Turning risk into results Unlocking the power of GRC technology

What we are seeing in the market

Organizations today are struggling with managing risks across the enterprise. External and internal risk management requirements are becoming increasingly complex and intrusive, while the demand for more comprehensive, consolidated and actionable governance, risk and compliance (GRC) information continues to increase. The historic approach of managing risk in silos across different teams, processes, methods and infrastructure cannot keep up with these requirements. Risk management has become a growing operational and financial burden, limiting its ability to keep pace with business growth and transformational initiatives.

This is the right time to learn about opportunities to transform your risk management program by enabling GRC technology that can:

• Create improved visibility and integration by linking various risk and control frameworks

• Lower the cost of risk management through the elimination of duplicate and fragmented risk activities and reduction of manual processes

• Increase efficiencies through automation and end-to-end process centralization

What are the opportunities at your company?

Our recent EY global survey of more than 250 leading organizations found a direct link between effective risk management practices and improved financial performance. Harnessing the power of GRC technology to improve risk information, streamline processes and reduce cost was both the biggest challenge and opportunity in achieving the needed risk management maturity.

Typical current state versus mature state:

Increasing complexity → Simplified
Reactive → Proactive
Failure and fear of unknown → Visibility
Cost pressures → Cost-efficient
Inconsistent approach → Consistent

Typical current state: Multiple and manual risk and access management processes
Mature state: Significant workflow automation; centralized risk and risk assessment management; top-down and bottom-up risk integration

Typical current state: Fragmented, manual and ad hoc reporting; inability to produce a consolidated heat map
Mature state: Consistent and real-time reporting; centralized and consolidated heat map; drill-down capabilities

Typical current state: High instances of segregation of duties violations; lack of confidence that all risks were captured
Mature state: Compliant role design and user provisioning activities; consolidated views and end-to-end risk management processes

Typical current state: Lack of centralization; significant impact on business
Mature state: Centralized processes; reasonable impact on business; ability to manage risks at multiple organizational levels

Typical current state: Inconsistent approach to capture and assess risks across the organization
Mature state: Central end-to-end process; automated risk activities linked to controls and outcomes


GRC technology enables four key objectives of the risk agenda

• Significant workflow automation

• Centralized risk and risk assessment management

• Top-down and bottom-up risk integration

Resulting in the following benefits:

• Improved alignment to the objectives and strategy of the business

• Central management of financial, operational and compliance risks and controls across the organization

• Increased integration and coordination among business, IT and compliance

• Improved control mix that addresses key business risks while driving process efficiencies

• Sustainability of risk management process

• Effective top-down and bottom-up reporting

• Elimination of duplicate and fragmented risk management activities

• Reduced level of effort associated with performing and testing controls

• Reduction in compliance and audit costs, including those associated with audit failure

• Increased control and process efficiencies enabled through automation and continuous monitoring

• Improved return on investment due to reliance on application controls rather than manual controls

• Comprehensive and continuous risk management and monitoring

• Proactive identification of risks

• Improved visibility and integration across manual and fragmented risk activities

• Better aligned risk coverage, including the identification of stronger, more pervasive controls

• Improved visibility to risks that matter most to the organization, enabling resources to focus proactively on the most significant risks

The benefits grouped by the four key objectives:

Improve controls and processes

• Better aligned risk coverage, including the identification of stronger, more pervasive controls

• Reduced level of effort associated with performing and testing controls

• Increased control and process efficiencies enabled through automation and continuous monitoring

• Improved control mix that addresses key business risks while driving process efficiencies

Embed risk management

• Comprehensive and continuous risk management and monitoring

• Central management of financial, operational and compliance risks and controls across the organization

Enhance risk strategy

• Improved alignment to the objectives and strategy of the business

• Improved visibility to risks that matter most to the organization

• Proactive identification of risks

• Enhanced decision-making

Optimize risk management functions

• Elimination of duplicate and fragmented risk management activities

• Increased integration and coordination among business, IT and compliance

• Sustainability of risk management process

• Effective top-down and bottom-up reporting

[Figure: "Turning risk into results" risk agenda diagram showing the four objectives (enhance risk strategy, embed risk management, optimize risk management functions, improve controls and processes) balanced against risk, cost and value]


Next steps to improve your risk management landscape

Maturity models: industry-specific maturity models to assist with mapping the current state to leading practices (enterprise-wide technology, GRC technology and processes/controls).

Leading-practice benchmarks: access to leading practices and industry-specific benchmarks to help assess the current state and identify improvement opportunities.

RiCAP™: collects and analyzes process, risk and controls data to help align risk spend to strategic and business objectives by maximizing risk coverage and identifying control cost drivers.

GRC tool evaluation: a detailed evaluation of 14 leading GRC vendors.

[Table: functionality evaluation matrix with one column per vendor, Tool 1 through Tool 14, scored against the reporting criteria listed below]

Reporting capabilities

► General reporting – How mature is the reporting engine, and how effective is the tool at reporting in a variety of formats such as tables, spreadsheets, summary, column, row and hierarchical tree formats?

► Statistical reporting – How effective is the tool at statistical reporting, including support for bubble, bar, column, line and pie charts as well as heat maps? How effective is the tool at plotting multiple parameters (greater than three) on any one report?

► Dashboard presentation – How effectively can reports be dynamically displayed in dashboards and updated in real time? Can the information presented in a dashboard be “drilled into” to bring up the underlying data that supports the dashboard?

► Content access control – How effective is the tool at dynamically enforcing content restriction based on roles (RBAC) and dynamically calculated permissions?

► Report display and print – How good is the on-screen and print quality of reports? How effective are the report customization options for both visual and data manipulation?

► Report export – How effective are the report exporting capabilities?

► Scheduling – How effective is the report scheduling feature whereby batches of reports can be executed?

► Integration – Can the tool directly integrate with Crystal or Business Objects “out of the box”?

Leading trend: the ability to provide real-time reporting in multiple formats, including heat maps, and the ability to chart “N” number of attributes within any report.

GRC technology spend, effectiveness and efficiency assessment KPIs

[Chart: cycle times in days (0 to 70), Company X versus industry peer, for close process cycle time, days sales outstanding, audit/compliance testing cycle time, risk assessment cycle time and reporting cycle time]

[Chart: percentages (0% to 80%), Company X versus industry peer, for automated primary controls, manual testing of controls, IT portfolio spend (% of revenue), business intelligence spend (% of revenue) and risk technology spend (% of revenue)]

GRC tool functional coverage

Governance
► Policy management
► Standards
► Procedures
► PRC framework
► Asset and hierarchy management
► Process accountability
► Data management
► Awareness training
► Project management

Financial risk
► Scenario analysis
► Risk modeling
► Financial risk impact analysis

Risk management
► Risk profiling
► Risk assessment
► Risk identification
► Risk analysis
► KRIs
► Threat and vulnerability management
► Information security
► BCP/DR
► Internal control management
► KRI/KPI management
► Vendor management
► Service delivery management

Metrics, presentation and reporting
► Dashboards
► Ad-hoc reporting
► Notifications
► User interface
► Statistical analysis
► Historical trending
► Triggered calculations
► Audit tracking
► Data export

Compliance
► Regulatory content management
► Leading practice content management
► Compliance monitoring
► Compliance assessment

Audit
► Program management
► Scheduling
► Attestation
► Evidence capture
► SAS 70/SOC 2

Issues management
► Risk treatment
► Risk acceptance
► Policy exceptions
► Risk transference

Incident management
► Event capture
► Loss capture

Rapid GRC technology diagnostic provides accelerated current state assessment of your GRC processes and technology, allowing you to identify realizable value and develop a future state road map to achieve it.

Why EY?

• Global and flexible approach with a focus on SAP GRC, Oracle GRC and RSA Archer eGRC solutions

• Knowledgeable team with practical experience in process, risk and technology disciplines

• Industry-specific content and enablers

• Leading-practice assessment diagnostics and leverage models

• Service delivery model design and key performance indicators

Our services

• Rapid GRC technology diagnostic

• GRC technology vendor selection

• GRC technology implementation and assessments

• Risk transformation enabled by GRC technology

Baseline enterprise-wide GRC technology maturity model

Optimize enterprise application landscape

► Single ERP vendor as primary choice for global corporate functions

► Aggressively rationalize application portfolio and licensing

► Centrally developed architectural blueprints and standards adopted

Simplify enterprise application landscape

► Rationalize application portfolio and licensing alignment

► Single ERP vendor by function

► Architectural standards and blueprints alignment

Leverage enterprise application landscape

► Some application rationalization

► Leverage unused ERP functionality and integration

► Limited adoption of architectural standards

Deployment options

► Application rationalization/decommissioning

► Point solutions and custom applications

► Inconsistent architectural landscape

[Figure: technology enablement maturity curve plotting benefits against the stages Deploy technology, Leverage technology, Simplify technology and Optimize technology, moving from status quo through maximize cost reduction and maximize IT organizational efficiency to maximize organizational effectiveness; the diagram asks “Where is Co X?” and “What is your future state?”]

GRC technology benchmarking metrics

Metrics (Low / Median / Top):

• Percentage (%) of primary controls that are automated: 9% / 20% / 66%

• Percentage (%) of IT budget related to providing IT support services: 17% / 30% / 46%

• Average cycle time in days (including weekends) from identification of a change in risk until risk response: 74 days / 55 days / 30 days

• Average cycle time in days (including weekends) from the identification of a control violation until it is reported: 14 days / 5 days / 2 days

• Technology cost associated with reporting on internal controls and compliance per $100,000 revenue: 3.8 / 1.1 / 0.2

[Figure annotation: ‘Co X’ current state plotted against these benchmarks, with improvement levers labelled automation, portfolio rationalization and portfolio simplification]

Note: Cross-industry technology, internal controls, and process benchmarks obtained from APQC.

EY | Assurance | Tax | Transactions | Advisory

About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2014 EYGM Limited. All Rights Reserved.


1403-1222661 EC

ED 0115

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com