Information System Challenges: Managing Governance, Risks, and Compliance

Prof. Richardus Eko Indrajit [email protected]

Technology in Life

Banking Industry

• The introduction of a new concept of banking that is driven by technology enhancement:
  • Internet Banking
  • Mobile Banking
  • Virtual Banking
  • Phone Banking
  • E-Banking to I-Banking
  • Digital Kiosks
  • E-Money and Digital Cash
  • Smart Cards

Business Characteristics

• Volume of transactions
• Velocity of interactions
• Variant of products/services
• Veracity of data/information
• Vulnerability of channels
• Viscoelasticity of profiles
• Variability of resources
• Vibration of stakeholders

Multi Channels

Information Flow

Threats and Risks

Risks Analysis

• Many VULNERABILITIES
• Easily EXPLOITED
• With INCREASINGLY SOPHISTICATED methods
• Using tools that are INCREASINGLY EASY to obtain
• And can be carried out by ANYONE

Monitoring System

The Weakest Link

• “Your security is my security”

Holistic Approach

GOVERNANCE

RISKS

COMPLIANCE

About GRC

Trend

• These areas of activity are progressively being more aligned and integrated to improve enterprise performance and delivery of stakeholder needs
  • Governance — exercise of authority; control; arrangement
  • Risk — management of hazard; danger; peril; exposure to loss, injury, or destruction
  • Compliance — the act of complying; a yielding; as to a desire, or concession

Banking Business

• Driven and enabled by the massive use of information technology
• “The network is the bank” core philosophy
• Information becomes the most valuable asset and resource
• Digitalisation of products and services
• The need for effectiveness, efficiency, and control

Problem at Night

PRISON ??? DATA ??? COMPLAINTS ??? NETWORK ??? HACKERS ??? HIGH COST ??? FAILED PROJECTS ??? DATA LOSS ???

Paradigm Shift

• Evolution of audit as quality assurance – by ISACA/ITGI

It is a Must Decision

• Good GRC = good business, impacting enterprise reputation

Business Wisdom

• The success of GRC implementation should be designed

Things to Consider

• The cost of not following a consistent approach and methodology

Various Frameworks

Good Practices

• Open Compliance and Ethics Group (OCEG)
• Control Objectives for Information and Related Technologies (COBIT)

The Values of GRC

• GRC Capability Model as good practices to be adopted within the enterprise/organisation

The Design of GRC

• Every domain of the eight integrated components has important aspects to be ruled

Example of Principles

Enterprise Enablers

1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance and management

Implementation Guide

IT for GRC Principles

• Integration – it is unlikely that a single application can enable all GRC activities. Create a “GRC Backbone” of integrated parts
• Simplification – Simplify the architecture and use common components to enable multiple risk areas
• Reuse – Leverage existing investments and only buy when you must
• Automation – For repetitive or complex tasks, but sometimes human judgment is required
• Information – Sharing information about performance, risks, controls, incidents and resolution is fundamental to GRC. The ability to analyze this information alongside business information is the essence of GRC

The IS/IT Nine Arenas

1. Assurance and Audit Management
2. Business Intelligence
3. Business Process Management
4. Corporate Governance
5. Enterprise Content Management
6. Enterprise Resource Management
7. Enterprise Risk Management
8. Human Resources Management
9. Security Management

Before

After

Integration is a Key

• GRC refers to taking an integrated, enterprise-wide approach to Governance, Risk Management, and Compliance:
  • Governance – The Board of Directors’ and management’s structures, policies, processes, and controls that focus on long-term value through the ethical, equitable, efficient, and effective operation of the business
  • Risk Management – An organization’s systematic process to identify, assess, manage, and monitor upside and downside risks to the business
  • Compliance – An organization’s process to demonstrate its employees’ and agents’ adherence to policies and procedures, laws, and regulations
• GRC is transformational and addresses the people, process, and technology enhancements required to achieve risk intelligence

GRC Responsibilities

• All CxOs have strategic roles and responsibilities for GRC requirements and practices

Bottom Line

Why does a car have BRAKES ??? The car has BRAKES so that it can go FAST … !!!

Why should we have regulation?
Why should we establish institutions?
Why should we collaborate with others?
Why should we agree upon mechanisms?
Why should we develop procedures?
Why should we have standards?
Why should we protect our safety?
Why should we manage risks?
Why should we form a response team?

The End – Discussion, Questions and Answers

Prof. Richardus Eko Indrajit [email protected]