Risk management forms the core of many disciplines: compliance management, business continuity planning and disaster recovery.
The key to GRC is knowing how, when, where and exactly how much to apply.
Additionally, risk management is a practice that matures and grows within the enterprise, continually increasing its ability to respond and build resilience.
Enterprise Risk Management - GRC as a practice
1. Enterprise Governance, Risk and Compliance Mapping
david.daniel@casewise.com
David Daniel
Leverage Architecture to Drive Consistent Enterprise GRC Management
2. Risk Lifecycle
© 2015 Casewise - confidential
Evolution of an event from identification to retrospective
[Diagram: the risk lifecycle plots likelihood of occurrence against time; risks and hazards move through awareness, preparations, controls, contingencies and recovery towards outcomes, impacts and consequences.]
3. Three-Tiered Risk Management
Integrated approach encompasses all areas of the enterprise
Tier 1: Organization (Governance)
Tier 2: Business Process (Information Flows)
Tier 3: Information Systems (Operational Environment)
[Diagram: the three tiers span People, Process and Technology and map onto the Business, Process and Technical Architectures.]
5. Risk Awareness
You can't manage what you don't know
Identify areas of concern
  Direct risks
  Indirect risks
Outline risk objectives
  Supports construction of the risk appetite model
  Right-sizes risk management practices
Establish a risk registry
  Maintain objective catalog
  Establish ownership
Implement systematic identification processes
  Introduce risk awareness into strategic planning
  Benchmark against industry standards
  Inject risk mapping into the SDLC
Offerings: tooling; services (workshops, practice building)
6. Typical Information Security Objectives
Guiding Information and Information Systems Security
Confidentiality: preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
Integrity: guarding against improper information modification or destruction, which includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
Availability: ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
8. Risk Management Controls Framework
Understand, implement, govern and monitor controls
Categorize
Select
Implement
Assess
Authorize
Monitor
Offerings: services (practice building); tooling
9. Controls: Business Architecture
Control the activities that perform the business
Market-centric orientation provides solid business guidance
Fosters full-spectrum analysis of risk and compliance issues
Aligns risk appetite with business goals and objectives
Defines strong governance model to support compliance
Translates risk into business terms that are easily consumable by stakeholders
[Diagram: PESTLE factors: political, economic, social, technological, legal, environmental.]
10. Controls: Process Architecture
Control the processes that operate the business
Objectively identifies key areas of concern for continuity planning
Builds culture of compliance by overlaying strategic risk and compliance onto day-to-day activities
Fosters innovation through risk awareness and response
Institutionalizes GRC in the fabric of the enterprise
11. Controls: Technical Architecture
Control the systems that support the business
Risk management becomes a core area of concern for solution development
Supports objective recovery options in day-to-day operations
Facilitates audit/compliance reporting
Translates technical risk into business terms
Defines both functional and non-functional requirements
13. Mitigation
Event handling and residual risk must be addressed systematically
Prepare systematic recovery response to known risk
  Reduce
  Retain
  Avoid
  Transfer
Map events to contingencies
Develop systematic event response methodologies
Understand how to respond to unforeseen events
Understand residual risk
  Monitor and maintain residual risk register
  Provide feedback loop for continuous improvement
Offerings: services (workshops, practice building)
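As an added example (not from the deck or from Casewise), a small Python residual-risk register that applies the four treatment options above and flags entries whose residual risk exceeds an assumed appetite, which is the input to the feedback loop; the 5-point scoring scale, the control_effect field and the sample entries are all assumptions.

```python
from dataclasses import dataclass
# Treatment options listed on the Mitigation slide
TREATMENTS = ("reduce", "retain", "avoid", "transfer")

@dataclass
class Risk:
    name: str
    owner: str            # ownership established per the Risk Awareness slide
    likelihood: int       # assumed 5-point scale: 1 (rare) .. 5 (almost certain)
    impact: int           # assumed 5-point scale: 1 (negligible) .. 5 (severe)
    treatment: str
    control_effect: float = 0.0   # assumed: share of inherent exposure removed (0..1)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        if self.treatment == "avoid":    # activity discontinued: no exposure remains
            return 0.0
        if self.treatment == "retain":   # accepted as-is: residual equals inherent
            return float(self.inherent())
        # reduce (controls) and transfer (insurance/contract) both lower the score
        return round(self.inherent() * (1 - self.control_effect), 1)

def validate(risk: Risk) -> None:
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {risk.treatment!r}")
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    if not 0.0 <= risk.control_effect <= 1.0:
        raise ValueError("control_effect must lie within 0..1")

def over_appetite(register: list, appetite: float) -> list:
    """Names of entries whose residual risk exceeds the appetite threshold."""
    for r in register:
        validate(r)
    return [r.name for r in register if r.residual() > appetite]

# Constructed sample register; values are illustrative, not from the deck
SAMPLE = [
    Risk("Unpatched internet-facing server", "IT Ops", 4, 5, "reduce", 0.6),
    Risk("Critical vendor outage", "Procurement", 3, 4, "transfer", 0.5),
    Risk("Legacy payment module", "Finance", 2, 5, "avoid"),
    Risk("Minor data-entry errors", "Operations", 3, 1, "retain"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.name:34} inherent={r.inherent():2} residual={r.residual():4} ({r.treatment})")
    print("above appetite 6.0:", over_appetite(SAMPLE, 6.0))
```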
14. Continuous Improvement
"Tell me and I forget. Teach me and I remember. Involve me and I learn." - Benjamin Franklin
Articulate responses objectively
  Construct root cause assessments to determine causes of and responses to events
Identify KRIs (Key Risk Indicators)
  Update and manage a catalog of KRIs
  Map new KRIs to risk areas
Reduce variability and uncertainty
  Each event is a learning environment: monitored, measured, analyzed and communicated to risk management teams
Maintain Risk Management Maturity Model
  Managed growth of GRC capability in the enterprise
Offerings: services (practice building); tooling