19th Annual Regional Audit Conference – Abu Dhabi

Governance, Risk & Compliance (GRC) Technology

Abhisek Bhattacharyya, Principal, Risk Advisory Services, Deloitte & Touche (M.E.)
 Table of Contents

1 – Introduction to GRC

2 – GRC Technology Solution Overview

3 – GRC Products/Vendors Overview

© 2019 Deloitte & Touche (M.E.). All rights reserved 2

Introduction to GRC

© 2019 Deloitte & Touche (M.E.). 3

 GRC Overview

What could GRC mean to an Organization?

Governance is the culture, policies, Risk (management) is the coordinated Compliance is the act of
processes, laws, and institutions set of activities to direct and control an adhering to, and demonstrating
that define the structure by which organization
What could GRC meanto realize
to anopportunities
organizationwhile adherence to, external laws and
companies and functions are managing negative events. regulations as well as corporate
directed and managed. policies and procedures.

GRC Program Pillars

GOVERNANCE RISK MANAGEMENT COMPLIANCE

• Identify external laws, rules & • Align and adapt risk • Define obligation /
regulations that guide the management program to requirements
conduct of the organization organization's business model
Program Elements

• Develop and implement

and company culture
• Internal policies and controls, processes and
procedures to ensure • Identify, analyze and evaluate programs to ensure
compliance with external internal and external risks compliance with requirements
requirements and desired
• Prioritize and optimize risk • Audit against controls and
organization objectives
portfolio and risk treatments processes to measure
• Enable the boards and • Continuously monitor, effectiveness of
management teams to implementation
measure and adapt risk
understand current risk and
management program • Monitor and measure
regulatory land scape compliance programs and
adapt to changing conditions
Technology Platform - Enables and Automate GRC
© 2019 Deloitte & Touche (M.E.). 4
 Risk as a driver for GRC Technology
Internal Audit
Operational Risk
Inconsistent view of the
auditable entities across Misalignment between
Technology Risk the organization and other operational risk Regulatory Risk
assurance functions management and
Scale and lack of integration Demonstrating compliance
business strategy
between cyber risk and in a highly complex and
Decentralized resource
compliance activities constantly changing
allocation hinders Lack of centralized,
regulatory environment
appropriate planning and meaningful, value-driven
Inconsistent methodology
efficient audit assignment data analysis and
for risk evaluation Inconsistent identification
reporting
and mapping of operational
Multiple repositories and
Lack of robust incident and reputational risks to
organizational systems in Too much time spent on
response capabilities owners
use across the enterprise risk administration
with no communication instead of risk
Reactive monitoring and Limited resources and
or linkage capabilities management
integration of technology risk time to allocate to issue
between them
management
Lack of integrated view of
Misaligned cybersecurity
Duplication of effort to risks and loss events
expectations between Lack of transparent end-
address findings common hinders risk performance
business stakeholders to-end insights on key
across auditable entities assessment
risks combined with
due to an inability to
Lack of consolidation and inconsistent risk rating
effectively aggregate Disconnect between risk
coordination of cyber risk across functions
information appetite, the operational
management activities
risk framework, and
across the organization. Inconsistent risk
Inefficient, manual, and other assurance functions
aggregation between
time-consuming issue
governance forums
follow-up processes
hinder issue resolution
and action planning

© 2019 Deloitte & Touche (M.E.). 5

 Enablers for GRC Technology

GRC Enablers GRC Use Cases

Internal Audit

Enterprise Risk
Management
Operational Risk
Management
IT Risk Management

Compliance Management

Advanced Continuous
Controls Monitoring

Business Resiliency

Third Party & Vendor

Risk Management

© 2019 Deloitte & Touche (M.E.). 6

 Internal Audit/CAE AT THE CENTER OF GRC LEADERSHIP

CONVERSATION WITH THE AC & BOARD: “HOW CAN I HELP

KEY ASKS FOR CAE YOU GAIN TRANSPARENCY USING STANDARD, MEASURABLE
PROCESSES?”

Articulate to the Audit Committee and Board why CONVERSATION WITH THE CEO: “HOW CAN I HELP YOU PLAN
having a clear and conformed view of risk, including BY PROVIDING OBJECTIVE, MEASURABLE ASSURANCE ON THE GRC
compliance risks, across the enterprise is critical to CAPABILITY?”
defining and achieving strategic objectives
CONVERSATION WITH THE CFO: “HOW CAN I HELP YOU GROW
Assist the Chief Executive Officer (CEO) in finding AND PROTECT VALUE THROUGH AN INTEGRATED GRC
opportunities and preventing adverse effects from FRAMEWORK?”
identified risks

Influence other key functional executives to support CONVERSATION WITH THE CECO: “HOW CAN I HELP YOU
Internal Audit’s role in GRC strategy and the DEFINE AND IMPROVE THE USE OF METRICS AND OTHER ONGOING
organization’s achievement of business objectives. MEASUREMENT TOOLS?”
Especially key is having critical conversations with
the: CONVERSATION WITH THE CRO: “HOW CAN I HELP YOU DRIVE
• Chief Finance Officer (CFO) ENTERPRISE RISK MANAGEMENT THROUGHOUT THE
• Chief Ethics and Compliance Officer (CECO) ORGANIZATION?”
• Chief Risk Officer (CRO)
• Chief Information Officer (CIO)
CONVERSATION WITH THE CIO: “HOW CAN I HELP YOU
IMPROVE THE IT INFRASTRUCTURE FOR GRC?”

© 2019 Deloitte & Touche (M.E.). 7

GRC Technology Solution Overview

© 2019 Deloitte & Touche (M.E.). 8

 GRC Technology Solution – Market Direction

Traditional GRC approach Emerging GRC Trends

Use of spreadsheets to track regulatory compliance.  Analytic tools to measure and monitor risk management
No centralized means of tracking risks. processes.

Lack of consistent reporting around risk & compliance  Best-in-class vendor solutions to replace GRC modules.
initiatives.  GRC platforms integrated with other best-in-class solutions
Lack of accountability for risks and controls. and analytics tools to provide common reporting and holistic
view of the business environment.
Lack of automation to improve efficiency and data collection.

GRC solution types

A significant amount of
organizations still depend on But more organizations are
spreadsheets and office now using either stand-alone
automation for GRC or integrated vendor
programs. platforms indicating a shift
towards more consolidation.

© 2019 Deloitte & Touche (M.E.). 9

 GRC Technology Solution - Common Architecture

Compliance Enterprise Risk Operational Risk Audit

Common GRC
modules Third Party / Business
IT Risk Vendor Risk Financial Controls
Resiliency

GRC Risk & Incident &

Policy Remediation
elements control self Issues
management planning
assessment management

Risk & control Business

content processes

Core GRC Content Workflow Reporting Database

capabilities

© 2019 Deloitte & Touche (M.E.). 10

 GRC Technology Solution – Core Capabilities

Application builder
User experience
Build applications to meet business
Ease of end-user adoption
requirements

Integration Reports and dashboards

Seamlessly integrate cross- GRC Core Gain a real-time actionable
departmental systems Capabilities reports and graphical dashboards

Content & Access control

Document Management Enforce access controls at the
Storage of content and system or field level
documents

Workflows & Notifications

Enables business processes workflow
approvals

RPA Friendly or RPA AI & Cognitive Thinking Analytics ‘Driven’

‘Enabled’ ‘Embedded’
© 2019 Deloitte & Touche (M.E.). 11
GRC Technology for Audit Management

Key Roles Functional Architecture (How Audit Management Solution Works)

 Chief Audit Executive (CAE) or

Internal audit Director (IAD)
 Audit Committee
 Internal audit managers
 Lead auditor
 Internal auditor
 External auditor

Process High Level Summary

 Audit Management Team completes

pre-audit activities:
Create the Audit Entity in the
system by scopes the entity
based on associated Business
Processes, Applications,
Devices, and Facilities. Assign
audit and business ownership to
each audit entity

Create the Audit Plan in the

system , define start date and
end date i.e. reviewers and
approvers

Set-up the Program and

procedure library in the
system

 Audit Management team defines a

Plan Entity by linking it to the Audit
Entity and Audit Plan
 Audit user creates the Audit
Engagement and selects the in
scope audit programs
 The audit user completes work
papers generated by the system

© 2019 Deloitte & Touche (M.E.). 12

 Key Benefits of GRC Technology

Single repository of regulations to comply to by entity.

Automate assessment and remediation processes

Automated monitoring sensitive controls, data and transactions within IT, finance and
operations

Full audit record of automated policy distribution and user acknowledgement through mobile
applications

Comprehensive reporting capabilities related to compliance levels and risk exposure by

business unit

Document risk mitigation, prioritize & track responses

Workflow driven collaborative risk assessment for prioritization of actions & central planning
dashboard
© 2019 Deloitte & Touche (M.E.). 13
GRC Products/Vendors Overview

© 2019 Deloitte & Touche (M.E.). 14

 Sample ME GRC Vendors – Summary of Offerings

Thomson
Archer SAP GRC Oracle GRC MetricStream BWise
Reuters

Audit Management

Compliance Management

Enterprise Risk
Management

Operational Risk
Management

IT Risk Management
including Cyber Security

Advanced Financial
Controls Monitoring

Business Resiliency

Legend

Module offered by vendor in Module may not be out-of- Module not offered by
out-of-the-box solution the-box but consolidated vendor out-of-the-box
with other modules

© 2019 Deloitte & Touche (M.E.). 15

 Advanced Controls Monitoring Driven GRC Solution – SAP as an example

SAP Access Control

© 2019 Deloitte & Touche (M.E.). 16

 Enterprise GRC - RSA Archer GRC as an example

RSA Archer
RSA Archer RSA Archer
Enterprise &
Audit Management Business Resiliency
Operational Risk Management
Transform your internal audit function Automate business continuity and disaster
from reactive and compliance focused to recovery planning and execution to Gain a clear, consolidated view of risk
become a proactive and strategic enabler protect your organization from crisis across your business by aggregating
of the business. events. disparate risk information in one central
solution.

RSA Archer RSA Archer

RSA Archer Third
IT & Security Regulatory & Corporate
Party Governance
Risk Management Compliance Management
Get an accurate picture of third-party risk
Compile a complete picture of technology- Establish a sustainable, repeatable and while managing and monitoring the
and security-related risks and understand auditable regulatory compliance program performance of third-party relationships
their financial impact to improve decision- by consolidating information from multiple and engagements.
making. regulatory bodies.

© 2019 Deloitte & Touche (M.E.). 17

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member
firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as
“Deloitte Global”) does not provide services to clients. Deloitte & Touche (M.E.) is a member firm of DTTL and is a leading professional services firm
established in the Middle East region with uninterrupted presence since 1926, providing audit, tax, consulting, and financial advisory services
through 26 offices in 15 countries with more than 3,300 partners, directors and staff.

Copyright © 2018 Deloitte & Touche (M.E.). All rights reserved.