The Psychology of GRC
Matthew Chalmers, Marshfield Clinic, December 2013
Hello, My Name Is _______
• Matthew Chalmers
  – CISM, CISA, CRMA, GSNA, GCFA, CCSK, CEH, CCISO, ACE…
  – Chief Auditor-Information Technology
• Marshfield Clinic
  – 501(c)3 charity incorporated in 1916 with over 50 locations, over 80 specialties, over 700 physicians, over 7000 employees, over 400,000 patients, over $1B annual gross receipts
Agenda
• Introduction
• G
• R
• C
• Conclusion
Level Set
• This is not a primer
  • There will be a brief introduction
• This is not a how-to
  • I am not a vendor and have no product to ‘demo’
• I am not a psychologist
  • I don’t even play one on TV
• I was told there would be no math
  • Some people think my favorite function is tangent
What GRC Is
• The IIA says…
  • Governance, Risk, and Control
• Pretty much everyone else says…
  • Governance, Risk, and Compliance
What GRC Is
• Who came up with the term and when?
  • PricewaterhouseCoopers (PwC)?
  • OCEG (formerly Open Compliance and Ethics Group)?
  • Some guy named Michael Rasmussen?
What GRC Is
• A definition
  • “The ability to reliably achieve objectives while addressing uncertainty and acting with integrity”
What GRC Is
• A definition
  • “The ability to reliably achieve objectives…”
    • Governance
  • “…while addressing uncertainty…”
    • Risk (management)
  • “…and acting with integrity”
    • Compliance
What GRC Is
• Is GRC really a thing?
• Do companies do GRC?
What GRC Is
“Organizations have been doing GRC since the dawn of business. We did not need a three-letter acronym to all of a sudden do GRC. Every organization has some approach to the aspects of governance, risk management, and compliance: from the ad hoc and disorganized to the mature and aligned. GRC is part of business whether you call it GRC, something else like ERM, or you have no name for it at all. The question to consider is how mature is your organization’s GRC practices.”
--Michael Rasmussen, GRC 20/20
GOVERNANCE
• Who
• What
• When
• Where
• Why
• How
• Bonus: To What Extent
What Governance Is
• The dictionary says…
  • “The way that a city, company, etc., is controlled by the people who run it” (Merriam-Webster)
  • “The way that organizations or countries are managed at the highest level, and the systems for doing this” (Cambridge)
What Governance Is
• The ITGI says…
  • “Governance includes the elements required to provide senior management assurance that its direction and intent are reflected in the…organization by utilizing a structured approach.”
What Governance Is
• Much less formally…
  • Governance is the process of governing processes
What Governance Is
• Is governance really a thing?
• Do companies do governance?
What Governance Is
• Corporate governance is a lot like government:
  • The people elect representatives
  • Who direct appointed/hired managers
  • To implement processes compliant with policy set by representatives
  • Which themselves should reflect the “direction and intent” of the people
What Governance Is
• In public companies:
  • Shareholders elect board members
  • Who appoint/hire managers
  • To implement processes compliant with policy set by the board
  • Which should reflect the “direction and intent” of the shareholders
What Governance Is
• Your organization IS doing governance
  • It is not always apparent, or formalized
  • It is done slightly differently everywhere
  • It is not any more or less important due to the size of the organization
  • But it may be more or less complex
How Governance Is Done
• There are standardized frameworks and methodologies for general governance, however…
  • They are purposely high-level or vague
  • There is a lot of variation from organization to organization
  • Organizations and their needs change over time
How Governance Is Done
• Some example frameworks/methodologies:
  • COSO? Not really…
How Governance Is Done
• Some example frameworks/methodologies:
  • Principles of Corporate Governance
    • Organization for Economic Cooperation and Development (OECD)
    • Not to be confused with the Open Compliance and Ethics Group (OCEG)
  • Key Agreed Principles
    • National Association of Corporate Directors (NACD)
How Governance Is Done
• Too philosophical?
• Too nebulous?
How Governance Is Done
• Some example frameworks/methodologies
  • For information technology:
    • COBIT 5 (ISACA)
  • For information security:
    • ISO 27014: Governance of Information Security (International Organization for Standardization)
• Lower-level and more concrete but not general-purpose
Back To What Governance Is
• Governance is not technical
• Governance is not internal control
• Governance is not really even management
• This way of thinking can lead to over-control… inefficiency… even attrition
How Governance Is Done
• Organization of the organization is part of the organization’s governance
• How did the organization of your organization get organized the way it is today?
How Governance Is Done
• Articles of incorporation
• Bylaws
• Charters
• Resolutions
• Policies
How Governance Is Done
• Owners
• Partners
• Shareholders
• Board(s)
• Officers
• Executives
• Managers
• Committees
Organizational Example
[Org chart slides, boxes only: Audit Committee, Board of Directors, CEO, CFO, CAE. Successive builds rearrange the CFO and CAE boxes. Captions: “Does this look familiar?”, then “Does this look any better?”]
Organizational Example
[Org chart slides, boxes only: InfoSec Mgmt Committee, Board of Directors, CEO, CIO, CSO; an Audit Committee box is added in later builds. Captions: “Does this look familiar?”, then “Does this look any better?”]
How Governance Is Done
• The audit committee is typically in the bylaws
• Where do other committees, councils, etc. get their authority?
  • Is the authority documented or implied?
• Where do officers, managers, etc. get their authority?
How Governance Is Done
• Policies help doers know the extent of their authority
• Policies help governors know the scope of doers’ responsibility
• Doers should not have to ask permission to do something that fits under policy
• Governors should not feel compelled to approve something that fits under policy
How Governance Is Done
• Depending on company culture…
  • A doer might be given the “creative latitude” to implement using his/her judgement
  • A doer might struggle to implement using his/her judgement because there is no policy giving the authority, and “governing bodies” or senior managers may disapprove, be slow to approve, require consensus, etc.
• This can apply both to implementing processes and to establishing policy, depending on who the doer is
How Governance Is Done
• What is one to do then? It depends…
  • Organizations are run by people; people are subject to perception and influence
  • Know yourself, find ways to play to your strengths
  • Know others, find ways to play to their strengths
    • Manage up
  • Know the organization, find ways to play to its strengths
    • If you can’t beat ’em, join ’em
How Governance Is Done
• Does this sound like playing politics?
• Does this sound like social engineering?
• Does this sound like The Art of War?
  • “Know yourself and know your enemy…”
How Governance Is Done
• The principles are the same whether your perspective is from the bottom or the top
• Those at the top:
  • Are influential by virtue of their position even if not intrinsically
  • Are concerned with creative rule-benders
  • Ask “why”
• Those at the bottom:
  • Must find a way to be intrinsically influential, despite position
  • Are concerned about status quo
  • Ask “why not”
How Governance Is Done
• Those who “do” G, R, C, or some combination are often in the middle
• It is rare for governance to be someone’s responsibility
  • E.g., Vice President of Governance, Chief Governance Officer
• Governance is more conceptual than operational
  • The framework typically pre-dates every employee and changes very little, over very long periods
• There are pockets of specialized governance
  • Project governance
  • IT governance
How Governance Is Done
• It is more common for someone to be assigned the responsibility of maintaining policies
  • Unfortunately not always a prestigious job
  • Can be done without any specialized tools; however, with the right tool(s) it can be almost completely automated
  • All your policy are belong to us
RISK
• Who
• What
• When
• Where
• Why
• How
• Bonus: To What Extent
What Risk Management Is
• The dictionary says:
  • “The activity of calculating and reducing risk, so that an organization does not fail or lose money” (Cambridge)
  • “The forecasting and evaluation of financial risks together with the identification of procedures to avoid or minimize their impact” (Oxford)
What Risk Management Is
• The RIMS says:
  • “A management discipline, the goal of which is to protect the assets and profits of an organization by reducing the potential for loss before it occurs, and financing, through insurance and other means, potential exposures to catastrophic loss.”
What Risk Management Is
• The RIMS says:
  • “The process consists of logical steps: risk or exposure identification; measurement and evaluation of exposures identified; control of those exposures through elimination and/or reduction; and financing the remaining exposures so that the organization, in the event of a major loss, can continue to function without severe hardship to its financial stability.”
What Risk Management Is
• Is risk management really a thing?
• Do companies do risk management?
What Risk Management Is
• Your organization IS doing risk management
  • It is not always apparent, or formalized
  • It is done slightly differently everywhere
  • It is not any more or less important due to the size of the organization
  • But it may be more or less complex
How Risk Mgmt Is Done
• There are standardized frameworks and methodologies for risk management, however…
  • They are purposely high-level or vague
  • There is a lot of variation from organization to organization
  • Organizations and their needs change over time
• OR… They are highly specialized
  • E.g. for insurance or investment
How Risk Mgmt Is Done
• Some example frameworks/methodologies:
  • COSO? Yes!
How Risk Mgmt Is Done
• Some example frameworks/methodologies:
  • Enterprise Risk Management – Integrated Framework
    • Committee Of Sponsoring Organizations (COSO)
  • ISO 31000: Risk Management Principles & Guidelines
    • International Organization for Standardization
How Risk Mgmt Is Done
• Too philosophical?
• Too nebulous?
How Risk Mgmt Is Done
• Some example frameworks/methodologies:
  • For information technology:
    • COBIT 5 (ISACA)
  • For information security:
    • SP 800-39: Managing Information Security Risk (National Institute of Standards and Technology)
Back To What Risk Mgmt Is
• Risk management is not technical
• Risk management is not internal control
• Risk management is not really even management
• Wait…what?
• Okay, it is really management
  • But do not confuse risk analysis/assessment with risk management
Back To What Risk Mgmt Is
• Some other confusing terms and processes:
  • Threat analysis/assessment/modeling
  • Business impact analysis (BIA)
  • Business continuity planning (BCP)
  • Disaster recovery planning (DRP)
How Risk Mgmt Is Done
• While (E)RM is arguably more concrete and focused than GRC, not all companies do it
  • Even some companies with a CRO are only focused on managing liability and insurance
• Risk management is more often stovepiped
  • IT risk, M&A risk, investment risk…
• Even within stovepipes it’s not always holistic
  • E.g. IT risk doesn’t always consider opportunity risk, or weigh risk vs. reward
How Risk Mgmt Is Done
• It is not black and white, or an exact science
  • Risk management is done by people; people are subject to perception and influence
• To reiterate:
  • Know yourself, find ways to play to your strengths
  • Know others, find ways to play to their strengths
    • Manage up
  • Know the organization, find ways to play to its strengths
    • If you can’t beat ’em, join ’em
How Risk Mgmt Is Done
• The principles are the same whether your perspective is from the bottom or the top
• Those at the top:
  • Are influential by virtue of their position even if not intrinsically
  • Are concerned with creative rule-benders
  • Ask “why”
• Those at the bottom:
  • Must find a way to be intrinsically influential, despite position
  • Are concerned about status quo
  • Ask “why not”
COMPLIANCE
• Who
• What
• When
• Where
• Why
• How
• Bonus: To What Extent
What Compliance Is
• The dictionary says:
  • “Obeying an order, rule, or request; obeying a particular law or rule, or…acting according to an agreement” (Cambridge)
  • “Conformity in fulfilling official requirements” (Merriam-Webster)
  • “Excessive acquiescence” (Oxford)
What Compliance Is
• The professional association says:
  • <crickets>
What Compliance Is
• Is compliance really a thing?
• Do companies do compliance?
What Compliance Is
• Your organization IS doing compliance
  • It is not always apparent, or formalized
  • It is done slightly differently everywhere
  • It is not any more or less important due to the size of the organization
  • But it may be more or less complex
How Compliance Is Done
• Are there standardized frameworks and methodologies for compliance?
Back To What Compliance Is
• It may or may not be technical
• It may or may not be internal control
• It may or may not be management
How Compliance Is Done
• Often stovepiped
  • Legal compliance, contract compliance, regulatory compliance, financial compliance, industry compliance…
How Compliance Is Done
• It may seem black and white, but much is still subject to interpretation
• Compliance is (or can be seen as) part of risk management
• It can be just as expensive to comply as not to comply
Conclusion
• “A person is smart. People are dumb, panicky, dangerous animals…” (Men In Black, 1997)
• “It’s wind, man. It blows all over the place.” (The Weather Man, 2005)
• “All I want is compliance with my wishes, after reasonable discussion.” (Winston Churchill)
Questions?
Matthew [email protected]
Thank you!
Matthew [email protected]
References
• Brotby, W. K. (2008). Information security governance: Guidance for information security managers. Rolling Meadows, IL: IT Governance Institute.
• Buckingham, M. & Clifton, D. (2001). Now, discover your strengths. New York, NY: The Free Press.
• Buckingham, M. & Coffman, C. (1999). First, break all the rules: What the world’s greatest managers do differently. New York, NY: Simon & Schuster.
• Davies, T. (2008). Governance risk and compliance (GRC): The great risk con. Risk Management Magazine, 2008.
• Gelbstein, E. (2012). Strengthening information security governance. ISACA Journal, 2012(2), 25-30.
• Institute of Internal Auditors. (2010). What GRC could mean to your organization. Tone at the Top, 2010(48), 1-3.
• Jones, E. & Mendenhall, A. (n.d.). Do directors have an oversight responsibility for workplace culture? [n.p.]: Littler Mendelson.
• Marks, N. (2010). The Institute of Internal Auditors' Tone at the Top defines GRC and gets it right. Retrieved from Institute of Internal Auditors web site.
• Marks, N. (2010). What is the best framework for governance? Retrieved from Institute of Internal Auditors web site.
• Marks, N. (2013). Is it time to call the term “GRC” dead? Retrieved from Norman Marks on Governance, Risk Management, and Audit web site.
• Miles, R. (2013). Catching moonbeams: The quest to stop the creative rule-breakers. [n.p.]: Thomson Reuters Accelus.
• Mitchell, R. (2010). The crucial difference between governance and management [PDF document]. Retrieved from University of San Diego web site.
• National Association of Corporate Directors. Key agreed principles to strengthen corporate governance for U.S. publicly traded companies. Washington, DC: Author.
• Organisation for Economic Co-operation and Development. OECD principles of corporate governance. Paris, France: Author.
• Pareek, M. (2011). Technology risk measurement and reporting. ISACA Journal, 2011(6), 26-31.
• Proctor, P. (2013). Why I hate the term GRC. Retrieved from Gartner web site.
• Rasmussen, M. (2010). Why GRC & what is it? Retrieved from GRC 20/20 web site.
• Rasmussen, M. (2013). GRC 3.0: A history of GRC. Retrieved from GRC 20/20 web site.
• Strikwerda, H. (2005). Growth, governance and organisation: On power strategy and modular organisation. In H. Strikwerda (Ed.), Annual 2005: Growth, governance and organisation (pp. 24-25). Zeist, The Netherlands: Nolan, Norton & Co.
• Tomhave, B. (2012). The absurdity that is EGRC. Retrieved from The Falcon’s View web site.
• Wilkins, B. R. (2013). Compliance vs. security. @ISACA, 2013(20), 5-6.
Resources
• https://www.linkedin.com/in/mdchalmers
• https://www.marshfieldclinic.org/
• http://www.mchealthis.com/
• https://www.securityhealth.org/
• https://na.theiia.org/Pages/IIAHome.aspx
• https://www.isaca.org/Pages/default.aspx
• http://www.itgi.org/
• http://www.rims.org/Pages/Default.aspx
• http://www.oceg.org/
• http://www.oecd.org/
• http://www.nacdonline.org/
• http://www.coso.org/
• http://www.iso.org/iso/home.html
• http://www.nist.gov/
• http://suntzusaid.com/
• http://www.allyourbasearebelongtous.com/