Blueprint for an Effective, Efficient & Agile IT GRC Management Program
[tabs style=”default”] [tab title=”Overview”]
Organizations are complex. Exponential growth and change in technology, vulnerabilities, regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, legacy technology, and business data exposes organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for information security professionals. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the organization, particularly information security risk as it permeates business operations, processes, transactions, and relationships in the digital world.
Risk management maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across the business grows. Organizations require complete situational and holistic awareness of information risk management across operations, processes, relationships, systems, transactions, and data to see the big picture of risk and its impact on performance and strategy. Risk management fails when risk issues are addressed as a system of parts that do not integrate and work as a collective whole. Information security cannot be managed in isolation. The decentralized, disconnected, and distributed processes of the past catch the organization off guard and expose it to information risk. The interconnectedness of information and technology underpinning all aspects of an organization's operations requires that the Chief Information Security Officer (CISO) take a foundational and integrated approach to risk management across the organization.
Understanding and managing risk in today's environment requires a new paradigm for managing the interconnections and relationships of risk, particularly information risk. CISOs need to stay on top of their game by monitoring information security risk to their organization both internally (e.g., operations, processes, systems, data) and externally (e.g., threat, competitive, legal, geographic environments) to stay competitive in today's economy. Organizations must understand information security risk and make risk-informed business decisions to manage risk effectively across the enterprise.
This workshop provides a blueprint for attendees on effective IT GRC management strategies in a dynamic business and risk environment. Attendees will learn IT GRC management strategies and techniques that can be applied across the organization and as part of broader GRC strategies. Learning is done through lectures, collaboration with peers, and workshop tasks.
[/tab] [tab title=”Objectives & Benefits”]
Attendees will take back to their organization approaches to address:
- IT GRC Management Strategy. Understand IT GRC in the context of business performance, strategy, and objectives, as well as culture and values.
- IT GRC Management Processes. Flowing from strategy are the IT GRC management processes integrated into the organization and how it operates. Good IT GRC management is done in the rhythm of the business.
- IT GRC Management Information Architecture. Defining an information architecture that enables IT GRC management strategy and processes by providing 360° situational awareness of IT GRC in the context of business strategy and operations.
- IT GRC Management Technology Architecture. The necessary technology components needed to bring together diverse and distributed risk and compliance management roles and integrate IT GRC management into the operations of the organization.
Benefits to attendees:
- Holistic awareness of risk. There is a defined risk taxonomy across the enterprise that structures and catalogs risk in the context of the organization and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise risk framework.
- Risk-intelligent decision-making. The organization has what it needs to make risk-intelligent business decisions. Risk strategy is integrated with organization strategy; it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
- Accountability of risk. Accountability and risk ownership are established features of risk management. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders, and the organization’s track record should illustrate successful risk tolerance and management.
- Multidimensional risk analysis and planning. The organization has a range of risk analytics, correlation and scenario analysis. Various qualitative and quantitative risk analysis techniques are in place and the organization has an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation or transfer — are working and monitored for progress.
- Visibility of risk as it relates to performance and strategy. The enterprise views and categorizes risk in the context of organization objectives, performance and strategy. KRIs are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to information quality, integrity, relevance and timeliness.
[/tab] [tab title=”Who Should Attend”]
- IT GRC managers and officers responsible for leading and managing IT GRC and information security
- Business managers whose job responsibilities include IT GRC responsibilities
- Executives and governance personnel who have to oversee and govern IT GRC
- Audit personnel that provide assurance on IT security and GRC
[/tab] [tab title=”Workshop Agenda”]
Part 1: What is IT GRC Management?
Understanding IT GRC in the Context of the Organization
- Different views of IT GRC and information security throughout the organization
- Who owns IT GRC?
- Understanding IT GRC and its role in assurance to business strategy, objectives, performances, and operations
- Workshop Project & Discussion
Part 2: IT GRC Management
Blueprint for IT GRC Management Collaboration and Strategy
- Developing an IT GRC committee (or herding cats), bringing together the range of GRC roles with a stake in IT GRC across the organization
- Defining an IT GRC management charter
- Developing a collaborative and enterprise view of IT GRC and how it relates to performance, risk, and compliance
- Workshop Project & Discussion
Part 3: IT GRC Management Process Lifecycle
Integrated Processes to Identify, Analyze, Manage, and Provide Assurance on IT GRC
- Identification – Collaborative process to identify IT GRC risks and controls from both the bottom and the top
- Analysis – Defining effective and operational controls to provide assurance while mitigating risk
- Management – Strategies to manage IT GRC risk and controls in context of performance, risk, and compliance
- Communication – Assign and manage IT GRC ownership and accountability
- Workshop Project & Discussion
Part 4: IT GRC Management Information & Technology Architecture
Providing an Integrated View of IT GRC to the Enterprise
- Developing an IT GRC taxonomy and attributes of risks and controls
- Mapping IT GRC to objectives, risk, policy, and compliance
- Monitoring IT GRC in a changing environment
- Technology capabilities and considerations to support IT GRC management
- Workshop Project & Discussion
[/tab] [tab title=”Instructor”]
Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC), with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the "Father of GRC" — being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.
[/tab] [tab title=”Workshop Sponsor”]
LockPath® was created by GRC experts who recognized the need for intuitive GRC software that was flexible and scalable to serve ever-changing and expanding organizations.
In addition to the company’s founders, LockPath’s executive team comprises top industry professionals in the fields of software development, accounting and consulting, cybersecurity, financial services, market development and other industries. LockPath employs dozens of talented professionals and has several open positions.
LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises across industries. Along with their ecosystem of technology and channel partners, LockPath provides unparalleled customer satisfaction from initial project discovery discussions to ongoing customer support.