Terminology
QUICK REVIEW
What is GRC?
Governance: Processes, systems and controls by which organizations defend the interests of the stakeholders. E.g. IFRS, COSO, OECD, Clause 49.
Risk: Possibility of loss or injury created by an external entity or by a person. Related terms: credit risk, market risk.
Compliance: Concept of acting in accordance with established laws, regulations, protocols, standards and specifications. E.g. SOX, HIPAA, FCPA.
Maclear LLC, 2012
GRC Components
GRC Reporting & Analytics: Dashboards; Reporting; Alerts
Risk management: Set of processes through which management identifies, analyzes, and responds appropriately to risks that might adversely affect realization of the organization's business objectives.
Compliance: Conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.
GRC Eco-System
GRC is the integration of: Governance; Risk Management; Compliance Management; Ethics Management; Performance Management; Internal Controls; Information Assurance.
Risk Management
Corporate Governance
Risk Management
Definitions and Terms; Purpose of Risk Management; Managing the Upside and Downside of Business; RM Framework; Measuring Risk; Risk Assessment Approach; Risk Calculations; Risk Reporting
Risk (v): To put something in a state where it may encounter undesirable effects on achieving objectives due to uncertainty.
"Risk is like a fire: If controlled it will help you; if uncontrolled it will rise up and destroy you." (Theodore Roosevelt)
"The purpose of risk management is to change the future, not to explain the past." (The Book of Risk, Dan Borge)
Goal: To assist the business in realizing opportunities through a broader understanding of the risks they face.
Expanding Regulation; Stiffer Sanctions; Better Product Offerings; Criminal Indictments
Organizational
Functional
Data
External & Environmental
Risk Calculations
Inherent Risk = Inherent Likelihood x Inherent Impact
Residual Risk = Residual Likelihood x Residual Impact
Inherent Risk = Threat Likelihood x Magnitude of Impact
Impact Criteria
Ratings, highest to lowest: Critical, High, Moderate, Low, Minimal.
Description of Impact (reputational impact on stakeholders, i.e., customers, shareholders, and employees):
Critical: Permanent loss of stakeholder confidence resulting in legal action, interruption in Enterprise operations globally, and/or defection to competition.
Moderate: Significant fines or limitations on conducting business in certain product lines, markets, or geographies.
Minimal: Minimal impact.
Operating Income: Critical >11% / >$2.5B; High >4.4% / >$1.0B; Low >1.10% / >$250M.
Market capitalization / EPS, in descending severity: Substantial reduction in market capitalization, substantial draw on liquidity reserve (EPS > $0.10); Limited reduction in market capitalization, limited draw on operating cash flow (EPS $0.05); Missed forecast(s) and/or budget(s), limited draw on operating cash flow (EPS $0.025); (EPS $0.01).
Duration, in descending severity: Recoverable in the Long Term (i.e., 24-36 months); Recoverable in the Short Term (i.e., 12-24 months); Temporary (i.e., less than 12 months).
Scope, in descending severity: 2 or more divisions (significant, ongoing interruptions to business operations within 2 or more divisions); 1 or more division(s) (moderate impact within 1 or more division(s)); 1 division (limited impact within 1 division).
Likelihood Criteria
Rating | Consideration | Probability | Frequency
Expected | The risk event or circumstance is relatively certain to occur, or has occurred within the past year | 90-100% | Almost Yearly
Highly Likely | The risk event or circumstance is highly likely to occur | 70-90% | Every 2 to 3 Years
Likely | The risk event or circumstance is more likely to occur than not | 50-70% | Every 4 to 6 Years
Not Likely | The risk event or circumstance occurring is possible | 10-50% | Every 7 to 9 Years
Slight | The risk event or circumstance is only remotely probable | < 10% |
Management/Control Level Criteria
Rating | Description
Very High, High | Effective
Moderate | Key controls and/or Management Activities in place, with moderate opportunities for improvement identified. There are no outstanding High risk audit issues. There may be some significant deficiencies as defined by SOX or the external auditors.
Low | Limited controls and/or Management Activities in place, high level of risk remains, significant opportunity for improvement identified. There are outstanding High and/or Medium risk audit issues or significant deficiencies as defined by SOX or the external auditors.
Very Low | Controls and/or Management Activities are non-existent or have major deficiencies and don't operate as intended, critical opportunity for improvement identified. There are outstanding High risk audit issues or material weakness(es) as defined by SOX or the external auditors.
NOTE: When evaluating the Management/Control Level for a particular risk event or circumstance, make the evaluation based on the existing management activities and/or controls that exist both within defined business processes as well as at the entity level. The table provides guidance for choosing a score of 1 through 5.
High risk (high impact, high likelihood): Seek risk responses: avoid, transfer/share, mitigate/reduce, accept; Remediate items causing the risk; Investigate the risk further to gain better insight on how to respond.
Medium risk (low/medium impact, high likelihood): Seek ways to reduce the likelihood of the risk occurring; Investigate further to confirm that impact is not higher than believed; Assess processes and controls to ensure risk will not worsen.
Risks falling at or near the risk tolerance level: Accept the risk, since it is at/near tolerance level; Seek ways to reduce the likelihood or impact of the risk; Assess processes/controls to ensure risk will not worsen.
Low risk (low impact, low likelihood): Monitor the risk periodically to confirm it has not increased.
[Heat map: Severity of Impact (Mild, Moderate, Serious, Severe) against Likelihood of Occurrence (Remote, Unlikely, Possible, Likely, Almost Certain); risks numbered 1-10 are plotted, with "Y! Data Management" labelled.]
Risk Responses
Avoid: Choosing not to participate in the activity that is associated with or causing the risk.
Transfer/share: Engaging another party to accept all or part of the risk. This can be through insurance, outsourcing risky tasks or entering into business arrangements/agreements whereby risk is shared across parties or reassigned to the other party.
Mitigate/reduce: Decrease the level of risk by either reducing the probability that the risk might occur, or by taking measures that will cause the impact to be lessened should the risk occur.
Accept: Acknowledge the risk and choose to do nothing, thereby accepting any potential impacts and consequences.
Risk assessment frameworks and tools: OCTAVE; COSO ERM; FRAP; Risk Watch
Operations
Product Development: Product Strategy; Software Development; Product Development Partners; Product Quality/Integrity; Product Security; Product Release; 3rd Party Subsystems or Functionality Integration
Sales & Marketing: Research and Development; Marketing; Advertising; Product Pricing; Sales and Marketing - Partner Management; Sales Contracting/Customer Pricing; Order Management; Public Relations
Services: Consulting Services; Customer Support; Service Partners; Customer Operations
People: Culture; Recruiting & Retention; Global Resourcing; Development and Performance; Succession Planning; Compensation & Benefits; Labor Relations; Employee Communications; Organizational Structure
Information Technology: Infrastructure Resiliency and Availability; Data Privacy; Data Management, Integrity and Quality; Infrastructure Security; Information System Access; IT Governance
Business Continuity: Natural Events; Information Technology Recovery; Business Process Recovery; Crisis Management
Legal/Compliance
Corporate Governance: Board Performance
Financial/Reporting
Planning & Resource Allocation: Operational and Business Planning; Budgeting and Forecasting; Capital Expenditure Planning; Outsourcing
Treasury: Cash Management; Hedging; Investing; Insuring; Funding; Credit and Collections; Securities Lending
Financial Reporting: GAAP Accounting; External Reporting & Disclosure; Internal Control/SOX 404/302; Statutory Reporting; Internal Reporting; Information & Reporting Integrity
Tax: Tax Strategy and Planning; Tax Optimization; Transfer Pricing; Property Taxes; Tax Compliance
Investor Relations: Communications
Mergers, Acquisitions & Divestitures: Accounting for Mergers, Acquisitions & Divestitures
Internal Audit
Supply Chain: Manufacturing Planning and Forecasting/Product Availability; Vendors/Partners/Contract Execution; Man Made Events; Procurement; Production; Inventory & Capacity Management; Distribution Channels; Product Licensing/Subscriptions; Product Compliance; Software Piracy
Corporate Physical Security: Buildings and Facilities; Threats of Violence; Incidents of Theft; Life Safety
Risk Exposure (Impact x Likelihood) vs. level of control
Monitor: Areas of high risk exposure where controls are deemed adequate should be monitored to provide ongoing assurance of control effectiveness.
Improve: Areas of high risk exposure with a lower level of control.
Accept: Areas of low risk exposure that also have a lower level of control may be consciously accepted by the organization.
Optimize: Areas of low risk exposure with a high level of control may generate opportunities to optimize the management and control activities.
Axes: Risk Exposure, Low to High; level of control, Low to High.
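As an added example (not Maclear LLC's material), the following Python scores a risk-register entry with the page's Risk = Likelihood x Impact formula, maps the inherent score to the response guidance (high / medium / at-or-near tolerance / low) and maps the residual score and control level to the Monitor / Improve / Accept / Optimize matrix above. The 5..1 scores for the rating scales, the band thresholds (HIGH_RISK, TOLERANCE, HIGH_RATING, LOW_RATING, ADEQUATE) and the sample register entries are assumptions, not values from the page.

```python
from dataclasses import dataclass

# Rating scales from the page's tables; the 5..1 scores are assumed ("1 through 5").
LIKELIHOOD = {"Expected": 5, "Highly Likely": 4, "Likely": 3, "Not Likely": 2, "Slight": 1}
IMPACT = {"Critical": 5, "High": 4, "Moderate": 3, "Low": 2, "Minimal": 1}
CONTROL = {"Very High": 5, "High": 4, "Moderate": 3, "Low": 2, "Very Low": 1}

HIGH_RISK = 12    # assumed: Likelihood x Impact at or above this is "high risk"
TOLERANCE = 6     # assumed: Likelihood x Impact at or below this is within tolerance
HIGH_RATING = 4   # assumed: a rating score of 4 or 5 counts as "high"
LOW_RATING = 2    # assumed: a rating score of 1 or 2 counts as "low"
ADEQUATE = 3      # assumed: control level Moderate or better counts as "adequate"

@dataclass
class RiskItem:
    name: str
    inherent: tuple        # (likelihood rating, impact rating) before controls
    residual: tuple        # (likelihood rating, impact rating) after controls
    control_level: str     # Management/Control Level rating

def score(likelihood: str, impact: str) -> int:
    """Risk = Likelihood x Impact, the page's Inherent and Residual Risk formula."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def response(likelihood: str, impact: str) -> str:
    """Page's response guidance, chosen from the (likelihood, impact) pair."""
    lk, im = LIKELIHOOD[likelihood], IMPACT[impact]
    if lk * im >= HIGH_RISK:
        return "High risk: avoid, transfer/share, mitigate/reduce or accept; remediate; investigate"
    if lk >= HIGH_RATING:
        return "Medium risk: reduce likelihood; confirm impact is not higher; assess controls"
    if lk <= LOW_RATING and im <= LOW_RATING:
        return "Low risk: monitor periodically to confirm it has not increased"
    return "At/near tolerance: accept; seek ways to reduce likelihood or impact; assess controls"

def exposure_action(item: RiskItem) -> str:
    """Page's Risk Exposure (Impact x Likelihood) vs. level-of-control matrix."""
    high_exposure = score(*item.residual) > TOLERANCE
    adequate = CONTROL[item.control_level] >= ADEQUATE
    if high_exposure:
        return "Monitor" if adequate else "Improve"
    return "Optimize" if adequate else "Accept"

# Constructed register entries, named after risk-universe items on the page.
REGISTER = [
    RiskItem("Data Privacy", ("Likely", "Critical"), ("Not Likely", "High"), "High"),
    RiskItem("Software Piracy", ("Highly Likely", "Low"), ("Likely", "Low"), "Low"),
    RiskItem("Property Taxes", ("Not Likely", "Low"), ("Slight", "Low"), "Very High"),
]
```

Running `response(*r.inherent)` and `exposure_action(r)` over REGISTER gives a one-line register entry per risk; changing a residual rating or the control level shows how an item moves between the four matrix cells.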
Policy Management
Regulations and Corporate Policies; Policies, Standards and Guidelines; Policy Management Lifecycle; Policy Compliance
Policy Compliance (within the Corporate Boundary: Policy; Policy Deployment; Compliance Management)
Promote: Communicate the business value of compliance; Communicate how we help achieve compliance value
Enable: Deliver and support the processes and tools that enable compliance; Prepare and support the people who are accountable for compliance
Monitor: Monitor compliance processes and tools; Measure the effectiveness of compliance, including processes and tools
Report: Report on the enterprise health of compliance; Provide business group reporting to management
Policy Management Recap
Regulations and Corporate Policies; Policies, Standards and Guidelines; Policy Management Lifecycle; Policy Compliance
Compliance
Complying with Internal and External Factors; Stakeholder challenges and expectations; Emerging compliance issues; Compliance Risk Universe; Corporate Compliance Framework
Bigger Fines and Settlements; Stiffer Sanctions; Criminal Indictments; Catastrophic Reputational Consequences (Personal and Corporate)
CEO Viewpoint: Legal risk is the highest rated area in which CEOs won't tolerate risk. (Risk areas rated: Legal, Financial, Operating, Strategic.)
Defining compliance?
Identifying their more significant compliance risks and emerging (frontier) issues?
Aligning and coordinating compliance and risk management activities?
Embedding compliance into the business?
Leveraging their compliance investments to provide benefit within their business units?
Defining a successful compliance function and assigning ownership for its success?
Controls Framework
Compliance Process: Identify and integrate regulatory requirements and customer requirements into rationalized requirements.
Compliance Recap
Complying with Internal and External Factors; Stakeholder challenges and expectations; Emerging compliance issues; Compliance Risk Universe; Corporate Compliance Framework
Governance
Corporate governance: Set of processes, customs, policies, laws, and institutions affecting the way a corporation is directed, administered or controlled.
Information Technology Governance: Subset of corporate governance focused on IT system performance and risk management.