GRC och God Dag !

 GRC och God Dag ! ROBERT HIRTH CHAIRMAN, COSO What you Might Hear… •  View of the GRC func:on as a whole. •  How has the GRC func:on changed over the past few years and what awaits in the future? •  Where are the future opportuni:es and challenges for the internal auditors, risk managers and compliance officers? If You Believe… COSO is a “US Thing” Then, You Also Must Believe… All Swedes are Blond Three Roles… • Chairman, COSO • Member, PCAOB Standing Advisory Group (SAG) • Chairman IIA IPPF Re-­‐look Task Force The COSO Agenda
Since their inception, the COSO frameworks (COSO’s
Enterprise Risk Management – Integrated Framework and
Internal Control – Integrated Framework) have both intended
to provide guidance for management on how to implement
and evaluate effective enterprise risk management (ERM) and
internal control.
When applied effectively, the frameworks’ concepts contribute
to the end result of improving organizational performance and
governance.
8
Lets Get on the Same Page…
9
What is GRC?
“An integrated approach used by corporations to act in
accordance with the guidelines set for each category.
Governance, risk management and compliance (GRC) is
not a single activity, but rather a firm-wide approach to
achieving high standards in all three overlapping
categories.”
Source: Investopia
10
GRC processes are extensive, ranging from the ac:vi:es of the board and execu:ve management, through strategy seVng, performance management, risk management and financial repor:ng, and including internal controls and IT security. OCEG’s list of func:ons and processes that are typically included in GRC makes this very clear: •  Governance •  Strategy and business performance management •  Risk management •  Compliance •  Internal control •  Corporate security •  Legal •  IT •  Business ethics •  Sustainability and corporate social responsibility •  Quality management •  Human capital and culture •  Audit and assurance •  Finance More…
•  GRC is a discipline that aims to synchronize information
and activity across governance, risk management and
compliance in order to create efficiency, enable more
effective information sharing and reporting and avoid
wasteful overlaps. While interpreted differently in various
organizations, GRC typically encompasses activities
such as corporate governance,
enterprise risk management (ERM) and corporate
compliance with applicable laws and regulations
12
And…
•  Organizations reach a size where coordinated
control over governance, risk management and
compliance (GRC) activities is required to
operate effectively. Each of these three
disciplines creates information of value to the
other two. Each of the three GRC disciplines
touch and impact the same technologies,
people, processes and information in any
organization.
13
From OCEG …
•  OCEG defines GRC as a “system of people, processes, and
technology that enables an organization to:
•  Understand and prioritize stakeholder expectations.
•  Set business objectives that are congruent with values and risks.
•  Achieve objectives while optimizing risk profile and protecting value.
•  Operate within legal, contractual, internal, social, and ethical
boundaries.
•  Provide relevant, reliable, and timely information to appropriate
stakeholders.
•  Enable the measurement of the performance and effectiveness of
the system.”
14
15
GRC Sources… •  King III •  UK Corporate Governance Code •  COSO •  IIA Standards •  OCEG •  RIMS • 
• 
• 
• 
• 
• 
ISO Malaysia, Singapore Australia Japan Consul:ng firms Many Others 17
King III- New Requirements
•  The need for an annual integrated report that focuses on the impact of the
organization in the economic, environmental and social spheres
•  A statement by the audit committee to the board and shareholders on the
effectiveness of internal financial controls to be included in the integrated
report
•  The consideration of the strategic role of IT and its importance from a
governance perspective
•  The positioning of internal audit as a strategic function that conducts a riskbased internal audit and provides a written assessment of the company's
system of internal control, including internal financial controls
•  The governance of risk through formal risk management processes.
18
Key Principles of King III
•  Good governance is essentially about effective leadership. Leaders
need to define strategy, provide direction and establish the ethics
and values that will influence and guide practices and behavior with
regard to sustainability performance.
•  Sustainability is now the primary moral and economic imperative
and it is one of the most important sources of both opportunities and
risks for businesses. Nature, society, and business are
interconnected in complex ways that need to be understood by
decision makers. Incremental changes towards sustainability are not
sufficient – we need a fundamental shift in the way companies and
directors act and organize themselves.
19
King III Principles, Cont’d
•  Innovation, fairness, and collaboration are key aspects of any
transition to sustainability – innovation provides new ways of doing
things, including profitable responses to sustainability. Fairness is
vital because social injustice is unsustainable and collaboration is
often a prerequisite for large-scale change.
•  Social transformation and redress is important and needs to be
integrated within the broader transition to sustainability. Integrating
sustainability and social transformation in a strategic and coherent
manner will give rise to greater opportunities, efficiencies, and
benefits, for both the company and society
20
Governance and the Code (UK)
1.  The purpose of corporate governance is to facilitate
effective, entrepreneurial and prudent management
that can deliver the long-term success of the company.
2. The first version of the UK Corporate Governance Code
(the Code) was produced in1992 by the Cadbury
Committee. Its paragraph 2.5 is still the classic definition of
the context of the Code:
21
Corporate governance is the system by which companies
are directed and controlled. Boards of directors are
responsible for the governance of their companies. The
shareholders’ role in governance is to appoint the directors
and the auditors and to satisfy themselves that an
appropriate governance structure is in place. The
responsibilities of the board include setting the company’s
strategic aims, providing the leadership to put them into
effect, supervising the management of the business and
reporting to shareholders on their stewardship. The
board’s actions are subject to laws, regulations and the
shareholders in general meeting.
22
3.Corporate governance is therefore about what the board
of a company does and how it sets the values of the
company. It is to be distinguished from the day to day
operational management of the company by full-time
executives.
4. The Code is a guide to a number of key components of
effective board practice. It is based on the underlying
principles of all good governance: accountability,
transparency, probity and focus on the sustainable
success of an entity over the longer term.
23
5. The Code has been enduring, but it is not immutable. Its
fitness for purpose in a permanently changing economic
and social business environment requires its evaluation at
appropriate intervals.
6. The new Code applies to accounting periods beginning
on or after 1 October 2014 and applies to all companies
with a Premium listing of equity shares regardless of
whether they are incorporated in the UK or elsewhere.
24
GRC Management Platforms…
•  Enterprise GRC Platforms with IT GRC Capabilities and
Clients: Agiliance, Aruvio, Bwise, CURA, DoubleCheck, IBM Open
Pages, LockPath, LogicManager, MEGA, MetricStream, Modulo, Pr
ocess Unity, ProcessGene, Protiviti
•  Pure Play IT GRC: Allgress, Blackthorn, Brinqa, C2C Smart
Compliance, Citicus, Commugen, Continuity
Logic, Maclear GRC, MetaCompliance, RiskWatch, ServiceNow, Tra
ceSecurity, TRUSTe, UCF, XACGTA (note some of these players
have unique focuses and may not fit perfectly into the platform
definition)
•  And More… Resolver, RSA Archer, Rsam, SAI Global, SAP,
Thomson Reuters, Wolters Kluwer, Wynyard Group, Xactium
25
What’s New …
•  The 3rd Party Management segment of the GRC market
is the hottest and fastest growing segment. This is the
segment that looks at solutions (and content such as
databases) to help govern, manage risk and compliance,
and the overall lifecycle of 3rd party relationships.
Relationships spans areas of suppliers, vendors,
outsourcers, service providers, contractors, consultants,
agents, temporary workers and more.
26
COSO and GRC…
27
Mission
COSO’s Mission is “To provide thought leadership
through the development of comprehensive frameworks
and guidance on enterprise risk management, internal
control and fraud deterrence designed to improve
organizational performance and governance and to reduce
the extent of fraud in organizations.”
COSO’s Fundamental Principle
Good risk management and internal control are necessary
for long term success of all organizations
28
COSO is more than Internal Control…
29
•  Enterprise risk management is a process, effected by
an entity’s board of directors, management and
other personnel, applied in strategy setting and across
the enterprise, designed to identify potential events that
may affect the entity, and manage risk to be within its
risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives.
•  Internal control is a process, effected by an entity’s
board of directors, management, and other
personnel, designed to provide reasonable assurance
regarding the achievement of objectives relating to
operations, reporting, and compliance.
30
COSO Releases New
Thought Lead
Paper Demonstrating How
Frameworks Improve
Organizational Performance
and Governance
ALTAMONTE SPRINGS, Fla., Feb. 10, 2014: The Committee of Sponsoring
Organizations of the Treadway Commission (COSO) announced today the
release of a new thought paper, Improving Organizational Performance and
Governance: How the COSO Frameworks Can Help, developed to illustrate
how the enterprise risk management (ERM) and internal control frameworks
can contribute to enhancing organizational performance and governance for
sustainable success.
31
http:/www.coso.org/
Management and Governance Processes
Governance
Starts with the organization’s vision and mission and consists of the oversight from
the board across the enterprise’s planning and operations
Strategy
Setting
Business
Is the process by which management
articulates a high level plan for
Planning
achieving goals consistent with mission
Plan
Business
Planning
Do
Act
Adapting
P
Execution
Study
Monitoring
33
Relating Frameworks and Business Model
Internal Control
Integrated Framework
Deals with alternate risk reduction
Enterprise Risk Management
Integrated Framework
Focuses on Strategic Objectives
Deals with alternate risk responses
(risk avoidance, acceptance, sharing,
and reduction)
Contextual Business Model
34
Update articulates principles of effective internal
control
1.  Demonstrates commitment to integrity and ethical values
Control Environment
2. 
3. 
4. 
5. 
Exercises oversight responsibility
Establishes structure, authority and responsibility
Demonstrates commitment to competence
Enforces accountability
Risk Assessment
6. 
7. 
8. 
9. 
Specifies suitable objectives
Identifies and analyzes risk
Assesses fraud risk
Identifies and analyzes significant change
Control Activities
10.  Selects and develops control activities
11. Selects and develops general controls over technology
12.  Deploys through policies and procedures
Information &
Communication
Monitoring Activities
13.  Uses relevant information
14.  Communicates internally
15.  Communicates externally
16.  Conducts ongoing and/or separate evaluations
17.  Evaluates and communicates deficiencies
35
36
Control Environment
1.  The organization demonstrates a commitment to
integrity and ethical values.
2.  The board of directors demonstrates
independence from management and
exercises oversight of the development and
performance of internal control.
3.  Management establishes, with board
oversight, structures, reporting lines, and
appropriate authorities and responsibilities in
the pursuit of objectives.
4.  The organization demonstrates a commitment to
attract, develop, and retain competent individuals
in alignment with objectives.
.
37
Risk Assessment
6. The organization specifies objectives with
sufficient clarity to enable the identification and
assessment of risks relating to objectives.
7.
The organization identifies risks to
the achievement of its objectives
across the entity and analyzes
risks as a basis for determining
how the risks should be managed.
8. The organization considers the potential for
fraud in assessing risks to the achievement of
objectives.
9. The organization identifies and assesses
changes that could significantly impact the
system of internal control.
38
Compliance “Concepts”
•  Laws, rules, standards and regulations
establish minimum standards of conduct
•  Compliance objectives are established
•  Management consider acceptable level of
variation
•  Many laws and regulations depend on external
factors, geography and industry- and at times,
size
39
The Challenge and The
Opportunity
40
“That fact of life for compliance executives means that for
them to succeed, they should master the art of working with
and leveraging resources in other functions (legal, IT, HR,
and internal audit) to achieve compliance goals, and they
should continuously communicate to management and the
board that a strong compliance function is a valuable
strategic asset that not only focuses on risk avoidance, but
also looks to find ways to gain strategic advantage from
intelligently managing risk. “
Compliance Trends 2013, Deloitte and Compliance Week
41
Battling Your GRC Demons
Solving The Top 5 Concerns of Compliance
Professionals
•  Making Compliance a Concern for Leadership and Securing a Seat
at the Table
•  Employee Engagement- Keeping Ethics Top of Mind
•  Driving a “Speak-up” Culture and Overcoming a “Speak-not” Culture
•  Managing Potential Risk of Doing Business with Your Partners and
Vendors- Third-Party Risk
•  Globalizing and Socializing Compliance- Dealing with a Wide-open
World
Source: The Network, Integrated GRC Solutions
42
Protiviti’s Future Auditor…
•  Positioned to be objective
•  Vested with a direct reporting line to the board
•  Establishes relevance by understanding the organization’s business
objectives and strategy and identifying related risks
•  Creates value by making recommendations to strengthen the effectiveness
of governance, risk management and internal control processes
•  Uses a lines-of-defense perspective to ensure that risk management and
internal control are effective
•  Articulates value a risk-based audit plan contributes to the organization,
providing an assurance perspective the board and executive management
can understand
•  Maximizes use of technology to achieve efficiencies and maximizing
coverage
•  Possesses escalation authority and proactively exercises that authority
43
Ways to Add Value…
1. Think more strategically when analyzing risk and framing
audit plans
2. Provide early warning on emerging risk
3. Broaden the focus on operations, compliance and nonfinancial reporting issues
4. Strengthen the lines of defense that make risk
management work
5. Improve information for decision-making across the
organization
6. Watch for signs of a deteriorating risk culture
44
Adding Value, cont’d
7. Expand the emphasis on assurance through effective
communication with management and the board
8.Collaborate more effectively with other independent
functions on managing risk and compliance
9.Leverage technology-enabled auditing
10. Improve the control structure, including the use
automated controls
11. Advise on improving and streamlining compliance
management
12. Remain vigilant with respect to fraud
45
The Challenge …
Governance
Audit
Risk
Compliance
Other
47
The Opportunity …
48
The Goal ?
“We could not function without our GRC program. Our team
pulls it all together. They coordinate, consolidate and know
their stuff. They challenge us AND they help us.
As a result, we have become a better employer and a more
effective and successful organization. We know,
communicate and meet our objectives more of the time,
know how to measure, change course when needed and
realize this is a journey that may never be finished.”
49
Practical Advice
•  START THE DISCUSSION!
•  “Head North”
•  “Find” GRC in your organization
•  Learn more from others and outside sources
•  Determine if it’s worth the effort
•  Leverage activity of others
•  Consider how to leverage technology
•  Define value and measure it
50
Proposed Enhancements to
The Institute of Internal Auditors
International Professional Practices
Framework (IPPF)
August 4, 2014
NOTICE: Comment Period ends November 3, 2014.
Thank You ! Extra slides for reference Principle 2- Points of Focus
• Establishes oversight responsibilities
• Applies relevant expertise
• Operates independently
• Provides oversight to the system of
internal control
54
Principle 3 - Points of Focus
• Considers all structures of the entity
• Establishes reporting lines
• Defines, assigns and limits authorities
and responsibilities
55
56
Principle 7- Points of Focus
• Includes entity, subsidiary, division,
Operating unit and functional levels
• Analyzes internal and external factors
• Involves appropriate levels of
management
• Estimates significance of risks identified
• Determines how to respond to risks
57
58
Six Attributes of Contextual Business Model
1. Governance
•  Providing oversight / authoritative direction / control
•  Allocating power among the board, management and
shareholders*
•  The board ensures accountability, fairness and
transparency in the organization’s relationships with
its various stakeholders
* Governance, Risk Management and Compliance,
Richard M. Steinberg, John Wiley & Sons, Inc., page 2
Six Attributes of Contextual Business Model
1. Governance
2. Strategy Setting
•  Providing a high level plan for what the
organization seeks to achieve over the
planning horizon
•  Presented in the form of overall goals,
initiatives and tactics
•  Articulates what organization seeks to
achieve through its:
•  Overall direction
•  Environmental scan
•  Differentiating capabilities
•  Infrastructure needed to deliver
the differentiating capabilities
Six Attributes of Contextual Business Model
1. Governance
2. Strategy Setting
3. Business Planning
•  Initiates the management cycle for delivering the
strategy
•  Links strategic planning, risk mitigation, budgeting,
forecasting, and resource allocation
•  Breaks down corporate strategy into achievable plans,
with financial and operational targets to establish
accountability for results
•  Aligns business objectives, key metrics, plans and
budgets across the organization down to the level of
greatest achievability and accountability
Management & Governance:
ERM Components – Business Model
Governance
Strategy Setting
Business
Planning
Business
Planning
Execution
Adapting
P
Monitoring
62
Management & Governance:
Internal Control Components – Business Model
Governance
Strategy Setting
Business
Planning
Business
Planning
Execution
Adapting
P
Monitoring
63
64
Update considers changes in business
and operating environments…
Environmental changes...
…have driven Framework updates
Expectations for governance oversight
Globalization of markets and operations
Changes and greater complexity in business
Demands and complexities in laws, rules, regulations, and
standards
Expectations for competencies and accountabilities
Use of, and reliance on,
evolving technologies
Expectations relating to preventing and detecting fraud
COSO Cube (2013 Edition)
65
Control Activities
10. The organization selects and develops control
activities that contribute to the mitigation of risks
to the achievement of objectives to acceptable
levels.
11. The organization selects
and develops general control
activities over technology to
support the achievement of
objectives.
12. The organization deploys control activities
through policies that establish what is expected
and procedures that put policies into place.
66
Principle 11- Points of Focus
•  Determine dependency between the use of
technology in business processes
and technology general controls
•  Establishes relevant:
–  technology infrastructure control activities
– security management process control activities
– technology acquisition, development and
maintenance control activities
67
Outsourcing Alternative (page 23)
“…While in principle, the same considerations
apply whether controls are performed internally or
by an outsourced service provider, outsourcing
presents unique risks and often requires selecting
and developing additional controls over the
completeness, accuracy, validity of information
submitted to and received from the outsourced
service provider .”
68
Information &
Communication
13. The organization obtains or
generates and uses relevant,
quality information to support
the functioning of internal
control.
14. The organization internally communicates
information, including objectives and
responsibilities for internal control, necessary to
support the functioning of internal control.
15. The organization communicates with external
parties regarding matters affecting the
functioning of internal control.
69
Principle 13- Points of Focus
• Identifies information requirements
• Captures internal and external sources of
data
• Processes relevant data into information
• Maintains quality throughout processing
• Considers costs and benefits
70
Why Two??????????
Internal Control
Integrated Framework
Enterprise Risk Management
Integrated Framework
Why Two??????????
71
All Organizations are Unique…
•  Different Maturity levels
•  No ERM but need controls
•  Have to report on controls and need a framework
•  Are starting ERM, controls are mature
•  ERM and Internal control are closely linked
•  ERM is a separate activity
•  Have to report on ERM and need a framework
•  And other distinctions…
ALL CAN USE COSO MATERIALS FOR ADDING
VALUE
72
Update on Transition to COSO 2013…
73
A Specific-Purpose Perspective
THE SARBANES-OXLEY
ACT OF
2002
THE
SARBA
NESOXLEY
ACT OF
2002
74
Getting COSO Publications
The updated Framework and related Illustrative
documents are available in 3 layouts
1. E-book – This layout is ideally suited for those wanting access in
electronic format for tablet use. An e-book reader from the AICPA is
required to view this layout. Printing is restricted in this layout.
•  Purchase through www.cpa2biz.com
2. Paper-bound – This layout is ideally suited for those wanting a hard
copy.
•  Purchase through www.cpa2biz.com
3. PDF – This layout is ideally suited for organizations interested in
licensing multiple copies.
•  Contact the AICPA at [email protected]
75