The Critical Links Between

Business Performance and

Governance, Risk & Compliance

Jeffrey Wheatman

© 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in
any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on
gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner di sclaims all warranties as to the accuracy, completeness
or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research
organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a
discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its
shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these
firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information
on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."
 GRC Is Wasteland

#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Key Issues

1. What is GRC and why is it important

for enterprise architects?
2. How does GRC deliver targeted
business outcomes?
3. How should EA teams approach integrating
GRC in enterprise architecture?

#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
GRC — From Platform
to Architecture

#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Definition of GRC
• Governance: The process through
GRC is an integrated which policies and decision rights
program that enables are set, maintained, and effectively
the assessment, communicated.
monitoring, and • Risk management: The process
reporting of risks for ensuring that important business
and controls in support processes and behaviors remain within
acceptable tolerances, going beyond
of decision making, which creates an unacceptable level
business performance, of uncertainty to strategic objectives.
and adherence to • Compliance: The process of adherence
regulations, policies, to policies and decisions through related
and other mandates controls. Policies can be derived
and agreements. from internal directives, procedures,
and requirements, or external laws,
regulations, standards, and contractual
agreements.
#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
 Enterprise GRC Platform Use Cases
Enterprise GRC Platform Use Cases
Enterprise and Operational Risk Management 61%
Audit Management 53%
IT Risk Management 34%
Case or Incident Management 32%
Policy Management 30%
Integrated Performance and Risk… 29%
SOX Compliance (and similar regs. globally) 28%
Anti-bribery, -fraud, -corruption Compliance 24%
Third-party Risk Management 22%
Financial Services Regulations Compliance 22%
Business Continuity 18%
Project Risk Management 17%
Regulatory Change Management 17%
EHS and Sustainability 16%
Privacy Compliance 16%
0% 10% 20% 30% 40% 50% 60% 70%
Source: Gartner Enterprise GRC Platform Reference Survey — July 2013

#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
GRC Reference Architecture Principles

GRC

Accountability
Effectiveness

Consistency
Simplicity

Alignment
Never more Assign the Link to business Define and Tolerance and
controls than required people requirements and risks. balance risk appetite
required. for operational roles and will guide
support. Controls related to responsibilities.
risks and mandates. policy.
Least-invasive
approach. Use what Policies and controls Someone A single
we have if — enforceable, accountable for version of
Use it works. measurable, audible, the truth.
standardized any policy or
transparent, reportable control.
methods. Don't be and relevant.
hamstrung by
sunk costs. Best practices assessed Someone will
#GartnerSYM for relevance. own any risk.
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Digital Business Requires Integrating
Big Data Into GRC
Increase in types of data
(e.g., transactions, security
intelligence, email, social,
images, video, voice)
Quickening speed of data
(e.g., social risks,
continuous controls monitoring,
high frequency trading)
Growing quantity of data
(e.g., risk oversight, regulatory
compliance, discovery, social
compliance, third-party risk
monitoring, OT monitoring,
behavioral)
#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Making better
informed decisions
(e.g., risk data for strategic
planning, risk informed
decisions)
Optimizing business
performance
(e.g., reputational risk
mgmt., risk-adjusted
performance,
anti-bribery, anti-fraud)
Discovering hidden
insights
(e.g., early identification
of emerging risks, discover
causal linkages between
KPIs and KRIs)
Enabling Advanced Analytics in the GRC
Reference Technology Architecture
Business Intelligence/Performance Integrated
Performance and
Management Integration Risk Management
GRC Management Dashboards
and Reporting
Audit Management
Risk Versus
Controls Analysis
Risk Management

Application
Integration
Policy Versus
Controls Analysis
Compliance and Policy Management
Continuous
Controls Monitoring
(Business Rules)
Regulatory Change Management
Complex-event
Processing

Process Controls System

Social Analytics
#GartnerSYM
Access Transaction Behavioral
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Getting to
Business
Outcomes

#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Governance Has Four "Faces,"
Each Linked to Business Outcomes

Decision
Rights

Strategy for
Risk
Investment Business Management
Outcomes

Compliance
#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Innovation, Disruption — What Is It That
You Really Want to Do?

U.S. Holland and Russian battleship Retvizan entering the New York Navy Yard dry dock
http://pigboats.com/subs/holland.html

#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Risk Management 101 —
No. of Surfacings = No. of Dives

The Hunley — Charleston Harbor

Photograph: Friends of the Hunley

#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Risk Management Priorities
and Business Priorities Are the Same

A Seawolf class nuclear submarine returns to port with a broom lashed to the
bridge, indicating a "clean sweep" — that is "mission fully accomplished"
#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Risk-adjusted Value Management

Performance Performance Performance Performance

Indicators Indicators Indicators Indicators

Value Value Value

Added Added Added

Risk Risk Risk

Indicators Indicators Indicators

Order Trucks Package Package

Received Dispatched Pick-up Delivered

Value Chain Example

(Michael Porter)

Putting Performance and Risk Metrics

Together Creates a Value Model
#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Gartner Business Risk Model (KRI)
Business Business
Leading Risk Indicators
Aspect Outcomes
Market
Channel Costs Marketing Online Reputation Transparency
Responsiveness
Sales
Demand Lost Sales Forecast Inaccuracy Lost Customers
Effectiveness
Management
Product
Development Product Management R&D Failure Aging Products
Effectiveness
Service Performance Privacy Returns Material Quality Late Delivery
Customer
Responsiveness Agreement Customer Care
Order Fill Failures Service Inaccuracy
Effectiveness Failure
Supply Supplier Supply Chain Vendor Risk Supplier Agreement Supplier Service
Enterprise Sourcing
Management Effectiveness Planning Management Effectiveness Performance
Risk Management Strategic Planning Internal Controls Quality Management
Operational
Efficiency Business Continuity Facilities
Asset Management Manufacturing
Management Management
Human
Identity and Access
Resources IT Workforce Skills Inventory Training
Management
Responsiveness
Infrastructure and Service-level
Information Applications Information Security IT Investment
Operations Effectiveness
Technology
Support Responsiveness Project and Portfolio
Services Change Management Cloud Availability Internal Audit (IT)
Management
Environmental, Internal Audit Records
Compliance E-discovery
Finance and Health and Safety (Finance) Management
Regulatory
Governance Insurance Ethics Financial Integrity
Responsiveness
Legal Liquidity Policies Sustainability

#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Manufacturing — Lost Cars

System Production Operations

Downtime — Line — KRI Impact — KPI
KRI/ LPI

Systems Revenue
Supporting the
Lost Inventory
Production Impact
Manufacturing Quotas
Line

Leading Leading Leading Miss

Indicator Indicator Indicator
That … That … That … the
Quarter

A car rolls off the line every 90 seconds.

One hour of line stoppage due to IT is 40 "lost" cars.
IT reports lost inventory, not IT downtime.
#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Financial Services — Trading Ops.
IT Trading Desk Treasury
Key Risk Settlement Negative
Indicator — Errors Increase Impact KPI
LPI — KRI

Confirmation Business Process Uncertainty to Liquidity Risk

Services Slowdown Actual Exposure
Automation to Individual
Delay Order Backlog Counterparties

Leading Leading Leading Liquidity

Indicator Indicator Indicator Problem in
That … That … That … the Event of
Severe
Stress Event

Addressing IT dependencies in trading operations

provides confidence in the process and a context
that non-IT parts of the business care about.
#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Integrating GRC

#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Inflection Point of Business Value

Business
Value of
GRC

Risk Management +
Compliance
-

#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
ERM/GRC Blueprint

Enterprise Risk Management

Governance Risk Compliance

Finance

Information Technology

Operations

Legal

Business Operations Management

#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
10 A's of Successful Risk Management
& Compliance

Enterprise Risk Management

Appetite Aggregation Assessment Analytics

Governance, Risk and Compliance

Applications Architecture Assurance

Business Operations Management

Accountability Action Achievement

#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Applications and Architecture
Applications

• What technology is required to enable collaboration and

communication of risk and compliance related information
to support business performance and decision making?
• What technology enables automation of risk management
and compliance processes and reporting?
• What technology enables automation of controls and risk
monitoring?

Architecture

• Are risk management and compliance projects and initiatives

aligned with governance objectives?
• How are GRC applications, automated and manual controls,
risk monitoring, and risk and compliance reporting
incorporated into enterprise architecture?
• How does the GRC program contribute to targeted business
outcomes?
#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Recommendations
 GRC professionals need your help. Collaborate with
them to develop a GRC architecture that supports
both regulatory mandates and business value.
 Use the ERM/GRC Blueprint to integrate GRC
requirements, principles and capabilities into EA
guidance and deliverables.
 For each new business initiative assess how GRC
principles and technology can be incorporated into
EA deliverables in order maximize risk-adjusted
value of the business outcomes.

#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Action Plan for Enterprise Architects
Monday Morning:
- Evaluate current risk management and compliance program
against the ERM/GRC Blueprint.
- Develop list of key stakeholders and program areas to include
in integration effort.
Next 90 Days:
- Identify gaps and/or integration opportunities using the 10 A's.
- Engage board members, senior management and business
operations management to answer key questions.
Next 12 Months:
- Define ERM framework and GRC infrastructure
build requirements.
- Begin ERM/GRC integration effort.
#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Recommended Gartner Research
 Introducing the ERM/GRC Blueprint for a Successful
Risk Management and Compliance Program
John A. Wheeler, French Caldwell (G00247205)
 Gartner Defines 'Governance'
Julie Short, Tina Nunno, French Caldwell (G00237914)
 Using Risk-Adjusted Value Management to Close the
Strategy Gap and Gain Competitive Advantage
Michael Smith, Paul E. Proctor (G00225727)
 Case Study: How ING's Intermediary Division Links IT
Performance to Business Strategy
Michael Smith (G00155406)
 Highlights of 2013 Gartner IT Risk Managers Survey
Reveal Less Maturity and Missed Business Priorities
French Caldwell (G00259661)
For more information, stop by Gartner Research Zone.
#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.