
Governance, Risk and Compliance

ISACA Monterrey

Sarah Adams, GRC Leader

Carlos Ruiz, SAP Specialist
Elias Rivera, Oracle Specialist
May 2013

© 2013 Galaz, Yamazaki, Ruiz Urquiza, S.C.


1. What is GRC
2. It's All About Risk
3. Getting Started
4. Common GRC tools
• SAP BusinessObjects GRC
• Oracle GRC
• Accelus
• OpenPages
• RSA Archer eGRC

5. Summary and Questions


What is GRC


Governance, Risk and Compliance (GRC)

GRC is a management model that promotes unified criteria, as well as communication and collaboration between the different stakeholders in the management and control of the organization.

Governance:
- Strategy
- Goals and objectives
- Policies and procedures
- Structures and processes
• Manages the risks to the execution of the company strategy, as well as the risks arising from the chosen strategy

Risk management:
- Identify risks
- Risk analysis
- Risk profiles
- Risk monitoring
- Achievement of objectives
• Determines the areas exposed to potential risks

Compliance:
- Comply with policies and procedures
- Laws and regulations
- Controls
- Activities
• Is the tactical action to mitigate risk


GRC Stakeholders

Board and support committees:
• Uniform visions and approaches
• Clear dissemination and consistent strategy, culture, policies and objectives
• Fast and informed decision making
• Comprehensive risk
• Effective and efficient internal control environment

Management team:
• Roles and responsibilities defined
• Ethics program disseminated and applied uniformly

Relationship with regulators:
• Constant communication and collaboration: "No surprises"

Systems department:
• Optimum level of security
• Disaster recovery plans and business continuity plans
• Segregation of functions implemented in the systems according to the policies
• IT projects and acquisitions aligned with business strategy

Legal:
• Permanent and coordinated tasks
• Coordinated compliance efforts with a proactive approach

Finance:
• Performance aligned to business objectives

Relations with the market:
• Clear vision of market trends and needs
• Scheduled and timely delivery

Internal Audit:
• Audit plan aligned to the objectives of the organization
• Efficient audit programs


The value of GRC to your business

GRC promotes unified criteria, coordinated effort and collaboration between the different actors involved in the direction of the organization through:

• Integration of the governing bodies, officers, administration, risk management, internal control and compliance

• Assignment of roles and responsibilities to key stakeholders

• Formalization of communication channels

• Application of a risk-based approach

• Implementation of a compliance program


GRC Benefits and Organization Solutions

Control | Performance | Consolidation | Innovation | Compliance | Assurance

Finance: CFO, Comptroller, Finance Director, Finance Manager
IT: CIO, IT Director, Application Manager, Analyst, DBA/Bus
Internal Audit: Chief Audit Executive, Audit VP, Audit Manager, Internal Audit

GRC Benefits for the CFO
• Reduced time and cost for audits
• Quick and easy validation of compliance standards
• Reduced risk and increased confidence in financial reporting
• Improved decision-making process through real-time diagnostics (continuous monitoring)
• Generation of internal control guidelines in the organizational culture

GRC Benefits for the CIO
• Management by exception, reducing the time and costs incurred in compliance
• Less effort to respond to the compliance needs of business areas and internal audit
• Timely and accurate business operations
• Acceleration of the user provisioning process, ensuring data security

GRC Benefits for the CAE
• Quick identification of potential issues due to a rapid authorization flow, giving greater visibility within the organization
• Reduced run times of audit plans through self-managed reports and centralized online evidence
• Improved coordination and utilization of audit area resources
• Improved remediation and risk management process


It's All About Risk


Risk Intelligence

Our GRC approach focuses on maintaining the right balance between risk and reward. An effective risk management program focuses simultaneously on value protection and value creation. We call an organization that has attained this advanced state of risk management capability a "Risk Intelligent Enterprise™."

Deloitte's Nine Principles for building a Risk Intelligent Enterprise™:

1. Common Definition of Risk
2. Common Risk Framework
3. Roles & Responsibilities
4. Transparency for Governing Bodies
5. Common Risk Infrastructure
6. Executive Management Responsibility
7. Objective Assurance and Monitoring
8. Business Unit Responsibility
9. Support of Pervasive Functions


The Risk Intelligent Maturity Model

Where are you on the maturity model?

Stages of risk management maturity (stakeholder value increases from stage 1 to stage 5). Representative attributes of each stage:

Stage 1
• Ad hoc/chaotic
• Depends primarily on individual heroics, capabilities, and verbal wisdom

Stage 2: Fragmented
• Risk is defined differently at different levels and in different parts of the organization
• Risk is managed in silos
• Limited focus on linkages between risks
• Limited alignment of risk to strategies
• Disparate monitoring and reporting functions

Stage 3: Top down
• Identified risk universe
• Common risk assessment/response approach developed and adopted
• Organization-wide risk assessment performed
• Action plans implemented in response to high-priority risks
• Communication of top strategic risks to the senior management team

Stage 4
• Risk management activities coordinated across business areas
• Risk analysis tools developed and communicated
• Enterprise risk monitoring, measuring, and reporting
• Scenario planning
• Opportunity risks identified and exploited
• Ongoing risk assessment processes

Stage 5
• Risk discussion embedded in strategic planning, capital allocation, product development, etc.
• Early warning system to notify board and management of risks above established thresholds
• Linkage to performance measures and incentives
• Risk modeling


Getting Started


The GRC Framework


Defining Your GRC Processes

You need a repeatable process, defined as any other process in your organization would be:
• Institutionalization of integrated processes
• Standardization of activities across business units
• Defined roles and responsibilities

Flowcharts and guidelines for the to-be state:
• Details of activities
• Definition of policies and rules
• Use of best practices
• Creation of processes that are new to the client

Frameworks included: OCEG (Open Compliance & Ethics Group) GRC Model (Red Book), COSO, COBIT, ERM, CPMC

Workshops and design validation:
• Key stakeholders
• Refine, revise
• Finalize policies, procedures and processes
• Cultural change and
Technology to Enable GRC

IT Infrastructure


Know the Capabilities of Your Tool

Although the tool is the enabler, understand the features and functions of your tool
BEFORE you start on this journey.

• Better questions
• Easier upload
• More integrated
• Take advantage of what you have
• Understand the journey you are on


Common GRC tools


SAP BusinessObjects GRC

Risk Management: risk identification and integral monitoring.

Access Control: segregation of duties, automated user provisioning, management of super users, roles and profiles.

Process Control: comprehensive management to document, test, monitor and certify the company's internal control.

Global Trade Services: risk management of global trade (imports and exports).

Environment, Health, and Safety Management: environmental and safety management.


SAP BusinessObjects GRC

SAP GRC Access Control

Enhances the access request process and SoD risk analysis.

Key Benefits
• Manage and control access to the SAP system within the defined scope
• Indicators to monitor segregation of duties conflicts and to document compensating controls
• Monitoring of users with broad access (Firefighter) in the SAP system
• Automatic authorization workflow with identification of the responsible manager for user additions, removals or changes
• Preventive segregation of duties analysis for access requests

SAP BusinessObjects GRC

SAP GRC Process Control

Enhances continuous monitoring and reduces risk.
Automates compliance monitoring and the control and management of internal control within the company, helps improve the effectiveness of controls in IT systems, and aligns processes and compliance controls with risk prevention and efficiency requirements.

Key Benefits
 Supports internal control areas and internal and external audit in the review of process controls and risks
 Scalable support of corporate internal control and compliance
 Improves performance through the identification, prioritization and focus on key risk areas
 Achieves real-time visibility of all compliance and internal control activities
 Protects business value with continuous monitoring: automated controls and robust policies
 Accelerates audit cycles and reduces the cost of compliance through automation
 Proactively monitors controls and analyzes failures


SAP BusinessObjects GRC

SAP GRC Risk Management

Preserves and enhances the value of your business.
Gives an overview of how risk factors can impact business value and reputation. Risk Management helps identify key risk indicators and align them with events and their potential impact, so that decisions can be made responsibly on that basis.

Key Benefits
 Enhances and supports the process of identifying, measuring, monitoring and responding to business risks
 Understand the risk factors and their impact on value, processes and business performance
 Maps business objectives to indicators of value within the organization
 Documents and monitors key indicators of compliance and risk mitigation
 Executive dashboards and reporting
 Communication with Process Control to mitigate risks with their respective controls
 Integration of surveys for identifying risks and/or
 Analysis of quantitative and qualitative risk
Common GRC tools
Oracle GRC


Oracle GRC

The Oracle GRC Platform consists of three major components: GRC Intelligence, GRC Manager, and GRC Controls.

GRC Intelligence (cross-enterprise):
• Visibility into compliance readiness and responsiveness
• Risk and performance analytics and dashboarding
• Planning, modeling, reporting, and analysis of GRC

GRC Manager (enables integrated risk and compliance):
• Central GRC repository
• Documentation of critical business policies, processes, controls, risks, and issues
• Test plans and performance of control tests
• Automatic initiation of testing review and approval processes
• Capture and storage of test evidence

GRC Controls (Oracle-specific control automation):

Application Access Controls Governor:
• SoD controls at the access point or entitlement level
• Simulation feature to report conflicts before deploying access model changes

Transaction Controls Governor:
• Allows continuous monitoring of policies, controls, and transactions within the Oracle ERP application

Preventive Controls Governor:
• Prevents control violations from occurring and reduces expensive detection and remediation cycles

Configuration Controls Governor:
• Enforces data and application integrity
• Audits changes to key configurations and operational data
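The access-control points in this and the SAP GRC Access Control slide (preventive SoD analysis of access requests, compensating-control documentation, SoD rules at the entitlement level, simulation before deploying an access model change) all rest on one mechanism: resolve each user's roles down to the business functions they grant, test every rule pair against that set, and report only what a proposed change would add. The block below is an added example written for this page; it is not code from the deck, nor from SAP or Oracle. Every role, function, user and rule name (Z_AP_ALL, AP_INVOICE_POST, R01, CC-17, ...) is constructed sample data.

```python
# Added example (not from the deck, SAP or Oracle): SoD analysis at the entitlement
# level, pre-deployment simulation of an access request, compensating-control
# documentation and a conflict indicator. All names are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    function_a: str   # two business functions (entitlements) that
    function_b: str   # the same person must not hold together
    risk_level: str   # "HIGH" / "MEDIUM", used for the indicator roll-up


@dataclass
class AccessModel:
    roles: Dict[str, Set[str]]        # role -> functions it grants
    assignments: Dict[str, Set[str]]  # user -> roles assigned
    # (user, rule_id) -> reference to a documented compensating control
    mitigations: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def functions_held(self, user: str, roles: Optional[Set[str]] = None) -> Dict[str, Set[str]]:
        """Resolve roles to the entitlement level: function -> roles granting it."""
        held: Dict[str, Set[str]] = {}
        for role in (self.assignments.get(user, set()) if roles is None else roles):
            for func in self.roles.get(role, set()):
                held.setdefault(func, set()).add(role)
        return held


# (rule_id, risk_level, roles granting side a, roles granting side b, mitigated?)
Violation = Tuple[str, str, Tuple[str, ...], Tuple[str, ...], bool]


def analyze_user(model: AccessModel, user: str, rules: List[SodRule],
                 roles: Optional[Set[str]] = None) -> List[Violation]:
    """Detective check: every rule whose two functions the user holds together."""
    held = model.functions_held(user, roles)
    return [(r.rule_id, r.risk_level, tuple(sorted(held[r.function_a])),
             tuple(sorted(held[r.function_b])), (user, r.rule_id) in model.mitigations)
            for r in rules if r.function_a in held and r.function_b in held]


def simulate_assignment(model: AccessModel, user: str, add_roles: Set[str],
                        rules: List[SodRule]) -> List[Violation]:
    """Preventive check on an access request: only the conflicts the change would
    introduce, so the approver sees the delta, not already-known history."""
    known = {v[0] for v in analyze_user(model, user, rules)}
    proposed = model.assignments.get(user, set()) | set(add_roles)
    return [v for v in analyze_user(model, user, rules, roles=proposed) if v[0] not in known]


def role_conflicts(model: AccessModel, rules: List[SodRule]) -> Dict[str, List[str]]:
    """Role-design check: one role granting both sides of a rule violates it for
    every user it is assigned to, so fix the role rather than each user."""
    out: Dict[str, List[str]] = {}
    for role, funcs in model.roles.items():
        hits = [r.rule_id for r in rules if r.function_a in funcs and r.function_b in funcs]
        if hits:
            out[role] = hits
    return out


def open_violations(model: AccessModel, rules: List[SodRule]) -> Dict[str, int]:
    """Monitoring indicator: unmitigated conflicts per risk level across all users."""
    counts: Dict[str, int] = {}
    for user in model.assignments:
        for v in analyze_user(model, user, rules):
            if not v[4]:
                counts[v[1]] = counts.get(v[1], 0) + 1
    return counts


RULES = [  # constructed rule set
    SodRule("R01", "VENDOR_MASTER_MAINTAIN", "AP_INVOICE_POST", "HIGH"),
    SodRule("R02", "AP_INVOICE_POST", "AP_PAYMENT_RELEASE", "HIGH"),
    SodRule("R03", "PO_CREATE", "GOODS_RECEIPT_POST", "MEDIUM"),
]
MODEL = AccessModel(  # constructed access model with hypothetical role names
    roles={"Z_VENDOR_MAINT": {"VENDOR_MASTER_MAINTAIN"}, "Z_AP_INVOICE": {"AP_INVOICE_POST"},
           "Z_AP_PAYMENT": {"AP_PAYMENT_RELEASE"}, "Z_PURCHASER": {"PO_CREATE"},
           "Z_WAREHOUSE": {"GOODS_RECEIPT_POST"},
           "Z_AP_ALL": {"AP_INVOICE_POST", "AP_PAYMENT_RELEASE"}},  # conflicting by design
    assignments={"alice": {"Z_VENDOR_MAINT", "Z_AP_INVOICE"},  # R01, mitigated below
                 "bob": {"Z_AP_INVOICE"}, "carol": {"Z_PURCHASER"},
                 "dave": {"Z_AP_ALL"}},                          # R02 via one role, open
    mitigations={("alice", "R01"): "CC-17 monthly independent review of vendor master changes"},
)

if __name__ == "__main__":
    print("roles conflicting by design:", role_conflicts(MODEL, RULES))
    print("open conflicts by risk level:", open_violations(MODEL, RULES))
    for v in simulate_assignment(MODEL, "bob", {"Z_AP_PAYMENT"}, RULES):  # access request
        print(f"granting bob Z_AP_PAYMENT would add {v[0]} ({v[1]}): {v[2]} x {v[3]}")
```

Two design points worth noting: the simulation reports the delta, so an approver reviewing bob's request sees the single HIGH conflict it would create rather than the whole history of the account; and a mitigated conflict (alice's R01, covered by a documented compensating control) still appears in the detective result but drops out of the open-conflict indicator, which is what lets the indicator track remediation progress without losing sight of accepted risk.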


Oracle GRC

Key Benefits

Soft Benefits
• Avoid the pain of returning to significant deficiency or material weakness disclosure
• Easier to detect fraud and respond quicker
• Quality and reliability of Oracle-generated audit reporting, inherently more credible
• Allows shift of ownership for access decisions from IT to Business Management
• Enhanced security restrictions
• Ability to identify and prevent segregation of duty violations and to enforce segregation of duties compliance
• Manage by exception; reduce time and cost of compliance
• Improved support of Internal Audit and LOB compliance needs with less effort
• Consistent environments, full audit trail of changes, easier migration/upgrade
• Better decision making armed with real-time diagnostics due to timely and accurate information
• Free up resources and time for core value-add activities; enhanced morale of finance staff
• Faster information flow and better visibility for quicker identification of potential issues
• Better utilization of audit resources and coordinated efforts
• Fewer duplicate payments
• Reduce/eliminate duplicate vendors and customers, …
• Ability to identify and track changes to configurations; catch unexpected setup changes before going live

Measurable Benefits

Cost Reduction
• Less internal/external audit costs related to security
• Less help desk resources to provision security and resets
• Consultant fees for form/workflow customization
• Post-implementation remediation/rework
• Form customization/workflow consulting
• Configuration change management

Time Reduction
• Time spent on design/build/test/maintaining compliant security roles
• Time spent testing authorization manager approvals
• Time spent validating compliance
• Time spent on Sarbanes-Oxley, SOD, or any other initiative testing
• Time spent conducting management review of access
• Time to respond to user provisioning requests
• Reduced audit time and effort through self-service reporting and online centralized evidence

Costs
• Resources required for the implementation
• Hardware assumed under ERP infrastructure
• Software license and maintenance costs
• Implementation team
• Upgrade costs


Oracle GRC

Why Oracle GRC? Differentiators of the Oracle GRC Controls Suite (product, function capabilities, value):

 GRC Manager & Intelligence
 Capabilities: manages GRC processes, integrating robust process management capabilities; captures internal and external performance metrics quickly and accurately; fact-based continuous improvement.
 Value: central repository of business policies, processes, controls, risks and issues; reduction in the costs of proving risk and compliance effectiveness across the enterprise.

 Comprehensive Control Solution
 Capabilities: provides a network of linked controls embedded within business processes; deploys controls across user access, actions, sensitive configurations and

 Access Controls
 Capabilities: define and enforce fine-grained access and SoD rules in business terms.
 Value: simplify segregation of duties enforcement with identification, prevention, simulation and

 Configuration Controls
 Capabilities: lock down and monitor critical application setups against corporate standards.
 Value: deliver a complete audit trail (when, who, what and why) for changes to key

 Transaction Controls
 Capabilities: continuously monitor for fraud and errors in business transactions.
 Value: ensure accuracy, test against thresholds and search for anomalies.

 Preventive Controls
 Capabilities: deploy preventive UI controls on risky transactions and configurations.
 Value: proactively restrict access to sensitive data and route key changes for approval.

 Predefined Content for P2P and O2C processes, system administrator
 Capabilities: pre-built business objects that represent key business entities across processes.
 Value: reusable, business-user-friendly terms to author new objects based on policies.

 Pre-built Connector to EBS and PSFT
 Capabilities: includes the ETL adapter plus hundreds of meta-data object mappings to EBS and PSFT transactional and setup tables.
 Value: enables customers to build their own adapters using easy-to-understand business objects (meta-data) out of the box.


Oracle GRC

Oracle GRC Manager and Intelligence

Oracle GRC Manager and Intelligence provide the opportunity to institute an end-to-end process to manage compliance activities.

Reduced cost and complexity
• Reduce cost and complexity by managing multiple global financial mandates with one system
• Rationalized multiple compliance requirement sources
• Top-down, risk-based modeling across business units

Reduced risk
• Top-down risk decisions and control across business units
• Accountability for processes and controls
• Improve risk responsiveness with timely control and performance analytics

Improved control
• Integrated workflow solution for testing, assessment, and mitigation activities
• Risk performance metrics and reporting
• Event notification and tracking


Oracle GRC

Oracle GRC Controls

Oracle GRC Controls provide the opportunity to deploy automated continuous monitoring.

Application Access Controls Governor
Challenge: clients are unsatisfied with the current state of application data access and security.
Solution: automate the SoD/access life cycle (detection, analysis, remediation, deployment of preventive controls, and compensating controls) to accommodate dynamic business

Configuration Controls Governor
Challenge: clients have ineffective controls around system integrity and security.
Solution: design and implement configuration controls on field value changes, action buttons, and sensitive data based on company policy and risk appetite.

Transaction Controls Governor
Challenge: clients have trouble monitoring controls to prevent error and fraud from happening.
Solution: design and implement automated transaction controls to validate application and system control effectiveness, identify suspect transactions, and route them to process owners for visibility before material issues arise.

Preventive Controls Governor
Challenge: clients struggle with master data maintenance; data privacy and protection of sensitive data often require extensive application customization.
Solution: design and configure policy-based access to field data within the application to enforce mandatory fields, as well as address data privacy and protection of sensitive data.


Common GRC tools


Accelus GRC Enterprise Solutions

Built to handle the diverse requirements of internal audit, internal controls management, risk management, policy management, legal, and compliance professionals, the Thomson Reuters Accelus suite of products provides solutions for documentation and workflow, regulatory news and information, global compliance screening, board management, and regulatory disclosure.

The suite is organized around three themes (Proactive Insight, Dynamic Connections, Informed Choices) and comprises the following solution families:
• Board Solutions
• Regulatory Intelligence Solutions
• Internal Audit Solutions
• Risk Management Solutions
• Disclosure Solutions
• Training Solutions
• Due Diligence Solutions
• Screening Solutions
• Internal Control Solutions
• FATCA Solutions
• Policy Management Solutions
• Enterprise GRC Solutions
• Enterprise Compliance Solutions
• GRC Controls


Accelus Solution Suite

Key Benefits

 Provides visibility, transparency and oversight over GRC processes
 Monitor and track regulatory rule changes
 Mitigate risk hiding in client relationships and related human networks
 Identify and mitigate legal, regulatory and business risk
 Maintain effective policies and demonstrate
 Streamline audit, risk management, and internal control processes
 Efficiently address required regulatory disclosure


Common GRC tools



OpenPages

OpenPages is an integrated governance, risk and compliance platform that enables companies to manage risk and regulatory challenges across the enterprise. It provides a set of core services and functional components that span risk and compliance domains, including operational risk, policy and compliance, financial controls management, IT governance and internal audit.

GRC Platform
• Unprecedented insight into enterprise-wide risk and compliance activities

Operational Risk Management
• Identify, manage, monitor, and analyze operational risk across the enterprise in a single integrated solution

Policy and Compliance Management
• Consolidate the policy and compliance management process in a single solution and manage regulatory change and regulator interaction

Financial Controls Management
• Automate the financial controls management process to address reporting requirements introduced by Sarbanes-Oxley and similar global mandates

IT Governance
• Build and maintain a sustainable IT risk and compliance approach to meet the challenges posed by sensitive data, managing technology assets, and evolving regulatory requirements

Internal Audit Management
• Enable internal auditors to automate and manage intraorganizational audits and leverage broader risk and compliance management activities



Key Benefits

Operational Risk
• Identify, manage, monitor and report (high-level reports)
• Risk evaluation and self-assessments
• KRIs, scenario analysis
Benefits: standardized risk reporting; improved operational risk processes; improved visibility into risk exposure, reduced loss and improved business performance.

IT Risk
• IT risk evaluation
• Identification of critical risks, controls and gaps
Benefits: IT risk and control management according to a business process; unification of multiple risk silos.

Internal Audit
• Definition, planning, execution and reporting of audits for all business lines
• Automated workflows and configurable reports
Benefits: empowers the audit department; enables auditors to automate and manage internal audits and to conduct broader risk and compliance management activities.


Common GRC tools
RSA Archer eGRC


RSA Archer eGRC

RSA Archer eGRC solutions allow you to build an efficient, collaborative enterprise governance, risk and compliance (eGRC) program across IT, finance, operations and legal domains. With RSA Archer eGRC, you can manage risks, demonstrate compliance, automate business processes, and gain visibility into corporate risk and security controls.

RSA Archer eGRC Platform: adapt the eGRC products to the organization's requirements, build applications, and integrate with other systems.

Solutions built on the platform:
• RSA Archer Audit Management
• RSA Archer Risk Management
• RSA Archer Continuity Management
• RSA Archer Threat Management
• RSA Archer Enterprise Management
• RSA Archer Vendor Management
• RSA Archer Incident Management


RSA Archer eGRC

Key Benefits

Flexibility. The Platform offers a point-and-click interface for building and managing business applications. Non-technical users can automate processes, streamline workflow, control user access, tailor the user interface and report in

Unified. Provides a common platform to manage policies, controls, risks, assessments and deficiencies across lines of business. This unified approach eases system complexity, strengthens user adoption and reduces training

Collaborative. The Platform enables cross-functional collaboration and alignment. Business users across IT, finance, operations and legal domains can work together in an integrated framework using common processes and data.

Platform components: Application Builder, Reports and Dashboards, Access Control, System Integration.


Summary and Questions


Deloitte refers to Deloitte Touche Tohmatsu Limited, a UK private limited liability company, and to its network of member firms, each of which is a legally separate and independent entity. See the detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting and financial advisory services to public and private clients in a range of industries. With a global network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to its clients, delivering the insight needed to address the most complex business challenges. It has around 200,000 professionals, all committed to becoming the standard of excellence.

As used in this document, "Deloitte" means Galaz, Yamazaki, Ruiz Urquiza, S.C., which has the exclusive legal right to engage in, and limits its business to, the provision of audit, tax consulting, financial advisory and other professional services in Mexico under the name "Deloitte".

This publication contains general information only, and neither Deloitte Touche Tohmatsu Limited, nor its member firms, nor any of their respective affiliates (collectively the "Deloitte Network") is, by means of this publication, rendering advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss sustained by any person or entity that relies on this publication.
