TRANSCRIPT
Proprietary/Confidential
Moving Governance, Risk Management and Compliance from a Cost to a Strategic Benefit
Presenters
Kevin Malicki, Director of Product Management, Harland Clarke
Sam Abadir, Director of Product Alliances, LockPath®
What You Will Learn
● How financial institutions realize different types of risk and how they address their risk
● How financial institutions manage seemingly disparate data to better manage different types of risk
● How compliance and risk need to be messaged differently across the organization
● How efficient and effective governance, compliance and risk management moves beyond 'checking the box' to providing competitive advantage
> > > IT Risk Management as a Competitive Advantage
Case study at a large bank
Disparate Data Throughout the Business
Vulnerability Scanner
Threat Feed
Tactical & Strategic Activities
Business Priorities
Poll Question - IT Risk Management Maturity

Ad Hoc
• Not managed
• Not tied to risk

Considered
• Attempt at similar management
• One or many scanning tools, all managed individually in the tool
• No information about the assets

Defined
• Assets classified and grouped
• Metrics/SLAs defined and managed
• Manual assessments
• Manual process
• Limited scale due to high cost
• Vulnerability assessments managed individually

Managed
• Assets tied to compliance and internal controls
• Assessment tools used
• Workflow used for communication
• Standardized reporting
• Automation provides for scalability
• Standardized process
• Automatic deduplication of scans
• Data-driven workflow triages scans

Optimized
• IT threats and risks translated to operational risks
• Agile approach to risk management: management defined by risk level
• Outsourced processes linked to strategic goals, risks, and process requirements
• Business Continuity plans extended to vendors
• Risk reporting and analytics
• Integrated audit management
Business Operations Supported by Technology
IT Infrastructure -> Operations -> Value
IT Risks / Operational Risks
IT Supports Business; Risk to Value
Threats to Processes Put Value at Risk
Threats to Supporting Technology Put Value at Risk
Business processes and the systems supporting each:
Targeted Marketing: CRM System, Marketing Systems
New Account Creation: CRM System, Account Management
Credit Processing: Credit Systems, CRM Systems
Account Funding: Accounting Systems, CRM Systems
Trading and Settlement: Accounting Systems, CRM Systems, Trading Systems

IT Threats
• System vulnerabilities
• Application vulnerabilities
• Inadequate security
• Data integrity

Operational Threats
• Poor execution
• Reputation
• Expensive compliance
• Regulatory
5/11/17
IT and Business Data Are Inputs to Risk Management
GRC
GRC Architecture
Enterprise Data -> GRC Platform -> Contextualized Actionable Info

Business Metrics
• Incidents
• KPIs
• Other Business Records

IT Metrics
• Vulnerability Scanners
• Web App Scanners
• Configuration Scanners
• Syslog
• SIEM

GRC Platform
• Risk Register
• Risk Thresholds
• Workflow
• Reporting
• Dashboards

Contextualized Actionable Info
• Staff Reports
• Management Reports
• Board of Director Reports
IT Risk Management Across the Organization

Operational Reports
Which assets are most at risk to...
● Vulnerability findings?
● Scanner findings?
● SIEM findings?
● Etc.?
Asset prioritization
● What do I fix first?
Asset risk history

Management Reports
Average incident response cost?
Are resources deployed effectively?
What is the average patch latency?
Are assets enriched with business information?

BOD/Audit Reports
How much value is at risk?
Do I need to make additional investments to manage risk?
Are current risk management efforts effective?
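The reporting questions above ("What do I fix first?", "Are assets enriched with business information?", "What is the average patch latency?") and the "Managed" maturity level's automatic deduplication of scans come down to a small amount of data handling once scanner and SIEM output is keyed by asset. The following is an added Python example written for this page; it is not code from the webcast, Harland Clarke or LockPath. The asset inventory, the scanner findings and their check names, and the SIEM alert counts are constructed, and the scoring rule (severity fraction times the annual value of the business process the asset supports, scaled up when the SIEM shows the host being probed) is an assumption chosen for illustration, not a formula the presenters gave.

```python
from dataclasses import dataclass, field
from datetime import date

# --- Constructed inputs (illustrative only, not from the webcast) -----------

# Asset inventory enriched with business information: host -> (business process
# it supports, annual value of that process in USD). Hosts absent from this
# table are the "unenriched" assets the management report asks about.
ASSETS = {
    "crm-01": ("New Account Creation", 4_000_000),
    "trade-07": ("Trading and Settlement", 25_000_000),
    "mkt-web-02": ("Targeted Marketing", 600_000),
}

# Findings as three tools would report them: (tool, host, normalized check id,
# CVSS base score, date first seen). The same weakness on the same host shows up
# from more than one tool, so a raw count over-reports.
RAW_FINDINGS = [
    ("vuln-scanner",    "crm-01",     "outdated-tls-library",      9.8, date(2017, 4, 1)),
    ("web-app-scanner", "crm-01",     "outdated-tls-library",      9.0, date(2017, 4, 20)),
    ("config-scanner",  "trade-07",   "default-admin-credentials", 7.5, date(2017, 3, 10)),
    ("vuln-scanner",    "trade-07",   "default-admin-credentials", 7.5, date(2017, 3, 12)),
    ("vuln-scanner",    "mkt-web-02", "unauthenticated-rce",       9.9, date(2017, 5, 1)),
    ("vuln-scanner",    "unknown-99", "unauthenticated-rce",       9.9, date(2017, 5, 1)),
]

# SIEM view: number of alerts in the reporting window that reference the host.
SIEM_ALERTS = {"trade-07": 3}


@dataclass
class Finding:
    host: str
    check_id: str
    cvss: float
    first_seen: date
    tools: set = field(default_factory=set)


def dedupe(raw):
    """Collapse multi-tool reports of one weakness on one host into one finding.
    Keeps the highest severity and the earliest sighting and records every tool
    that saw it, so the triage queue has one ticket per real problem."""
    merged = {}
    for tool, host, check_id, cvss, seen in raw:
        f = merged.get((host, check_id))
        if f is None:
            merged[(host, check_id)] = Finding(host, check_id, cvss, seen, {tool})
        else:
            f.cvss = max(f.cvss, cvss)
            f.first_seen = min(f.first_seen, seen)
            f.tools.add(tool)
    return list(merged.values())


def value_at_risk(f, assets, siem):
    """Assumed scoring rule: severity fraction x annual value of the supported
    process, multiplied up when the SIEM shows the host is being actively probed."""
    _, value = assets[f.host]
    exposure = 1.0 + 0.5 * siem.get(f.host, 0)
    return (f.cvss / 10.0) * value * exposure


def triage(raw, assets=ASSETS, siem=SIEM_ALERTS):
    """Return (fix-first list ranked by value at risk, findings on hosts that
    have no business context and therefore cannot be ranked yet)."""
    ranked, unenriched = [], []
    for f in dedupe(raw):
        if f.host in assets:
            ranked.append((value_at_risk(f, assets, siem), f))
        else:
            unenriched.append(f)
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return [f for _, f in ranked], unenriched


def average_open_days(findings, as_of=date(2017, 5, 11)):
    """Management metric: mean age of open findings, a patch-latency proxy.
    Default as_of is the webcast date."""
    if not findings:
        return 0.0
    return sum((as_of - f.first_seen).days for f in findings) / len(findings)


if __name__ == "__main__":
    ranked, no_context = triage(RAW_FINDINGS)
    for f in ranked:
        process, value = ASSETS[f.host]
        print(f"{f.host:11} {f.check_id:26} cvss={f.cvss:<4} {process} "
              f"(${value:,}) seen by {sorted(f.tools)}")
    print("hosts needing business enrichment:", [f.host for f in no_context])
    print("average days open:", round(average_open_days(ranked), 1))
```

Run stand-alone, the ranking puts trade-07 first even though its CVSS score is the lowest of the three: a 7.5 on the system behind a $25M trading process that the SIEM shows under active probing outweighs a 9.9 on a marketing web server. That inversion relative to a plain severity sort is the point of enriching assets with business information, and unknown-99 lands in the "needs enrichment" list instead of silently distorting the queue.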
Benefits to IT Organization
● Move from "supporting the business" to "part of the business"
● Faster and more frequent funding
● Better IT and operational risk management
> > > Compliance Management as a Competitive Advantage
Case study at a financial services organization
Compliance Management

Internal/Customer Audits
Attestations
Manual Reporting
SharePoint
Technology Security
Legal Requirements
Customer Requirements
Published Policy

Integrated Risk
Integrated Requirements
Requirements Updates
Integrated Controls
Integrated Incidents
Continuous Monitoring
Risk-based Workflow Review

Efficient, Effective Compliance Management
Problems With Manual Compliance Management
Requirement sources: Customer, State, Internal, Local, National
The Manual Process and Its Results
Poll Question - Policy Management Maturity

Reactive
• Policies addressed on a case-by-case basis

Controlled
• Policy templates exist
• Policies not complete
• Dependence on organizational knowledge

Defined
• Policies have been standardized
• Policies part of training program
• Employees tested on policy matters
• Policies stored in dedicated shared drives/shared spaces

Scalable
• Policies are monitored
• Policy effectiveness measured
• Policies tied to assets and processes
• Policies stored and accessed in GRC tools
• Attestation process formalized and in GRC platform
• Policies mapped to internal controls and frameworks

Optimized
• Policies are strategically created to minimize controls and remove control repetition
• Policies reflect strategic goals and risk register
• Policy workflows kick off review based on risk levels
• Policy management integrated with audit management and incident management
Streamline Policy Audit Management
● History of Compliance Documents
● Corporate Controls
● Incidents
● Incident Remediation/Acceptance
● Risk Management
● Technology & Security Compliance

GRC Platform Managing Compliance Requirements, Policies, Incidents, Exceptions, Risks and Related Transactions
Types of Data
Compliance Audit Work Papers
Relevant Evidence
GRC in Action
Workflow Simplifies Complexity
Audit Improvement & Simplification
Compliance Simplification
GRC for Competitive Advantage
• Decreased time spent on compliance: 90% > 5%
• Saved on pilot project: +$500,000
• Increased number of zero-finding audits
• 3 project managers moved to money-making projects
> > > IT Vendor Risk Management as Competitive Advantage
Case study at a financial services organization
Vendor Risk Management Manual Process
[Figure: manual process, capacity of 30 vendors]
Demand for Vendor Risk Management
Integral to Several Vendor Networks
Increasing Regulatory Demand
Poll Question - Vendor Risk Management Maturity

Ad Hoc
• Not managed
• Not tied to risk

Considered
• Attempt at similar management
• Random, manual assessments

Defined
• Vendors classified
• Metrics/SLAs defined and managed
• Manual assessments
• Manual process
• Limited scale due to high cost

Managed
• Vendors tied to compliance and internal controls
• Assessment tools used
• Vendor portals used for communication
• Standardized reporting
• Automation provides for scalability
• Standardized process

Optimized
• Vendor risk management is a defined principle
• Agile approach to risk management: management defined by risk level
• Outsourced processes linked to strategic goals, risks, and process requirements
• Vendor due diligence tied to process requirements
• Business Continuity (BC) plans extended to vendors
• Risk reporting and analytics
• Fourth-party risk management
GRC in Action
Workflow Simplifies Complexity
Integrated, dynamic assessments
Dedicated analytics engine
Scalable, robust risk management
Results
Limited Staff and Limited Processes
Limited and Restricted Risk Management
Saved and Expanded Business Opportunities
Increased Productivity: 650%
Effective, Efficient Third Party Risk Management
Summary
● GRC takes inputs from across the enterprise and third parties to efficiently manage areas of risk and allow the business to focus on other value-creating activities
● GRC automates messaging of risk and compliance data to stakeholders across the organization in an efficient, effective and risk-specific manner
● GRC tools remove the complexity of compliance and allow the business to focus on its core objectives
The GRC Spotlight Ecosystem
• Automate business processes
• Reduce enterprise risk
• Eliminate redundancy

GRC Spotlight Platform
GRC Spotlight Advantage

Modules:
Operational Risk Management
Compliance & Policy Management
IT Risk Management
Business Continuity Management & Planning
Audit Management
Vendor Risk Management

Platform capabilities:
Configurable Workflow
Dedicated Analytics Engine
Integrated, Dynamic Assessments
Consume Enterprise Data and KPIs
Q&A Wrap Up
Type your question in the chat panel
Presentation materials and video replay will be provided within one week.
harlandclarke.com/LinkedIn
harlandclarke.com/Twitter
www.harlandclarke.com/webcasts
HCGRC-0036-01
Kevin Malicki, Director of Product Management, Harland Clarke
Sam Abadir, Director of Product Alliances, LockPath®
Thank You