
The Psychology of GRC. Matthew Chalmers, Marshfield Clinic, December 2013.

Presenter: Matthew Chalmers (CISM, CISA, CRMA, GSNA, GCFA, CCSK, CEH, CCISO, ACE…), Chief Auditor-Information Technology, Marshfield Clinic


Presentation Transcript


  1. The Psychology of GRC. Matthew Chalmers, Marshfield Clinic, December 2013

  2. Hello, My Name Is _______ • Matthew Chalmers • CISM, CISA, CRMA, GSNA, GCFA, CCSK, CEH, CCISO, ACE… • Chief Auditor-Information Technology • Marshfield Clinic • 501(c)3 charity incorporated in 1916 with over 50 locations, over 80 specialties, over 700 physicians, over 7000 employees, over 400,000 patients, over $1B annual gross receipts

  3. Agenda

  4. Level Set • This is not a primer • There will be a brief introduction

  5. Level Set • This is not a primer • There will be a brief introduction • This is not a how-to • I am not a vendor and have no product to ‘demo’

  6. Level Set • This is not a primer • There will be a brief introduction • This is not a how-to • I am not a vendor and have no product to ‘demo’ • I am not a psychologist • I don’t even play one on TV

  7. Level Set • This is not a primer • There will be a brief introduction • This is not a how-to • I am not a vendor and have no product to ‘demo’ • I am not a psychologist • I don’t even play one on TV • I was told there would be no math • Some people think my favorite function is tangent

  8. What GRC Is • The IIA says… • Governance, Risk, and Control

  9. What GRC Is • The IIA says… • Governance, Risk, and Control • Pretty much everyone else says… • Governance, Risk, and Compliance

  10. What GRC Is • Who came up with the term and when?

  11. What GRC Is • Who came up with the term and when? • PricewaterhouseCoopers (PwC)? • OCEG (formerly Open Compliance and Ethics Group)? • Some guy named Michael Rasmussen?

  12. What GRC Is • A definition • “The ability to reliably achieve objectives while addressing uncertainty and acting with integrity”

  13. What GRC Is • A definition • “The ability to reliably achieve objectives…” • Governance • “…while addressing uncertainty…” • Risk (management) • “…and acting with integrity” • Compliance

  14. What GRC Is • Is GRC really a thing? • Do companies do GRC?

  15. What GRC Is “Organizations have been doing GRC since the dawn of business. We did not need a three-letter acronym to all of a sudden do GRC. Every organization has some approach to the aspects of governance, risk management, and compliance: from the ad hoc and disorganized to the mature and aligned. GRC is part of business whether you call it GRC, something else like ERM, or you have no name for it at all. The question to consider is how mature is your organization’s GRC practices.” --Michael Rasmussen, GRC 20/20

  16. GOVERNANCE • Who • What • When • Where • Why • How • Bonus: To What Extent

  17. What Governance Is • The dictionary says… • “The way that a city, company, etc., is controlled by the people who run it” (Merriam-Webster) • “The way that organizations or countries are managed at the highest level, and the systems for doing this” (Cambridge)

  18. What Governance Is • The ITGI says… • “Governance includes the elements required to provide senior management assurance that its direction and intent are reflected in the…organization by utilizing a structured approach.”

  19. What Governance Is • Much less formally… • Governance is the process of governing processes

  20. What Governance Is • Is governance really a thing? • Do companies do governance?

  21. What Governance Is • Corporate governance is a lot like government: • The people elect representatives • Who direct appointed/hired managers • To implement processes compliant with policy set by representatives • Which themselves should reflect the “direction and intent” of the people

  22. What Governance Is • In public companies: • Shareholders elect board members • Who appoint/hire managers • To implement processes compliant with policy set by the board • Which should reflect the “direction and intent” of the shareholders

  23. What Governance Is • Your organization IS doing governance • It is not always apparent, or formalized • It is done slightly differently everywhere • It is not any more or less important due to the size of the organization • But it may be more or less complex

  24. How Governance Is Done • There are standardized frameworks and methodologies for general governance, however… • They are purposely high-level or vague • There is a lot of variation from organization to organization • Organizations and their needs change over time

  25. How Governance Is Done • Some example frameworks/methodologies: • COSO? Not really…

  26. How Governance Is Done • Some example frameworks/methodologies: • Principles of Corporate Governance • Organization for Economic Cooperation and Development (OECD) • Not to be confused with the Open Compliance and Ethics Group (OCEG)

  27. How Governance Is Done • Some example frameworks/methodologies: • Principles of Corporate Governance • Organization for Economic Cooperation and Development (OECD) • Not to be confused with the Open Compliance and Ethics Group (OCEG) • Key Agreed Principles • National Association of Corporate Directors (NACD)

  28. How Governance Is Done • Too philosophical? • Too nebulous?

  29. How Governance Is Done • Some example frameworks/methodologies: • For information technology: • COBIT 5 • ISACA

  30. How Governance Is Done • Some example frameworks/methodologies: • For information technology: • COBIT 5 • ISACA • For information security: • ISO 27014: Governance of Information Security • International Organization for Standardization

  31. How Governance Is Done • Some example frameworks/methodologies • For information technology: • COBIT 5 • ISACA • For information security: • ISO 27014: Governance of Information Security • International Organization for Standardization • Lower-level and more concrete but not general-purpose

  32. Back To What Governance Is • Governance is not technical • Governance is not internal control • Governance is not really even management

  33. Back To What Governance Is • Governance is not technical • Governance is not internal control • Governance is not really even management • This way of thinking can lead to over-control… inefficiency… even attrition

  34. How Governance Is Done • Organization of the organization is part of the organization’s governance • How did the organization of your organization get organized the way it is today?

  35. How Governance Is Done • Articles of incorporation • Bylaws • Charters • Resolutions • Policies

  36. How Governance Is Done • Owners • Partners • Shareholders • Board(s) • Officers • Executives • Managers • Committees

  37. Organizational Example • Does this look familiar? • (Org chart with boxes: Board of Directors, Audit Committee, CEO, CFO, CAE)

  38. Organizational Example • Does this look any better? • (Org chart with boxes: Board of Directors, Audit Committee, CEO, CFO, CAE)

  39. Organizational Example • Does this look any better? • (Org chart with boxes: Board of Directors, Audit Committee, CEO, CFO, CAE)

  40. Organizational Example • Does this look any better? • (Org chart with boxes: Board of Directors, Audit Committee, CEO, CFO, CAE)

  41. Organizational Example • Does this look familiar? • (Org chart with boxes: Board of Directors, CEO, CIO, CSO, InfoSec Mgmt Committee)

  42. Organizational Example • Does this look any better? • (Org chart with boxes: Board of Directors, CEO, CIO, CSO, InfoSec Mgmt Committee)

  43. Organizational Example • Does this look any better? • (Org chart with boxes: Board of Directors, Audit Committee, CEO, InfoSec Mgmt Committee, CIO, CSO)

  44. Organizational Example • Does this look any better? • (Org chart with boxes: Board of Directors, Audit Committee, CEO, InfoSec Mgmt Committee, CIO, CSO)

  45. Organizational Example • Does this look any better? • (Org chart with boxes: Board of Directors, Audit Committee, CEO, InfoSec Mgmt Committee, CIO, CSO)

  46. How Governance Is Done • The audit committee is typically in the bylaws • Where do other committees, councils, etc. get their authority? • Is the authority documented or implied? • Where do officers, managers, etc. get their authority?

  47. How Governance Is Done • Policies help doers know the extent of their authority • Policies help governors know the scope of doers’ responsibility

  48. How Governance Is Done • Policies help doers know the extent of their authority • Policies help governors know the scope of doers’ responsibility • Doers should not have to ask permission to do something that fits under policy • Governors should not feel compelled to approve something that fits under policy

  49. How Governance Is Done • Depending on company culture… • A doer might be given the “creative latitude” to implement using his/her judgement • A doer might struggle to implement using his/her judgement because there is no policy giving the authority, and “governing bodies” or senior managers may disapprove, be slow to approve, require consensus, etc. • This may apply both to implementing processes and to establishing policy, depending on who the doer is

  50. How Governance Is Done • What is one to do then? It depends… • Organizations are run by people; people are subject to perception and influence
