Transcription of GRC Strategy Services - EY
GRC Strategy Services

Implementing a GRC program

Implementing a comprehensive and innovative governance, risk, and compliance (GRC) program enables organizations to address the multiple factors that are essential in managing and controlling enterprise risk. This includes factors such as:

- Regulatory changes
- Fragmented risk and compliance functions
- Decentralized operating model
- Ineffective use of ERP and GRC
- High number of control failures
- Process standardization
- Talent management changes
- Cost reduction

By adopting an effective GRC strategy, executives and risk leaders are able to challenge the way they think about, respond to, and manage risk.

Defining GRC

GRC is a set of functions that oversees and manages risks and compliance across the organization to reliably meet company objectives. It is not just about tools and technology.

GRC "One View"

All risk and compliance areas. Reporting | Dashboards | KPIs.

- Governance: Control functions*, Policy management, Governing bodies
- Risk: Risk analysis, risk assessments, risk register, loss and incident database
- Compliance: Requirement management, control testing, findings and exceptions, evidence management

Value to clients

- Resolution of immediate and long-term risk exposure
- Improved risk alignment and event response time
- Agile and scalable control environment

EY helps you understand the risks related to your business strategy and how to best respond to those risks. Our tailored approach to GRC integrates risk and performance management in order to create a competitive advantage in terms of risk insight and performance improvement.

EY GRC Framework: EY's GRC framework takes into account our clients' risk strategy based on business objectives, risk tolerance and treatment, investments and operating model to determine the overarching risk landscape and strategic enablers (people, process, and technology).
3 This holistic approach creates a structure to readily respond to new Cost reduction risk, compliance, and regulatory needs. Consistent Data | Evaluation Methods | Taxonomy | Technology in internal and external risk * Control functions can include Compliance, Internal Audit, Enterprise Risk Management activities, The components of GRC EY GRC framework details including monitoring Strategic alignment and risk Domain Component Sub component Domain Component Sub component and governance , risk management Strategic governance Vision, mission and Strategy for corporate GRC program Risk and Process, risk Determine applicable regulatory, leading practices and internal requirements remediation and compliance governance and Strategy alignment and risk and Strategy Corporate oversight structure for GRC program controls establishment and control definition.
4 Identify and inventory organizational processes Development of specific risks and link to the processes Enterprise risk management Reduction in domains management Enterprise Define risk management methodology, definitions, and and adoption Identification of controls Business drivers and regulatory risk tolerances and process management Mapping of processes, risk, controls and regulations into a coordinated requirements management Perform risk identification and assessment framework disruption to Consolidate and standardize risk and assurance activities across functions Program structure and guidelines Define risk treatment processes (risk acceptance and remediation) the business Define Key risk indicators (KRI) and Key Performance Management Risk assessments Organization Policies and standards Indicators (KPI) of risks and controls.
5 Compliance testing Aggregation of observations and findings Improved Business Alignment between business objectives and GRC.. Findings management including risk response and prioritization Maintenance of process, risk and control framework for regulatory, business Risk and controls establishment and management drivers and regulatory . program Key legal and regulatory requirements organizational or process changes performance Process, risk and control definition and adoption requirements Tools and GRC tools and technology plan and innovation technology Technology ownership and support Managing processes, risks and controls Program Organization Organization structure and associated roles, Existing tools and GRC technology functionality via value.
6 Tools and technology governance and . responsibilities and accountabilities Training and skills development Monitoring and Periodic Define risk and compliance program reporting needs and cadence based risk organization Communication and awareness reporting reporting Develop reporting processes for risk and compliance, as well as consolidation management Monitoring and reporting Policies and Define Policy Management program Continuous Identify metrics and dashboards needed for risk and compliance monitoring Compliance monitoring and reporting standards Define process for Policy review monitoring Develop processes for metrics collection, monitoring, trend analysis and Risk monitoring and reporting Process for policy and standards availability.
7 Dashboards communication and enforcement across the organization GRC maturity model A high level GRC roadmap Integrates people, process, and technology Illustrative example Who we are John McLain Leverage GRC for specific events or situations Stabilize Optimize Enhance and Value: Principal, Government and Business/IT process and controls monitoring and testing sustain Public Sector Vulnerability testing, access control and segregation of duties Establish Begin GRC Resolution of immediate GRC governance technology and long term risk Cell: +1 410 300 2748. Data analytics and information management activities Continue GRC. point implementation exposure Off: +1 703 747 1198. Complete technology solutions control Pilot key implementation Improved risk alignment Design and deliver specific GRC functions/process rationalization/ elements of the Integrate with and event response time Compliance function enhancement optimization solution other functions Agile and scalable control Joe Quinn GRC.
8 LA process/technology transformation Agree on long Automate and environment Senior Manager Analytics enablement and fraud monitoring Cell: +1 202 257 5518. functional term road map control organizations Cost reduction in internal Process improvement/automation ( , Financial close Off: +1 703 747 0898. transformation reconciliation) and identify execution and Implement and external risk "quick wins" monitoring sustainability activities, including Develop an enterprise wide GRC program monitoring and Define business Deploy program supporting strategic vision and objectives remediation Zane Williams requirements continuous GRC Risk management integration initiatives Select GRC monitoring Reduction in disruption to Senior Manager enterprise Risk and controls transformation initiatives technology the business Cell: +1 914 439 6834.
9 Transformation Driver based performance management solution(s) Improved business Off: +1 212 773 8658. integration Business intelligence integration performance and Enabled by GRC technology innovation via value . Continuous monitoring based risk management Garo Nalabandian Enabled by change and benefits management Senior Advisor Cell: +1 301 675 6049. Off: +1 703 747 0616.

Improving Business Performance through GRC

Opportunities exist to transform your governance, risk and compliance program to realize cost savings and improve mission and business performance.

Leading Federal agencies have achieved successful results by focusing on:

- Shifting risk management focus to a cross-functional approach aligned to strategic risks and business performance measures
- Standardizing GRC processes to enhance decision making and avoid unnecessary costs

Call for action (Yes / No)

- Do you have a comprehensive risk vision and strategy?
- Have your risk vision and strategy addressed the three main risks: external, strategic and preventable?
- Does your senior management have confidence that you understand their risk vision and appetite?
- Have you established your risk appetite and tolerance for strategic risk events that could provide upward or downward potential to the mission or business operations?
- Do you have visibility into the risk coverage of the organization?
- Are you confident that there are no gaps in risk coverage and that they have visibility into how issues roll up and impact the strategic mission or business risks?

Credentials of our work

- We know your people, environment, processes, and technology.
- We have an established and tested set of processes and protocols for working with you on GRC.
- We can continue to identify efficiencies through multi-purpose risk and controls evaluations.
- We utilize existing team members along with Government and Public Sector subject matter resources with