Governance Risk Compliance
A Luxury Good in Hard Times?
2/10/10
Why the GRC emphasis in the last 5-10 years?

• Lots of reasons:
  – Worldwide complexity and specialization. Risk is less “bounded.”
  – Global trend of transparency for both emerging and industrialized nations.
  – The usual suspects, Enron, WorldCom, Madoff, etc. widely reported; stakeholders demand more accountability.
  – Changing structure of work. Industrial management models do not fit today’s less hierarchical, more distributed structures. Appropriate GRC systems provide flexibility while keeping risk in check.
  – Higher accountability for the Board of Directors.
  – Calls for increased regulation and control spawned by recession.
Is GRC really a luxury good?

• Risks don’t decrease in hard times.
• Cost management is always in style.
• If there was ever a bad time for a major project to fail, that time is now.
• Could be a CLM. Auditors are quick to note declines in governance and they report to the BOD.
• GRC tools are growing in power and value every day, but “home grown” is better than nothing.
Frameworks & Tools

• Frameworks: mental constructs – not dependent on time, place or technology. Mostly words.
• Tools: programs, databases and other artifacts that allow the framework to be realized.
Select the framework(s) that fits. No need to use all of it. Mix & match OK
Frameworks often sound like bureaucrat-speak, but when properly implemented, they work ….
CobiT

Common IT framework, accepted by the “Big 4” and other auditing firms as a reliable framework.

Source: CobiT 4.1, Information Systems Auditing and Control Association
A Plethora of Governance Mechanisms

Source: Information Systems Control Journal, volume 2, 2008, p. 25
GRC Maturity Model

Match your framework(s) to your IT strategy/architecture – layer by layer
Match your framework(s) to your IT strategy/architecture – layer by layer

Infrastructure layer (tools named on the slide):
  - Network management/monitoring: SolarWinds, What’s Up Gold
  - Alertlogics: IDS
  - Alertlogics: Log Manager
  - Antivirus: McAfee
  - Email spam: Cisco IronPort, Vamsoft ORF, Barracuda

Application/GRC layer (tools named on the slide):
  - iCIMS’ Applicant Tracking
  - Approva
  - Oracle
  -- SAP GRC
  - SOD reporting, using Excel
  -- Custom
  -- AON Risk Service
GRC is the glue that keeps the architecture together

PMO

Source: The Effective CIO, CRC Press

SDLC – “Post it” Notes for Governance

Let the SDLC anchor your governance processes for projects

Risk Models for Projects

Annual risk assessment
PMO challenges

• Changing the culture.
• Making projects & progress visible to the right people.
• Prevents use of “enhanced” numbers by project sponsors – with no follow up.
• Creates metrics to measure success.
• Develops structure to force logical rather than emotional estimates.
• Enforces the methodology.
PMO Dashboard

PMO History

GRC serves IT, general business processes or both

GRC focus areas
GRC Packages – Narrow Focus/vertical

Examples:

• Applicant tracking system. Office of Federal Contract Compliance Programs (OFCCP) can levy fines if hiring practices are not in compliance.
• Risk tracking (focus on insurance). Feeds from insurance carriers interfaced with fleet information, such as number of miles logged, hours driven, accidents, claims.
GRC packages …. A few suggestions

• GRC touches so many groups -- the chances of duplication are high.
• Make sure your package has hooks for customization (SDK, API, etc.).
• Decision point: industry specific or generic package.
GRC package selection is no different from other software – do your due diligence

GRC Package Examples

One off governance examples

  Example 1

  Example 2
Governance using packages augmented with in-house developed tools

• Reporting and enforcement tightly coupled with real-time events.
• Controls enforcement, credit risk management analytics, SOD, configuration management, fraud alerts, odd behaviors, hierarchical approvals …
Metrics are the raw fuel of good governance

WIP …..
Some examples of improving GRC “on the cheap”

• Use your accounting system to improve granularity of expenditure reporting.
• Create as many accounts/sub accounts as you need.
• “Chunk” projects for better control.
GRC tools include not only software/consulting from providers but also in-house documents and strategies. You can do a lot with existing resources.

• Policies and procedures may be tedious. Yet thinking through P&P forces a useful governance discipline.
• Technical architecture. It can be five pages or five hundred but you need one. A stable delivery platform requires structure rather than ad hoc decisions in times of stress.
Another in-house example

• Security turnaround document – send an access rights listing to supervisors and have them send back deletions for employees & contractors who are gone or who no longer need specific access (consider it as backup for your primary security process).
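One way to process the returned turnaround documents, as an added example that is not code from the presentation: the listing, the supervisors’ deletions and the HR departure list are all constructed sample data, and the script sorts each access entry into remove / keep / unanswered so that a non-response is never treated as approval, while the HR list acts as the backstop the slide describes.

```python
"""Reconcile a "security turnaround" access review.

Added illustration, not code from the presentation. All data below is
constructed: an access-rights listing sent out by supervisor, the
deletions each supervisor sent back, and an HR list of departed users
that serves as the backstop for the primary deprovisioning process.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str, str]  # (user, system, role)


@dataclass(frozen=True)
class AccessEntry:
    user: str        # account name
    system: str      # system the access is held on
    role: str        # role or permission granted
    supervisor: str  # who must confirm the access is still needed

    @property
    def key(self) -> Key:
        return (self.user, self.system, self.role)


# Constructed access listing (hypothetical accounts and systems).
ACCESS_LISTING: List[AccessEntry] = [
    AccessEntry("jdoe",   "ERP",  "AP_CLERK",    "mlee"),
    AccessEntry("jdoe",   "VPN",  "REMOTE",      "mlee"),
    AccessEntry("asmith", "ERP",  "AP_APPROVER", "mlee"),
    AccessEntry("ctran",  "HRIS", "PAYROLL_RO",  "rkim"),
    AccessEntry("bwong",  "ERP",  "SYSADMIN",    "rkim"),
    AccessEntry("pgarza", "VPN",  "REMOTE",      "ovaz"),
]

# Constructed supervisor responses: the entries each supervisor marked for
# deletion. A supervisor missing from this dict never returned the document.
SUPERVISOR_DELETIONS: Dict[str, Set[Key]] = {
    "mlee": {("jdoe", "VPN", "REMOTE"),
             ("bwong", "ERP", "SYSADMIN")},   # not mlee's report: misrouted
    "rkim": {("xnoone", "ERP", "AP_CLERK")},  # no such entry in the listing
}

# Constructed HR departure list (the primary process should already have
# removed these; the review catches anything it missed).
HR_DEPARTED: Set[str] = {"asmith"}


def reconcile(listing: List[AccessEntry],
              deletions: Dict[str, Set[Key]],
              departed: Set[str]) -> Dict[str, list]:
    """Sort the listing into four buckets for the deprovisioning team.

    remove     - delete: named by the responsible supervisor, or the user
                 is on the HR departure list (backstop, no response needed)
    keep       - supervisor responded and did not list the entry
    unanswered - supervisor returned nothing; left open, never auto-approved
    unknown    - deletion requests matching no entry owned by that
                 supervisor (typo, already removed, or misrouted); follow up
    """
    by_key = {e.key: e for e in listing}
    out: Dict[str, list] = {"remove": [], "keep": [], "unanswered": []}
    for e in listing:
        if e.user in departed or e.key in deletions.get(e.supervisor, set()):
            out["remove"].append(e)
        elif e.supervisor in deletions:
            out["keep"].append(e)
        else:
            out["unanswered"].append(e)
    out["unknown"] = sorted(
        k for sup, keys in deletions.items() for k in keys
        if k not in by_key or by_key[k].supervisor != sup
    )
    return out


if __name__ == "__main__":
    result = reconcile(ACCESS_LISTING, SUPERVISOR_DELETIONS, HR_DEPARTED)
    for bucket, entries in result.items():
        print(f"{bucket}:")
        for item in entries:
            print("   ", item.key if isinstance(item, AccessEntry) else item)
```

The "keep" bucket is the evidence an auditor will ask for later: each entry in it was explicitly reviewed by a named supervisor on a known date.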
Active Management of Contracts

Actively Manage Contracts – a win/win in the long run

• Note that contracts from large vendors are not necessarily fixed in stone. They will often work with you.
• Facilitate negotiations by converting draft vendor contracts in PDF format to an editable document. After both sides reach agreement, the final document can be converted to PDF.
• Set up a repository/tracking system.
• Centralize hardware/software purchases.
• Think through the entity name (Corporate entity or subsidiary) used in the purchase, as well as “affinity language” or assignments.
• Insert price lists and price holds if appropriate.
• Work with your vendor to explicitly address auto-renewals.
• Include downturn scenarios in the final agreement.

Actively Manage Contracts – Work with your vendors to:

• Build mutually satisfactory caps on maintenance increases.
• Keep audit clauses reasonable and practical so that your vendor can be assured of compliance but the audit itself is not burdensome.
• Manage the accuracy of data that drives billing. You owe no more and no less than the contract requires. User name changes and confusion between Corporate and subsidiary use of software should be monitored.
• Specify explicitly the pricing variance between “true up” and unanticipated growth.

Actively manage contracts

• Routinely include non-disclosure agreements in your contracts (works both ways).
• Work with supplier to lay out contract maintenance going forward.
• Obtain agreement on who owns the code. The decision could go either way, depending on a number of factors.
Some GRC issues are really close to home

Source: www.bsa.org

Getting in front of your auditors

• GRC, including self audits, lets you know where you stand before the audit.
• Aside from fraud investigations, IT audits should not be a surprise … work with IA to separate best practices from essential governance requirements.

Wrap up. In difficult times:

• Don’t let GRC go
• Do your homework (formal analysis) and acquire the tools that fit your business
• Think beyond IT – your enterprise needs GRC (both vertical and horizontal) for many activities
• Maintain/develop PMO
• Develop an architecture/roadmap
• Avoid fragmented/duplicated efforts
• Work with your auditors (internal and external)

Thank You. Questions?
Grc (V3) Brown Yarberry For Feb 10th Keynote Presentation