20/20 Workshops

GRC 20/20 provides engaging and interactive workshops to help organizations work through the components of their GRC related strategies. These workshops are delivered in both public and private formats.

  • Public workshops are open enrollment and typically hosted by a workshop sponsor.
  • Private workshops are delivered for a specific organization for their employees and stakeholders.

Current GRC 20/20 Workshops and their agendas are:

Enterprise GRC by Design Workshop

Blueprint for an Effective, Efficient & Agile Enterprise GRC Management Program

[toggle title_open=”Hide Details” title_closed=”Show Details . . . ” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Workshop Abstract:

Governance, risk management & compliance (GRC) is something an organization does and not something an organization buys. GRC, done properly, is what is achieved throughout the business and its operations. By definition, GRC is “a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].” This requires that GRC be understood in the context of enterprise strategy, objectives, architecture and processes.

Designing mature GRC processes that align with the organization requires an understanding of what the organization is about, how it operates, and how it should be monitored and controlled. This is done through defining the right GRC process, information and technology architecture. GRC by Design requires an enterprise/organization architecture approach to the organization and how it operates.

This workshop aims to provide a blueprint for attendees on effective enterprise GRC strategies in a dynamic business, regulatory, and risk environment. Attendees will learn enterprise GRC strategies and techniques that can be applied across the organization. Learning is done through lectures, collaboration with peers, and workshop tasks.

Objectives of workshop:

Attendees will take back to their organization approaches to address:

  • Enterprise GRC Strategy. Understand GRC in the context of organization performance, strategy, objectives, obligations, risks, as well as its culture and values.
  • Enterprise GRC Processes. Flowing from strategy are the enterprise GRC processes integrated into the organization and how it operates. Enterprise GRC, done correctly, is part of the rhythm and cadence of the organization.
  • Enterprise GRC Information Architecture. Defining an information architecture that enables enterprise GRC strategy and processes by providing 360° situational awareness of GRC in context of the organization strategy and operations.
  • Enterprise GRC Technology Architecture. The necessary technology components needed to bring together diverse and distributed GRC departments and functions into an integrated information and technology architecture aligned with the strategy and operations of the organization.

Benefits to attendees:

  • Understand a top-down as well as a bottom-up approach to enterprise GRC
  • Implement enterprise GRC in the context of business strategy, process, and operations
  • Explore different enterprise GRC strategy and architecture models and how they apply to your organization
  • Discover various enterprise GRC best practices and how they apply to your business
  • Develop an enterprise GRC information architecture that aligns with business operations and processes
  • Effectively communicate GRC related information across your organizations

Who should attend?

  • GRC managers and architects responsible for leading and integrating GRC strategy across different groups
  • Business managers whose job responsibilities include GRC responsibilities
  • Executives and governance personnel who have to oversee GRC
  • Audit personnel that provide assurance on the organization’s GRC practices
  • Risk management, compliance, legal, ethics, security, health and safety, project management, IT, and other personnel who are involved in enterprise GRC strategies

Typical Agenda:

Part 1: What is GRC?
Understanding GRC in the Context of the Organization
  • Different views of GRC throughout the organization
  • Who owns GRC?
  • Understanding GRC and its role in business strategy, objectives, performances, and operations
Part 2: Federated Enterprise GRC
Blueprint for Enterprise GRC Collaboration and Strategy
  • Developing a GRC committee (or herding cats), bringing together the range of GRC roles in the organization
  • Defining a GRC charter
  • Developing a collaborative and enterprise view of GRC
Part 3: GRC Capability Model
Integrated GRC Processes that Align & Support the Organization
  • LEARN: Learn about the organizational context, culture and key stakeholders to inform objectives, strategy and actions.
  • ALIGN: Align strategy with objectives, and actions with strategy, by using an effective decision-making approach that addresses values, opportunities, threats, and requirements.
  • PERFORM: Perform actions that promote and reward things that are desirable, prevent and remediate things that are undesirable, and detect when something happens as soon as possible.
  • REVIEW: Review the design and operating effectiveness of the strategy and actions, as well as the ongoing appropriateness of objectives to improve the organization.
Part 4: GRC Information & Technology Architecture
Providing an Integrated View of GRC to the Enterprise Without Losing Value to the Department
  • Understanding the interrelationship of GRC information
  • Developing a GRC ontology and taxonomy
  • How technology enables a GRC strategy and processes
  • GRC platform or GRC architecture?

[/toggle]

Compliance Management by Design Workshop

Blueprint for an Effective, Efficient & Agile Compliance Management Program

[toggle title_open=”Hide Details” title_closed=”Show Details . . . ” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Workshop Abstract:

Compliance is not easy. Organizations across industries have global clients, partners, and business operations. The larger the organization the more complex its operations. Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes by the minute. New employees come, others leave, roles change. New business partner relationships are established, others terminated. The business enters new markets, opens new facilities, contracts with agents, or introduces new products. New laws are introduced, regulations change, the risk environment shifts (e.g., economic, geo-political, operational), impacting how business is conducted. The dynamic and global nature of business is particularly challenging to compliance management. What may seem insignificant in one area can have profound impact on others.

Compliance obligations and ethical risk are like the hydra in mythology—organizations combat risk, only to find more risk springing up. Executives react to changing compliance requirements and fluctuating legal and ethical exposure, yet fail to actively manage and understand the interrelationship of risk and compliance. To maintain compliance and mitigate risk exposure, an organization must stay on top of changing regulatory requirements as well as a changing business environment, and ensure changes are in sync. Demands from governments, the public, business partners, and clients require your organization to implement defined compliance practices that are monitored and adapted to the demands of a changing business and regulatory environment.

Compliance activities managed in silos often lead to the inevitable failure of an organization’s governance, risk management, and compliance (GRC) program. Reactive, document-centric, siloed information and processes fail to manage compliance, leaving stakeholders blind to the intricate relationships of compliance risk across the business. Management is not thinking about how compliance and risk management processes can provide greater insight. This ad hoc approach results in poor visibility across the organization and its control environment.

Yesterday’s compliance program no longer works. Boards desire a deeper understanding of how the organization is addressing compliance risk, whether its activities are effective, and how they are enhancing shareholder value. Oversight demands are changing the role of the compliance department to an active, independent program that can manage and monitor compliance risk from the top down. The breadth and depth of compliance risk bearing down on companies today requires a robust compliance program operating in the context of integrated enterprise risk management.

This workshop aims to provide a blueprint for attendees on effective compliance management in a dynamic business, regulatory, and risk environment. Attendees will learn compliance management governance and process that can be applied across the organization at either an enterprise or a department level. Learning is done through lectures, collaboration with peers, and workshop tasks.

Objectives of workshop:

Attendees will take back to their organization approaches to address:

  • Effectively manage compliance
  • Understand the challenges and pitfalls of managing compliance
  • Achieve success by capitalizing on agility while maintaining compliance
  • Facilitate ongoing monitoring of compliance
  • Define a compliance management lifecycle for managing and monitoring compliance
  • Establish compliance management ownership and accountability
  • Provide compliance management process consistency
  • Communicate effectively with employees and stakeholders on matters of compliance
  • Track critical compliance workflow and tasks
  • Deliver effective compliance governance and assurance to the board of directors, regulators, and stakeholders
  • Monitor metrics to establish the effectiveness of compliance management
  • Identify and resolve compliance issues

Benefits to attendees:

  • Understand a top-down as well as a bottom-up approach to compliance management
  • Implement compliance management in the context of business strategy, process, and operations
  • Explore compliance management architecture models and how they apply to your organization
  • Discover various compliance assessment and monitoring techniques and how they apply to your business
  • Develop a compliance information architecture that aligns with business operations and processes
  • Effectively communicate and gather attestation on compliance across your organizations

Who should attend?

  • Ethics & Compliance Professionals
  • Risk Management Professionals
  • IT Security Professionals
  • Legal Professionals
  • Environmental, Health & Safety Professionals
  • Corporate Social Responsibility & Accountability Professionals
  • Audit Professionals
  • Individuals with compliance management, ownership, or oversight responsibilities

Typical Agenda:

Part 1: Compliance Management by Design

Why Compliance Management Matters

  • Compliance in Disarray: how organizations mismanage compliance
  • Compliance Exposure: how mismanaged compliance exposes the organization to risk
  • Current drivers & trends pressuring organizations in compliance management
  • Different ways organizations approach compliance management
  • What Effective Compliance Management Achieves: Compliance role in governance, risk management, and compliance

Part 2: Compliance Governance

Blueprint for Effective Compliance Management

  • Compliance Governance Committee: bringing together the range of compliance management roles and responsibilities in the organization
  • Compliance Management Charter: defining a structure to govern compliance across the organization
  • How to Develop a Compliance Management Strategic Plan

Part 3: Compliance Management Lifecycle

Managing Compliance in Context of Business and Regulatory Change

  • Compliance obligation identification
  • Ongoing compliance and business context monitoring
  • Compliance communications & attestations
  • Compliance monitoring & assessment
  • Compliance forms & approvals
  • Compliance metrics & reporting
  • Compliance evaluation, benchmarking & assurance

Part 4: Compliance Management Architecture

Enabling Information & Technology Management for Compliance Management

  • Compliance Management Information Architecture: Blueprint for Managing Compliance Content and Related Data
    • Types of compliance management information and how it integrates into compliance processes
    • Components and requirements for a compliance information architecture
  • Compliance Management Technology Architecture: Blueprint for Enabling Compliance Management Processes with Technology
    • Kinds of compliance management technologies and what best serves the organization
    • Capabilities and requirements of compliance management platforms
  • Compliance Management Business Case: Articulating the Value of Effective Compliance Management

[/toggle]

Internal Control Management by Design Workshop

Blueprint for an Effective, Efficient & Agile Internal Control Management Program

[toggle title_open=”Hide Details” title_closed=”Show Details . . . ” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Workshop Abstract:

Internal control management has become a critical foundation for corporate governance, risk management, and compliance (GRC). The correct controls, operating effectively, are the linchpin that assures the organization can reliably achieve objectives while addressing uncertainty and acting with integrity. As organizations mature their approach to internal control management, they see more intersections with risk, compliance, and audit processes, which require a more thorough strategy for managing controls in the context of the organization. Controls are critical throughout business strategies, operations, and processes. Reactive and stovepiped approaches to internal control management leave the organization unable to see the big picture of how controls interrelate with each other, with risks, and with compliance obligations. This means the organization wastes resources managing controls as separate assessments and projects instead of as an integrated whole. Defining strategy, managing operations, and addressing organizational change require agility in internal control management to provide assurance to boards, executives, GRC professionals, and the line of business. As business becomes increasingly complex in a changing business and risk environment – one that struggles with growing regulations, globalization, and distributed operations – organizations need a blueprint for effective, efficient and agile internal control management. This requires organizations to design internal control management into the organization as an integrated part of strategy and operations, supported by an integrated internal control information architecture that gives the organization 360° situational awareness of internal controls in the context of business strategy and operations.

This workshop provides a blueprint for attendees on effective internal control management strategies in a dynamic business and risk environment. Attendees will learn internal control management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.

Objectives of workshop:

Attendees will take back to their organization approaches to address:

  • Internal Control Management Strategy. Understand internal control in the context of business performance, strategy, and objectives, as well as its culture and values.
  • Internal Control Management Processes. Flowing from strategy are the internal control management processes integrated into the organization and how it operates. Good internal control management is done in the rhythm of the business.
  • Internal Control Management Information Architecture. Defining an information architecture that enables internal control strategy and processes by providing 360° situational awareness of internal controls in context of business strategy and operations.
  • Internal Control Management Technology Architecture. The necessary technology components needed to bring together diverse and distributed internal control management roles and integrate internal control management into the operations of the organization.

Benefits to attendees:

  • Understand a top-down as well as a bottom-up approach to internal control management
  • Implement internal control management in the context of business strategy, process, and operations
  • Explore internal control management architecture models and how they apply to your organization
  • Discover various internal control assessment and monitoring techniques and how they apply to your business
  • Develop an internal control information architecture that aligns with business operations and processes
  • Effectively communicate and gather attestation on internal controls across your organizations

Who should attend?

  • Internal control managers and officers responsible for leading and managing internal controls
  • Business managers whose job responsibilities include internal control management and ownership
  • Executives and governance personnel who have to oversee and attest to internal controls
  • Audit personnel that provide assurance on internal controls

Typical Agenda:

Part 1: What is Internal Control Management?
Understanding Internal Controls in the Context of the Organization
  • Different views of internal control throughout the organization
  • Who owns internal controls?
  • Understanding internal controls and their role in assurance to business strategy, objectives, performance, and operations
  • Workshop Project & Discussion
Part 2: Federated Internal Control Management
Blueprint for Internal Control Management Collaboration and Strategy
  • Developing an internal control committee (or herding cats), bringing together the range of GRC roles in the organization
  • Defining an internal control management charter
  • Developing a collaborative and enterprise view of internal controls and how it relates to performance, risk, and compliance
  • Workshop Project & Discussion
Part 3: Internal Control Management Process Lifecycle
Integrated Processes to Identify, Analyze, Manage, and Provide Assurance on Controls
  • Internal Control Identification – Collaborative process to identify internal controls from both the bottom and the top
  • Internal Control Analysis – Defining effective and operational controls to provide assurance while mitigating risk
  • Internal Control Management – Strategies to manage controls in context of performance, risk, and compliance
  • Internal Control Communication – Assign and manage internal control ownership and accountability
  • Workshop Project & Discussion
Part 4: Internal Control Management Information & Technology Architecture
Providing an Integrated View of Internal Controls to the Enterprise
  • Developing an internal control taxonomy and attributes of internal controls
  • Mapping internal controls to objectives, risk, policy, and compliance
  • Monitoring internal controls in a changing environment
  • Technology capabilities and considerations to support internal control management
  • Workshop Project & Discussion

[/toggle]

IT GRC Management by Design Workshop

Blueprint for an Effective, Efficient & Agile IT GRC Management Program

[toggle title_open=”Hide Details” title_closed=”Show Details . . . ” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Workshop Abstract:

Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data expose organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for information security professionals. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk as it permeates business operations, processes, transactions, and relationships in the digital world.

Risk management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across the business grows. Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture of risk and its impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. Decentralized, disconnected, and distributed processes of the past catch the organization off guard to information risk and expose the organization. The interconnectedness of information and technology underpinning all aspects of an organization’s operations requires that the Chief Information Security Officer (CISO) take a foundational and integrated approach to risk management across the organization.

Understanding and managing risk in today’s environment requires a new paradigm in managing the interconnections and relationships of risk, particularly information risk. CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, data) and externally (e.g., threat, competitive, legal, geographic environments) to stay competitive in today’s economy. Organizations must understand information security risk and make risk-informed business decisions to effectively manage risk across the enterprise.

This workshop provides a blueprint for attendees on effective IT GRC management strategies in a dynamic business and risk environment. Attendees will learn IT GRC management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.

Objectives of workshop:

Attendees will take back to their organization approaches to address:

  • IT GRC Management Strategy. Understand IT GRC in the context of business performance, strategy, and objectives, as well as culture and values.
  • IT GRC Management Processes. Flowing from strategy are the IT GRC management processes integrated into the organization and how it operates. Good IT GRC management is done in the rhythm of the business.
  • IT GRC Management Information Architecture. Defining an information architecture that enables IT GRC management strategy and processes by providing 360° situational awareness of IT GRC in context of business strategy and operations.
  • IT GRC Management Technology Architecture. The necessary technology components needed to bring together diverse and distributed risk and compliance management roles and integrate IT GRC management into the operations of the organization.

Benefits to attendees:

  • Holistic awareness of risk. There is defined risk taxonomy across the enterprise that structures and catalogs risk in the context of the organization and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise risk framework.
  • Risk-intelligent decision-making. The organization has what it needs to make risk-intelligent business decisions. Risk strategy is integrated with organization strategy; it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
  • Accountability of risk. Accountability and risk ownership are established features of risk management. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and the organization’s track record should illustrate successful risk tolerance and management.
  • Multidimensional risk analysis and planning. The organization has a range of risk analytics, correlation and scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation or transfer — are working and monitored for progress.
  • Visibility of risk as it relates to performance and strategy. The enterprise views and categorizes risk in the context of organization objectives, performance and strategy. Key risk indicators (KRIs) are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to information quality, integrity, relevance and timeliness.

Who should attend?

  • IT GRC managers and officers responsible for leading and managing IT GRC and information security
  • Business managers whose job responsibilities include IT GRC responsibilities
  • Executives and governance personnel who have to oversee and govern IT GRC
  • Audit personnel that provide assurance on IT security and GRC

Typical Agenda:

Part 1: What is IT GRC Management?
Understanding IT GRC in the Context of the Organization
  • Different views of IT GRC and information security throughout the organization
  • Who owns IT GRC?
  • Understanding IT GRC and its role in assurance to business strategy, objectives, performances, and operations
  • Workshop Project & Discussion
Part 2: IT GRC Management
Blueprint for IT GRC Management Collaboration and Strategy
  • Developing an IT GRC committee (or herding cats), bringing together the range of GRC roles with a stake in IT GRC across the organization
  • Defining an IT GRC management charter
  • Developing a collaborative and enterprise view of IT GRC and how it relates to performance, risk, and compliance
  • Workshop Project & Discussion
Part 3: IT GRC Management Process Lifecycle
Integrated Processes to Identify, Analyze, Manage, and Provide Assurance on IT GRC
  • Identification – Collaborative process to identify IT GRC risks and controls from both the bottom and the top
  • Analysis – Defining effective and operational controls to provide assurance while mitigating risk
  • Management – Strategies to manage IT GRC risk and controls in context of performance, risk, and compliance
  • Communication – Assign and manage IT GRC ownership and accountability
  • Workshop Project & Discussion
Part 4: IT GRC Management Information & Technology Architecture
Providing an Integrated View of IT GRC to the Enterprise
  • Developing an IT GRC taxonomy and attributes of risks and controls
  • Mapping IT GRC to objectives, risk, policy, and compliance
  • Monitoring IT GRC in a changing environment
  • Technology capabilities and considerations to support IT GRC management
  • Workshop Project & Discussion

[/toggle]

Policy Management by Design Workshop

Blueprint for an Effective, Efficient & Agile Policy Management Program

[toggle title_open=”Hide Details” title_closed=”Show Details . . . ” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Workshop Abstract:

In order to achieve effectiveness, efficiency, and agility in policy management, organizations need to define a structured governance framework and process. Designing a mature policy management program and processes that align with the organization requires an understanding of what the organization is about, how it operates and how it should be monitored and controlled. Policy management by design requires a structured approach in context of how the organization operates. This is done through defining the right process, information and technology architecture for policy management.

Policies must be in place so the organization can:

  • Reliably achieve objectives
  • Manage and control uncertainty
  • Safeguard the workplace
  • Protect the organization from unnecessary risk
  • Ensure consistent operations
  • Uphold ethical values
  • Address compliance obligations
  • Defend the organization should it land in turbulent legal and regulatory waters

However, effectively managing policies is easier said than done. Ad hoc or passive approaches mean that policies are outdated, scattered across the organization, and inconsistent, resulting in confusion for recipients and a nightmare to manage. Organizations often lack a complete inventory of policies, as so many departments have gone in different policy directions. Further, there is significant concern about rogue policies, as anyone can create a document and call it a policy, which may put a legal duty of care upon the organization.

The continual growth of regulatory requirements, complex business operations, and global expansion demand a well thought-out and implemented approach to policy management. It is no longer enough to simply make policies available. Organizations need to guarantee receipt, affirmation, and understanding of policies across the organization. To consistently manage and communicate policies, organizations are turning toward defined processes and technologies to govern policies and implement an effective policy management lifecycle.

This workshop aims to provide a blueprint for attendees on effective policy management in a dynamic business, regulatory, and risk environment. Attendees will learn policy management governance and process that can be applied across the organization at either an enterprise or a department level. Learning is done through lectures, collaboration with peers, and workshop tasks.

Objectives of workshop:

Attendees will take back to their organization approaches to address:

  • Define a process lifecycle for managing policies
  • Establish policy ownership and accountability
  • Provide policy consistency in style and language
  • Communicate policies across extended business relationships
  • Track policy attestation
  • Deliver effective training
  • Monitor metrics to establish effectiveness
  • Identify issues with policies
  • Map policies to objectives, risks, controls, issues, and other GRC areas

Benefits to attendees:

  • Understand a top-down as well as a bottom-up approach to internal control management
  • Implement internal control management in the context of business strategy, process, and operations
  • Explore internal control management architecture models and how they apply to your organization
  • Discover various internal control assessment and monitoring techniques and how they apply to your business
  • Develop an internal control information architecture that aligns with business operations and processes
  • Effectively communicate and gather attestation on internal controls across your organizations

Who should attend?

  • Chief Compliance Officers
  • Chief Risk Officers
  • Senior Managers in Compliance/Ethics
  • Legal
  • Policy Managers/Administrators
  • Individuals with policy management, approval or oversight responsibilities

Typical Agenda:

Part 1: Policy by Design
Why Policies Matter
  • Policies in Disarray: how organizations mismanage policies
  • Policy Exposure: how mismanaged policies expose the organization to risk
  • What Effective Policy Management Achieves: policy management’s role in governance, risk management, and compliance
  • Case Study in Effective Policy Management: a look at Morgan Stanley
  • Interactive Group Discussions
Part 2: Policy Governance
Blueprint for Effective Policy Management
  • Policy Committee & Collaboration: bringing together the range of policy roles and responsibilities in the organization
  • Policy Management Charter: defining a structure to govern policies
  • Meta Policy: the policy on writing policies
  • Style Guide: ensuring policies are written consistently to the organization’s voice
  • Interactive Group Exercise
Part 3: Policy Management Lifecycle
Managing Policies from Creation to Dissolution
  • When to Write a Policy: Framework to Determine Need for a Policy
  • Policy Development and Approval: Policy Authoring, Review, Editing, and Approval
  • Policy Communication: Policy Awareness, Communication, Training and Attestation
  • Policy Monitoring: Managing Exemptions, Exceptions, and Conformance to Policies
  • Policy Metrics & Maintenance: Measuring Policy Effectiveness and Keeping Policies Current
  • Interactive Group Exercise
Part 4: Policy Management Architecture
Enabling Information & Technology Management of Policies
  • Policy Management Information Architecture: Blueprint for Managing Policy Content and Related Data
  • Policy Management Technology Architecture: Blueprint for Enabling Policy Processes with Technology
  • Policy Management Business Case: Articulating the Value of Effective Policy Management
  • Interactive Group Discussion

[/toggle]

Risk Management by Design Workshop

Blueprint for an Effective, Efficient & Agile Risk Management Program

[toggle title_open=”Hide Details” title_closed=”Show Details . . . ” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Workshop Abstract:

Risk is pervasive throughout business strategies, operations, and processes. Siloed approaches to risk management leave the organization unable to see the big picture of risk. The reaction is often to centralize risk management, which forces different areas of the organization into a one-size-fits-all risk management model that fails to adequately manage and monitor risk. Defining strategy, managing operations, and addressing organizational change require the ability to provide meaningful risk information for decision-making by boards, executives, GRC professionals, and the line of business. As business becomes increasingly complex in a changing business and risk environment – one that struggles with growing regulations, globalization, and distributed operations – organizations need a blueprint for effective, efficient, and agile risk management. This requires organizations to design risk management into the organization as an integrated part of strategy and operations, supported by an integrated risk information architecture that gives the organization 360° situational awareness of risk in the context of business strategy and operations.

This workshop aims to provide a blueprint for attendees on effective risk management strategies in a dynamic business and risk environment. Attendees will learn risk management strategies and techniques that can be applied to enterprise and operational risk management strategies as well as departmental focused risk initiatives. Learning is done through lectures, collaboration with peers, and workshop tasks.

Objectives of workshop:

Attendees will take back to their organization approaches to address:

  • Risk Management Strategy. Understand risk in the context of business performance, strategy, objectives as well as its culture and values.
  • Risk Management Processes. Flowing from strategy are the risk management processes integrated into the organization and how it operates. Good risk management is done in the rhythm of the business.
  • Risk Management Information Architecture. Defining an information architecture that enables risk strategy and processes by providing 360° situational awareness of risk in the context of business strategy and operations.
  • Risk Management Technology Architecture. The necessary technology components needed to bring together diverse and distributed risk management roles and integrate risk management into the culture and operations of the organization.

Benefits to attendees:

  • Understand a top-down as well as a bottom-up approach to risk management
  • Implement risk management in the context of business strategy, process, and operations
  • Explore different risk management architecture models and how they apply to your organization
  • Discover various risk management techniques and how they apply to your business
  • Develop a risk information architecture that aligns with business operations and processes
  • Effectively communicate risk across your organizations

Who should attend?

  • Risk managers and officers responsible for leading and managing risk
  • Business managers whose job responsibilities include risk management and risk ownership
  • Executives and governance personnel who have to oversee risk
  • Audit personnel who use risk to drive audit plans and provide assurance on risk management
  • Security, health and safety, project management, compliance, and other personnel who are involved in risk management

Typical Agenda:

Part 1: What is Risk?
Understanding Risk in the Context of the Organization
  • Different views of risk throughout the organization
  • Who owns risk?
  • Understanding risk and its role in business strategy, objectives, performance, and operations
Part 2: Federated Risk Management
Blueprint for Risk Management Collaboration and Strategy
  • Developing a risk committee (or herding cats), bringing together the range of risk roles in the organization
  • Defining a risk management charter
  • Developing a collaborative and enterprise view of risk
Part 3: Risk Management Process Lifecycle
Integrated Processes to Identify, Analyze, Manage, and Communicate Risk
  • Risk identification – Collaborative process to identify risk from both the bottom and the top
  • Risk analysis – Understanding and contrasting risk assessment & analysis techniques
  • Risk management – Strategies to mitigate and reduce risk
  • Risk communication – Assign and manage risk ownership and accountability
Part 4: Risk Management Information & Technology Architecture
Providing an Integrated View of Risk to the Enterprise Without Losing Value to the Department
  • Developing a risk taxonomy and attributes of risk and risk ranking
  • Addressing risk normalization and aggregation for enterprise risk reporting
  • Monitoring risk in a changing environment
  • Technology capabilities and considerations to support risk management

[/toggle]

Third Party Management by Design Workshop

Blueprint for an Effective, Efficient & Agile Third Party Management Program

[toggle title_open=”Hide Details” title_closed=”Show Details . . . ” hide=”yes” border=”yes” style=”default” excerpt_length=”0″ read_more_text=”Read More” read_less_text=”Read Less” include_excerpt_html=”no”]

Workshop Abstract:

Organizations are no longer self-contained entities defined by brick-and-mortar walls and traditional employees. The modern organization is made up of a mixture of third party relationships that often nest themselves in complexity, such as deep supply chains. Organizations are a mixture of contractors, consultants, temporary workers, agents, brokers, intermediaries, suppliers, vendors, outsourcers, service providers, and more. The extended enterprise of third party relationships brings a range of risks that the organization has to be concerned about. Managing third party risk has risen to be a significant regulatory, contractual, and board-level governance mandate. Organizations need to be fully aware of the risks in third party relationships and manage this risk throughout the lifecycle of the relationship, from on-boarding to off-boarding of a third party.

Managing third party activities in disconnected silos leads the organization to inevitable failure. Without a coordinated third party management strategy the organization and its various departments never see the big picture and fail to put third party management in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how processes can be designed to meet a range of third party needs. An ad hoc approach to third party management results in poor visibility across the organization, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches third party management in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about third party performance, risk management, and compliance and understand its impact on the organization.

A haphazard department and document centric approach for third party management compounds the problem and does not solve it. It is time for organizations to step back and define a cross-functional and coordinated strategy and team to define and govern third party relationships. Organizations need to wipe the slate clean and approach third party management by design with an integrated strategy, process, and architecture to manage the ecosystem of third party relationships with real-time information about third party performance, risk, and compliance and how it impacts the organization.

This workshop aims to provide a blueprint for attendees on effective third party management in a dynamic business, regulatory, and risk environment. Attendees will learn third party management governance and process that can be applied across the organization at either an enterprise or a department level. Learning is done through lectures, collaboration with peers, and workshop tasks.

Objectives of workshop:

Attendees will take back to their organization approaches to address:

  • Effectively manage due diligence and third party risk
  • Understand the challenges and pitfalls of managing third party risk
  • Achieve success capitalizing on third party relationships while maintaining compliance
  • Facilitate ongoing monitoring of third party partners
  • Define a third party management lifecycle for managing and monitoring third party relationships
  • Establish third party management ownership and accountability
  • Provide third party management process consistency
  • Communicate effectively with third parties on matters of risk and compliance
  • Track critical workflow and tasks internally and with third party relationships
  • Deliver effective third party governance and assurance to the board of directors, regulators, and stakeholders
  • Monitor metrics to establish the effectiveness of third party management
  • Identify and resolve issues with third parties
  • Map third party relationships to objectives, risks, controls, issues, and other GRC areas

Benefits to attendees:

  • Understand a top-down as well as a bottom-up approach to third party management
  • Implement third party management in the context of business strategy, process, and operations
  • Explore third party management architecture models and how they apply to your organization
  • Discover various third party assessment and monitoring techniques and how they apply to your business
  • Develop a third party information architecture that aligns with business operations and processes
  • Effectively communicate and gather attestation on third parties across your organizations

Who should attend?

  • Procurement Professionals
  • Supply Chain Professionals
  • Ethics & Compliance Professionals
  • Risk Management Professionals
  • IT Security Professionals
  • Legal Professionals
  • Environmental, Health & Safety Professionals
  • Corporate Social Responsibility & Accountability Professionals
  • Individuals with third party management, ownership, or oversight responsibilities

Typical Agenda:

Part 1: Third Party Management by Design
Why Third Party Management Matters
  • Third Parties in Disarray: how organizations mismanage third parties
  • Third Party Exposure: how mismanaged third parties expose the organization to risk
  • Current drivers & trends pressuring organizations in third party management
  • Different ways organizations approach third party management
  • What Effective Third Party Management Achieves: third party management’s role in governance, risk management, and compliance
Part 2: Third Party Governance
Blueprint for Effective Third Party Management
  • Third Party Governance Committee: bringing together the range of third party management roles and responsibilities in the organization
  • Third Party Management Charter: defining a structure to govern third party relationships
  • How to Develop a Third Party Management Strategic Plan
Part 3: Third Party Management Lifecycle
Managing Third Parties from Onboarding to Offboarding
  • Third party identification & onboarding
  • Ongoing context monitoring
  • Third party communications & attestations
  • Third party monitoring & assessment
  • Third party forms & approvals
  • Third party metrics & reporting
  • Third party re-evaluation and offboarding
Part 4: Third Party Management Architecture
Enabling Information & Technology Management of Third Party Relationships
  • Third Party Management Information Architecture: Blueprint for Managing Third Party Content and Related Data
    • Types of third party management information and how it integrates into third party processes
    • Components and requirements for a third party information architecture
  • Third Party Management Technology Architecture: Blueprint for Enabling Third Party Management Processes with Technology
    • Kinds of third party management technologies and what best serves the organization
    • Capabilities and requirements of third party management platforms
  • Third Party Management Business Case: Articulating the Value of Effective Third Party Management
    • Defining a business case and value of third party management platforms

[/toggle]

GRC 20/20 has also done workshops on the following specific topics and issues:

  • Addressing Anti-Bribery and Corruption Requirements
  • Effective Risk Assessment & Analysis Strategies
  • Social Accountability Across Extended Business & Supplier Relationships
  • Conducting Compliance Risk Assessments
  • Regulatory Change Management