Presentation Transcript
Slide Heading

The Psychology of GRC

Matthew Chalmers

Marshfield Clinic

December 2013

Hello, My Name Is _______
  • Matthew Chalmers
    • CISM, CISA, CRMA, GSNA, GCFA, CCSK, CEH, CCISO, ACE…
    • Chief Auditor-Information Technology
  • Marshfield Clinic
    • 501(c)3 charity incorporated in 1916 with over 50 locations, over 80 specialties, over 700 physicians, over 7000 employees, over 400,000 patients, over $1B annual gross receipts
Agenda

Level Set
  • This is not a primer
    • There will be a brief introduction
  • This is not a how-to
    • I am not a vendor and have no product to ‘demo’
  • I am not a psychologist
    • I don’t even play one on TV
  • I was told there would be no math
    • Some people think my favorite function is tangent
What GRC Is
  • The IIA says…
    • Governance, Risk, and Control
  • Pretty much everyone else says…
    • Governance, Risk, and Compliance
What GRC Is
  • Who came up with the term and when?
    • PricewaterhouseCoopers (PwC)?
    • OCEG (formerly Open Compliance and Ethics Group)?
    • Some guy named Michael Rasmussen?
What GRC Is
  • A definition
    • “The ability to reliably achieve objectives while addressing uncertainty and acting with integrity”
What GRC Is
  • A definition
    • “The ability to reliably achieve objectives…”
      • Governance
    • “…while addressing uncertainty…”
      • Risk (management)
    • “…and acting with integrity”
      • Compliance
What GRC Is
  • Is GRC really a thing?
  • Do companies do GRC?
What GRC Is

“Organizations have been doing GRC since the dawn of business. We did not need a three-letter acronym to all of a sudden do GRC. Every organization has some approach to the aspects of governance, risk management, and compliance: from the ad hoc and disorganized to the mature and aligned. GRC is part of business whether you call it GRC, something else like ERM, or you have no name for it at all. The question to consider is how mature is your organization’s GRC practices.”

--Michael Rasmussen, GRC 20/20

GOVERNANCE
  • Who
  • What
  • When
  • Where
  • Why
  • How
  • Bonus: To What Extent
What Governance Is
  • The dictionary says…
    • “The way that a city, company, etc., is controlled by the people who run it” (Merriam-Webster)
    • “The way that organizations or countries are managed at the highest level, and the systems for doing this” (Cambridge)
What Governance Is
  • The ITGI says…
    • “Governance includes the elements required to provide senior management assurance that its direction and intent are reflected in the…organization by utilizing a structured approach.”
What Governance Is
  • Much less formally…
    • Governance is the process of governing processes
What Governance Is
  • Is governance really a thing?
  • Do companies do governance?
What Governance Is
  • Corporate governance is a lot like government:
    • The people elect representatives
      • Who direct appointed/hired managers
        • To implement processes compliant with policy set by representatives
          • Which themselves should reflect the “direction and intent” of the people
What Governance Is
  • In public companies:
    • Shareholders elect board members
      • Who appoint/hire managers
        • To implement processes compliant with policy set by the board
          • Which should reflect the “direction and intent” of the shareholders
What Governance Is
  • Your organization IS doing governance
    • It is not always apparent, or formalized
  • It is done slightly differently everywhere
  • It is not any more or less important due to the size of the organization
    • But it may be more or less complex
How Governance Is Done
  • There are standardized frameworks and methodologies for general governance, however…
    • They are purposely high-level or vague
      • There is a lot of variation from organization to organization
      • Organizations and their needs change over time
How Governance Is Done
  • Some example frameworks/methodologies:
    • COSO? Not really…
How Governance Is Done
  • Some example frameworks/methodologies:
    • Principles of Corporate Governance
      • Organization for Economic Cooperation and Development (OECD)
        • Not to be confused with the Open Compliance and Ethics Group (OCEG)
    • Key Agreed Principles
      • National Association of Corporate Directors (NACD)
How Governance Is Done
  • Too philosophical?
  • Too nebulous?
How Governance Is Done
  • Some example frameworks/methodologies
    • For information technology:
      • COBIT 5
        • ISACA
    • For information security:
      • ISO 27014: Governance of Information Security
        • International Organization for Standardization
  • Lower-level and more concrete but not general-purpose
Back To What Governance Is
  • Governance is not technical
  • Governance is not internal control
  • Governance is not really even management
  • This way of thinking can lead to over-control… inefficiency… even attrition
How Governance Is Done
  • Organization of the organization is part of the organization’s governance
  • How did the organization of your organization get organized the way it is today?
How Governance Is Done
  • Articles of incorporation
  • Bylaws
  • Charters
  • Resolutions
  • Policies
How Governance Is Done
  • Owners
    • Partners
    • Shareholders
  • Board(s)
  • Officers
  • Executives
  • Managers
  • Committees
Organizational Example

Does this look familiar?

Board of Directors

Audit Committee

CEO

CFO

CAE

Organizational Example

Does this look any better?

Board of Directors

Audit Committee

CEO

CFO

CAE

Organizational Example

Does this look familiar?

Board of Directors

CEO

CIO

CSO

InfoSec Mgmt Committee

Organizational Example

Does this look any better?

Board of Directors

CEO

CIO

CSO

InfoSec Mgmt Committee

Organizational Example

Does this look any better?

Board of Directors

Audit Committee

CEO

InfoSec Mgmt Committee

CIO

CSO

How Governance Is Done
  • The audit committee is typically in the bylaws
  • Where do other committees, councils, etc. get their authority?
    • Is the authority documented or implied?
    • Where do officers, managers, etc. get their authority?
How Governance Is Done
  • Policies help doers know the extent of their authority
  • Policies help governors know the scope of doers’ responsibility
  • Doers should not have to ask permission to do something that fits under policy
  • Governors should not feel compelled to approve something that fits under policy
How Governance Is Done
  • Depending on company culture…
    • A doer might be given the “creative latitude” to implement using his/her judgement
    • A doer might struggle to implement using his/her judgement because there is no policy giving the authority, and “governing bodies” or senior managers may disapprove, be slow to approve, require consensus, etc.
  • May go for both implementing processes and establishing policy, depending on who the doer is
How Governance Is Done
  • What is one to do then? It depends…
    • Organizations are run by people; people are subject to perception and influence
    • Know yourself, find ways to play to your strengths
    • Know others, find ways to play to their strengths
      • Manage up
    • Know the organization, find ways to play to its strengths
      • If you can’t beat ’em, join ’em
How Governance Is Done
  • Does this sound like playing politics?
  • Does this sound like social engineering?
  • Does this sound like The Art of War?
    • “Know yourself and know your enemy…”
How Governance Is Done
  • The principles are the same whether your perspective is from the bottom or the top
    • Those at the top:
      • Are influential by virtue of their position even if not intrinsically
      • Are concerned with creative rule-benders
      • Ask “why”
    • Those at the bottom:
      • Must find a way to be intrinsically influential, despite position
      • Are concerned about status quo
      • Ask “why not”
How Governance Is Done
  • Those who “do” G, R, C, or some combination are often in the middle
    • It is rare for governance to be someone’s responsibility
      • E.g., Vice President of Governance, Chief Governance Officer
    • Governance is more conceptual than operational
      • The framework typically pre-dates every employee and changes very little, over very long periods
    • There are pockets of specialized governance
      • Project governance
      • IT governance
How Governance Is Done
  • It is more common for someone to be assigned the responsibility of maintaining policies
    • Unfortunately not always a prestigious job
    • Can be done without any specialized tools, however, with the right tool(s) it can be almost completely automated
      • All your policy are belong to us
RISK
  • Who
  • What
  • When
  • Where
  • Why
  • How
  • Bonus: To What Extent
What Risk Management Is
  • The dictionary says:
    • “The activity of calculating and reducing risk, so that an organization does not fail or lose money” (Cambridge)
    • “The forecasting and evaluation of financial risks together with the identification of procedures to avoid or minimize their impact” (Oxford)
What Risk Management Is
  • The RIMS says:
    • “A management discipline, the goal of which is to protect the assets and profits of an organization by reducing the potential for loss before it occurs, and financing, through insurance and other means, potential exposures to catastrophic loss.”
What Risk Management Is
  • The RIMS says:
    • “The process consists of logical steps: risk or exposure identification; measurement and evaluation of exposures identified; control of those exposures through elimination and/or reduction; and financing the remaining exposures so that the organization, in the event of a major loss, can continue to function without severe hardship to its financial stability.”
What Risk Management Is
  • Is risk management really a thing?
  • Do companies do risk management?
What Risk Management Is
  • Your organization IS doing risk management
    • It is not always apparent, or formalized
  • It is done slightly differently everywhere
  • It is not any more or less important due to the size of the organization
    • But it may be more or less complex
How Risk Mgmt Is Done
  • There are standardized frameworks and methodologies for risk management, however…
    • They are purposely high-level or vague
      • There is a lot of variation from organization to organization
      • Organizations and their needs change over time
    • OR… They are highly specialized
      • E.g. for insurance or investment
How Risk Mgmt Is Done
  • Some example frameworks/methodologies:
    • COSO? Yes!
How Risk Mgmt Is Done
  • Some example frameworks/methodologies:
    • Enterprise Risk Management – Integrated Framework
      • Committee Of Sponsoring Organizations (COSO)
    • ISO 31000: Risk Management Principles & Guidelines
      • International Organization for Standardization
How Risk Mgmt Is Done
  • Too philosophical?
  • Too nebulous?
How Risk Mgmt Is Done
  • Some example frameworks/methodologies:
    • For information technology:
      • COBIT 5
        • ISACA
    • For information security:
      • SP 800-39: Managing Information Security Risk
        • National Institute of Standards and Technology
Back To What Risk Mgmt Is
  • Risk management is not technical
  • Risk management is not internal control
  • Risk management is not really even management
  • Wait…what?
  • Okay, it is really management
    • But do not confuse risk analysis/assessment with risk management
Back To What Risk Mgmt Is
  • Some other confusing terms and processes:
    • Threat analysis/assessment/modeling
    • Business impact analysis (BIA)
    • Business continuity planning (BCP)
    • Disaster recovery planning (DRP)
How Risk Mgmt Is Done
  • While (E)RM is arguably more concrete and focused than GRC, not all companies do it
    • Even some companies with a CRO are only focused on managing liability and insurance
    • Risk management is more often stove piped
      • IT risk, M&A risk, investment risk…
      • Even within stove pipes it’s not always holistic
        • E.g. IT risk doesn’t always consider opportunity risk, or weigh risk vs. reward
How Risk Mgmt Is Done
  • It is not black and white, or an exact science
    • Risk management is done by people; people are subject to perception and influence
  • To reiterate:
    • Know yourself, find ways to play to your strengths
    • Know others, find ways to play to their strengths
      • Manage up
    • Know the organization, find ways to play to its strengths
      • If you can’t beat ’em, join ’em
How Risk Mgmt Is Done
  • The principles are the same whether your perspective is from the bottom or the top
    • Those at the top:
      • Are influential by virtue of their position even if not intrinsically
      • Are concerned with creative rule-benders
      • Ask “why”
    • Those at the bottom:
      • Must find a way to be intrinsically influential, despite position
      • Are concerned about status quo
      • Ask “why not”
COMPLIANCE
  • Who
  • What
  • When
  • Where
  • Why
  • How
  • Bonus: To What Extent
What Compliance Is
  • The dictionary says:
    • “Obeying an order, rule, or request; obeying a particular law or rule, or…acting according to an agreement” (Cambridge)
    • “Conformity in fulfilling official requirements” (Merriam-Webster)
    • “Excessive acquiescence” (Oxford)
What Compliance Is
  • The professional association says:
    • <crickets>
What Compliance Is
  • Is compliance really a thing?
  • Do companies do compliance?
What Compliance Is
  • Your organization IS doing compliance
    • It is not always apparent, or formalized
  • It is done slightly differently everywhere
  • It is not any more or less important due to the size of the organization
    • But it may be more or less complex
How Compliance Is Done
  • Are there standardized frameworks and methodologies for compliance?
Back To What Compliance Is
  • It may or may not be technical
  • It may or may not be internal control
  • It may or may not be management
How Compliance Is Done
  • Often stove piped
    • Legal compliance, contract compliance, regulatory compliance, financial compliance, industry compliance…
How Compliance Is Done
  • It may seem black and white, but much is still subject to interpretation
  • Compliance is (or can be seen as) part of risk management
  • It can be just as expensive to comply as not to comply
Conclusion
  • “A person is smart. People are dumb, panicky, dangerous animals…” (Men In Black, 1997)
  • “It’s wind, man. It blows all over the place.” (The Weather Man, 2005)
  • “All I want is compliance with my wishes, after reasonable discussion.” (Winston Churchill)