Risk & Compliance
Sushil Kumar Nahar of Wipro Technologies spoke about risk and
compliance.
Compliance has long been a worldwide requirement. There are
multiple frameworks, standards, regulations and overlapping
compliance requirements such as COSO, COBIT, ITIL/ISO 20000, SOX,
GLBA and ISO 27001. This leads to confusion, especially when using
more than one model, and it may cause conflicts of interest within
the organization as well as high operational cost due to overlap and
duplication of effort. The solution is to adopt an integrated
governance, risk & compliance (GRC) framework.
Need for the GRC framework
You need a unified framework to address governance, risk and
compliance needs. It gives top management and the Board of Directors
better control and visibility of IT and security governance, and it
improves risk and compliance management by integrating governance,
risk and regulatory compliance initiatives. Other advantages of a
GRC framework are streamlined processes and reduced operational
costs, quick response to changes in the risk environment and in
regulatory requirements, a firm foundation for efficient and
effective enterprise risk management, and performance metrics with
which to measure and improve IT and security performance.
Integrated GRC ensures that IT strategy is aligned with business
strategy. It communicates the IT strategy, policies and control
framework and establishes clarity on the business impact of risks to
IT objectives and resources.
Integrated GRC: requirements & challenges
The requirements include developing information security and IT
strategy in line with business goals and objectives, ensuring senior
management commitment, making sure that roles and responsibilities
are defined in accordance with IT and security governance
activities, establishing communication channels between business and
IT, identifying legal and regulatory requirements and their impact on
the business, and integrating governance, risk and compliance
activities as well as performance measurement criteria.
The challenges are consolidating multiple frameworks and standards
with conflicting overlaps, resource constraints (a shortage of
people with risk and compliance expertise), alignment with business
goals & objectives, and change management.
The building blocks of integrated GRC include a unified control
framework for governance, risk management and compliance, unified
organization structure with clear security responsibility and common
performance measures.
GRC Components
IT Governance: This encompasses IT strategic goals and objectives,
roles & responsibilities, policies & procedures, performance metrics
and internal assessments.
Risk Management: This covers risk appetite & tolerance, risk
assessment, analysis & scoring, mitigation and ongoing risk
management.
Compliance Management: This covers mapping regulatory requirements
to controls, defining technical and process controls, and compliance
assessment and monitoring.
Implementation Methodology
There are four phases in implementing GRC: assessment, remediation,
transformation and sustenance.
In Phase 1, you assess the governance, risk and compliance
requirements. Phase 2 has three sub-stages:
Control gap remediation: Prioritize the areas for remediation of the
control gaps identified during the assessment phase, remediate those
gaps, implement processes for performance monitoring and
measurement, and test the operational effectiveness of controls.
Steady state operations: Project reviews and quality assurance,
process optimization and ongoing process improvement, building best
practices and reusable components, support for identifying new
technologies and solutions, identifying areas for control
automation, and security metrics and dashboards for performance
measurement and monitoring.
Transformation initiatives: Prioritize activities for GRC
implementation, identify possible transformation challenges and
risks, ensure management commitment, establish communication
channels between business and IT, and develop the transformation
plan.
The third phase is of transformation. Here a unified control
framework, security organization structure, resource management and
value delivery come together to help create a GRC Centre of
Excellence.
Last but not least, sustenance involves ongoing compliance
management & monitoring, periodic risk & compliance assessments,
remediation of control gaps, and compliance reports and dashboards.
Together these permit the creation of a Compliance Solution Centre
that tracks changes and amendments to regulations, provides security
advisory services, monitors changes to risk and compliance
requirements, applies industry best practices and reusable
components, and drives operational effectiveness, efficiency and
control automation.
Control Automation - Some of the tools
Risk/Compliance Tools                                       | Key Usages
Paisley - Risk Navigator, BizFlow - SOXA, Open Pages - FCM  | Control documentation
Microsoft - SharePoint                                      | Documentation sharing
Sigmaflow                                                   | Process flow documentation
Agiliance                                                   | GRC - compliance management
NetIQ, SecureAware, Arcsight                                | Policy management, SIM
Oracle - Internal Control Manager                           | Oracle controls
SAP - Virsa                                                 | Control automation - SAP - SoD
Approva - BizRights                                         | Control automation - SoD
Eurekify - Sage                                             | Control automation - role engineering
Strohl - LDRPS, BIA Professional                            | Business continuity management
How GRC helps
GRC helps through risk & compliance management, savings, value
creation, lowered cost and improved customer service. The benefits
include improved control efficiency through automation; flexibility
on resource requirements, with quick ramp-up and ramp-down based on
need; cost advantages from an onsite/offshore model; the ability to
benchmark processes internally and identify internal best practices;
no more reinventing the wheel; access to a multi-skilled, adaptable
resource pool that works as a single team and collaborates;
reduced risk of an attrition-induced knowledge vacuum; streamlined
processes; an improved risk & compliance posture; improved customer
service levels (consistent, reliable, efficient, effective, etc.);
superior alignment between business, IT & security groups;
synergies in IT service management; leverage of the knowledge base
of a CoE; metrics for performance measurement and process
improvement; and a professional approach to applying marketplace
discipline.
He also touched upon performance management through performance
dashboards, process improvement dashboards, GRC performance metrics,
a single window on an organization's compliance status, and faster
identification of root causes of non-compliance.
He talked about a client, a world leader in air conditioning,
heating and refrigeration systems, for whom Wipro undertook a
project whose scope encompassed governance, risk and compliance
support. The requirements included reviewing the existing control
framework and suggesting the changes needed to address risk
management and compliance needs, developing process narratives in
line with the control requirements, implementing a security center
of excellence to manage risk and compliance, ongoing control testing
and recommending additional controls to address control gaps,
automation of controls including the user access process and
exception reporting, and preparing security and compliance
dashboards.
For the solution Wipro developed and implemented controls based on
COSO, COBIT, BS 7799 and ITIL frameworks/ standards, developed
process narratives and flowcharts in line with the control
requirements, implemented a Security CoE to support overall
compliance and risk management initiatives, automated controls
including user access management, log analysis and exception
reporting, patch monitoring and vulnerability remediation monitoring
and developed dashboards to monitor performance and compliance.
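The user access controls mentioned above (and the SoD entries in the tool table) boil down to one recurring check: no single person may hold roles that together grant two conflicting business functions, and every violation either appears on an exception report or is covered by an approved, unexpired exception. The script below is an added example of that check, not Wipro's code nor the output of any tool named on this page; the roles, functions, SoD rules, assignments and exception register are all constructed sample data.

```python
"""Segregation-of-duties (SoD) check with exception reporting.

Added example; all roles, rules and assignments below are constructed
sample data, not taken from the engagement described on the page.
"""
from datetime import date
from typing import Dict, FrozenSet, List, Set, Tuple

# Hypothetical application roles and the business functions each grants.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "TREASURY": {"release_payment"},
    "HR_ADMIN": {"create_employee"},
    "PAYROLL": {"run_payroll"},
    "READ_ONLY": {"view_reports"},
}

# SoD rules: rule id -> (description, pair of functions one person must not hold).
SOD_RULES: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "SOD-01": ("vendor creation vs payment approval",
               frozenset({"create_vendor", "approve_payment"})),
    "SOD-02": ("invoice entry vs payment release",
               frozenset({"enter_invoice", "release_payment"})),
    "SOD-03": ("employee creation vs payroll run",
               frozenset({"create_employee", "run_payroll"})),
}

# Approved exceptions (a compensating control exists): (user, rule id) -> expiry.
# Hypothetical register; an expired entry no longer covers the violation.
APPROVED_EXCEPTIONS: Dict[Tuple[str, str], date] = {
    ("bob", "SOD-02"): date(2099, 12, 31),
    ("dave", "SOD-03"): date(2000, 1, 1),  # expired, so dave is an open finding
}


def effective_functions(roles: Set[str]) -> Set[str]:
    """Union of the business functions granted by all of a user's roles."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))


def find_sod_violations(
    assignments: Dict[str, Set[str]],
) -> List[Tuple[str, str, Set[str]]]:
    """Return (user, rule id, offending roles) wherever a user holds both
    sides of an SoD rule, even if the two functions come from different roles."""
    violations: List[Tuple[str, str, Set[str]]] = []
    for user, roles in sorted(assignments.items()):
        funcs = effective_functions(roles)
        for rule_id, (_desc, pair) in SOD_RULES.items():
            if pair <= funcs:
                offending = {r for r in roles if ROLE_FUNCTIONS.get(r, set()) & pair}
                violations.append((user, rule_id, offending))
    return violations


def exception_report(assignments: Dict[str, Set[str]], today: date) -> Dict[str, list]:
    """Split violations into open findings and those covered by a valid exception."""
    open_findings, covered = [], []
    for user, rule_id, roles in find_sod_violations(assignments):
        expiry = APPROVED_EXCEPTIONS.get((user, rule_id))
        if expiry is not None and expiry >= today:
            covered.append((user, rule_id))
        else:
            open_findings.append((user, rule_id, sorted(roles)))
    return {"open": open_findings, "covered_by_exception": covered}


# Constructed user-to-role assignments, as an access review extract would supply.
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "AP_MANAGER"},  # create_vendor + approve_payment
    "bob": {"AP_CLERK", "TREASURY"},      # enter_invoice + release_payment, exception valid
    "carol": {"READ_ONLY"},
    "dave": {"HR_ADMIN", "PAYROLL"},      # create_employee + run_payroll, exception expired
}

if __name__ == "__main__":
    report = exception_report(SAMPLE_ASSIGNMENTS, date(2024, 1, 1))
    for user, rule_id, roles in report["open"]:
        print(f"OPEN     {user:6} {rule_id} ({SOD_RULES[rule_id][0]}) via {roles}")
    for user, rule_id in report["covered_by_exception"]:
        print(f"COVERED  {user:6} {rule_id} (approved exception on file)")
```

The check works on functions rather than role names so that a conflict split across two roles (as with bob's AP_CLERK plus TREASURY) is still caught; the exception register is date-bounded so that a once-approved exception does not silently outlive its compensating control, which is the usual audit finding in this area.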
The benefits included well-documented, effective and efficient IT
processes, minimization of risk through preventive measures and
timely identification of irregularities, improved compliance with
regulatory requirements, effective monitoring of controls through
the Security CoE, process improvement through performance
measurement and monitoring, and compliance dashboards to monitor
compliance posture.