IT Risk/GRC Management by Design, LONDON

Organizations are complex: from technological advancements to regulatory changes and global expansions, ensuring robust information security is a daunting task for any GRC professional.

In this workshop with renowned GRC pundit Michael Rasmussen, you’ll get the blueprint you need to achieve an effective IT risk management strategy in a dynamic business and risk environment. You’ll learn strategies and techniques to apply to your whole organization and as part of your broader GRC strategy.

Here’s what you can expect to gain:

• A comprehensive understanding of IT GRC within the broader context of business performance and strategy.
• Knowledge of how to integrate IT GRC management processes seamlessly into your organization’s operations.
• The ability to define an information architecture that provides 360° situational awareness of IT GRC in alignment with business objectives.
• A deep dive into the technology components necessary to streamline risk and compliance management across your organization.

Who should come along?

• IT GRC managers and officers
• Business managers who want to up their game in IT GRC
• Executives and governance personnel overseeing IT GRC
• Audit personnel providing assurance on IT security and GRC

Workshop Abstract:

Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data expose organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for information security professionals. Executives constantly react to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk, as it permeates business operations, processes, transactions, and relationships in the digital world. Risk Management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, compliance across the business grows.

Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture of risk and its impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. Decentralized, disconnected, and distributed processes of the past catch the organization off guard to information risk and expose the organization. The interconnectedness of information and technology underpinning all aspects of an organization’s operations requires the Chief Information Security Officer (CISO) to be a foundational and integrated approach to risk management across the organization. Understanding and managing risk in today’s environment requires a new paradigm in managing the interconnections and relationships of risk, particularly information risk. CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, data) and externally (e.g., threat, competitive, legal, geographic environments) to stay competitive in today’s economy.

Organizations must understand information security risk and make risk-informed business decisions to manage effectively manage risk across the enterprise. This workshop provides a blueprint for attendees on effective IT GRC management strategies in a dynamic business and risk environment. Attendees will learn IT GRC management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.

Objectives of the workshop:

Attendees will take back to their organization’s approaches to address:

• IT GRC Management Strategy. Understand IT GRC in the context of business performance, strategy, objectives, culture, and values.
• IT GRC Management Processes. The IT GRC management processes integrated into the organization and its operations flow from the strategy. Good IT GRC management is done in the rhythm of the business.
• IT GRC Management Information Architecture. Defining an information architecture that enables IT GRC management strategy and processes by providing 360° situational awareness of IT GRC in the context of business strategy and operations
• IT GRC Management Technology Architecture. The necessary technology components are needed to integrate diverse and distributed risk and compliance management roles and IT GRC management into the organization’s operations.

Benefits to attendees:

• Holistic awareness of risk. There is defined risk taxonomy across the enterprise that structures and catalogs risk in the context of the organization and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise risk framework.
• Risk-intelligent decision-making. The organization has what it needs to make risk-intelligent business decisions. Risk strategy is integrated with organization strategy; it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
• Accountability of risk. Accountability and risk ownership are established features of risk management. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and the organization’s track record should illustrate successful risk tolerance and management.
• Multidimensional risk analysis and planning. The organization has a range of risk analytics, correlation and scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation or transfer — are working and monitored for progress.
• Visibility of risk as it relates to performance and strategy. The enterprise views and categorizes risk in the context of organization objectives, performance and strategy. KRIs are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to information quality, integrity, relevance and timeliness.

Who should attend?

• IT GRC managers and officers responsible for leading and managing IT GRC and information security
• Business managers whose job responsibilities include IT GRC responsibilities
• Executives and governance personnel who have to oversea and govern IT GRC
• Audit personnel that provide assurance on IT security and GRC

Typical Agenda:

Part 1: What is IT GRC Management?

UNDERSTANDING IT GRC IN THE CONTEXT OF THE ORGANIZATION

• Different views of IT GRC and information security throughout the organization
• Who owns IT GRC?
• Understanding IT GRC and its role in assurance to business strategy, objectives, performances, and operations
• Workshop Project & Discussion

Part 2: IT GRC Management

BLUEPRINT FOR IT GRC MANAGEMENT COLLABORATION AND STRATEGY

• Developing an IT GRC committee (or herding cats), bringing together the range of GRC roles with a stake in IT GRC across the organization
• Defining an IT GRC management charter
• Developing a collaborative and enterprise view of IT GRC and how it relates to performance, risk, and compliance
• Workshop Project & Discussion

Part 3: IT GRC Management Process Lifecycle

INTEGRATED PROCESSES TO IDENTIFY, ANALYZE, MANAGE, AND PROVIDE ASSURANCE ON IT GRC

• Identification – Collaborative process to identify IT GRC risks and controls from both the bottom and the top
• Analysis – Defining effective and operational controls to provide assurance while mitigating risk
• Management – Strategies to manage IT GRC risk and controls in context of performance, risk, and compliance
• Communication – Assign and manage IT GRC ownership and accountability
• Workshop Project & Discussion

Part 4: IT GRC Management Information & Technology Architecture

PROVIDING AN INTEGRATED VIEW OF IT GRC TO THE ENTERPRISE

• Developing an IT GRC taxonomy and attributes of risks and controls
• Mapping IT GRC to objectives, risk, policy, and compliance
• Monitoring IT GRC in a changing environment
• Technology capabilities and considerations to support IT GRC management
• Workshop Project & Discussion

GRC 20/20 Analyst will be facilitating this workshop . . .

Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on enterprise GRC strategy and processes supported by robust information and technology architectures.  With 30+ years of experience, Michael helps organizations improve GRC strategy and processes supported by the correct GRC technology architecture. This enables organizations to align GRC with the business and deliver effective, efficient, resilient, and agile capabilities to the organization.  He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — the first to define and model the GRC market in February 2002 while at Forrester.

About Event Host . . .

SureCloud is a leading provider of cloud based, Integrated GRC (Governance, Risk & Compliance) products and Cybersecurity services, which reinvent the way you manage risk. SureCloud, and our Aurora platform, enable organizations to make better decisions and achieve their desired business outcomes. SureCloud is underpinned by Aurora, a highly configurable no-code platform, which is simple, intuitive, and flexible. Unlike other GRC Platform providers who force organizations to adapt their processes, our solutions are highly configurable. Aurora can be easily customized to fit a wide range of operating models, meaning that our clients get immediate and sustained value from the outset.