
TRANSFORMING GRC INTO A GROWTH ENABLER – BANKING, FINANCIAL SERVICES AND INSURANCE PERSPECTIVE
PRESENTERS

AKHENATON MARCANO, HEAD, OPERATIONAL RISK, FIRST CITIZENS BANK OF TRINIDAD AND TOBAGO
TOM HARPER, EXECUTIVE VICE PRESIDENT AND GENERAL AUDITOR, FEDERAL HOME LOAN BANK OF CHICAGO
YO DELMAR, VP GRC SOLUTIONS, METRICSTREAM
Housekeeping
• Download slides at https://go.oceg.org/transforming-grc-into-a-growth-enabler-bfsi-s-perspective
• Answer all 3 polls
• Certificates of completion
(only for OCEG All Access Pass holders)
• Evaluation survey at the close of the webinar
• Find the recording on the Resource tab of the OCEG
site, under Archived Webinars

Learning Objectives

• Understand the latest drivers and trends in GRC
• Identify the key GRC areas on which to focus
• Understand critical success factors in implementing an integrated GRC program: challenges faced, lessons learned and industry best practices to improve business performance
• Identify ways to leverage technology to enable an effective, sustainable GRC program across the enterprise

Poll 1
Do you have an OCEG All Access Pass (a paid membership) and would you like to
receive CPE credit for this event?
a. Yes, I have an All Access Pass and I would like to receive a
Certificate of Completion for this event
b. Yes, I have an All Access Pass but I do not need a Certificate of
Completion
c. No, I do not have an All Access Pass but I would like to get one and
receive CPE credit for this and future webcasts I attend
d. No, I do not have an All Access Pass and I don’t want to buy one at this
time (so I won’t get CPE credit for this event)

DRIVERS: What Enterprises Face Today

• Expanding into new markets
• Economic / 3rd party
• New competition
• Launching non-traditional products
• Operations
• Digital customer interactions
• Data privacy
• Disruptive business models
• Shorter customer attention span
• Reputation
• New modes of interaction
• Cyber security
• Technology advancement
• Keeping pace with technology
• Technology
• Changing political environment
• Geo-politics
• Constant regulatory change
• Compliance
• Emerging regulations
TRENDS: BFSI

• Rapidly Changing Global Ecosystems: understanding the interconnectedness of risks
• Digital Risk Management: enabling digitization of business
• Risk-Informed Strategy & Performance: risk intelligence linked to business performance
• Empowering the First Line: driving risk management to the front lines
• Culture & Change Management: who carries the torch to harmonize & integrate?
• Aligning 1st, 2nd & 3rd Lines of Defense: the importance of bringing it all together
DRIVERS: GRC – A System of Intelligence

• Timely insights & reporting

• Links GRC to business performance

• Proactively identify gaps, provide recommendations

• A holistic view for all stakeholders

→ Growth Enabler
DRIVERS: Intelligent, Risk Based Decisions

Compliance Risks. Operational Risks. Regulatory Risks. IT Risks…

• Data Aggregation, Reporting & MIS: What happened? Why did it happen? (historical data analysis and causal exploration)
• Real-time Reporting & Early Warning: What is happening? What is likely to happen? (forecasting over diverse GRC data sets)
• Prescriptive Recommendations based on Scenario Analysis: What has to be done?
TRENDS: GRC where the users are

TRENDS: What's Coming? ...For Improving Business Decisions

• Predict risks with AI
• Understand the unknown
• Draw insights for business decisions
Poll 2
Is your organization using GRC to gain efficiencies and drive growth?

a. No, we are not using a GRC Platform

b. Partially, for example, we’ve increased efficiencies for the business

c. Yes, without our GRC platform we would not have supported a strategic goal

d. Yes, we align our GRC program to support our organization’s strategic and growth objectives

Key Areas in GRC to Focus on
Challenges
What’s the Research Saying?
WHAT TO FOCUS ON: Role & Alignment

• Board of Directors: risk-aware decision making; visibility and accountability into the risk profile
• Chief Executive Officer: revenue-optimizing risk strategies
• Audit Committee
• Business Heads: understand risk impact on business decisions
• Chief Financial Officer: reduce earnings volatility while reducing cost
• Chief Operating Officer: risk-weighted process & resource optimization
• Chief Information Officer: align digital business strategy to drive corporate objectives
• Chief Information Security Officer: defend the extended enterprise from external and internal, digital and emerging threats
• Chief Compliance Officer: protecting regulatory and corporate integrity
• Chief Risk Officer: protecting the brand and creating opportunities
• Chief Audit Executive: serve as the final line of defense and be at the strategy table of the company

* This is an indicative organizational hierarchy only. Actual organizational hierarchies and reporting structures will vary from business to business
WHAT TO FOCUS ON: Business Value

• CCO: driving a culture of compliance and integrity
• CRO: guiding the business towards risk-reward optimized decisions
• CAE: enabling better assurance and insight
• CISO: preserving digital integrity and corporate reputations

Reported gains:
• 67% improvement in risk metrics tracking
• 15x improvement in risk reporting visibility and efficiency for the executive management and board
• 50% reduction in the cost of audit follow-ups
• 55% reduction in the time taken to create and update policies
• 50% fewer compliance issues
• 90% reduction in audit review time
WHAT TO FOCUS ON: A Single System Ensuring Uniformity
Relational Data Objects with a Federated Architecture

• Many-to-many relationships between multiple data objects
• Reduced redundancy and improved accountability due to defined relationships
• Data objects stored in structured libraries with ease of access

Data objects shown: BU/FU, Country/Region, Legal Entity, Organization, Regulatory Body, Objectives, Area of Compliance, Risk, Control, Standard, Requirement, Regulatory Development, Process, Evidence, Product, Function, Asset Class, Financial Account, Asset, Exception, Framework Reference, Document Reference
An Example – Between Compliance & Risk

• Example of relationships across the compliance and risk universe driving latent synergies across functional units

Data objects shown: Regions, Countries, Lines of Business, Legal Entities, Sub-lines of Business, Regulatory Body, Area of Compliance, Risk, Control, Standard, Question / Procedure, Requirement, Process, Regulatory Development, Product / Service, Function, Asset Class, Metrics, Asset, Loss, Framework Reference, Policy

Legend:
• Common Data Libraries across Compliance and Risk Universe
• Data Libraries of Compliance Universe Associated with the Risk Universe
• Data Libraries of Risk Universe Associated with the Compliance Universe

GRC domains: Risk, Compliance, IT Risk and Cyber, Audit, Third Party Governance
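The two slides above describe a relational model in which Compliance (regulatory requirements) and Risk share one Control library through many-to-many relationships, so that a control tested once serves both universes and gaps become visible as missing links. The following is an added example, not code from the deck or from MetricStream's platform: a minimal version of that model in an in-memory SQLite database. All table names, identifiers (REQ-1, CTL-1, RSK-1, ...) and records are constructed for illustration; the queries show the three checks a practitioner would want from such a model (requirements with no control, controls with no evidence, and controls shared by both universes).

```python
"""Added example, not from the OCEG/MetricStream deck: a minimal relational
GRC data model in which Compliance (regulatory requirements) and Risk share
one Control library, linked through many-to-many tables, so that a single
tested control can satisfy several requirements and mitigate several risks.
All table names, identifiers and records are constructed for illustration."""
import sqlite3

# Object libraries (reduced to the columns the queries need) and the link
# tables that hold the many-to-many relationships between them.
SCHEMA = """
PRAGMA foreign_keys = ON;
CREATE TABLE requirement (id TEXT PRIMARY KEY, regulatory_body TEXT, text TEXT);
CREATE TABLE risk        (id TEXT PRIMARY KEY, area TEXT, text TEXT);
CREATE TABLE control     (id TEXT PRIMARY KEY, text TEXT);
CREATE TABLE evidence    (id TEXT PRIMARY KEY,
                          control_id TEXT NOT NULL REFERENCES control(id),
                          text TEXT);
CREATE TABLE req_control (requirement_id TEXT NOT NULL REFERENCES requirement(id),
                          control_id     TEXT NOT NULL REFERENCES control(id),
                          PRIMARY KEY (requirement_id, control_id));
CREATE TABLE risk_control (risk_id    TEXT NOT NULL REFERENCES risk(id),
                           control_id TEXT NOT NULL REFERENCES control(id),
                           PRIMARY KEY (risk_id, control_id));
"""

# Constructed sample records. REQ-3 deliberately has no control mapped to it
# and CTL-3 deliberately has no evidence, so the gap queries below find them.
REQUIREMENTS = [
    ("REQ-1", "Regulator A", "Encrypt customer data at rest"),
    ("REQ-2", "Regulator A", "Review privileged access quarterly"),
    ("REQ-3", "Regulator B", "Report security incidents within 72 hours"),
]
RISKS = [
    ("RSK-1", "IT Risk", "Unauthorized access to customer data"),
    ("RSK-2", "Operational Risk", "Delayed incident escalation"),
]
CONTROLS = [
    ("CTL-1", "Disk encryption enabled on customer data stores"),
    ("CTL-2", "Quarterly privileged access review with sign-off"),
    ("CTL-3", "Incident escalation runbook exercised"),
]
EVIDENCE = [
    ("EV-1", "CTL-1", "Encryption configuration export, reviewed"),
    ("EV-2", "CTL-2", "Q1 access review sign-off"),
]
REQ_CONTROL = [("REQ-1", "CTL-1"), ("REQ-2", "CTL-2")]
RISK_CONTROL = [("RSK-1", "CTL-1"), ("RSK-1", "CTL-2"), ("RSK-2", "CTL-3")]


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO requirement VALUES (?, ?, ?)", REQUIREMENTS)
    conn.executemany("INSERT INTO risk VALUES (?, ?, ?)", RISKS)
    conn.executemany("INSERT INTO control VALUES (?, ?)", CONTROLS)
    conn.executemany("INSERT INTO evidence VALUES (?, ?, ?)", EVIDENCE)
    conn.executemany("INSERT INTO req_control VALUES (?, ?)", REQ_CONTROL)
    conn.executemany("INSERT INTO risk_control VALUES (?, ?)", RISK_CONTROL)
    conn.commit()
    return conn


def _column(conn, sql, params=()):
    """Return the first column of a query as a list."""
    return [row[0] for row in conn.execute(sql, params)]


def uncontrolled_requirements(conn):
    """Compliance gap: requirements that no control is mapped to."""
    return _column(conn, """
        SELECT r.id FROM requirement r
        LEFT JOIN req_control rc ON rc.requirement_id = r.id
        WHERE rc.control_id IS NULL ORDER BY r.id""")


def untested_controls(conn):
    """Assurance gap: controls with no evidence attached."""
    return _column(conn, """
        SELECT c.id FROM control c
        LEFT JOIN evidence e ON e.control_id = c.id
        WHERE e.id IS NULL ORDER BY c.id""")


def shared_controls(conn):
    """Controls referenced from both universes: the 'latent synergy' the
    slide describes, since testing them once serves compliance and risk."""
    return _column(conn, """
        SELECT DISTINCT c.id FROM control c
        JOIN req_control rc ON rc.control_id = c.id
        JOIN risk_control kc ON kc.control_id = c.id
        ORDER BY c.id""")


def requirements_covered_by_risk_controls(conn, risk_id):
    """Risk-to-compliance traversal: which regulatory requirements are
    satisfied by the controls that mitigate the given risk."""
    return _column(conn, """
        SELECT DISTINCT rc.requirement_id FROM risk_control kc
        JOIN req_control rc ON rc.control_id = kc.control_id
        WHERE kc.risk_id = ? ORDER BY rc.requirement_id""", (risk_id,))


if __name__ == "__main__":
    db = build_db()
    print("requirements without a control:", uncontrolled_requirements(db))
    print("controls without evidence:", untested_controls(db))
    print("controls shared by both universes:", shared_controls(db))
    print("requirements covered via RSK-1:",
          requirements_covered_by_risk_controls(db, "RSK-1"))
```

The point of the link tables is that a control is stored once and referenced from both sides; the queries traverse those links rather than duplicating control text under each requirement, which is where the "reduced redundancy" and "defined relationships" on the slide come from in practice.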
POLL 3
Has your GRC Platform yielded anticipated benefits?

a. No, we are not using a GRC Platform

b. Partially, but we did not develop a business case

c. Yes, as we roll out our GRC initiatives, we achieve most benefits as anticipated

d. Yes, as we roll out our GRC initiatives, we continuously improve and are overachieving benefits
Critical success factors in implementing an integrated GRC program: lessons learned and industry best practices to improve business performance
LESSONS LEARNED - Best Practices - 7 Steps

1. Business Value and CSFs: Driving the Right Priorities. Understand organizational strategic imperatives and priorities as well as expectations of how and when business value will be achieved.
2. Maturity and Readiness: Sequencing for Value. Rate the maturity and readiness of each target business unit or group and sequence rollout priority based on value to be achieved and ability to get ready.
3. Rollout Scope: Prioritizing Use Cases with Lines of Defense. For each business unit, and each use case, scope the activities that will be completed by each line of defense.
4. Effective Rollout Plans: Leveraging Champions. Map out the rollout milestones and activities, from general sessions to testing, specific training and communication, with involvement from champions.
5. Organization Change Management: Being Proactive. Understand what roles and job functions will change and how individuals will be impacted, retrained or redeployed.
6. Communications: Celebrating Successful Adoption. Define the communications plan for each rollout group, with executive sponsor and champion involvement, and sentiment surveys.
7. Continuous Improvement: Agile Value Attainment. For each rollout initiative, assess the effectiveness of adoption, areas for improvement and agile business value achievement.
LESSONS LEARNED - by Step

1. Institutional Support - Business Value and CSFs: Driving the Right Priorities
• If you don't show alignment to the strategic initiatives and the context (e.g. the application, shared information), and do not have executive endorsement actively pushing it, you will get pushback from the silos.
• Know the benefits and have all executives reinforce the value (for example, GRC 101 or a GRC Framework).
• Note that Maturity and Readiness (Step 2) may reveal an opportunity for business value that leadership is not aware of, so be flexible in your rollout plan.

2. Maturity and Readiness: Sequencing for Value
• Be flexible: eagerness to get on the system does not translate into readiness! It takes more time to design and iterate when you are trying to deploy.
• Be mindful of shared information from libraries and make sure it is actually 'capturable'. If you know where and when to go get it, the deployment will go more smoothly (example: normalization of controls).
• Sequence based on which processes are well defined. If they can't tell you what they do in a well-defined way (information on reports, approval process and contacts, for example), they aren't ready.
• If you are only 30% sure of the process, double the budget and timeline! There is an impact.

3. Rollout Scope: Prioritizing Use Cases with Lines of Defense
• Line 1 users will not get the full scope of benefits; reinforce the overall benefits for their management, leadership and the board. By getting the information right, everyone will appreciate more what you do (even if it takes more time at first before it becomes BAU).
• Get the 1st line and local perspective and terminology right. Football analogy: US vs UK, it's a different game!

4. Effective Rollout Plans: Leveraging Champions
• Beware that IT does not become 'the rollout champion'; the right people in the business need to really own this for UAT, training, change management needs, information taxonomy, etc.
• Make sure champions have the time allocated and don't get burnt out, and that they transfer their knowledge to a local person who will be the POC (region, LoB, etc.).
• Invite champions to participate in working groups, for example Libraries, Information Governance, Change Management, Future Enhancements.

5. Organization Change Management: Being Proactive
• Champions and IT need to be well enough informed to assign the appropriate level of access to roles/people and to write the security user stories (increasingly important with GDPR and other security/cyber controls). Who in the organization is going to act as Administrator and Provisioner of new users? This is a new role and requires a handshake between the business and IT.
• Identify your governance process up front and adapt (or impose!) it as you onboard each new stakeholder group.
• Create awareness and understanding of process alignment and of upstream and downstream impacts from potential changes; optimizing in one area can cause a negative impact downstream! Bring people together (who may not normally work together) to really understand this; there can be a multiplier effect, positive or negative.
• Make sure you and your users know the internal SLAs and support structure. When there is a problem or ticket, user satisfaction is tied to the speed of resolution; don't let frustration set in. Don't let perception distort app effectiveness: bad news travels faster than good news.

6. Communications: Celebrating Successful Adoption
• Adoption: make sure you are tracking real usage, adoption and incidents. You don't have success unless your end users are using the system and know where to go when they have a question or a problem.
• Reward the team! Toot your own horn! Make good news travel faster and wider!
• Really listen to what your users are saying. Use the Five Whys and learn to interpret complaints for the underlying root cause.

7. Continuous Improvement: Agile Value Attainment
• Incremental improvements by tweak can have corresponding multiplier effects. "A missing horseshoe hobbles the warhorse and loses the King's battle: for want of a nail, the kingdom was lost."
• Schedule regular (at least quarterly) meetings and continue to conduct surveys and interact to see how it is working.
• Measure the value attained and continue to make incremental improvements to increase value.
• Don't take criticism personally; they may be frustrated with the change, the process or the app, not you.
Ways to leverage technology to enable an effective, sustainable GRC program across the enterprise

• MetricStream Products and Technology
TECHNOLOGY: How BFSI can benefit from a GRC Platform

Single Platform to power enterprise-wide GRC programs


» Global, federated, multi-dimensional organizational modelling
Organizations, Geographies, Legal Entities, Functions
» Federated data model for multiple GRC use cases
» Business configurability to meet unique requirements
» Industry standard security & scalability
» Embed within your enterprise technology ecosystem

Integrate the 1st, 2nd, and 3rd lines of defense and beyond


» Comprehensive portfolio of tightly integrated applications
» Award-winning user interface to drive engagement and adoption
» Sequence your GRC journey as per organizational requirements
TECHNOLOGY: MetricStream Products for your GRC Journey

• RISK: Enterprise Risk, Operational Risk, SOX / Financial Controls, Business Continuity
• AUDIT: Internal Audit
• REGULATORY & CORPORATE COMPLIANCE: Compliance Management, Regulatory Change, Regulatory Engagement, Policy Management, Case & Incident, Surveys
• IT & CYBER SECURITY: IT Risk, IT Compliance, Threat & Vulnerability, Policy Management, Case & Incident
• THIRD-PARTY: Vendor Risk, Third-Party Management
• QUALITY: Operational Audit, NCM & CAPA
• GRC PLATFORM: GRC Cloud, GRC Foundation, GRC Intelligence, GRC Analytics, AppStudio
Why MetricStream?

• The Partner for your GRC Journey: domain & delivery expertise; GRC Journey Program; customer community; global partner ecosystem
• Market-Leading GRC Platform: 450+ enterprise implementations across industries; award-winning user experience; recognized by Gartner, Forrester & Chartis as a market leader; built for global scale & security
• Continuous Innovation: patented technology; 250+ R&D staff; co-innovation; user experience, AI/ML
Questions?
