
INFORMATION SYSTEMS (IS) RISKS

SOLUTIONS AND INTERNATIONAL BEST PRACTICES

UNIFIED AND INTEGRATED GRC MANAGEMENT

QANTARA consulting

Context

[Diagram: the same risk, "Risk A", is assessed separately by every stakeholder and every project. The CFO, the regulation agency, the SOX office (mandatory framework), the Board of Directors / top management, the Audit Committee, internal audit, risk management, the compliance officer (new or updated laws and legislation) and projects A, B and C each arrive at their own value: Risk A = q, x, y, z, k, w ... Which is the real level of Risk A: the sum x+y+z+..., the average (x+y+...)/n, or should x = y = z? Without an answer, the usual reflex is to increase control.]

2102 QANTARA consulting

Reminder of the main management strategies used by sector


Risk reporting practices


The most advanced organisations

Organisations are becoming more and more effective at identifying and managing risks. Those that rate their risk management as very effective show a different profile of risk management practices. The criticality of certain risks is much lower in these companies, notably:
- fraud and ethics risk is major for 22% of these companies, compared with 33% for the other companies (-11 points);
- information systems and IT security risk is major for 26%, against 36% for the other respondents (-10 points);
- control of large projects (technology, investments, R&D ...) is major for only 4% of them, against 21% for the other companies (-17 points).

To reduce this criticality, these same companies deploy their risk management across the whole enterprise more than the others do: a risk management policy is fully deployed in 70% of them. Almost all of them (85%) deploy risk reporting tools, and the associated incident and operational loss databases, throughout their organisation. They use more advanced risk management methods (risk quantification, risk and control self-assessment, assessment of process maturity levels).

The others
- Risks are still managed in silos: uncoordinated decisions, diluted responsibilities, non-integrated tools.
- Potential risks are identified and managed through ad hoc solutions: a reactive approach and short-term fixes.
- Final responsibility for managing certain specific risks (segregation of duties, fraud) is unclear.
- Low risk awareness, because of weak communication between the different levels of management.
- Risk is seen as a negative subject and is not discussed seriously and actively.
- Risk management is focused on physical (insurable) losses and/or on regulatory compliance.
- Risk management activities are not prioritised and are not linked to the strategy and/or to the company's sources of value.
- No view of risks when decisions are taken.



A unified and integrated approach to GRC


GRC: the challenges

[Diagram: Governance, Risk & Compliance at the centre, surrounded by the functions and requirements that each run their own programme today: Basel II, process improvement, entity-level control, internal audit, NI 52-109, health & safety, regulatory compliance, financial compliance, legislative compliance, operational risk, IT governance, policies / standards / procedures, ERM, anti-money laundering, tax compliance, environmental, self-assessment, information security, anti-fraud programme, business continuity management, ethics, privacy, CEO/CFO certification, risk and control self-assessment (RCSA) frameworks, SOX, enterprise risk, and others. The four challenges are integration, convergence, standardisation (of the risk language, infrastructure, models and processes) and quality.]

Putting an end to silo management

A unified and integrated approach to GRC

In itself GRC is not new. As individual issues, governance, risk management and compliance have always been fundamental concerns of business and its leaders. What is new is an emerging perception of GRC as an integrated set of concepts that, when applied holistically within an organization, can add significant value and provide competitive advantage.


GRC: integrating Governance, Risk management and Compliance

[Diagram: the GRC model. Inputs are stakeholder expectations and the business environment. Three layers: Governance (strategies, business objectives, policies, accountabilities and performance monitoring); Risk Management (risk identification, assessment, response and monitoring); Compliance and Control (operating processes and controls to meet business objectives, and assessment of compliance/control effectiveness). The whole rests on organisational culture and ethics, is delivered through people, process and technology, and feeds disclosure, reporting and communication.]



Benefits of tooling: the case of compliance testing

Manual process (compliance team & business process owners, then control testers & internal audit, then corporate executives):
- Document the control and the test plan; attach the reference document and a spreadsheet.
- Receive test instructions by e-mail.
- Follow the guided procedure and perform the test.
- Report results and attach evidence.

Workflow-driven process (same three groups of actors and the same steps, now carried by the tool):
- Automatic notification and routing from one step to the next.
- Step dependencies and configurable escalation paths.
- A complete audit trail of test plan results and evidence.
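The workflow-driven process above, as an added illustration that is not part of the original deck and not the code of any GRC product: a minimal Python model of a control-testing workflow with step dependencies, automatic routing and notification, a configurable escalation path, and a complete, hash-chained audit trail. The control ID, owners, deadlines and evidence file names are constructed for the example.

```python
# Added illustration (not from the QANTARA deck or any GRC product): a minimal
# workflow engine for compliance-control testing with step dependencies,
# automatic assignment, a configurable escalation path and a hash-chained
# audit trail. All control IDs, owners, deadlines and evidence are constructed.
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Step:
    name: str
    owner: str                 # who is notified and allowed to complete the step
    depends_on: list           # step names that must be "done" first
    due: datetime
    escalate_to: list          # ordered escalation path, consumed on each escalation
    status: str = "pending"    # pending -> assigned -> done
    evidence: list = field(default_factory=list)


class ControlTestWorkflow:
    def __init__(self, control_id, steps, now):
        self.control_id = control_id
        self.steps = {s.name: s for s in steps}
        self.notifications = []    # (recipient, step) pairs a real system would e-mail
        self.audit_trail = []
        self._prev_hash = "0" * 64
        self._log("created", "system", {"steps": list(self.steps)}, now)

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _log(self, event, actor, details, at):
        # Each entry carries the hash of the previous one, so editing, deleting or
        # reordering an entry after the fact breaks the chain (see verify_trail).
        entry = {"seq": len(self.audit_trail), "at": at.isoformat(),
                 "control": self.control_id, "event": event, "actor": actor,
                 "details": details, "prev": self._prev_hash}
        entry["hash"] = self._digest(entry)
        self._prev_hash = entry["hash"]
        self.audit_trail.append(entry)

    def _ready(self):
        return [s for s in self.steps.values() if s.status == "pending"
                and all(self.steps[d].status == "done" for d in s.depends_on)]

    def route(self, now):
        """Assign every step whose dependencies are satisfied and notify its owner."""
        for s in self._ready():
            s.status = "assigned"
            self.notifications.append((s.owner, s.name))
            self._log("assigned", "system", {"step": s.name, "to": s.owner}, now)

    def complete(self, name, actor, evidence, now):
        s = self.steps[name]
        if s.status != "assigned":
            raise ValueError(f"{name} is {s.status}, not assigned")
        if actor != s.owner:
            raise PermissionError(f"{actor} is not the owner of {name}")
        if not evidence:
            raise ValueError("evidence is required to close a test step")
        s.status, s.evidence = "done", list(evidence)
        self._log("completed", actor, {"step": name, "evidence": list(evidence)}, now)
        self.route(now)   # unblocks dependent steps

    def escalate_overdue(self, now, grace=timedelta(days=2)):
        """Move overdue assigned steps to the next person on their escalation path."""
        escalated = []
        for s in self.steps.values():
            if s.status == "assigned" and now > s.due and s.escalate_to:
                previous, s.owner = s.owner, s.escalate_to.pop(0)
                s.due = now + grace
                self.notifications.append((s.owner, s.name))
                self._log("escalated", "system",
                          {"step": s.name, "from": previous, "to": s.owner}, now)
                escalated.append(s.name)
        return escalated

    def verify_trail(self):
        """True if no entry has been altered, removed or reordered."""
        prev = "0" * 64
        for entry in self.audit_trail:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Run one constructed control test through the workflow; returns (workflow, escalated steps, late-closure rejected)."""
    t0 = datetime(2012, 3, 1)
    wf = ControlTestWorkflow("ITGC-07 (constructed)", [
        Step("document_test_plan", "compliance.team", [], t0 + timedelta(days=3), ["compliance.lead"]),
        Step("perform_test", "control.tester", ["document_test_plan"], t0 + timedelta(days=7),
             ["internal.audit", "cfo.office"]),
        Step("report_results", "control.tester", ["perform_test"], t0 + timedelta(days=9), ["internal.audit"]),
    ], t0)
    wf.route(t0)
    wf.complete("document_test_plan", "compliance.team", ["test_plan_v1.docx"], t0 + timedelta(days=1))
    escalated = wf.escalate_overdue(t0 + timedelta(days=8))   # perform_test is a day late
    try:
        wf.complete("perform_test", "control.tester", ["late.png"], t0 + timedelta(days=8))
        rejected = False
    except PermissionError:
        rejected = True    # ownership moved to internal.audit on escalation
    wf.complete("perform_test", "internal.audit", ["config_export.csv"], t0 + timedelta(days=9))
    wf.complete("report_results", "control.tester", ["results.xlsx"], t0 + timedelta(days=9))
    return wf, escalated, rejected


if __name__ == "__main__":
    workflow, esc, rej = demo()
    for e in workflow.audit_trail:
        print(e["seq"], e["at"], e["event"], e["details"])
    print("escalated:", esc, "late closure rejected:", rej, "trail intact:", workflow.verify_trail())
```

Two points the diagram's bullets leave implicit: escalation transfers ownership, so the original tester can no longer close the step (the PermissionError path), and an audit trail is only evidence if it is tamper-evident. Chaining each entry to the previous one catches edits, deletions and reordering inside the workflow store; in production the chain head should also be anchored or signed outside the workflow database, otherwise an administrator of that database can rewrite the whole chain.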

Integrating GRC activities: key messages

- Identify and prioritise risks using a common framework and a common language across the organisation. These risks must be aligned with the company's strategic objectives.
- Do not dilute responsibilities; appoint a "champion" or sponsor to coordinate the integration.
- Assess the organisation's risk management maturity and determine the most appropriate target level for improving things while protecting the company's value.
- Design an approach for aggregating risks at enterprise level, to avoid managing risks in silos.
- Establish a consistent and transparent system for measuring and monitoring risks.
- Create a reporting system and a dashboard to provide information on the environment to management and to the Board of Directors. Reporting must be tailored and appropriate so that the right decision is taken at the right time and surprises are avoided.
- Implement a process for allocating resources to the priority risk management activities.

Prioritize risks from the top down, manage from the bottom up

Integrating GRC activities: key messages

Integrating GRC does not mean grouping all GRC activities in one department. Communication and coordination are what matter.

Standardise GRC approaches and processes.

Process improvement is a key element in integrating GRC activities. There is no single method or simple approach that will work for every organisation.

Each organisation must develop its own business case for change.
The road is long, and cultural obstacles must not be ignored or underestimated.


Tool landscape: Enterprise GRC & IT GRC


The Forrester Wave: Q4 2011 Enterprise Governance, Risk And Compliance Platforms, and IT GRC Landscape

Before starting: assess GRC maturity

[Maturity model with five levels, from Initial to Optimizing, assessed on six dimensions: business strategies & policies; business & risk management processes; people & organizational structure; management reports; methodologies; systems & data. The lower levels (Initial, Repeatable) are marked "risk of failure", the top level (Optimizing) "realization of value".]

Initial (risk of failure)
- Business strategies & policies: strategies not clearly defined nor understood; undocumented, vague and informal policies and procedures throughout the organization; department tactics not aligned with overall strategy; no strategic focus or direction.
- Business & risk management processes: processes are not defined, formalized, consistent, documented or repeatable; processes are reaction-driven and unpredictable, with outcomes relying solely on individual fire-drill efforts; processes often do not meet desired outcomes or deadlines.
- People & organizational structure: performance depends on heroics; coordination between functions is non-existent and functional silos are pervasive; roles, responsibilities and accountabilities are poorly defined and not documented; unstable environment; little or no formal training exists.
- Management reports: reporting is sporadic, ad hoc and informal; reports are often incomplete, inaccurate and untimely; inconsistent reporting mechanisms across functions; data integrity issues exist; no audits performed.
- Methodologies: no models or methodologies used to support decision-making; heavy reliance upon key people and their instincts; best practices and/or external benchmarks are not used; no capabilities assessment or process improvement; risk and change recognition is non-existent.
- Systems & data: disparate, inefficient, unstable and ineffective systems; heavy use of individual spreadsheets; database access and controls are poor, or data is not available; technology does not support operational requirements; technology functional areas operate as separate silos.

Repeatable (risk of failure)
- Business strategies & policies: limited strategic focus on business activities; management sets objectives and there is limited focus on longer-term planning; basic policies and procedures for managing processes are defined with a common understanding, but not consistently documented.
- Business & risk management processes: process requirements defined; critical processes are established and repeatable with limited documentation; processes are somewhat effective, stable and consistent, but driven by output measures; process gaps are identified and corrected.
- People & organizational structure: still dependent on the capabilities of individuals rather than groups in some areas; roles, responsibilities and accountabilities are defined and documented for key areas; limited formal training offered; limited coordination between functions, with lessons learned.
- Management reports: process output measures are tracked and monitored; data integrity exists; limited audit or validation of the evaluation is performed.
- Methodologies: simple models used inconsistently for decision-making; assumptions are consistent and understood; measurement methods are specified and documented; improvements are being developed; risk and change recognition is emerging.
- Systems & data: systematic data collection; independent, robust spreadsheets used; adequate system security and data integrity; suite of effective systems in place or being planned; Tier 2 ERP systems or limited Tier 1 ERP applications used, with reliance on spreadsheets.

Defined
- Business strategies & policies: all policies and procedures are formally documented, understood, enforced and institutionalized enterprise-wide; strategies have a longer-term focus, with evident progress toward integration across several functions.
- Business & risk management processes: defined and standardized processes in place and well documented for all activities, including risk and change recognition procedures; processes are proactive rather than reactive; processes are stable, with inputs and outputs defined and measured.
- People & organizational structure: standard training programs and back-up capabilities exist; roles, responsibilities, accountabilities and corporate culture clearly defined, documented and communicated; integrated, cross-functional teams across the organization.
- Management reports: regular internal audit validation; regular, actionable reports; key metrics identified; consistent format and content.
- Methodologies: well-developed models and methodologies utilized for decision-making; consistent measures of performance and process variability; rapid business analysis of alternatives; the six components of the infrastructure are integrated.
- Systems & data: good suite of integrated systems; stable client-server applications; scalable component architecture; reliable, web-enabled processes for data extraction, analysis and reporting.

Managed
- Business strategies & policies: strategies and policies are integrated across all business units and align to corporate objectives; strategies for long-term development are in place.
- Business & risk management processes: process benchmarks (KPI/KRI) consistently achieved, cost and cycle time reduced; process output is predictable with limited variation; new processes and business changes are scoped and documented proactively.
- People & organizational structure: centralized shared-services functions; formal training for all areas and certified professionals throughout the organization; strong teamwork; the organization continuously strives to improve capabilities.
- Management reports: productivity and quality are measured and reported; measurements for control activity and documentation are quantitative and statistically based; self-assessment and internal audit validation are commonplace; characterized by metrics, measures and monitoring; senior management is comfortable with the content and consistent reporting format; robust reporting applications are utilized; exceptions and near misses are reported; status of improvement initiatives is reported.
- Methodologies: sophisticated models available for decision-making and early-warning systems; robust forecasting models; utilization of formal risk management and risk analytics; integrated physical and financial models; contingency planning.
- Systems & data: complete business intelligence and enterprise-wide data warehouse in place and utilized; enhanced functionality of integrated Tier 1 ERP systems; no or isolated use of spreadsheets; advanced analytics and data modeling.

Optimizing (realization of value)
- Business strategies & policies: centrally aligned vision, mission, goals, strategy and objectives across the entire organization; policies and responsibilities fully integrated into day-to-day activities; the organization's strategy is considered visionary and best in class.
- Business & risk management processes: processes are best in class or industry leading; continuous benchmarking and continuous improvement enterprise-wide.
- People & organizational structure: formal in-house training program; knowledge and skills continuously upgraded; cross-functional teams analyze problems, determine root causes, remove errors and variation, and implement improvements.
- Management reports: fully developed and automated reporting; excellent data integrity, used to manage and monitor work effort, failure/pass rates, and remediation / action plan status.
- Methodologies: remediation, synergies and efficiency are achieved; enterprise-wide risk management is fully incorporated; quality control and review processes are applied.
- Systems & data: complete suite of systems for analysis, execution and performance management; technological innovations are identified and leveraged throughout the organization; performance data used to analyze the costs and benefits of new applications and innovations.

Quick wins
- Carry out a complete inventory and mapping of GRC activities and processes.
- Understand the costs associated with GRC activities.
- Integrate (independent) risk assessments and self-assessments into the final evaluation.
- Coordinate compliance and internal-control reporting activities with internal audit activities (e.g. tests).
- Identify a central point of coordination (e.g. Chief Risk Officer, Head of Legal, GRC committee, ...).
- Share data and information between the different GRC functions.


Developing a risk culture


Impacts


Risk culture
A group's culture is built from the repeated behaviours of its members, and a group's behaviour is itself shaped by the individual attitudes of its members.
- Attitude: the position chosen and adopted by an individual or a group towards risk, under the influence of their perception of risk and their predisposition.
- Behaviour: the observable external actions relating to risk, including risk-based decision-making, risk management processes, risk communications, etc.
- Culture: the values, beliefs, knowledge and understanding of risk shared by a group of people with a specific common goal, in particular the senior management and the employees of an organisation.

Creating a working environment conducive to risk management


1. Encourage learning

by creating an environment that motivates people to learn; by valuing knowledge, new ideas and new relationships, which are essential components of the creativity that leads to innovation; and by including learning in strategic plans and insisting on its importance.


Creating a conducive working environment


2. Learn from experience

by valuing experimentation, in which one determines whether good opportunities offer benefits and have consequences; by sharing the learning drawn from past successes and failures; and by using lessons learned and best practices in planning exercises.


Creating a conducive working environment


3. Show leadership

by choosing leaders from among the coaches, teachers and good stewards; by demonstrating commitment and support to employees by giving them opportunities to improve, resources and tools;

by setting aside time, allocating resources and measuring success through periodic reviews (for example learning checks such as quizzes).

Integrate learning plans into management practices


Strengthen the organisation's capacity to manage risk and support its strategic direction in this respect. Learning plans must state each employee's training and development needs. To be effective, these learning plans must take account of the risk management learning strategies and be linked both to the operational strategy and to the organisation's strategy. Including risk management learning objectives in staff appraisals supports continuous learning in risk management.


Support continuous learning and innovation


- Foster a risk management culture by informing, illustrating and adapting the message to each target audience.
- Encourage and support responsible risk-taking and lessons learned.
- Involve stakeholders, share information and promote transparency as the basis for decision-making.
- Encourage suggestions and ask for comments and feedback to improve the framework.
