Presented by:
Collaborative Accountability in GRC: Creating Harmony Across Business Roles
Slide 1 © 2012 Corporate Integrity, LLC www.Corp-Integrity.com
Michael Rasmussen, J.D., CCEP, OCEG Fellow Risk & Compliance Lecturer, Author, & Advisor
Managing Information Security Risk in Distributed and Dynamic Business
Slide 2
Does your organization have integrity?
Slide 3
Are you focused only on what you see?
“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”
– E.J. Smith, Captain of the Titanic
[Figure: Risk Awareness vs. Risk Ignorance]
Slide 4
Risky Nature of Business
• You cannot outsource liability
– You “stand in the shoes” of your business relationships
– Their problems are your problems; their problems directly impact your brand and reputation
• Increasing regulatory focus
– Can you attest to an “in-compliance” status?
• Many companies focus on the on-boarding process…
– Most risk is incurred over the life of the relationship
– Who owns on-going third party risk?
– How is third party risk assessed and reported to the board?
The issues organizations face in managing risk and compliance across extended business relationships include:
• Information Security
• Privacy
• Anti-corruption
• Code of conduct and ethics
• Corporate social responsibility
• Environmental
• Geo-political
• Health and safety
• Import and export
• Labor standards
• Operational risk
• Quality
• Regulatory compliance
• Physical Security
• Supply-chain risks
Slide 5
The current state of 3rd party risk management is like “Dante’s Inferno”
Risk is only considered during the on-boarding process
• Risks in extended business relationships are usually only analyzed during the on-boarding process to validate that the organization is doing business with the right companies. This common approach fails to recognize that risk is incurred over the life of the business relationship. Once a relationship is established, organizations often neglect risks that build over time.
Partner performance evaluations neglect risk
• Metrics and measurements for ongoing business relationships often fail to fully analyze and monitor risk in extended business relationships. Often, metrics are focused on vendor delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.
Slide 6
We need our oversight and accountability for 3rd party risk to be collaborative
©2012 OCEG, Permission by OCEG is required for reproduction and/or use of material www.OCEG.org -- Derived from the OCEG GRC Illustrated Series
IS YOUR PROGRAM CONSISTENT? Establish standardized processes that apply to all areas of the business everywhere in the world. Incorporate standardized forms and templates to drive consistency.
IS YOUR PROGRAM RESPONSIVE? Support transparent and sound decision-making with strong management oversight and robust reporting.
IS YOUR PROGRAM INDEPENDENT? Minimize potential conflicts of interest and ensure decisions are objective.
IS YOUR PROGRAM REASONABLE? Don’t interfere with operations or be a burden on the business.
REINFORCE BRAND AND CORPORATE REPUTATION
• Enhance Brand Credibility
• Solidify Shareholder Trust
• Respect in the Marketplace
FULFILL LEGAL OBLIGATIONS AND GUIDANCE
• U.S. Foreign Corrupt Practices Act, U.K. Bribery Act
• U.S. Dodd-Frank and Patriot Acts
• Public Procurement Laws and Regulations
• Guidance from OECD, World Bank, and Non-Governmental Organizations
• Standards
• Contractual Obligations
ASSURE THE BOTTOM LINE
• Protect Corporate Assets and Operations
• Enable Public Procurement Lines of Business
• Enable Operation in Corruption-Prone Countries
• Prevent Revenue Loss From Non-Compliance
• Avoid or Reduce Fines and Penalties
Slide 7
High performing business requires agile 3rd party risk processes
[Figure: OCEG business model diagram]
BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives
OPPORTUNITIES: surround the business model
MANDATORY BOUNDARY: boundary established by external forces including laws, government regulation and other mandates.
VOLUNTARY BOUNDARY: boundary defined by management including organizational values, contractual obligations, voluntary policies and other promises.
OBJECTIVES: strategic, operational, customer, process, compliance objectives
Reliable achievement of objectives while addressing uncertainty and acting with integrity
Slide 8
Who is a 3rd party and how is your program built?
Slide 9
1 - Establish 3rd party governance and oversight
[Figure: Establish program ownership and oversight. Program owners include Compliance and Legal, Finance, Business Operations, Audit, Risk, and others.]
©2012 OCEG, Permission by OCEG is required for reproduction and/or use of material www.OCEG.org -- Derived from the OCEG GRC Illustrated Series
Slide 10
2 - Scope your 3rd party risk program
Slide 11
3 – Understand your 3rd party risks
Factors:
• Nature and location of business activities
• 3rd Party relationships
• Methods for generating business
• Applicable laws
Evaluate and rank:
• Risk appetite
• Internal changes
• External changes
©2012 OCEG, Permission by OCEG is required for reproduction and/or use of material www.OCEG.org -- Derived from the OCEG GRC Illustrated Series
[Figure: Risk identification, linking objectives to corruption risks]
Slide 12
4 - Build & operate 3rd party controls to mitigate risk
Establish:
• Preventive
• Detective
• Corrective
Across the business:
• Process
• Technology
• Human capital
• Physical
Slide 13
5 - Perform Due Diligence
Due diligence includes analyzing whether established policies and controls are followed.
Third party categories:
• Professional services
• Regulatory facilitators
• Supply and sales chain
Slide 14
6 - Collect and analyze 3rd party data
Slide 15
7 - Implement screening procedures
Slide 16
8 - Train and educate
Provide training:
• Across the business and its relationships
• Role-specific programs for high-risk roles
• Develop/acquire content
• Understand cultural needs
• Track attendance and certification
Slide 17
9 - Monitor and review 3rd party relationships
Slide 18
10 – Monitor and Evaluate
©2012 OCEG, Permission by OCEG is required for reproduction and/or use of material www.OCEG.org -- Derived from the OCEG GRC Illustrated Series
Track and assess policies and controls for effectiveness and performance in various ways:
• SCREEN: monitor internal and external information and compare vendor, partner and customer records against trusted data sources for red flags that indicate issues
• AUDIT: provide regular internal audit oversight and inspection of the anti-corruption program; test and assess controls to determine if additional or modified action is necessary
• INVESTIGATE: obtain and assess information about observed or suspected misconduct, using appropriately qualified teams, and considering privilege issues
• IDENTIFY: establish hotline and other open channels for reporting and resolution of questions and issues
• ANALYZE: evaluate data to locate concerns and potential problems by applying analytic techniques, tools and reporting capabilities
[Figure: Auditing/testing, analytics, screening, investigations, and hotline data feed the monitoring cycle]
Slide 19
11 – Review, Realign, and Report
Take action:
• Disciplinary on incidents
• Continual evaluation
• Alignment to changing business
• Keep board and management informed
• External review and certification
• Strengthen program
©2012 OCEG, Permission by OCEG is required for reproduction and/or use of material www.OCEG.org -- Derived from the OCEG GRC Illustrated Series
Slide 20
3rd party risk management needs to be efficient, effective, and agile
[Figure: ROI of a 3rd party risk program]
UNIVERSAL PROGRAM OUTCOMES
• Enhance Organizational Culture
• Increase Stakeholder Confidence
• Prepare & Protect the Organization
• Achieve Business Objectives
• Prevent, Detect & Reduce Adversity
• Motivate & Inspire Desired Conduct
• Improve Responsiveness & Efficiency
• Optimize Economic & Social Value
RESPONSIVE (agile), EFFICIENT (lean), EFFECTIVE (sound)
Effective, responsive and efficient processes will deliver measurable program outcomes for the organization
Slide 21
Questions? Michael Rasmussen, J.D., CCEP, OCEG Fellow
mkras@Corp-Integrity.com +1.888.365.4560
Some of the content we have evaluated is OCEG content that I have an established agreement to use. Please do not copy these slides without permission, and I highly recommend you consider OCEG membership at www.OCEG.org.
Corporate Integrity Newsletter
LinkedIn: Corporate Integrity Group
Blog: GRC Pundit
Twitter: GRCPundit
Events: Corporate Integrity
LinkedIn: Michael Rasmussen
THANK YOU!