GRC - Governance, Risk Management, and Compliance

Governance, Risk Management, and Compliance
Governance: the combination of processes established and executed by the Board of Directors (BOD), and how the organization is managed and led towards achieving its goals.
Risk management: identifying, analysing and managing the risks that could hinder the organization from achieving its objectives.
Compliance: conforming to the company's policies and procedures, and to applicable laws and regulations.
GOVERNANCE
The system of rules, practices and processes by which a company is directed and controlled. It involves balancing the interests of a company's many stakeholders and provides the framework for attaining the company's objectives, covering everything from action plans and internal controls to performance measurement and corporate disclosure.
Governance Principles
Rights and equitable treatment of shareholders
Interests of other stakeholders
Roles and responsibilities of the board
Integrity and ethical behaviour
Disclosure and transparency
RISK MANAGEMENT
Identify, assess, prioritize, control, exploit, finance and monitor risks.
Coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events.
Eliminates uncertainties.

RISK MANAGEMENT vs GOVERNANCE
Are they the same?
RISK TYPES
Hazard risk: liability torts, property damage, natural catastrophe.
Financial risk: asset risk, currency risk, liquidity risk.
Operational risk: customer satisfaction, product failure, integrity, reputational risk, knowledge drain.
Strategic risk: competition, social trends, capital availability.
RISK MANAGEMENT PROCESS
Establishing context
Identifying risks
Analysing/quantifying risks
Integrating risks
Assessing/prioritizing risks
Treating/exploiting risks
Monitoring and reviewing
COMPLIANCE
Conforming to a rule, such as a specification, policy, standard or law.
Compliance audit: a review of an organization's adherence to regulatory guidelines. The organization must be able to demonstrate compliance by producing an audit trail. Auditors review security policies, user access controls and risk management procedures; CIOs, CTOs and IT administrators answer a series of pointed questions over the course of an audit. Event log managers and robust change management software allow the tracking and documentation of authentication and controls in IT systems.
Some prominent regulations and standards:
Sarbanes-Oxley Act (SOX) of 2002: protects shareholders and the general public from accounting errors and fraudulent practices in the enterprise.
CAN-SPAM Act of 2003: requires businesses to label commercial emails as advertising, use legitimate return email addresses, and provide recipients with an opt-out.
Payment Card Industry Data Security Standard (PCI DSS): created in 2004 by Visa, MasterCard, Discover and American Express to ensure the security of credit, debit and cash card transactions.
Information Security Management System (ISMS, ISO 27001): design, implement and maintain a coherent set of policies, processes and systems to manage risks to information assets.
COBIT (Control Objectives for Information and Related Technology)
Created by ISACA (Information Systems Audit and Control Association).
Bridges the gap between control requirements, technical issues and business risks.
Gives a more comprehensive definition of roles and responsibilities.
Principles
ENABLERS
Governance vs Management
Governance: EDM (Evaluate, Direct and Monitor)
Management: PBRM (Plan, Build, Run, Monitor)
Other standards
Risk management standards:
ISO/IEC 27005: Information security risk management
ISO 31000
NIST SP 800-30
Risk IT by ISACA

NIST SP 800-30