Managing Governance, Risk and Compliance with ECM and BPM (PDF)

19 pages · 2015 · 1.42 MB · English

AIIM White Paper

Managing Governance, Risk and Compliance with ECM and BPM

Sponsored by OpenText

About the White Paper

As the non-profit association dedicated to nurturing, growing and supporting the user and supplier communities of ECM (Enterprise Content Management), AIIM is proud to provide this research at no charge. In this way, the entire community can leverage the education, thought leadership and direction provided by our work. Our objective is to present the “wisdom of the crowds” based on our 80,000-strong community.

We are happy to extend free use of the materials in this report to end-user companies and to independent consultants, but not to suppliers of ECM systems, products and services, other than OpenText and its subsidiaries and partners. Any use of this material must carry the attribution – “© AIIM 2015 www.aiim.org / © OpenText 2015 www.opentext.com”

Rather than redistribute a copy of this report to your colleagues, we would prefer that you direct them to www.aiim.org/research for a download of their own.

Our ability to deliver such high-quality research is made possible by the financial support of our underwriting sponsor, without whom we would have to return to a paid subscription model. For that, we hope you will join us in thanking our underwriter for this support:

OpenText
275 Frank Tompa Drive
Waterloo, Ontario
Canada, N2L 0A1
Tel: +1 519-888-7111
Web: www.opentext.com

Process used and survey demographics

The survey results quoted in this report are taken from a survey carried out between 13 March and 06 April 2015, with 211 responses from individual members of the AIIM community surveyed using a Web-based tool. Invitations to take the survey were sent via email to a selection of AIIM’s 80,000 registered individuals. 76% of respondents are from North America, 14% from Europe, and 10% from elsewhere. They cover a representative spread of industry and government sectors.
Results from organizations of less than 10 employees have not been included, bringing the total respondents to 1200. Full demographics are given in Appendix 1.

About AIIM

AIIM has been an advocate and supporter of information professionals for nearly 70 years. The association mission is to ensure that information professionals understand the current and future challenges of managing information assets in an era of social, mobile, cloud and big data.

AIIM builds on a strong heritage of research and member service. Today, AIIM is a global, non-profit organization that provides independent research, education and certification programs to information professionals. AIIM represents the entire information management community: practitioners, technology suppliers, integrators and consultants. AIIM runs a series of training programs, including the Information Governance Certificate course. www.aiim.org/Training/Certificate-Courses/Information-Governance

About the author

Doug Miles is Chief Analyst at AIIM. He has over 30 years’ experience of working with users and vendors across a broad spectrum of IT applications. He was an early pioneer of document management systems for business and engineering applications, and has produced many AIIM survey reports on issues and drivers for Capture, ECM, Information Governance, Records Management, SharePoint, Big Data, Mobile and Social Business. Doug has also worked closely with other enterprise-level IT systems such as ERP, BI and CRM. He has an MSc in Communications Engineering and is a member of the IET in the UK.
© 2015 AIIM, 1100 Wayne Avenue, Suite 1100, Silver Spring, MD 20910, +1 301 587-8202, www.aiim.org
© 2015 OpenText, 275 Frank Tompa Drive, Ontario, Canada, N2L 0A1, +1 519-888-7111, www.opentext.com

© AIIM 2015 www.aiim.org / © OpenText 2015 www.opentext.com

Table of Contents

About the White Paper ... 1
  Process used and survey demographics ... 1
  About AIIM ... 1
  About the author ... 1
Introduction ... 3
  Key Findings ... 3
Drivers for GRC ... 4
  Risks ... 4
  Challenges ... 5
  Stakeholders ... 6
GRC Issues ... 6
  Managing Regulatory and Standards Compliance ... 6
  Managing the Policy Lifecycle ... 7
  Managing Operational Risk ... 8
  Managing Audit ... 9
  Managing Supply-Chain Risk ... 9
Use of ECM/RM/BPM ... 10
  Role of ECM/RM/BPM in GRC ... 11
  Current Usage ... 12
GRC Solutions ... 12
  Solution Selection ... 13
Opinions and Spend ... 13
  Spends ... 14
Conclusion and Recommendations ... 15
  Recommendations ... 15
Appendix 1: Survey Demographics ... 16
  Survey Background ... 16
  Organizational Size ... 16
  Geography ... 16
  Industry Sector ... 17
  Job Roles ... 17
Underwritten By
  OpenText ... 18
  AIIM ... 18

Introduction

Governance, risk management and compliance, or “GRC”, is increasingly being seen as a key discipline. The corporate misdemeanors of the past decade, and the resulting fines, refunds and brand damage have created a situation where the long-term detrimental effect of “loose governance” is being felt both in business and in government. As a result, organizations in a wide range of sectors are much more aware of potential risks, and the need to assess and measure them, while at the same time, legislators and regulators are imposing more and more laws and rules to tighten up business practice.

By its nature, if GRC is worth doing, it is worth doing well, and our survey respondents agree that good quality GRC practices are generally a positive benefit to the business rather than “a necessary evil”. Operating a best practice GRC regime will involve a number of key steps.
Pro-active awareness of changes to laws and regulations; decisions on how to change policies and processes to ensure compliance; documentation and dissemination of these changes; implementation of process changes that embed compliance; recording of actions and due process that are evidence of compliance; and measurement of performance to assure senior management and other stakeholders that risk is under control.

ECM, BPM and RM systems (Enterprise Content Management, Business Process Management and Records Management – sometimes combined as EIM, Enterprise Information Management) all have a big role to play in the GRC equation including: information governance for policies, operational monitoring, risk tracking and compliance auditing. In our survey, we set out to understand which governance, risk and compliance areas are the biggest concern, if and how organizations are using ECM, BPM and RM to solve GRC challenges, and what their plans are to improve their GRC program, processes, and tools.

Key Findings

Drivers

- Reputational risk is twice as big a driver for compliance (44% of respondents) as avoiding fines and penalties (20%). 32% consider “being a good corporate citizen” to be the prime driver.
- Keeping policies and procedures up to date is a bigger challenge (40%) than keeping up with new and changing regulations (26%). Managing the paperwork to demonstrate compliance is given as the biggest challenge by 19%.
- Security risk (56%) and information privacy risks (52%) are of extreme concern. Then come reputational (48%) and regulatory risk (42%). Financial and operational risks are rated less highly, but are of extreme concern for 35% of our respondents.
- There is a very wide spread of roles deemed to “own” the GRC program, with Legal (14%) or the GRC committee (12%) most likely - although only 27% have a GRC committee.
GRC Issues

- Adoption of best practice in managing the policy lifecycle is poor. 38% have no scheduled reviews, 28% have no central store for policies, and 18% don’t capture employee acceptance.
- 47% struggle with multiple systems to document compliance requirements and 45% use manual processes to track performance against requirements. 19% use home-grown systems that they admit are not efficient or effective.
- The biggest issues with managing operational risk are lack of visibility and control (50%) and no way to track key indicators (27%). Not having a central system for records is an issue for 30%, and 25% struggle to provide management with timely reports.
- 45% of respondents find their biggest challenge with internal audit operations is that processes are manual and inefficient. Having multiple and disparate systems to manage audit information is an issue for 35%.
- Managing supply-chain risk is made difficult by vendor information not being stored in one place, nor being up-to-date for 35%. Gaining risk visibility of vendors and classifying them by risk profile is problematic for 25%.
- 81% support the view that “GRC is good for business”, although there is crossover with the 42% who consider it to be “a necessary evil.”

Use of ECM/RM/BPM

- ECM and RM are used widely for policy management (69%), BPM for tracking and resolution (20%) and GRC tools for managing IT threats (30%), but all four are used across the range of GRC management.
- 67% see ECM, BPM and RM as essential to solving GRC problems. 27% would like to use these tools for GRC, but the systems they have are not well optimized for this purpose.
- 40% feel that they are achieving regulatory compliance by using their ECM/RM system, but 78% feel they could get much more value from these systems.
GRC Solutions

- Ability to integrate with existing infrastructure (43%) and ease-of-use (35%) are given as the most important selection factors for GRC solutions, along with price (37%).
- 46% of the organizations surveyed plan to spend more on GRC software or services in the next 12 months, including 15% spending more on software licences, and 19% on vendor implementation services.

Drivers for GRC

The traditional justification for investment in compliance has been to avoid fines and penalties from regulators, but as customer perception of the “brand” has shifted from the controlled media world of advertising and publishing to uncontrolled social media and rolling news, the need to present a clean and responsible image has become paramount. For non-commercial organizations, citizen power and political criticism create just as strong an imperative to protect the brand. As a result, we can see in Figure 1 that twice as many respondents (44%) consider reputational risk to be the prime driver for GRC in their organizations rather than avoiding penalties and fines (32%). In between are 32% who consider it part of good corporate stewardship.

Figure 1: What is your organization’s main driver for regulatory compliance? (N=197, one answer only)
[Pie chart: Reputational risk for non-compliance, 44%; Being a good corporate citizen; it’s the law, 32%; Avoiding fines and penalties, 20%; Shareholder/stakeholder pressure, 5%]

Risks

Risk management has also become more sophisticated. It is hardly surprising that banking and insurance businesses would take a more measured view of compliance costs versus compliance risks – risk balancing is what they do every day as part of their core business. However, they would also be keen to quantify risk, and to ensure that any risk exposure is both measured and monitored.
Many of the huge fines incurred in the banking sector have been the result of over-eagerness to win business, as well as poor monitoring of process. Underestimating the potential fallout from data breaches, price-fixing, money laundering, environmental failures, etc. has proved very damaging to some very large corporations, and strong and durable GRC practices can be an important buffer against poor business decisions.

When rated for significance, information security and privacy are the risks that raise most concern, greater, in fact, than financial or operational risk. With the aggressive growth in digital data and resulting increases in compliance obligations, this finding is not surprising. Reputational risk and regulatory risk can result, of course, from a loss of sensitive or private information, especially if customer related, and they rank at three and four.

Figure 2: Please rate your concern for each of the following types of risk and the potential impact they could have on your organization. (N=197)
[Stacked bar chart, 0–100%, rated Extremely concerned / Very concerned / Somewhat concerned / Not too concerned: Information security; Information privacy; Reputational risk; Regulatory & compliance risk; Financial risk; Operational risk; Corp & social responsibility; Political & geopolitical risk; Supply chain & vendor management risk]

Challenges

Given the backdrop of constantly changing regulations, one might feel that simply keeping up with the latest rulings and legislation would prove to be the biggest challenge (26%), but it turns out that updating policies, procedures and process instructions to reflect required changes ranks higher (40%). Managing the paperwork and records associated with demonstrating compliance is also a big headache (19%).
Taking these two together, we can see that document-centric issues are at the core of GRC management, and are proving problematical for many organizations.

Figure 3: What would you consider your organization’s biggest challenge when it comes to regulatory compliance or risk management? (Choose only one) (N=198)
[Bar chart, 0–45%: Keeping policy and procedures up-to-date; Keeping up with new and changing regulations and standards; Paperwork associated with demonstrating compliance; Managing global legislative requirements; Reporting to regulatory bodies (timely and accurately); Reporting to Board and Executive Management]

Stakeholders

Despite the critical importance that GRC plays in the health and compliance culture of any organization, allocation of key leadership roles for strategy setting and ownership of the program is very broad, with little in the way of consensus as to where this responsibility lies. The Chief Legal Officer or General Counsel is the most likely to “own” the GRC process, but only in 14% of organizations. Or it may be run by a GRC Committee for 12% of organizations – but only 29% of organizations actually have such a committee. Interestingly, the Chief Compliance Officer takes the lead for just 10%, even though 40% of organizations answering the survey have one. 50% have a Chief Information Security Officer and 35% a Chief Risk Officer.

The CIO is likely to play a role in most businesses, particularly in the security side of things, and it is reassuring that the CEO is involved for 70%, along with the CFO (72%) and the COO (59%). What the findings seem to point to is that there are a number of different functions participating in GRC planning, not only traditional departments like Compliance, Risk and Audit, but also across the financial and operational areas, and, of course, IT. However, there is no obvious choice of leader, which can make it difficult to generate a GRC discipline where one does not exist at present.
Figure 4: Which stakeholders play leadership roles in setting the strategy for your governance, risk and compliance (GRC) program? (N=193)
[Stacked bar chart, 0–100%, rated Owns GRC program / Plays a role / Does not play a role / We do not have one: Chief Legal Officer/General Counsel; GRC Committee; Chief Information Officer; Chief Compliance Officer; Chief Executive Officer; Chief Risk Officer; Director, Compliance; Chief Financial Officer; Chief Operating Officer; Chief Information Security Officer; Internal Audit; Director, Enterprise Risk; Line of Business Executives]

GRC Issues

As we mentioned in the introduction, there are a number of distinct elements of a best practice GRC discipline. Monitoring changes and maintaining awareness of regulatory standards that affect the business is critical, and in order to maintain standards certification or compliance, continuous monitoring is needed. These standards and regulations are likely to be incorporated into operational policies, and these policies need to be managed through their lifecycles of introduction, revision, and retirement. Managing and containing risk in a systematic way is a core requirement, both for internal risk, and for external supply chain risk. Continuous audit and reporting to senior management and stakeholders is also important.

Managing Regulatory and Standards Compliance

Documenting compliance requirements and outcomes across multiple disparate systems is given as the biggest issue with managing regulatory and standards compliance – more so than keeping up with the changes and their potential impact on the business. Using manual processes to capture and track compliance requirements and controls is time-consuming and error-prone. Many organizations have home-grown systems to do this which are not efficient or effective.

Figure 5: What have been the biggest issues with managing regulatory and standards compliance (e.g. Sarbanes-Oxley, ISO 9000, ISO 27001, etc.) in your organization? (MAX 3) (N=157)
[Bar chart, 0–50%: Having multiple and disparate systems to document compliance requirements and outcomes; Using manual processes to capture and track compliance requirements, controls and mapping; Keeping up with changes in regulations and standards and their impact on our obligations; Not having clear visibility into our organization’s risk and compliance profiles; Using a home-grown system that is not efficient or effective; Inability to generate and produce accurate and timely reports; Inability to meet compliance deadlines from regulators and audits]

Managing the Policy Lifecycle

Corporate policies are the direct link between an organization’s vision and their day-to-day operations. Policies provide the rules to guide employee decision-making, handle issues and set overall business behavior.
Managing policy changes and alerting staff to those changes is a major challenge. Policies should be kept up-to-date with a defined review schedule. Best practice would suggest that all policies be posted in a central repository and managed for versions. Management and approvals are more effective and efficient when controlled by automated document workflows. Employee training and formal policy acceptance should be tracked and recorded.

Unfortunately, we can see from Figure 6 that best practice is losing out in most areas. Only 9% are confident that their policies are up-to-date and only 26% hold regular reviews. Although most do use a central repository such as ECM or a company intranet for policies, 28% have no official location for all policies, and only 15% use automated workflows for policy sign-off. 18% admit that they do not capture or record policy acceptance by employees.

Figure 6: How does your organization currently manage the policy lifecycle? [Select all that apply] (N=159)
[Paired bar chart, 0–70%: We are confident that all our policies are up-to-date / Some of our policies are out-of-date and require updating; We follow a defined policy review schedule / Policy reviews and updates are more reactionary than scheduled; All policies are posted in a central repository like an ECM or company intranet / There is no central official location for all policies; Policy approvals are done via automated workflows / Approvals for policy creation and updates are done via email; We have a system to track employee training completion and policy acceptance / We do not capture policy acceptance by employees]

We can see these contrasting practices highlighted as issues in Figure 7 where ensuring that employees read, understand and acknowledge acceptance of policies is given as the biggest issue, along with ensuring that they take training, and, of course, identifying those who do not adhere to the policy. Not having a central system of record for all GRC related policies and assessments is also a significant issue for many.
Figure 7: What have been the biggest issues with managing the policy lifecycle in your organization? (MAX 3) (N=151, excl. N/As)
[Bar chart, 0–50%: Ensuring employees read, understand and acknowledge acceptance of policies; Ensuring that policies are regularly reviewed and updated; Keeping up with regulatory changes that may impact policies; Providing senior management with required metrics, detailed reports and a clear audit; Not having a central system of record for all policies and related information; Identifying employees who have not adhered to a policy; Ensuring employees have taken required training, as mandated by policies e.g. ethics; Keeping track of policy inventory, currency and approvals]

Managing Operational Risk

Operational risk can be described as the risk of business operations failing due to human error; and the risks will vary from industry to industry. Anyone tasked with managing and limiting operational risk would love to be able to readily identify where and what those risks are, and even better, to have personal control over them. In reality, risk officers can only strive to do their best with the tools available to them.

[Uncaptioned chart residue (operational risk issues; caption not in this excerpt), 0–60%: Not having visibility into, and control over, the multitude of internal and external risks facing our organization; Ensuring that risk controls are regularly reviewed and updated; Not having a central system of record for all corporate policies, standards, guidelines, and procedures; Inability to effectively and efficiently track audit KPIs and KRIs (key risk indicators); Providing senior management and auditors with required metrics and detailed reports quickly and accurately; Keeping up with risk framework changes e.g. getting updates specific to our industry; None of these/not applicable]
E1v0e%n wher2e0 t%he risk3s0 a%re kno4w0n%, havin5g0 %an effe6c0ti%ve th way to track and audit them through KPIs and KRIs (Key Risk Indicators) is vital if they are to be reported to senior E Not having visibility into, and control over, the management and auditors. Once again, we see in Figure 8 that a central system of record is considered to be very C mul(cid:14)tude of internal and external risks facing our important. M organiza(cid:14)on FiguErnes u8r:i nWg hthaatt hriaskv eco bnetreonls tahree rbeigguglaerslyt riesvsiuewese dwith managing operational risk in your organization? a n and upd(aMteAdX 3) (N=155) d Not having a central system of record for all 0% 10% 20% 30% 40% 50% 60% B corporate policies, standards, guidelines, and P procedures M Not having visibility into, and control over, the mInuabl(cid:14)iltiutyd eto o ef ffinetce(cid:14)rvneally a anndd e exffitecrineanl trlyis ktrsa fcakc ianugd oitur KPIs and KRIs (key risk oinrdgaicnaitzoar(cid:14)so)n PErnosvuidriinngg tsheanti orris mk caonnatgreomlse anrte arnedg ualuadrliyt orresv iwewithed required metrics and detailed reports qanudic kulpy daantded accurately Not having a central system of record for all Keceoprpinogr autpe wpoitlhic ireissk, sftraanmdeawrdosr,k g cuhidaenlginees se, .agn.d gešng updates specific to oupr rinodceudsturryes Inability to effec(cid:14)vely and efficiently track audit KPNIso anned o Kf RthIse (skee/yn roits ka pinpdliiccaabtolers) Providing senior management and auditors with required metrics and detailed reports quickly and accurately Keeping up with risk framework changes e.g. gešng updates specific to our industry None of these/not applicable © AIIM 2015 www.aiim.org / © OpenText 2015 www.opentext.com 8 Managing Audit The role of Internal Audit is a critical but sometimes difficult one: to provide independent and objective assurance that an organization’s risk management, governance and internal control processes are operating effectively and ethically. 
M Demonstrable confirmation of compliance can only be achieved by suitable and regular audits. The work involved in these is hugely dependent on the efficiency of the audit process, the number of systems involved, and the degree a n of automated tracking and verification that is in place. For nearly half of our respondents, the internal audit process a is manual and inefficient, and documenting requirements and outcomes across the multiple systems and process g i workflows involved makes things challenging. n g Figure 9: What have been the biggest issues with managing the internal audit operations in your G organization? (MAX 3) (N=153) o v 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% e r n a The internal audit process is manual and n inefficient c e , Having mul(cid:3)ple and disparate systems to document audit requirements and outcomes 00%% 55%% 1100%% 1155%% 2200%% 2255%% 3300%% 3355%% 4400%% 4455%% 5500%% R i s k Keeping upTT hhweei tiihnn ttteehrrenn aagllr oaauuwddiniittg pp nrruoomcceebssess riiss a mmndaa nntyuupaaell saa nnoddf a auditsii nnreeeffiffiqucciiireeenndtt n d InabilityHH taaovv iiennffgge mmc(cid:3)uuvll(cid:3)(cid:3)epplyll eea naannddd e ffiddiisscppieaanrrtaalttyee t ssrayysscttkee ammussd itttoo C ddooccuummeenntt aaKuuPddIsiitt arrneedqq uuKiiRrreeIsmm (keeennyttss r aaisnnkdd i nooduuittcccaootmmorees)ss o m KKeeeeppiinnKgge uuepppi nwwgiitt uhhp tt hhweei tgghrr oochwwaiinnnggg ennsuu immn bbreeegrr uaalnnadd(cid:3) ottyynpps eeassn oodff p standards and their impacts on auditaa uureddqiittussi rrreeemqquueiinrreetsdd l i a Inability to generate and produce accurate and n IInnaabbiilliittyy ttoo eeffffeecc(cid:3)(cid:3)vveellyy aanndd eeffifficciieennttllyy ttrraacckk aauuddiitt (cid:3)mely audit reports c KKPPIIss aanndd KKRRIIss ((kkeeyy rriisskk iinnddiiccaattoorrss)) e w KKeeeeppiinngg uupp wwiitthh cchhaannggeess iinn rreegguullaa(cid:3)(cid:3)oonnss aanndd i Massttnaannaddgaarriddnssg aann Sdd ttuhhpeeiirrp iilmmypp-aaCcctthss ooanni 
naauu ddRiitti rrseekqquuiirreemmeennttss th Supply cIInnhaaabbiniillsiitt ayy nttdoo sggueebnn-eecrroaantteetr aaacnntdde dpp rrooopddeuuraccteeio aanccscc uuarrreaatt beee aacnnoddming increasingly complex, particularly in the manufacturing E C sector. Extending internal control an(cid:3)(cid:3)dmm veeisllyyib aailuuitydd iiittn rrtoee ppthooerrtt sssupply-chain may involve a wide range of contractors, M suppliers, partners, vendors, and other third parties. Generally, findings below show that vendor information is not in one place and is not up-to-date. Many organizations are struggling to keep an inventory of their suppliers, and a n to classify them by risk profile. It is also apparent that m0a%ny do5 n%ot ca1r0ry% out1 f5o%rma2l 0ve%ndo2r5 o%n-bo3a0r%ding3 5or% con4d0u%ct d reliable assessments to ensure the third parties they work with are compliant. B Keeping an authorita(cid:3)ve inventory/database of our P Figure 10: What have been the biggest issues with managing supply-chain risk - vendors you do suppliers/vendors that is accurate and current M business with such as contractors, suppliers, partners and other 3rd parties? (MAX 3) (N=152) Need to improve the way we classify our vendors, i.e. based on risk they pose 00%% 55%% 1100%% 1155%% 2200%% 2255%% 3300%% 3355%% 4400%% Not having clear visibility into our organiza(cid:3)on’s risk KKeeeeppiinngg aann aauutthhoorriittaa(cid:3)(cid:3)vvee iinnvveennttoorryy//ddaattaabbaassee ooff oouurr profiles as it pertains to our vendors ssuupppplliieerrss//vveennddoorrss tthhaatt iiss aaccccuurraattee aanndd ccuurrrreenntt Lack of formal, repeatable vendor on-boarding NNeeeedd ttoo iimmpprroovvee tthhee wwaayy wwee ccllaassssiiffyy oouurr vveennddoorrss,, process ii..ee.. 
bbaasseedd oonn rriisskk tthheeyy ppoossee Having mul(cid:3)ple and disparate systems to document NNoott hhaavviinngg cclleeaarr vviissiibbiilliittyy iinnttoo oouurr oorrggaanniizzaa(cid:3)(cid:3)oonn’’ss rriisskk supplier informa(cid:3)on pprroofifilleess aass iitt ppeerrttaaiinnss ttoo oouurr vveennddoorrss Not being clear on the scope of assessments LLaacckk ooff ffoorrmmaall,, rreeppeeaattaabbllee vveennddoorr oonn--bbooaarrddiinngg required for each vendor pprroocceessss Suppliers not mo(cid:3)vated to complete HHaavviinngg mmuull(cid:3)(cid:3)ppllee aanndd ddiissppaarraattee ssyysstteemmss ttoo ddooccuummeenntt surveys/provide requested info for assessment ssuupppplliieerr iinnffoorrmmaa(cid:3)(cid:3)oonn NNoott bbeeiinngg cclleeaarr oonn tthhee ssccooppee ooff aasssseessssmmeennttss rreeqquuiirreedd ffoorr eeaacchh vveennddoorr SSuupppplliieerrss nnoott mmoo(cid:3)(cid:3)vvaatteedd ttoo ccoommpplleettee ssuurrvveeyyss//pprroovviiddee rreeqquueesstteedd iinnffoo ffoorr aasssseessssmmeenntt 0% 10% 20% 30% 40% 50% 60% 70% 80% 90%100% Managing policy crea(cid:3)on, updates and dissemina(cid:3)on © AIIM 2015 www.aiim.org / © OpenText 2015 www.opentext.com 9 Automa(cid:3)ng the audit process 00%% 1100%% 2200%% 3300%% 4400%% 5500%% 6600%% 7700%% 8800%% 9900%%110000%% MMaannaaggiiMnngga nppaooglliiiccnyyg cc srrueepaap(cid:3)(cid:3)looiennr,,/ uu vppeddnaadttoeerss raainnskdd ddiisssseemmiinnaa(cid:3)(cid:3)oonn Risk iden(cid:3)fica(cid:3)on, tracking and remedia(cid:3)on AAuuttoommaa(cid:3)(cid:3)nngg tthhee aauuddiitt pprroocceessss Incident iden(cid:3)fica(cid:3)on, tracking and resolu(cid:3)on MMaannaaggiinngg ssuupppplliieerr// vveennddoorr rriisskk Managing IT security threats RRiisskk iiddeenn(cid:3)(cid:3)fificcaa(cid:3)(cid:3)oonn,, ttrraacckkiinngg aanndd rreemmeeddiiaa(cid:3)(cid:3)oonn Tracking regulatory and standards compliance IInncciiddeenntt iiddeenn(cid:3)(cid:3)fificcaa(cid:3)(cid:3)oonn,, ttrr(aacccokkniinntrggo aalsnn mdd 
orreenssitooolluuri(cid:3)(cid:3)noognn) ECM BPM RM GRC Tools MMaannaaggiinngg IITT sseeccuurriittyy tthhrreeaattss TTrraacckkiinngg rreegguullaattoorryy aanndd ssttaannddaarrddss ccoommpplliiaannccee ((ccoonnttrroollss mmoonniittoorriinngg)) 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Records management EECCMM BBPPMM RRMM GGRRCC TToooollss Document management Email management 00%% 1100%% 2200%% 3300%% 4400%% 5500%% 6600%% 7700%% 8800%% 9900%% RReeccoorrddss mmaaAnnuaaggdeeitmm treeanniltt DDooccuuBmmPeeMnn tta mmndaa nnwaaoggreekmmfloeewnntt EEmmaaiill mmEaa-nndaaisggceeommveeernnytt Auto-clasAAsiuufiddciiatt(cid:3) ttorraaniill Enterprise search BBPPMM aanndd wwoorrkkflflooww Capture EE--ddiissccoovveerryy Repor(cid:3)ng /BI AAuuttoo--ccllaassssiifificcaa(cid:3)(cid:3)oonn Content analy(cid:3)cs/big data EEnntteerrpprriissee sseeaarrcchh Case management CCaappttuurree Mobile access RReeppoorr(cid:3)(cid:3)nngg //BBII Internal/workplace social tools CCoonntteenntt aannaallyy(cid:3)(cid:3)ccss//bbiigg ddaattaa CCaassee mmaannaaggeemmeenntt MMoobbiillee aacccceessss IInntteerrnnaall//wwoorrkkppllaaccee ssoocciiaall ttoooollss
