersed operations; integrate operational, transactional, and financial information to help identify and resolve risk-related issues; and facilitate prediction, prevention, detection, management, and reporting of internal and external risks.
Efficiency
To automate risk processes – improve productivity
Whether it is a CSA, risk analysis, compliance training or audit planning
HSE/Security Fraud Crime /Plant and Equip/IT Security/Environmental
eGRC/Point Solutions/Transactional Systems
Layer beneath Enterprise Governance model
Common risk language and structure
Single Risk, Compliance, Control and Assurance Model (single source of truth through SAP GRC System)
Risk Profile for each SBU/FBU Built with SBU/FBU, (Each L2 could have a risk/control profile)
Risk Profile Linked to Business Process (EPEO), Business Objective (Scorecard) and Strategic Initiative
Greater Use of Control Self Assessment in the SBU/FBU
Supported by Risk and Compliance Culture Framework
Risk Assessments for Investment, Projects, Contracts, New Products, Acquisitions etc
Integrated with EPMO (investment and project risk profiles will be in GRCS and linked to benefits)
Integration to be built with each process
Risk Assessment by Process
Focus on process improvement and business performance – link with EPEO essential
Integrated/Dependence on Process Excellence
Basis for Process Risk Assessments
Requires robust Process Governance Model
Process improvement/change due to changing compliance/control requirements
Risk assessment of any ongoing process improvement/change to identify any compliance or risks
Integrated with Targets and Metrics
Risks associated with score card by BU with KRI’s (leading indicators) associated with key measures
Integration with P&C Training Approach
Incorporate key risk and compliance training programs into enterprise training program
Linked directly to Risk Financing Strategies – Risk Appetite/Tolerance to be developed for each SBU
Improved Risk Reporting Including Dashboards, Key Risk Indicators, Control Monitoring (automated and manual)
Integrate Risk Compliance and Assurance Reporting with Existing Management Reporting to EC, SLT’s
Direct access from SAP GRCS to SAP source systems (HR Enabled, Finance, EC, Event Management etc)
Corporate Compliance Framework
Incorporated into GRC Model
Internal and External Obligations (Mandatory and Voluntary)
Obligations Database and Workflows in SAP GRCS
Compliance Development and Implementation Process (AS3806)
Greater focus on Monitoring, Reporting and Incident Management (enabled through CSA and GRC)
Corporate Policy Framework
Incorporated into GRC Model
Standardised approach to development, documentation, implementation and compliance with Corporate Policy
Centralised Repository – Linked to PostNet
Improved Monitoring, Reporting and Incident Management
Business Continuity and Emergency Planning
Standardised approach to Business Continuity Planning
Business Continuity Portal (Sharepoint)
Overlay Process Model (move from asset basis to process basis)
Corporate Emergency Management Protocol to be updated to address SBU/FBU structure
Risk Financing
Overall corporate umbrella in place
Risk financing solutions to meet risk tolerance/appetite of individual SBU’s
Single integrated solution (includes subsidiaries)
Integrated approach to claims management/incident loss data (outsourced MV claims, central claims admin)
Contract Management
Contract Risk
Standardised approach to Contract Management and Compliance (Part of Compliance Framework)
Central Contracts Register to facilitate compliance (Customer and Procure contracts)
Update Contract Governance and Risk Process to improve speed and reduce exposure
Why is it good?
Easy
Cheap
Everyone knows how to use it
Flexible – easily changed
Why is it bad?
Data integrity
No transparency
Hard to analyse
Flexible - Easily changed
Only workflow is email…
Risk and Control Repositories
With a core GRC system we now have baseline risk, control and compliance data
Data warehouse – combine eGRC and other data
Other data could include transactional/external/social
Risk Analytics helps companies leverage their data assets to improve decisions, streamline regulatory reporting, and enhance risk-based performance monitoring.
Risk analytics identify and proactively manage financial, operational, regulatory, and security risk. Regulatory reform, data management, and consumer protection are three trends driving the demand for risk analytics.
Rapid and dynamic change in the business and regulatory environment can generate new and unknown risks. Organizations need to identify and mitigate the risks emerging in external and internal data from structured and unstructured sources and develop analytic strengths that span the organization
Driven by the risk profile, value risk and efficiency
Development of a strategy and roadmap detailing how risk technology will support an organisation’s risk, compliance and assurance capability. It considers:
Vision of what risk technology is to do
How does it fit with the risk capability
Information is a key element
Not sequential process
How does in
Key elements
Typical approach is waterfall, that is, serial.
However, we will also discuss an RDS approach.
Typically a waterfall approach
Based on your strategy produce a high level project brief:
High level areas to be addressed
Key functional areas
Look at the market
Compliance product
Risk and strategy
Some from HSE or IT GRC
Some from Insurance, SoD, data analysis, compliance, audit management
Some from FS – good at banking specific risk but is that what you need?
FS
$10m 3-4m 500 to 1.5 100 to 500k
$4 to $6m 1 - 2m 500 <100
Analysts
Are you a bank or an airline?
What functional coverage? What is G, R and C? Why only these things?
What requirements have they used?
Is integration important? Or not?
The Pundits
Great source of ideas and debate
6 – 9 months
Assume that the technical details have been determined
RDS vs waterfall