DRIVING PRINCIPLED PERFORMANCE ®
GRC Capability Model “Red Book” 2.0 April, 2009
OCEG Basic Member Edition
GRC Capability Model™ Open Compliance & Ethics Group (OCEG)
Basic Member Edition (does not include Appendix C)

OCEG Premium and Enterprise members may use the links to Technology Arenas and Modules in the online version of the Model (located within each Element) to access Appendix A of the GRC-IT Blueprint™, which identifies and defines types of technologies that enable the GRC system. The Technology Arenas and Modules in the Model represent a bridge between the GRC professional and the IT professional. GRC professionals can use the Technology Arenas and Modules as a basis for discussing technology options with their IT counterparts. Enterprise member IT professionals can use the Technology Arenas and Modules as a bridge from the Model into the GRC Blueprint™.

While the downloadable version of the Model available to all OCEG members provides high-level guidance on which Technology Arenas and Modules support each Element of the Model, the GRC-IT Blueprint™ provides the definitions of these Arenas and Modules as well as a visual representation of how they relate to each other. The GRC-IT Blueprint™ is also available as a downloadable stand-alone document.

To sign up: For OCEG Premium Membership go to: https://www.oceg.org/subscribe/PremiumUpgrade
For OCEG Enterprise Membership contact
[email protected]
LICENSED TO CDUCU ON TUESDAY, APRIL 28, 2009. SINGLE USER LICENSE GRANTED.
The continuing work of OCEG is made possible in part by the generosity of the following organizations. Please join us in thanking these leading organizations and their representatives: Leadership Council / Charter Members.
GRC Capability Model™ Version 2.0

Principal Authors:
Scott L. Mitchell, OCEG Chairman and CEO
Carole Stern Switzer, Esq., OCEG President
© Copyright 2006-2009 Open Compliance & Ethics Group. All rights reserved. This document contains copyrighted information and remains the property of Open Compliance & Ethics Group. Unauthorized duplication or electronic transmission is strictly prohibited. OCEG is a registered trademark of the Open Compliance & Ethics Group.
LEGAL NOTICE

This is NOT Legal or Professional Advice. This Document, including its appendices, is provided for general information purposes only. The application of law to individual circumstances must be addressed for each unique situation. In preparing and providing this document, neither OCEG nor any of its Contributors are engaged in rendering legal, tax or any other professional advice or services. OCEG and its Contributors do not purport to identify all conceivable compliance requirements or recommended controls. It is the responsibility of each organization to understand which legal, accounting and other compliance requirements apply to its activities. Users of this document are advised to seek specific legal advice by contacting members of relevant and applicable bar associations regarding any specific legal issues. Using the document or any part herein does not create a lawyer-client relationship or any other type of professional relationship. While OCEG and its Contributors attempt to provide accurate, complete and up-to-date content, errors or omissions may occur. This document is offered AS IS, WHERE IS. Neither OCEG nor any Contributor makes any representations or warranties regarding the completeness, accuracy or timeliness of the contents, and each disclaims all implied warranties (including merchantability, fitness for a particular purpose and non-infringement) and all liability for any loss, damage or claim, whether due to an error or omission or otherwise.
To the fullest extent permitted by applicable law, neither OCEG nor the Contributors (including their officers, directors, partners and employees, and their affiliates, related entities and successors and assigns) warrant or guarantee the quality, accuracy or completeness of any information on this document. Neither OCEG nor its Contributors shall be liable for any damages or costs, including any direct, consequential, incidental, indirect, punitive or special damages (including loss of profits, data, business or good will) in connection with use of this product, whether or not liability is based on breach of contract, tort, strict liability, breach of warranty, failure of essential purpose or otherwise, and even if a party is advised of the likelihood of such damages. This document or custom report versions of this document may contain links to third party websites. Monitoring the vast information disseminated and accessible through those links is beyond our resources and neither OCEG nor any Contributors attempt to do so. This Document provides links for convenience only and nothing herein shall constitute an endorsement of the information contained in linked web sites nor guarantee its accuracy, timeliness, or fitness for a particular purpose. OCEG and its Contributors disclaim all warranties and liability for the content of any such other sources.
Table of Contents

Table of Contents ..... 4
RED BOOK INITIATIVE LEADERSHIP ..... i
  OCEG Leadership Council (2008) ..... i
  Red Book 2.0 Initiative Leadership ..... i
  Red Book Steering Committee Co-Chairs ..... i
  Steering Committee ..... ii
  Task Force and Review Panel ..... iii
  Task Force Members ..... iii
  Review Panel Members ..... iv
Executive Summary ..... viii
  Corporate Misconduct and Regulatory Reform ..... viii
  Striving for Principled Performance ..... viii
  GRC: An Integrated Approach to Governance, Risk Management and Compliance ..... viii
  The GRC Capability Model™ ..... ix
The OCEG Framework for Principled Performance® ..... 2
  The Red Book ..... 2
  The Burgundy Book ..... 2
  Additional Resources Available from OCEG ..... 2
  Content Domains ..... 2
  GRC Requirements Database ..... 3
  GRC-IT Blueprint™ ..... 4
Changing Times: The Evolution of GRC ..... 5
  Corporate Misconduct and Regulatory Reform ..... 5
  Value and Stakeholders ..... 6
The Rise of Principled Performance® ..... 6
  Defining the Boundaries of Conduct ..... 7
  GRC: Governance, Risk Management, Compliance and Beyond ..... 8
GRC: Breaking it Apart and Pulling it All Together ..... 10
  The Corporate Governance Discipline: The G in GRC ..... 10
  The Risk Management Discipline: The R in GRC ..... 11
  A Brief Detour: Sustainability ..... 11
  The Compliance Discipline: The C in GRC ..... 13
  Other Critical Components of GRC ..... 13
  A Unified Framework ..... 14
  An Integrated Approach ..... 15
  Embedded in the Business ..... 16
  High-Performing GRC ..... 16
  Efficient, Effective and Responsive ..... 17
  Specific GRC Benefits ..... 18
  Integrated GRC: A Pathway to Principled Performance ..... 18
Key Roles and Accountability ..... 19
  The Role of the Board ..... 19
  The Role of Management ..... 19
  The Role of Assurance ..... 19
The Anatomy of the GRC Capability Model ..... 21
Universal GRC System Outcomes ..... 24
  U1. Achieve Business Objectives ..... 24
  U2. Enhance Organizational Culture ..... 24
  U3. Increase Stakeholder Confidence ..... 24
  U4. Prepare and Protect Organization ..... 24
  U5. Prevent, Detect, and Reduce Adversity and Weaknesses ..... 24
  U6. Motivate and Inspire Desired Conduct ..... 24
  U7. Improve Responsiveness and Efficiency ..... 24
  U8. Optimize Economic & Social Value ..... 24
Component Overview ..... 25
  CULTURE & CONTEXT (C) ..... 25
  ORGANIZE & OVERSEE (O) ..... 25
  ASSESS & ALIGN (A) ..... 25
  PREVENT & PROMOTE (P) ..... 25
  DETECT & DISCERN (D) ..... 25
  RESPOND & RESOLVE (R) ..... 25
  MONITOR & MEASURE (M) ..... 25
  INFORM & INTEGRATE (I) ..... 25
How to Read the GRC Capability Model Report (1) ..... 26
How to Read the GRC Capability Model Report (2) ..... 27
How to Read the GRC Capability Model Report (3) ..... 28
GRC Capability Model™ Version 2.0 ..... 29
RED BOOK INITIATIVE LEADERSHIP

OCEG enjoys the expertise of an elite group of individuals and organizations who provide their invaluable wisdom and advice as we pursue serving the knowledge and resource needs of GRC and related professionals.
OCEG Leadership Council (2008)

Please join us in thanking these leading organizations and their representatives (• denotes OCEG Charter Members in 2008):

Aon •
Approva
Archer Daniels Midland Company
Axentis
Baker Hughes
CA, Inc
Cisco Systems •
Compliance Initiatives
Corporate Integrity
Dell •
Deloitte •
Dow Chemical Company
Ernst & Young •
EthicsPoint •
Freddie Mac
Gevity HR
Global Compliance Services •
Grant Thornton •
Interactive Alchemy
Kalorama Partners
Kraft Foods
Levick Strategic Marketing Communications
Littler Mendelson •
LRN •
Marsh •
Metricstream •
Microsoft •
OpenPages
Oracle •
PETCO
PricewaterhouseCoopers •
Qwest Communications •
Raytheon
SAP •
Staples
Sun Microsystems
Temple-Inland
Toyota Motor Sales, U.S.A
UHY Advisors
Unilever
Ventura Foods
Wal•Mart
XPLANE
Red Book 2.0 Initiative Leadership

A select group of individuals representing cross-disciplinary, cross-industry, and transglobal perspectives committed substantial time and expertise to shaping the OCEG Capability Model™. We would like to take this opportunity to thank each of our contributors. OCEG accepted the input of each of the individuals in the following roles as individual contributions, recognizing that their views and perspectives may not represent official views of the organizations with which they are affiliated.
Red Book Steering Committee Co-Chairs

Mr. Larry Harrington, CPA, CIA - Vice President, Internal Audit, Raytheon Company (Professional Issues Committee - IIA)
Mr. Brad Jewett - Vice President, Enterprise Risk Management, BMC Software (formerly during this process Director, Enterprise Risk Management, Microsoft Corporation)
Mr. Scott Roney, Esq. - Vice President, Compliance and Ethics, Archer Daniels Midland Company
Mr. John Steer - Partner, Allenbaugh Samini LLP (Vice Chair, US Sentencing Commission, 1999-2007)

We would like to thank the OCEG executives and staff members (present and past) who helped to make Red Book 2.0 possible, especially: Avi Fichman, Kelly Ray, Carole Waesche, Stephane Legay, Vinaya Mayya, Jeanna Mitchell and Lane Leskela. We appreciate all that you do to support our members and our work.

With our thanks,
Carole and Scott
Steering Committee

Steering Committee members attended several drafting and review sessions, and individually prepared comments on each draft of the Red Book document throughout the development process. A special thank you to Jose Tabuena, VP Integrity and Compliance/Corporate Secretary, MedicalEdge Healthcare Group, Inc. for his contributions to the narrative overview.

Mr. Michael Horowitz - Partner, Cadwalader Wickersham & Taft LLP and U.S. Sentencing Commission Member
Mr. Eric Moorehead - Assistant General Counsel, United States Sentencing Commission
Mr. Richard Steinberg - CEO, Steinberg Governance Advisors, Inc. (Author, COSO Internal Control & COSO ERM and formerly corporate governance practice leader of PricewaterhouseCoopers)
Mr. Carlo di Florio - Partner, Advisory, PricewaterhouseCoopers LLP
Mr. Lee Dittmar - Principal, Deloitte
Mr. Randy Nornes - Executive Vice President, Aon Corporation
Mr. Trent Gazzaway - Managing Partner of Corporate Governance, Grant Thornton LLP
Mr. Norman Comstock, CIA, CISA, CISSP, CCSA, CSOXP - Managing Director, UHY Advisors TX LLC
Mr. Gaurav Kapoor - CFO and General Manager, MetricStream, Inc.
Mr. Jose Tabuena - VP Integrity and Compliance/Corporate Secretary, MedicalEdge Healthcare Group, Inc.
Mr. Mark S. Beasley - Deloitte Professor of Enterprise Risk Management and ERM Initiative Director, Professor of Accounting, College of Management - COSO Board Member
Mr. David B. Crawford, CIA, CCSA - Audit Manager Emeritus, System Audit Office, The University of Texas System
Mr. Ronald Berenbeim - Director of Ethics Research, The Conference Board
Mr. Earnie Broughton - Executive Director/Ethics Program Coordinator, USAA
Mr. David Koenig - Past Chairman of The Board of Directors, PRMIA
Ms. Melissa Lea - Chief Global Compliance Officer, SAP AG
Mr. Paul Liebman - Chief Compliance Counsel, Dell Corporation
Mr. Dave Ferguson - VP of Operations Compliance, Wal-Mart Stores, Inc.
Mr. Pete Fahrenthold - Managing Director Risk Management, Continental Airlines
Mr. Eugene Fredriksen - CISO, Tyco International
Mr. Abdel Krim Hamou-Lhadj - Manager, Regulatory Compliance & Quality Assurance Cognos Products - IBM
Mr. David Heller - VP Risk and Chief Ethics and Compliance Officer, Qwest Communications
Mr. Allen Stewart - Managing Director Ethics, Duke Energy
Ms. Nan Stout - Vice President, Business Ethics, Staples
Mr. Kendall Tieck - Audit Director, Business Groups, Microsoft Corporation
Ms. Shirley Yoshida - SVP, Internal Audit, Macy's Inc.
Mr. Chet Young - Divisional VP Audit Compliance and Loss Prevention, Walgreen Co
Mr. Brian Chevlin - Deputy General Counsel, Unilever
Ms. Mary Doyle - Ethics & Compliance, Intel Corporation
Ms. Kathleen Edmond - Chief Ethics Officer, Best Buy
Mr. Rick Kulevich - Sr. Director, Ethics and Compliance, CDW Corporation
Mr. Jay Martin - VP CCO & Sr Deputy Gen Counsel, Baker Hughes Inc.
Mr. Xunlez Nunez - Ethics and Compliance Business Consultant, Baker Hughes, Inc.
Ms. Haydee Olinger - VP Chief Compliance Officer, McDonalds
Mr. Paul C Palmes - President, Business Standards Architects, Inc.
Ms. Xenia Ley Parker - Senior Director, Marsh & McLennan Cos
Ms. Tian Peng, CIA - Audit Manager, China National Offshore Oil Corporation Ltd
Ms. Deborah Penza - VP Corporate Compliance, Elan Pharmaceuticals, Inc.
Ms. Janet Sheiner - Director, Ethics & Compliance, PETCO
Ms. Faye Stallings - Vice President Audit & Ethics, El Paso Corporation
Mr. Michael Rasmussen - President, Corporate Integrity
Dr. Parveen Gupta, LL.B., Ph.D. - Professor of Accounting and Chairman Accounting, Lehigh University
Prof. Mr. Sanjay Anand - Chairperson, Sox Institute, G R C Group
Mr. Robert Chastain - General Council-VP Compliance-Chief Security Officer, Pepperweed Consulting LLC
Mr. Andrew Dahle, CPA, CIA, CISA, CFE - Partner, Advisory, PricewaterhouseCoopers LLP
Ms. Deb Davis - Executive Vice President, Great River Compliance & Advisory Services LLC
Mr. Kip Ebel, CFE - Senior Manager, Health Sciences, Fraud Investigations & Dispute Services, Ernst & Young LLP
Mr. David Gebler - President, Skout Group, LLC
Mr. Allan Goldstein - Retired Managing Director Risk Advisory, ARGUS Holdings Ltd
Mr. Steven Helwig - Director Professional Services, Compliance Spectrum
Mr. David Hess - Director, Internal Audit and Controls, Jefferson Wells International, Inc.
Ms. Sara A. Liftman - Senior Manager, AABS Advisory Services, Ernst & Young LLP
Mr. Worth MacMurray, Esq. - Principal, Compliance Initiatives, LLC
Mr. Bruce McCuaig - Chief Risk Officer/Principal Consultant, Paisley Consulting
Ms. Andrea McElroy - Sr. Director Compliance System Integrity, Golden Living
Mr. Robert N. Merrill, JD - Senior Manager, Fraud Investigation and Dispute Services, Ernst & Young LLP
Mr. Tom Wardell - Partner, McKenna Long & Aldridge LLP
Mr. F. Richard Ricketts, JD - Director of Finance, Workforce Development Council Snohomish County
Ms. Carole Basri - President, The Corporate Lawyering Group LLC
Task Force and Review Panel

Task Force members attended online review meetings and both Task Force and Red Book Review Panel contributors provided their focused review of the Red Book 2.0 drafts throughout the process.

Task Force Members

Mr. Ted Banks - Compliance & Competition Consultants, LLC (formerly Chief Counsel Global Compliance, Kraft Foods)
Mr. Dinesh O. Bareja - Program Director, CSI eSecure, Inc. (Canada)
Mr. Hadi Beski - PM, Hashem Co
Mr. Matthew Blake - Analyst, Ikobo
Mr. Wayne Brody - CCO VP Legal Affairs, Arrow Electronics, Inc
Mr. Mark Carey - Partner, Deloitte & Touche LLP
Mr. Glenn Carleton - Director National Consulting, RSM McGladrey
Mr. Nick Ciancio - Vice President Marketing, Global Compliance
Mr. Paul Cogswell - Vice President ERC, Comdata Network, Inc.
Mr. Brett Curran - Vice President GRC and Regulatory Practices, Axentis LLC
Mr. Ronald De Boer - Senior Sales Executive GRC, SAP Nederland (Netherlands)
Mr. Stephen Donovan - Chief Counsel - International Compliance, International Paper Company
Ms. Christine Doyle - SVP Senior Compliance Director, Bank of America
Mr. Rocky Dwyer, PhD, CMA - Principal, Chief Review Services, National Defence (Canada)
Ms. Catherine Finamore Henry, CIA - Ethics Officer and VP, Business Development, SmartPros Legal & Ethics, Ltd.
Mr. John Fons, Esq. - Attorney, John Fons Solo Practice
Mr. Christopher Fox - Senior Principal Manager, Governance Risk and Compliance, CA
Mr. Arnold Galit - VP Risk and Compliance, Ikobo, Inc
Mr. Jason Garelli - Head of Operational Risk and Sox Management, Och-Ziff Capital Management
Mr. Joe Grettenberger - Compliance Solutions Integration Manager, Quest Software
Mr. Eric Hespenheide - Internal Audit Services - Global Leader, Audit and Enterprise Risk Services, Deloitte & Touche LLP
Mr. Eric Hong - Manager, Security Consulting, A3 Security (Republic of Korea)
Mr. Jawaid Iqbal - System Analyst, Saudi Pan Gulf (Saudi Arabia)
Mr. Dennis Irwin, CIA - Internal Audit Manager, Health Care Practice, Wipfli LLP
Mr. Bob Jacobson - Managing Director National Consulting, RSM McGladrey
Ms. Colleen Lyons, MBE, CCEP - Principal, Ethical Stability™
Mr. John MacKessy - President & CEO, Prism Risk Advisors, Inc.
Mr. Eamonn Maguire - Managing Director, PricewaterhouseCoopers LLP
Mr. Paul McGreal - Prof of Law, Southern Illinois University School of Law
Mr. Ashish Mehta - IT Manager, BP (United Arab Emirates)
Mr. Jeffrey Miller - Chief Compliance Officer, Synthes
Mr. Bruce R. Millman - Shareholder, Littler
Mr. James O'Keeffe - Consulting Manager, Sycor Americas
Mr. Brin Odell - Director - Client Services, EthicsPoint
Ms. Mary Pruitt - Associate Director Firm Compliance, Americas Office of Ethics and Compliance, Ernst & Young
Mr. Azwar Ritonga - OSS Eng, TELKOM (Indonesia)
Mr. David Mace Roberts - Vice President and Gen Counsel, Elbit Systems of America LLC
Mr. Roy Robinson - Vice President Communications Education, Archer Daniels Midland Company
Mr. Sayed Sadjady - Partner, PricewaterhouseCoopers LLP
Mr. Suvendu Samantaray - Business Consultant, Infosys Consulting
Mr. William Shenkir, Ph.D., CPA - William Stamps Farish Prof Emeritus, McIntire School of Commerce, University of Virginia
Mr. Ratan Sonti - Software Engineer, SAP
Ms. Andrea Spudich, CCEP - Principal, The Responsible Leader Group
Ms. Darla Stanley - Wal-mart Stores, Inc.
Ms. PJ Sullivan - Sr Technical Mgr-IT Compliance, Freight System, FedEx Corporation
Mr. Lou Tinto - Engagement Manager Technology Risk Management, Jefferson Wells
Ms. Patricia Towers - Senior Manager, Global Ethics & Compliance, Procter & Gamble
Ms. Juven Zeng - Consultant, Smartdot Tech
Review Panel Members Mr. Mr. Mr. Ms. Ms. Mr. Mr. Mr. Mr. Mr. Mr.
Daoud Abu-Joudom, MBA, CISA, CISM – VP, Head of IT Audit, Group Internal Audit, Arab Bank (Jordan) John Adamsons – Coordinator, WHO Mani Akella - Director, Technology, Consultantgurus Julia Allen - Senior Researcher, Carnegie Mellon University Sam Apps - Group Manager Compliance, Origin Energy Limited (Australia) Toks Azeez - Compliance Business Consultant, Legal Department, Baker Hughes Inc Timour Baiazitov – Head of Risk Management and Control, Severstal (Russia) Brian Barnier – GRC, IBM Corporation Stephen Baruch, CBCP – Disaster Preparedness, Business Continuity, Enterprise Risk Management Bob Bassetti - Senior Manager, BearingPoint, Inc. Indarduth Beejah – Deputy Director Internal Control, US Government (Mauritius)
Intro - iv LICENSED TO CDUCU ON TUESDAY, APRIL 28, 2009. SINGLE USER LICENSE GRANTED.
Mr. Jose Antonio Rubio Blanco - Rey Juan Carlos University (Spain) Mr. Robert Bordynuik - Sr Security Consultant, Versatile Solutions LLC (Saudi Arabia) Mr. Bruce Buckley -G eneral Counsel, IIR Mr. French Caldwell - VP – Analyst, Gartner, Inc. Dr. Joseph V. Carcello – Ernst & Young Professor and Director of Research - Corporate Gov ernance Center, University of Tennessee Mr. Anthony Chalker - Director, Protiviti Mr. Derek Cherneski - Business Continuity & Security Analyst, Federal Communications Commission (Canada) Mr. Mandar Chitre - Solution Architect, Infrastructure Management Services, Patni (India) Mr. Tom Cleary (Australia) Mr. Richard Cohan, FACHE, CHC, CCEP - Director of Integrity and Compliance and Chief Privacy Officer, Providence Health & Services Mr. Marco Colonna (Italy) Mr. Brian Conrey, CISA - Program Manager, Controls Integrity LLC Ms. Laura Cote - Senior Auditor, Allergan Mr. Doug Cotton - MD Business Ethics & Compliance Program, American Airlines Mr. Kevin Crimmins - VP GC, Software Impressions LLC Mr. John Cross - Lecturer, California State University Fullerton Ms. Yo Delmar, CMC, CISM - Chief Marketing Officer, Brabeion Software Corporation Ms. Andrea Dias – Manager, ICTS Global (Brazil) Mr. Patrick Donovan – Chief Compliance Officer, Airbus SAS (France) Mr. Rory Douglas - Ethics Analyst Mr. Robert Drolet - Oracle Financials and GRC Professional, OraApps Consulting, Inc. Mr. Tim Elliott – Senior Vice-President, Operational Risk Director, Financial Intelligence Division, Comerica Bank Ms. Sheila Fields - Knowledge Management , HS FIDS Ms. Cyndi Fleming - Director of IM/IT, DTSSAB (Canada) Mr. Russ Gates – President, Dupage Consulting LLC Mr. Leon Goldman - Chief Compliance and Privacy Officer, Beth Israel Deaconess Medical Center Mr. Royd Graham - Corporate Controller and Senior Director of Accounting, Academy Sports + Outdoors Mr. Luis Guadarrama - Sr Data Security Consultant (Mexico) Mr. Richard Gudoi Gid'Agui, CIA, CGFM, CFSA, MSc. 
Audit(UK), MBA - Senior Lecturer / Program Coordinator Internal Auditing, School of Accountancy, Witwatersrand University (South Africa) Mr. Miguel Gutierrez, CISA, CISM - Director Global IT Risk & Compliance, International Information Technology, Brink's Incorpora ted Mr. Rodrigo Hayvard, Esq. (Chile) Mr. Michael Helmantoler – Business Continuity, Helmantoler.net Mr. Arnold Hill - Project Manager, Property Developmen t Division – WPC, US General Services Administration Mr. Peter Hillier - Principal Consultant, Hillier Security Services (Canada) Mr. David Hoberg - Corporate Finance Manager, Voith Paper, Inc. Mr. Matthew Hourin, - Senior Manager, Deloitte Mr. Jörgen Jarleman - Principal, JMC Management Consulting (Sweden) Mr. Anil Jhumkhawala – Director-Compliance, Secure Matrix I Pvt Ltd. (India) Mr. Jim Jolley - Training and Research Manager, Office of Communication and Professional Development, Florida Department of Revenue Mrs. Christiane Jourdain - Business Continuity Planning Project Manager, Sussex HIS, NHS (United Kingdom) Mr. Rodriguez Julio - Chief Compliance Officer, Banco Pastor (Spain) Mr. Daniel Karrer - E-Loan Inc (Brazil) Ms. Marion Keraudren Ms. Cary Klafter - VP Legal and Corporate Affairs and Corporate Secretary, Intel Corporation Mr. Sam Koh - Technical Manager, Vasco (Singapore) Mr. Alon Kohalny - CAE, Municipality of Kadima-Zoran (Israel) Mr. Richard Levy - Vice President of Engineering, Mitratech Holdings, Inc. Ms. Adlinna Liang – Director, MetLife
Intro - v LICENSED TO CDUCU ON TUESDAY, APRIL 28, 2009. SINGLE USER LICENSE GRANTED.
Mr. Peter Liria – Director, Global Ethics & Compliance, Avaya Inc. Ms. Anna Luszpinska – Director, Prudential Regulations Department, Bank Zachodni WBK SA (Poland) Mr. Andre Macieira – Director, ELO Group (Brazil) Prof. Andre Macieira- Assistant Professor, Concordia University Ms. Marjorie A. Maguire-Krupp, CPA, CIA, CFSA – President, Coastal Empire Consulting Mr. Jorge Soeiro Marques - Chief Risk Officer, Lusitania Seguros (Portugal) Mr. Gabe Mazzarolo - VP – Technology, Pareto (Canada) Ms. Amelia McCarty - VP Ethics and Compliance, Cardinal Health, Inc. Mr. Tlhabano Mmusi - Compliance Trainee (Botswana) Mr. Paul Moxey - Head of Corporate Governance and Risk Management, ACCA (Association of Chartered Certified Accountants)(United Kingdom) Ms. Florie Munroe - Vice President for Compliance, Health Quest Mr. Joe Nadivi - CEO, SBS (Israel) Mr. Warren Nelson - Risk Advisor, Risk & Assurance, Inland Revenue Department (New Zealand) Mr. Peter Parmenter – Director, Internal Controls, Biomed Realty Trust, Inc. Ms. Alice Peterson – President, Syrus Global Ms. Diane Pettie - Vice President General Counsel & Corporate Secretary, Legal, Canexus Limited (Canada) Ms. Judy Pokorny – Director, Utilities Consulting, Huron Consulting Mr. Tobin Pospisil - Chief Financial Officer, Gallatin Steel Company Mr. Richard Poworski – ITA, SGI (Canada) Ms. Monika Rajh Mladenov – Auditor, The Court of Audit of the Republic of Slovenia (Slovenia) Mr. Bala Ramanan, -.Sr. Consultant, Microland Ltd (India) Mr. Javvadi H Rao, FICWA, ACA, CMA, CFM(USA) - Head of Risk Management, Agri Business Division, ITC Ltd. (India) Dr. Peter Reichard - Group Compliance Officer, Allianz Risk Transfer (Switzerland) Ms. Kim Rivera - VP Associate GC, The Clorox Company Mr. Joel Rog ers – Director, Ethics & Corporate Compliance, Kaplan EduNeeringMs. Johanna Rogers Chief Compliance Officer, SunGard Mr. Peter Rosen zweig - Senior Manager, Advisory Services, Ernst & Young LLP Mr. 
Stefano Rossi – Dott, Guidance SRL (Italy) Ms. Mary Roth - Executive Director, RIMS (Risk and Insurance Management Society) Mr. Paul Russo - Systems Engineer, BAE Systems Ms. Karen Rutledge, -.Ethics & Compliance Specialist, PNM Resources, Inc. Mr. Richard Sanzin - Company Secretary, Royal Automotive Club of Victoria (RACV) Limited (Australia) Mr. Ram Sastry - Director - IT Audits Mr. James Sehloff - Information Security Analyst, Holy Family Memorial Mr. Bob Semple - PricewaterhouseCoopers LLP (Ireland) Mr. Jerry Shafran - CEO, Compliance Assurance Corporation Mr. Ken Shaurette - Engagement Manager, Jefferson Wells Ms. Monica Shilling – Partner, Proskauer Rose LLP Mr. Jay Shinde, Assistant Professor, Eastern Illinois University Ms. Elizabeth Siemens - Senior Legal Advisor Governance, Cameco Corporation (Canada) Mr. Samir Singh Mr. Mark Snyderman - Chief Ethics & Compliance Officer & Assistant General Counsel, The Coca-Cola Company Ms. Barbara Stegun Phair – Partner, Abrams Fensterman Fensterman Eisman Greenberg Formato & Einiger, LLP Ms. C Karen Stopford - AVP Information Security, The Commerce Insurance Company, Inc. Mr. Geoffrey Storms - Chief Internal Auditor, Cameco Corporation (Canada) Mr. Dan Swanson - President and CEO, Dan Swanson & Associates (Canada) Ms. Celia Szelwach - Ethics and Compliance Manager, PBS&J Ms. Heidi Teresi - Compliance Manager, Alcatel-Lucent Mr. Tim Tesluk - SVP, Greater China Legal & Compliance, DBS Bank (China) Mr. Calvin Thompson - Manager, TSWCCUL (Bahamas) Mr. Kevin Tisdel - Director of Corporate Compliance, Shaw Industries Group, Inc.
Intro - vi LICENSED TO CDUCU ON TUESDAY, APRIL 28, 2009. SINGLE USER LICENSE GRANTED.
Mr. Dan Twing – COO, EMA (South Africa)
Mr. Pieter Van Hout, Ing Mba Mbci – Essent Corporation (Netherlands)
Mr. Surya Vangara – SCSL (Trinidad and Tobago)
Mr. Kishore Vekaria – Director, Secure Keys Consulting (Mauritius)
Mr. Nitish Verma – Director
Mr. Dean Wagers – SOX Compliance, The Kroger Co.
Ms. Kathy Washenberger – IPSO, Hennepin County
Mr. David Wassel – VP, Business Development, ZeroTouchWare
Mr. Ian Lawrence Webster – Governance Officer, Performance Technologies (Brazil)
Mr. Chip Weiant – Chair, American Center for Civic Character
Ms. Mary Karen Wills – Partner, Consulting, Argy Wiltse & Robinson
Ms. ChunHua Yang – Student, Southern Illinois University
Ms. Jie Yang, MBA (China)
Mr. Gunter Zimmermann – Consultant, Controlware Gmbh (Germany)
Executive Summary Problems always have solutions. And the very simple solution to the almost unimaginably complex challenges organizations face as they do business in an increasingly complicated global marketplace is this: Step back, get a good look at the challenges and develop an integrated approach to managing risks and maximizing opportunities throughout the enterprise. The result: what the Open Compliance and Ethics Group calls Principled Performance®1. The simple step of adopting an integrated approach to setting operational standards and making sure they’re met – by integrating activities that are now siloed and often duplicative or contradictory – enhances the corporation’s value by making its governance, risk management and compliance activities more efficient and effective.
Corporate Misconduct and Regulatory Reform The rise in incidents of corporate misconduct in recent years led to numerous reforms in organizational legal and regulatory regimes. Yet, even with increased regulatory control, organizations have shown themselves to remain unprepared for the wide-ranging risks they face. A big part of the problem is that too much of too many companies’ efforts to eradicate misconduct focuses on the individuals and their supposed malicious intent rather than on the systems and processes that should have kept the misconduct from happening in the first place. So, despite warning signs, companies often fail to see an emerging calamity, even when it is fully predictable. Threats that should have been recognized and avoided continue to catch them by surprise, a state of affairs that has emphasized the importance of establishing an ethical culture and a more integrated approach to organizational oversight, comprehensive risk management and compliance efforts.
Striving for Principled Performance Organizational balance of power relies on the interrelationship of management, the Board of Directors (or other governing body) and key stakeholders. That interrelationship depends on mutual accountabilities and an unfettered exchange of information. When the parties work together well, they provide an authoritative set of checks and balances that enables the organization to achieve Principled Performance, which is the outcome of clearly articulating an enterprise’s objectives, both financial and nonfinancial, and defining the methods by which it establishes and stays within the boundaries it will observe while driving toward those objectives. Principled Performance is achieved by defining “right” for your company, then doing the “right” things the “right” way — not only to create value in the traditional view, but to protect value, address uncertainty and help the organization stay within its customized boundaries of conduct.
GRC: An Integrated Approach to Governance, Risk Management and Compliance A number of key business processes help organizations achieve Principled Performance, and processes under the areas of governance, risk management and compliance are particularly critical to its success. Because there is significant overlap in the activities that underlie and support those broad areas, addressing them and all others that contribute to Principled Performance in an integrated fashion allows a consistent view of information and efficient application of resources that greatly enhance the power each individual process brings to the organization. We call that integrated approach “GRC”.
1 Principled Performance is a registered trademark of OCEG.
GRC activities are fundamentally interconnected and dependent on similar processes, people and technology. It is important to note that integration of these activities does not mean consolidation. Rather, integration means applying a common vocabulary, approach and, ideally, technology infrastructure to GRC processes. It also means coordinating the activities that ensure a flow of consistent information throughout the organization and that enhance efficient use of resources. By establishing an integrated GRC system of people, processes and technologies, an organization can replicate improvements in one GRC area across other GRC areas in the enterprise, enabling the organization to achieve Principled Performance. And once the GRC system is in place, companies can fine-tune their efforts as they move forward, reallocating human and capital resources to the GRC areas that their ongoing monitoring tells them need the most attention.
The GRC Capability Model™ At the heart of the OCEG Framework is the GRC Capability Model™. Although various standards and guidance frameworks exist that address discrete portions of governance, risk management and compliance issues, the OCEG GRC Capability Model™ is the only one that provides comprehensive and detailed Practices for an integrated GRC system. Those Practices address the many Elements that make up a complete GRC system.
Figure 1 – GRC Capability Model Elements View
Applying the Elements in the GRC Capability Model™ and the Practices within them enables an organization to:
• Achieve Business Objectives
• Enhance Organizational Culture
• Increase Stakeholder Confidence
• Prepare & Protect the Organization
• Prevent, Detect & Reduce Adversity
• Motivate & Inspire Desired Conduct
• Improve Responsiveness & Efficiency
• Optimize Economic & Social Value
The OCEG Framework for Principled Performance® The shortest distance between any organization and Principled Performance is application of the guidance and resources provided by OCEG. The OCEG Framework for Principled Performance® (commonly referred to as the OCEG Framework) is relevant to those in oversight, strategic, operational and assurance positions. The OCEG Framework is centered on the GRC Capability Model™ (commonly known as the Red Book), which describes key elements of an effective GRC system that integrate the principles of good corporate governance, risk management, compliance, ethics and internal control. The OCEG Framework also includes the Burgundy Book, which details the assessment criteria and procedures for evaluating GRC systems under OCEG’s GRC Capability Assessment Program™. Here are important content and format details:
The Red Book The Red Book contains the GRC Capability Model™, the central piece of the OCEG Framework. It provides a comprehensive guide for anyone implementing and managing a GRC system or some aspect of that system – including those involved in compliance, training, hotlines and investigations. The Model also is contained in a searchable database on the OCEG site, where OCEG enterprise members can mine the data it contains and create custom reports to include content from the additional resources described below. Premium members may also view the online version but do not have access to custom report creation. As a downloadable document on the OCEG site available to all OCEG members, the Red Book also includes a narrative overview about achieving Principled Performance through an integrated approach to governance, risk management and compliance. This narrative also provides a basic understanding of the principles and structure of the OCEG Framework. OCEG also makes the narrative overview available as a separate downloadable document that can serve as a quickstart guide to orient leadership and new GRC team members about GRC and the OCEG Framework.
The Burgundy Book The Burgundy Book provides procedures and assessment criteria to facilitate management and evaluation of a GRC system. It identifies the key aspects of a GRC system that an organization should evaluate to provide assurance of system design and baseline operations to management and the Board and it establishes common procedures for conducting an independent assessment of the system. The Burgundy Book’s procedures also serve as the basis for evaluations that support an application for certification of GRC system design by OCEG. The Burgundy Book is available for download by all OCEG enterprise members and may be purchased for download by premium members.
Additional Resources Available from OCEG OCEG offers additional resources to enterprise members that supplement the OCEG Framework. The searchable and downloadable resources include:
Content Domains Content Domains provide application guides (supplements) that offer additional information to use with the OCEG Framework when addressing topical or industry-specific aspects of a GRC system. They delineate practices for applying the GRC Capability Model that are bundled either broadly for a particular area of risk applicable to any number of entities or specifically for a unique area of risk applicable within a particular industry. In that way, the Content Domains address the nuances and exceptions in applying the Model to the unique activities of an organization. OCEG members may download GRC Content Domain materials as discrete electronic publications based on a single industry issue or a single area of risk. Alternatively, enterprise members may search across multiple Content Domains and download a customized comprehensive report. The GRC Capability Model can be used as a common backbone to support compliance and risk management of common and industry specific risk areas.
[Figure: common compliance risk area domains (apply to most organizations); industry or geography specific domains; GRC Capability Model™ (People, Process & Technology)]
GRC Requirements Database The OCEG Requirements Database under development contains detailed information about Requirements that are related to the Elements of the GRC Capability Model or to Content Domains, which OCEG has identified from specific laws, rules, cases, treaties, standards and other guidance. OCEG maps these “Related Requirements” to the specific Elements of the Model or Domain Practices to which they relate. In that way, enterprise members can use the OCEG resources to ensure that they are aware of relevant Requirements. During 2009, OCEG is reviewing publications — Authority Documents — of more than 100 standards bodies and other industry organizations, as well as governments in numerous countries, to identify additional global Requirements relevant to the Model. Given the enormity of the task of addressing a global audience, transnational standards and those from the following 15 countries and regional bodies, based on their position in global affairs and OCEG member priorities, represent the starting point for Requirements that will be added to the database: Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Russia, South Africa, United Kingdom, United States and the European Union.
OCEG will provide citations to relevant portions of Related Requirements with links to the text when available and depending upon agreements reached with issuing authorities. An example of this format, available only through custom reports generated by Enterprise members through use of the OCEG Requirements Database, is presented in Appendix A.
GRC-IT Blueprint™ OCEG Premium and Enterprise members may use the links to Technology Arenas and Modules in the online version of the Model (located within each Element) to access Appendix A of the GRC-IT Blueprint™, which identifies and defines types of technologies that enable the GRC system. The Technology Arenas and Modules in the Model represent a bridge between the GRC professional and the IT professional. GRC professionals can use the Technology Arenas and Modules as a basis for discussing technology options with their IT counterparts. Enterprise member IT professionals can use the Technology Arenas and Modules as a bridge from the Model into the GRC Blueprint™. While the downloadable version of the Model available to all OCEG members provides high level guidance on which Technology Arenas and Modules support each Element of the Model, the GRC-IT Blueprint™ provides the definitions of these Arenas and Modules as well as visual representation of how they relate to each other. The GRC-IT Blueprint™ also is available as a downloadable stand-alone document.
Changing Times: The Evolution of GRC The globalization of financial markets, rapid expansion of outsourcing, and growth of layer upon layer of regulatory oversight within governments across the globe make today’s business environment as challenging as any has ever been. The global economic systems in which organizations now operate have become profoundly complex and inter-related, and it is not always clear where requirements originate and responsibilities lie for various aspects of governance, risk management, compliance, and oversight of controls. That lack of clear accountability has resulted in abuses of power, compliance failures and other dysfunction that affect shareholder capital, employees and the social environment at large. When accountability in an organization breaks down, it can have severe consequences. Not surprisingly, investors have indicated they are willing to pay a premium for well-governed companies. The problem that most corporate executives see when it comes to staying on top of changing legal requirements, business circumstances and economic realities is this: There are too many fragmented solutions to too many problems, a micro approach if you will. What they too often don’t see is that there is a unified solution – a macro solution to a macro problem – that addresses all the separate problems that come up as the business environment changes. Application of OCEG’s GRC Capability Model™ is every organization’s key to developing key systems and processes, required controls around them and assessments that help ensure that the organization can adapt to address every business risk it faces. The bottom line: An integrated approach to governance, risk management and compliance that’s embedded in an organization’s day-to-day operations will maximize its performance and minimize its risk.
Corporate Misconduct and Regulatory Reform By most accounts, the prominent lapses associated with companies that lost their way in recent years were due in large part to corporate governance failures, including all too common and undue pressure to meet short-term objectives and not enough pressure to build long-term value. That lack of attention to fundamentals and appropriate oversight led to the destructive behavior that undermined the financial market’s credibility and, in turn, inspired numerous reforms in legal and regulatory regimes imposed on organizations. The Sarbanes-Oxley Act of 2002 was just the start of an onslaught of regulatory and other reforms that regulatory bodies have put in place globally in an attempt to improve corporate governance. Public companies are not alone. Although private companies are not required to comply with the provisions of SOX or its regulatory counterparts in other countries, reforms around the world also have addressed various areas of private company business practices. Likewise, though the stated goal for not-for-profits is fulfilling a mission rather than maximizing share price, they too have faced increased regulatory oversight. But even with that increased regulatory control, organizations have proved themselves unprepared for the wide-ranging risks they face these days. Even with warning signs, companies still fail to see emerging calamities, even when they’re fully predictable. Often, threats that should have been recognized and avoided still catch too many companies by surprise. This state of affairs emphasizes the importance of effective organizational oversight, comprehensive risk management and a more integrated approach to controls & compliance. Organizations have struggled to manage the myriad of governance, risk management and compliance requirements they face and many continue to apply fragmented approaches to those critical functions, resulting in suboptimal performance. However, some are successfully reducing their vulnerability and managing the complexity of requirements by employing a more integrated approach to governance, risk management and compliance.
Value and Stakeholders To best see the path ahead — the path to integrated governance, risk management and compliance — it’s necessary to look back to see why it’s critical to embark on the integration journey. Organizations and business enterprises are formed and exist for a variety of reasons, but at their core, they function to achieve a common goal or set of goals. All organizations, whether publicly traded corporations, private entities, not-for-profits or governmental units, exist to provide value for their stakeholders. They all must strive for strong performance to safeguard and grow value while ensuring sustainable operations. But while organizations exist to provide value to stakeholders, the actions they must take and goals they must achieve to provide that value are constantly changing. In the past, it was generally accepted that the “social responsibility” of business is a duty to maximize profits, particularly in the case of corporations. Today, though, the free market view that business decisions should be based solely on a narrowly defined notion of what is good for a single category of stakeholders, namely the shareholder, is eroding. Some businesses are adopting an emerging perspective that behaving in a different type of “socially responsible” manner reduces legal risks, enhances employee satisfaction and generally reflects good management practices — all things that ultimately maximize long-term shareholder value while benefiting all stakeholders of the organization. That emerging perspective holds that in today’s global markets, where shareholders and other stakeholders are diverse and widely dispersed, a stakeholder is anyone who is affected by, or who can affect, the organization. That includes internal stakeholders, or employees, and those in the value chain, suppliers and customers, as well as external influencers such as investors, communities, regulators and the media.
Stakeholder concerns, including non-financial concerns, have become more important as all types of stakeholders have gained credibility and influence. That evolving approach to value, and to the holistic and comprehensive view of stakeholder demands, is contributing to a drive toward an integrated approach to governance, risk management and compliance and, ultimately, to what OCEG calls Principled Performance®.
The Rise of Principled Performance® Organizational balance of power relies on the relationship between management, the Board of Directors or other such governing body and key stakeholders. That relationship, in turn, depends on mutual accountabilities and an unfettered exchange of information. When the parties work together, they provide an authoritative set of checks and balances that enables the organization to achieve Principled Performance. Principled Performance is the outcome of a clear articulation of an enterprise’s objectives, both financial and non-financial, and application of the GRC methods by which it establishes and stays within the boundaries it will observe while driving toward those objectives. Principled Performance goes beyond ethical performance, economic performance, or corporate social responsibility. Principled Performance represents achievement of all of the objectives an organization chooses to pursue while employing an effective, efficient, and responsive approach to governance, risk management and compliance that supports those objectives.
Defining the Boundaries of Conduct All organizations must operate within defined boundaries. Outside forces, such as legal and regulatory requirements, establish the mandated boundaries that some refer to as “externally driven mandates.” Similarly, entities must also determine the voluntary boundaries within which they should function. Those are often called “internally driven mandates.” A company’s Board and management assess the organization’s voluntary boundaries — which include public socioeconomic commitments, standards, certifications, contractual and representational obligations such as warranties and guarantees and organizational ethics and values. It is important that organizations treat voluntary boundaries as seriously as they do the mandated boundaries, as violations of either can carry equally significant adverse consequences. In the course of conducting business and managing risk, an organization must understand the internal and external obstacles that may get in the way of achieving its objectives and it must recognize the opportunities that may transform either the objectives themselves or the business model required to achieve the objectives. An organization must be adept at operating within boundaries, overcoming obstacles — or preventing them from undermining its efforts — and seizing upon opportunities to attain its objectives. But few companies have a handle on the wide range of policies, processes, and controls needed to manage compliance with both internal and external boundaries and its risks. The integration of governance, risk management, and compliance (“GRC”) helps an organization more effectively and efficiently drive performance. Governance, of course, establishes objectives and, at a high level, the boundaries inside which the entity must operate. 
A strong ethical culture, as an aspect of internal governance, provides a safety net when formal controls and structures are weak or nonexistent — while, at the same time, providing an environment that helps the workforce reach its highest level of productivity. Risk management helps the organization identify and address potential obstacles to achieving objectives. A healthy Enterprise Risk Management discipline can enhance the value protection and value creation decision making within an organization. Compliance management ensures that the boundaries are well set, and that the organization does indeed conduct business within them through established policies and controls. For an organization to achieve Principled Performance it must:
• clearly define its mission, vision and values;
• define what it seeks to achieve;
• define how it will pursue those objectives while addressing risks and uncertainty, protecting and creating value, identifying new opportunities and staying within defined boundaries of conduct along the way;
• make these choices transparent to appropriate internal and external stakeholders; and
• do all of that using an integrated approach where the “whats” and “hows” are continuously improved for the highest level of performance.
It is important to note that achieving Principled Performance means each entity defining what is “right” for it, then doing the “right” things the “right” way. Principled Performance, then, is about enhancing the traditional shareholder view of financial performance to include desired outcomes that are not directly or exclusively financial, but that address other stakeholder interests that secure long-term success.
GRC: Governance, Risk Management, Compliance and Beyond A number of key business processes help organizations achieve Principled Performance. While there are many activities and functions that contribute, such as internal controls, audit, assurance, quality, IT, HR and others, GRC (the acronym drawn from the three primary contributors – governance, risk management and compliance) stands in for all of those critical functions and represents the synergistic effect of an integrated approach; the creation of a whole that is far more than merely the sum of its parts. Within the context of the integrated GRC system, all the individual functions share a mutuality of interest, a common need for information and contribution to the organization’s efforts to achieve Principled Performance. There are many reasons an organization seeks to integrate and align its governance, risk and compliance efforts into a GRC system. Here are a few examples:
• The global footprint of the business requires an understanding of additional laws, rules and regulations beyond the headquartered domicile.
• The cost of complying with an increasingly complex, voluminous and ever-changing patchwork of legal mandates is always rising.
• There is a lack of visibility into not only operational issues, but also risk and compliance activities.
• There is unnecessary complexity and duplication of effort taking place to address risks and requirements.
• The Board and senior management face increased accountability and liability.
• There is redundancy in some areas and possible gaps in coverage for critical risks in others.
• The cost of maintaining duplicate sets of information for different purposes and reconciling information when necessary is high.
To address such drivers, many organizations are integrating GRC activities to achieve Principled Performance in an effective, efficient and responsive manner. To most effectively accomplish that, it’s important to understand the nomenclature.
Formally defined, GRC is a system of people, processes and technology that enables an organization to:
• understand and prioritize stakeholder expectations;
• set business objectives congruent with values and risks;
• achieve objectives while optimizing risk profile and protecting value;
• operate within legal, contractual, internal, social and ethical boundaries;
• provide relevant, reliable and timely information to appropriate stakeholders; and
• enable the measurement of the performance and effectiveness of the system.
A “GRC activity,” then, is any process or activity that contributes to or is part of the system. Processes and functions that are typically included include:
• Governance
• Strategy and Business Performance Management
• Risk Management
• Compliance
• Internal Control
• Corporate Security
• Legal
• Information Technology
• Business Ethics
• Sustainability and Corporate Social Responsibility
• Quality Management
• Human Capital and Culture
• Audit and Assurance
• Finance
Each contributes to an organization’s ability to drive Principled Performance, and all can benefit from improved communication, shared strategy, common processes, coordinated schedules and integrated technology. Processes under the areas of governance, risk management and compliance are particularly critical to system success, so a deeper look at their definitions is helpful:
• Governance is the culture, values, mission, structure and layers of policies, processes and measures by which organizations are directed and controlled. Governance, in this context, includes but is not limited to the activities of the Board, for governance bodies at various levels throughout the organization also play a critical role. The tone that is set, followed and communicated at the top is critical to success.
• Risk, in this context, is the measure of the likelihood of something happening that will have an effect on achieving objectives; most importantly, but not exclusively, an adverse effect. Thus, Risk Management is the systematic application of processes and structures that enable an organization to identify, evaluate, analyze, optimize, monitor, improve, or transfer risk while communicating risk and risk decisions to stakeholders. The overriding goal of risk management is to realize potential opportunities while managing adverse effects of risk.
• Compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies.
There is some overlap among these functions, but they have distinct areas of focus and each has activities dispersed throughout an organization.
For example, the definition of governance characterizes the maintenance of “culture” as a feature, even though many US-based companies incorporate ethical culture concepts into their compliance programs as defined by the US Federal Organizational Sentencing Guidelines.
GRC: Breaking it Apart and Pulling it All Together Most companies historically have approached the GRC components separately and have tacked them on top of the business rather than embedding them into operations. Many have designed and implemented risk assessments and compliance policies and processes within narrow risk areas and at distinct locations, without consideration of how or when the organization has addressed similar issues in other areas. As a result, numerous processes and controls are buried in isolated silos, leading to complexity, duplication and major gaps. To better understand the power of integration, it is useful to more closely examine the individual GRC components of governance, risk management and compliance, as well as some of the significant supporting functions that contribute to GRC goals.
The Corporate Governance Discipline: The G in GRC The Organisation for Economic Co-operation and Development defines corporate governance as “the system by which business corporations are directed and controlled. The governance structure specifies the distribution of rights and responsibilities among different participants in the corporation, such as the Board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs. By doing [so], it also provides the structure through which the company objectives are set, and the means of attaining those objectives and monitoring performance.” Traditionally, governance processes were constrained to “what happens in the Boardroom.” Contemporary views expand that, though, to encompass key governance activities that may take place throughout the organization — and even those of some external stakeholders — to support Board responsibilities, including the company’s system of internal control and oversight of compliance. Conventional corporate governance standards attempt to balance the goals of protecting the interests of shareholders and stakeholders with the requirement to respect the duty of Boards and managers to direct the affairs of the organization. As owners of securities, shareholders rely on the Board to protect their interests. The Board acts as an active monitor for shareholders’ and stakeholders’ benefit with the goal of Board oversight to make management accountable, and thus more effective. The key to corporate governance is the distribution of rights and responsibilities across the entire business. All too often, however, organizations still apply governance principles solely to Board processes and Boardroom issues. Yet critical to good governance are the systems “below the Board” and the distribution of rights and responsibilities that ensure tone, objectives and expectations cascade throughout the organization and down to every individual. 
In the context of GRC, effective corporate governance is supported in layers throughout the organization, with the emphasis on processes that affect and influence Board understanding of the critical information that allows good decision-making. Those systems and processes help the organization:
• understand entity vulnerabilities;
• provide insight and intelligence to the right people, at the right time, to make the right “risk-aware” decisions;
• reduce the likelihood that unauthorized decisions will be made;
• identify and reduce entity vulnerability to specific risks;
• reduce the likelihood and impact of undesirable events; and
• produce evidence about effectiveness to management, the Board and stakeholders.
The Risk Management Discipline: The R in GRC Between the direction and authority of governance and the requirements and boundaries of compliance lie a plethora of obstacles and opportunities that may affect an organization’s ability to achieve desired objectives. To be effective, organizations need to take control of the risks they face. The Committee of Sponsoring Organizations (COSO) ERM Report defines risk as “the possibility that an event will occur and adversely affect the achievement of objectives.”2 The COSO report further defines enterprise risk management as “a process, effected by an entity’s Board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity and manage [that] risk to be within [the entity’s] risk appetite to provide reasonable assurance regarding the achievement of entity objectives.” The Australia and New Zealand risk management standard3 uses a more concise, yet arguably broader definition of risk: “The chance of something happening that will have an impact on objectives.” It defines risk management as “the systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analyzing, evaluating, treating, monitoring and reviewing risk.”
A Brief Detour: Sustainability The concept of sustainability is sometimes mingled with other, similar expressions that have become widely used. For example, many businesspeople, authors and scholars refer to “corporate social responsibility” to mean a company’s obligations to society at large. Others prefer “sustainability” because “responsibility” emphasizes the benefits to groups outside the organization, while “sustainability” gives equal importance to the benefits enjoyed by the corporation itself. In that respect, sustainability can be viewed as related to business ethics, and thereby corporate compliance and ethics programs, but on a scale that emphasizes broader social issues such as poverty, education and human rights, versus specific choices by individual managers. Other terminology usage includes “corporate responsibility,” perhaps more commonly seen in Europe, “environmental social governance” and “sustainable development,” to name a few. Sustainability addresses the wide and diverse range of business concerns about the environment, workers’ rights and consumer protection and the impact of business decisions on those broad social issues – and ultimately the decision-making process itself and the relationship of the issues to profit or other organizational purposes. As such, the Governance role and setting of voluntary boundaries includes decisions about the organization’s commitment to sustainability.
A group of UK organizations in “A Risk Management Standard” uses the definition set forth in ISO/IEC Guide 73 for risk as “the combination of the probability of an event and its consequences.” British Standards in the forthcoming BS 31100 standard defines risk as “something that might happen and its effect(s) on the achievement of objectives.”4 There are other definitions to note, including one from the Institute of Internal Auditors: “Enterprise-wide risk management is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.”5 This multitude of definitions suggests that there is a divide in the risk management profession around the concepts and definition of risk and how risk relates to uncertainty, opportunities, threats and obstacles. The most striking difference is how authorities include or exclude various types of risk outcomes. Some emphasize risk as the potential negative events that an organization may experience as it pursues objectives. Others define risk as the potential negative or positive events that may be experienced. Some of that is not so much a debate about “risk” as it is about the context thereof. For example, the insurance community is primarily concerned with the downside of risk. By contrast, the financial community is concerned about upside benefits from taking risk. Personal behavior mirrors that. When someone buys automobile or property insurance, he or she is concerned about the potential of an adverse event. When that person utilizes a retirement plan’s financial tools, he or she is managing risk to maximize opportunities and also to seek better returns. Notably, despite those differences, nearly all risk management frameworks and risk management professionals themselves agree that opportunities, obstacles and threats must be addressed in a holistic fashion to yield an optimal result. In that sense, the fundamental difference in how different frameworks and organizations define risk becomes functionally irrelevant.
2 COSO ERM definition, page 16.
3 AU/NZS 4360 is the basis for the forthcoming ISO 31000 standard on enterprise risk management.
Indeed, in the context of GRC, most organizations have implemented at least minimal strategic planning processes and have developed an approach to pursue opportunities. What is often lacking is an integrated approach to:
• identifying the obstacles and threats along the way,
• assessing their potential impact,
• making risk-intelligent decisions and
• implementing governance structures to ensure that the organization appropriately pursues opportunities in light of those obstacles and threats.
In the context of GRC, there is a need to make governance and business performance more “risk-aware.” In relationship to corporate governance, companies struggle in determining the appropriate risk oversight role of the Board of directors. Various functions have been proposed with respect to the Board regarding risk, including approving the company’s risk appetite as a component of its strategy-setting and ensuring robust risk oversight by senior management. In other words, it is not the Board’s responsibility to identify and assess actual risks, but to monitor line management’s competence in doing so.
4 BS 31100 public draft, July 31, 2007
5 IIA definition in the Role of Internal Auditing in ERM
The Compliance Discipline: The C in GRC Boards of directors in the United States have focused heavily on meeting the financial reporting requirements of the Sarbanes-Oxley Act and are likely facing compliance fatigue. Yet financial reporting is just one aspect of compliance, and the Sarbanes-Oxley Act is just one regulatory scheme, and many organizations are facing increasing regulatory demands, especially as they extend into global markets. Every country, of course, has laws and regulations for conducting business within its borders. Neighboring and economically interdependent countries also draft treaties and other legal instruments to govern cross-border transactions. As the focus of business becomes increasingly global, non-government organizations concerned with the world economy and with corporate sustainability increasingly promote principles that multiple countries agree to abide by and thereby bind the organizations that operate within their borders to operate under those principles. Other branches of government, in their interpretation and enforcement of laws and regulations, also create compliance requirements at a more granular level. In many cases, a law may tell a company what it should be doing, but it is the enforcing agency or a court that details the how, when, why and to what standard it’s looking to know that an organization has met both the letter and the spirit of the law or regulation. Compliance requirements are not solely the province of nations. Individual organizations work together through industry and trade associations and standards bodies to create best practices and guidance on how to execute processes, make products or deliver services. By subscribing to those bodies’ ideas, and in many cases, publicizing adherence to particular standards or practices, entities themselves shape both the requirements they operate under and the expectation that they will conform to those requirements. 
Most directly, organizations agree to and impose upon themselves requirements through their contracts with employees, agents, partners, suppliers and customers. There are more formal definitions of “compliance” as well, of course. The Australian standard 3806 defines it as “an outcome of an organization meeting its obligations” and a compliance program as “a series of activities that, when combined, are intended to achieve compliance.”6 The United States Sentencing Commission more narrowly defines a compliance program as one “to prevent and detect violations of law,” although the amended organizational sentencing guidelines added the promotion of “an organizational culture that encourages ethical conduct and commitment to compliance” in its definition of an effective compliance and ethics program. In the context of GRC, compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies. In other words, compliance is all about identifying requirements, legal or otherwise, and taking steps to ensure that the organization addresses all of them.
Other Critical Components of GRC There are certain other components of GRC that merit special attention, and the internal control discipline is one of them. The concept of internal controls has a long history and has been addressed in various legislative and regulatory standards. The COSO Internal Control Report defines internal controls as “a process, effected by an entity’s Board of directors, management and other personnel, designed to achieve reasonable assurance regarding the achievement of objectives in: (1) effectiveness and efficiency of operations; (2) reliability of financial reporting; and (3) compliance with applicable laws and regulations.” In its ERM integrated framework, COSO expanded the concept of internal control to addressing the management of risk. Internal control is clearly a common thread among the GRC components, and an organization should employ a system of internal controls that specify the policies, procedures and practices that guide it in its efforts to achieve its objectives. Internal controls inform management whether processes are being performed as intended and with the intended outcomes. The assurance discipline is another critical component of GRC. To maintain stakeholder confidence, an organization must provide some level of assurance that it has appropriate governance, risk management and compliance capabilities. The critical question is what level of assurance the stakeholders, especially the Board and shareholders, demand. What satisfies the request for assurance? Is a clear authoritative statement from management sufficient? Or is independent assurance required? Does an objective internal department – such as internal audit – suffice? Or does the required level of assurance compel review by a completely independent third party? The answers to those questions tend to vary by stakeholder constituency, and they may also vary over time, given the organization’s history of favorable or unfavorable findings. In the context of GRC, an organization must provide objective, reasonable assurance that the underlying GRC system or any aspect of the system is designed and operating effectively. A focus on human behavior and conduct is yet another critical component of GRC.
6 AU 3806, definitions
As much focus as there is on risk assessments, policies and controls, perhaps the most significant factor in achieving Principled Performance is understanding and addressing what motivates human behavior. How organizations intentionally prize, cultivate and reinforce both high character and high competence behaviors is critical. Organizations must recognize that behavior cannot be completely controlled or even managed, but that they can influence it through leadership example, effective two-way communications and the implementation of processes that motivate people to follow rules and apply ethical decision-making to their actions. There is more recognition that behavior and corporate culture have a significant impact on company performance. Culture can be defined and it generally develops out of tangible and controllable actions within a company. Human resource professionals, particularly in conjunction with compliance and ethics officers, are a critical part of the GRC team, as they design and implement procedures to educate the workforce and enhance their capabilities, appraise individual and team performance and work to develop a culture of high competence, good character, openness and accountability.
A Unified Framework GRC encompasses a wide range and scope of functions, equally wide variations in approaches taken by organizations and a vast number of existing frameworks and guidance approaches. This presents a number of problems for those seeking to implement GRC, including the following limitations:
1. Framework developers often create them from a particular point of view to enable a narrow aspect of GRC.
2. Frameworks overlap in their coverage, so complete implementation of multiple frameworks could cause confusion and duplication of effort.
3. Management often implements frameworks narrowly, in one area of the business.
4. Frameworks from one discipline may have weaknesses that frameworks from another discipline address more fully. For example, compliance frameworks tend to provide little guidance around conducting risk assessments. Risk frameworks, on the other hand, provide a great deal of guidance around risk assessments, but offer little if any linkage to compliance requirements, with the exception of some frameworks that address IT, banking and business continuity risks.7
5. Internal control frameworks tend to focus primarily on controls rather than incentives. Compliance frameworks have always included powerful ideas around using incentives to motivate positive conduct.
6. Some frameworks still leave many wondering how to translate their principles into practice.
Organizations need a clear understanding of what to do in the face of voluminous frameworks. The good news is that the fundamental principles behind the frameworks often are similar. Consistent principles readily emerge, but just as often the sound, practical guidance on how to implement them is unclear or absent. So GRC professionals, particularly those who support multinational organizations that have adopted or are required to meet a multitude of frameworks, need to determine what is practical and identify what does not work. By pulling together different points of view about business processes and practices into an integrated GRC approach, a greater depth of view is gained and the best aspects of each can be used to drive Principled Performance. That’s the goal and benefit of the OCEG Framework.
An Integrated Approach It is important to note that “integration” does not mean “consolidation.” Rather, integration means applying a common vocabulary, approach and, ideally, technology infrastructure to GRC processes. It also means coordinating those activities that ensure a flow of consistent information throughout the organization and that enhance efficient use of resources. In that manner, an organization can replicate improvements in one GRC area across other GRC areas in the enterprise. The term “integration” refers to several ideas, all of which are important to establishing a GRC system:
1. Integration of GRC disciplines. Disciplines including corporate governance, risk management, compliance, internal control, assurance and quality management all use powerful yet separate frameworks to conduct their work. But those frameworks are more similar than different, and organizations can apply an integrated approach to them, using a common “backbone” to enable their varying GRC activities.
2. Integration of GRC activities across risk categories and departments. The various risk silos – strategic, cultural, operational, financial, compliance and external — and the departments that handle specific risk areas — business strategy, treasury, IT, employment, environmental, corruption, etc. — can be addressed using a common approach to cross silos, reduce the burden on the business and bring the organization together around business objectives.
3. Integration of GRC activities with business processes. GRC activities should augment strategic planning, product design, development, logistics, service, support and other mainline business processes. Management can integrate risk assessments with strategic planning, for example, and HR can integrate education about and awareness of GRC-related topics with general skills development programs.
Perhaps most importantly, integration provides “a single version of the truth.” That’s essential when senior executives and the Board ask questions like:
• Are we achieving our objectives?
• How are we achieving them relative to risk?
• What are the most important risks that we face?
• How are we addressing them and who is accountable?
• Is the organization operating within defined boundaries?
• Are we experiencing any material issues?
7 An exception to this “rule” can be seen in some industry or risk area specific risk frameworks in the IT, banking and business continuity areas.
Embedded in the Business Clarifying GRC is not about dissecting the acronym itself, of course, just as integrating its components is not about consolidating effort inappropriately. Rather, clarifying GRC is about understanding the underlying business issues that have given rise to the widespread use of the term. GRC activities must work with and be embedded in mainline business processes. In that manner, GRC becomes part of the organizational DNA. Just as there are matched chromosome pairs in each living thing’s DNA, wherever there are business activities and decisions, there are related GRC activities and decisions. Just as the tens of thousands of genes contained in chromosomes carry information throughout the organism, the GRC system consists of interrelated yet distinct components that carry information throughout the organization. And integration includes incorporating coordination requirements into mainstream business processes and decision-making. The rationalization of controls and testing and the increased use of automation reduce the burden on line-of-business operations, thus decreasing the risk of non-compliance. An enterprise perspective is required to reduce redundancy across lines of businesses and functions, enabling enterprise-wide oversight of key risks while enhancing operational effectiveness and use of resources.
High-Performing GRC A high-performing GRC system will always deliver value. Organizations typically assess the value of an activity by determining if it’s contributing to business objectives. For that reason, in achieving Principled Performance, it is not sufficient to focus only on the GRC activities themselves. Rather, primary focus must be on the desired system outcomes that result from those activities. Each organization is unique, of course, and pursues unique business objectives. As a result, every GRC system has a different mix of business objectives that it is expected to support and, thus, a different mix of desired GRC system outcomes. However, surveys of experts and historical evidence of the key system outcomes stated in mission and vision statements suggest that most organizations share several desired outcomes that appear to be universal across GRC systems. Among them are the desire to:
1. Meet Business Objectives
2. Enhance Leadership and Organizational Culture
3. Increase Stakeholder Confidence
4. Prepare and Protect the Organization
5. Prevent, Detect and Reduce Adversity
6. Motivate and Inspire Desired Conduct
7. Improve Responsiveness and Efficiency
8. Optimize Economic and Social Value
Efficient, Effective and Responsive A high-performing GRC capability will deliver those universal system outcomes while being effective, efficient and responsive. Effectiveness describes the quality of a system along two dimensions:
• Design effectiveness describes the degree to which a system or process is logically designed to meet legal and other defined requirements. Does the system or process contain all the necessary elements to thoroughly evaluate risk? Has it been designed for maximum effectiveness? If not, what features must be added to improve the system? Design effectiveness is very much a logical test that considers all requirements, risks and boundaries and determines if the system is appropriately designed.
• Operating effectiveness describes the degree to which a system or process operates as designed. If the system was designed well, does it function correctly? Does it operate the way it was designed to? If not, how must it be managed to elevate its level of operation? Operating effectiveness helps management understand if, given a strong design, the system is operating as intended.
Efficiency captures the cost of the process or system — not simply the amount of money spent, but also the cost of human capital expended.
• Financial efficiency describes the total amount of financial capital required to execute a process.
• Human capital efficiency describes the type and level of individuals required to participate in the process. While human capital costs can be partially captured in purely financial terms, intangible opportunity costs must also be captured. In other words, if the program relies too heavily on senior executive time and focus, it may represent more than just the purely financial costs of salary, benefits and other overhead. An organization must also recognize the intangible costs of the loss of executive time and focus on other strategic objectives such as growth, profitability, talent retention and customer loyalty.
Responsiveness describes the system’s ability to operate quickly and flexibly in response to changing circumstances.
• Cycle time describes the total amount of time it takes to execute a process. Cycle time is extremely important in a few program processes. For example, it is critical to minimize the lag time from when a problem occurs to the time it is detected. The program should also minimize the lag time from when an issue is detected to the time it takes to respond. For other processes, it is difficult to define clear lag time rules. For example, it is difficult to say how long it should take to investigate a particular issue, because each issue will have its own facts and circumstances.
• Flexibility and adaptability describe the degree to which the system can integrate changes — including new requirements, such as a new law, rule or regulation, and/or new business units due to merger and acquisition activity. Those changes may be internal, as managers study the results of past performance evaluations and make needed alterations, or they may be external. New regulatory environments, changing market conditions or altered public perceptions and concerns require the organization to make adjustments. A responsive system adapts quickly to changes in the environment and develops a long-range perspective, foresees more distant changes and prepares for them.
Specific GRC Benefits When an organization integrates its approach to GRC by rationalizing its GRC processes and increasing employee awareness of them, it creates opportunities for increased value through:
• reduced cost, as redundant activities are identified and streamlined or eliminated;
• reduced need and cost for reconciling information across the organization;
• reduced gaps and errors, as the integration creates a holistic system of checks and balances;
• increased quality of risk-based information on which strategic and tactical decisions are based;
• enhanced employee motivation as contribution to achieving objectives becomes clear;
• trust resulting from consistent organizational positions and actions, from oversight through operations;
• agility driven by a clear delineation of who handles what activities in what sequence;
• more effective management of stakeholder expectations; and
• assurance that expectations and objectives are met.
Integrated GRC: A Pathway to Principled Performance Principled Performance really does matter. GRC has emerged because traditional siloed governance, risk and compliance approaches are not sufficient for new business realities. GRC is widely discussed because it is relevant in all industries and sectors, all over the world, and because it affects all functions in a modern enterprise. Executive leadership must drive the move to GRC with direct CEO sponsorship and Board oversight. Ultimately, the aim for greater accountability is to increase value for shareowners and other stakeholders. Principled Performance provides the means for organizations to forge stronger relationships between the Board, management and shareholders and stakeholders for a better-balanced governance system. And a well-designed GRC system offers a pathway to Principled Performance.
Key Roles and Accountability Who should drive integration? What should it look like? To realize a high-performing GRC system, several key players must be actively involved in the design, implementation, and management of the system.
The Role of the Board The Board has oversight of the system and ultimately is the primary beneficiary of it, since a strong GRC system enables the flow of accurate information necessary to effective governance.8 In most countries, the Board must be an active monitor for shareholder and stakeholder benefit. The Board must:
• direct the purpose and desired outcomes of the system;
• set a charter for its involvement in the system;
• vet business objectives and ensure they are congruent with values and risks;
• be knowledgeable about the design and operation of the system;
• obtain regular assurance that the system is effective;
• gain reasonable assurance that management’s representations are sound; and
• operate aspects of the system that require Board perspective and independence.
Some of those aspects are:
• overseeing senior management’s override of control activities;
• selecting, evaluating, compensating and terminating senior management; and
• addressing long-term issues that may exceed senior executive tenure.
To fulfill those responsibilities, the Board needs effective governance practices. Under US law, good governance is essential to directors’ meeting their duty of care, which they must exercise in good faith.
The Role of Management Management must undertake strategic planning and implementation of the GRC system. Taken as a whole, management must:
• design, implement and operate an effective system or some aspect of a system;
• provide regular assurance about the effectiveness of the system;
• communicate with key stakeholders about the effectiveness of the system; and
• evaluate and optimize the performance of the system.
The Role of Assurance Management should obtain and provide regular assurance about the effectiveness and performance of the GRC system. An independent review can open up a view of the system that reveals not only weaknesses in design or operation, but also opportunities for further integration and exchange of best practices from one area of the organization to another. For its part, the Board is required to obtain regular assurance about the effectiveness of the system and should use information developed independently of management to form impressions of the system’s effectiveness. Independent review is required; internal or external personnel can conduct independent reviews, but external personnel provide the highest level of independence. In either case, knowledge of GRC goals and systems is required to engage in a meaningful review. For purposes of reviewing a GRC system, internal personnel are “independent” if they are independent of the underlying activity on which they provide assurance. According to The Institute of Internal Auditors, independence and objectivity are two critical components of effective internal audit activity. Internal auditors are independent when they render impartial and unbiased judgment in the conduct of their engagement. External personnel, such as an outside auditor, are “independent” if certain professional standards of conduct are met. The American Institute of Certified Public Accountants requires a member’s relationship with a client to be analyzed to determine whether it poses an unacceptable risk to the member’s independence. Risk is unacceptable if the relationship would compromise, or would be perceived as compromising by an informed third party having knowledge of all relevant information, the member’s professional judgment when rendering an attestation service to the client.
8 “Board” as used in this document refers to the highest governing authority in the organization, which may be a board of directors, board of trustees or some other governing body of a business unit that provides oversight independent of management. In some countries, there are multiple tiers and types of boards. In this case, “Board” refers to that structure which represents shareholders or external stakeholders.
Those providing assurance (hereinafter assurance personnel), whether internal or external, should:
• provide assurance that risks are appropriately identified, evaluated, managed and monitored;
• provide regular assurance to the Board and management that the GRC system or some aspect of it is effectively designed to address identified risks and requirements in light of the organization’s culture and objectives; and
• provide regular assurance to the Board and management that the system or some aspect of it is effectively operating as designed.
The Anatomy of the GRC Capability Model To realize a high-performing GRC system, the GRC Capability Model™ — the Red Book — provides the key Components, Elements and Practices that every organization should implement and manage. Here are definitions of key terms used in the Red Book.
Components Components embody integrated Elements of a high-performing GRC system. They operate in a somewhat sequential manner; however, a user may begin to apply the Red Book at any one or more of the various Component points as a means of maturing its existing capability. All Components must operate constantly and consistently to realize a high-performing GRC system.
Universal System Outcomes Universal System Outcomes are the expected and measurable results of a high-performing GRC system.
Figure: the 8 Integrated Components (Culture & Context; Organize & Oversee; Assess & Align; Prevent & Promote; Detect & Discern; Respond & Resolve; Monitor & Measure; Inform & Integrate) and the 8 Universal Outcomes (Achieve Business Objectives; Enhance Organizational Culture; Increase Stakeholder Confidence; Prepare & Protect the Organization; Prevent, Detect & Reduce Adversity; Motivate & Inspire Desired Conduct; Improve Responsiveness & Efficiency; Optimize Economic & Social Value).
Elements Each Element embodies a number of related Practices in a high-performing GRC system. Each Element includes a discussion of Principles and Common Sources of Failure, as well as the Practices that support success. Each Element also includes a listing of the Key Deliverables and Technologies relevant to the Element, and in a custom report may include Related Requirements pulled from the OCEG Requirements Database.
Figure 1 – GRC Capability Model Elements View
Principles The Principles behind each Element provide the “essence,” at a high level, of what the Element should accomplish. The Principles reflect the consensus of the community of practice in light of its knowledge of both common requirements and practical experience across industries.
Common Sources of Failure The Common Sources of Failure behind each Element provide practical advice from the GRC community of practice on the most common oversights or actions that pose significant obstacles to achieving the desired outcomes of the Element. While they may overlap with Principles, they are not simply the opposite of the stated Principles.
Practices Practices are specific bundles of activity that together address the Principles described in the Element. Practice titles are succinct to communicate the essence of the Practice and are detailed by the Sub-practices identified within them.
Sub-Practices Sub-practices are key observable actions that, taken together, are hallmarks of an effective capability. While one organization may follow a 5-step process and another organization may follow a 20-step process to accomplish the same thing, the identified Sub-practices should be present in both. OCEG Sub-practices are generally accepted practices that help an organization effectively and efficiently address Principles and prevalent Related Requirements. Often, external mandates are not specific regarding business practices; rather, they articulate broad Principles that an organization must address. Sub-practices help an organization address those Principles.
Related Requirements Requirements are references to specific action items required by law or by another authority document external to OCEG such as standards, guidelines, or listing requirements. Requirements may be included in customized versions of the Red Book produced by use of the online custom reporting function available to OCEG Enterprise members (example set out in Appendix A). Related Requirements include the citation and a link to the text of each requirement, when available to OCEG.
Key Deliverables Deliverables are documents that an organization creates, uses, transforms or supersedes while executing the activities in the GRC Capability Model™. An organization may call a particular Deliverable by a different title, but the purpose of the Deliverables portion of the Model is not to dictate what things are called. The kinds of documents that will likely be used and their contents are described in Appendix B. Because a given Deliverable may be used in a number of Elements, each bears a reference number that is distinct from the numbering schema associated with other parts of the Model.
Technology Modules Technology Modules describe infrastructure, business applications and GRC specific applications that an organization could use to enable the Practices and Sub-practices within each Element. Each Technology Module is defined in OCEG’s GRC-IT Blueprint™ (which may be accessed through the custom search and reporting function by Enterprise members or in a downloadable print version by Premium members). The Modules are categorized within nine key Technology Arenas and within one of the following Technology Levels:
- Business Applications: fundamental applications and information management tools for organizational operation;
- GRC Core Applications: applications designed and implemented for governance, risk and compliance-specific purposes; or
- Infrastructure: foundation systems for all other information management components and applications.
Technology Modules represent the gamut of technologies useful to organizations, depending on the maturity of the entity’s capabilities. Because organizations vary in their preferences on technology approaches, OCEG intentionally avoids reflecting a “buy” versus “build” or “custom” versus “composite” bias in the Technology Modules. Often useful across many Practices, Technology Modules bear reference numbers distinct from the numbering schema associated with other parts of the Model.
Universal GRC System Outcomes Universal System Outcomes are the expected and observable results of a high-performing GRC system.
U1. Achieve Business Objectives Organizations exist to achieve their desired business objectives. Every GRC system must contribute to attaining those business objectives.
U2. Enhance Organizational Culture Inspire and promote an organizational culture of performance, accountability, integrity, trust, and open communication.
U3. Increase Stakeholder Confidence Increase stakeholder confidence and trust in the organization.
U4. Prepare and Protect Organization Prepare the organization to address risks and requirements; and protect the organization from negative consequences of adverse events, noncompliance, and unethical behavior.
U5. Prevent, Detect, and Reduce Adversity and Weaknesses Discourage, prevent, and provide consequences for misconduct; reduce the tangible and intangible damage caused by adverse events (both those that can be controlled and those that cannot such as natural disasters), noncompliance and unethical behavior and the likelihood of similar events happening in the future.
U6. Motivate and Inspire Desired Conduct Provide incentives and rewards for desirable conduct, especially in the face of challenging circumstances.
U7. Improve Responsiveness and Efficiency Continuously improve the responsiveness (timeliness and agility) and efficiency (speed and quality) of all GRC system activities while improving effectiveness (ability to meet objectives and requirements).
U8. Optimize Economic & Social Value Optimize the allocation of human and financial capital to GRC system activities to maximize the value generated, benefitting the organization and the society in which it operates.
Component Overview A GRC system is made up of integrated components that enable the organization to:
1. Understand and prioritize stakeholder expectations;
2. Optimize business objectives to be congruent with values and risks;
3. Achieve objectives while addressing risks;
4. Operate within legal, contractual, internal, social and ethical boundaries;
5. Provide relevant, reliable and timely information to appropriate stakeholders; and
6. Provide assurance that the system is effective.
CULTURE & CONTEXT (C) Understand the current culture and the internal and external business contexts in which the organization operates, so that the GRC system can address current realities – and identify opportunities to affect the context to be more congruent with desired organizational outcomes.
ORGANIZE & OVERSEE (O) Organize and oversee the GRC system so that it is integrated with, and when appropriate modifies, the existing operating model of the business, and assign to management specific responsibility, decision-making authority, and accountability to achieve system goals.
ASSESS & ALIGN (A) Assess risks and optimize the organizational risk profile with a portfolio of initiatives, tactics, and activities.
PREVENT & PROMOTE (P) Promote and motivate desirable conduct, and prevent undesirable events and activities, using a mix of controls and incentives.
DETECT & DISCERN (D) Detect actual and potential undesirable conduct, events, GRC system weaknesses, and stakeholder concerns using a broad network of information gathering and analysis techniques.
RESPOND & RESOLVE (R) Respond to and recover from noncompliance and unethical conduct events, or GRC system failures, so that the organization resolves each immediate issue and prevents or resolves similar issues more effectively and efficiently in the future.
MONITOR & MEASURE (M) Monitor, measure and modify the GRC system on a periodic and ongoing basis to ensure it contributes to business objectives while being effective, efficient and responsive to the changing environment.
INFORM & INTEGRATE (I) Capture, document and manage GRC information so that it efficiently and accurately flows up, down and across the extended enterprise, and to external stakeholders.
How to Read the GRC Capability Model Report (1) Component Pages Component pages identify Elements of a high performing GRC capability.
Figure: annotated sample Component page. Callouts: Component Name; Component Description; Element within the Component; Practice within the Element. The sample shows the CULTURE & CONTEXT Component (description: Understand the current culture and the internal and external business contexts in which the organization operates, so that the GRC system can address current realities – and identify opportunities to affect the context to be more congruent with desired organizational outcomes) with its Elements and Practices:
C1 External Business Context: C1.1 Define the External Business Context; C1.2 Analyze External Stakeholder and Influencer Needs
C2 Internal Business Context: C2.1 Define the Internal Context; C2.2 Determine Changes Needed to Align the Internal Context and GRC System
C3 Culture: C3.1 Analyze Ethical Culture; C3.2 Analyze Ethical Leadership; C3.3 Analyze Risk Culture; C3.4 Analyze Board and Governance Culture; C3.5 Analyze Management Style; C3.6 Analyze Workforce Engagement
C4 Values & Objectives: C4.1 Define Mission & Vision; C4.2 Define Values; C4.3 Define Business Objectives; C4.4 Define Indicators, Targets and Tolerances; C4.5 Obtain Commitment to Mission, Vision, Values and Objectives; C4.6 Communicate Mission, Vision and Values
How to Read the GRC Capability Model Report (2) Element Pages Element pages identify key Principles, Sources of Failure, Practices and technologies that should be addressed to establish and continuously improve GRC capability.
Figure: annotated sample Element page, showing C1 EXTERNAL BUSINESS CONTEXT. Callouts: Element name; Element description; Principles (beliefs that underlie the Element and represent at a high level what its Practices should accomplish); Common Sources of Failure (the most common oversights or actions that pose significant obstacles to achieving the desired outcomes of the Element); Practices (bundles of activity that together address the Principles described in the Element); Technology Applications or Infrastructure (a logical grouping of technology types by a general description); Enabling Technology Components (infrastructure, applications and information services that an organization could use to enable the Practices and Sub-practices within each Element).
Element description: Understand and, when necessary, influence the external business context in which the organization operates.
Principles
01 Understanding the ever-changing external context is critical to designing a GRC system that is resilient to change and can evolve with it.
02 Some aspects of the external context will change despite the organization’s best efforts to maintain the status quo.
03 Certain aspects of external context can, and in some cases should, be influenced by the organization.
04 The organization should recognize that there are external influencers, such as the media or community groups, who can shape stakeholder opinion.
Common Sources Of Failure
01 Not considering changes in the external context, including industry, market and geopolitical forces
02 Not understanding external stakeholder needs and requirements
03 Not understanding how changes in the external context can affect GRC system design and performance
04 Not identifying the requirements to satisfy all external stakeholders
Practices
C1.1 Define the External Business Context
C1.2 Analyze External Stakeholder and Influencer Needs
Enabling Technology Components
Business Applications: Collaboration/Knowledge Management, Contact/Customer Relationship Management (CRM)
GRC Core Applications: Corporate Social Responsibility (CSR), News Feeds (GRC Content)
How to Read the GRC Capability Model Report (3) Practice Pages
Figure: annotated sample Practice page. Callouts: Practice Name; Practice Description; Sub-practice.
C1 EXTERNAL BUSINESS CONTEXT
C1.1 DEFINE THE EXTERNAL BUSINESS CONTEXT Identify the relevant external business context factors.
Sub-Practices
01 Identify factors in the external business context that can affect the organization’s ability to meet its objectives, including:
• industry forces (competitors, supply chain, labor markets, etc.);
• market forces (customer demographics, economic conditions, etc.);
• technology forces (technological shifts and breakthroughs, etc.);
• societal forces (community needs, media trends, etc.);
• regulatory environment; and
• geopolitical forces (current enforcement posture, etc.).
02 Identify reasons and opportunities to influence the external context.
GRC Capability Model™ Version 2.0
Model Index
C Culture & Context ... 1
C1 External Business Context ... 3
C2 Internal Business Context ... 6
C3 Culture ... 2
C4 Values & Objectives ... 18
O Organize & Oversee ... 22
O1 Outcomes & Commitment ... 24
O2 Roles & Responsibilities ... 28
O3 Approach & Accountability ... 35
A Assess & Align ... 39
A1 Risk Identification ... 41
A2 Risk Analysis ... 49
A3 Risk Optimization ... 55
P Prevent & Promote ... 61
P1 Codes of Conduct ... 62
P2 Policies ... 68
P3 Preventive Controls ... 73
P4 Awareness & Education ... 79
P5 Human Capital Incentives ... 87
P6 Risk Financing/Insurance ... 93
P7 Stakeholder Relations & Requirements ... 98
D Detect & Discern ... 104
D1 Hotline & Notification ... 106
D2 Inquiry & Survey ... 111
D3 Detective Controls ... 116
R Respond & Resolve ... 123
R1 Internal Review & Investigation ... 126
R2 Third-Party Inquiries & Investigations ... 132
R3 Corrective Controls ... 139
R4 Crisis Response, Continuity and Recovery ... 144
R5 Remediation & Discipline ... 149
M Monitor & Measure ... 153
M1 Context Monitoring ... 154
M2 Performance Monitoring & Evaluation ... 158
M3 Systemic Improvement ... 163
M4 Assurance ... 168
I Inform & Integrate ... 170
I1 Information Management & Documentation ... 171
I2 Internal & External Communication ... 177
I3 Technology & Infrastructure ... 181
APPENDIX A - Custom Reporting Example ... 186
APPENDIX B - Deliverables ... 187
APPENDIX C - Technology Components ... 193
This is not legal or professional advice. Please contact a professional regarding your specific needs.
driving principled performance ® © 2003 - 2009 OPEN COMPLIANCE & ETHICS GROUP
C CULTURE & CONTEXT
Understand the internal and external business contexts and current culture in which the organization operates, so that the GRC system can address current realities - and identify opportunities to adapt the context and culture, and to define the organization's values, to better achieve desired outcomes.
C1 External Business Context
C1.1 Define the External Business Context
C1.2 Analyze External Stakeholder and Influencer Needs
C2 Internal Business Context
C2.1 Define the Internal Context
C2.2 Determine Changes Needed to Align the Internal Context and GRC System
C3 Culture
C3.1 Analyze Ethical Culture
C3.2 Analyze Ethical Leadership
C3.3 Analyze Risk Culture
C3.4 Analyze Board Involvement
C3.5 Analyze Governance Culture and Management Style
C3.6 Analyze Workforce Engagement
C4 Values & Objectives
C4.1 Define Mission & Vision
C4.2 Define Values
C4.3 Define Business Objectives
C4.4 Define Indicators, Targets and Tolerances
C4.5 Obtain Commitment to Mission, Vision, Values and Objectives
C4.6 Communicate Mission, Vision and Values
C1 EXTERNAL BUSINESS CONTEXT
Understand and, when necessary, influence the external business context in which the organization operates.
Principles
01 Understanding the ever-changing external context is critical to designing a GRC system that is resilient to change and can evolve with it.
02 Some aspects of the external context will change despite the organization’s best efforts to maintain the status quo.
03 Certain aspects of external context can, and in some cases should, be influenced by the organization.
04 The organization should recognize that there are external influencers, such as the media or community groups, who can shape stakeholder opinion.
Common Sources Of Failure
01 Not considering changes in the external context, including industry, market and geopolitical forces
02 Not understanding external stakeholder needs and requirements
03 Not understanding how changes in the external context can affect GRC system design and performance
04 Not identifying the requirements to satisfy all external stakeholders
05 Not understanding the organization's weakness in its ability to effectively and efficiently react to external factors
Guidelines and Practices
C1.1 Define the External Business Context
C1.2 Analyze External Stakeholder and Influencer Needs
Enabling Technology Components
Technology Arenas: Corporate Governance (CG)
Business Applications: Brand & Reputation Management (BRM), Collaboration/Knowledge Management (KM), Contact/Customer Relationship Management (CRM), Intellectual Property (IP) Management
GRC Core Applications: Corporate Compliance (CC), Corporate Social Responsibility (CSR), Employment Compliance Management (EC), Environmental, Health & Safety (EH&S) Management, Geo-Political Risk (GPR) Management, Global Trade Compliance (GTC)/International Dealings, Legal Matter Management (LMM), News Feeds (GRC Intelligence), Operational Risk Management (ORM)
Infrastructure: Identity and Access Management (IAM)
C1 EXTERNAL BUSINESS CONTEXT
C1.1 DEFINE THE EXTERNAL BUSINESS CONTEXT Identify the relevant external business context factors.
Core Sub-practices
C1.1.01 Identify factors in the external business context that can affect the organization’s ability to meet its objectives, including:
• industry forces (competitors, supply chain, labor markets, etc.);
• market forces (customer demographics, economic conditions, etc.);
• technology forces (technological shifts and breakthroughs, etc.);
• societal forces (community needs, media trends, etc.);
• regulatory environment; and
• geopolitical forces (current enforcement posture, etc.).
C1.1.02 Identify reasons and opportunities to influence the external context.
C1 EXTERNAL BUSINESS CONTEXT
C1.2 ANALYZE EXTERNAL STAKEHOLDER AND INFLUENCER NEEDS Identify key external stakeholders, and influencers of opinion, and analyze and prioritize their needs and requirements.
Core Sub-practices
C1.2.01 Identify key external stakeholders and influencers, including:
• shareholders;
• ratings agencies;
• creditors and other underwriters;
• customers;
• suppliers / partners;
• community;
• media; and
• government.
C1.2.02 Analyze external stakeholder and influencer needs and perceptions for explicit or derived requirements.
C1.2.03 Identify opportunities where the organization can affect stakeholder and influencer perceptions and requirements.
C2 INTERNAL BUSINESS CONTEXT
Understand the existing people, processes, technology, organizational structure, stakeholders and key assets that drive organizational value.
Principles
01 Internal context analysis should focus on key aspects that drive organizational value.
02 The organization should design a GRC system that aligns with the internal context.
03 The organization should use the GRC system to identify and change certain aspects of the internal context to better support organizational objectives.
04 Some aspects of the internal context will change despite the organization’s best efforts to maintain the status quo, thus the GRC system must identify triggers that will require or cause it to evolve.
Common Sources Of Failure
01 Not considering the internal context and existing operating model when designing the GRC system, thus designing a system that stands apart from mainline operations
02 Not understanding how changes in the internal context add, change or remove risks that the GRC system must address
03 Not understanding internal stakeholders' needs
Guidelines and Practices
C2.1 Define the Internal Context
C2.2 Determine Changes Needed to Align the Internal Context and GRC System
Enabling Technology Components
Technology Arenas: Business Intelligence (BI), Business Process Management (BPM), Corporate Governance (CG), Enterprise Resource Management (ER), Human Resources Management (HRM)
Business Applications: Collaboration/Knowledge Management (KM), Enterprise Asset Management (EAM), Intellectual Property (IP) Management, Legal Entity Management (LEM)
GRC Core Applications: Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Ethical Practices/Corporate Integrity (ECI), Geo-Political Risk (GPR) Management, Global Trade Compliance (GTC)/International Dealings, Information Technology Risk & Compliance (ITRC) Management, Legal Matter Management (LMM), News Feeds (GRC Intelligence), Operational Risk Management (ORM)
Infrastructure: Business Continuity Management (BCM), Configuration and Change Management (CCM), Enterprise Architecture Standards (EAS), Identity and Access Management (IAM), Retention & Storage Management (RSM)
C2 INTERNAL BUSINESS CONTEXT
C2.1 DEFINE THE INTERNAL CONTEXT Identify the key structures and assets that define the Internal Context.
Core Sub-practices
C2.1.01 Identify the organizational structure:
• key business units,
• key departments,
• key job families and roles, and
• temporary and cross functional teams.
C2.1.02 Identify key human capital assets:
• job families, positions, roles and temporary assignments that have substantial authority over key processes, information and assets,
• contract employees and any other agents who act on behalf of the entity, and
• key personnel including senior executives and other key employees.
C2.1.03 Identify key technology assets:
• networking infrastructure,
• computer hardware / software,
• research equipment, and
• other operational equipment.
C2.1.04 Identify key information assets:
• confidential and trade secret data,
• customer data, and
• employee data.
C2.1.05 Identify key physical assets:
• buildings,
• facilities, and
• operational equipment.
C2.1.06 Identify key business processes:
• financial,
• sales and marketing,
• manufacturing,
• supply,
• distribution and fulfillment,
• customer service,
• research and development, and
• employment.
C2.1.07 Identify key products and services.
C2.1.08 Identify the interrelationships between and among elements of the structure, people, processes, technology, information and physical assets to understand how the resources work together to accomplish objectives.
C2 INTERNAL BUSINESS CONTEXT
C2.2 DETERMINE CHANGES NEEDED TO ALIGN THE INTERNAL CONTEXT AND GRC SYSTEM
Identify possible changes to the internal context that may affect design aspects of the GRC system or ensure alignment.
Core Sub-practices
C2.2.01 Determine what aspects of the internal context can, and should be, changed to enable the GRC system to support organizational objectives.
C2.2.02 Determine how the GRC system design will align with the structure of the internal context.
C2.2.03 Identify triggers for consideration of changes in the GRC system, in response to changes in the internal context.
C3 CULTURE
Understand the existing culture including the organizational climate and individual mindsets about integrity, compliance, risk, and approach to management.
Principles
01 Leadership must set the tone at the top and provide consistent and repeated commitment to integrity in both words and deeds.
02 Individuals must be convinced that leadership is genuine about its commitment to values or they will not have any regard for the established values.
03 The GRC system can, and in some instances should, change certain aspects of the culture.
04 Some aspects of the culture will change despite the organization’s best efforts to maintain the status quo, thus the GRC system must have triggers that will tell it when to evolve to respond to cultural changes.
Common Sources Of Failure
01 Not considering the culture of the organization as it exists before change is attempted
02 Not realizing that there are often multiple “sub cultures” and different approaches to risk, communication, and value attributed to acting with integrity in different geographic or functional locations of the organization
03 Not recognizing that cultural change may be very difficult and requires continuous example by leadership.
Guidelines and Practices
C3.1 Analyze Ethical Culture
C3.2 Analyze Ethical Leadership
C3.3 Analyze Risk Culture
C3.4 Analyze Board Involvement
C3.5 Analyze Governance Culture and Management Style
C3.6 Analyze Workforce Engagement
Key Deliverables
Plans
GRC Strategic Plan
Enabling Technology Components
Technology Arenas
Corporate Governance (CG), Enterprise Risk Management (ERM), Human Resources Management (HRM)
Business Applications
Board Management (BM), Collaboration/Knowledge Management (KM), Corporate Performance Management (CPM), Employee Evaluations & Surveys (EES), Policy & Procedure Management (P&P)
GRC Core Applications
Corporate Social Responsibility (CSR), Ethical Practices/Corporate Integrity (ECI), Global Trade Compliance (GTC)/International Dealings
C3 CULTURE
C3.1 ANALYZE ETHICAL CULTURE
Analyze the existing climate (observable, formal elements in the organization) and individual mindsets about the degree to which the workforce believes the organization expects and supports responsible behavior and integrity.
Core Sub-practices
C3.1.01 Periodically ask a sufficient sample of employees to assess the ethical climate, including questions about:
• perceptions about stated values/principles and organizational support for them,
• clarity of procedures by which potential issues can be raised, discussed and reported without fear of retaliation,
• how leaders and supervisors are demonstrating ethical fortitude and business acumen,
• misconduct observed by employees,
• types of misconduct observed,
• pressure to engage in unethical conduct or perceived rewards for unethical conduct,
• willingness of employees to report misconduct,
• satisfaction with organizational response to reports of misconduct, and
• when and how leaders and supervisors discuss expected behavior and integrity.
C3.1.02 Identify how the organization discusses the following through multiple avenues of communication:
• the importance of integrity, values and principles in decision-making,
• the importance of asking questions and raising issues when concerns exist,
• how to report incidents and ask questions,
• assurance that incidents will receive a timely response,
• assurance that reporting incidents will not result in any retaliation,
• a commitment to anonymous reporting options, and
• an approach to ethical decision-making.
C3.1.03 Define ethical climate objectives, measures, targets and initiatives for inclusion in the GRC system strategic plan.
C3 CULTURE
C3.2 ANALYZE ETHICAL LEADERSHIP
Analyze whether leadership sets an appropriate "tone at the top" and models behavior in both words and deeds.
Core Sub-practices
C3.2.01 Periodically ask a sufficient sample of the workforce to understand perceptions about whether the leadership:
• communicates ethical conduct and integrity as a priority,
• models ethical conduct,
• ensures internal stakeholders are properly trained about ethics and make it a priority,
• links ethics to organizational performance metrics,
• makes ethical decisions, and
• talks about how ethics or integrity relate to organizational objectives, initiatives, and success.
C3.2.02 Determine if ethical conduct and integrity are considered when evaluating, promoting and selecting leaders.
C3.2.03 Determine if potential and newly-promoted leaders are trained about:
• ethical decision-making,
• how ethics tie in with organizational objectives, and
• how to communicate the impact of ethics on organizational performance.
C3.2.04 Compare ethical leadership objectives, measures, targets and initiatives against results achieved.
C3 CULTURE
C3.3 ANALYZE RISK CULTURE
Analyze the existing climate and individual mindsets about how the workforce perceives risk, its impact on their work and the organization as a whole.
Core Sub-practices
C3.3.01 Periodically ask a sufficient sample of the workforce to assess the risk culture, including:
• whether leadership communicates risk appetite,
• whether leadership models appropriate risk-taking conduct,
• whether individuals encounter risk on the job and what types of risk, and
• whether individuals are prepared to handle risks that they face.
C3.3.02 Define desired state of risk climate / perceptions indicators.
C3.3.03 Define risk climate objectives, measures, targets and initiatives for inclusion in the GRC system strategic plan.
C3 CULTURE
C3.4 ANALYZE BOARD INVOLVEMENT
Analyze the degree to which the Board is involved and engaged in the organization.
Core Sub-practices
C3.4.01 Ask the Board:
• Do you feel comfortable raising issues?
• Do you feel comfortable challenging management?
• Do your suggestions get thoughtful consideration?
• How involved are you in strategy setting and/or vetting?
• Is the Board effective?
C3.4.02 Ask management:
• Is the Board effective?
• Are Board members engaged?
• Do they impact the business?
C3.4.03 Analyze Board involvement:
• passive vs. active,
• number of meetings per year,
• frequency of meeting without one or more officers,
• extent of independent resources supplied by or made available to Board members, and
• degree of cross-board involvement among board members (to what extent do board members serve on multiple boards together).
C3 CULTURE
C3.5 ANALYZE GOVERNANCE CULTURE AND MANAGEMENT STYLE
Analyze the existing approach to governing, managing and enabling the workforce.
Core Sub-practices
C3.5.01 Identify where management decision-making authority is delegated.
C3.5.02 Determine how accountability and responsibility are assigned and enforced.
C3.5.03 Understand how the Board is involved in managing the organization, if at all.
C3.5.04 Understand the relative level of formality or informality of management.
C3.5.05 Understand the philosophy around centralized or decentralized decision-making.
C3.5.06 Understand the philosophy around enterprise, group, and individual measurement: resistance to measurement; prevalence of measurement; preferences in types of measures (activities versus outcomes); what is reported (positive, negative, both); outcomes of measurement (reward focused, consequence focused, balanced).
C3 CULTURE
C3.6 ANALYZE WORKFORCE ENGAGEMENT
Analyze the existing workforce culture including the degree of employee satisfaction, loyalty and engagement.
Core Sub-practices
C3.6.01 Assess workforce views on alignment of personal values with organizational mission and values.
C3.6.02 Ask a sample of the workforce about satisfaction with:
• compensation,
• responsibility,
• career opportunities,
• co-workers,
• supervisors,
• senior management, and
• staff.
C3.6.03 Ask a sample of the workforce about:
• level of commitment to the organization,
• engagement,
• loyalty, and
• willingness to recommend the employer to friends.
C3.6.04 Ask a sample of the workforce about their perceptions of:
• management's commitment to competence,
• hiring policies/practices,
• training policies/practices,
• measurement policies/practices,
• performance evaluation policies/practices,
• promotion policies/practices,
• mentoring/career path coaching,
• compensation policies/practices, and
• reward/discipline policies/practices.
C3.6.05 Periodically ask management about its commitment to the workforce including views on:
• commitment to competence,
• hiring policies/practices,
• training policies/practices,
• performance evaluation policies/practices,
• promotion policies/practices,
• mentoring/career path coaching,
• compensation policies/practices,
• reward/discipline policies/practices,
• roles/jobs and career paths, and
• termination/retirement practices.
C4 VALUES & OBJECTIVES
Define what the organization wants to achieve and the values for which it stands.
Principles
01 Absent a leadership-supported, clearly and regularly articulated mission, vision and values, the organization will operate on the values defined, ad hoc, by work groups or individuals according to their own beliefs and interests.
02 Values will vary for every organization; that said, values must include adherence to legal mandates and general principles of integrity and ethical conduct.
03 Whether the organization authorizes the Board or management, with Board approval, to set objectives, the Board must oversee management's continual efforts to meet the established objectives.
04 Align objectives to stated values.
Common Sources Of Failure
01 Lack of continual and consistent follow through to ensure behavior meets the intent of stated objectives and values
02 Leadership not serving as role models, or worse yet, allowing leadership to act contrary to the stated values without consequence
03 Not enunciating the organization’s values to all stakeholders, repeatedly and from all levels of leadership
04 Not addressing values and commitment to character ethics when setting and articulating measurable business objectives
05 Not including contributions to meeting business objectives in performance evaluation
Guidelines and Practices
C4.1 Define Mission & Vision
C4.2 Define Values
C4.3 Define Business Objectives
C4.4 Define Indicators, Targets and Tolerances
C4.5 Obtain Commitment to Mission, Vision, Values and Objectives
C4.6 Communicate Mission, Vision and Values
Key Deliverables
Statements of Position
Mission/Vision/Values Statement, Statement of Organizational Objectives
Enabling Technology Components
Technology Arenas
Business Intelligence (BI), Corporate Governance (CG), Enterprise Content Management (ECM)
Business Applications
Board Management (BM), Brand & Reputation Management (BRM), Corporate Performance Management (CPM)
GRC Core Applications
Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management
C4 VALUES & OBJECTIVES
C4.1 DEFINE MISSION & VISION
Create a formal statement of the organization’s mission and vision.
Core Sub-practices
C4.1.01 Define the mission, what the organization will do.
C4.1.02 Define the vision, what the organization will be.
C4 VALUES & OBJECTIVES
C4.2 DEFINE VALUES
Create a formal statement of the core values that the organization holds and applies to its business decisions.
Core Sub-practices
C4.2.01 Involve the Board or a designated subcommittee of the Board and appropriate internal stakeholders in the values development process.
C4.2.02 Document the statement of values either separately or as part of another document such as a charter or code of conduct.
C4.2.03 Make the statement of values available to internal stakeholders.
C4.2.04 Make the statement of values available to external stakeholders.
C4.2.05 Periodically review the statement of values to consider revisions based upon internal and external business, management, legal or cultural context changes.
C4.2.06 Define a procedure and trigger to revisit the statement of values when merging with or acquiring a new entity.
C4 VALUES & OBJECTIVES
C4.3 DEFINE BUSINESS OBJECTIVES
Define a balanced set of measurable business objectives that are congruent with mission, vision and values.
Core Sub-practices
C4.3.01 Define high-level business objectives to be congruent with values and risks, including:
• strategic objectives,
• financial objectives,
• customer objectives,
• operational process objectives,
• learning and growth objectives,
• compliance objectives, and
• reporting objectives.
C4.3.02 Cascade high-level business objectives to lower levels in the organization including business units, departments, teams and individuals.
C4.3.03 Assign accountability for achieving business objectives at each of the levels.
C4 VALUES & OBJECTIVES
C4.4 DEFINE INDICATORS, TARGETS AND TOLERANCES
Define a balanced set of leading and lagging indicators that help management understand if the organization is meeting its business objective targets within defined tolerances.
Core Sub-practices
C4.4.01 Use indicators (leading and lagging) to help determine what has happened or predict what will happen.
C4.4.02 Establish targets that represent the desired indicator value within a particular timeframe.
C4.4.03 Determine tolerances that represent acceptable upper and lower thresholds of indicator value.
C4 VALUES & OBJECTIVES
C4.5 OBTAIN COMMITMENT TO MISSION, VISION, VALUES AND OBJECTIVES
Obtain commitment from management and Board members about what the organization will achieve while living by its values.
Core Sub-practices
C4.5.01 Obtain senior management and Board member commitment to the mission, vision, values.
C4.5.02 Obtain senior management and Board member commitment to objectives.
C4 VALUES & OBJECTIVES
C4.6 COMMUNICATE MISSION, VISION AND VALUES
Communicate the mission, vision and values to internal and external stakeholders.
Core Sub-practices
C4.6.01 Develop a template for communicating the organization’s mission, vision and values, so that there is consistency in each formal communication.
C4.6.02 Communicate the mission, vision and values of the organization to management and workforce informally and frequently, at meetings and in presentations by leadership.
C4.6.03 Communicate mission, vision and values to internal and external stakeholders formally through:
• the code of conduct,
• the entity's website,
• reports and communications to shareholders & other stakeholders, and
• workplace postings.
C4.6.04 Discuss how each group's, department's, business unit's or function's outcomes support achieving the organization's mission, vision, values, and objectives.
O ORGANIZE & OVERSEE
Organize and oversee the GRC system so that it is integrated with, and when appropriate modifies, the existing operating model of the business and assign to management specific responsibility, decision-making authority, and accountability to achieve system goals.
O1 Outcomes & Commitment
O1.1 Define GRC System Scope
O1.2 Define GRC System Style and Goals
O1.3 Obtain Commitment to the GRC System
O2 Roles & Responsibilities
O2.1 Define and Enable GRC System Oversight Roles and Accountability
O2.2 Define and Enable Management Roles and Accountability
O2.3 Define and Enable Leadership Roles and Accountability
O2.4 Define and Enable GRC System Operational Roles
O2.5 Define and Enable Assurance Roles and Accountability (chief audit executive, external auditor)
O3 Approach & Accountability
O3.1 Allocate Accountability to Individuals and Committees
O3.2 Define GRC System Processes and Integrate with Business Processes
O3.3 Define Measurement and Evaluation Approach
O3.4 Define Organizational Change Management Approach
O3.5 Develop, Maintain and Authorize a Business Case
O1 OUTCOMES & COMMITMENT
Define the goals of the GRC system and obtain Board and management commitment.
Principles
O1 O1 Outcomes & Commitment O2 Roles & Responsibilities O3 Approach & Accountability
This is not legal or professional advice. driving principled 01 The Board is responsible for establishing the purpose and goals of the GRC system. Please contact a professional regarding performance ® 23 02 Both the Board and management must be committed to the purpose of the GRC system, and lead by example. © 2003 - 2009 OPEN COMPLIANCE & ETHICS GROUP your specific needs. 03 The GRC system is only successful if it contributes to business objectives. LICENSED TO CDUCU ON TUESDAY, APRIL 28, 2009. SINGLE USER LICENSE GRANTED.
O3.5 Develop, Maintain and Authorize a Business Case
O1 OUTCOMES & COMMITMENT
Define the goals of the GRC system and obtain Board and management commitment.
Principles
O1 O1 Outcomes & Commitment O2 Roles & Responsibilities O3 Approach & Accountability
01 The Board is responsible for establishing the purpose and goals of the GRC system. 02 Both the Board and management must be committed to the purpose of the GRC system, and lead by example. 03 The GRC system is only successful if it contributes to business objectives.
Common Sources Of Failure
01 Not establishing GRC system objectives and a charter that are aligned to the organization’s enterprise objectives
02 Not obtaining key senior leadership support for the program
03 Defining the GRC system as an internal enforcement agency or police department
Guidelines and Practices (Red Book 2.0 - GRC Capability Model)
O1.1 Define GRC System Scope
O1.2 Define GRC System Style and Goals
O1.3 Obtain Commitment to the GRC System
Key Deliverables
Authorizations: Internal Authorization, GRC System Charter
Plans: GRC Strategic Plan
Enabling Technology Components
Technology Arenas: Corporate Governance (CG)
Business Applications: Board Management (BM), Brand & Reputation Management (BRM), Collaboration/Knowledge Management (KM), Corporate Performance Management (CPM), Dashboards (GRC Workflow), Documents & Records Management (DRM)
GRC Core Applications: Accountability/Responsibility Management (ARM), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Geo-Political Risk (GPR) Management, Reporting/eFiling (REF)
O1 OUTCOMES & COMMITMENT
O1.1 DEFINE GRC SYSTEM SCOPE
Define the scope of the GRC system or subsystem under consideration.
Core Sub-practices
O1.1.01 Determine whether to define and implement the GRC system enterprise-wide or whether to address it in stages by addressing portions such as:
• broad risk area (compliance program, financial risk program, etc.), or
• narrow risk area (internal control over financial reporting, employment compliance, fraud risk management).
O1.1.02 If using a staged approach, prioritize and coordinate development projects to ensure integration capability.
O1 OUTCOMES & COMMITMENT
O1.2 DEFINE GRC SYSTEM STYLE AND GOALS
Define the overall style of the GRC system, what it will achieve, and how it relates to business objectives.
Core Sub-practices
O1.2.01 Define the mission and vision of the GRC system as a starting point for the GRC Strategic Plan.
O1.2.02 Define the general approach to the GRC system:
• enforcing or encouraging approach,
• directive or collaborative philosophy.
O1.2.03 Define measurable GRC system goals, indicators, thresholds and tolerances for inclusion in the GRC strategic plan that support the following universal objectives:
• enhance organizational culture,
• increase stakeholder confidence,
• prepare and protect organization,
• prevent, detect, and reduce adversity,
• motivate and inspire desired conduct,
• improve responsiveness and efficiency, and
• optimize economic and social value.
O1.2.04 Assign accountability for each GRC system goal, including such in delegation of authority documents where appropriate.
O1.2.05 Describe how GRC system goals support business objectives.
O1 OUTCOMES & COMMITMENT
O1.3 OBTAIN COMMITMENT TO THE GRC SYSTEM
Obtain explicit written authorization and high-level support for the GRC system.
Core Sub-practices
O1.3.01 Obtain commitment and authorization from the Board.
O1.3.02 Obtain commitment from senior management to support the GRC system.
O2 ROLES & RESPONSIBILITIES
Define, and enable through decision-making authority and resources, each role accountable for key aspects of the GRC system.
Principles
01 The GRC system should be directed, designed, operated, and evaluated by a mix of the Board, management, and individuals independent of management.
02 The organization should screen individuals serving in GRC roles for prior misconduct.
03 Individuals serving in GRC roles should receive specialized training in GRC Fundamentals.
04 Leaders and champions can help to facilitate adoption and acceptance of the GRC system.
05 Leaders and champions should be from many levels in the organization, not just senior executives.
Common Sources Of Failure
01 Not defining key roles, responsibilities, expectations or authorities
02 Not grooming leaders for GRC system responsibilities
03 Assigning accountability or responsibility for GRC to an individual who is unqualified or lacks requisite authority
Guidelines and Practices
O2.1 Define and Enable GRC System Oversight Roles and Accountability
O2.2 Define and Enable Management Roles and Accountability
O2.3 Define and Enable Leadership Roles and Accountability
O2.4 Define and Enable GRC System Operational Roles
O2.5 Define and Enable Assurance Roles and Accountability (chief audit executive, external auditor)
Key Deliverables
Descriptions: Role / Job Descriptions
Plans: Specialized GRC Curriculum Plan
Enabling Technology Components
Technology Arenas: Corporate Governance (CG), Enterprise Content Management (ECM), Enterprise Resource Management (ER), Human Resources Management (HRM)
Business Applications: Board Management (BM), Business Activity Monitoring (BAM), Collaboration/Knowledge Management (KM), Documents & Records Management (DRM), Employee Evaluations & Surveys (EES), Learning & Training Management (LTM)
GRC Core Applications: Accountability/Responsibility Management (ARM), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Ethical Practices/Corporate Integrity (ECI), Global Trade Compliance (GTC)/International Dealings, Legal Matter Management (LMM), Operational Risk Management (ORM), Reporting/eFiling (REF), Risk Analytics (RA)
Infrastructure: Enterprise Architecture Standards (EAS), Identity and Access Management (IAM), Physical Security (PS), Retention & Storage Management (RSM)
O2 ROLES & RESPONSIBILITIES
O2.1 DEFINE AND ENABLE GRC SYSTEM OVERSIGHT ROLES AND ACCOUNTABILITY
Define oversight roles, responsibilities and accountability for each aspect of the GRC system.
Core Sub-practices
O2.1.01 Define critical attributes of oversight structures (e.g. the board) and personnel (e.g. board members), including:
• independence from management,
• objectivity in analysis,
• integrity and ethical conduct,
• diligence,
• adequate competence to conduct assigned activities including generally accepted professional credentials consistent with role,
• transparency of practices and activities, and
• periodic additions of new oversight structure members to ensure new perspectives.
O2.1.02 Define general oversight responsibilities for:
• directing and authorizing the purpose and expected GRC system outcomes,
• setting a charter for board (and other oversight structure) involvement in the system,
• being knowledgeable about the design and operation of the system,
• obtaining regular assurance that the system is effective, and
• providing reasonable assurance that management’s representations about the organization and the system are sound using information developed independent of management.
O2.1.03 Define responsibility for operating aspects of the GRC system that require board perspective and independence including:
• vetting and guiding desired system outcomes to be congruent with business objectives,
• establishing risk management oversight by the board or a designated committee, which includes approval and periodic review of risk management processes,
• establishing risk appetite and tolerances and regularly reviewing risk reports to ensure conformance with such established levels,
• independently assessing, or vetting the assessment of, and monitoring of highest priority risks,
• requiring management to identify, assess and address risks as part of any significant change proposal,
• requiring internal or external auditor assessment of the effectiveness and performance of risk management and compliance processes,
• monitoring any control activities conducted by senior management,
• monitoring senior management’s override of control activities,
• providing waiver of system requirements in defined circumstances,
• selecting, evaluating, compensating and terminating senior management, and
• addressing long-term issues that may exceed senior executive tenure.
O2.1.04 Define specific GRC responsibilities of Board members and committees.
O2.1.05 Define job descriptions and performance evaluation criteria for oversight personnel.
O2.1.06 Check background of personnel hired or promoted into oversight roles.
O2.1.07 Define and deliver a specialized curriculum plan for oversight personnel that includes relevant portions of OCEG GRC Fundamentals course.
O2.1.08 Ensure that oversight personnel obtain and maintain professional credentials relevant to their GRC roles.
O2 ROLES & RESPONSIBILITIES
O2.2 DEFINE AND ENABLE MANAGEMENT ROLES AND ACCOUNTABILITY
Define management roles, responsibilities and accountability for certain aspects of the GRC system.
Core Sub-practices
O2.2.01 Define responsibility for operating aspects of the GRC system that require Board perspective and independence including:
• vetting and guiding business objectives to be congruent with desired system outcomes,
• independently assessing, or vetting the assessment of, and monitoring highest priority risks,
• monitoring any control activities conducted by senior management,
• monitoring senior management’s override of control activities,
• providing waiver of system requirements in defined circumstances,
• selecting, evaluating, compensating and terminating senior management, and
• addressing long-term issues that may exceed senior executive tenure.
O2.2.02 Define specific GRC responsibilities for management roles, including:
• Chief Executive Officer is responsible for supporting or leading the implementation of the GRC system,
• Chief Financial Officer is responsible for authorizing and overseeing resource allocation and budgets, and participating in risk assessment process,
• Chief Risk Officer is responsible for developing the risk optimization framework and aggregating and analyzing risk at the enterprise level,
• Chief Compliance Officer is responsible for leading the compliance risk assessment process, overseeing design and implementation of a compliance program intended to prevent, detect and correct legal noncompliance,
• Chief Ethics Officer is responsible for assessing and enhancing ethical culture through training, communication and other controls (this is often combined with the chief compliance officer),
• Chief Legal Officer is responsible for leading the legal risk assessment process, approving policies and controls to assure compliance with legal requirements and to ensure no creation of liability, overseeing and sometimes conducting investigations, ensuring protection of privilege where appropriate,
• Chief People Officer is responsible for overseeing and implementing human capital incentives and controls, ethical leadership practices, incorporation of requirements into job descriptions and performance evaluations, internal stakeholder communications, and, possibly, all education and learning initiatives, and
• Chief Technology Officer is responsible for coordinating selection and application of technologies to support GRC functions.
O2.2.03 Define job descriptions and GRC related performance evaluation criteria for management in GRC roles.
O2.2.04 Check background of management personnel hired or promoted into substantial authority or GRC roles.
O2.2.05 Define and deliver a specialized curriculum plan for management in GRC roles that includes relevant portions of OCEG GRC Fundamentals course.
O2.2.06 Ensure that management obtain and maintain professional credentials relevant to their GRC responsibilities.
O2 ROLES & RESPONSIBILITIES
O2.3 DEFINE AND ENABLE LEADERSHIP ROLES AND ACCOUNTABILITY
Define individuals to serve in leadership roles to champion the GRC system or certain aspects of the system and establish methods to ensure they possess the desired character ethics.
Core Sub-practices
O2.3.01 Identify and select individuals at various levels of the organization to serve as leaders and champions for the GRC system.
O2.3.02 Define responsibilities of leaders and champions to:
• break down barriers to change,
• develop buy-in for the GRC system, and
• communicate the desired outcomes of the system and how they relate to business objectives.
O2.3.03 Establish and communicate a defined set of essential character ethics to which executive leaders have made a commitment and require of designated leaders.
O2.3.04 Check background of leaders and champions for any incongruence with being an ethical leader (e.g., prior misconduct) and to ensure alignment with established character ethics required of leaders.
O2.3.05 Regularly engage in discussions with designated leaders about the values they are expected to demonstrate and set expectations about how these will be shared, pursued and monitored, as well as how lapses and trust-eroding events will be redressed.
O2.3.06 Define and deliver a specialized curriculum for leaders that includes relevant portions of OCEG GRC Fundamentals course.
O2 ROLES & RESPONSIBILITIES
O2.4 DEFINE AND ENABLE GRC SYSTEM OPERATIONAL ROLES
Define the roles required to deliver, operate, and execute GRC System practices.
Core Sub-practices
O2.4.01 Define roles responsible for the following key GRC activities:
• methodology, policy/procedure, standards, vocabulary development and maintenance,
• risk and requirements identification, analysis, and optimization,
• initiative implementation / project portfolio management,
• stakeholder relations,
• helpline / hotline,
• investigation and resolution,
• performance measurement,
• communications, including public relations,
• information management, and
• technology.
O2.4.02 Define job descriptions and performance evaluation criteria relevant to each GRC operational role.
O2.4.03 Check background of personnel hired, transferred, or promoted into GRC operational roles.
O2.4.04 Define and deliver a specialized curriculum plan for GRC operational roles that includes relevant portions of OCEG GRC Fundamentals course.
O2.4.05 Monitor whether operational personnel have obtained and maintain professional credentials relevant to their GRC roles.
O2 ROLES & RESPONSIBILITIES
O2.5 DEFINE AND ENABLE ASSURANCE ROLES AND ACCOUNTABILITY (CHIEF AUDIT EXECUTIVE, EXTERNAL AUDITOR)
Define assurance roles, responsibilities and accountability for certain aspects of the GRC system.
Core Sub-practices
O2.5.01 Define critical attributes of assurance personnel, including:
• independence from management,
• objectivity in analysis,
• integrity,
• diligence,
• adequate competence to conduct assigned activities including generally accepted professional credentials consistent with role, and
• direct and unfettered access to the Board for the senior executive responsible for independent assurance.
O2.5.02 Define general responsibilities for assurance personnel to provide independent assurance to the Board and management that:
• risks and requirements (external and internal) are identified, evaluated, managed, reported and monitored via effective methods,
• they have quality information needed to make GRC system decisions and reduce the cost of control,
• the GRC system is appropriately designed to address identified risks and requirements,
• the risk management process is designed to identify, evaluate, manage, report and monitor a comprehensive set of risks to (and requirements for) the achievement of the organization’s objectives within the organization’s values, and
• the GRC system is operating as designed.
O2.5.03 Define job descriptions and performance evaluation criteria for assurance personnel.
O2.5.04 Check background of personnel hired or promoted into assurance roles.
O2.5.05 Define and deliver a specialized curriculum plan for assurance personnel that includes relevant portions of OCEG GRC Fundamentals course.
O3 APPROACH & ACCOUNTABILITY
Define an approach to embed, integrate and align the GRC system with the business, and establish accountability for each aspect of the system.
Principles
01 Where possible, the GRC system should use people, processes, and technologies already serving other needs.
02 Irreconcilable conflicts of interests or legal mandates may preclude consolidating responsibilities into a single role.
03 When consolidating responsibilities into a single role, put in place controls to make sure the consolidation does not jeopardize any required objectivity and independence.
04 The degree of integration across risk areas and with existing business processes varies based on organizational needs.
Common Sources Of Failure
01 Not assigning accountability for all key aspects of the GRC system
02 Not appropriately aggregating or segregating roles
03 Not integrating the GRC system with the business
04 Not identifying potential resistance to any change that the GRC system may imply or require
05 Not establishing clear reporting lines and strong inter-department knowledge sharing
06 Not developing and maintaining a business case for the GRC system with adequate resources to achieve its goals
Guidelines and Practices
O3.1 Allocate Accountability to Individuals and Committees
O3.2 Define GRC System Processes and Integrate with Business Processes
O3.3 Define Measurement and Evaluation Approach
O3.4 Define Organizational Change Management Approach
O3.5 Develop, Maintain and Authorize a Business Case
Key Deliverables
Authorizations: Internal Authorization, Segregation of Duties
Plans: GRC Strategic Plan
Enabling Technology Components
Technology Arenas: Business Process Management (BPM), Corporate Governance (CG), Enterprise Content Management (ECM), Enterprise Resource Management (ER)
Business Applications: Budget & Finance Management (BFM), Business Activity Monitoring (BAM), Corporate Performance Management (CPM), Documents & Records Management (DRM), Legal Entity Management (LEM), Strategic Planning (SP)
GRC Core Applications: Accountability/Responsibility Management (ARM), Controls Management & Monitoring (CMM), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Ethical Practices/Corporate Integrity (ECI), Global Trade Compliance (GTC)/International Dealings, Helpline, Hotline/Whistleblower, Legal Matter Management (LMM), Operational Risk Management (ORM), Risk Analytics (RA)
Infrastructure: Identity and Access Management (IAM), Information Technology Operations (ITO) Management
O3 APPROACH & ACCOUNTABILITY

O3.1 ALLOCATE ACCOUNTABILITY TO INDIVIDUALS AND COMMITTEES
Allocate GRC roles and responsibilities to individuals and committees.

Core Sub-practices

O3.1.01 Allocate responsibilities to individuals and committees with other primary roles, if doing so will achieve synergies and efficiencies while ensuring required objectivity and independence.

O3.1.02 Segregate certain roles as follows:
• roles that have an interest in uncovering misconduct and weaknesses (compliance, internal audit) from roles that have an interest in legally protecting the organization (general counsel),
• roles that have an interest in uncovering misconduct and weaknesses (compliance, internal audit) from roles that have an interest in quarterly business performance objectives and incentives that may compromise objectivity,
• roles that involve implementing and operating preventive and detective controls (finance, compliance) from roles that evaluate the effectiveness of those controls and structures (internal audit), and
• roles involved in investigations of alleged misconduct and weaknesses from individuals that are alleged to have been, or have potential to have been, involved in the alleged misconduct, and from those who have direct reporting relationships with such individuals.

O3.1.03 Design adequate reporting relationships that ensure required independence and objectivity are respected including assuring:
• individuals charged with managing compliance risk have direct access to the Board, and
• individuals charged with assurance have direct access to the Board.

O3.1.04 Develop a proposed organizational structure for the GRC system that enables objective reporting of results.

O3.1.05 Vet the proposed structure with individuals who would serve in key roles within the GRC system.

O3.1.06 Finalize and document GRC system structure including reporting lines in the GRC strategic plan.

O3.1.07 Obtain approval of structural plan from appropriate authority.
O3 APPROACH & ACCOUNTABILITY

O3.2 DEFINE GRC SYSTEM PROCESSES AND INTEGRATE WITH BUSINESS PROCESSES
Define GRC system processes and synchronize with existing business processes.

Core Sub-practices

O3.2.01 Define a GRC system process model.

O3.2.02 Define how and when key GRC system processes will be conducted relative to existing business processes, including:
• when risk assessments will occur and integrate with existing business planning activities,
• generally how preventive, detective and corrective activities will integrate with existing business processes,
• how GRC system information will be used in conjunction with business information to judge performance,
• how GRC system information (internal and external) will integrate with existing communication channels and reporting,
• when GRC system monitoring will occur and synchronize it with existing performance monitoring, and
• how technology that enables the GRC system will leverage existing business applications and infrastructure.

O3.2.03 Create a unified calendar for key GRC system processes and related business processes.
O3 APPROACH & ACCOUNTABILITY

O3.3 DEFINE MEASUREMENT AND EVALUATION APPROACH
Define an approach to measure and evaluate the effectiveness, efficiency, and responsiveness of the GRC system.

Core Sub-practices

O3.3.01 Refine desired GRC system outcomes to ensure they are capable of measurement or evaluation.

O3.3.02 Allocate accountability for achieving GRC system outcomes to key personnel.

O3.3.03 Design reports for senior management and the Board.

O3.3.04 Define schedule for conducting ongoing and periodic evaluation of the GRC system.

O3.3.05 Define targets and thresholds for each measurement indicator and maturity milestones.
O3 APPROACH & ACCOUNTABILITY

O3.4 DEFINE ORGANIZATIONAL CHANGE MANAGEMENT APPROACH
Define an approach to ready the organization for any changes that the GRC system may require to people, processes, and technology.

Core Sub-practices

O3.4.01 Identify key areas where the GRC system may significantly affect existing business units, departments, people, stakeholder relationships, processes, and technology.

O3.4.02 Assess the readiness of key impacted areas and the organization as a whole to integrate changes.

O3.4.03 Define specific change management plans to address any anticipated challenges and risks.
O3 APPROACH & ACCOUNTABILITY

O3.5 DEVELOP, MAINTAIN AND AUTHORIZE A BUSINESS CASE
Develop a business case for the GRC system and obtain authorization from senior management and the Board.

Core Sub-practices

O3.5.01 Create a strategic plan and business case that summarizes:
• the desired outcomes of the GRC system,
• why it is needed and how it adds value,
• how it will be structured,
• how it will be resourced with people, funding and technology (and how much),
• how it relates to business objectives and the existing operational model,
• when system components, elements, processes, practices, and enabling technology will be implemented,
• how performance will be measured, and
• how assurance will be provided.

O3.5.02 Obtain authorization from senior management and the Board.

O3.5.03 Obtain funding for the approach.
A ASSESS & ALIGN
Assess risks and optimize the organizational risk profile with a portfolio of initiatives, tactics, and activities.

A1 Risk Identification
A1.1 Identify Affected Business Objectives and Operations
A1.2 Identify Changes in Internal and External Factors that Drive Risk
A1.3 Identify Integrity and Ethical Culture Risks
A1.4 Identify Compliance Risks
A1.5 Identify Operational Risks
A1.6 Identify Economic Risks
A1.7 Identify Risks that May Afford Opportunities
A1.8 Identify Risk Trends and Interrelatedness
A1.9 Categorize Risks
A1.10 Assign Accountability to Monitor Changes in Underlying Factors

A2 Risk Analysis
A2.1 Analyze Inherent Risk
A2.2 Analyze Current Approaches to Risk Optimization
A2.3 Determine Current Residual Risk
A2.4 Prioritize Risks

A3 Risk Optimization
A3.1 Evaluate Risk Optimization Tactics and Activities
A3.2 Determine Planned Residual Risk
A3.3 Determine Optimizing Activities
A3.4 Develop Key Risk Indicators
A3.5 Develop Risk Optimization Plan
A1 RISK IDENTIFICATION
Identify events, forces, and factors that may affect the achievement of business objectives, including those arising from noncompliance with requirements established by law, standards, internal policies or other mandatory or voluntary boundaries.
Principles

01 Given limited resources, the risk identification process should focus on key business objectives, assets, and operations.
02 Bottom-up participation from the workforce and line managers helps to gather information about what “really happens” in the business and the risks that the workforce and agents actually face.
03 Categorizing risks can help to structure the identification process and ensure that the organization identifies risks uniformly across departments and silos.
04 Risks rarely fall into singular categories, but rather tend to be multi-faceted, so management should use multiple techniques to identify all relevant risks.
Common Sources Of Failure

01 Not identifying risks by failing to identify and consider all:
• products or services offered,
• geographies and locations in which the organization operates,
• legal requirements related to operations,
• contractual or voluntary obligations made by the business,
• risks related to failures in integrity and ethical culture,
• internal and external factors, forces, events or trends, including opportunity for natural disasters or other uncontrollable events, or
• risks arising in the extended enterprise
02 Not evaluating risks faced by peers (based on industry, revenues, workforce size, and geography) currently or in the past
03 Not identifying new or changing risks in a timely manner
04 Not understanding weaknesses in the capability to react to various types of external factors
05 Not considering identification of opportunities as part of risk identification
06 Not recognizing that cultural weaknesses can present great risk
Guidelines and Practices

A1.1 Identify Affected Business Objectives and Operations
A1.2 Identify Changes in Internal and External Factors that Drive Risk
A1.3 Identify Integrity and Ethical Culture Risks
A1.4 Identify Compliance Risks
A1.5 Identify Operational Risks
A1.6 Identify Economic Risks
A1.7 Identify Risks that May Afford Opportunities
A1.8 Identify Risk Trends and Interrelatedness
A1.9 Categorize Risks
A1.10 Assign Accountability to Monitor Changes in Underlying Factors
Key Deliverables

Matrices
Prioritized Risk Matrix

Enabling Technology Components

Technology Arenas
Assurance & Audit Management (AAM), Business Intelligence (BI), Enterprise Content Management (ECM), Enterprise Resource Management (ER), Enterprise Risk Management (ERM), Human Resources Management (HRM)

Business Applications
Contract Management (CM), Documents & Records Management (DRM), Legal Entity Management (LEM), Loss Management (LM), Project Portfolio Management (PPM), Quality Management & Monitoring (QMM)

GRC Core Applications
Accountability/Responsibility Management (ARM), Crisis Management (CMT), Enterprise Risk Assessment (ERA), Environmental Monitoring & Reporting (EMR), Finance & Treasury Risk (FTR) Management, Financial Assurance & Audit (FAA), Fraud Detection & Prevention (FDP), Geo-Political Risk (GPR) Management, Helpline, Hotline/Whistleblower, Information Technology Audit (ITA), Information Technology Risk & Compliance (ITRC) Management, Insurance & Claims Management (ICM), Legal Matter Management (LMM), News Feeds (GRC Intelligence), Operational Assurance & Audit (OAA), Operational Risk Management (ORM), Risk Analytics (RA)

Infrastructure
Identity and Access Management (IAM), Physical Security (PS), Retention & Storage Management (RSM), Systems Log Management (SLM)
A1 RISK IDENTIFICATION

A1.1 IDENTIFY AFFECTED BUSINESS OBJECTIVES AND OPERATIONS
Identify key business objectives and operations that may be affected by risks.

Core Sub-practices

A1.1.01 Review business objectives.

A1.1.02 Identify the key:
• lines of business,
• projects,
• physical and information assets,
• people and jobs at all levels of the organization,
• business processes,
• infrastructures, and
• technologies.
A1 RISK IDENTIFICATION

A1.2 IDENTIFY CHANGES IN INTERNAL AND EXTERNAL FACTORS THAT DRIVE RISK
Imagine and identify potential adverse events arising from changes in internal and external factors that affect risk.

Core Sub-practices

A1.2.01 Identify and analyze potential events that would change internal factors that affect risk, including changes in:
• people / personnel,
• processes,
• technology,
• information, and
• infrastructure.

A1.2.02 Identify and analyze potential events that would change external factors that affect risk, including changes in:
• economic context,
• natural environment,
• political events,
• social mores and expectations, and
• technological advances.
A1 RISK IDENTIFICATION

A1.3 IDENTIFY INTEGRITY AND ETHICAL CULTURE RISKS
Imagine and identify situations where individuals working alone or with others will attempt to break the rules - whether the rules are mandated by an external source or internal, voluntary policies.

Core Sub-practices

A1.3.01 Identify areas in the cultural analysis that indicate weaknesses.

A1.3.02 Identify opportunities and scenarios for financial fraud.

A1.3.03 Identify opportunities and scenarios for operational fraud.

A1.3.04 Identify opportunities and scenarios for corruption and self-dealing.

A1.3.05 Identify opportunities and scenarios for intimidating or harassing behavior.

A1.3.06 Identify opportunities and scenarios for criminal mischief or retribution.
A1 RISK IDENTIFICATION

A1.4 IDENTIFY COMPLIANCE RISKS
Imagine and identify situations where risks arise due to noncompliance with externally mandated requirements or organizational commitments under contracts, voluntary agreements, and internal policies.

Core Sub-practices

A1.4.01 Identify key legal compliance areas that apply to the organization, such as:
• employment,
• information management, privacy and security,
• environmental, health and safety,
• foreign corrupt practices,
• antitrust,
• government contracting, and
• regulated industry requirements.

A1.4.02 Identify explicit and derived legal requirements that apply to the organization, including those contained in:
• laws, rules and regulations,
• administrative rulings,
• judicial rulings,
• contracts, and
• settlement or consent orders and integrity agreements.

A1.4.03 Identify other explicit and derived external requirements potentially applicable to the organization, including those contained in:
• safe harbor standards,
• international, national and industry standards,
• trade association commitments,
• stock exchange listing commitments,
• prosecution, enforcement, penalty and sentencing guidelines,
• customary practices in the industry, and
• customary practices in the geography and national culture.

A1.4.04 Identify explicit and derived internal requirements set forth in:
• mission, vision, values,
• code of conduct,
• policies, and
• established procedures.
A1 RISK IDENTIFICATION

A1.5 IDENTIFY OPERATIONAL RISKS
Imagine and identify situations where risk results from inadequate or failed internal processes, people, and technologies.

Core Sub-practices

A1.5.01 Identify risks from misalignment of people, processes, and technology.

A1.5.02 Identify events that could give rise to information management or technology risk.

A1.5.03 Identify risks from inadequate resources, documentation, or education.
A1 RISK IDENTIFICATION

A1.6 IDENTIFY ECONOMIC RISKS
Imagine and identify situations where financial risk could surface.

Core Sub-practices

A1.6.01 Identify events that give rise to market risk.

A1.6.02 Identify events that give rise to credit risk.

A1.6.03 Identify events that give rise to liquidity risk.

A1.6.04 Identify events that give rise to interest rate risk.
A1 RISK IDENTIFICATION

A1.7 IDENTIFY RISKS THAT MAY AFFORD OPPORTUNITIES
Identify areas where effective management of a risk will afford the organization strategic or tactical opportunities.

Core Sub-practices

A1.7.01 Identify opportunities for:
• better coordination of business functions,
• facilitating business efficiencies,
• improvements to quality, and
• improved information on business activities that can result in improved management.

A1.7.02 Identify key business areas where opportunities may be presented such as:
• new product development,
• sales and distribution,
• import-export processes,
• financial controls, and
• controls surrounding kickback and bribery requirements.
A1 RISK IDENTIFICATION

A1.8 IDENTIFY RISK TRENDS AND INTERRELATEDNESS
Identify the trend of each risk and how risks relate to each other.

Core Sub-practices

A1.8.01 Identify how the occurrence and magnitude of each risk has trended in the organization.

A1.8.02 Identify how the occurrence and magnitude of each risk has trended in peers and the industry.

A1.8.03 Identify instances of changed expectations of risk occurrence or magnitude from repeated incidents or correlated risks.
A1 RISK IDENTIFICATION

A1.9 CATEGORIZE RISKS
Identify the type and order of magnitude estimate of impact for each identified risk.

Core Sub-practices

A1.9.01 Identify the types of impact from each risk, such as risk of:
• physical injury to people,
• physical injury to facilities or other physical assets,
• business interruption (including lost “qualified to do business” status, delisting, and debarment),
• civil or criminal liability, fines, penalties and restitution orders,
• reputational damage,
• business quality or reliability, or
• economic loss.

A1.9.02 Identify risks that require crisis response planning.

A1.9.03 Identify risks that present significant vulnerability to the organization based on trends, likelihood, correlated effects, or degree of impact.

A1.9.04 For each identified significant risk, identify the roles or jobs that are in a position to affect the likelihood or impact of the risk.

A1.9.05 Begin development of the prioritized risk matrix by documenting the identified risks and their related attributes:
• risk category,
• related requirements,
• nature of impacts, and
• related roles.
A1 RISK IDENTIFICATION

A1.10 ASSIGN ACCOUNTABILITY TO MONITOR CHANGES IN UNDERLYING FACTORS
Assign accountability for monitoring the underlying conditions and sources of risks.

Core Sub-practices

A1.10.01 Assign responsibility to monitor and identify changes to internal factors that affect risks, including:
• mergers and acquisitions,
• new product development,
• expansion into new markets,
• new contracts or voluntary commitments,
• key personnel or management changes, and
• business process changes.

A1.10.02 Assign responsibility to monitor and identify changes to external factors that affect risks, including:
• macroeconomic events and cycles,
• new laws, rules, regulations,
• shifts in regulatory climate,
• natural or health hazards,
• political events and changes,
• shifts in societal attitudes and perceptions, and
• shifts in stakeholder attitudes, perceptions and expectations.
A2 RISK ANALYSIS
Define the current risk profile by analyzing the inherent risk and residual risk after considering current risk optimizing activities.

Principles

01 Use top-down analysis and input from senior executives to scope risk analysis activities, but rely on bottom-up information from individuals “on the ground” to ensure that operational reality drives risk analysis.
02 Use risk criteria to determine if current residual risk is acceptable or unacceptable.
03 Document risk analysis so others can use it for other purposes such as audit and assurance activities.
04 Analyze inherent risk so that management can rationalize current and future resource allocation based on the underlying level of risk, and so that risks are not over-managed or under-managed.

Common Sources Of Failure

01 Not using consistent methodologies to analyze and categorize similar risks across various risk silos
02 Not using both top-down and bottom-up risk analysis techniques
03 Not using both quantitative and qualitative risk analysis techniques
04 Not analyzing both the inherent and current residual risk
Guidelines and Practices

A2.1 Analyze Inherent Risk
A2.2 Analyze Current Approaches to Risk Optimization
A2.3 Determine Current Residual Risk
A2.4 Prioritize Risks
Key Deliverables

Matrices
Prioritized Risk Matrix

Enabling Technology Components

Technology Arenas
Business Intelligence (BI), Enterprise Risk Management (ERM)

Business Applications
Contract Management (CM), Enterprise Asset Management (EAM), Learning & Training Management (LTM), Loss Management (LM)

GRC Core Applications
Audit Analytics (AA), Crisis Management (CMT), Enterprise Risk Assessment (ERA), Environmental Monitoring & Reporting (EMR), Finance & Treasury Risk (FTR) Management, Financial Assurance & Audit (FAA), Fraud Detection & Prevention (FDP), Geo-Political Risk (GPR) Management, Information Technology Audit (ITA), Information Technology Risk & Compliance (ITRC) Management, Insurance & Claims Management (ICM), Legal Matter Management (LMM), News Feeds (GRC Intelligence), Operational Assurance & Audit (OAA), Operational Risk Management (ORM), Risk Analytics (RA)

Infrastructure
Systems Log Management (SLM)
A2 RISK ANALYSIS

A2.1 ANALYZE INHERENT RISK
Analyze the inherent vulnerability to the organization from likelihood and impact of risks without consideration of current controls, incentives and other risk optimization activities.

Core Sub-practices

A2.1.01 Analyze the likelihood that a risk will materialize including identification of likely:
• single vs. multiple events, and
• short-term vs. long-term events.

A2.1.02 Analyze likely speed of onset and momentum once the risk occurs.

A2.1.03 Analyze inherent relationship with other risks.

A2.1.04 Use history of the organization and peers (based on industry, geography, business activities, and workforce scale and footprint) to analyze vulnerability considering likelihood and impact.

A2.1.05 Augment the prioritized risk matrix with a synopsis of the inherent risk analysis.
A2 RISK ANALYSIS
A2.2 ANALYZE CURRENT APPROACHES TO RISK OPTIMIZATION Identify the current approaches to optimize risk by mitigating the negative impact of risks and identifying opportunities presented by risks. Core Sub-practices A2.2.01 This is not legal or professional advice. driving principled and evaluate current application of risk optimization 51 tactics to: Please contact a professional regarding l Identify performance ® • ACCEPT the risk at the current residual level, © 2003 - 2009 OPEN COMPLIANCE & ETHICS GROUP your specific needs. • AVOID the risk and cease activities (or change requirements) that give rise to the risk, LICENSED TO CDUCU ONrisk TUESDAY, APRIL 28, 2009. SINGLE GRANTED. • SHARE the impact or optimization of the with other entities, including useUSER of riskLICENSE financing, or SHIFT the risk to
A2 RISK ANALYSIS
A2.2 ANALYZE CURRENT APPROACHES TO RISK OPTIMIZATION
Identify the current approaches to optimize risk by mitigating the negative impact of risks and identifying opportunities presented by risks.
Core Sub-practices
A2.2.01 Identify and evaluate current application of risk optimization tactics to:
• ACCEPT the risk at the current residual level,
• AVOID the risk and cease activities (or change requirements) that give rise to the risk,
• SHARE the impact or optimization of the risk with other entities, including use of risk financing, or SHIFT the risk to another business partner (via joint ventures or risk financing structures),
• REDUCE likelihood of the risk by implementing incentives, controls and other activities that prevent or reduce the probability that undesirable activities occur, or
• REDUCE impact by more quickly detecting and responding to undesirable activity, or otherwise preventing risks from accelerating into high impact levels.
A2.2.02 Identify and evaluate current risk optimization activities, including use of:
• incentives for desired conduct,
• preventive, detective and corrective controls to address undesired conduct or events,
• issue identification and management,
• monitoring activities,
• policies and procedures,
• education and awareness programs, and
• risk financing.
A2.2.03 Identify and evaluate who, or what department, is accountable for managing each risk optimization approach in:
• mainline business functions, departments and staff,
• risk management, ethics and compliance departments and staff,
• assurance departments and staff, and
• oversight (Board).
A2.2.04 Identify any gaps and unnecessary overlaps in risk optimization approaches.
A2.2.05 Augment the prioritized risk matrix with a synopsis of the current approach to optimization of each risk.
A2 RISK ANALYSIS
A2.3 DETERMINE CURRENT RESIDUAL RISK
Determine the level of risk remaining after application of currently applied optimization approaches to risk.
Core Sub-practices
A2.3.01 Analyze the effect of current approaches on the likelihood and magnitude of impact of each risk or category of risk.
A2.3.02 Determine the cost to maintain current approaches.
A2.3.03 Determine current level of residual risk.
A2.3.04 Augment the prioritized risk matrix with analysis of the current residual risk.
A2 RISK ANALYSIS
A2.4 PRIORITIZE RISKS
Evaluate inherent and residual risks based on risk criteria, and the effectiveness, efficiency and responsiveness of current optimizing activities, so that priorities can be established.
Core Sub-practices
A2.4.01 Identify risks that call for high prioritization for improved or additional optimization, including:
• when current residual risk is unacceptable based on the organization’s risk appetite,
• when current residual risk is unacceptable and immediate action is required,
• when current optimizing activities are ineffective, inconsistently effective, or inefficient,
• when an inherently high risk requires optimizing activities that must be constantly monitored, and
• when risks require crisis response plans, such as workplace violence, natural disasters, and significant reputational issues.
A2.4.02 Augment the priority risk matrix with the prioritization analysis, specifically identifying key risks based on either classification of the risk as inherently high or high vulnerability as a residual risk.
A3 RISK OPTIMIZATION
Evaluate and implement selected risk optimization options.
Principles
01 Priority risks should include both inherently high risks and unacceptably high residual risks.
02 A layered approach may result in a more efficient use of resources and more effective risk optimization.
03 Where appropriate, embed optimizing activities in mainline business planning and processes.
Common Sources Of Failure
01 Not prioritizing, or prioritizing every risk as high, resulting in resources disproportionately allocated given the actual level of risk
02 Not monitoring inherently high risks regardless of the current residual risk level, leaving the organization exposed to catastrophic impact
03 Selecting a single optimizing option when a multifaceted, multilayered approach may be more appropriate
04 Not assigning accountability for implementing or maintaining optimizing activities and assuming it will just get done
05 Not obtaining authorization and funding, resulting in ineffective or nonexistent optimizing activities
06 Not adequately considering the need for ongoing and pervasive approaches to controlling ethical and behavioral risks
Red Book 2.0 - GRC Capability Model
Guidelines and Practices
A3.1 Evaluate Risk Optimization Tactics and Activities
A3.2 Determine Planned Residual Risk
A3.3 Determine Optimizing Activities
A3.4 Develop Key Risk Indicators
A3.5 Develop Risk Optimization Plan
Key Deliverables
Matrices
Prioritized Risk Matrix
Plans
Risk Optimization Plan
Enabling Technology Components
Technology Arenas
Business Intelligence (BI), Enterprise Risk Management (ERM), Security Management (SM)
Business Applications
Budget & Finance Management (BFM), Documents & Records Management (DRM), Project Portfolio Management (PPM), Strategic Planning (SP)
GRC Core Applications
Crisis Management (CMT), Geo-Political Risk (GPR) Management, Information Privacy Management (IPM), Information Technology Risk & Compliance (ITRC) Management
Infrastructure
Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR)
A3 RISK OPTIMIZATION
A3.1 EVALUATE RISK OPTIMIZATION TACTICS AND ACTIVITIES
Evaluate risk optimization tactics and activities when the current residual risk is unacceptable or when current optimizing activities can be improved to perform more efficiently and effectively.
Core Sub-practices
A3.1.01 Evaluate and select risk optimization tactics, including decisions to:
• ACCEPT the risk at the current residual level (which may be a change in risk appetite),
• AVOID the risk and cease activities (or change requirements) that give rise to the risk,
• SHARE the impact or optimization of the risk with other entities, including use of risk financing, or SHIFT the risk to another business partner (via joint ventures or risk financing structures),
• REDUCE likelihood of the risk by implementing incentives, controls and other activities that prevent or reduce the probability that undesirable activities occur, or
• REDUCE impact by more quickly detecting and responding to undesirable activity, or otherwise preventing risks from accelerating into high impact levels.
A3.1.02 Evaluate and select specific risk optimization activities, including:
• incentives for desired conduct,
• preventive, detective and corrective controls to address undesired conduct or events,
• issue identification and management,
• monitoring activities,
• policies and procedures,
• education and awareness programs, and
• risk financing.
A3.1.03 Design a layered approach to avoid “single response bias” in optimizing key risks.
A3.1.04 Identify areas where optimizing tactics and activities can address more than one risk.
A3.1.05 Design optimizing activities so that they generate information that can be used for monitoring.
A3.1.06 If the primary risk optimization option for a particular risk will take some time to implement, define interim risk optimization options, including consideration of delaying the action that presents the risk.
A3.1.07 Estimate the cost associated with planned risk optimization activities and determine if the cost is appropriate given the prioritization of the risk and the level of risk optimization achieved.
A3 RISK OPTIMIZATION
A3.2 DETERMINE PLANNED RESIDUAL RISK
Analyze the anticipated effect that planned optimizing activities will have on likelihood and impact to determine planned residual risk.
Core Sub-practices
A3.2.01 Assess the planned residual risk anticipated when the proposed risk optimization options are put in place.
A3.2.02 If planned residual risk is not acceptable, reconsider optimizing options.
A3.2.03 If planned residual risk is acceptable, implement the selected risk optimization activities.
A3.2.04 Analyze the costs and benefits of planned optimizing activities.
A3 RISK OPTIMIZATION
A3.3 DETERMINE OPTIMIZING ACTIVITIES
Identify current and planned optimizing activities that specifically address inherently high risks and that, should they cease to perform effectively, will expose the organization to unacceptable levels of risk.
Core Sub-practices
A3.3.01 Identify optimizing activities that currently are in place or are planned to address inherently high risks.
A3.3.02 Design additional monitoring activities to ensure that these optimizing activities continue to be effective and operate according to plan.
A3.3.03 Augment the prioritized risk matrix with the planned risk optimization activities and planned residual risk analysis.
A3.3.04 Include these risks and optimizing activities in assurance plans.
A3 RISK OPTIMIZATION
A3.4 DEVELOP KEY RISK INDICATORS
Develop risk indicators that inform management when key risk events have occurred, are imminent, or will potentially occur.
Core Sub-practices
A3.4.01 Identify risk indicators for each key risk, or category of key risk.
A3.4.02 Identify thresholds for each indicator that trigger:
• escalation / reporting,
• compensating controls, or
• reevaluation of optimization approaches.
A3.4.03 Assign accountability to periodically, or continuously, monitor each established risk indicator.
A3.4.04 Design management reports and dashboards to inform appropriate personnel about risk indicator values and changes.
A3.4.05 Provide objectives and indicators for key risks to executive management for consideration in enterprise strategic planning.
A3 RISK OPTIMIZATION
A3.5 DEVELOP RISK OPTIMIZATION PLAN
Develop an implementation and management plan for optimizing activities.
Core Sub-practices
A3.5.01 Identify opportunities to consolidate risk-optimizing activities into fewer actions.
A3.5.02 Identify opportunities to embed risk-optimizing activities into business processes.
A3.5.03 Identify opportunities to leverage existing programs, projects, processes, and resources (people, budgets, and technology) before creating new structures.
A3.5.04 Define initiatives that address related risk-optimizing activities in a coordinated fashion.
A3.5.05 Establish a timeline to implement each initiative.
A3.5.06 Assign accountability for each initiative and for monitoring events that may require changes to initiatives.
A3.5.07 Obtain approval for each initiative.
P PREVENT & PROMOTE
Promote and motivate desirable conduct, and prevent undesirable events and activities, using a mix of controls and incentives.
P1 Codes of Conduct
P1.1 Develop the Code of Conduct
P1.2 Implement and Manage the Code of Conduct
P1.3 Develop and Implement Ethical Decision-Making Guidelines
P2 Policies
P2.1 Establish Policy Structure
P2.2 Develop Policies
P2.3 Implement and Manage Policies
P3 Preventive Controls
P3.1 Establish Preventive Process Controls
P3.2 Establish Preventive Human Capital Controls
P3.3 Establish Preventive Technology Controls
P3.4 Establish Preventive Physical Controls
P4 Awareness & Education
P4.1 Define an Awareness and Education Plan
P4.2 Define a Curriculum Plan
P4.3 Develop or Acquire Content
P4.4 Implement Education
P4.5 Provide Helpline
P4.6 Provide Integrated Support
P5 Human Capital Incentives
P5.1 Foster Ethical Leadership
P5.2 Develop Incentive Based Evaluation and Promotion Decisions
P5.3 Develop Compensation Plans that Consider Conduct Expectations
P5.4 Develop Reward Programs
P6 Risk Financing/Insurance
P6.1 Assess Risk Financing Need and Options
P6.2 Set Risk Financing Objectives
P6.3 Design Risk Financing Strategy
P6.4 Implement Risk Financing Strategy
P7 Stakeholder Relations & Requirements
P7.1 Understand Stakeholders
P7.2 Develop Stakeholder Relations Plans
P7.3 Identify and Track Activity by Requirement Issuing Authorities
P7.4 Comment on Planned or Proposed Items
P7.5 Propose Mandates, Standards or Guidance
P1 CODES OF CONDUCT
Implement a code or codes of conduct and ethical decision guidelines for the Board, the workforce and the extended enterprise.
Principles
01 It is critical to have in place all codes of conduct mandated for specific positions or purposes.
02 Using the code development process to mold champions and secure commitment and buy-in can help to drive its acceptance and strengthen the overall GRC system.
03 There is an opportunity to include decision guidelines so people can act responsibly and with integrity when the code, policies or applicable law are not specific.
04 Expecting internal stakeholders and the extended enterprise to perform according to the code is only reasonable if the Board and senior management have committed to live by and model the code.
Common Sources Of Failure
01 Not drafting the code in language (both type and level) appropriate to its audience
02 Not communicating the code to all who are expected to abide by it
03 Not documenting receipt of the code
04 Not measuring understanding of the code’s content
05 Not adapting the code for local culture, norms, and needs
06 Not addressing key ethical risks in addition to compliance-driven content
Guidelines and Practices
P1.1 Develop the Code of Conduct
P1.2 Implement and Manage the Code of Conduct
P1.3 Develop and Implement Ethical Decision-Making Guidelines
Key Deliverables
Reports
Findings and Recommendations Report
Statements of Position
Code of Conduct, Ethical Decisions Guidelines
Enabling Technology Components
Technology Arenas
Business Process Management (BPM), Corporate Governance (CG), Enterprise Content Management (ECM), Security Management (SM)
Business Applications
Documents & Records Management (DRM), Email Management (EM), Employee Evaluations & Surveys (EES), Policy & Procedure Management (P&P), Supply Chain & Procurement Management (SCM)
GRC Core Applications
Controls Management & Monitoring (CMM), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Ethical Practices/Corporate Integrity (ECI), Global Trade Compliance (GTC)/International Dealings, Helpline, Hotline/Whistleblower, Information Privacy Management (IPM), Operational Risk Management (ORM), Risk Analytics (RA)
Infrastructure
Business Continuity Management (BCM), Configuration and Change Management (CCM), Identity and Access Management (IAM), Physical Security (PS), Retention & Storage Management (RSM)
P1 CODES OF CONDUCT
P1.1 DEVELOP THE CODE OF CONDUCT
Work with appropriate stakeholders to develop a code of conduct that addresses the organizational mission, vision, values, key policies and expected business conduct.
Core Sub-practices
P1.1.01 Define a repeatable methodology for developing the code of conduct.
P1.1.02 Develop the code of conduct with the participation of stakeholders representing various levels of authority within the organization.
P1.1.03 Develop all codes of conduct required by legal or other mandates, or one code that addresses all such requirements.
P1.1.04 Identify stakeholders (including those whose behavior may affect the entity's integrity) who are target recipients of the code of conduct.
P1.1.05 Establish procedures for globalization and localization of the code of conduct that consider local issues while preserving management’s intended message.
P1.1.06 Correlate the code of conduct to sources of requirements, principles, and values.
P1.1.07 If there is more than one code of conduct, ensure consistency of language and intent between like content.
P1.1.08 Have appropriate experts review the code of conduct and implementation approach for compliance with mandates.
P1.1.09 Have relevant policy owners approve the code of conduct and implementation approach to confirm adherence to principles.
P1.1.10 Prioritize the subjects addressed in the code of conduct based on risk analysis.
P1.1.11 Include an endorsing statement from the Board and senior management.
P1.1.12 Address the goals and philosophy of the code of conduct and how they align with the overall mission, vision, and values of the organization.
P1.1.13 At a minimum, provide for the code of conduct to address:
• compliance with all applicable laws and regulations,
• conflicts of interest,
• proper use of organizational property, information and opportunities,
• fair treatment in business dealings,
• transparency, timeliness and accuracy of public disclosures and regulatory reporting,
• prompt internal reporting of violations,
• accountability for adherence to the code provisions,
• substance abuse,
• political contributions and activities,
• the importance of ethical values and principles in decision making,
• the importance of asking questions and raising issues when concerns exist,
• how to report misconduct,
• how to report incidents and ask questions, and
• a guarantee of non-retaliation for reporting incidents.
P1.1.14 Define a procedure to waive and depart from the code of conduct.
P1 CODES OF CONDUCT
P1.2 IMPLEMENT AND MANAGE THE CODE OF CONDUCT
Distribute and manage a code of conduct to ensure that all relevant stakeholders receive the code of conduct, certify that they will follow it, that the practices and principles are honored, observed, and enforced, and that it continues to be relevant.
Core Sub-practices
P1.2.01 Develop a launch plan to distribute the code of conduct.
P1.2.02 Before implementing the code of conduct, train help desk personnel and others who are designated to answer questions about the content of the code of conduct.
P1.2.03 Distribute the code of conduct to all targeted stakeholders.
P1.2.04 Confirm that targeted stakeholders received the code of conduct.
P1.2.05 Design and deliver training and communication for continual reinforcement of the code of conduct.
P1.2.06 Ensure that the code of conduct is disclosed to the public and available to external stakeholders (e.g., post on the internet).
P1.2.07 Disclose, report or file the code of conduct as required by legal mandates.
P1.2.08 Periodically re-evaluate and define events that trigger re-evaluation of the code of conduct, including changes in laws, operating conditions and policies.
P1.2.09 Define a methodology for the periodic review and modification of the code of conduct, including identification of specific personnel to monitor legal factors and internal factors that may necessitate modifications.
P1.2.10 Include code of conduct related criteria in standard individual performance evaluation criteria.
P1.2.11 Determine the scope of code of conduct application in the extended enterprise.
P1.2.12 Be prepared to produce evidence of knowledge or awareness, support and understanding of the code of conduct.
P1.2.13 Ensure that critical stakeholders understand the code of conduct (via some form of assessment, certification, communication, and/or training).
P1.2.14 Make adherence to the code of conduct, or to a similar code, a condition of doing business for key suppliers and other partners.
P1 CODES OF CONDUCT
P1.3 DEVELOP AND IMPLEMENT ETHICAL DECISION-MAKING GUIDELINES
Work with appropriate stakeholders to develop and implement guidelines on how to choose a course of action consistent with the organization's mission, vision, values, key policies and expected business conduct when the circumstances are not explicitly covered by the code of conduct, policies, or procedures.
Core Sub-practices
P1.3.01 Develop the ethical decision guidelines with participation of stakeholders representing various levels of authority within the organization.
P1.3.02 Develop the ethical decision guidelines with participation of stakeholders representing a variety of the cultures (subcultures) that exist across the organization.
P1.3.03 Identify the ethical and cultural factors to be considered in reaching a decision about a course of conduct, including:
- congruence with the organization's mission, vision and values;
- compliance with the organization's requirements;
- consideration of all relevant viewpoints;
- completeness of all facts needed to reach a decision;
- consistency with prior organization behavior and anticipated future decisions under analogous circumstances;
- comfort with others broadly knowing which individual made the decision;
- consideration of likely implications to and reactions of stakeholders, influencers or the public; and
- criticism is anticipated and preempted through clear and cogent explanation.
P1.3.04 Include an endorsing statement from the Board and senior management.
P1.3.05 Make the ethical decision guidelines accessible to the workforce and the extended enterprise together with any supplemental resources and information on how to engage someone for further guidance.
P1.3.06 Provide awareness and education on how to obtain, apply and secure additional guidance in connection with the ethical decision guidelines simultaneously and consistent with communications and education on code(s) of conduct, policies, and procedures.
P1.3.07 Establish procedures for globalization and localization of the ethical decision-making guidelines that consider local issues and language needs while preserving management’s intended decision factors.
P2 POLICIES
Develop,implement and manage policies which address risks and requirements.
Principles
01 The policy development process can mold champions and secure buy-in.
02 Policies can both prohibit certain conduct and promote desired behavior.
03 Ethical decision guidelines help people decide what to do in the absence of an explicit policy or procedure.
04 Having evidence that formal policies are communicated and enforced protects the organization when violations occur.
Common Sources Of Failure
01 Not formalizing or documenting policies and assuring they are known and accessible to employees (i.e., allowing “secret policies” that are only uncovered once violated)
02 Not establishing a plan for implementing policies, so they just “sit on the shelf”
03 Not synchronizing all copies with the authoritative “master”
04 Not ensuring that policies neither “under-control” nor “over-control” risks
05 Not sufficiently communicating or training about new, current, and revised policies
06 Not periodically reviewing and revising policies
07 Not auditing for compliance with policies
Guidelines and Practices
Red Book 2.0 - GRC Capability Model
P2.1 Establish Policy Structure
P2.2 Develop Policies
P2.3 Implement and Manage Policies
Key Deliverables
Matrices
Policies and Related Procedures Matrix
Enabling Technology Components
Technology Arenas
Enterprise Content Management (ECM), Security Management (SM)
Business Applications
Documents & Records Management (DRM), Learning & Training Management (LTM), Policy & Procedure Management (P&P), Supply Chain & Procurement Management (SCM)
GRC Core Applications
Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Environmental Monitoring & Reporting (EMR), Global Trade Compliance (GTC)/International Dealings, Helpline, Hotline/Whistleblower, Information Privacy Management (IPM), Information Technology Risk & Compliance (ITRC) Management, Insurance & Claims Management (ICM), Legal Matter Management (LMM), Operational Risk Management (ORM), Reporting/eFiling (REF), Risk Analytics (RA)
Infrastructure
Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR), Enterprise Architecture Standards (EAS), Identity and Access Management (IAM), Information Technology Operations (ITO) Management, Retention & Storage Management (RSM)
P2 POLICIES
P2.1 ESTABLISH POLICY STRUCTURE
Establish an organizing structure for identifying and creating policies that support the GRC system.
Core Sub-practices
P2.1.01 Develop a list of policies required by applicable mandates, standards, and voluntary commitments.
P2.1.02 Develop a list of desired policies based on internal decisions.
P2.1.03 Develop a list of existing policies.
P2.1.04 Determine redundancies and overlaps in existing policies.
P2.1.05 Conduct gap analysis against existing policies.
P2.1.06 Establish a methodology to update the policy needs analysis.
P2 POLICIES
P2.2 DEVELOP POLICIES
Develop a mix of preventative and directive policies to address requirements, risks, and other program objectives.
Core Sub-practices
P2.2.01 Ensure that only individuals with appropriate authority issue and modify policies.
P2.2.02 Define the objective of each policy.
P2.2.03 Define the target audience for each policy.
P2.2.04 Have appropriate experts approve policies that must satisfy mandates.
P2.2.05 Understand business model elements that are affected by each policy.
P2.2.06 Define when to review, revisit, modify, or expire each policy.
P2.2.07 Define resources needed for roll-out/implementation/enforcement of each policy.
P2.2.08 Determine which policies to impose through the extended enterprise or to require partners to address directly.
P2.2.09 Translate or localize policies when determined to be necessary.
P2.2.10 Map or identify interrelated or dependent policies so that management may understand how changing one may affect another.
P2.2.11 Design templates for various types of policies.
P2 POLICIES
P2.3 IMPLEMENT AND MANAGE POLICIES
Implement, communicate, and manage policies to ensure that they operate and continue to be relevant.
Core Sub-practices
P2.3.01 Determine how to make each policy available to each target audience.
P2.3.02 Determine whether training or testing of the target audience is required for each policy.
P2.3.03 Deliver policies to target audiences.
P2.3.04 Confirm and document target audience receipt of policies.
P2.3.05 Define what awareness, education, and support practices should be in place for each policy and each target audience.
P2.3.06 Define methods for assessing knowledge of the existence and understanding of each policy by target audiences.
P2.3.07 Define a procedure to notify the help desk of any additions, modifications, or expiration of policies.
P2.3.08 Establish a method to assess periodically the effectiveness of each policy in meeting the requirement or objective it is meant to address.
P3 PREVENTIVE CONTROLS
Establish process, human capital, technology and physical control activities to prevent and/or reduce the likelihood and impact of adverse events and misconduct.
Principles
01 Required procedures should apply throughout the extended enterprise as necessary to address risk.
02 Established procedures should go beyond those that are mandated, to include additional procedures that enable the organization to meet business objectives.
03 Physical safety of the workforce and other stakeholders, including the surrounding community, is paramount.
04 The organization should use physical controls to guard critical assets or to reduce the likelihood that loss will occur.
05 The organization should design technology controls in such a way that unauthorized human intervention is not possible.
06 The organization should identify the common points of failure in processes and controls and address them through common technology approaches wherever possible.
07 Employing ethical people in key GRC roles is essential to the success of the GRC system.
08 Removing the opportunity for self-dealing or conflict of interest will reduce instances of noncompliance or criminal activity that require management actions.
Common Sources Of Failure
01 Not adapting controls to address mandates of different jurisdictions
02 Not being able to identify or track out-of-date, inaccurate, conflicting and inconsistent controls
03 Not ensuring that procedures, technology and physical controls neither “under-control” nor “over-control” risks
04 Not communicating and training about established procedures for high risk areas and those for which employees have direct responsibility, such as physical security of data contained in laptops, paper files, or other storage within the employees' control
05 Not establishing procedures simply because a formal policy is not required
06 Not developing controls to address key risks unless they are legally mandated
07 Not allocating sufficient resources to provide effective technology and physical controls
08 Not field testing adequately to identify weaknesses in technology and physical controls (drills)
09 Not identifying events which could be prevented or mitigated with physical controls
10 Not identifying ways that a preventive control can be violated, circumvented or manipulated
11 Not coordinating technology control selection throughout the enterprise or across risk areas
12 Not informing the workforce about the implementation of human capital controls
13 Not applying controls consistently and not making the reason for any exceptions clear to those subject to the controls
Guidelines and Practices
P3.1 Establish Preventive Process Controls
P3.2 Establish Preventive Human Capital Controls
P3.3 Establish Preventive Technology Controls
P3.4 Establish Preventive Physical Controls
Key Deliverables
Authorizations
External Authorizations, Segregation of Duties
Descriptions
Role / Job Descriptions, GRC Technology Data Model Descriptions
Matrices
Policies and Related Procedures Matrix, Prioritized Risk Matrix, Risk / Control Matrix
Plans
Risk Optimization Plan
Reports
Findings and Recommendations Report
Enabling Technology Components
Technology Arenas
Business Process Management (BPM), Enterprise Content Management (ECM), Enterprise Resource Management (ER), Enterprise Risk Management (ERM), Security Management (SM)
Business Applications
Brand & Reputation Management (BRM), Business Activity Monitoring (BAM), Business Rules (BR) Engines, Contract Management (CM), Documents & Records Management (DRM), Email Management (EM), Legal Entity Management (LEM), Policy & Procedure Management (P&P), Quality Management & Monitoring (QMM), Supply Chain & Procurement Management (SCM), Transaction Management (TM)
GRC Core Applications
Accountability/Responsibility Management (ARM), Controls Management & Monitoring (CMM), Corporate Social Responsibility (CSR), Crisis Management (CMT), Environmental, Health & Safety (EH&S) Management, Finance & Treasury Risk (FTR) Management, Fraud Detection & Prevention (FDP), GeoPolitical Risk (GPR) Management, Global Trade Compliance (GTC)/International Dealings, Information Privacy Management (IPM), Information Technology Risk & Compliance (ITRC) Management, Insurance & Claims Management (ICM), Operational Assurance & Audit (OAA), Risk Analytics (RA), Transaction Monitoring (TRM)
Infrastructure
Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR), Enterprise Architecture Standards (EAS), Identity and Access Management (IAM), Information Technology Operations (ITO) Management, Physical Security (PS), Retention & Storage Management (RSM)
P3 PREVENTIVE CONTROLS
P3.1 ESTABLISH PREVENTIVE PROCESS CONTROLS
Establish preventive process control activities and procedures to reduce the likelihood and/or impact of adverse events, noncompliance and misconduct.
Core Sub-practices
P3.1.01 Establish preventive process control activities that are required under mandates or voluntary commitments including:
• Approvals
• Authorizations
• Pre-Submission Reviews
• Quality Reviews
P3.1.02 For each preventive process control activity:
• Define who will perform the activity
• Define when and how often the activity will be performed
• Identify individuals with appropriate authority to modify or override preventive process control activities
P3.1.03 For each preventive process control activity, establish appropriate awareness, education, and support for responsible personnel.
P3.1.04 Determine the need to assess or certify responsible personnel to ensure that they are able to perform preventive process control activities.
P3.1.05 Establish a method to periodically assess the effectiveness of each preventive process control activity.
P3.1.06 For each procedure, define a testing approach and related monitoring activities to ensure that the procedure is operating effectively within defined tolerances.
P3.1.07 Define procedures and accountability for exceptions to preventive process control activities.
P3.1.08 Determine which preventive process control activities should be established throughout the extended enterprise.
P3.1.09 Establish procedures to manage changes to preventive process control activities including:
• Notifying the help desk of any change to a procedure
• Updating the related awareness and education module
• Updating related skill assessments and certifications
• Maintaining revision history
P3.1.10 Update the prioritized risk matrix to reflect:
• implemented preventive process controls,
• revised current residual risk analysis, and
• performance against planned residual risk.
P3 PREVENTIVE CONTROLS
P3.2 ESTABLISH PREVENTIVE HUMAN CAPITAL CONTROLS
Establish preventive human capital controls to reduce the likelihood and/or impact of adverse events, noncompliance and misconduct.
Core Sub-practices
P3.2.01 Define job/role descriptions for all key roles.
P3.2.02 Define which duties should be segregated to prevent conflicts of interest.
P3.2.03 Confirm that individuals understand that a particular responsibility is segregated from another.
P3.2.04 Incorporate GRC expectations into appropriate job/role descriptions as determined during assignment of accountability for GRC responsibilities.
P3.2.05 Define a methodology to check the backgrounds of employees, executives and personnel being hired or promoted into positions of substantial authority and to evaluate their past conduct, including:
• determinations of any history of violations of the law or unethical conduct,
• how recently any violations or instances of unethical conduct have occurred,
• how any violations or conduct are related to the area of concern for the proposed position of authority,
• any patterns of violations or unethical conduct,
• any conflicts of interest, and
• compatibility of personal values with organizational values.
P3.2.06 Obtain approval from legal counsel (employment) regarding the background check methodology and criteria.
P3.2.07 Conduct background checks for individuals hired, promoted, or transferred into roles with substantial authority and document the result of background checks for candidates in the employment file.
P3.2.08 Document consent to the background check by each candidate.
P3.2.09 Consistently use interviewing checklists that probe for indicators of behavior consistent with entity values/principles, as well as ethical and unethical behavior and decision-making.
P3.2.10 Augment or revise the prioritized risk matrix and risk optimization plan to reflect:
• implemented human capital controls,
• revised current residual risk analysis, and
• performance against planned residual risk.
P3 PREVENTIVE CONTROLS
P3.3 ESTABLISH PREVENTIVE TECHNOLOGY CONTROLS
Establish preventive technology controls to reduce the likelihood and/or impact of adverse events, noncompliance and misconduct.
Core Sub-practices
P3.3.01 Create a common vocabulary to describe the types of technology controls.
P3.3.02 Establish preventive technology controls including:
• Application access controls which limit access to systems, applications and information repositories
• Physical access controls which limit access to physical technology components such as networks, servers and workstations
• Configuration controls which prevent or restrict changes to hardware, system and application configurations
• Master data controls which prevent or restrict changes to information stored in data sources
P3.3.03 Update the prioritized risk matrix and risk optimization plan to reflect:
• implemented preventive technology controls,
• revised current residual risk analysis, and
• performance against planned residual risk.
P3 PREVENTIVE CONTROLS
P3.4 ESTABLISH PREVENTIVE PHYSICAL CONTROLS
Establish preventive physical controls to reduce the likelihood and/or impact of adverse events, noncompliance and misconduct.
Core Sub-practices
P3.4.01 Establish preventive physical controls to meet mandated requirements.
P3.4.02 Establish preventive physical controls to protect human health and safety.
P3.4.03 Establish preventive physical controls to protect environmental conditions.
P3.4.04 Establish preventive physical controls to protect key physical assets including facilities and equipment.
P3.4.05 Establish preventive physical controls to protect key information assets, including security of laptops, jump drives and other data storage devices used by employees.
P3.4.06 Update the prioritized risk matrix and risk optimization plan to reflect:
• implemented preventive physical controls,
• revised current residual risk analysis, and
• performance against planned residual risk.
P4 AWARENESS & EDUCATION
Educate the Board, management, the workforce and the extended enterprise about expected conduct and increase the skills and motivation needed to help the organization achieve Principled Performance.
Principles
01 Awareness, education and ongoing support enable individuals to:
• know what is expected,
• reduce the likelihood of errors and criminal behavior, and
• be comfortable about reporting misconduct or GRC system flaws.
02 A strong education program is not a one-time effort; it requires repeated, consistent messaging in language that the target audiences understand.
03 Qualified professionals should design and deliver education.
04 The ability to seek guidance, including anonymous requests for guidance, prior to or at decision-making time, is critical in an effective GRC system.
05 Questions can be a source of information that will enable GRC system improvements or identification of inappropriate conduct.
Common Sources Of Failure
01 Not matching the rigor of the messaging or education structure to the nature of the risk or significance of the underlying objective
02 Not keeping content current, fresh and relevant
03 Not establishing curriculum that is tied to knowledge requirements of specific roles
04 Not providing access to education and other supporting information at the right “points of need”
05 Not offering multiple paths to ask questions and obtain guidance, allowing for anonymity when appropriate
06 Not obtaining evidence of completion and understanding of curriculum
Guidelines and Practices
P4.1 Define an Awareness and Education Plan
P4.2 Define a Curriculum Plan
P4.3 Develop or Acquire Content
P4.4 Implement Education
P4.5 Provide Helpline
P4.6 Provide Integrated Support
Key Deliverables
Descriptions: Helpline FAQ Descriptions
Matrices: Prioritized Risk Matrix
Plans: Awareness and Education Plan, Risk Optimization Plan
Reports: Findings and Recommendations Report
Enabling Technology Components
Technology Arenas: Business Process Management (BPM), Corporate Governance (CG), Enterprise Content Management (ECM), Enterprise Resource Management (ER), Enterprise Risk Management (ERM), Human Resources Management (HRM)
Business Applications: Brand & Reputation Management (BRM), Collaboration/Knowledge Management (KM), Documents & Records Management (DRM), Learning & Training Management (LTM), Policy & Procedure Management (P&P)
GRC Core Applications: Corporate Compliance (CC), Corporate Social Responsibility (CSR), Crisis Management (CMT), Environmental, Health & Safety (EH&S) Management, Environmental Monitoring & Reporting (EMR), Ethical Practices/Corporate Integrity (ECI), Geo-Political Risk (GPR) Management, Global Trade Compliance (GTC)/International Dealings, Helpline, Hotline/Whistleblower, Information Privacy Management (IPM), Legal Matter Management (LMM), News Feeds (GRC Intelligence), Operational Risk Management (ORM)
Infrastructure: Retention & Storage Management (RSM)
P4.1 DEFINE AN AWARENESS AND EDUCATION PLAN
Develop a plan to inform and educate the Board, management, the workforce and the extended enterprise about their GRC responsibilities and expected conduct.
Core Sub-practices
P4.1.01 Define a plan to make each target population generally aware of the GRC system and their responsibilities and expected conduct and as part of the plan:
• consider scope of awareness required in extended enterprise,
• consider the existing level of skill when designing plan,
• categorize content – general awareness versus specific, in-depth training,
• ensure people only get training relevant to their function/position, and
• ensure the approach to education considers cultural differences, generational differences, and learning style differences in the target populations.
P4.1.02 Develop materials describing the primary elements of the GRC system including the underlying mission, vision, and values of the organization.
P4.1.03 Determine which target audiences require more specific education about particular aspects of the GRC system or about specific policies and procedures.
P4.2 DEFINE A CURRICULUM PLAN
Develop a job specific curriculum and appropriate training program for the Board, senior management, the workforce and the extended enterprise to fulfill their GRC responsibilities.
Core Sub-practices
P4.2.01 Identify legally required education courses including:
• who must be trained,
• what the content must cover,
• how much time must be devoted to the course and how it will be measured, and
• what methods may be used.
P4.2.02 For each course that contains legal and/or policy content, map the objective to specific legal and/or policy requirements.
P4.2.03 Define the competence required of specific roles and positions.
P4.2.04 Map the series of required and desired courses for each role and position.
P4.2.05 Conduct a needs assessment that identifies high risk and mandatory training needs, and develop a training plan for each job or job family that details:
• learning objectives,
• training modules,
• target duration of training module,
• timeline for conducting training,
• timeline and method(s) for assessing knowledge and/or skill, and
• frequency for each course, including any "refresh" courses.
P4.2.06 Define the timeframe for training newly hired, promoted, or transferred individuals for their new roles.
P4.2.07 For each learning object, select appropriate training mode, media, and synchronicity based on:
• current skill level of the target audience,
• target skill level of the target audience,
• total population size and geographic distribution of the audience, and
• existing resources and technical capability to deliver training.
P4.3 DEVELOP OR ACQUIRE CONTENT
Develop or acquire content that does not exist in the curriculum or education plan and modify any content that needs updating in current learning objects.
Core Sub-practices
P4.3.01 Inventory all standardized awareness messages, capturing critical information on each and compare to desired communications in awareness and education plan.
P4.3.02 Inventory all live, online, and self-paced courses and related training vendors, capturing critical information on each and compare to desired courses in master curriculum.
P4.3.03 Prepare content development plan to fill gaps in inventory.
P4.3.04 Use qualified individuals to develop training modules including, as appropriate, learning professionals and subject matter experts with relevant training and experience.
P4.3.05 Tailor content to an understanding of the target audience’s general ability and readiness to learn.
P4.4 IMPLEMENT EDUCATION
Implement and manage the education program to ensure that each target audience achieves learning objectives and can transfer knowledge and skills to their jobs.
Core Sub-practices
P4.4.01 Integrate GRC training into existing job training wherever possible.
P4.4.02 Use appropriate technology to develop, deliver, and measure education and awareness.
P4.4.03 Prepare helpdesk to support questions regarding training access and content.
P4.4.04 Distribute communications and deliver courses in accordance with plan to target audiences.
P4.4.05 Deliver training to potential and newly promoted leaders about:
• responsible decision making,
• how integrity and responsible business conduct tie in with organizational objectives, and
• how to communicate about integrity and its impact on organizational performance.
P4.4.06 Deliver training for all employees about responsible decision-making.
P4.4.07 Confirm that training was delivered/attended and completed.
P4.4.08 Assess knowledge, competency, and skills when required and for training that addresses significant risks.
P4.4.09 Measure training progress against training plan.
P4.4.10 Augment or revise the prioritized risk matrix and risk optimization plan to reflect:
• implemented awareness and education initiatives,
• revised current residual risk analysis, and
• performance against planned residual risk.
P4.5 PROVIDE HELPLINE
Establish ways for the workforce and other stakeholders to seek guidance about future conduct and ask general questions about GRC responsibilities, including the option for anonymity in locations where that is required or allowed.
Core Sub-practices
P4.5.01 Define the helpline approach and policy, including the preference for posing questions to a supervisor (or other internal route) first or to the helpline first (this may differ based on type of issue).
P4.5.02 Define whether helpline (for questions) and hotline (for reporting concerns) are combined or separate.
P4.5.03 Determine whether a caller must or may remain anonymous or be assured of confidentiality, which in some circumstances may create an atmosphere of greater trust and openness.
P4.5.04 Establish a process to determine if a question is driven by observations of (or belief that there has been) noncompliance or undesirable conduct, including:
• if concerns or allegations about noncompliance or misconduct are expressed either directly or after probing about the reason for a question, determine if the allegations or concerns are specific and credible enough to act on,
• obtain as much information as possible to assist in the process of categorizing the issue within established investigation tiers, and
• after gaining basic information, redirect to hotline process if an issue has been identified that constitutes a report.
P4.5.05 Provide helpline personnel with a list of frequently asked questions and answers.
P4.5.06 Staff the helpline with personnel who are well trained to respond to, or seek assistance to answer, a variety of anticipated inquiries related to the GRC system and requirements.
P4.5.07 Establish a method to log questions and responses, indicating final resolution.
P4.6 PROVIDE INTEGRATED SUPPORT
Establish ways for the workforce to get questions about GRC requirements answered within their usual work environment.
Core Sub-practices
P4.6.01 Ensure that supervisors and GRC system personnel embedded in the business can answer questions about authority, responsibilities, and issues related to compliance, ethics, and undertaking risks.
P4.6.02 Inform employees about who is available within their work location to answer questions about authority, responsibilities, and issues related to compliance, ethics and undertaking risks.
P4.6.03 Develop and make available "self help" materials that employees and other agents can use to answer questions without requiring human interaction.
P4.6.04 Provide self-service resources (electronic or otherwise) to help individuals answer their questions.
P5 HUMAN CAPITAL INCENTIVES
Implement human capital incentives that reward and motivate desired conduct.
Principles
01 Incentives can be as important as preventive controls in driving desired conduct.
02 A mix of incentives and preventive controls will reduce the instances of noncompliance or criminal activity that require management actions.
03 When management makes leadership choices, it should consider whether people view the individual as a role model.
04 Application of values in observable business conduct should be measurable and measured.
Common Sources Of Failure
01 Not establishing incentives that motivate the desired behavior
02 Not being consistent in providing rewards for desired conduct
03 Not convincing employees that management views integrity and responsible conduct as values that are equal in importance to strong financial performance
04 Not considering evidence of an individual’s ethical conduct and consistency with organizational values in hiring/promotion/compensation decisions
Guidelines and Practices
P5.1 Foster Ethical Leadership
P5.2 Develop Incentive Based Evaluation and Promotion Decisions
P5.3 Develop Compensation Plans that Consider Conduct Expectations
P5.4 Develop Reward Programs
Key Deliverables
Matrices: Prioritized Risk Matrix
Plans: Risk Optimization Plan
Reports: Findings and Recommendations Report
Enabling Technology Components
Technology Arenas: Corporate Governance (CG), Enterprise Content Management (ECM), Enterprise Resource Management (ER), Enterprise Risk Management (ERM), Human Resources Management (HRM)
Business Applications: Corporate Performance Management (CPM), Employee Evaluations & Surveys (EES), Policy & Procedure Management (P&P)
GRC Core Applications: Accountability/Responsibility Management (ARM), Ethical Practices/Corporate Integrity (ECI), Fraud Detection & Prevention (FDP), Global Trade Compliance (GTC)/International Dealings, Helpline, Hotline/Whistleblower, Insurance & Claims Management (ICM)
P5.1 FOSTER ETHICAL LEADERSHIP
Foster and promote leadership that sets an appropriate "tone at the top" and models behavior in both words and deeds.
Core Sub-practices
P5.1.01 Consider ethical conduct when evaluating, promoting, and selecting leaders for GRC system responsibilities.
P5.1.02 Deliver training to potential and newly-promoted leaders about:
• ethical decision-making,
• how ethics ties in with organizational objectives, and
• how to communicate ethics and its impact on organizational performance.
P5.1.03 Define ethical leadership objectives, measures, targets, and initiatives in the strategic plan.
P5.1.04 Identify and cultivate potential leaders to create a "leadership supply chain."
P5.2 DEVELOP INCENTIVE BASED EVALUATION AND PROMOTION DECISIONS
Conduct performance reviews at all levels of the organization that include criteria related to GRC system performance - and use these same criteria for promoting individuals.
Core Sub-practices
P5.2.01 Build ethical considerations into:
• job descriptions,
• hiring decisions,
• employee performance evaluation,
• promotion decisions,
• compensation and bonus decisions,
• termination criteria, and
• disciplinary actions.
P5.2.02 Conduct performance evaluations for key jobs/roles with GRC related duties.
P5.2.03 Include GRC related criteria in performance evaluations including:
• understanding of values,
• incidents of ethical or alleged unethical conduct, and
• compliance responsibilities related to the position.
P5.2.04 Consider ethical conduct as a positive factor (and unethical conduct as a negative factor) when evaluating and promoting employees and when selecting leaders.
P5.2.05 Define a promotion process that considers an individual's support for and achievement of GRC objectives.
P5.3 DEVELOP COMPENSATION PLANS THAT CONSIDER CONDUCT EXPECTATIONS
Design compensation plans and bonus structures that align with desired conduct and do not reward undesirable conduct.
Core Sub-practices
P5.3.01 Develop compensation and bonus structures that include consideration and reward for compliance and ethical conduct in any role.
P5.3.02 Avoid compensation or bonus incentives that encourage misconduct in any role.
P5.3.03 Analyze compensation and bonus plans for jobs/roles that relate to revenue generation or financial roles/responsibilities, confirming that they do not induce noncompliant or unethical behavior.
P5.3.04 Analyze compensation and bonus plans for key roles including roles with substantial authority, confirming that they do not induce noncompliant or unethical behavior.
P5.3.05 Analyze discretionary budgets or allowances for all roles, confirming that they do not induce noncompliant or unethical behavior.
P5.4 DEVELOP REWARD PROGRAMS
Establish a reward program for all employees and other stakeholders that recognizes individuals and organizational units for exhibiting desired conduct.
Core Sub-practices
P5.4.01 Develop awards and other incentives to reward model conduct and leadership.
P5.4.02 Develop incentives that encourage reporting of misconduct or GRC system flaws.
P5.4.03 Develop awards and other incentives to recognize organizational units and extended enterprise partners for exemplary management of the GRC system or group conduct.
P5.4.04 Develop awards and other incentives for suggestions that improve the GRC system.
P5.4.05 Develop awards and other incentives for contributions by individuals or organizational or extended enterprise units that result in reduced compliance failures, enforcement actions or other external challenges to the organization.
P5.4.06 Augment and/or revise the prioritized risk matrix and, as needed, the risk optimization plan, to reflect:
• implemented human capital incentives,
• resulting current residual risk analysis, and
• performance against planned residual risk analysis.
P5.4.07 Reward by at least acknowledging members of the workforce for the successful completion of on the job training and self-initiated continuous learning and improvement.
P6 RISK FINANCING/INSURANCE
Develop or acquire risk-sharing and financing instruments, including insurance, indemnifications, reserves, captives, and legal entities for appropriately reducing or removing the potential impact of risks.

Principles
01 Use financial methods such as indemnification, insurance, establishment of reserves, or creation of legal entities.
02 Finance risks simultaneously with consideration of internal controls, or choices about reduction or avoidance of risk.
03 Risk financing is typically helpful for low likelihood and high impact risks that, should they materialize, would require financial resources beyond the organization’s means.

Common Sources Of Failure
01 Not appropriately weighing cost versus benefit of coverage (i.e., over-insure)
02 Not fulfilling all obligations needed to maintain financing arrangements
03 Not considering the financial resilience of other financing parties (e.g., obtaining insurance from an entity that is not solvent)

Guidelines and Practices
P6.1 Assess Risk Financing Need and Options
P6.2 Set Risk Financing Objectives
P6.3 Design Risk Financing Strategy
P6.4 Implement Risk Financing Strategy
Key Deliverables
Matrices
Prioritized Risk Matrix
Plans
Risk Optimization Plan

Enabling Technology Components
Technology Arenas
Enterprise Risk Management (ERM)
Business Applications
Legal Entity Management (LEM), Loss Management (LM), Transaction Management (TM)
GRC Core Applications
Crisis Management (CMT), Environmental, Health & Safety (EH&S) Management, Environmental Monitoring & Reporting (EMR), Finance & Treasury Risk (FTR) Management, Geo-Political Risk (GPR) Management, Insurance & Claims Management (ICM), Operational Assurance & Audit (OAA), Operational Risk Management (ORM), Risk Analytics (RA)
Infrastructure
Physical Security (PS)
P6.1 ASSESS RISK FINANCING NEED AND OPTIONS
Assess the need or desire for financing risk and the options available.

Core Sub-practices
P6.1.01 Review risk assessment findings to determine which risks should be addressed solely by financing options.
P6.1.02 Review residual risk after application of determined internal controls to identify risks that require financing as back-up for the applied controls.
P6.1.03 Identify options for types of risk financing appropriate to each identified risk.

P6.2 SET RISK FINANCING OBJECTIVES
Set the risk-sharing objectives and limits for the given risk or portfolio of risk.

Core Sub-practices
P6.2.01 Determine available options for particular risk-sharing instruments or approaches.
P6.2.02 Determine any mandates or policies that preclude use of a particular risk-sharing instrument or approach for particular types of risks.
P6.3 DESIGN RISK FINANCING STRATEGY
Design a portfolio of risk-sharing instruments and approaches.

Core Sub-practices
P6.3.01 Select risks to be insured.
P6.3.02 Select risks to be self-insured or subject to a captive insurance company.
P6.3.03 Select risks to be contractually transferred.
P6.3.04 Select risks to be transferred to other organizational structures (subsidiary, joint venture, LLP, LLC, etc.).
P6.4 IMPLEMENT RISK FINANCING STRATEGY
Implement the risk-sharing instruments or structures and acquire insurance.

Core Sub-practices
P6.4.01 Construct indemnification, assignment, warranty or other contractual language that transfers or allocates risk to other parties to contracts.
P6.4.02 Acquire insurance or establish self-insurance structures.
P6.4.03 Define appropriate deductibles / retention levels.
P6.4.04 Define appropriate limits / payouts.
P6.4.05 Assign accountability for maintaining compliance with requirements of each approach.
P6.4.06 Form organizational structures and transfer risks.
P6.4.07 Augment or revise the prioritized risk matrix and risk optimization plan to reflect:
• implemented risk financing, insurance and structural controls,
• revised current residual risk analysis, and
• performance against planned residual risk.
P7 STAKEHOLDER RELATIONS & REQUIREMENTS
Interact with stakeholders to shape expectations, affect requirements, and influence perspectives that can have an impact on the organization.

Principles
01 Issuers are more likely to establish reasonable mandates and standards when they understand the implications to individual businesses, the industry, the economy and the community at large.
02 Leveraging key champions helps to build relationships of trust and confidence.
03 Involvement in developing mandates and standards offers the opportunity to show where integrated or aligned approaches can reduce the burden of compliance and generate more reliable, useful information.
04 Demonstrating respect and building trust and confidence are essential to maintaining favorable relationships.

Common Sources Of Failure
01 Not identifying individuals with proper skills to serve as the “face of the organization”
02 Not identifying the key individuals with power and/or influence within each stakeholder constituency and knowing what motivates them (individually and collectively)
03 Not communicating sufficiently with stakeholders before they develop requirements that apply to the organization
04 Not providing full information, both good and bad, relevant to stakeholder views of the organization and decisions about requirements

Guidelines and Practices
P7.1 Understand Stakeholders
P7.2 Develop Stakeholder Relations Plans
P7.3 Identify and Track Activity by Requirement Issuing Authorities
P7.4 Comment on Planned or Proposed Items
P7.5 Propose Mandates, Standards or Guidance
Key Deliverables
Plans
Communication and Reporting Plan
Reports
Filings
Enabling Technology Components
Technology Arenas
Corporate Governance (CG), Enterprise Risk Management (ERM)
Business Applications
Contact/Customer Relationship Management (CRM), Documents & Records Management (DRM)
GRC Core Applications
Corporate Compliance (CC), Corporate Social Responsibility (CSR), Employment Compliance Management (EC), Environmental, Health & Safety (EH&S) Management, Ethical Practices/Corporate Integrity (ECI), Information Privacy Management (IPM), Legal Matter Management (LMM), News Feeds (GRC Intelligence), Reporting/eFiling (REF)
P7.1 UNDERSTAND STAKEHOLDERS
Research and analyze the organizations and key individuals involved within various stakeholder constituencies in order to understand their concerns and how best to relate to them.

Core Sub-practices
P7.1.01 Develop an inventory of key stakeholder organizations and categorize by type, including:
• government oversight and regulatory agencies,
• investors,
• insurers and underwriters,
• ratings agencies and exchanges,
• suppliers, extended enterprise partners,
• customers,
• communities of operations, and
• employees, agents, unions.
P7.1.02 Assemble and review available information about each key stakeholder organization including:
• mission, vision and values,
• any statements or documents about relationship with your organization,
• key individuals important to the relationship, and
• any information about ethical conduct or noncompliance issues or concerns.
P7.1.03 Assign ownership for responsibility to keep information about each key stakeholder group current and to inform stakeholder relations executives of any relevant changes.
P7.2 DEVELOP STAKEHOLDER RELATIONS PLANS
Develop stakeholder relations plans, including communications plans, for each stakeholder constituency.

Core Sub-practices
P7.2.01 Identify circumstances and processes where communications to each stakeholder type may be required.
P7.2.02 Develop a high-level communication plan that aligns with existing entity channels of communication and which may be adapted to specific circumstances and requirements.
P7.2.03 Define communication/message interdependencies and how each fits into the overall landscape of other entity communications/messages.
P7.2.04 Determine which role(s) may authorize initiating communications with each stakeholder type or stakeholder group.
P7.2.05 Determine who establishes and approves the content and design of communications for each stakeholder type or individual stakeholder group.
P7.2.06 Determine who delivers, responds to, and interacts with (i.e., the “face of the organization”) each stakeholder type or individual stakeholder group.
P7.2.07 Identify other participants in any process where stakeholder relations are important, including likely coalitions and their expected positions that may influence stakeholder views, and be prepared to respond.
P7.3 IDENTIFY AND TRACK ACTIVITY BY REQUIREMENT ISSUING AUTHORITIES
Determine which government agencies, standards organizations, and other entities that issue mandates, standards or guidance have significant effect on the organization’s GRC requirements and track their activities.

Core Sub-practices
P7.3.01 Document the issuing authorities of key mandates, standards, and guidelines.
P7.3.02 Learn each authority’s internal procedures for developing mandates, standards, and guidance.
P7.3.03 Establish procedures to identify when an authority is planning to propose rules, standards, and guidance before publication.
P7.3.04 Establish procedures to track and review proposed rules, standards, and guidance.
P7.3.05 Build relationships of trust and respect with key personnel within issuing authorities by creating a reputation for providing valuable assistance and reliable, truthful information.
P7.4 COMMENT ON PLANNED OR PROPOSED ITEMS
Actively participate in the development of mandates, standards, and guidance through various comment pathways.

Core Sub-practices
P7.4.01 Meet with issuing authorities to understand and discuss planned items and provide the organization’s viewpoint.
P7.4.02 Provide the issuing authority any relevant data or information that the organization has or may assemble that enables the authority to make a well-reasoned decision.
P7.4.03 Participate where appropriate in hearings and provide testimony regarding formal or planned proposals.
P7.4.04 Provide the issuing authority explanatory documents, proposed language or amendments to language, and alternative drafts.
P7.4.05 Prepare formal written comments on proposed items made available for public comment, which include data and other information that enables the authority to make a well-reasoned review and changes to the proposal if appropriate.
P7.4.06 Provide data and other information to the issuing authority that counters arguments raised by those with different views and interests than the organization.
P7.4.07 Form formal or informal coalitions with entities that share the organization’s viewpoint.
P7.5 PROPOSE MANDATES, STANDARDS OR GUIDANCE
Actively propose development of mandates, standards, and guidance to issuing authorities.

Core Sub-practices
P7.5.01 Meet with issuing authorities to discuss the need for and benefit of proposed items in terms that meet the interests of the authority.
P7.5.02 Develop and make available to the issuing authority any relevant data or information that the organization has or may assemble that enables the authority to make a well-reasoned decision about developing the desired item.
D DETECT & DISCERN
Detect actual and potential undesirable conduct, events, GRC system weaknesses, and stakeholder concerns using a broad network of information gathering and analysis techniques.

D1 Hotline & Notification
D1.1 Capture Notifications
D1.2 Filter and Route Notifications
D1.3 Adhere to Hotline and Data Protection Requirements
D2 Inquiry & Survey
D2.1 Establish Multiple Pathways to Obtain Workforce and Stakeholder Views
D2.2 Establish an Organization-Wide Integrated Approach to Surveys
D2.3 Establish an Integrated Approach to Self-Assessments
D2.4 Gather Information through Observations and Conversations
D2.5 Report Information and Findings
D3 Detective Controls
D3.1 Establish Detective Process Controls
D3.2 Establish Detective Human Capital Controls
D3.3 Establish Detective Physical Controls
D3.4 Establish Detective Technology Controls
D3.5 Consolidate and Analyze Control Findings
D1 HOTLINE & NOTIFICATION
Provide multiple pathways to report suspicions or incidents of noncompliance or unethical conduct, or to identify concerns about GRC system weaknesses.

Principles
01 Encourage stakeholders to raise issues directly with the organization rather than via external channels.
02 Design the capability so stakeholders can trust, without fear of reprisal, that their concerns are taken seriously, and are promptly and objectively assessed and addressed.
03 Promote notification pathways that are appropriate for the local customs and culture.
04 Accommodate the capture of reports made via informal methods and unstructured channels.

Common Sources Of Failure
01 Not establishing sufficient easy-to-use notification pathways consistent with local customs and culture
02 Not informing workforce and stakeholders of all notification pathways
03 Not convincing the workforce that the non-retaliation policy is real
04 Not training management and supervisory personnel to handle and record complaints that may never be “called in”
05 Not defining consistent escalation paths for all notification pathways
06 Not encouraging stakeholders to notify about suspicions and GRC system weaknesses, not just observed misconduct
07 Not taking a concern or issue seriously because it is raised by an individual who frequently makes notifications

Guidelines and Practices
D1.1 Capture Notifications
D1.2 Filter and Route Notifications
D1.3 Adhere to Hotline and Data Protection Requirements
Key Deliverables
Authorizations
External Authorizations, Internal Authorization
Plans
Communication and Reporting Plan

Enabling Technology Components
Technology Arenas
Business Process Management (BPM), Enterprise Content Management (ECM), Enterprise Risk Management (ERM)
Business Applications
Business Activity Monitoring (BAM), Business Rules (BR) Engines, Collaboration/Knowledge Management (KM), Dashboards (GRC Workflow)
GRC Core Applications
Accountability/Responsibility Management (ARM), Crisis Management (CMT), Environmental Monitoring & Reporting (EMR), Fraud Detection & Prevention (FDP), Geo-Political Risk (GPR) Management, Global Trade Compliance (GTC)/International Dealings, Helpline, Hotline/Whistleblower, Legal Matter Management (LMM), Operational Risk Management (ORM), Risk Analytics (RA)
D1.1 CAPTURE NOTIFICATIONS
Implement a notification system that will alert the organization to incidents or suspicions of legal noncompliance, violations of company policies, and concerns about perceived unethical conduct or GRC system weaknesses.

Core Sub-practices
D1.1.01 Use multiple channels:
• in person,
• phone,
• mail,
• email, and
• web.
D1.1.02 Make some channels available 24 hours per day / 7 days per week / 365 days per year.
D1.1.03 Define the notification approach and policy, including the preference for reporting to a supervisor (or other internal route) first or to the hotline first (this may differ based on type of issue and local custom and law).
D1.1.04 Define which channels will be delivered using internal and/or external resources.
D1.1.05 Define procedures for protecting the anonymity of notifiers in jurisdictions where that is required or allowed.
D1.1.06 Make the notification pathways available and accessible to multiple stakeholders:
• employees,
• agents (contract employees acting on behalf of the entity),
• suppliers and customers, and
• the public.
D1.1.07 Communicate the availability of the notification pathways to the workforce and other stakeholders.
D1.1.08 Define procedures for reducing abandonment of initiated notifications, including:
• limiting or disallowing hold time on phone notifications,
• providing multiple language capability, and
• training intended recipients of notifications to treat reporting individuals with respect.
D1.1.09 Define procedures for protecting the confidentiality of all reported information during intake.
D1.1.10 Obtain requisite internal and external approvals or licenses for the defined approach.
D1.1.11 Consistent with local custom and law, create a policy, either separately or as part of the code of conduct, that requires employees to use one of the notification pathways if they observe or know of misconduct.
D1.1.12 Define a policy, either separately or as part of the code of conduct, stating that the organization will not retaliate against individuals who notify the organization about misconduct or GRC system flaws.
D1.1.13 Document the inquiry or issue using a system or method that allows for subsequent analysis.
D1.1.14 Train personnel (particularly those supervisory personnel expected to receive notifications through the open door policy) on how to handle notifications they receive.
D1 HOTLINE & NOTIFICATION
D1.2 FILTER AND ROUTE NOTIFICATIONS
Vet and route notifications for handling, regardless of the pathway through which a given notification is received.
Core Sub-practices
D1.2.01 Create uniform procedures to manage notifications, including:
• taxonomy and uniform vocabulary for types of incidents or concern,
• uniform notification forms or data entry fields,
• issue routing and escalation protocols,
• single ultimate repository for all notifications, and
• methods by which recipients of notifications outside of the hotline process enter information into the repository for processing.
D1.2.02 Define procedures to efficiently review and confirm the validity of notifications.
D1.2.03 Define information retention requirements associated with all notification pathways.
D1.2.04 Track the issue as it flows through the resolution process.
D1.2.05 Establish a procedure to deliver feedback to the notifier so that he or she understands that the issue is being processed or has been resolved.
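An added worked example (not OCEG's code) of how the intake and routing sub-practices above, together with D1.1.05 and D1.1.09 on anonymity and confidentiality at intake, fit together in one notification repository: a uniform record per pathway, a taxonomy-driven routing table, an escalation rule for confirmed cases left open past a service level, per-pathway retention, and status feedback that exposes nothing but the case token. All category names, routes, retention periods and the escalation SLA are constructed assumptions.

```python
"""Hotline notification intake, filtering and routing (added example, not OCEG's code).

Models D1.1.05 and D1.1.09 (anonymity and confidentiality at intake) and D1.2.01
to D1.2.05 (uniform taxonomy and fields, routing and escalation, single repository,
retention, issue tracking, notifier feedback). All category names, routes,
retention periods and the escalation SLA are constructed assumptions.
"""
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

ROUTING = {  # D1.2.01: uniform taxonomy of concern types and owning function (assumed)
    "fraud": "internal_audit",
    "harassment": "hr_investigations",
    "privacy": "privacy_office",
    "grc_weakness": "compliance",
    "other": "compliance",          # anything not in the taxonomy goes to triage
}
ESCALATION_ROUTE = "audit_committee"   # assumed escalation target
ESCALATION_SLA_DAYS = 30               # assumed: confirmed but unresolved this long

# D1.2.03: retention period per notification pathway, in days (assumed values).
RETENTION_DAYS = {"web": 1095, "phone": 1095, "email": 1095, "mail": 730, "in_person": 730}


@dataclass
class Notification:
    """Uniform record for every pathway (D1.2.01 uniform data entry fields)."""
    case_id: str          # opaque token handed back to the notifier (D1.2.05)
    pathway: str
    category: str
    summary: str
    received: date
    retain_until: date
    route: str
    anonymous: bool       # D1.1.05: no contact details were collected
    status: str = "received"
    history: list = field(default_factory=list)   # D1.2.04 issue tracking


class NotificationRepository:
    """D1.2.01: single ultimate repository for all notifications."""
    def __init__(self) -> None:
        self._cases: dict = {}
        # D1.1.09: contact details live apart from the case record, so case handling
        # and reporting only ever see the case_id (restricted access in a real system).
        self._contacts: dict = {}

    def intake(self, pathway: str, category: str, summary: str,
               received: date, contact: Optional[str] = None) -> Notification:
        if pathway not in RETENTION_DAYS:
            raise ValueError(f"unknown pathway: {pathway}")
        category = category if category in ROUTING else "other"
        case = Notification(
            case_id=secrets.token_hex(8),
            pathway=pathway,
            category=category,
            summary=summary,
            received=received,
            retain_until=received + timedelta(days=RETENTION_DAYS[pathway]),
            route=ROUTING[category],
            anonymous=contact is None,
        )
        case.history.append(f"{received:%Y-%m-%d} received via {pathway}, routed to {case.route}")
        self._cases[case.case_id] = case
        if contact is not None:
            self._contacts[case.case_id] = contact
        return case

    def confirm(self, case_id: str, valid: bool, day: date) -> Notification:
        """D1.2.02: review and confirm validity before handling proceeds."""
        case = self._cases[case_id]
        case.status = "confirmed" if valid else "closed_invalid"
        case.history.append(f"{day:%Y-%m-%d} validity review: {case.status}")
        return case

    def escalate_overdue(self, today: date) -> list:
        """D1.2.01 escalation protocol: confirmed cases still open past the SLA."""
        escalated = []
        for case in self._cases.values():
            if case.status == "confirmed" and (today - case.received).days > ESCALATION_SLA_DAYS:
                case.route, case.status = ESCALATION_ROUTE, "escalated"
                case.history.append(f"{today:%Y-%m-%d} escalated to {ESCALATION_ROUTE}")
                escalated.append(case.case_id)
        return escalated

    def feedback(self, case_id: str) -> str:
        """D1.2.05: the status a notifier can retrieve with nothing but the case token."""
        case = self._cases.get(case_id)
        return f"case {case_id}: {case.status}" if case else "unknown case"

    def purge_expired(self, today: date) -> int:
        """D1.2.03: drop cases (and any contact details) past their retention date."""
        expired = [cid for cid, c in self._cases.items() if c.retain_until <= today]
        for cid in expired:
            self._cases.pop(cid)
            self._contacts.pop(cid, None)
        return len(expired)
```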
D1 HOTLINE & NOTIFICATION
D1.3 ADHERE TO HOTLINE AND DATA PROTECTION REQUIREMENTS
Ensure that the hotline pathway for notification complies with specific requirements established in the locale where the notice originates and where the organization operates.
Core Sub-practices
D1.3.01 Define whether the hotline (for reporting concerns) and helpline (for questions) are combined or separate.
D1.3.02 Determine whether an anonymous reporting system is required, allowed, or not allowed in a given location or circumstance, and design the hotline accordingly.
D1.3.03 Understand data protection and privacy requirements globally applicable to your organization and design the approach so that the hotline complies with all applicable mandates.
D1.3.04 Establish separate hotlines, or routing approaches, as needed to comply with different legal requirements based on the locale of the notifier and of the organization.
D2 INQUIRY & SURVEY
Periodically seek input to understand perceptions of risk, progress toward objectives, and the occurrence of undesirable events and activities.
Principles
01 Create opportunities to ask various stakeholders about concerns and organizational culture, to increase the likelihood of internally discovering issues.
02 Make workforce and stakeholders feel their views are valued by considering all feedback and taking appropriate corrective actions.
03 Use the information gained to address issues, build workforce confidence and belief in the organization's commitment to values, and improve GRC systems.
04 Communicate the importance of stakeholder feedback.
05 Avoid any actual or perceived connection between an individual's response and his/her performance assessment.
Common Sources Of Failure
01 Not gathering views and information from all relevant target audiences and coordinating efforts to avoid survey/self-assessment fatigue
02 Not defining the important questions to ask based on risk assessment, timing and target audiences
03 Not consolidating, comparing and reconciling information obtained from various methods
04 Not flowing information gained into appropriate aspects of the GRC system, including risk assessments, issue management or investigation, or system improvement processes
Guidelines and Practices (Red Book 2.0 - GRC Capability Model)
D2.1 Establish Multiple Pathways to Obtain Workforce and Stakeholder Views
D2.2 Establish an Organization-Wide Integrated Approach to Surveys
D2.3 Establish an Integrated Approach to Self-Assessments
D2.4 Gather Information through Observations and Conversations
D2.5 Report Information and Findings
Key Deliverables
Plans
Communication and Reporting Plan
Reports
Findings and Recommendations Report
Enabling Technology Components
Technology Arenas
Enterprise Content Management (ECM)
Business Applications
Documents & Records Management (DRM), Employee Evaluations & Surveys (EES)
GRC Core Applications
Environmental Monitoring & Reporting (EMR), Helpline, Hotline/Whistleblower, Legal Matter Management (LMM)
D2 INQUIRY & SURVEY
D2.1 ESTABLISH MULTIPLE PATHWAYS TO OBTAIN WORKFORCE AND STAKEHOLDER VIEWS
Define opportunities for obtaining workforce and stakeholder views about risk, the GRC system, conduct and organizational commitment to its stated values.
Core Sub-practices
D2.1.01 Use key meetings or conversations with target audiences (employee council, analyst briefings, customer / business partner advisory groups, lessons learned sessions, knowledge sharing sessions, government relations meetings, ratings agency reviews, audits) to gain information.
D2.1.02 Institute opportunities for formal individual workforce conversations.
D2.1.03 Encourage informal conversations and establish an open door policy.
D2 INQUIRY & SURVEY
D2.2 ESTABLISH AN ORGANIZATION-WIDE INTEGRATED APPROACH TO SURVEYS
Establish a survey approach that reduces the burden on survey subjects and provides a consolidated view of information obtained from the workforce and other stakeholders.
Core Sub-practices
D2.2.01 Define key surveys and target audiences.
D2.2.02 Inventory existing surveys and analyze timing and content.
D2.2.03 Map desired surveys to existing surveys for content and audiences.
D2.2.04 Determine opportunities to consolidate or retire surveys.
D2.2.05 Determine gaps in existing surveys as against desired surveys.
D2.2.06 Develop additional necessary surveys.
D2.2.07 Define the maximum number of surveys that an individual should receive in any quarter.
D2.2.08 Establish an integrated calendar of surveys.
D2.2.09 Determine appropriate methods to increase survey response rates and candor for each survey:
- method of delivery of survey (electronic, telephone, paper),
- opportunity to respond anonymously,
- incentive or reward for participating, or
- mandating completion.
D2 INQUIRY & SURVEY
D2.3 ESTABLISH AN INTEGRATED APPROACH TO SELF-ASSESSMENTS
Establish a self-assessment approach that integrates assessment of GRC system-related responsibilities and outcomes with other self-assessments imposed on management.
Core Sub-practices
D2.3.01 Define key self-assessments and target audiences.
D2.3.02 Inventory existing self-assessment requirements and analyze timing and content.
D2.3.03 Map desired self-assessments to existing ones for content coverage.
D2.3.04 Determine opportunities to consolidate or retire self-assessments.
D2.3.05 Determine gaps in existing self-assessments to address GRC assessment needs.
D2.3.06 Develop additional necessary self-assessment questions.
D2.3.07 Establish an integrated calendar of self-assessments.
D2 INQUIRY & SURVEY
D2.4 GATHER INFORMATION THROUGH OBSERVATIONS AND CONVERSATIONS
Establish informal methods of gathering views through observations, group meetings, focus groups and individual conversations.
Core Sub-practices
D2.4.01 Determine opportunities to gather views through existing scheduled meetings with various stakeholder groups.
D2.4.02 Coordinate the scheduling of any focus groups or other meetings established for the purpose of discussing GRC issues.
D2.4.03 Establish a method for capturing information gathered by management during conversations and informal interactions with members of the workforce or other stakeholders about their views.
D2.4.04 Establish methods to observe workforce behavior and glean information about attitudes and beliefs regarding organizational commitment to values and the GRC system.
D2 INQUIRY & SURVEY
D2.5 REPORT INFORMATION AND FINDINGS
Provide information and findings from all methods of inquiry to management.
Core Sub-practices
D2.5.01 Analyze information and findings to identify and refer any issues requiring immediate attention.
D2.5.02 Analyze information and findings to identify and refer information relevant to risk analysis and optimization choices.
D2.5.03 Analyze information and findings to identify and refer for improvement any GRC system weaknesses.
D2.5.04 Document inquiries or issues using a system or method that allows for subsequent tracking and further analysis.
D3 DETECTIVE CONTROLS
Establish process, human capital, technology and physical control activities to detect adverse events and conduct, as well as weaknesses in the GRC system.
Principles
01 Detective controls should detect actual adverse events and indications of opportunity for potential adverse events (e.g., the lock on the safe is not locked).
02 Define dashboards, alerts and reports at an appropriate level of detail/abstraction for the scope of responsibility of the intended audience, to minimize the cost of finding information and increase the ability to respond efficiently.
Common Sources Of Failure
01 Not designing and implementing detective controls based on the priorities and timing in the risk optimization plan
02 Not establishing a broad network of information sources to identify potential adverse events and weaknesses
03 Not capturing and analyzing information generated by preventive controls and other activities
Guidelines and Practices
D3.1 Establish Detective Process Controls
D3.2 Establish Detective Human Capital Controls
D3.3 Establish Detective Physical Controls
D3.4 Establish Detective Technology Controls
D3.5 Consolidate and Analyze Control Findings
Key Deliverables
Descriptions
Exit Interview Checklist
Internal Standards
Control Taxonomy
Reports
Filings, Findings and Recommendations Report
Enabling Technology Components
Technology Arenas
Enterprise Risk Management (ERM), Security Management (SM)
Business Applications
Business Activity Monitoring (BAM), Business Rules (BR) Engines, Corporate Performance Management (CPM), Dashboards (GRC Workflow), Documents & Records Management (DRM), Legal Entity Management (LEM), Loss Management (LM), Quality Management & Monitoring (QMM)
GRC Core Applications
Controls Management & Monitoring (CMM), Crisis Management (CMT), Fraud Detection & Prevention (FDP), Geo-Political Risk (GPR) Management, Global Trade Compliance (GTC)/International Dealings, Hotline/Whistleblower, Information Privacy Management (IPM), Information Technology Risk & Compliance (ITRC) Management, Operational Assurance & Audit (OAA), Operational Risk Management (ORM), Risk Analytics (RA), Transaction Monitoring (TRM)
Infrastructure
Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR), Enterprise Architecture Standards (EAS), Identity and Access Management (IAM), Physical Security (PS), Retention & Storage Management (RSM), Systems Log Management (SLM)
D3 DETECTIVE CONTROLS
D3.1 ESTABLISH DETECTIVE PROCESS CONTROLS
Establish process control activities and procedures that detect adverse events, noncompliance and misconduct.
Core Sub-practices
D3.1.01 Establish detective process control activities based on analysis of financial transactions by frequency, size, location and other factors that may indicate unethical, fraudulent or noncompliant conduct.
D3.1.02 Establish detective controls based on monitoring of the movement and use of physical assets that may indicate unethical, fraudulent or noncompliant conduct.
D3.1.03 As warranted by the risk analysis, define appropriate continuous monitoring controls.
D3 DETECTIVE CONTROLS
D3.2 ESTABLISH DETECTIVE HUMAN CAPITAL CONTROLS
Establish human capital control activities and procedures that detect adverse events, noncompliance and misconduct.
Core Sub-practices
D3.2.01 Use a performance review checklist for individuals that:
• asks whether the individual has observed misconduct while employed,
• inquires into suspicions of misconduct or opportunities for misconduct,
• inquires into feelings about the effectiveness of the GRC system and any apparent weaknesses,
• determines feelings toward the organization, management and immediate supervisors, and
• determines belief in the organization's commitment to stated values and policies.
D3.2.02 Use an exit interview checklist for individuals that:
• verifies all organization assets are returned,
• asks whether the individual observed or suspected any compliance failure, unethical conduct, unequal or biased response or discipline for misconduct, or uncontrolled risks,
• inquires into feelings about the effectiveness of the GRC system and any apparent weaknesses,
• determines feelings of the departing individual toward the organization, management and immediate supervisors, and
• advises how to report concerns or issues after separation.
D3.2.03 Augment or revise the prioritized risk matrix and risk optimization plan to reflect:
• implemented human capital controls,
• revised current residual risk analysis, and
• performance against planned residual risk.
D3 DETECTIVE CONTROLS
D3.3 ESTABLISH DETECTIVE PHYSICAL CONTROLS
Install physical controls necessary to provide surveillance of physical preventive controls and areas where noncompliance or unethical conduct can be physically observed.
Core Sub-practices
D3.3.01 Establish surveillance mechanisms (cameras or personnel) in high security or threat areas (e.g., hazardous materials storage, server locations, remote parking lots, etc.) to detect tampering, violence, theft, etc.
D3.3.02 Establish mechanisms (electronic or human) to monitor entry/exit in high security areas.
D3.3.03 Provide necessary protection of privacy and notification of surveillance where required or determined by policy to be appropriate.
D3.3.04 Establish silent, audible, and/or visual alarm systems to communicate the detection of breaches of preventive controls and emergencies.
D3.3.05 Establish mechanisms to track the location of high-value assets or inventory to detect their unauthorized movement (e.g., RFID systems).
D3.3.06 Use mechanisms to detect the presence or absence of environmental conditions outside acceptable targets or thresholds (e.g., smoke alarms, chemical sniffers, emissions monitors, water quality monitoring systems, refrigeration thermostats, vacuum seal pressure sensors, etc.).
D3.3.07 Establish mechanisms to detect the presence or absence of workforce and visitors on organizational premises to determine the need to attempt rescue of such individuals, contact family, or other responses.
D3.3.08 Use mechanisms (electronic or manual badges) to distinguish between workforce, visitors, and unknown individuals on organizational premises so people or systems may detect inappropriate or unauthorized presence or activities.
D3 DETECTIVE CONTROLS
D3.4 ESTABLISH DETECTIVE TECHNOLOGY CONTROLS
Implement and monitor automated detective technology controls to promptly identify actual or potential misconduct.
Core Sub-practices
D3.4.01 Monitor detective technology control indicators to identify actual or potential misconduct or noncompliance, including those applied to:
• physical access and surveillance,
• system access controls,
• master data controls,
• transaction controls,
• operational controls,
• audit trails and log analysis,
• testing activities,
• performance reporting, and
• initiative progress, status and risk reporting.
D3.4.02 Respond to alerts, notifications, and indications of threshold variances.
D3 DETECTIVE CONTROLS
D3.5 CONSOLIDATE AND ANALYZE CONTROL FINDINGS
Consolidate and analyze all information gathered through various means of detection to identify patterns of misconduct, adverse events and other weaknesses that would otherwise go unnoticed.
Core Sub-practices
D3.5.01 Perform analysis on gathered data.
D3.5.02 Document issues using a system or method that allows for subsequent tracking and further analysis.
D3.5.03 Complete official required forms or reports.
D3.5.04 Deliver forms, reports, and undocumented information and analysis (if any) according to reporting responsibilities.
D3.5.05 Engage appropriate Respond and Resolve elements for identified issues.
D3.5.06 Compare results of analysis with internal benchmarks (another department, business unit, etc.).
D3.5.07 Compare results of analysis with external benchmarks (peer organization, industry index, etc.).
© 2003 - 2009 OPEN COMPLIANCE & ETHICS GROUP
R RESPOND & RESOLVE
Respond to and recover from noncompliance and unethical conduct events, or GRC system failures, so that the organization resolves each immediate issue and prevents or resolves similar issues more effectively and efficiently in the future.
R1 Internal Review & Investigation
R1.1 Define the Inquiry and Investigation Process
R1.2 Prepare to Investigate
R1.3 Conduct Investigations
R1.4 Report Results of Investigations
R2 Third-Party Inquiries & Investigations
R2.1 Prepare for and Address Third Party Inquiries
R2.2 Prepare to Identify Third Party Investigations
R2.3 Prepare to Manage Third Party Investigations
R2.4 Prepare to Select Internal Team for Third-Party Investigation
R2.5 Prepare to Respond to Specific Third-Party Investigations
R3 Corrective Controls
R3.1 Establish Corrective Process Controls
R3.2 Establish Corrective Human Capital Controls
R3.3 Establish Corrective Technology Controls
R3.4 Establish Corrective Physical Controls
R3.5 Monitor and Report Corrective Controls
R4 Crisis Response, Continuity and Recovery
R4.1 Develop Crisis Response and Continuity Plans
R4.2 Identify Crisis Readiness and Response Teams
R4.3 Test Plans and Procedures
R4.4 Coordinate Plans
R5 Remediation & Discipline
R5.1 Remediate the GRC System
R5.2 Discipline Individuals
R5.3 Disclose Issue Resolution
R1 INTERNAL REVIEW & INVESTIGATION
Review and be prepared to investigate allegations or indications of misconduct or GRC system failures to understand the facts, circumstances, root causes and appropriate resolution.
Principles
01 People need to have confidence in the process so that they will report incidents and cooperate in investigations.
02 The process must be nimble enough to address regional and situational differences in meeting legal mandates.
03 The Board and senior management should never be blind-sided, but instead must know, in a timely fashion, about an issue that can significantly affect the organization.
04 Information from the issue resolution process should flow seamlessly into processes for identifying and correcting GRC systemic weaknesses.
Common Sources Of Failure
01 Not establishing sufficient channels of various types for reporting of incidents and concerns
02 Not having a tiered approach for responding to issues that have different levels of potential impact on the organization
03 Not having appropriate procedures in place to timely:
• Capture and validate incidents,
• Categorize incidents in a defined taxonomy,
• Escalate incidents for priority investigation,
• Identify need for in-house or external legal investigation,
• Ensure appropriate confidentiality of information and determine privilege,
• Ensure appropriate protection of anonymity and non-retaliation for reporters,
• Preserve records and other evidence (document hold),
• Complete required reporting or provide notice to outside parties, and
• Determine the need and timing to suspend any business operations
04 Not having investigators with the right skills, knowledge and authority
05 Not informing interviewees about legal representation and potential use of information
06 Not coming to a conclusion about the root cause(s) of the problem
Red Book 2.0 - GRC Capability Model
Guidelines and Practices
R1.1 Define the Inquiry and Investigation Process
R1.2 Prepare to Investigate
R1.3 Conduct Investigations
R1.4 Report Results of Investigations
Key Deliverables
Plans
Investigation Management Plan
Reports
Filings, Findings and Recommendations Report
Enabling Technology Components
Technology Arenas
Enterprise Content Management (ECM)
Business Applications
Business Activity Monitoring (BAM), Documents & Records Management (DRM), Email Management (EM), Loss Management (LM)
GRC Core Applications
Audit Analytics (AA), Crisis Management (CMT), Discovery (eDiscovery), Enterprise Risk Assessment (ERA), Environmental Monitoring & Reporting (EMR), Fraud Detection & Prevention (FDP), Global Trade Compliance (GTC)/International Dealings, Information Technology Audit (ITA), Insurance & Claims Management (ICM), Legal Matter Management (LMM), Operational Assurance & Audit (OAA), Operational Risk Management (ORM), Risk Analytics (RA)
Infrastructure
Retention & Storage Management (RSM)
R1 INTERNAL REVIEW & INVESTIGATION
R1.1 DEFINE THE INQUIRY AND INVESTIGATION PROCESS
Establish procedures for inquiring further into, and investigating, complaints or reports about compliance or ethical issues, as well as for issues detected during ongoing monitoring or periodic evaluation of the GRC system.
Core Sub-practices
R1.1.01 Establish a core team to process issues that are identified by complaints, expressions of concern, or other methods (additional parties may be involved on a case-by-case basis to address specific types of issues as they arise).
R1.1.02 Define a procedure to ensure that alleged perpetrators are not involved in the processing of the issue and are removed from involvement at any point at which they are identified as potential targets of an investigation.
R1.1.03 Develop and use taxonomies for classifying reported or identified issues and their severity level.
R1.1.04 Establish an initial screening process to separate issues that can be quickly resolved from those that may need investigation.
R1.1.05 Define issue management methodology including these key steps:
• recording and categorizing an issue or question (routing of questions for answers) upon intake,
• confirmation / validation of an issue,
• analysis of an issue,
• investigation of an issue,
• escalation of an issue,
• resolution of issue, and
• referral for remediation / discipline of individuals.
R1.1.06 Define policies and procedures for determining when and how to protect the confidentiality and anonymity of notifiers in accordance with applicable legal mandates.
R1.1.07 Define policies and procedures for protecting the confidentiality of all reported information that aligns to applicable legal mandates.
R1.1.08 Define “investigation tiers” that identify who will address issues of particular scope and type.
R1.1.09 Define categories of issues that are escalated to the Board or a Board committee immediately upon validation, such as those that are at the “crisis” level due to impact on the organization and/or allegations of senior management wrongdoing.
R1.1.10 Define categories of issues that are significant enough to be escalated to senior management and/or outside counsel immediately upon validation, due to the material nature of the potential effect on the organization.
R1.1.11 Define categories of issues that are serious enough to be addressed in special investigations by designated investigators immediately upon validation, due to the nature of the potential effect on the organization, for which specific procedures are established.
R1.1.12 Define categories of issues that are anticipated in the course of business and which may be addressed based on recommendations of initial investigators by line management using specifically established procedures.
R1.1.13 Define template plans for standard and special investigations of common issues within each investigation tier addressing:
• processing rules,
• provision of counsel rules,
• privilege rules,
• record retention rules,
• escalation rules,
• internal and external reporting rules, and
• investigation management rules (need for outside legal counsel or special in-house investigators).
R1.1.14 Periodically conduct review of reported data to determine trends, trouble spots, and controls in need of revisions, looking for concentrated patterns by:
• geography,
• specific location,
• job/role,
• employee level,
• employee type (exempt vs. nonexempt vs. temporary), and
• supervisor.
R1 INTERNAL REVIEW & INVESTIGATION
R1.2 PREPARE TO INVESTIGATE
Prepare to undertake the activities of the investigation phase of the issue resolution process.
Core Sub-practices
R1.2.01 Define the scope of the planned investigation.
R1.2.02 Place issue into a particular investigation tier.
R1.2.03 Determine whether there is an obligation to immediately disclose the issue to the Board, independent auditors or regulatory agencies.
R1.2.04 Determine if investigation will be conducted under privilege in accordance with established tier rules.
R1.2.05 Define the investigation team, roles/responsibilities for each team member and the team leader taking into account the topic and scope of the investigation.
R1.2.06 Define the need for outside assistance in accordance with established tier rules, including:
• counsel,
• accountants,
• forensic experts, and
• technical consultants.
R1.2.07 Document a finding of no self-interest (or conflict) in the outcome on the part of any team member.
R1.2.08 Define internal management that is responsible for oversight of the investigation.
R1.2.09 Prepare investigation management plan (documents to obtain, interviews to conduct, data to analyze, anticipated reports and audience, budget, and rules of evidence to follow).
R1.2.10 Initiate any requisite document holds in accordance with established tier rules.
R1.2.11 If necessary, inform management of the need to suspend any relevant business processes (trading, etc.) in accordance with established tier rules.
R1.2.12 Define which stakeholders will be informed about the results of the investigation and by what methods.
R1.2.13 Define a procedure for preserving privilege as necessary during and after completion of the investigation in accordance with established tier rules.
R1.2.14 Identify possible facts, events or circumstances that, if discovered, may require expansion of the original scope of the investigation and arrange for timely review of any discovered.
R1.2.15 Define a procedure and protocols to coordinate the investigation with other departments in accordance with established tier rules, including:
• public relations,
• investor relations,
• marketing,
• HR and human capital management, and
• business unit and line management.
R1 INTERNAL REVIEW & INVESTIGATION
R1.3 CONDUCT INVESTIGATIONS
Conduct investigations consistent with the plan and communicate with relevant stakeholders while maintaining appropriate privileged status.
Core Sub-practices
R1.3.01 Notify employees who will be interview subjects.
R1.3.02 Remind individuals involved, whether as the notifier, accused or interviewee, that legal counsel and investigators represent the entity and not them individually.
R1.3.03 Request and obtain documents, electronic data and other information.
R1.3.04 Respond to document requests.
R1.3.05 Analyze documents, data, and interview information to draw conclusions.
R1.3.06 Determine which conclusions should be documented and which should be presented verbally.
R1.3.07 Track list of items being maintained as privileged.
R1.3.08 Track information that will be released as non-privileged, indicating that the release is intentional and controlled.
R1.3.09 Identify root cause(s) of issue requiring investigation.
R1 INTERNAL REVIEW & INVESTIGATION
R1.4 REPORT RESULTS OF INVESTIGATIONS
Communicate investigation results to appropriate management, oversight bodies and, as appropriate, to other stakeholders and regulators.
Core Sub-practices
R1.4.01 Communicate results and recommendations to appropriate management, oversight bodies and other stakeholders in accordance with established tier rules.
R1.4.02 Communicate any findings of material impact (or potential thereof) to the audit committee of the Board.
R1.4.03 If required, or determined appropriate under established tier rules, file external reports and disclosures with regulatory agencies.
R1.4.04 Document rationale of those with requisite authority for any recommendation not being pursued.
R2 THIRD-PARTY INQUIRIES & INVESTIGATIONS
Manage and respond to external inquiries and investigations.
Principles
01 A culture of cooperation with third-party inquiries and investigations can help to control the scope and the ultimate impact on the organization.
02 The fact that there is an ongoing external investigation, and its ultimate findings, should not be a surprise to the Board and management.
03 Cooperation does not mean capitulation and the organization may protect itself and its information during an external investigation.
04 Being prepared to respond to an investigation will minimize its business disruption.
Common Sources Of Failure
01 Not having an effective system for responding to external inquiries before they become hostile investigations
02 Not being prepared for surprise investigations that involve the sudden appearance of investigators onsite and seizing of documents or premises
03 Not having the right people in the organization aware of a third party investigation soon enough to afford full protection to the organization
04 Not determining the appropriate level of cooperation in conjunction with the advice of counsel and other advisors
05 Not keeping track of all information provided to external investigators
06 Not appreciating that inquiries may be precursors to civil or criminal investigations
Guidelines and Practices
R2.1 Prepare for and Address Third Party Inquiries
R2.2 Prepare to Identify Third Party Investigations
R2.3 Prepare to Manage Third Party Investigations
R2.4 Prepare to Select Internal Team for Third-Party Investigation
R2.5 Prepare to Respond to Specific Third-Party Investigations
Key Deliverables
Plans
Investigation Management Plan
Reports
Filings, Findings and Recommendations Report
Enabling Technology Components
Technology Arenas
Assurance & Audit Management (AAM), Enterprise Content Management (ECM)
Business Applications
Documents & Records Management (DRM), Email Management (EM), Loss Management (LM)
GRC Core Applications
Audit Analytics (AA), Discovery (eDiscovery), Enterprise Risk Assessment (ERA), Environmental Monitoring & Reporting (EMR), Financial Assurance & Audit (FAA), Fraud Detection & Prevention (FDP), Global Trade Compliance (GTC)/International Dealings, Information Technology Audit (ITA), Insurance & Claims Management (ICM), Legal Matter Management (LMM)
Infrastructure
Retention & Storage Management (RSM)
R2 THIRD-PARTY INQUIRIES & INVESTIGATIONS
R2.1 PREPARE FOR AND ADDRESS THIRD PARTY INQUIRIES
Identify and respond to questions from third parties.
Core Sub-practices
R2.1.01 Establish multiple pathways for intake of third party questions including, but not limited to, an anonymous helpline.
R2.1.02 Establish procedures to screen incoming third party questions, including:
• determine if initial questions are part of an ongoing investigation,
• refer inquiries to in-house or external counsel, and
• assign non-investigative questions to appropriate person for timely response or discussion (or refusal to provide information).
R2.1.03 Establish accepted answers to expected questions that may be provided without further review or approval, via helpline or otherwise.
R2.1.04 Establish a list of types of questions requiring referral to in-house legal counsel or that will not be answered without a decision by counsel.
R2 THIRD-PARTY INQUIRIES & INVESTIGATIONS
R2.2 PREPARE TO IDENTIFY THIRD PARTY INVESTIGATIONS
Establish methods to ensure the right people know about initiated third party investigations.
Core Sub-practices
R2.2.01 Establish procedures to ensure that questions posed to the organization via a helpline or other method, that are identified as part of or precursor to a third party investigation, are forwarded to appropriate personnel responsible for vetting such investigations.
R2.2.02 Establish policies and procedures to require internal reporting of knowledge of non-standard third party inquiries, or investigations, to appropriate management personnel.
R2.2.03 Establish monitoring of external sources to identify onset of a third party investigation when possible.
R2.3 PREPARE TO MANAGE THIRD PARTY INVESTIGATIONS Establish policies, procedures, and responsibility for managing various types of third party investigations. Core Sub-practices
R2.3.01 Establish an inventory of the types of possible third party investigations and assign management responsibility for each type (overall or within specific areas of risk concern and/or parts of the organization), including:
• compliance audit of the organization as a vendor,
• routine regulatory investigations,
• regulatory investigations that relate to possible civil or criminal violations,
• private party investigations related to litigation or legal claims,
• external stakeholder investigations including investors, lenders, underwriters, listing agents,
• grand jury investigations, and
• physical site or document seizures by government enforcement agents.
R2.3.02 Determine and document organizational rights and procedural safeguards in the context of each anticipated type of investigation based on the investigating authority and legal basis of the investigation, taking privilege and confidentiality needs into account.
R2.3.03 Establish policies and procedures to follow at the onset of each identified type of investigation including:
• procedures for establishing an internal response team and team leader,
• procedures for responding to interview requests and subpoenas,
• procedures for responding to document requests and subpoenas,
• procedures for responding to information that former employees or other stakeholders have been contacted for interviews or documents, and
• procedures for responding to sudden on site presence of investigators demanding documents or seizure of the premises.
R2.3.04 Establish procedures to disclose the existence of a particular type of investigation to the Board, independent auditors, regulatory agencies, creditors or insurers whenever there is an obligation to do so under agreements, contracts or established policies and procedures, and ensure disclosure meets any timing requirements.
R2.3.05 Establish procedures to quickly inform senior management and the Board or audit committee of any investigation whose outcome may be material to the organization, implicate wrongdoing by any member of management, indicate criminal wrongdoing by anyone in the organization, or lead to potential reputational damage, taking privilege and confidentiality needs into account.
R2.3.06 Establish procedures to inform those responsible for managing the public relations and stakeholder relations of the organization about investigations as soon as possible and, to the extent necessary, within the context of a privileged discussion.
R2.3.07 Prepare methods for determining privilege, privacy and confidentiality issues that may need to be addressed with investigators.
R2.3.08 Prepare methods for determining conflicts of interest of individuals involved in the investigation from either the organization or the investigating body.
R2 THIRD-PARTY INQUIRIES & INVESTIGATIONS
R2.4 PREPARE TO SELECT INTERNAL TEAM FOR THIRD-PARTY INVESTIGATION Establish procedures for selecting the team of individuals that will represent the organization during a specific investigation. Core Sub-practices
R2.4.01 Establish initial lists of the people (roles) responsible for implementing or overseeing the procedures set for each type of investigation, considering that:
• different people may be identified for investigations into different risk areas or parts of the organization,
• different people may head up the team depending on the type of investigation, and
• some investigations will need to be completely managed by external legal counsel.
R2.4.02 Establish a list of outside counsel selected or approved in advance to be consulted when the need for counsel in a particular type of investigation arises, and establish procedures to engage such counsel if the need arises.
R2.4.03 Utilize the established rules, policies and procedures for the type of investigation to determine which people within the organization will be responsible for overseeing the organization’s role in the investigation, dealing directly with investigators, and leading the internal investigation team.
R2.4.04 Establish procedures to screen all selected team members to ensure no conflict of interest or bias in the type of investigation and continually revisit as information arises.
R2.4.05 Establish policies that ensure team members have clear authority and that their authority will be expressed to all personnel who may have to respond to their requests for information, documents, or interviews.
R2.4.06 Establish policies and procedures that ensure team members are relieved of other duties as necessary to provide time required to participate effectively in the investigation.
R2 THIRD-PARTY INQUIRIES & INVESTIGATIONS
R2.5 PREPARE TO RESPOND TO SPECIFIC THIRD-PARTY INVESTIGATIONS Establish procedures for developing a response to a specific investigation. Core Sub-practices
R2.5.01 Establish procedures to determine whether there is an obligation to immediately disclose the existence of a specific investigation to the Board, independent auditors, regulatory agencies, creditors or insurers under agreements, contracts or established policies and procedures.
R2.5.02 Prepare a standard response management plan for each type of investigation, which may be modified based on the facts and circumstances of the specific investigation, and which addresses procedures to:
• collect or identify all requested documents and data and initiate document holds to stop any routine destruction or removal,
• document exactly what is provided to the third party,
• track information that will be released as non-privileged, indicating that the release is intentional and controlled,
• track the list of released items being maintained as privileged,
• determine the individuals who will need to be interviewed to fulfill investigation requests, both current personnel of the organization and former employees or agents,
• determine if any requests for information will be refused and develop that response under legal review,
• determine the need to negotiate confidentiality agreements regarding certain information to be delivered to the third party and whether the organization needs to seek to provide any privileged information under seal,
• inform individuals involved in the investigation as witnesses, interviewees or otherwise that in-house and outside counsel represent only the organization and not them individually, and document that they understand, and
• internally and externally communicate investigation results and recommended actions.
R3 CORRECTIVE CONTROLS
Establish process, human capital, technology and physical control activities to correct undesirable consequences that result from adverse events, activities and conduct.
Principles
01 A well designed system of controls should include corrective controls to stop, slow and recover from an adverse event.
02 Corrective controls should provide feedback about how to improve the prevention and detection of future adverse events.
Common Sources Of Failure
01 Not correcting both the immediate adverse impact as well as the root cause of the adverse impact.
02 Excessive reliance on discretionary controls that require human intervention or decision, which increases vulnerability.
03 Not establishing an audit trail to track when corrective control activities are performed.
Guidelines and Practices
R3.1 Establish Corrective Process Controls
R3.2 Establish Corrective Human Capital Controls
R3.3 Establish Corrective Technology Controls
R3.4 Establish Corrective Physical Controls
R3.5 Monitor and Report Corrective Controls
Key Deliverables
Matrices
Risk / Control Matrix
Plans
Corrective Control Activity Plan
Reports
Corrective Action Report
Enabling Technology Components
Technology Arenas
Assurance & Audit Management (AAM) , Security Management (SM)
Business Applications
Brand & Reputation Management (BRM), Loss Management (LM), Policy & Procedure Management (P&P) , Quality Management & Monitoring (QMM) , Strategic Planning (SP) , Supply Chain & Procurement Management (SCM) , Transaction Management (TM)
GRC Core Applications
Controls Management & Monitoring (CMM) , Crisis Management (CMT) , Environmental Monitoring & Reporting (EMR) , Financial Assurance & Audit (FAA) , Geo-Political Risk (GPR) Management , Information Technology Audit (ITA) , Information Technology Risk & Compliance (ITRC) Management , Transaction Monitoring (TRM)
Infrastructure
Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR) , Identity and Access Management (IAM) , Physical Security (PS) , Systems Log Management (SLM)
R3 CORRECTIVE CONTROLS
R3.1 ESTABLISH CORRECTIVE PROCESS CONTROLS Establish corrective process control activities to stop, slow and recover from adverse events, and deter future adverse events. Core Sub-practices
R3.1.01 Establish process control activities that stop and/or slow the adverse event.
R3.1.02 Establish process control activities that restore the system to a stable state.
R3.1.03 Establish process control activities that deter future potential adverse events.
R3 CORRECTIVE CONTROLS
R3.2 ESTABLISH CORRECTIVE HUMAN CAPITAL CONTROLS Establish corrective human capital controls that stop, slow and recover from adverse events, and deter future adverse events. Core Sub-practices
R3.2.01 Establish controls to suspend the authority of personnel involved in or related to adverse events.
R3.2.02 Establish controls to modify or override reporting structures once adverse events are detected.
R3.2.03 Establish procedures to assemble corrective action teams once adverse events are detected.
R3 CORRECTIVE CONTROLS
R3.3 ESTABLISH CORRECTIVE TECHNOLOGY CONTROLS Establish corrective technology controls that stop, slow and recover from adverse events, and deter future adverse events. Core Sub-practices
R3.3.01 Establish controls to eliminate or restrict access to appropriate technology once adverse events are detected.
R3.3.02 Establish controls to suspend appropriate processing activities once adverse events are detected.
R3.3.03 Establish controls to hold and archive appropriate information and documents once adverse events are detected.
R3 CORRECTIVE CONTROLS
R3.4 ESTABLISH CORRECTIVE PHYSICAL CONTROLS Establish corrective physical controls that stop, slow and recover from adverse events, and deter future adverse events. Core Sub-practices
R3.4.01 Establish controls that secure and restrict access to appropriate physical assets once adverse events are detected.
R3.4.02 Establish controls to lock down appropriate buildings and facilities once adverse events are detected.
R3.4.03 Establish controls to "harden" physical infrastructure once adverse events are detected, including:
• barriers,
• reinforcements, and
• containment.
R3.4.04 Establish controls to stop or slow the impact of adverse events on physical assets (e.g., fire extinguishers).
R3 CORRECTIVE CONTROLS
R3.5 MONITOR AND REPORT CORRECTIVE CONTROLS Monitor and report the progress of corrective control activities. Core Sub-practices
R3.5.01 Establish a monitoring approach and responsible party to ensure that corrective control activities are performed.
R3.5.02 Establish reports and identify relevant recipients to be notified when corrective control activities are performed and concluded.
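A worked example, added here and not part of the OCEG model or any OCEG code: an in-memory model of the three R3.3 technology controls (restrict access, suspend processing, hold records) driven by one detected adverse event, with every action written to a hash-chained audit trail so that the R3.5 corrective action report can state both what was performed and concluded and that the record it is built from has not been altered since (Common Source of Failure 03). The account, job and record names, the adverse event, and all function names are constructed for illustration; the real controls would act on a directory, a scheduler and a records system instead of the dictionaries used here.

```python
"""Corrective technology controls (R3.3) recorded in a hash-chained audit trail
and summarised in a corrective action report (R3.5). Added illustration: the
system state, names and adverse event below are constructed, not from the model."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AuditEntry:
    seq: int
    timestamp: str
    action: str
    target: str
    outcome: str
    prev_hash: str
    entry_hash: str = ""


class AuditTrail:
    """Append-only trail; each entry commits to the previous entry's hash, so an
    edited, deleted or reordered record is caught by verify()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(e):
        payload = [e.seq, e.timestamp, e.action, e.target, e.outcome, e.prev_hash]
        return hashlib.sha256(json.dumps(payload).encode("utf-8")).hexdigest()

    def record(self, action, target, outcome, timestamp=None):
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        entry = AuditEntry(len(self.entries), ts, action, target, outcome, prev)
        entry.entry_hash = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or self._digest(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


class Environment:
    # Stand-in for the directory, scheduler and records system (constructed state).
    def __init__(self):
        self.accounts = {"jdoe": "active", "asmith": "active"}
        self.jobs = {"payroll-export": "scheduled", "nightly-purge": "scheduled"}
        self.records = {"ledger-2009q1": "retained", "ledger-2008q4": "purge-pending"}


def _apply(trail, store, key, new_state, action, ts):
    """Idempotent state change: a repeat run is logged as 'already-applied' rather
    than failing, so the trail still shows the control was exercised."""
    if store.get(key) == new_state:
        trail.record(action, key, "already-applied", ts)
    else:
        store[key] = new_state
        trail.record(action, key, "done", ts)


def apply_corrective_controls(env, trail, event, ts=None):
    """Run the R3.3 actions for one detected adverse event, in containment order."""
    _apply(trail, env.accounts, event["account"], "disabled", "disable_account", ts)  # R3.3.01
    for job in event["jobs"]:  # R3.3.02 suspend processing
        _apply(trail, env.jobs, job, "suspended", "suspend_job", ts)
    for rec in event["records"]:  # R3.3.03 hold records; overrides purge-pending
        _apply(trail, env.records, rec, "legal-hold", "legal_hold", ts)
    trail.record("corrective_actions_concluded", event["id"], "done", ts)


def corrective_action_report(trail, event_id):
    """R3.5: what was performed and concluded, and whether the backing trail is intact."""
    done = "corrective_actions_concluded"
    actions = [e for e in trail.entries if e.action != done]
    return {
        "event_id": event_id,
        "performed": sum(e.outcome == "done" for e in actions),
        "already_applied": sum(e.outcome == "already-applied" for e in actions),
        "concluded": any(e.action == done and e.target == event_id for e in trail.entries),
        "chain_intact": trail.verify(),
    }


def run_example():
    env, trail = Environment(), AuditTrail()
    # Constructed adverse event: a compromised account that reaches payroll
    # processing, plus a record that routine purging was about to destroy.
    event = {"id": "AE-0001", "account": "jdoe",
             "jobs": ["payroll-export", "nightly-purge"], "records": ["ledger-2008q4"]}
    apply_corrective_controls(env, trail, event, ts="2009-04-28T09:00:00+00:00")
    return env, trail, corrective_action_report(trail, event["id"])
```

Two design points matter for an auditor. Each action is idempotent and is logged even when it changes nothing, so a second responder re-running the playbook leaves evidence rather than an error. And the report's `chain_intact` field is derived from the trail itself: if anyone edits a logged outcome after the fact, `verify()` fails and the report says so, which is the check a discretionary, human-driven process (Common Source of Failure 02) cannot give you.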
R4 CRISIS RESPONSE, CONTINUITY AND RECOVERY
Plan for and respond to crisis issues, business disruption and other significant events.
Principles
01 Protecting individuals from physical harm is essential.
02 Having a broad view of where interruption could arise is critical.
03 Business, IT, emergency management, public affairs, communications, and continuity personnel should design integrated plans.
04 Constant, clear and redundant communication is essential to successful crisis management.
Common Sources Of Failure
01 Not establishing plans to address reasonably anticipated types of crises.
02 Not testing crisis management plans.
03 Not involving all relevant internal and external roles in the planning stage.
04 Not communicating appropriate information to relevant stakeholders during implementation of a crisis plan.
Guidelines and Practices
R4.1 Develop Crisis Response and Continuity Plans
R4.2 Identify Crisis Readiness and Response Teams
R4.3 Test Plans and Procedures
R4.4 Coordinate Plans
Key Deliverables
Plans
Crisis, Continuity and Recovery Plan
Reports
Findings and Recommendations Report
Enabling Technology Components
Technology Arenas
Enterprise Risk Management (ERM) , Human Resources Management (HRM) , Security Management (SM)
Business Applications
Documents & Records Management (DRM) , Loss Management (LM), Strategic Planning (SP)
GRC Core Applications
Accountability/Responsibility Management (ARM) , Crisis Management (CMT) , Environmental, Health & Safety (EH&S) Management , Global Trade Compliance (GTC)/International Dealings , Information Privacy Management (IPM) , Information Technology Audit (ITA) , Legal Matter Management (LMM) , Operational Assurance & Audit (OAA) , Operational Risk Management (ORM) , Risk Analytics (RA)
Infrastructure
Business Continuity Management (BCM), Disaster Recovery (DR) , Identity and Access Management (IAM) , Information Technology Operations (ITO) Management , Physical Security (PS)
R4 CRISIS RESPONSE, CONTINUITY AND RECOVERY
R4.1 DEVELOP CRISIS RESPONSE AND CONTINUITY PLANS Develop the plans for responding to various types of crises and recovering from business disruption. Core Sub-practices
R4.1.01 Identify the types of crises that might arise and create a list of specific examples of ones deemed to be either likely or of significant impact if they were to occur, including events with crisis level impacts on:
• a physical plant or infrastructure, such as weather disasters, accidents or intentional harm to structures,
• access to data, such as physical disruption to servers or technology failure,
• protection of confidential or personally identifiable information, such as theft or breach of confidential or personally identifiable data,
• ability to operate, such as technology or power interruptions or political upheaval,
• public confidence in products or services,
• reputation,
• workforce, such as health crises, and
• the enterprise, the community or individuals, from violent criminal conduct.
R4.1.02 Develop a business impact analysis for each listed type of crisis by:
• refining internal and external context and risk analysis,
• analyzing the implications of loss, delay, or inability to access or serve key people, systems, processes, suppliers, customers, and business partners, and
• analyzing anticipated information loss based on archive/back-up strategies for systems and processes.
R4.1.03 Address business continuity and recovery goals for each type of crisis by:
• determining recovery time objectives,
• prioritizing key business processes and critical functions,
• selecting and documenting business continuity strategies for interim operations and recovery plans,
• documenting information systems interim operations and recovery plans, and
• documenting facilities interim responses and recovery.
R4.1.04 Establish detailed response and recovery plans for each type of crisis that include the following:
• in the case of a physical crisis, policies and procedures for coordination with first responders from local authorities on plans, procedures, and communication protocols so they can facilitate safety, rescue and emergency operations,
• in the case of potential allegations of criminal conduct, procedures for interactions with police or prosecution authorities,
• in the case of a data management disruption or failure, disaster recovery plans,
• an identified communications plan and team, including legal, public relations and investor relations as appropriate,
• policies and procedures to direct public disclosures and communications through identified organization representatives, and involve legal, public relations and investor relations as appropriate,
• procedures for establishment of crisis response headquarters away from the danger/crisis area,
• policies and procedures that prioritize physical safety of employees and family member communications,
• procedures to evaluate pursuing contractual or other legal rights to demand indemnification or file claims for insurance, and
• procedures to analyze response effectiveness and performance after action.
R4 CRISIS RESPONSE, CONTINUITY AND RECOVERY
R4.2 IDENTIFY CRISIS READINESS AND RESPONSE TEAMS Define personnel who will be responsible for crisis preparedness and those who will be deployed as crisis response teams for each type of identified crisis. Core Sub-practices
R4.2.01 For each type of crisis, identify the personnel who will have responsibility for maintaining readiness and monitoring for signs of impending crisis.
R4.2.02 For each type of crisis, identify a preliminary response team in each location, updating it as necessary to address personnel changes.
R4.2.03 Identify leadership that is accountable for communicating with the workforce, families and external stakeholders for each type of crisis.
R4.2.04 Determine succession authorities in the event that an individual with established authority is unavailable when a crisis arises.
R4 CRISIS RESPONSE, CONTINUITY AND RECOVERY
R4.3 TEST PLANS AND PROCEDURES Test and evaluate the various crisis plans and procedures. Core Sub-practices
R4.3.01 For each type of crisis, define a preparedness exercise plan, including:
• scope of the exercise,
• frequency of the exercise,
• accountability for the preparedness exercise,
• who will be involved, including any personnel new to the crisis management team, and
• how the practice response will be evaluated.
R4.3.02 Select the appropriate preparedness exercise type, including:
• tabletop scenarios,
• simulations, and
• activation exercises.
R4.3.03 Conduct exercises according to plan.
R4.3.04 Evaluate performance against the plan and the effectiveness of the response.
R4 CRISIS RESPONSE, CONTINUITY AND RECOVERY
R4.4 COORDINATE PLANS Coordinate the various continuity and response plans in anticipation of business disruption that may span more than one facility. Core Sub-practices
R4.4.01 Correlate local, regional and national plans.
R4.4.02 Coordinate and rationalize recovery time objectives across the plans of individual functions, departments, business units or facilities with projected resource availability.
R4.4.03 Rationalize recovery time objectives with information systems recovery capabilities.
R5 REMEDIATION & DISCIPLINE
Resolve substantiated issues by fixing any weaknesses in the GRC system and disciplining appropriate individuals.
Principles
01 The assurance that each reported issue/incident is resolved is essential to maintaining support for the GRC system throughout all levels of the organization.
02 Disciplinary measures that are applied consistently and objectively serve as deterrents and drive support for the GRC system throughout the workforce.
Common Sources Of Failure
01 Not ensuring that relevant people are aware the issue has been redressed.
02 Not establishing a process to record and ascertain history regarding discipline.
03 Not establishing expectations regarding discipline for various types of conduct.
04 Not providing timely notification about resolution of the investigation.
05 Not making changes to aspects of the GRC system that contributed to or allowed the incident or issue to occur.
Guidelines and Practices Red Book 2.0 - GRC Capability Model R5.1 Remediate the GRC System R5.2 Discipline Individuals R5.3 Disclose Issue Resolution
Key Deliverables
Matrices
Prioritized Risk Matrix
Reports
Filings, Findings and Recommendations Report
Enabling Technology Components
Technology Arenas
Enterprise Risk Management (ERM) , Human Resources Management (HRM) , Security Management (SM)
Business Applications
Loss Management (LM)
GRC Core Applications
Accountability/Responsibility Management (ARM) , Controls Management & Monitoring (CMM) , Corporate Social Responsibility (CSR), Enterprise Risk Assessment (ERA) , Risk Analytics (RA)
Infrastructure
Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR)
R5 REMEDIATION & DISCIPLINE
R5.1 REMEDIATE THE GRC SYSTEM
Resolve each reported issue/incident, document the outcome, and propose appropriate changes to the GRC system to avoid similar issues in the future.
Core Sub-practices
R5.1.01 Propose changes to the GRC system to remediate points of failure that contributed to the issue or incident.
R5.1.02 Document results including:
 • outcome categories,
 • root cause,
 • resolution, and
 • remediation.
R5.1.03 Resolve reported issues/incidents using corrective action processes.
R5.1.04 Revise the prioritized risk matrix to reflect the effect of detected issues and remediation activities on:
 • identified current optimization activities, and
 • likelihood and probability analysis of current and planned residual risk.
R5 REMEDIATION & DISCIPLINE
R5.2 DISCIPLINE INDIVIDUALS
Discipline individuals for misconduct.
Core Sub-practices
R5.2.01 Define and enforce a procedure and criteria for consistent discipline given type of misconduct.
R5.2.02 Administer appropriate discipline under applicable policies, procedures, laws, and regulations.
R5.2.03 Track discipline decisions and include in workforce files and extended enterprise relationship records.
R5.2.04 Periodically report to the Board on material disciplinary measures taken (and underlying facts and circumstances).
R5.2.05 Periodically review past disciplinary actions to ensure consistency.
R5 REMEDIATION & DISCIPLINE
R5.3 DISCLOSE ISSUE RESOLUTION
When required or appropriate, disclose findings and resolution of investigations to stakeholders.
Core Sub-practices
R5.3.01 As required, disclose results of investigations to external stakeholders.
R5.3.02 Establish procedures to voluntarily disclose results and resolution of investigations to internal and external stakeholders as appropriate, including:
 • regulatory agencies,
 • enforcement authorities,
 • investors / underwriters,
 • customers, and
 • workforce.
R5.3.03 Provide single point of communication with external stakeholders.
R5.3.04 Inform stakeholders about resulting changes to the GRC system.
M MONITOR & MEASURE
Monitor, measure and modify the GRC system on a periodic and ongoing basis to ensure it contributes to business objectives while being effective, efficient and responsive to the changing environment.
M1 Context Monitoring
 M1.1 Monitor External Context
 M1.2 Monitor Internal Context
M2 Performance Monitoring & Evaluation
 M2.1 Monitor and Evaluate GRC System Design
 M2.2 Review and Reconsider Risks
 M2.3 Identify Relevant Risk Optimizing Activities
 M2.4 Analyze Potential for Failure
 M2.5 Identify Monitoring Information
 M2.6 Perform Monitoring Activities
 M2.7 Analyze and Report Monitoring Results
M3 Systemic Improvement
 M3.1 Develop Improvement Plan
 M3.2 Implement Improvement Initiatives
M4 Assurance
 M4.1 Plan Assurance Assessment
 M4.2 Perform Assurance Assessment
M1 CONTEXT MONITORING
Monitor and analyze changes in the internal and external context to determine if GRC system changes are required.
Principles
01 The GRC system must be flexible enough to respond rapidly to changes in the external and internal context in which it must operate.
02 Failure to recognize and respond to context changes may result in failure of critical GRC system controls.
03 The GRC system will be most effective if the organization identifies and evaluates anticipated changes in context in time to plan system alterations.
Common Sources Of Failure
01 Not sufficiently monitoring the external and internal context for changes that could render the GRC system ineffective
02 Not taking a sufficiently broad view of which external events may apply to the organization
03 Not monitoring inherently high risks because of a belief that controls will not fail or that the occurrence is unlikely
04 Not assigning clear accountability for tracking each aspect to identify and analyze changes
05 Not responding to an identified change quickly enough
Guidelines and Practices
M1.1 Monitor External Context
M1.2 Monitor Internal Context
Key Deliverables
Matrices
Prioritized Risk Matrix
Plans
Risk Optimization Plan
Reports
Findings and Recommendations Report
Enabling Technology Components
Technology Arenas
Business Intelligence (BI) , Business Process Management (BPM) , Enterprise Content Management (ECM) , Enterprise Resource Management (ER) , Human Resources Management (HRM)
Business Applications
Brand & Reputation Management (BRM), Collaboration/Knowledge Management (KM), Contact/Customer Relationship Management (CRM) , Contract Management (CM), Corporate Performance Management (CPM) , Dashboards (GRC Workflow), Email Management (EM), Employee Evaluations & Surveys (EES) , Enterprise Asset Management (EAM), Legal Entity Management (LEM), Project Portfolio Management (PPM) , Strategic Planning (SP) , Supply Chain & Procurement Management (SCM)
GRC Core Applications
Controls Management & Monitoring (CMM) , Corporate Social Responsibility (CSR), Discovery (eDiscovery) , Environmental Monitoring & Reporting (EMR) , Ethical Practices/Corporate Integrity (ECI) , Fraud Detection & Prevention (FDP) , Geo-Political Risk (GPR) Management , Global Trade Compliance (GTC)/International Dealings , Information Privacy Management (IPM) , News Feeds (GRC Intelligence) , Operational Risk Management (ORM) , Risk Analytics (RA) , Transaction Monitoring (TRM)
Infrastructure
Enterprise Architecture Standards (EAS) , Identity and Access Management (IAM) , Retention & Storage Management (RSM) , Systems Log Management (SLM)
M1 CONTEXT MONITORING
M1.1 MONITOR EXTERNAL CONTEXT
Continually monitor changes in the external environment that may have a direct, indirect or cumulative effect on the organization.
Core Sub-practices
M1.1.01 Monitor stakeholder groups for changes in views and key individuals.
M1.1.02 Monitor market conditions.
M1.1.03 Monitor industry participants and competitors for risk and compliance issues.
M1.1.04 Monitor other peers as defined by similar workforce size, similar business activities, and similar geographic scope for risk and compliance issues.
M1.1.05 Monitor geopolitical changes in all relevant areas of operation.
M1.1.06 Monitor changes in external requirements including those from:
 • laws, rules and regulations,
 • administrative guidelines and rulings,
 • significant judicial rulings,
 • regulatory guidance,
 • prosecutorial guidance,
 • legal interpretations,
 • consent orders and integrity agreements,
 • enforcement activities,
 • contracts,
 • standards, and
 • trade association commitments.
M1.1.07 Monitor changes in customary practices in the industry, and cultural differences in the relevant locations.
M1.1.08 Notify individuals responsible for relevant risk optimization activities about context changes, including those that require immediate consideration.
M1.1.09 Individuals responsible for risk analysis and optimization activities augment or revise the prioritized risk matrix and risk optimization plan to reflect, as appropriate:
 • changes in the form of additional, altered or eliminated risks and requirements,
 • revised inherent risk analysis,
 • current residual risk analysis,
 • categorization and prioritization,
 • risk optimization strategy,
 • risk optimization activities, and
 • planned residual risk.
M1 CONTEXT MONITORING
M1.2 MONITOR INTERNAL CONTEXT
Continually monitor changes in the internal environment that may have a direct, indirect or cumulative effect on the organization.
Core Sub-practices
M1.2.01 Monitor significant changes in business strategy such as:
 • changes in business objectives, values and strategy,
 • new product development,
 • expansion into new markets, and
 • mergers and acquisitions.
M1.2.02 Monitor changes in personnel.
M1.2.03 Monitor changes in processes.
M1.2.04 Monitor changes in technology.
M1.2.05 Monitor changes in culture including any significant variance of culture metrics in business units, departments, jobs, or locations.
M1.2.06 Notify individuals responsible for relevant risk optimization activities about context changes, including those that require immediate consideration.
M1.2.07 Individuals responsible for risk analysis and optimization activities augment or revise the prioritized risk matrix and risk optimization plan to reflect, as appropriate:
 • changes in the form of additional, altered or eliminated risks and requirements,
 • revised inherent risk analysis,
 • current residual risk analysis,
 • categorization and prioritization,
 • risk optimization strategy,
 • risk optimization activities, and
 • planned residual risk.
M2 PERFORMANCE MONITORING & EVALUATION
Monitor and periodically evaluate the performance of the GRC system to ensure that it is designed and operated to be effective, efficient, and responsive to the changing external and internal context.
Principles
01 Continual monitoring and periodic evaluation enables management and the Board to determine if the GRC system operates effectively over time.
02 Monitoring provides evidence to support assertions about the effectiveness of the GRC system.
03 The monitoring effort should be congruent with level of risk.
04 Evaluation of GRC system design and operation is part of the GRC management responsibility to assure timely system corrections and improvements.
Common Sources Of Failure
01 Only considering what is effective to prevent or detect noncompliant conduct that would give rise to criminal or civil liability
02 Not measuring performance indicators
03 Not measuring the efficiency and responsiveness of the GRC system
04 Not periodically re-evaluating the design of the GRC system to ensure it is appropriate to optimize identified risks
05 Not considering the full range of information that may indicate GRC systemic weaknesses
Guidelines and Practices
M2.1 Monitor and Evaluate GRC System Design
M2.2 Review and Reconsider Risks
M2.3 Identify Relevant Risk Optimizing Activities
M2.4 Analyze Potential for Failure
M2.5 Identify Monitoring Information
M2.6 Perform Monitoring Activities
M2.7 Analyze and Report Monitoring Results
Key Deliverables
Plans
GRC Strategic Plan, Risk Optimization Plan
Reports
Findings and Recommendations Report
Enabling Technology Components
Technology Arenas
Business Intelligence (BI) , Corporate Governance (CG) , Enterprise Risk Management (ERM) , Security Management (SM)
Business Applications
Business Activity Monitoring (BAM) , Collaboration/Knowledge Management (KM), Corporate Performance Management (CPM) , Employee Evaluations & Surveys (EES) , Enterprise Asset Management (EAM), Loss Management (LM), Policy & Procedure Management (P&P) , Project Portfolio Management (PPM) , Quality Management & Monitoring (QMM) , Strategic Planning (SP) , Supply Chain & Procurement Management (SCM)
GRC Core Applications
Controls Management & Monitoring (CMM) , Corporate Compliance (CC) , Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management , Environmental Monitoring & Reporting (EMR) , Ethical Practices/Corporate Integrity (ECI) , Geo-Political Risk (GPR) Management , Helpline , Hotline/Whistleblower , Insurance & Claims Management (ICM) , Legal Matter Management (LMM) , Operational Risk Management (ORM) , Reporting/eFiling (REF) , Risk Analytics (RA)
Infrastructure
Disaster Recovery (DR) , Information Technology Operations (ITO) Management , Systems Log Management (SLM)
M2 PERFORMANCE MONITORING & EVALUATION
M2.1 MONITOR AND EVALUATE GRC SYSTEM DESIGN
Establish a schedule for periodic re-evaluation of the appropriateness of the GRC system design in light of the identified requirements and key risks.
Core Sub-practices
M2.1.01 Define aspects of the GRC system design to be periodically re-evaluated, including:
 • effectiveness in preventing and detecting conduct or events that violate mandated or voluntarily established requirements,
 • efficiency of the controls established as part of the system,
 • appropriateness of the selected controls relative to the level of risk, and
 • responsiveness of the system.
M2.1.02 Select appropriate monitoring methods for each aspect of the GRC system based on identified goals, assurance level and privilege status, such as:
 • technologies to flag incidents of non-conformance to established procedures,
 • periodic review of samples of reports, forms, or other required documentation,
 • periodic review of established metrics and performance indicators, and
 • periodic review of testing controls information.
M2 PERFORMANCE MONITORING & EVALUATION
M2.2 REVIEW AND RECONSIDER RISKS
Review any previously assessed or newly identified risks and reconsider, or assess for the first time, their priority based on the best information currently available.
Core Sub-practices
M2.2.01 Analyze information from prevent, detect and respond activities including completed and ongoing investigations.
M2.2.02 Analyze information from human capital control activities.
M2.2.03 Analyze information from context monitoring.
M2 PERFORMANCE MONITORING & EVALUATION
M2.3 IDENTIFY RELEVANT RISK OPTIMIZING ACTIVITIES
Review the related risk optimizing activities in place to address high priority risks.
Core Sub-practices
M2.3.01 Identify the key risk optimizing activities whose failures may not be detected in a timely manner (single points of failure).
M2.3.02 Identify the risk optimizing activities whose failure might trigger the failure of other risk optimizing activities (points of cascading failure).
M2.3.03 Identify the risk optimizing activities that may compensate for failures in other key optimizing activities (key compensating activities).
M2.3.04 Identify other related risk optimizing activities.
M2 PERFORMANCE MONITORING & EVALUATION
M2.4 ANALYZE POTENTIAL FOR FAILURE
Analyze the potential that risk-optimizing activities will fail and the ways in which they might fail.
Core Sub-practices
M2.4.01 Analyze the relative complexity of the control, as controls that are more complex typically have a higher degree of potential failure.
M2.4.02 Analyze the skills required to perform a control and the availability of these skills, as skills shortages will quickly affect these controls.
M2.4.03 Analyze the degree of automation versus manual execution of the control, as:
 • manual controls are more prone to human error than automated controls, and
 • automated controls are more prone to voluminous and repeated error if there is a systemic issue.
M2.4.04 Analyze prior failures associated with controls.
M2 PERFORMANCE MONITORING & EVALUATION
M2.5 IDENTIFY MONITORING INFORMATION
Identify the information to use to support the evaluation of the performance of the risk optimizing activity(s) and/or the overall performance of the GRC system.
Core Sub-practices
M2.5.01 Identify persuasive information that can be used to conclude that a risk optimizing activity is effective, efficient and responsive.
M2.5.02 Consider direct information from monitoring the external and internal environments.
M2.5.03 Consider direct information about substantiated incidents and general patterns of misconduct.
M2.5.04 Consider direct information from testing controls.
M2.5.05 Consider indirect information generated by business processes for operational purposes.
M2.5.06 Ensure that information is sufficient, relevant, reliable, and obtained in a timely manner.
M2.5.07 Determine what information may be reviewed by samples and what information requires complete review.
M2.5.08 Determine what information must be considered that is not contained in reviewable documents or data, and determine methods for reviewing such information, such as interviews or surveys.
M2 PERFORMANCE MONITORING & EVALUATION
M2.6 PERFORM MONITORING ACTIVITIES
Perform monitoring activities to support the evaluation of the performance of the system.
Core Sub-practices
M2.6.01 Review identified documents and samples of data.
M2.6.02 Conduct identified interviews and surveys.
M2.6.03 Consolidate information from different sources to enable comparison and analysis.
M2 PERFORMANCE MONITORING & EVALUATION
M2.7 ANALYZE AND REPORT MONITORING RESULTS
Analyze the results of monitoring activities to identify instant weaknesses and opportunities for systemic improvements.
Core Sub-practices
M2.7.01 Identify and analyze reasons for conflicting information.
M2.7.02 Determine validity and reliability of information.
M2.7.03 Determine if misconduct or control failures are occurring beyond established acceptable tolerances.
M2.7.04 Determine if a number of instances of misconduct or control failures relate to a particular location, supervisor or manager, or individual.
M2.7.05 Determine if a number of control failures relate to a particular process, human capital, technology, or physical control.
M2.7.06 Report on the results and general proposed responses to appropriate internal and external stakeholders.
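The tolerance and concentration checks described in M2.7.03 to M2.7.05, as an added example that is not part of the OCEG model: a small Python analysis over constructed control-monitoring records that flags controls failing beyond their tolerance and failures that cluster on one location, supervisor or control type. The control names, tolerances, locations, supervisors and the share/minimum-failure thresholds are all assumed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One monitored execution of a control. All values are constructed sample data."""
    control: str        # control identifier (hypothetical names)
    control_type: str   # process, human capital, technology, or physical (M2.7.05)
    location: str       # where the control was executed (M2.7.04)
    supervisor: str     # who supervises the people executing it (M2.7.04)
    failed: bool        # True if the control did not operate as designed


# Acceptable failure rate per control as a fraction of observations. These tolerances
# are assumed for the example; an organization sets its own (M2.7.03).
TOLERANCES = {"access-review": 0.05, "badge-check": 0.02, "backup-restore-test": 0.10}

# Constructed monitoring records: (count, control, control_type, location, supervisor, failed).
ROWS = [
    (2, "access-review", "process", "Dublin", "Mara", True),
    (1, "access-review", "process", "Dublin", "Mara", False),
    (3, "access-review", "process", "Austin", "Kofi", False),
    (1, "badge-check", "physical", "Dublin", "Mara", True),
    (2, "badge-check", "physical", "Dublin", "Mara", False),
    (7, "badge-check", "physical", "Austin", "Kofi", False),
    (1, "backup-restore-test", "technology", "Dublin", "Mara", True),
    (9, "backup-restore-test", "technology", "Austin", "Kofi", False),
]
SAMPLE = [Observation(*row[1:]) for row in ROWS for _ in range(row[0])]


def failure_rates(observations):
    """Observed failure rate per control: failures / total observations."""
    totals, failures = defaultdict(int), defaultdict(int)
    for obs in observations:
        totals[obs.control] += 1
        if obs.failed:
            failures[obs.control] += 1
    return {control: failures[control] / totals[control] for control in totals}


def beyond_tolerance(observations, tolerances):
    """M2.7.03: controls whose observed failure rate exceeds the acceptable tolerance.
    A control with no tolerance on record is treated as tolerating no failures at all."""
    return {control: rate
            for control, rate in failure_rates(observations).items()
            if rate > tolerances.get(control, 0.0)}


def concentrations(observations, attribute, min_share=0.5, min_failures=3):
    """M2.7.04/05: values of `attribute` (location, supervisor, control_type, ...) that
    account for at least `min_share` of all failures. Requires at least `min_failures`
    failures overall so that one or two isolated misses are not reported as a pattern.
    Both thresholds are assumptions for the example."""
    failures = [obs for obs in observations if obs.failed]
    if len(failures) < min_failures:
        return {}
    counts = defaultdict(int)
    for obs in failures:
        counts[getattr(obs, attribute)] += 1
    return {value: n for value, n in counts.items()
            if n >= min_failures and n / len(failures) >= min_share}


def analyze(observations, tolerances):
    """Combine the checks into one findings dictionary for the M2.7.06 report."""
    return {
        "beyond_tolerance": beyond_tolerance(observations, tolerances),
        "by_location": concentrations(observations, "location"),
        "by_supervisor": concentrations(observations, "supervisor"),
        "by_control_type": concentrations(observations, "control_type"),
    }


if __name__ == "__main__":
    for finding, detail in analyze(SAMPLE, TOLERANCES).items():
        print(f"{finding}: {detail}")
```

On the constructed records, access-review and badge-check exceed their tolerances while backup-restore-test sits exactly at its 10% tolerance and is not flagged, and all four failures concentrate on one location and one supervisor but on no single control type.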
M3 SYSTEMIC IMPROVEMENT
Use information from periodic monitoring as well as ongoing detection activities to identify opportunities for GRC system improvements.
Principles
01 Continual improvement is the hallmark of a mature and high performing GRC system.
02 Improvement efforts allow for implementation of innovations as they become available.
03 Budgeting for regular improvement activities enables continual GRC system maturation and efficiency.
04 Ensure all improvements address root causes and not just symptoms.
Common Sources Of Failure
01 Not acting on identified improvement opportunities
02 Not identifying root causes behind GRC system failures
03 Not having a sufficiently broad network of intelligence to identify opportunities for improvement
04 Not establishing clear ownership of improvement projects
Guidelines and Practices
M3.1 Develop Improvement Plan
M3.2 Implement Improvement Initiatives
Key Deliverables Matrices
Prioritized Risk Matrix
Plans
GRC Strategic Plan, Risk Optimization Plan
Reports
Findings and Recommendations Report
Enabling Technology Components
Technology Arenas
Business Process Management (BPM)
Business Applications
Budget & Finance Management (BFM), Contact/Customer Relationship Management (CRM), Corporate Performance Management (CPM), Policy & Procedure Management (P&P), Project Portfolio Management (PPM), Quality Management & Monitoring (QMM), Strategic Planning (SP), Transaction Management (TM)
GRC Core Applications
Controls Management & Monitoring (CMM), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Environmental, Health & Safety (EH&S) Management, Ethical Practices/Corporate Integrity (ECI), Information Technology Audit (ITA), Information Technology Risk & Compliance (ITRC) Management, Operational Assurance & Audit (OAA), Transaction Monitoring (TRM)
Infrastructure
Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR), Enterprise Architecture Standards (EAS), Information Technology Operations (ITO) Management
M3.1 DEVELOP IMPROVEMENT PLAN
Develop a prioritized plan for implementing improvements to the program.
Core Sub-practices
M3.1.01 Develop portfolio of improvement initiatives.
M3.1.02 Communicate improvement plan to management.
M3.1.03 Define any recommendations from investigation outcome reports that are not in the improvement plan and provide explanation(s).
M3.1.04 Obtain authorization to execute improvement plan.
M3.2 IMPLEMENT IMPROVEMENT INITIATIVES
Implement the specific action plans and initiatives intended to improve the program.
Core Sub-practices
M3.2.01 Adapt existing priorities and plans to accommodate additions.
M3.2.02 Enhance change management and program management capability as needed for additional initiatives.
M3.2.03 Engage resources for initiatives.
M3.2.04 Manage initiatives pursuant to project plans.
M3.2.05 Periodically report on project and portfolio status.
M3.2.06 Confirm that initiatives were completed as defined in the improvement plan.
M3.2.07 Assess whether targeted improvements are achieved.
M3.2.08 Document changes to the GRC system, including changes, if any, to the GRC strategic plan, prioritized risk matrix, and the risk optimization plan.
M4 ASSURANCE
Provide assurance to management and the Board that the GRC system is reliable, effective, efficient and responsive.
Principles
01 Management and the Board need independent reasonable assurance about the effectiveness of the GRC system.
02 Management and the Board should obtain reasonable assurance that the GRC system is effective to detect and prevent conduct that is not in accordance with mandates and voluntary commitments of the organization.
03 Either internal auditors or external auditors or evaluators can provide assurance.
04 The degree of assurance desired may vary at different times and for different purposes.
05 The degree of assurance increases as the level of independence and capability of the assessors changes, and is further enhanced by the use of independent, objective standards or agreed upon procedures for review.
Common Sources Of Failure
01 Not using objective, skilled assurance personnel with experience in the subject matter of the assessment
02 Not ensuring independence of assurance personnel
03 Not ensuring assurance personnel have no stake in activities for which they are providing assurance
04 Not using risk assessment to focus the assurance effort
05 Not having consistent high quality information as a basis for assurance opinions
Guidelines and Practices
M4.1 Plan Assurance Assessment
M4.2 Perform Assurance Assessment
Key Deliverables
Reports
Findings and Recommendations Report
Enabling Technology Components
Technology Arenas
Assurance & Audit Management (AAM), Corporate Governance (CG), Security Management (SM)
Business Applications
Loss Management (LM), Policy & Procedure Management (P&P)
GRC Core Applications
Audit Analytics (AA), Controls Management & Monitoring (CMM), Discovery (eDiscovery), Enterprise Risk Assessment (ERA), Environmental Monitoring & Reporting (EMR), Finance & Treasury Risk (FTR) Management, Financial Assurance & Audit (FAA), Fraud Detection & Prevention (FDP), Hotline/Whistleblower, Information Technology Audit (ITA), Legal Matter Management (LMM), Operational Assurance & Audit (OAA), Transaction Monitoring (TRM)
Infrastructure
Physical Security (PS), Systems Log Management (SLM)
M4.1 PLAN ASSURANCE ASSESSMENT
Determine scope, procedures and criteria required to provide the desired level of assurance.
Core Sub-practices
M4.1.01 Determine scope of review.
M4.1.02 Determine level of assurance desired.
M4.1.03 Based on schedule, cost and objectives, determine whether to define standards, procedures and criteria or to use objective, independently issued standards or agreed upon procedures for review, and if so, identify them.
M4.1.04 Identify parties to perform the assessment that supports the assurance.
M4.2 PERFORM ASSURANCE ASSESSMENT
Perform procedures, evaluate results against criteria and deliver report.
Core Sub-practices
M4.2.01 Review monitoring reports and changes to the GRC system previously undertaken by management as part of the assurance process.
M4.2.02 Prepare an assurance report and recommendations for management and the Board.
I INFORM & INTEGRATE
Capture, document and manage GRC information so that it efficiently and accurately flows up, down and across the extended enterprise, and to external stakeholders.
I1 Information Management & Documentation
I1.1 Develop a GRC Information Management Classification Structure
I1.2 Develop GRC Information Collection Policies & Procedures
I1.3 Develop GRC Information Access, Use and Transfer Policies & Procedures
I1.4 Develop GRC Information Storage & Disposition Policy & Procedures
I2 Internal & External Communication
I2.1 Develop Reporting Plan
I2.2 Develop Communication Plan
I3 Technology & Infrastructure
I3.1 Assess Technology Needs and Gaps
I3.2 Develop GRC Technology Portion of GRC Strategic Plan
I1 INFORMATION MANAGEMENT & DOCUMENTATION
Implement and manage an integrated record management system so that GRC information is relevant, reliable, timely, secure and available.
Principles
01 Information should be reconciled and consistent across the organization to allow for efficient and accurate flow of information across the organization and to external stakeholders.
02 It is not necessary to have a single record management system across the organization, if management designs and operates multiple systems to allow the efficient reconciliation, consolidation and exchange of information.
03 Consistent definitions of terms and taxonomies ensure that different parts of the organization do not have different understandings of information, or are not operating on conflicting sets of information.
04 Data hoarding or failure to transfer relevant and necessary information to all parts of the organization that need the information is damaging.
05 The organization uses commercially reasonable organizational, technical and physical measures as necessary for the adequate protection of all personal data acquired through the conduct of its business.
Common Sources Of Failure
01 Not reconciling disparate information as it becomes available to the organization
02 Not using common definitions of terms and taxonomies to create, exchange and store information
03 Not enforcing a uniform information management system or systems from which information can be easily combined, compared or shared
04 Not having consistent policies and procedures regarding the retention and retrieval of information
05 Not informing outsourcing partners or suppliers of record management requirements
06 Not considering additional controls that may be needed when information is maintained outside the organization
Guidelines and Practices
I1.1 Develop a GRC Information Management Classification Structure
I1.2 Develop GRC Information Collection Policies & Procedures
I1.3 Develop GRC Information Access, Use and Transfer Policies & Procedures
I1.4 Develop GRC Information Storage & Disposition Policy & Procedures
Key Deliverables
Plans
Crisis, Continuity and Recovery Plan, GRC Information Management Plan
Enabling Technology Components
Technology Arenas
Business Process Management (BPM), Enterprise Content Management (ECM)
Business Applications
Board Management (BM), Business Rules (BR) Engines, Collaboration/Knowledge Management (KM), Contact/Customer Relationship Management (CRM), Contract Management (CM), Documents & Records Management (DRM), Email Management (EM), Employee Evaluations & Surveys (EES), Enterprise Asset Management (EAM), Intellectual Property (IP) Management, Loss Management (LM), Policy & Procedure Management (P&P), Project Portfolio Management (PPM), Quality Management & Monitoring (QMM), Strategic Planning (SP)
GRC Core Applications
Audit Analytics (AA), Corporate Compliance (CC), Corporate Social Responsibility (CSR), Discovery (eDiscovery), Enterprise Risk Assessment (ERA), Environmental, Health & Safety (EH&S) Management, Environmental Monitoring & Reporting (EMR), Financial Assurance & Audit (FAA), Fraud Detection & Prevention (FDP), Global Trade Compliance (GTC)/International Dealings, Hotline/Whistleblower, Information Privacy Management (IPM), Information Technology Audit (ITA), Information Technology Risk & Compliance (ITRC) Management, Insurance & Claims Management (ICM), Legal Matter Management (LMM), Operational Assurance & Audit (OAA), Operational Risk Management (ORM), Reporting/eFiling (REF), Risk Analytics (RA)
Infrastructure
Configuration and Change Management (CCM), Enterprise Architecture Standards (EAS), Information Technology Operations (ITO) Management, Retention & Storage Management (RSM), Systems Log Management (SLM)
I1.1 DEVELOP A GRC INFORMATION MANAGEMENT CLASSIFICATION STRUCTURE
Determine the definitions, classifications and procedures necessary to identify and manage GRC information in the organization and extended enterprise, as part of an Information Management Plan.
Core Sub-practices
I1.1.01 Define GRC system records (GRC Records).
I1.1.02 Define and maintain a classification schema and methodology.
I1.1.03 Define an ongoing process for information inventory and classification including characteristics such as:
• type,
• privacy requirement,
• confidentiality requirement,
• preservation requirement,
• retention requirement,
• disposition requirement,
• availability requirement,
• operational/strategic value,
• data owner,
• source of information (database/application, email, Excel, etc.),
• associated business processes, and
• associated policies.
I1.1.04 Periodically consider changes to the classification structure, and its underlying definitions and classifications, to reduce future reconciliation needs.
I1.2 DEVELOP GRC INFORMATION COLLECTION POLICIES & PROCEDURES
Establish the policies and procedures necessary to collect GRC information from sources within and outside the organization and extended enterprise, as part of an Information Management Plan.
Core Sub-practices
I1.2.01 Define rules and procedures to meet requirements regarding collecting and creating information.
I1.2.02 Define policies and procedures regarding information ownership.
I1.2.03 Define a procedure and schedules or triggers for reconciling disparate information.
I1.2.04 Reconcile disparate information upon scheduled or triggering events.
I1.3 DEVELOP GRC INFORMATION ACCESS, USE AND TRANSFER POLICIES & PROCEDURES
Establish the policies and procedures necessary to access, use and transfer GRC information in the organization and extended enterprise, as part of an Information Management Plan.
Core Sub-practices
I1.3.01 Define rules and procedures to meet requirements regarding managing access, authorization and authentication, including:
• evaluation of the level of access required,
• data owner approval,
• administration of access (add, change, remove),
• password requirements,
• authentication method, and
• access to physical storage locations.
I1.3.02 Appropriately define, mark, handle and store privileged documents, deliverables, and artifacts.
I1.3.03 Define rules and procedures to meet requirements regarding the transfer of information.
I1.3.04 Define procedures for notification, containment and response to a breach of information management access and use procedures.
I1.3.05 Define data and security models for all systems designed to enable the processes and meet requirements.
I1.4 DEVELOP GRC INFORMATION STORAGE & DISPOSITION POLICY & PROCEDURES
Establish the policies and procedures necessary to store GRC information in the organization and extended enterprise in accordance with requirements and recovery objectives, as part of an Information Management Plan.
Core Sub-practices
I1.4.01 Define rules and procedures to meet requirements regarding maintaining stored information.
I1.4.02 Define the rules and procedures to meet requirements regarding retention, destruction, restoration, and disposition of information.
I1.4.03 Determine off-site media storage and media rotation requirements.
I1.4.04 Define information backup schedules (source, frequency).
I1.4.05 Define rules and procedures to meet requirements regarding systematic disposition of information.
I1.4.06 Define rules and procedures to meet requirements regarding manual deletion of information.
I1.4.07 Define a procedure for the disposition of data on recycled media/hardware.
I1.4.08 Define rules and procedures to meet requirements regarding identifying and halting destruction of information.
I1.4.09 Regularly test the restoration of data from backup storage media.
I1.4.10 Define procedures for containment and response to a breach of information storage and disposition procedures.
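An added example, not part of the Red Book or OCEG's own material: a small Python records-disposition evaluator that ties the I1.1.03 classification characteristics to the I1.4 retention, systematic disposition and halt-destruction rules, so that a preservation hold always overrides an expired retention period before any deletion job runs. The schema entries, record fields, sample inventory and hold reason are constructed assumptions.

```python
"""Added example (not part of the OCEG Red Book): a records-disposition
evaluator for the I1.1.03 classification characteristics and the I1.4
retention / disposition / halt-destruction rules.  Record fields, the sample
inventory and the policy table are constructed for illustration only."""
from __future__ import annotations

from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from enum import Enum


class Disposition(Enum):
    RETAIN = "retain"              # still inside the retention period
    DISPOSE = "dispose"            # retention met, no hold: systematic disposition (I1.4.05)
    HOLD = "hold"                  # destruction halted by a preservation requirement (I1.4.08)
    UNCLASSIFIED = "unclassified"  # no schema entry: never dispose of what is not classified


@dataclass(frozen=True)
class RecordClass:
    """One entry of the classification schema (I1.1.02) carrying the
    I1.1.03 characteristics this example needs; retention runs from creation."""
    name: str
    retention_days: int
    privacy: bool            # record contains personal data (principle 05)
    confidentiality: str     # e.g. "internal", "restricted"


@dataclass
class GrcRecord:
    """A GRC Record (I1.1.01) as captured in the information inventory."""
    record_id: str
    record_class: str
    created: date
    data_owner: str
    source: str                  # database/application, email, spreadsheet, ...
    legal_hold: bool = False     # preservation requirement currently in force
    tags: set[str] = field(default_factory=set)


def classify_disposition(rec: GrcRecord, schema: dict[str, RecordClass], today: date) -> Disposition:
    """Decide what the systematic disposition job may do with one record.
    The hold is checked first: I1.4.08 requires destruction to be halted
    even when the retention period has already expired."""
    if rec.legal_hold:
        return Disposition.HOLD
    rc = schema.get(rec.record_class)
    if rc is None:
        return Disposition.UNCLASSIFIED
    expiry = rec.created + timedelta(days=rc.retention_days)
    return Disposition.DISPOSE if today >= expiry else Disposition.RETAIN


def disposition_report(records, schema, today) -> dict[Disposition, list[str]]:
    """Group record ids by decision so a reviewer can sign off before deletion runs."""
    report: dict[Disposition, list[str]] = {d: [] for d in Disposition}
    for rec in records:
        report[classify_disposition(rec, schema, today)].append(rec.record_id)
    return report


def apply_hold(records, matcher, reason: str) -> list[str]:
    """Halt destruction for every record the matcher selects (I1.4.08)."""
    held = []
    for rec in records:
        if matcher(rec):
            rec.legal_hold = True
            rec.tags.add(f"hold:{reason}")
            held.append(rec.record_id)
    return held


# Constructed sample schema and inventory (hypothetical classes and ids).
SCHEMA = {
    "hotline-case": RecordClass("hotline-case", 7 * 365, privacy=True, confidentiality="restricted"),
    "training-completion": RecordClass("training-completion", 3 * 365, privacy=True, confidentiality="internal"),
    "policy-version": RecordClass("policy-version", 10 * 365, privacy=False, confidentiality="internal"),
}
RECORDS = [
    GrcRecord("HL-0001", "hotline-case", date(2001, 3, 1), "ethics-office", "case-db"),
    GrcRecord("TR-0042", "training-completion", date(2007, 6, 15), "hr", "lms"),
    GrcRecord("PL-0007", "policy-version", date(2005, 1, 10), "compliance", "dms"),
    GrcRecord("XX-0999", "legacy-export", date(1999, 9, 9), "unknown", "excel"),
]


def demo(today_iso: str = "2009-04-28") -> dict[str, list[str]]:
    """Run one disposition cycle on copies of the inventory: a hold is placed
    on all hotline cases (hypothetical matter id) and the report is returned
    keyed by decision name."""
    today = date.fromisoformat(today_iso)
    records = [replace(r, tags=set(r.tags)) for r in RECORDS]
    apply_hold(records, lambda r: r.record_class == "hotline-case", "matter-2009-01")
    return {d.value: ids for d, ids in disposition_report(records, SCHEMA, today).items()}


if __name__ == "__main__":
    for decision, ids in demo().items():
        print(f"{decision:>12}: {ids}")
```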
I2 INTERNAL & EXTERNAL COMMUNICATION
Deliver relevant, reliable, and timely information to the right audiences as required by mandates or as needed to perform responsibilities and effectively shape attitudes.
Principles
01 Effective flow of information throughout the organization enables decision-making and improves performance.
02 The organization should be able to deliver consistent information to those who need it, when they need to know it.
03 The organization must be able to meet its mandatory reporting obligations and to provide reliable and understandable information to stakeholders.
04 Not all communication takes place through formal reports, and informal communication may have more impact.
Common Sources Of Failure
01 Not knowing (or communicating) requirements for timing and content of mandated external reports
02 Not establishing clear policies, procedures and triggers for immediate escalation or routine reporting of information within the organization or to external stakeholders
03 Not getting the right information to the right people at the right time
04 Not maintaining a complete and accurate record of how communication was managed
Guidelines and Practices
I2.1 Develop Reporting Plan
I2.2 Develop Communication Plan
Key Deliverables
Plans
Communication and Reporting Plan
Enabling Technology Components
Technology Arenas
Business Intelligence (BI) , Corporate Governance (CG) , Enterprise Content Management (ECM) , Enterprise Resource Management (ER) , Enterprise Risk Management (ERM) , Human Resources Management (HRM)
Business Applications
Brand & Reputation Management (BRM), Business Activity Monitoring (BAM) , Collaboration/Knowledge Management (KM), Contact/Customer Relationship Management (CRM) , Corporate Performance Management (CPM) , Dashboards (GRC Workflow), Documents & Records Management (DRM) , Email Management (EM), Employee Evaluations & Surveys (EES) , Intellectual Property (IP) Management , Learning & Training Management (LTM) , Legal Entity Management (LEM), Loss Management (LM), Policy & Procedure Management (P&P) , Strategic Planning (SP)
GRC Core Applications
Accountability/Responsibility Management (ARM) , Corporate Compliance (CC) , Corporate Social Responsibility (CSR), Crisis Management (CMT) , Discovery (eDiscovery) , Employment Compliance Management (EC) , Environmental Monitoring & Reporting (EMR) , Ethical Practices/Corporate Integrity (ECI) , Geo-Political Risk (GPR) Management , Helpline , News Feeds (GRC Intelligence) , Reporting/eFiling (REF) , Risk Analytics (RA)
Infrastructure
Disaster Recovery (DR) , Enterprise Architecture Standards (EAS)
I2 INTERNAL & EXTERNAL COMMUNICATION
I2.1 DEVELOP REPORTING PLAN
Establish a plan to ensure compliance with mandatory reporting requirements and provide desired reports to management, the Board, and stakeholders.
Core Sub-practices
I2.1.01 Identify required external reports to regulators and other stakeholders, and create a matrix indicating:
• the schedules or triggering events for each,
• the content required,
• the location or source of the content required,
• the person or office responsible for preparing and filing each report,
• the location or classification of each report copy as it will be retained in the organization,
• the record retention and protection rules, and
• the method for confirmation of delivery and receipt.
I2.1.02 Define internal reports needed to allow the entity to certify there are no violations of mandates or policies, and those needed to manage the GRC system, and prepare a matrix indicating:
• the schedules or triggering events for each,
• the content required,
• the location or source of the content required,
• the person or office responsible for preparing each report,
• the intended recipients of each report,
• the location or classification of each report copy as it will be retained in the organization,
• the record retention and protection rules, and
• the need for confirmation of receipt.
I2.1.03 Define any additionally desired voluntary reports to stakeholders and create a matrix indicating:
• the schedules or triggering events for each report,
• the content required,
• the location or source of the content required,
• the person or office responsible for preparing and filing each report,
• the location or classification of each report as it will be retained in the organization, and
• the record retention and protection rules.
I2.1.04 Define policies and procedures regarding referral for review and resolution when reports reflect performance outside targets and tolerances.
I2.1.05 Analyze existing reporting and determine gaps against the planned reports and their desired management.
I2 INTERNAL & EXTERNAL COMMUNICATION
I2.2 DEVELOP COMMUNICATION PLAN
Define how the organization will manage GRC related communications that are not formal reports.
Core Sub-practices
I2.2.01 Prepare to develop a high level communication plan by:
• defining current behavior/knowledge state of audience,
• defining desired state,
• analyzing gaps, and
• identifying areas where there is likely to be resistance to change.
I2.2.02 Develop a high level communication plan that identifies:
• all key program messages with identified senders and target audiences,
• the various communication pieces that will deliver each message, and
• the high level delivery schedule and triggering events.
I2.2.03 Determine what methods of communication should be used for each category of message, applying multiple methods for key messages and taking into consideration the purpose of the communication (education, persuasion, information, interview), such as:
• paper based,
• email,
• websites,
• postings,
• live events or meetings,
• video/audio broadcast, or
• face-to-face personal communication.
I2.2.04 For each communications piece:
• develop communication/messaging objective and content,
• obtain required approvals,
• determine who will respond to questions,
• determine the most effective method(s) of communication,
• determine need for redundant communication (frequency and type),
• define primary communication methods:
- between GRC roles,
- between GRC roles and business roles, and
- between GRC roles and external stakeholders.
I2.2.05 Define communication/message interdependencies and how each fits into the overall landscape of other entity communications/messages.
This is not legal or professional advice. Please contact a professional regarding your specific needs.
I3 TECHNOLOGY & INFRASTRUCTURE
Enable the GRC system with a technology architecture that integrates with and, where appropriate, uses existing investments in technology.
Principles
01 Not everything has to be, or can be, automated; automate when it optimizes the organization’s cost and risk and the GRC performance objectives.
02 Using consistent tools to deliver similar processes offers efficiency and more accurate information.
03 Planning for GRC solutions benefits from early IT involvement in designing approaches, strategies and controls.
04 A partnership between GRC professionals and IT professionals with common understanding of needs, processes, and capabilities is essential to implementing the right technology.
Common Sources Of Failure
01 Not knowing what technology solutions are currently used in the organization to address GRC needs
02 Not knowing the solutions available and understanding what they do and do not provide
03 Not identifying the technology requirements for GRC throughout the organization
04 Not assessing existing technology components for applicability to identified needs
05 Not integrating existing technology solutions to share information where appropriate
06 Not including a GRC technology plan in the overall IT technology plan
Guidelines and Practices
I3.1 Assess Technology Needs and Gaps
I3.2 Develop GRC Technology Portion of GRC Strategic Plan
Key Deliverables
Plans
GRC Strategic Plan
Enabling Technology Components
Technology Arenas
Business Intelligence (BI) , Business Process Management (BPM) , Enterprise Content Management (ECM) , Enterprise Resource Management (ER) , Security Management (SM)
Business Applications
Budget & Finance Management (BFM), Business Activity Monitoring (BAM) , Business Rules (BR) Engines , Collaboration/Knowledge Management (KM), Contact/Customer Relationship Management (CRM) , Corporate Performance Management (CPM) , Dashboards (GRC Workflow), Documents & Records Management (DRM) , Email Management (EM), Project Portfolio Management (PPM) , Supply Chain & Procurement Management (SCM) , Transaction Management (TM)
GRC Core Applications
Controls Management & Monitoring (CMM) , Crisis Management (CMT) , Information Technology Audit (ITA) , Information Technology Risk & Compliance (ITRC) Management , Transaction Monitoring (TRM)
Infrastructure
Business Continuity Management (BCM), Configuration and Change Management (CCM), Disaster Recovery (DR) , Enterprise Architecture Standards (EAS) , Identity and Access Management (IAM) , Information Technology Operations (ITO) Management , Retention & Storage Management (RSM) , Systems Log Management (SLM)
I3 TECHNOLOGY & INFRASTRUCTURE
I3.1 ASSESS TECHNOLOGY NEEDS AND GAPS
Identify gaps and underperforming systems in the existing technology environment.
Core Sub-practices
I3.1.01 Identify key process controls that are less error-prone and more efficient if enabled by technology.
I3.1.02 Define GRC technology requirements.
I3.1.03 Understand the existing technology environment.
I3.1.04 Map functionality requirements to existing capabilities.
I3.1.05 Identify redundancies in existing technology solutions.
I3.1.06 Select, among existing systems, the system(s) that best fit functionality requirements.
I3.1.07 Identify unmet functional requirements.
I3.1.08 Identify priorities for solution enhancement or additions.
I3 TECHNOLOGY & INFRASTRUCTURE
I3.2 DEVELOP GRC TECHNOLOGY PORTION OF GRC STRATEGIC PLAN
Develop a plan for implementing technology to enable GRC processes and information flows.
Core Sub-practices
I3.2.01 Determine which technology solutions must share information or develop/store easily combined or compared information.
I3.2.02 Decide what existing solutions can and should be enhanced or extended to apply to similar needs in other parts of the organization or GRC system.
I3.2.03 Decide what new solutions should supplement or replace existing solutions.
I3.2.04 Decide whether to build or buy identified new solutions.
I3.2.05 Develop a plan for the prioritized initiatives to build, buy, or enhance technology capabilities using IT methodologies (GRC Technology Plan).
I3.2.06 Determine ownership and responsibility for ongoing resources and budget of enabling technology components.
I3.2.07 Reconcile timeline conflicts between GRC technology implementation priorities and the GRC strategic plan and IT strategic plan.
APPENDIX B - DELIVERABLES
DEL.A - Authorizations
DEL.A.01 - External Authorizations
a grant of approval, authority or acceptance from an entity or geopolitical authority outside the control of the organization receiving it
Referenced in: P3 , D1
DEL.A.02 - Internal Authorization
a grant of approval, authority or acceptance from an individual vested with accountability or responsibility for a particular activity, function, process, or entity
Referenced in: O1 , O3 , D1
DEL.A.03 - GRC System Charter
a document from a governing authority defining the purpose, objective and authorization of an individual or group to undertake activities within the specified scope
Referenced in: O1
DEL.A.04 - Segregation of Duties
a document reflecting that the responsibilities of some roles or positions should be kept distinct from the responsibilities of other roles or positions as a protective measure to prevent fraud, error, or conflict of interest
Referenced in: O3 , P3
DEL.D - Descriptions
DEL.D.01 - Role / Job Descriptions
a detailed explanation of the responsibilities and expectations of an individual in a particular role or job, generally including:
• accountabilities and supervisor/oversight responsibilities,
• reporting obligations,
• individual performance measures and objectives, and
• skills, qualifications and experience.
Referenced in: O2 , P3
DEL.D.02 - GRC Technology Data Model Descriptions
a document describing the structure and relationships among data within a key GRC Technology Component
Referenced in: P3
DEL.D.03 - Helpline FAQ Descriptions
a complete, detailed description of the questions that are frequently asked to the helpline, together with the preferred guidance and any information or related resources to provide to the caller or of use to the helpline staff
Referenced in: P4
DEL.D.04 - Exit Interview Checklist
a document listing the activities to be conducted and questions to be asked during an interview with an internal stakeholder before his/her departure from the organization
Referenced in: D3
DEL.I - Internal Standards
DEL.I.04 - Control Taxonomy
a common vocabulary for describing the categories of controls along several dimensions:
Dimension 1
- preventive,
- detective, and
- corrective controls
Dimension 2
- process,
- human capital,
- technology, and
- physical controls
Referenced in: D3
DEL.M - Matrices
DEL.M.01 - Policies and Related Procedures Matrix
a table correlating each policy to its attributes and other policies or procedures, and, optionally, to the training, reports or other sources for evidence of compliance
Referenced in: P2 , P3
DEL.M.02 - Prioritized Risk Matrix
a table correlating each risk to its attributes such as:
• classification or prioritization,
• sources of risk (event, trend, requirement, etc.),
• inherent risk analysis (likelihood, impact, duration),
• current implemented optimization activities,
• current residual risk analysis (likelihood, impact, duration),
• planned optimization activities, and
• planned residual risk analysis.
Referenced in: A1 , A2 , A3 , P3 , P4 , P5 , P6 , R5 , M1 , M3
DEL.M.03 - Risk / Control Matrix
a listing of risks mapped to related preventive, detective and corrective controls.
Referenced in: P3 , R3
DEL.P - Plans
DEL.P.01 - Awareness and Education Plan
a synopsis reflecting the order, timing, audience, and responsibility for all communications and educational activities to be undertaken over the course of a year or multiple years to promote general awareness of:
• the organization's commitment to meeting its GRC requirements;
• the GRC system capabilities;
• the avenues for resolving questions about GRC responsibilities and expectations;
• the GRC system activities designed to meet GRC requirements, and
• to educate regarding the specific responsibilities of the general workforce, the extended enterprise, and those in GRC specific roles.
Referenced in: P4
DEL.P.02 - Communication and Reporting Plan
a schedule that sets out the structures, processes and resources to deliver information (whether to inform or to persuade) to those with authority and responsibility to act at appropriate times to affect or monitor a program or initiative. A plan would include:
• target audience,
• objectives of the communication,
• method of delivery,
• timing of delivery,
• who is accountable and responsible for the communication and who should be consulted regarding the communication, and
• for a series of communications, the dependencies between them and relative timing.
Referenced in: P7 , D1 , D2 , I2
DEL.P.03 - Crisis, Continuity and Recovery Plan
a document or series of documents that sets out the structures, processes, protocols and resources to respond to a crisis event, to deliver interim operations pending full resumption of business and to recover from the impacts of an adverse event. Such plans would include:
• names and contact information for key response personnel,
• identification and responsible owners of key assets, processes, systems, supply relationships, and customer relationships,
• designation of safety, evacuation coordinators and evacuation sites and paths,
• key stakeholder contact points (police, fire, utilities, media, employee representatives, investor relations, analysts, etc.), and
• components of this deliverable would include:
• succession of authority;
• emergency operations plan;
• interim operations plan;
• information systems recovery plan;
• resumption of operations plan;
• emergency operating procedures; and
• test plans.
Referenced in: R4 , I1
DEL.P.05 - GRC Information Management Plan
a document that sets out the structures, processes and resources to manage GRC information throughout the information life-cycle. Would include:
• classification schema for records, and
• policies and procedures related to:
• capture of information;
• access, use and transfer of information; and
• storage, retention, disposition and retrieval of information.
Referenced in: I1
DEL.P.06 - GRC Strategic Plan
a document that details the structures, processes, technologies, resources, objectives and measures to establish and maintain the capability needed to achieve the mission and vision. Components would include:
• charter,
• mission / vision statement,
• outcomes and maturity milestones (with correlation to business objectives),
• business case,
• measurement strategy (metrics, indicators, calculation method, frequency of measurement, nature and frequency of reporting),
• organization chart,
• human capital / vendor relations plan (for implementation and ongoing operations),
• financial plan (start-up and operations),
• technology plan,
• assurance plan, and
• implementation plan.
Referenced in: C3 , O1 , O3 , M2 , M3 , I3
DEL.P.07 - Investigation Management Plan
a document that sets out the structures, processes, protocols and resources to perform and conclude an investigation. Plan would include:
• investigation governance structure,
• investigation team,
• communication and reporting plan,
• operating and communication procedures,
• budget,
• projected schedule of activities, and
• technology plan (for team management, investigation management, and information management).
Referenced in: R1 , R2
DEL.P.08 - Risk Optimization Plan
a document that sets out the strategy, structures, processes, activities, and resources to optimize the organization's risks. Would include:
• risk,
• risk classification,
• optimization strategy,
• optimization activities,
• residual risk objective,
• initiative completion and acceptance criteria,
• budget,
• human capital plan,
• technology plan,
• implementation timeline and milestones, and
• measurement plan (project performance and outcomes).
Referenced in: A3 , P3 , P4 , P5 , P6 , M1 , M2 , M3
DEL.P.09 - Specialized GRC Curriculum Plan
a synopsis reflecting the order and timing of all courses of study for each of the GRC system roles; may include a detailed description of each course:
• name of course,
• course objectives,
• skills to be attained, and
• options for attendance (online, video, live) together with the skills pre-requisites for each course.
Referenced in: O2
DEL.P.10 - Corrective Control Activity Plan
a plan that details the steps to stop or slow an adverse event from impacting an organization and to restore the system to a stable state.
Referenced in: R3
DEL.R - Reports
DEL.R.01 - Filings
an official document submitted to a governmental authority (administrative, regulatory, legislative or judicial).
Referenced in: P7 , D3 , R1 , R2 , R5
DEL.R.02 - Findings and Recommendations Report
a presentation or statement of the outcome of an activity or analysis together with recommendations for change and/or improvement.
Referenced in: P1 , P3 , P4 , P5 , D2 , D3 , R1 , R2 , R4 , R5 , M1 , M2 , M3 , M4
DEL.R.03 - Corrective Action Report
a listing of corrective control activities performed in the period under analysis, grouped by type of corrective control as well as category of adverse event corrected. Information from prior periods may be included for comparison and analysis. Completed, ongoing and future activities should be detailed relative to plan.
Referenced in: R3
DEL.S - Statements of Position
DEL.S.01 - Code of Conduct
a guide linking an organization's values and principles with rules of professional conduct
Referenced in: P1
DEL.S.02 - Ethical Decisions Guidelines
the organization's recommendation on the factors to consider along with applicable requirements, policies and philosophies in determining the proper course of action when faced with an ethical dilemma
Referenced in: P1
DEL.S.03 - Mission/ Vision/ Values Statement
an oral or documented description of the main aims, core beliefs, values, intended future state and overall plan that guide the organization's actions and inspire people to act toward that future state
Referenced in: C4
DEL.S.04 - Statement of Organizational Objectives
a declaration of the tangible results that the organization expects to achieve through execution of its mission and vision
Referenced in: C4
APPENDIX C - TECHNOLOGY COMPONENTS
TECH.A - Technology Arenas
TECH.A.01 - Assurance & Audit Management (AAM)
Systems used to manage audit cycles and output; this includes audit resource scheduling/calendaring, audit work paper management, and audit process management. Utilizing audit action plans and results as information input, this component drives audit reviews of GRC capabilities. Additionally, the audit management component maintains reports and findings documents associated with financial and technology systems and operational audits for internal and external reporting purposes.
GRC Capability Model Elements: A1, I1, R1, R2, R3, M4
Referenced in: A1 , R2 , R3 , M4
TECH.A.02 - Business Intelligence (BI)
Systems, processes and applications that manage the collection, integration, analysis, and presentation of all layers of planning, operational, procedural and decision-making information. BI often includes Business Activity Monitoring (BAM) functions as part of the workflow (user responsibilities, action review and consequence evaluation) control mechanism. BI is most often implemented in role-based or customized user information dashboards.
GRC Capability Model Elements: C2, C4, A1, A2, A3, I2, M1, M2
Referenced in: C2 , C4 , A1 , A2 , A3 , M1 , M2 , I2 , I3
TECH.A.03 - Business Process Management (BPM)
Systems that model, test, manage and deliver business and activity-based information flows in modules that associate forms, documents, rules and procedural triggers with defined processes so that the appropriate actions are consistently executed according to the policies and practices of an organization.
GRC Capability Model Elements: C2, O3, P1, P3, P4, D1, I1, I3, M1, M3
Referenced in: C2 , O3 , P1 , P3 , P4 , D1 , M1 , M3 , I1 , I3
TECH.A.04 - Corporate Governance (CG) Corporate governance systems, processes, frameworks and policies support the overall coordination of an organization’s board and management responsibilities in accordance with legal, fiduciary and operational requirements. Corporate governance tools and information may be synchronized for the purpose of a GRC program management office under the leadership of the Board. GRC Capability Model Elements: C1, C2, C3, C4, O1, O2, O3, P1, P2, P4, P5, P6, I1, I2, M2, M3, M4
Referenced in: C1 , C2 , C3 , C4 , O1 , O2 , O3 , P1 , P4 , P5 , P7 , M2 , M4 , I2
TECH.A.05 - Enterprise Content Management (ECM)
Software and storage systems used to manage the creation, use, editing, transfer, archiving and disposal of structured and unstructured information, including documents and records, in a wide variety of physical and electronic formats and media. GRC Capability Model Elements: C4, A1, P1, P2, P3, P4, D2, R1, R2, I1, I2, M1
Referenced in: C4, O2, O3, A1, P1, P2, P3, P4, P5, D1, D2, R1, R2, M1, I1, I2, I3
TECH.A.06 - Enterprise Resource Management (ER)
Enterprise resource systems are used to manage the formatting, integration and processing of core business information related to transactions, physical operations, projects, budgeting, supply chains, logistics, customer, partner and supplier interactions, human resources and general organizational procedures. ERP systems are generally composed of a business rules engine with integrated sub-systems and information input from a single or multiple databases. Multiple GRC-related processes - including audit, control and reporting functions - are supported by these systems. GRC Capability Model Elements: C2, O2, O3, A1, P3, P4, P5, I1, M1
Referenced in: C2, O2, O3, A1, P3, P4, P5, M1, I2, I3
TECH.A.07 - Enterprise Risk Management (ERM)
ERM systems manage the implementation of frameworks and processes that apply parameters, indicators, measures, consequential outcomes and business scenarios related to financial and non-financial risks. ERM systems incorporate mandatory and voluntary obligations, key objectives, causality and key risk indicators in order to map the impacts of non-compliance (including the failure to meet business objectives or performance indicators), assess the organization’s risk appetite and drive the development of risk prevention strategies. ERM systems include historical analysis, objective-setting and recommended actions regarding financial, logistics, supply chain, product management, services, regulatory, political, market, third-party and physical conditions. GRC Capability Model Elements: A1, A2, A3, P2, P3, P4, P5, P6, P7, D1, D3, I1, I2, R1, R4
Referenced in: C3, A1, A2, A3, P3, P4, P5, P6, P7, D1, D3, R4, R5, M2, I2
TECH.A.08 - Human Resources Management (HRM)
HRM systems record, administer and report all information and activity related to employees and employment processes, inclusive of hiring, salaries, payroll, income taxes, training, work incidents, promotions, performance and departures and the records related to all applicable organizational policy and labor laws. Learning Management Systems are often implemented as part of or integrated with HRM systems. GRC Capability Model Elements: C2, C3, O2, A1, P4, P5, P6, R4, I2, M1
Referenced in: C2, C3, O2, A1, P4, P5, R4, R5, M1, I2
TECH.A.09 - Security Management (SM)
Security Management encompasses systems, components, processes and frameworks that govern and implement the assurance of data integrity, information incorruptibility, system protection, segmented user access, data privacy, and asset and employee protection throughout the architecture and information management infrastructure of an organization. GRC Capability Model Elements: O2, A3, P1, P2, P3, P5, D3, I3, R3, R4, R5, M2, M4
Referenced in: A3, P1, P2, P3, D3, R3, R4, R5, M2, M4, I3
TECH.B - Business Applications
TECH.B.01 - Board Management (BM)
Board management systems record and maintain information regarding the Board of Directors' members, obligations, meetings and actions so as to provide evidence of accountability, effective dates for approval of action plans, policies and decisions impacting organizational structure, roles, responsibilities and requirements. The related technology focuses on board calendaring, communications and board papers and reports maintained by the Board Secretary.
Referenced in: C3, C4, O1, O2, I1
TECH.B.02 - Brand & Reputation Management (BRM)
Brand & reputation management systems and processes track, report on and respond to an organization’s activities and customer, employee, partner and shareholder opinions about those activities. The resulting information is used to guide public relations and marketing efforts that focus on improving brand perception and corporate trustworthiness.
Referenced in: C1, C4, O1, P3, P4, R3, M1, I2
TECH.B.03 - Budget & Finance Management (BFM)
Systems and tools that manage the financial planning, budgeting, resourcing, and cost analysis for an organization. Financial information may be managed on spreadsheets and other desktop documents or in modules that are part of or integrated with enterprise resource planning (ERP) systems. Information from budget and finance management systems is used to support core metrics for GRC objectives. The identification of issues flagged by these systems provides key detective controls.
Referenced in: O3, A3, M3, I3
TECH.B.04 - Business Activity Monitoring (BAM)
BAM applications are used to monitor, analyze and support changes to the workflow, decision-making and accountability processes in an organization to help optimize task effectiveness and process efficiency. Typically, the associated data analysis - via a management tool like the Balanced Scorecard - is displayed in a corporate dashboard so that personnel can review activities and take recommended actions.
Referenced in: O2, O3, P3, D1, D3, R1, M2, I2, I3
TECH.B.05 - Business Rules (BR) Engines
Business rules engines automate the organization, data input, use and logical flow of information in enterprise software related to defined business processes, transactions, operational guidelines, policies and objectives. Business Rules Engines are often an inherent or integrated component of BPM systems.
Referenced in: P3, D1, D3, I1, I3
TECH.B.06 - Collaboration/Knowledge Management (KM)
Collaboration and knowledge management systems assist decision-makers to share, update, prioritize and send information regarding the development and review of principles, policies, actions and the actual and recommended responses to risks. Decision-makers are able to initiate a formal review process for approval of new or changing obligations through the collaboration functions of a knowledge management system. These systems include meeting, scheduling and decision-support capability via role-based dashboards.
Referenced in: C1, C2, C3, O1, O2, P4, D1, M1, M2, I1, I2, I3
TECH.B.07 - Contact/Customer Relationship Management (CRM)
CRM systems record and organize customer, partner, affiliate, and supplier information, including contact and entity identification, and information regarding meetings, offers, joint projects, services, specific communications and sales. As CRM systems track external information exchanges, they are used to support corporate communications policy, planning and stakeholder relations.
Referenced in: C1, P7, M1, M3, I1, I2, I3
TECH.B.08 - Contract Management (CM)
Contract management tools provide the ability to create, manage, store, change, deliver and append all business-related contracts (with suppliers and clients) and apply organizational policies and procedures, as well as specific legal and local regulatory criteria, to their administration. Contract Management systems feed key information about organizational requirements and compliance obligations to other GRC systems.
Referenced in: A1, A2, P3, M1, I1
TECH.B.09 - Corporate Performance Management (CPM)
CPM systems apply defined parameters to organize and present data supplied by other business information management platforms, in order to provide the organization with analysis as to how well management, departments and the organization as a whole performs against identified obligations, objectives, competitors, the industry and the marketplace. Performance management tools including the Balanced Scorecard are typically implemented in CPM systems.
Referenced in: C3, C4, O1, O3, P5, D3, M1, M2, M3, I2, I3
TECH.B.10 - Dashboards (GRC Workflow)
Dashboards provide users with “instrument panels” to represent role-based information derived from core enterprise data. Dashboards apply operational and financial risk and performance indicators to represent current status and provide the means to analyze operating conditions for specific users and departments. Dashboards can be implemented as aggregate visualization tools for multiple information systems and are inherent in Business Intelligence and related enterprise systems.
Referenced in: O1, D1, D3, M1, I2, I3
TECH.B.11 - Documents & Records Management (DRM)
Document and record management systems and applications that administer the creation, organization, use and transfer of structured documents and records in various formats and media. Records management systems often integrate with or are components of more comprehensive enterprise content management or storage systems.
Referenced in: O1, O2, O3, A1, A3, P1, P2, P3, P4, P7, D2, D3, R1, R2, R4, I1, I2, I3
TECH.B.12 - Email Management (EM)
Stand-alone or integrated systems that work with email servers to capture, organize, analyze, archive and create report logs on email messages. Email management systems capture and preserve email traffic flowing into and out of email servers so they can be accessed quickly from a secure, centrally managed location. When the need arises to search the content of email for internal investigations or for a court-ordered legal discovery, organizations can search archived email records using search tools embedded in these systems. Email management can be used as a vehicle for establishing and enforcing compliance-related obligations across an organization.
Referenced in: P1, P3, R1, R2, M1, I1, I2, I3
TECH.B.13 - Employee Evaluations & Surveys (EES)
Systems used to define an organization’s positions and roles; establish individual performance standards; record individual performance and requirements for managers; performance remediation procedures; and certification, promotion, transfer and termination criteria and related actions for all employees. Employee evaluation systems are typically a sub-component of - or integrated with - human resource management (HRM) systems. Survey and assessment results included in employee evaluations provide data to support audit, risk and compliance management, learning management and corporate performance management systems. Employee evaluation systems provide an organization with assurance that codes of conduct and policies have been read, understood and agreed to by staff. These systems provide the ability to record certifications and to track and report exceptions. Incentives and controls around employee recognition, promotion and censure necessitate the use of evaluation systems across an organization.
Referenced in: C3, O2, P1, P5, D2, M1, M2, I1, I2
TECH.B.14 - Enterprise Asset Management (EAM)
Enterprise asset management systems administer and support accounting, inventory management, use, and disposal of physical, intellectual, and electronic assets in an organization, with the purpose of optimizing their value. EAM includes the organization of information and processes used to design, construct, commission, operate, maintain and replace an organization’s property, equipment, technology assets and facilities. EAM supports information technology asset acquisition, use, disposal and strategic decisions regarding the optimization of components in the information technology environment. EAM processes and data support the implementation of operational and financial controls and the tracking of control violations.
Referenced in: C2, A2, M1, M2, I1
TECH.B.15 - Intellectual Property (IP) Management
IP management systems help identify, capture, organize and protect the organization's portfolio of intellectual property (copyrights, trademarks, patents, trade secrets and all related intangible assets with inherent value).
Referenced in: C1, C2, I1, I2
TECH.B.16 - Learning & Training Management (LTM)
Learning and training management systems store course curricula and record and administer the training course requirements, question content, question distribution, test scoring, scoring level indicators, suspend data and training results. LTM Systems feed the appropriate employee, evaluator and management dashboards and related reporting repositories with data on the status of individual, departmental and organization-wide training and skills certification. LMS provides the organization with the ability to test the effectiveness and implementation of policies by all staff members.
Referenced in: O2, A2, P2, P4, I2
TECH.B.17 - Legal Entity Management (LEM)
Legal entity management systems record and maintain information regarding the registered organizational structure, company bylaws, directors and executive managers. Legal entity management systems store organization-defining legal documents and administer the procedures for maintaining credentials, licenses and the qualifications to conduct business.
Referenced in: C2, O3, A1, P3, P6, D3, M1, I2
TECH.B.18 - Loss Management (LM)
Databases and related systems designed to record and maintain information regarding the conditions, decisions, actions, outcomes, costs, analysis and recommendations associated with operational and financial losses in the organization. These systems collect and manage internal loss information and litigation-related loss portfolios, as well as analyze external loss database information for benchmarking purposes. Loss management systems may be integrated with enterprise risk management systems.
Referenced in: A1, A2, P6, D3, R1, R2, R3, R4, R5, M2, M4, I1, I2
TECH.B.19 - Policy & Procedure Management (P&P)
Policy and procedure management systems help develop, record, organize, modify and administer organizational policies and obligations, in response to new or changing requirements or principles, and correlate them to one another. Policy and procedure management systems help the organization to execute new and revised policies, including control-based activities, procedures that follow regulatory mandates, and criteria that conform to the organization’s risk profile. Workflow rules enable changes to be processed and shared between areas of the organization that may be impacted and to update policies, procedures and compliance plans as required. A critical component of policy and procedure management functions is the awareness management system used to document the organization’s, specific departments’ and managers’ activities that inform employees of policy, contractual, market and regulatory obligations (including the effective dates of new policies and procedures).
Referenced in: C3, P1, P2, P3, P4, P5, R3, M2, M3, M4, I1, I2
TECH.B.20 - Project Portfolio Management (PPM)
PPM applications record and maintain project plans, activities, schedules, resources, and budgets, and provide cost data, cost projections and project-level performance analysis. PPM systems may be implemented as an ERP component and may provide the mechanism for managing project procedures and timelines in other enterprise systems, including those devoted to Learning Management, Risk Management, Audit Management, and Event Management.
Referenced in: A1, A3, M1, M2, M3, I1, I3
TECH.B.21 - Quality Management & Monitoring (QMM)
Quality management systems record, benchmark, track and manage processes related to product and service quality assessments and the certifications, production failures, product recalls, design and delivery improvements and their related regulatory guidelines. In addition, corrective action/preventive action (CAPA) components may be used as part of quality management systems to document adverse issues and events and the actions taken to correct them. Quality management systems provide relevant data for warranty guidelines as well as case management for discovery and investigations.
Referenced in: A1, P3, D3, R3, M2, M3, I1
TECH.B.22 - Strategic Planning (SP)
Strategic planning systems and applications define the criteria and objectives, manage the process and workflow, maintain related documents and provide scenarios for multiple phases of operational and financial planning in an organization. Strategic Planning is implemented with the oversight and guidance of senior management expressing and implementing the objectives of the C-Suite and the Board.
Referenced in: O3, A3, R3, R4, M1, M2, M3, I1, I2
TECH.B.23 - Supply Chain & Procurement Management (SCM)
SCM platforms govern, record and maintain the format and process of information related to logistics planning, production cycles, production supplies, purchasing, related transactions, plant operations, manufacturing budgets, the transportation of supplies and finished goods and the overall management of physical manufacturing processes.
Referenced in: P1, P2, P3, R3, M1, M2, I3
TECH.B.24 - Transaction Management (TM)
Transaction management systems record, format, conduct and report on live and historical financial and operational transaction data related to counterparties, third parties, business accounts, domestic and international transfers, and receivables and payables. An organization’s transaction management systems are part of a larger network of information exchange systems including third parties and financial institutions interacting with the extended enterprise.
Referenced in: P3, P6, R3, M3, I3
TECH.G - GRC Core Applications
TECH.G.01 - Accountability/Responsibility Management (ARM)
Accountability management systems help organizations associate responsibilities with compliance obligations, corporate policies, procedures, business contracts and operational and financial risk mitigation to provide insight and guidance on individual, departmental and management roles and accountability. The performance of obligations is tracked through regular assessments and workflow rules escalate obligations where necessary. Reports track exceptions and outstanding actions across the organization. Organizational mapping systems that associate the organizational structure, job titles and positions with compliance, risk and governance-specific roles and responsibilities, including those assigned to the management hierarchy throughout the extended enterprise, offer a practical implementation of accountability management in human resources management systems.
Referenced in: O1, O2, O3, A1, P3, P5, D1, R4, R5, I2
TECH.G.02 - Audit Analytics (AA)
Audit analytics tools provide the ability to independently analyze and test transactions and system settings in order to determine whether they comply with controls that are intended to be in place, as well as to identify instances of error and fraud. Audit analytics help identify transactions and business activities for which no effective controls are established. Audit analytics can also be used for ad hoc testing or for automated testing. The latter may be run on a continuous basis to provide notification of errors, fraud and other risk and control concerns.
Referenced in: A2, R1, R2, M4, I1
TECH.G.03 - Controls Management & Monitoring (CMM)
Controls management and monitoring systems provide the ability to define, record, map, monitor, change, alert and report on sub-domain information processing (financial and operational data), including the limitations or conditions applied to amounts and parties in a transaction; user access, rights, and responsibilities; and accounts, workflows, and process initiation. Controls management and monitoring employs rules derived from organizational policies, risk profiles, risk objectives, compliance obligations, policies and procedures. Controls management includes feeds from surveys and assessments that evaluate employee understanding of individual and departmental responsibilities. These systems also provide the ability to record actions and remediation in relation to risks, incidents, controls, compliance obligations and Key Risk Indicators.
Referenced in: O3, P1, P3, D3, R3, R5, M1, M2, M3, M4, I3
TECH.G.04 - Corporate Compliance (CC)
Corporate compliance systems support the overall coordination of an organization’s responsibilities and the associated tasks and records required for compliance with legal, industry and corporate policy-based standards and procedures. Corporate compliance information may be integrated for the purpose of supporting the functions of a general compliance program management office under the direction of a Chief Compliance Officer. Corporate compliance management functions include the myriad tasks of data gathering, analysis, monitoring and reporting that make use of the data sources, information processes, and repositories identified throughout the GRC Management Technology Arenas.
Referenced in: C1, C2, C4, O1, O2, O3, P1, P2, P4, P7, M2, M3, I1, I2
TECH.G.05 - Corporate Social Responsibility (CSR)
CSR tools help document the objectives, organize contextual news feeds, assign responsibilities, and recommend actions and methods for monitoring, reporting and altering activities designed to improve an organization’s perceived relationship with the local and broader community, focused on the impact to its reputation, brand, and market growth. Environmental, Health and Safety (EHS) systems provide a relevant source of data input for CSR management systems.
Referenced in: C1, C2, C3, C4, O1, O2, O3, P1, P2, P3, P4, P7, R5, M1, M2, M3, I1, I2
TECH.G.06 - Crisis Management (CMT)
Crisis management systems and applications help evaluate and monitor catastrophic events, support the implementation of decisions taken by management to prevent further damage, recover and sustain business activity and maintain credibility after the event or events, and examine the effect of those decisions. This information and the resulting processes are instrumental in the organization’s ability to perform loss recovery and to improve loss prevention methods.
Referenced in: A1, A2, A3, P3, P4, P6, D1, D3, R1, R3, R4, I2, I3
TECH.G.07 - Discovery (eDiscovery)
eDiscovery tools assist in uncovering, segmenting, organizing and storing electronic forms of evidence that can be used in an investigation, both before and after the occurrence of the related events, including tools that separate potential discovery documents from their original locations and repositories. eDiscovery tools are often used as a component of or may be integrated with retention technologies.
Referenced in: R1, R2, M1, M4, I1, I2
TECH.G.08 - Employment Compliance Management (EC)
Employment compliance applications help gather, organize and report data that assists legal counsel, human resources and compliance officers with the administration of legal requirements regarding their employees and employment practices. The employment domain of compliance includes laws in every locality and industry context, involving multiple agencies across jurisdictions with authority over wage and hour requirements, anti-discrimination regarding the hiring, treatment and termination of employees, employee health and safety, employer relations with unions and the collective bargaining process, and related activities. Systems that serve employment compliance data and reporting may be part of or provide input to health & safety, human resources, hotline, learning & training and corporate compliance information management resources.
Referenced in: C1, P7, I2
TECH.G.09 - Enterprise Risk Assessment (ERA)
Enterprise risk assessment applications support the identification and evaluation of an organization’s exposures to risk by means of internal audit. These systems aid the internal audit function to monitor and assess the effectiveness of the organization’s risk management system by evaluating risk exposures relating to the organization’s governance, operations, and information systems. The scope of enterprise risk assessment audit includes the reliability and integrity of financial and operational information, the effectiveness and efficiency of operations, the status and security of assets, and compliance with applicable laws, regulations, and contracts.
Referenced in: A1, A2, R1, R2, R5, M4, I1
TECH.G.10 - Environmental, Health & Safety (EH&S) Management
EH&S applications help manage the regulatory and policy-based guidelines and processes for protecting the workforce, workplace, resources under management and external environment impacted by an organization’s activities. EHS systems manage the related regulatory and contractual data, including the conditions, requirements, incidents, reporting and exceptions to applicable guidelines. These systems assist the execution of management responsibilities, submission of related forms, and implementation of policies and procedures. EHS systems are also used to monitor environmental conditions, emissions, and controls and report thresholds within defined key risk and performance indicators. GRC Capability Model Elements: C1, C2, C4, O1, O2, O3, P1, P2, P3, P4, P6, P7, I1, M2, M3
Referenced in: C1, C2, C4, O1, O2, O3, P1, P2, P3, P4, P6, P7, R4, M2, M3, I1
TECH.G.11 - Environmental Monitoring & Reporting (EMR)
Environmental monitoring systems and related applications help monitor, analyze and record organizational activity focused on compliance with environmental laws and corporate policy related to managing environmental controls and conditions. Such systems help evaluate and report the results of monitored activity and subsequent actions to designated regulatory authorities, shareholders and to the general public. Specifically, environmental monitoring systems track and report on the release of pollutants exceeding mandated thresholds to the air and to water sources and land owned or occupied by the organization, as well as the transfers of wastes to both public and privately-held properties.
Referenced in: A1, A2, P2, P4, P6, D1, D2, R1, R2, R3, M1, M2, M4, I1, I2
TECH.G.12 - Ethical Practices/Corporate Integrity (ECI) Systems that help an organization to identify, correct and reinforce ethical business policies and the enforcement of ethical employee behavior in relationships with government officials, shareholders, business partners and customers are identified as corporate integrity tools. Information gathering of this nature may serve both Legal Counsel and Chief Ethics Officers in exposing illegal and corrupt business practices on the part of individual employees. The maturation of practices involving corporate philanthropy and social responsibility may be assisted by these systems in supporting the broader will of the Board and senior management regarding the organization’s overall mission and reputation. GRC Capability Model Elements: C2, C3, C4, O2, O3, P1, P2, P4, P5, P6, I2, M1, M2, M3
Referenced in: C2 , C3 , O2 , O3 , P1 , P4 , P5 , P7 , M1 , M2 , M3 , I2
TECH.G.13 - Finance & Treasury Risk (FTR) Management Finance and Treasury risk management involves an array of applications and systems used to identify and manage the risk factors, causes and remediation procedures in an organization’s financial and treasury positions. These applications include the identification, monitoring and administration of trade surveillance, structured finance, assets and liabilities and credit, market (foreign exchange, interest payments), margin, capital, collateral, and liquidity-related risks.
Referenced in: A1 , A2 , P3 , P6 , M4
TECH.G.14 - Financial Assurance & Audit (FAA) Financial audit systems help manage the financial audit cycles and output including audit resource scheduling/calendaring, audit work paper management, and audit process management. Utilizing audit action plans and results as information input, this component drives audit reviews of financial risk and compliance capabilities.
Referenced in: A1 , A2 , R2 , R3 , M4 , I1
TECH.G.15 - Fraud Detection & Prevention (FDP) Fraud detection and prevention systems assist in the identification, control, and reduction of incidents involving deliberate employee misuse or misapplication of an organization’s resources and assets in order to obtain money or property. The indication of criminal acts involving bribery, forgery, and related violations is the information domain of the legal, ethical and compliance officers and responsibilities of the organization. Information regarding actual or indicated acts of fraud may be part of or provide input to legal matter management systems.
Referenced in: A1 , A2 , P3 , P5 , D1 , D3 , R1 , R2 , M1 , M4 , I1
TECH.G.16 - Geo-Political Risk (GPR) Management Systems that track, evaluate and report on the risks inherent in conducting business in and sourcing services from markets around the globe are identified as geo-political risk management solutions. Processes in place to monitor and to recommend responses to potential threats to the provision and delivery of products and services include monitoring local election processes and outcomes, changes in executive and legislative power structures, political party and labor union activities, as well as the military, security and international relations profiles of the countries in which the organization is active.
Referenced in: C1 , C2 , O1 , A1 , A2 , A3 , P3 , P4 , P6 , D1 , D3 , R3 , M1 , M2 , I2
TECH.G.17 - Global Trade Compliance (GTC)/International Dealings Systems and applications that document and manage relevant regulations for the exchange of capital, goods and services across international boundaries and territories are global trade compliance applications. Data inputs from manufacturing, supply chain, logistics, and financial and outsourced services contract management systems are critical to the effective administration, process review, legal analysis and regulatory reporting requirements (including the Foreign Corrupt Practices Act and similar laws) executed with the assistance of global trade compliance systems.
Referenced in: C1 , C2 , C3 , O2 , O3 , P1 , P2 , P3 , P4 , P5 , D1 , D3 , R1 , R2 , R4 , M1 , I1
TECH.G.18 - Helpline The corporate helpline is the employee information intake and response system designed to provide the required data regarding corporate policy and legal advice as well as a resource for employees to understand guidelines in reporting observations related to potential acts of internal fraud, negligence or impropriety committed by co-workers, partners or contractors.
Referenced in: O3 , A1 , P1 , P2 , P4 , P5 , D1 , D2 , M2 , I2
TECH.G.19 - Hotline/Whistleblower The employee hotline information intake and response system is designed to provide a confidential, independent resource for all employees to report observations related to potential acts of internal fraud, negligence or impropriety committed by co-workers, partners or contractors.
Referenced in: O3 , A1 , P1 , P2 , P4 , P5 , D1 , D2 , D3 , M2 , M4 , I1
TECH.G.20 - Information Privacy Management (IPM) Information privacy management systems and tools help to identify, capture, segment, and secure access to and use of personally identifying information across information sources, applications and users.
Referenced in: A3 , P1 , P2 , P3 , P4 , P7 , D3 , R4 , M1 , I1
TECH.G.21 - Information Technology Audit (ITA) IT audit systems and related tools provide the ability to detect inconsistencies and recommend and record actions in relation to information systems, applications and data management risks, controls, and compliance-specific obligations. GRC Capability Model Elements: A1, A2, I1, I3, R1, R2, R3, R4, M3, M4
Referenced in: A1 , A2 , R1 , R2 , R3 , R4 , M3 , M4 , I1 , I3
TECH.G.22 - Information Technology Risk & Compliance (ITRC) Management IT risk and compliance management systems implement the frameworks and principles that govern risk controls and compliance-guided elements in the planning, development, acquisition, delivery, use, integration, evaluation and retirement of information technology resources. GRC Capability Model Elements: A1, A2, A3, P2, P3, D3, I1, I3, R3, M3
Referenced in: C2 , A1 , A2 , A3 , P2 , P3 , D3 , R3 , M3 , I1 , I3
TECH.G.23 - Insurance & Claims Management (ICM) Insurance and claims management platforms record and administer an organization's corporate insurance, liability and warranty coverage levels and documents (including property and casualty, product liability, director’s and officer’s, and related areas of core coverage) and help execute the related claims, process the forms and monitor claims administration procedures across jurisdictions. Compliance obligations, identification of key risks and risk optimization strategies are supported by insurance and claims management systems.
Referenced in: A1 , A2 , P2 , P3 , P5 , P6 , R1 , R2 , M2 , I1
TECH.G.24 - Legal Matter Management (LMM) Also referred to as event management, incident management or issue management, legal matter management systems track the remediation and investigation processes, role-based responsibilities, legal and regulatory requirements, and associated costs and losses due to specific operational and compliance issues or incidents. Matter management systems administer the collection of facts related to events under investigation, for use in verifying their circumstances, in order to provide valid information for testing by independent parties with the confidence that the information provided is related to these events. These systems help manage litigation risks and strategies, and include legal hold and case management tools to organize the production and analysis of culled documents both before and after the occurrence of related events, including the tools to separate potential discovery documents from production repositories.
Referenced in: C1 , C2 , O2 , O3 , A1 , A2 , P2 , P4 , P7 , D1 , D2 , R1 , R2 , R4 , M2 , M4 , I1
TECH.G.25 - News Feeds (GRC Intelligence) Internet and intranet feeds of legal, risk and regulatory-related updates, corporate actions, agency reports, court decisions, and business practices assist the GRC intelligence capability of the entire organization. This live information provides the organization with a means of remaining constantly informed of new obligations and of changes to current obligations. This information feeds Policy and Procedure Management systems with the ability to monitor and identify changes to legislation, codes and other regulations which impact the organization.
Referenced in: C1 , C2 , A1 , A2 , P4 , P7 , M1 , I2
TECH.G.26 - Operational Assurance & Audit (OAA) Operational audit tools are used to help manage operational review cycles including resource scheduling/calendaring and resource audit process management. Utilizing audit results as information input, this component drives reviews of process management and resource allocation. Additionally, the audit management component maintains reports and findings documents associated with financial and technology systems for internal and external reporting purposes. GRC Capability Model Elements: A1, A2, P3, D3, I1, R1, R4, M3, M4
Referenced in: A1 , A2 , P3 , P6 , D3 , R1 , R4 , M3 , M4 , I1
TECH.G.27 - Operational Risk Management (ORM) Operational risk management systems and applications help implement policies and processes that define parameters, indicators, consequential analysis and “what-if?” scenarios for risks that derive from performing tasks and from passive activities. Operational risk indicators help to identify consequences for performance-related failures and drive the development of risk mitigation strategies. Such systems include the automation of empirical and scenario-based analysis and courses of action and their likely outcomes regarding logistics/supply chain, services delivery, third-party, employee-related and physical disruptions. GRC Capability Model Elements: C1, C2, O2, O3, A1, A2, P1, P2, P4, P7, D1, D3, I1, R1, R4, M1, M2
Referenced in: C1 , C2 , O2 , O3 , A1 , A2 , P1 , P2 , P4 , P6 , D1 , D3 , R1 , R4 , M1 , M2 , I1
TECH.G.28 - Reporting/eFiling (REF) Reporting and electronic filing systems and applications manage prescribed financial, operational and audit reporting requirements and the associated electronic filing format templates in addition to supplying the appropriate template to the reporting systems where the reports must be submitted and reviewed. GRC Capability Model Elements: O1, O1, P2, P6, D2, I1, I2, M2
Referenced in: O1 , O2 , P2 , P7 , M2 , I1 , I2
TECH.G.29 - Risk Analytics (RA) Risk analytics tools provide and implement parameters, benchmarks, models, tests, scenarios and recommendations for managing event probabilities and their consequences. Risk Analytics and Modeling systems help identify specific causes and execute historical review, simulation, interpretation and projection of impacts on an organization’s operations, assets, or individuals, given the potential consequences of events and the likelihood of events occurring sequentially or simultaneously. This function may include advanced techniques used to analyze decisions, communications and user behavior in order to identify norms for an organization and detect undesirable events outside a given set of criteria or permissions. GRC Capability Model Elements: O2, O3, A1, A2, P1, P2, P3, D1, D3, I1, R1, R4, M1, M2
Referenced in: O2 , O3 , A1 , A2 , P1 , P2 , P3 , P6 , D1 , D3 , R1 , R4 , R5 , M1 , M2 , I1 , I2
TECH.G.30 - Transaction Monitoring (TRM) Transaction monitoring provides the ability to analyze and test financial and operational transactions in order to determine if they comply with defined rules or otherwise appear to contain indicators of fraud, error, inefficiency and failure to comply with regulatory requirements. Transaction monitoring identifies suspect transactions, creates alerts and reports on the results of the testing processes. Transaction monitoring typically provides the ability to vary test parameters in order to minimize the incidence of false positives and to manage the exception remediation processes. The monitoring normally takes place on a regularly repeated and continuous basis, but seldom in real-time. GRC Capability Model Elements: P3, D3, I3, R3, M1
Referenced in: P3 , D3 , R3 , M1 , M3 , M4 , I3
TECH.I - Infrastructure
TECH.I.01 - Business Continuity Management (BCM) BCM systems model, record and direct the responsibilities, plans, actions and execution of operating procedures, alternatives, information back-ups, data recovery and restoration processes during expected and unexpected disruptions to all areas of operation. Maintained with standard operating procedures and emergency procedures, business continuity addresses the ability to identify and prevent operational risks and to avoid the conditions that lead to business disruptions. GRC Capability Model Elements: C2, A3, P1, P2, P3, D3, I3, R3, R4, R5, M3
Referenced in: C2 , A3 , P1 , P2 , P3 , D3 , R3 , R4 , R5 , M3 , I3
TECH.I.02 - Configuration and Change Management (CCM) Configuration and change management systems implement management processes according to parameters and procedures derived from baseline operational and system settings. Configuration and change management governs changes in the function, use, integration, security and performance settings in enterprise software according to the baselines established for specific information processes, users, systems, groups of systems, and applications. GRC Capability Model Elements: C2, O2, A3, P1, P2, P3, P5, D3, I3, R3, R5, M3
Referenced in: C2 , A3 , P1 , P2 , P3 , D3 , R3 , R5 , M3 , I1 , I3
TECH.I.03 - Disaster Recovery (DR) Disaster Recovery (DR) systems maintain and implement alternatives to standard operating procedures with emergency restoration procedures and the use of secondary or redundant systems during a crisis. General Disaster Recovery practices extend to physical systems protections, asset security, and employee safety procedures as part of Business Continuity Management. GRC Capability Model Elements: O3, A3, P2, P3, P5, D3, I2, I3, R1, R2, R3, R4, R5, M2, M3
Referenced in: A3 , P2 , P3 , D3 , R3 , R4 , R5 , M2 , M3 , I2 , I3
TECH.I.04 - Enterprise Architecture Standards (EAS) Enterprise Architecture describes the overall design and delivery model for all data components, applications, sub-systems and information processing modules, based on acknowledged frameworks. The enterprise software architecture is implemented by the related standards-based development infrastructure. The integrity and operating efficiency of systems and applications in an organization reflect the enterprise architecture’s level of synchronization with the organization's actual operating model. GRC Capability Model Elements: C2, O2, P2, P3, P5, D3, I1, I2, I3, M3
Referenced in: C2 , O2 , P2 , P3 , D3 , M1 , M3 , I1 , I2 , I3
TECH.I.05 - Identity and Access Management (IAM) IAM systems are used to employ defined processes that establish and verify unique user identity in order to assign or deny an individual permission to access specific data, content, and applications as a function or integrated component of Information security management. GRC Capability Model Elements: C1, C2, O2, O3, A1, P1, P2, P3, P5, D3, I3, R3, R4, M1
Referenced in: C1 , C2 , O2 , O3 , A1 , P1 , P2 , P3 , D3 , R3 , R4 , M1 , I3
TECH.I.06 - Information Technology Operations (ITO) Management IT Operations Management includes the tools and processes which allow technology managers to schedule maintenance, integration and development and to monitor the ongoing processes of software systems, applications and their respective interfaces. IT operations management is accomplished with the assistance of job scheduling systems, interface management systems, and IT systems monitoring tools. In addition, IT operations management involves the identification, resolution, and re-processing of incomplete and unsuccessful jobs and routines. GRC Capability Model Elements: C2, O3, P2, P3, I1, I3, M2, M3
Referenced in: O3 , P2 , P3 , R4 , M2 , M3 , I1 , I3
TECH.I.07 - Physical Security (PS) Physical security systems implement physical asset and individual protection, and the authorization of individual access to an organization’s facilities and property. Electronic door locks and keys, restricted offsite storage facilities, and contactless entry badges are all examples of physical security systems. GRC Capability Model Elements: O2, A1, P1, P2, P3, P7, D3, I3, R3, R4, M4
Referenced in: O2 , A1 , P1 , P3 , P6 , D3 , R3 , R4 , M4
TECH.I.08 - Retention & Storage Management (RSM) Retention and storage management includes hardware and software systems and associated processes that manage the rules and activities regarding the physical and virtual storage, organization, transfer, retrieval and disposal of structured and unstructured information according to information content age, contextual use, geographic origin, specific legal requirements and other criteria. Retention technologies are often integrated with or provide an information lifecycle management function for Records Management systems. GRC Capability Model Elements: C2, O2, A1, P1, P2, P3, P4, D3, I1, I3, R1, R2, M1
Referenced in: C2 , O2 , A1 , P1 , P2 , P3 , P4 , D3 , R1 , R2 , M1 , I1 , I3
TECH.I.09 - Systems Log Management (SLM) Systems logs record and manage large volumes of computer-generated messages, including system records, system audit trails, and event logs. Log Management covers log record collection, centralized log record aggregation, log file retention and log data analysis. GRC Capability Model Elements: A1, A2, D3, I3, R3, M1
Referenced in: A1 , A2 , D3 , R3 , M1 , M2 , M4 , I1 , I3
GRC CAPABILITY MODEL™ OPEN COMPLIANCE & ETHICS GROUP drive principled performance by providing standards, tools and resources that enhance corporate culture and integrate governance, risk management, compliance, internal control and ethics processes.
www.oceg.org “Principled Performance” and “Driving Principled Performance” are registered trademarks of OCEG.