
IT Risk Management System for the CRO

Solution Talk Book
November 2013
© 2013 KPMG Services Pty Ltd, a South African company and a member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative, a Swiss entity. KPMG International provides no client
services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third
parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
FOR INTERNAL USE ONLY

Our clients need help both in understanding and managing IT Risk

IT risk has matured from a specialist element of operational risk management to a recognized and priority strategic risk:
- 38% of organisations' defined top risks relate to Information Technology
- 55% have difficulty in dealing with IT risk
- 57% note that the pace of change in IT has increased their overall risks

* Identified by KPMG in co-operation with the Economist Intelligence Unit between 2005 and 2013

IT risk is an executive-level concern that should be a priority in the global market, but one which our clients are ill-prepared to manage

Yet effective IT risk management remains a key and growing challenge for our clients:
- 40% of risk managers rate their understanding of IT risks as moderate or poor
- 42% cite poor communication between the IT and risk functions as a significant difficulty in managing IT risk
- 66% of C-levels are dissatisfied with risk management around IT Systems

A gap exists in the market for helping clients set up and optimise their IT Risk Management systems

Risk Management Information Systems are outside of the reach of many of our clients:
- 36% of organisations find implementation complexity of available solutions a key barrier
- Typical GRC implementations cost organisations between $200,000 and $600,000 (including software, hardware, and implementation services).

Over 70 percent of clients expect to increase their spending on risk management technology over the next three years (from a 2012 Deloitte survey)

The only other actor in this space (outside of GRC solution vendors) is Deloitte, already a partner with IBM in implementing their GRC platform OpenPages.

Forrester research shows a lack of available mature and fit-for-purpose IT Risk Management solutions: only 47% of needs met.

KPMG has an established relationship with BWise, a leading GRC platform, and has the necessary skills and expertise.

KPMG can offer our clients an IT Risk Management system that can scale with the organisation

Client benefits include:
- efficiency benefits
  - faster report aggregation
  - decreased audit costs
  - faster time to remediate control deficiencies
- strategic performance benefits
  - better strategic decisions using risk and compliance information

The proposed solution will leverage existing knowledge and systems to provide clients with the immediate benefit of visibility over the key Operational and Strategic Risk elements of IT

- IT Risk Framework: Charter, TOR, Policy; Gap analysis
- IT Risk Universe: Facilitated definition; Industry benchmark; Emerging risks
- IT Risk Control Catalogue: Risk-appetite linked; Combined assurance plan
- Risk and Control Indicator Analytics: Indicator identification; Analytics services; Benchmarking
- Risk-based Decision Support: Loss data aggregation; Risk trend reporting
- Board Risk Reporting Services: Report templates; Content vetting; Training

Enhancing KPMG's services and business

- Integrates a number of disparate services and offerings into a single, client-focused offering, re-uses existing technology and skills
- Leverages a low-cost Centre of Excellence Software-as-a-Service model
- Is ideally suited to Africa, but has Global applicability
- Creates avenues to leverage our BWise partnership
- Provides a platform to integrate with other service lines
  - FRM Enterprise Risk Framework
  - Forensics use of CA/CM

Cost of development: $100,000
Potential client take-up: 25% of advisory clients ~ 7 anchor clients
Projected Fees:
- Risk Framework: $9,000 setup
- Risk Universe: $8,000 setup
- Control Catalogue: $10,000 setup
- Indicator Analytics: $12,000 setup, $2,000 p/a
- Decision Support: $5,000 setup, $1,000 p/a
- Board Reporting: $4,000 setup, $1,000 p/a
Payback Period: 100% @ 7 anchor clients

Thank you
Presentation by Robb Anderson

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

© 2013 KPMG Services Pty Ltd, a South African company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.

The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.
