2. Why the GRC emphasis in the last 5-10 years?
• Lots of reasons:
– Worldwide complexity and specialization. Risk is less “bounded.”
– Global trend of transparency for both emerging and industrialized nations.
– The usual suspects, Enron, WorldCom, Madoff, etc., widely reported; stakeholders demand more accountability.
– Changing structure of work. Industrial management models do not fit today’s less hierarchical, more distributed structures. Appropriate GRC systems provide flexibility while keeping risk in check.
– Higher accountability for the Board of Directors.
– Calls for increased regulation and control spawned by the recession.
3. Is GRC really a luxury good?
• Risks don’t decrease in hard times.
• Cost management is always in style.
• If there was ever a bad time for a major project to fail, that time is now.
• Could be a CLM (career-limiting move). Auditors are quick to note declines in governance, and they report to the BOD.
• GRC tools are growing in power and value every day, but “home grown” is better than nothing.
4. Frameworks & Tools
• Frameworks: mental constructs – not dependent on time, place or technology. Mostly words.
• Tools: programs, databases and other artifacts that allow the framework to be realized.
6. Frameworks often sound like bureaucrat-speak, but when properly implemented, they work …
7. CobiT
Common IT framework, accepted by the “Big 4” and other auditing firms as a reliable framework.
Source: CobiT 4.1, Information Systems Audit and Control Association (ISACA)
8. A Plethora of Governance Mechanisms
Source: Information Systems Control Journal, volume 2, 2008, p. 25
11. Match your framework(s) to your IT strategy/architecture – layer by layer
Infrastructure layer:
– Network management/monitoring: SolarWinds, WhatsUp Gold
– IDS: Alert Logic
– Log management: Alert Logic Log Manager
– Antivirus: McAfee
– Email spam: Cisco IronPort, Vamsoft ORF, Barracuda
Application/GRC layer:
– iCIMS Applicant Tracking
– Approva
– Oracle
– SAP GRC
– SOD reporting, using Excel
– Custom
– AON Risk Service
12. GRC is the glue that keeps the architecture together
18. PMO challenges
• Changing the culture.
• Making projects & progress visible to the right people.
• Prevents use of “enhanced” numbers by project sponsors – with no follow up.
• Creates metrics to measure success.
• Develops structure to force logical rather than emotional estimates.
• Enforces the methodology.
23. GRC Packages – Narrow Focus/vertical
Examples:
• Applicant tracking system. Office of Federal Contract Compliance Programs (OFCCP) can levy fines if hiring practices are not in compliance.
• Risk tracking (focus on insurance). Feeds from insurance carriers interfaced with fleet information, such as number of miles logged, hours driven, accidents, claims.
24. GRC packages … a few suggestions
• GRC touches so many groups – the chances of duplication are high.
• Make sure your package has hooks for customization (SDK, API, etc.).
• Decision point: industry-specific or generic package.
25. GRC package selection is no different from other software – do your due diligence
31. Some examples of improving GRC “on the cheap”
• Use your accounting system to improve granularity of expenditure reporting.
• Create as many accounts/sub-accounts as you need.
• “Chunk” projects for better control.
32. GRC tools include not only software/consulting from providers but also in-house documents and strategies. You can do a lot with existing resources.
• Policies and procedures may be tedious. Yet thinking through P&P forces a useful governance discipline.
• Technical architecture. It can be five pages or five hundred, but you need one. A stable delivery platform requires structure rather than ad hoc decisions in times of stress.
33. Another in-house example
• Security turnaround document – send an access rights listing to supervisors and have them send back deletions for employees & contractors who are gone or who no longer need specific access (consider it as backup for your primary security process).
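A small helper for the security turnaround document described above, added here as an example and not part of the original slides: it groups an access export by supervisor, turns the deletions they send back into a revocation list, and flags both supervisors who never replied and deletions that match nothing in the export. The column names, the sample export and the replies are all constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample access export; the column names are assumptions.
ACCESS_EXPORT = """user,system,role,supervisor
alice,ERP,AP_Clerk,carol
bob,ERP,AP_Approver,carol
bob,HR,Reader,carol
dave,Payroll,Admin,erin
frank,ERP,AP_Clerk,erin
gina,ERP,Reader,hank
"""

# Constructed replies: each supervisor returns the rows to delete as
# "user,system,role" strings copied from the listing they were sent.
RESPONSES = {
    "carol": ["bob,ERP,AP_Approver", "bob,HR,Reader"],
    "erin": ["frank,ERP,AP_Clerk", "zed,ERP,Admin"],  # "zed" is a typo
}

def load_access(text):
    """Parse the export into (user, system, role, supervisor) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["user"], r["system"], r["role"], r["supervisor"]) for r in rows]

def build_listings(entries):
    """Group access rows by supervisor: the listing each one must review."""
    listings = defaultdict(list)
    for user, system, role, sup in entries:
        listings[sup].append((user, system, role))
    return dict(listings)

def apply_responses(entries, responses):
    """Return (revoke, unmatched, unanswered).

    revoke: rows to remove, each confirmed against the export.
    unmatched: reply lines naming no existing access (typos) - query, don't drop.
    unanswered: supervisors who did not reply; their rows are not certified.
    """
    listings = build_listings(entries)
    revoke, unmatched = [], []
    for sup, lines in responses.items():
        known = set(listings.get(sup, []))
        for line in lines:
            row = tuple(line.strip().split(","))
            (revoke if row in known else unmatched).append(row)
    unanswered = sorted(set(listings) - set(responses))
    return revoke, unmatched, unanswered
```

The unanswered list is the part worth watching: a review that silently treats silence as approval is no backup at all.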
35. Actively Manage Contracts – a win/win in the long run
• Note that contracts from large vendors are not necessarily fixed in stone. They will often work with you.
• Facilitate negotiations by converting draft vendor contracts in PDF format to an editable document. After both sides reach agreement, the final document can be converted to PDF.
• Set up a repository/tracking system.
• Centralize hardware/software purchases.
• Think through the entity name (corporate entity or subsidiary) used in the purchase, as well as “affinity language” or assignments.
• Insert price lists and price holds if appropriate.
• Work with your vendor to explicitly address auto-renewals.
• Include downturn scenarios in the final agreement.
36. Actively Manage Contracts – Work with your vendors to:
• Build mutually satisfactory caps on maintenance increases.
• Keep audit clauses reasonable and practical so that your vendor can be assured of compliance but the audit itself is not burdensome.
• Manage the accuracy of data that drives billing. You owe no more and no less than the contract requires. User name changes and confusion between corporate and subsidiary use of software should be monitored.
• Specify explicitly the pricing variance between “true-up” and unanticipated growth.
37. Actively manage contracts
• Routinely include non-disclosure agreements in your contracts (works both ways).
• Work with the supplier to lay out contract maintenance going forward.
• Obtain agreement on who owns the code. The decision could go either way, depending on a number of factors.
39. Getting in front of your auditors
• GRC, including self-audits, lets you know where you stand before the audit.
• Aside from fraud investigations, IT audits should not be a surprise … work with internal audit (IA) to separate best practices from essential governance requirements.
40. Wrap up. In difficult times:
• Don’t let GRC go
• Do your homework (formal analysis) and acquire the tools that fit your business
• Think beyond IT – your enterprise needs GRC (both vertical and horizontal) for many activities
• Maintain/develop PMO
• Develop an architecture/roadmap
• Avoid fragmented/duplicated efforts
• Work with your auditors (internal and external)