Defining GRC
GRC is a set of functions that oversees and manages risk and compliance across the organization so that it reliably meets company objectives. It is not just about tools and technology.

Implementing a comprehensive and innovative governance, risk, and compliance (GRC) program enables organizations to address the multiple factors that are essential in managing and controlling enterprise risk. These factors include:
- Regulatory changes
- Process standardization
- Cost reduction

Value to clients:
- Resolution of immediate and long-term risk exposure
- Improved risk alignment and event response time
- An agile and scalable control environment
- Cost reduction in internal and external risk activities, including monitoring and remediation
- Reduction in disruption to the business
- Improved business performance and innovation via value-based risk management
By adopting an effective GRC strategy, executives and risk leaders are able to challenge the way they think about, respond to, and manage risk. EY helps you understand the risks related to your business strategy and how best to respond to them. Our tailored approach to GRC integrates risk and performance management in order to create a competitive advantage in risk insight and performance improvement.

EY GRC Framework: EY's GRC framework takes into account the client's risk strategy, based on business objectives, risk tolerance and treatment, investments and operating model, to determine the overarching risk landscape and strategic enablers (i.e., people, process and technology). This holistic approach creates a structure to readily respond to new risk, compliance and regulatory needs. The framework covers three domains:
- Governance: control functions*, policy management, governing bodies
- Risk: risk analysis, risk assessments, risk register, loss and incident database
- Compliance: requirement management, control testing, findings and exceptions, evidence management
Governance, risk and compliance domains (domain, component, subcomponent):

Strategic alignment and risk management
- Governance and strategy: program governance and organization; business drivers and regulatory requirements; organization; policies and standards
- Enterprise risk management

Risk and controls establishment and management
- Process, risk and control definition and adoption: organization; policies and standards

Management of risks and controls
- Risk assessments
- Compliance testing
- Aggregation of observations and findings
- Findings management, including risk response and prioritization
- Maintenance of the process, risk and control framework for regulatory, organizational or process changes

Monitoring and reporting
- Periodic reporting and continuous monitoring: identify the metrics and dashboards needed for risk and compliance monitoring; develop processes for metrics collection, monitoring, trend analysis and dashboards

Tools and technology
- GRC point solutions
Illustrative example: GRC road map in three phases

Stabilize
- Establish governance
- Define business requirements
- Agree on a long-term road map and identify "quick wins"
- Select GRC technology solution(s)
- Pilot key elements of the solution

Optimize
- Complete control rationalization/optimization
- Begin GRC technology implementation
- GRC functional transformation
- Automate control execution and monitoring
- Deploy continuous monitoring

Enhance and sustain
- Continue GRC technology implementation
- Integrate with other functions and organizations
- Implement a sustainability program
Value: the client value outcomes listed under Defining GRC above.
Who we are

John McLain, Principal, Government and Public Sector
Cell: +1 410 300 2748 | Off: +1 703 747 1198 | john.mclain@ey.com

Joe Quinn, Senior Manager
Cell: +1 202 257 5518 | Off: +1 703 747 0898 | joseph.quinn@ey.com

Zane Williams, Senior Manager
Cell: +1 914 439 6834 | Off: +1 212 773 8658 | zane.williams@ey.com

Garo Nalabandian, Senior Advisor
Cell: +1 301 675 6049 | Off: +1 703 747 0616 | garo.nalabandian@ey.com
GRC self-assessment (answer each question Yes or No):
- Have your risk vision and strategy addressed the three main categories of risk: external, strategic and preventable?
- Does your senior management have confidence that you understand their risk vision and appetite?
- Have you established your risk appetite and tolerance for strategic risk events that could provide upward or downward potential to the mission or business operations?
- Do you have visibility into the risk coverage of the organization?
- Are you confident that there are no gaps in risk coverage, and do you have visibility into how issues roll up and impact the strategic mission or business risks?
- Are you confident that risk responses and compliance activities are optimized across the organization?