7/30/2019 IT Governance Risk and Compliance GRC
IT GRC WORKSHOP
IT GOVERNANCE, RISK & COMPLIANCE
BRINGING IT ALL TOGETHER
PRESENTATION OUTLINE
1. What is Governance, Risk & Compliance?
2. IT Governance, Risk & Compliance
3. Enterprise Governance, Risk & Compliance
4. IT Control Frameworks
5. Information Protection Management Div.
WHAT IS GOVERNANCE, RISK & COMPLIANCE?
GENERAL PERSPECTIVE
GOVERNANCE, RISK, AND COMPLIANCE
Governance is the process by which policies are set and decision making is executed.
Risk Management is the process of identification, analysis and either acceptance or mitigation of uncertainty in decision-making.
Compliance is the process of adherence to policies and decisions.
INTERRELATIONSHIP BETWEEN GOVERNANCE, RISK, AND COMPLIANCE
[Diagram: Governance, Risk and Compliance with GRC at the centre]
Governance manages the strategic directives a company wants to follow.
Compliance is the tactical action to mitigate risk.
Risk management assesses the areas of exposure and potential impacts.
WHY FOCUS ON GRC NOW?
Risks have become more diverse and interrelated. Laws and regulations have become more complicated. Boards, executives and management have become more accountable.
This puts organizations at greater risk and makes it difficult and costly for Management to do their jobs effectively.
PROBLEMS FACED BY ORGANIZATIONS
Too much risk for the return we are getting
Too little value from business-IT investments
Slow decision making
Project overruns and delays
Lack of stability, availability, protection and recoverability
GRC-SPECIFIC PROBLEMS FACED BY ORGANIZATIONS
GRC activities and controls are fragmented and managed in silos
Organizations use reactive, one-off approaches to address compliance issues
Risk and compliance considerations are not integrated into core business processes and mainstream decision-making
Leaders often lack an enterprise view of risks
IT assets are not well aligned with risk or compliance management needs
Management does not have the high-quality information they need
IMPROVING EFFICIENCY AND EFFECTIVENESS REQUIRES IMPROVEMENT IN THREE ASPECTS OF GRC
Attention: Awareness & People
Effectiveness: Governance & Processes
Efficiency: Automation & Tools
Improvements are dependent on progress in other areas.
ESSENTIAL ELEMENTS OF A GRC PROGRAM
Governance:
  Centralized repository of policies and controls
  Integrated database of major regulations, standards and best practices
  Comprehensive policy management with awareness campaigns and attestation
  Controls management and reporting
Risk:
  Risk management, including key risk indicators and risk dashboards
Compliance:
  Compliance assessment, monitoring and reporting
BENEFITS OF INTEGRATING GRC
Make risk-informed strategic decisions.
Analyze risk based on quantitative data.
Manage compliance.
Prioritize remediation activities.
ENTERPRISE GOVERNANCE, RISK & COMPLIANCE
TO UNDERSTAND IT GRC YOU MUST FIRST UNDERSTAND ENTERPRISE GRC
ENTERPRISE GRC
Governance: Strategy, Planning
Risk Management: Assessment, Mitigation
Compliance: Assessment, Reporting
AN ENTERPRISE GRC PLATFORM
[Diagram of an Enterprise GRC Platform. People: Auditors, Boards, Management. Processes: Risk Management, Audit Management, Risk & Controls Matrix, Compliance Management, Remediation Management, Policy Management.]
IT GOVERNANCE, RISK & COMPLIANCE
TO ESTABLISH MORE ACCOUNTABLE AND EFFECTIVE IT FUNCTIONS
IT GRC TIES TOGETHER THE PROGRAMS OF..
IT Governance: An IT governance program to leverage the developed risk-based options in support of an organization's decision-making process.
IT Risk Management: An IT risk management program performs risk assessment to develop and prioritize options for remediation.
IT Compliance: An IT compliance program to measure the level of compliance within an IT environment.
IT-GRC
IT GRC MEANS MANAGING
IT strategy
IT services
Systems infrastructure
Information management
Information security
Resource availability (hardware, software & data)
Data integrity
Technology risk
Legal and regulatory compliance
GRC MATURITY MODEL
[Diagram: maturity model showing the current IT-GRC maturity and the next phase]
REACTIVE, FRAGMENTED IMPLEMENTATION PHASE
GRC activities are largely manual, not standardized and not well integrated into core business processes
GRC activities have not received as much attention in the past
Most organizations have treated governance, risk and compliance as discrete activities, separate from mainstream business processes and decision making
Existing IT infrastructures, applications and processes do not provide sufficient support for effective risk management and efficient compliance
IT GRC MUST BE DRIVEN FROM THE TOP DOWN
Corporate GRC is an important input for defining IT GRC. IT GRC requires senior business participation, especially at the board level.
IT CONTROL FRAMEWORKS
COBIT: CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY
COBIT AND OTHER IT MANAGEMENT FRAMEWORKS
WHERE DOES COBIT FIT?
THE COBIT FRAMEWORK WAS DESIGNED TO PROVIDE..
A comprehensive control framework to cover:
IT organization
IT users
IT professionals
IT governance
IT risks
IT processes
SUMMARY
IT GRC is a subset of Corporate Governance
IT GRC comprises IT Governance, IT Risk and IT Compliance
Without one you cannot have the other.. Governance, Risk and Compliance are interrelated
[Diagram: Governance, Risk and Compliance with GRC at the centre]
DO YOU HAVE ANY QUESTIONS?
Thank you!
BREAK