Enabling it with GRC Technology
Debbie Lew (debbie.lew@ey.com), Senior Manager, E&Y
Steven Jones (steven.jones@ey.com), Senior Manager, E&Y
Overview
1. What is risk management? Common understanding
2. IT risk management lifecycle
3. Key components of an IT risk management program
4. Resources and enablers for IT risk management
5. What does technology enablement mean?
6. Industry perspective
7. Business drivers
8. Trends and challenges
9. Risk process implementation
10. GRC technology implementation considerations
11. Value considerations

What are your challenges with IT risk management in your organization?
Industry Perspective
Risk management, regulatory, and compliance requirements are increasingly complex and intrusive (especially for financial services institutions) and have become a growing operational and financial burden. These requirements are not optional and must be addressed.
Institutions have often approached the requirements in silos, leading to the creation of multiple risk governance processes, methods and infrastructure.
Typical control functions are experiencing scope creep due to a combination of external and internal pressures. High expectations have blurred the lines of authority and responsibility among the control units.
Cost reduction imperatives are limiting the ability of risk management functions to keep pace with business growth.
Lines of business are experiencing risk management process fatigue. Significant amounts of time and money are spent complying with risk requirements, which can be further burdened by multiple requests and duplicative efforts.
Boards of directors and senior management are demanding more comprehensive, consolidated, and actionable governance, risk and compliance information.

Risk management lifecycle
IT risk management program: what is it?
IT risk governance and strategy, and the supporting organization, resources and components used to establish an effective, operational and sustainable IT risk management program.
Components can include:
Defined business drivers that align to Risk Strategy, Charter and Reporting on critical success factors
Defined regulatory requirements and industry standards for adherence
Charter that reflects the mandate for the IT risk management program, risk principles and governance structure for operating the program
IT risk management strategic plan that defines program objectives, business drivers alignment, critical success factors and measurements, risk governance structure, risk management processes, roles and responsibilities, risk appetite and tolerance guidance, strategic and tactical initiatives, timelines and work effort for design and implementations, interdependencies with other functional operations (ERM/ORM, Security, BCM, Compliance, SOX, etc.)
Defined risk management policies and standards
Defined and documented taxonomy
Defined IT Risk & Control Framework (Process/Risk/Control Model)
Rating, scoring and weighting model or quantification model
Risk identification process: internal and external data mining for trends, analysis and classification
Risk profiling attributes and process
Business case and value of an IT Risk (GRC) Management Framework
Effective, documented response to numerous regulatory/industry/audit/compliance requirements
Lower cost
  Repeatable processes and risk based technology decisions produce 8-12% cost savings (average from various sources including Gartner, Forrester, and the Risk Management Association)
Reduce siloed and duplicative efforts
  Lines of business/functions experiencing assessment fatigue
  Consistent controls and consistent testing strategy focused just on higher risk areas deemed key for the organization
Better allocation of technology spend and resources
  Defensible, risk based decisions to properly allocate technology spend to highest risk areas
Manage unknown risk
  Quickly identify new risks and quantify cost of exposure through consistent processes (new systems, new technologies)
  Enable go to market for new ventures, emerging technologies, and business products
System stability/performance
  Reduce system failures with a risk based approach to system and architecture investments, e.g., identification and categorization of failure trends and issues with systems, allowing risk ranked remediation across the enterprise
ISACA's Risk IT Framework and Practitioner's Guide
Risk IT is a framework based on a set of guiding principles and featuring business processes and management guidelines that confirm these principles.
The Risk IT framework is to be used to help implement IT governance.
Organisations that have adopted (or are planning to adopt) CobiT as their IT Governance framework can use Risk IT to enhance risk management.
Figure: Risk IT Framework
COBIT 5
The COBIT 5 governance or management practices are equivalent to the Risk IT processes.
The COBIT 5 activities are equivalent to the Risk IT management practices.
COBIT 5 follows the same goal and metric concepts as Risk IT, but these are renamed enterprise goals, IT related goals and process goals, reflecting an enterprise level view.
COBIT 5 provides RACI charts describing roles and responsibilities in a similar way to Risk IT.
Future enabler includes COBIT 5 for Risk.

Principle 1. Meeting Stakeholder Needs
Enterprises exist to create value for their stakeholders.

COBIT 5: Enabling Processes
Enabling Process APO12: Manage Risk
When you hear the term GRC, what does it mean to you and your organization?

What does GRC technology enablement mean?

Technology enablement
The development of business aligned requirements to drive the use of technology to design, enhance, implement and operationalize Governance, Risk and Compliance processes.
Organizations that use technology to enable their GRC processes have the potential to reduce the cost of risk management, enhance compliance and audit, streamline reporting, better manage risk, and deliver insight for better decision making. By enabling technology, companies can build an effective foundation that allows them to build efficiency, integrity and consistency into their processes:
Data mapping to identify critical relationships between corporate objectives, risks and controls;
Workflow to optimally coordinate activities across multiple layers of the organization;
Decision support necessary for planning and reporting;
Management of risks from identification, to assessment and treatment;
Modelling multiple risk hierarchies and integrating risk intelligence with other asset and risk information systems;
Understanding the holistic IT Process, Risk and Control environment in place within an organization; and
Reporting, monitoring and dashboarding of risk (inherent risk, residual risk and key risk indicators) across the IT environment.

Figure: Governance, Risk & Compliance tool space
Business drivers for technology enablement

Business drivers
Increasingly complex and updated risk management, regulatory and compliance requirements, and Board and shareholder expectations
Duplication of risk governance processes, methods and infrastructure
  Too many siloed assessments across functional areas of technology
  Non-aggregated reporting across multiple sources of risk intelligence
  Inconsistent risk taxonomies
Control functions experiencing scope creep and high expectations have blurred lines of authority/responsibility amongst control units
  Pending Dodd-Frank legislation
  An increased pressure to comply with NIST
  Regulatory updates across FFIEC and BITS
  PCI DSS v2.0
Duplication of controls across multiple IT units
  Multiple shared controls that could be condensed
  Driving towards control convergence and automated control monitoring through GRC technology
Cost reduction imperatives are limiting the ability of risk management functions to keep pace with business growth
  IT risk management requirements have increased while pressure is faced across available budget and headcount
Lines of business are experiencing risk management process fatigue due to the amount of time and money spent complying with risk requirements
Management is demanding more comprehensive, consolidated, and actionable governance, risk and compliance information
  Repeat and overlapping assessments over functional areas of technology
  Time commitment required to follow organizational risk management processes is placing a burden on the first line of defense
  Non-prioritized approach to risk mitigation leading to potential improper allocation of funds
  Reporting of risk management activity and outcomes across multiple hierarchies is a challenge for IT risk functions
  Organizations are facing challenges when attempting to incorporate risk intelligence across the organization
Mergers & Acquisitions
  Multiple risk programs requiring consolidation and aggregation
  IT risks inherited from legacy environments
Figure: risk governance structure. External: regulators, analysts, investors. Board/senior management oversight: Audit committee, Risk committee, Compensation committee, Other committees. Executive management: CEO, CFO, CRO, General Counsel. Internal control functions: Internal audit, Risk management, Compliance, Internal control, Information technology, Legal and regulatory, External audit. Business units. Principles shown across the structure: Aligned mandate and scope; Coordinated infrastructure and people; Consistent methods and practices; Common information and technology.
Trends and challenges

Key issues and trends facing GRC tools
Lack of a GRC strategy, vision and holistic business and functional requirements can lead to incorrect tool selections, over budget implementations of GRC tools, or misuse of GRC technology.
There is a continued evolution and broader use of technology for GRC across IT.
There has been a recent entrance of software heavyweights into the GRC market.
GRC tools are being leveraged for business process management and assessment rules engines along with continuous auditing, monitoring and control testing.
GRC vendors are developing relationships with other application vendors (competitors and complementary products) to extend the range of the software. Others have been acquired to combine product offerings into larger, more comprehensive packages.
Key issues and trends facing GRC tools (cont.)
A lack of governance and accountability for GRC tools can limit the return on investment from a GRC solution. Ownership of GRC technology is crucial to driving consistency in methodology, reporting and presentation.
Many organizations are designing a holistic GRC technology ecosystem to achieve holistic risk intelligence across the enterprise.
There are multiple regulatory environments that can be covered by GRC tools, and not one GRC vendor provides content to cover all the environments.
There is increased board liability as it pertains to IT risk.
Organizations are looking at leveraging GRC technology to facilitate a central corporate policy management portal.
There is outsourcing of compliance monitoring for the internal and external business environments.
Consulting firms are either tool agnostic or they are not. Many firms have strategic relationships with GRC vendors that may skew their perspective.
Current state limitations
Definition of GRC
  The definition of GRC differs from client to client and vendor to vendor, leading to an inability to standardize GRC requirements and guide future development.
  Isolation of financial risk management functionality from mainstream GRC solutions
No single solution available
  All solutions perform well for certain aspects of GRC, but no one solution provides a complete holistic solution for all GRC requirements.
Immature dashboarding and metrics
  Not all tools provide web enabled reporting and dashboards.
  Non-financial RM tools do not provide advanced charting capabilities to address complex risk scenario analysis.
Virtually nonexistent global regulatory content
  Inconsistent framework mapping and content
Assessment methodology
  Only a select few tools allow for logic based assessments (questionnaires, surveys, etc.), which integrate business workflow and risk calculations driven by assessment results.
  Risk control library management is not integrated into assessments to drive risk convergence.
Key issues & trends facing GRC tools: no silver bullet!
Issues
  No silver bullet
  Non-standard definition of GRC hampers ability to define future state and drive requirements
  Multiple regulatory environments
  Increased board liability
  Many of the systems currently in use were developed for a specific function or sector need. These vendors are challenged with finding alternative uses for their applications
  Immature dashboards and metrics
  Immature capabilities to gain real time data feeds
  Inconsistent framework mapping
  Configuration flexibility
  Assessment methodology and maturity
  Initiative should be a directive from executive management with agreement from all key stakeholders
Market issues are driving product trends
Trends
  Continued evolution and broader use of technology for GRC
  Entrance of software heavyweights into GRC market
  Architecting a holistic GRC technology ecosystem
  Integration of web services to enable risk and regulatory intelligence
  Implementation of a central corporate policy management portal
  Use of business process management and rules engines along with continuous auditing, monitoring and control testing
  Outsourcing of compliance monitoring for the internal and external business environments
  Acquisitions and alliances are forming to extend or enhance product offering

What are your challenges (anticipated) in selecting, configuring and implementing GRC technology?
GRC tool implementation challenges
Functional requirements, along with organizational and process convergence, should be defined prior to tool selection by performing a feasibility study
  Organizations that purchase a solution and then attempt to converge the risk organization and processes face many challenges
Maturity of vendor solutions is not where it needs to be to meet all GRC functional requirements
A lack of understanding of how other business tools can integrate into GRC solutions, and of future GRC state requirements, still exists
Many organizations will need to customize their selected GRC tool or change their current methodologies, business processes, and hierarchies to have a successful GRC tool implementation
Content management decision: if aligning to leading practices, frameworks, and regulations, a decision needs to be made to determine whether you will rely on a vendor to provide and manage content going forward or whether it will be customized and managed by the client
Timeframes for implementation are often underestimated: most organizations take between 12-24 months for successful implementation and for operational competencies to be realized
GRC tool cost is often underestimated due to improper calculation of the customization or functional and process modifications that will be needed by the firm
Lack of experienced and knowledgeable resources that are dedicated to GRC tool implementation
Vendor support and experience at business aligned deployments is limited
A key consideration when analyzing GRC solutions is the concept of customization vs. configuration. These are two very distinct terms, and have significant impact on a GRC solution's ability to meet or exceed business and functional requirements.
Configuration refers to the process of altering a GRC solution by making basic changes to the out of the box capability to meet business requirements. This process will not greatly enhance a GRC solution's functionality. Examples of configuration include:
  Changing colors
  Changing field properties (i.e., text, number, length, etc.)
  Adding fields
  Creating basic calculations
Customization refers to the process of altering and enhancing a GRC solution by making advanced changes to the out of the box capability to meet business requirements. This process can greatly enhance a GRC solution's functionality. Examples of customization include:
  Building custom business workflow
  Using JavaScript or HTML to enhance the functionality of the GRC solution
  Using advanced calculations and logic
  Integrating data from multiple systems and sources
GRC solution cost balance
Figure: a balance between Complexity and Support on one side and Customization and Administration on the other. What's the right balance for your organization? Cost needs to increase to achieve balance.
GRC tool functional coverage
Figure: functional areas covered by GRC tools.
Governance: Policy management, Standards, Procedures, PRC framework, Asset and hierarchy management, Process accountability, Data management, Awareness training, Project management
Financial risk: Scenario analysis, Risk modeling, Financial risk impact analysis
Risk management: Risk profiling, Risk assessment, Risk identification, Risk analysis, KRIs, Threat and vulnerability management, Information security, BCP/DR, Internal control management, KRI/KPI management, Vendor management, Service delivery management, Event capture, Loss capture, Incident management, Issues management
Compliance: Regulatory content management, Leading practice content management, Compliance monitoring, Compliance assessment, Program management, Scheduling, Attestation, Evidence capture, SAS 70/SOC 2
Risk treatment: Risk acceptance, Policy exceptions, Risk transference
Metrics, presentation and reporting: Dashboards, Ad-hoc reporting, Notifications, User interface, Statistical analysis, Historical trending, Triggered calculations, Audit tracking, Data export
Audit
IT GRC tool vendor geographic footprint
Figure: world map marking, per region, the leading vendor and the vendors with a presence. Vendors shown are RSA Archer, Thomson Reuters, BWise and Modulo; RSA Archer, Thomson Reuters, BWise and Modulo each lead in at least one region, and some regions have no leader.
Risk process implementation
Populations/inventories/authority information
Business hierarchy
  Considerations around functional, line of business (LOB) or entity hierarchy embedded within the GRC tool
  Determination of depth and breadth of hierarchy
SSO integration
Determination of CMDB (Configuration Management Database) and asset management tool integration for applications and supporting infrastructure, databases, operating systems and data centers
Identification of relevant industry regulations and best practices to align with
Integration with LDAP (Lightweight Directory Access Protocol) to simplify user authentication and user access administration
Access control strategy
Potential technology enablement coverage
Figure: matrix of functions (IT Risk, Op Risk, ERM, Internal Audit, Regulatory Risk, Legal & Compliance, Info Security) against capabilities (PRC Framework, Assessments, Program Mgmt, Issues Mgmt, Case Mgmt, KRIs, Content Mgmt, UI/Metrics/Dashboards, Other).
GRC technology implementation considerations

Key GRC functional requirements
Policy, Standards and Procedures Mgmt.
Risk Mgmt Processes (Assessments, KRIs, Event Capture, Risk Profiling, etc.)
Content Management
Vendor Management
Risk Assessment and Risk Analysis Capabilities
Risk Identification and Profiling
Issues, Mitigation, Risk Acceptance Lifecycle Management
Training and Awareness
Risk Identification Methodology
Frameworks & Hierarchy Structure (Org, Process, Risk, Control)
Asset Management Capabilities
Hierarchy Structure: Organizational, Process, Risk, Control, Metrics and Reporting
Best Practice Content
Technology Controls/Information Security
Regulatory Mapping
Regulatory Mappings
Regulatory Compliance Capabilities and Leading Practices Standards: SOX, Basel II, GLBA & Data Protection Laws, PCI, FFIEC, BITS, COSO, ISO 27002, CobiT, ITIL, etc.
Compliance Monitoring
Business Process Management
Business Workflow Management
Audit Processes
Audit Processes and Workflow
Attestation Capabilities
Archival
Control Automation & Monitoring
Automated Control Testing
Real Time Monitoring
Notification Services
Metrics, Measurements, and Reporting
Quantity & quality of template reports
Ad hoc Reporting
Risk Simulation Capability
Risk Weighting & Calculations
Statistical Analysis
Dashboards
Financial Risk Management
Financial Risk Modeling
Financial Risk Impact Analysis
Quantification Engine
Event Loss/Capture, Incident Management
Financial Risk Content (i.e. ratings)
Configuration Flexibility
Interoperability/Application Interface/Open Standards
Configuration Capabilities
Customization Capabilities

Key GRC functional requirements (cont.)
Available Modules and descriptions
Additional Functionality
Financials
Client Base
Market ratings and rankings
Release Cycle
Implementation Requirements
Product Training
Risk Based Services
Maintenance & Support
Enterprise Scalability
End User Experience/Interface
Teaming and Support from Vendor
Industry Saturation/Customer loyalty
System Administration
Management Assurance
Ease of Use
Auditing and Logging
Vendor Qualifications
Technical Architecture
Backup & Recovery
System Performance
User Administration
Documentation & Guidance
Security Configuration
Infrastructure Requirements
Application Requirements
Integration Capabilities
Data Ownership & Management
Performance and Scalability
Single Sign On Integration
Data Integrity and Audit
Future Product Roadmap
Deployment & Migration
Fees, Contracts and Software Arrangements
Note: The provided GRC Function Requirements are a sample only; a full requirements gathering and weighting exercise must be done to ensure proper tool selection.
Design considerations
Convergence of risks, controls, processes, issues and themes
Roadmap and strategic approach
Solution ownership and governance
Reporting requirements and data considerations
Process and workflow requirements
Source of record vs. data feeds
Implementation management
Functional and technical requirement validation
Support personnel

GRC technology enablement approach
Figure: suggested key milestones: Organizational hierarchy, Process hierarchy, Risk hierarchy, Control hierarchy.
Value considerations

Value proposition
Measurable and documented enterprise commitment to transparency and compliance
Decreased exposure to fraud, catastrophic losses and the full complement of operational risks
Prepared to anticipate and respond to new and changing regulatory matters
Greater insight and more effective decision support
Better equipped to lower cost and improve performance
More effective management and use of enterprise information

Questions?
Thank you!