[Diagram: the Data, Information, Knowledge, Wisdom (AI) hierarchy mapped to resources of the organization. Database Management System (data as resource): technology (SQL Server, Oracle), process (Business Process Modeler, ERP; Business Process Management), governance (organization structure and policies), people (change management). Knowledge Management System (knowledge as resource): technology (Microsoft SharePoint), process, governance, people. Artificial Intelligence System (wisdom as resource): technology, process.]
When reviewed as individual GRC areas, the three most common individual headings are considered to be Financial GRC, IT GRC, and Legal GRC.
1. Financial GRC relates to the activities that are intended to ensure the correct operation of all financial processes, as well as compliance with any finance-related mandates.
2. Legal GRC focuses on tying together all three components via an organization's legal department and chief compliance officer.
3. IT GRC relates to the activities intended to ensure that the IT (Information Technology) organization supports the current and future needs of the business and complies with all IT-related mandates.
4. HR GRC
5. Operation GRC
[Diagram: IT Governance (COBIT 5, COBIT 2019, or ISO/IEC 38500) and IT Risk Management (COBIT 5 for Risk IT) positioned under Enterprise Risk Management (COSO ERM 2017 or ISO 31000), with IT Management alongside IT Governance.]
IT Governance
• Primarily concerned with facilitating (strategic) decision making
• Organization specific and cannot be delegated to the market
IT Management
• More focused on the operational excellence of the IT function
• Focused on the effective and efficient internal supply of IT services and products
• Focused on the management of present IT operations
• Elements can be commissioned to an external provider
Fully engage the executive leadership team of the company in each step of
the I.T. Alignment process:
Step 1: Get a list of the strategic goals of the company
Step 2: Get a list of the strategic business initiatives that each CXO proposes
to help achieve the stated strategic business goals
Step 3: Brainstorm to find hidden opportunities for IT to help accomplish the
goals and initiatives from Steps 1 & 2
Step 4: Prioritize and select the winners from the suggestions and then
redeploy IT resources to develop them
Step 5: Plan for, institute and execute a serious post project audit policy.
[Diagram: the risk landscape spanning country, individual, family/group/community and organizations (people and culture). GRC (OCEG Framework) is shown beside ERM (COSO ERM). GRC branches into Financial GRC (Basel I, II, III), IT GRC (COBIT 5) and Legal GRC; ERM branches into Strategic Risk Management, Tactical Risk Management and Operational Risk Management. IT GRC is further divided into IT Governance, IT Risk Management (COBIT 5 for Risk IT) and IT Compliance.]
• The Risk Management Association (RMA) ERM Definition: “the management capability to
manage all business risks in pursuit of acceptable returns.” According to RMA:
• Enterprise Risk Management, essential for any financial institution, encompasses all
relevant risks.
• An ERM framework supports management competency to manage risks well,
comprehensively, and with an understanding of the interrelationship/correlation
among various risks.
• The successful institution incorporates a robust ERM capability as part of its culture by
integrating what already exists to create a comprehensive and integrated view of the
institution’s risk profile in the context of its business strategy.
▪ The numbers show that corporations around the world are recognizing risk
management as a priority and moving toward integrated ERM
▪ As a management framework, ERM has been more widely adopted than other
management frameworks (e.g., reengineering, balanced scorecard, total quality
management)
▪ Outside the financial sector, it’s a different story, however. A 2012 paper produced
by McKinsey & Company pointed out that, unlike financial institutions, most
corporates still do not have a CRO, leaving the de facto role of risk manager to the
CFO.
▪ With ERM’s role increasing within organizations and across industries, the roles of
the board and upper management have to adapt. Certainly, the CRO bears the brunt
of this change, but the CEO, CFO, and board of directors all find that ERM is taking a
more prominent position in their priorities.
▪ ERM is providing value for a large number of corporations despite its current
challenges.
▪ In less than a decade, risk management has risen to the top of corporate agendas
for senior management and the board across all industry sectors.
• The world of risk management fundamentally changed in late 2007 with the onset of the
global financial crisis. Longstanding financial institutions such as Lehman Brothers and
Washington Mutual were left to fail, while many other banks and non-banks received
bailouts from nervous national governments around the world.
• It was clear that excessive debt and fatally compounded risks were the primary drivers of
the crisis. What’s more, a relatively strong global economy had disguised the fact that
many institutions were betting on unsustainable levels of growth in pursuit of greater
market share and increased profitability.
• The economic landscape that emerged following the Great Recession was vastly different
from what existed prior to the 2007–2008 period.
• Regulators demanded that banking institutions increase capital and liquidity reserves,
enhance transparency, curb risk appetite, and tighten controls.
• In all, seven fundamental trends emerged after the financial crisis that together
have shaped the practice of risk management for the past decade:
1. Much stricter compliance requirements
2. Increased board-level risk oversight
3. Greater risk management independence
4. Focus on enterprise-wide risk management
5. Improved board and management reporting
6. Creation of objective feedback loops
7. Better incentive compensation systems
▪ The Open Compliance and Ethics Group (OCEG) has published one of the most comprehensive GRC definitions. https://www.oceg.org/, https://go.oceg.org/grc-capability-model-red-book
▪ There are many GRC solutions on the market. IBM OpenPages GRC Platform,
MetricStream and Rsam's Enterprise GRC are a few examples of highly rated
solutions.
▪ ISACA website
▪ COSO website
• IT Governance
(3) Cybersecurity