Jeffrey Wheatman
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in
any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on
gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness
or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research
organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a
discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its
shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these
firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information
on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."
GRC Is Wasteland
#GartnerSYM
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Key Issues
GRC — From Platform to Architecture
Definition of GRC
GRC is an integrated program that enables the assessment, monitoring, and reporting of risks and controls in support of decision making, business performance, and adherence to regulations, policies, and other mandates and agreements.
• Governance: The process through which policies and decision rights are set, maintained, and effectively communicated.
• Risk management: The process for ensuring that important business processes and behaviors remain within acceptable tolerances, going beyond which creates an unacceptable level of uncertainty to strategic objectives.
• Compliance: The process of adherence to policies and decisions through related controls. Policies can be derived from internal directives, procedures, and requirements, or external laws, regulations, standards, and contractual agreements.
Enterprise GRC Platform Use Cases (share of survey respondents)
Enterprise and Operational Risk Management 61%
Audit Management 53%
IT Risk Management 34%
Case or Incident Management 32%
Policy Management 30%
Integrated Performance and Risk… 29%
SOX Compliance (and similar regs. globally) 28%
Anti-bribery, -fraud, -corruption Compliance 24%
Third-party Risk Management 22%
Financial Services Regulations Compliance 22%
Business Continuity 18%
Project Risk Management 17%
Regulatory Change Management 17%
EHS and Sustainability 16%
Privacy Compliance 16%
Source: Gartner Enterprise GRC Platform Reference Survey — July 2013
GRC Reference Architecture Principles
Five principles surround GRC in the slide's diagram: Accountability, Effectiveness, Consistency, Simplicity, Alignment.
Supporting statements arranged around them:
• Never more controls than required.
• Assign the required people for operational support.
• Link to business requirements and risks. Controls related to risks and mandates.
• Define and balance roles and responsibilities.
• Tolerance and risk appetite will guide policy.
• Least-invasive approach. Use what we have if it works. Don't be hamstrung by sunk costs.
• Use standardized methods.
• Policies and controls — enforceable, measurable, auditable, transparent, reportable and relevant.
• Best practices assessed for relevance.
• Someone accountable for any policy or control.
• Someone will own any risk.
• A single version of the truth.
Digital Business Requires Integrating Big Data Into GRC
[Diagram] Increase in types of data (e.g., transactions, security intelligence, email, social, images, video, voice); making better informed decisions (e.g., risk data for strategic planning, risk informed decisions).
Components shown:
• Application Integration
• Policy Versus Controls Analysis
• Compliance and Policy Management
• Continuous Controls Monitoring (Business Rules)
• Regulatory Change Management
• Complex-event Processing
Governance Has Four "Faces," Each Linked to Business Outcomes
[Diagram: the four faces (Decision Rights, Strategy for Investment, Risk Management, Compliance) surround Business Outcomes]
Innovation, Disruption — What Is It That You Really Want to Do?
U.S. Holland and Russian battleship Retvizan entering the New York Navy Yard dry dock
http://pigboats.com/subs/holland.html
Risk Management 101 — No. of Surfacings = No. of Dives
Risk Management Priorities and Business Priorities Are the Same
A Seawolf class nuclear submarine returns to port with a broom lashed to the bridge, indicating a "clean sweep" — that is, "mission fully accomplished."
Risk-adjusted Value Management
Manufacturing
[Diagram labels: Systems Supporting the Production Line; Manufacturing; Lost Cars; Revenue; Lost Inventory; Impact; Quotas]
Inflection Point of Business Value
[Chart: Business Value of GRC on the vertical axis, from - to +, with Risk Management and Compliance plotted]
ERM/GRC Blueprint
[Diagram labels: Information Technology; Operations; Legal]
10 A's of Successful Risk Management & Compliance
Applications and Architecture
[Diagram labels: Applications; Architecture]
Action Plan for Enterprise Architects
Monday Morning:
- Evaluate current risk management and compliance program against the ERM/GRC Blueprint.
- Develop list of key stakeholders and program areas to include in integration effort.
Next 90 Days:
- Identify gaps and/or integration opportunities using the 10 A's.
- Engage board members, senior management and business operations management to answer key questions.
Next 12 Months:
- Define ERM framework and GRC infrastructure build requirements.
- Begin ERM/GRC integration effort.
Recommended Gartner Research
- "Introducing the ERM/GRC Blueprint for a Successful Risk Management and Compliance Program," John A. Wheeler, French Caldwell (G00247205)
- "Gartner Defines 'Governance'," Julie Short, Tina Nunno, French Caldwell (G00237914)
- "Using Risk-Adjusted Value Management to Close the Strategy Gap and Gain Competitive Advantage," Michael Smith, Paul E. Proctor (G00225727)
- "Case Study: How ING's Intermediary Division Links IT Performance to Business Strategy," Michael Smith (G00155406)
- "Highlights of 2013 Gartner IT Risk Managers Survey Reveal Less Maturity and Missed Business Priorities," French Caldwell (G00259661)
For more information, stop by Gartner Research Zone.