Enterprise-wide GRC Implementation - Dell EMC

© Copyright 2013 EMC Corporation. All rights reserved.

Enterprise GRC Implementation
Our journey so far… implementation observations and learning points

Derek Walker, Corporate Risk Manager, National Grid


Introduction to National Grid

One of the world’s largest 100% listed utilities, focused on regulated transmission and distribution activities in electricity and gas in the United Kingdom and the United States.


Introduction to National Grid

[Diagram: National Grid’s principal UK businesses. Supply: electricity generators; gas producers and importers. Transmission: National Grid Transmission UK. Distribution: regional electricity distribution networks; National Grid Gas Distribution UK; other regional gas distribution networks. End users: commercial and domestic customers.]


Introduction to National Grid: National Grid UK


Introduction to National Grid

[Diagram: National Grid’s principal US businesses. Supply: electricity generators; gas producers and importers. Transmission: National Grid Transmission US; gas transmission pipelines; other electricity transmission networks. Distribution: National Grid Electricity Distribution US; National Grid Gas Distribution US; other electricity/gas distribution networks. End users: commercial and domestic customers.]


Introduction to National Grid: National Grid US


GRC Selection & Implementation: Background

• National Grid conducted a review of governance, risk and compliance functions across the enterprise
• Broad consolidated review initiated to understand the benefits of pulling together governance, risk and compliance
• Review included governance, risk and compliance:
  – Processes
  – Culture
  – Information and data
  – Systems
• Review found areas were fit-for-purpose
• Potential for improvement and closer integration


GRC Selection & Implementation: Processes, information and systems review

• Conducted a wide review involving many GRC business departments within the enterprise (UK and US)
• The process-systems-information workstream looked at:
  – Current systems and data
  – Products on the market which could support governance, risk and compliance processes independently
  – Integrated “eGRC” products
• Full procurement exercise
• Company organisational change
• Business programme change


GRC Implementation: Sponsorship, ownership and governance

• Start-up of the GRC programme
• Ensure the clear rationale is understood “at the top” of the company
• Sponsorship
  – Executive sponsor
  – Formed Steering Group with sponsorship across the governance, risk and compliance groups benefiting from GRC…
  – …including GRC business areas in planned future implementation Stages
  – Group Audit and Risk Committees
• Ownership
  – Steering Group nominated lead business SMEs within each of the business areas – the Business Leads
• Governance
  – Programme and project governance – Business Leads, RSA Archer and IS
  – Independent programme review and implementation assurance


GRC Implementation: Objective

Implement an integrated, company-wide, cost-effective GRC system capable of adequately managing information to meet our current and future risk, compliance and assurance requirements.

Configured GRC will…
• Enable controlled data sharing and alignment
• Use common information – ‘single source of the truth’
• Facilitate automated monitoring, action-tracking and reporting
• Help ensure that the Company is acting in accordance with its rules and controls


GRC Implementation: Defining the implementation roadmap

• Strategy Roadmap exercise
  – Optimum start point for full future GRC configuration
  – Start ‘small’ and build from a stable core
  – Take account of the ‘final’ system configuration at the outset
  – Start with the business areas which derive the greatest benefit from using the solutions
  – Final roadmap influenced by the business areas best able to support the programme
• Strategy Roadmap produced with business SMEs and RSA Professional Services


• Roadmap is an optimum balance of:
  – starting small, and yet…
  – large enough business critical-mass to
    – ensure visibility at the highest level
    – justify the enterprise licence costs
  – generating value
  – generating ‘speed-to-value’
• Full project scope divided in two to reduce implementation risk (Stages 1 & 2)
• Sanction initially sought for Stage 1 as part of the full programme

Page 14: Enterprise-wide GRC Implementation - Dell EMC · We using many solutions of RSA Archer eGRC Compliance Management Document your control framework, assess design and operational effectiveness,

14© Copyright 2013 EMC Corporation. All rights reserved.

We are using many solutions of the RSA Archer eGRC suite

• Compliance Management: Document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues.

• Policy Management: Centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance.

• Threat Management: Track threats through a centralized early warning system to help prevent attacks before they affect your enterprise.

• Enterprise Management: Manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives.

• Risk Management: Identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation or acceptance.

• Incident Management: Report incidents and ethics violations, manage their escalation, track investigations and analyse resolutions.

• Business Continuity Management: Automate your approach to business continuity and disaster recovery planning, and enable rapid, effective crisis management in one solution.

• Audit Management: Centrally manage the planning, prioritization, staffing, procedures and reporting of audits to increase collaboration and efficiency.

• Vendor Management: Centralize vendor data, manage relationships, assess vendor risk, and ensure compliance with your policies and controls.

Page 15: Enterprise-wide GRC Implementation - Dell EMC · We using many solutions of RSA Archer eGRC Compliance Management Document your control framework, assess design and operational effectiveness,

15© Copyright 2013 EMC Corporation. All rights reserved.

Solutions supporting the GRC processes in the first stage of implementation

• Compliance Management: Document the control framework and respond to policy and regulatory compliance issues
• Policy Management: Centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance
• Threat Management: Track threats through centralised warning to help ensure reduced impact on the enterprise
• Enterprise Management: Manage relationships and dependencies within the hierarchy and infrastructure to support GRC initiatives
• Incident Management: Report incidents and ethics violations, manage their escalation, track investigations and analyse resolution
• Risk Management: Identify and capture risks, evaluate them and respond with remediation or acceptance

Participating business areas:
• Corporate Risk Management
• Group Compliance
• IS Digital Risk & Security
• Information Records Management
• US Regulatory Compliance
• US Network Strategy
• Incident Management (Ethics)

Page 16: Enterprise-wide GRC Implementation - Dell EMC · We using many solutions of RSA Archer eGRC Compliance Management Document your control framework, assess design and operational effectiveness,

16© Copyright 2013 EMC Corporation. All rights reserved.

GRC Implementation: Original stages and phases (participating business areas in braces)

Stage 1
• Phase 1: Enterprise Management, Risk Management, Incident Management
  {Risk Management, IS DR&S, Ethics Case Management}

Stage 2
• Phase 2: Compliance Management, Policy Management
  {Group Compliance, US Regulatory Compliance, IS DR&S}
• Phase 3: Policy Management
  {Information Records Management, IS DR&S}
• Phase 4: Issues Management, Policy Management
  {IS DR&S, Regulatory Support & Reporting, US Controls and Governance}
• Phase 5: Audit Management and extending Stage 1 solutions
  {Project Management and Construction (UK, US)}
• Phase 6: Threat Management and extending Stage 1 solutions
  {Global Security, Group Finance and Controls, IS DR&S}

Page 17: Enterprise-wide GRC Implementation - Dell EMC · We using many solutions of RSA Archer eGRC Compliance Management Document your control framework, assess design and operational effectiveness,

17© Copyright 2013 EMC Corporation. All rights reserved.

Targeted Benefits: Risk Management

• Improved review and change-tracking capability
• Improved ease of data entry
• Closer integration with other assurance-related processes

Page 18: Enterprise-wide GRC Implementation - Dell EMC · We using many solutions of RSA Archer eGRC Compliance Management Document your control framework, assess design and operational effectiveness,

18© Copyright 2013 EMC Corporation. All rights reserved.

Targeted Benefits: Group Compliance

• Help ensure consistent adherence to the corporate Compliance Management Procedure
• Enable more efficient and timely Compliance reporting and resolution actions
• Promote improved compliance information to enable more effective monitoring and challenging of controls
• Reduce the compliance management administrative burden
• Increase transparency of ownership and traceability of controls across the enterprise

Page 19: Enterprise-wide GRC Implementation - Dell EMC · We using many solutions of RSA Archer eGRC Compliance Management Document your control framework, assess design and operational effectiveness,

19© Copyright 2013 EMC Corporation. All rights reserved.

Targeted Benefits: US Regulatory Compliance

• Provide a central database for managing and tracking regulatory requirements
• Centralise action tracking for issues management, reducing administrative burden
• Provide automated workflows across the organisation
• Link identified risks and internal audit findings to associated compliance action plans
• Provide dashboard reports to aid both executive and business oversight of compliance obligations and corrective action plans

Page 20: Enterprise-wide GRC Implementation - Dell EMC · We using many solutions of RSA Archer eGRC Compliance Management Document your control framework, assess design and operational effectiveness,

20© Copyright 2013 EMC Corporation. All rights reserved.

Targeted Benefits: Ethics and Compliance Office

• Provide a more timely and efficient reporting mechanism
• Reduction of administrative burden
• Improved collaboration on more complex cases/incidents
• Opportunity for further flexibility and adaptability to changing business needs and requirements

Page 21: Enterprise-wide GRC Implementation - Dell EMC · We using many solutions of RSA Archer eGRC Compliance Management Document your control framework, assess design and operational effectiveness,

21© Copyright 2013 EMC Corporation. All rights reserved.

Targeted Benefits: US Network Strategy - Regulatory Support & Reporting

• Single repository of compliance documentation
• Enhanced transparency and ownership of compliance requirements
• Improved compliance reporting
• Reduced risk of non-compliance with standards

Page 22: Enterprise-wide GRC Implementation - Dell EMC · We using many solutions of RSA Archer eGRC Compliance Management Document your control framework, assess design and operational effectiveness,

22© Copyright 2013 EMC Corporation. All rights reserved.

Learning points from our implementation experience so far…

• Know your organisation’s hierarchy
• Need for business collaboration and potential compromise on shared solutions
• Significant effort and time required from Business SMEs
• Business priorities will change
• Business areas may not have the same GRC process maturity
• Enterprise GRC implementation is not the panacea to resolve organisational process challenges alone
• Potential for integrated reporting is a step on the path towards improved assurance-community interactions, but not the sole enabler
• Allow time to get through the governance and procurement processes


Thank you