ENSURING A FRAME OF REFERENCE

In order to support its clients in the implementation of a GRC program, ArtimIS generally uses a reference framework combining good risk management and internal control practices (AMF, COSO 2 & ISO 31000/2009 RM) with the specificities and the user experience of business solutions (ERP: SAP S4 HANA / Oracle or other specific applications).

Before launching into the definition and implementation of a GRC Program, it is important to define the governance, i.e. to define the organization, the sponsors, the key actors of the project, the contributors, but also to identify the processes to be covered in priority.

ArtimIS experts assist their clients in identifying the players needed for each line of defense:

First line of defense

Finance

Administrative and Financial Management

Controlling

Accounting

–

Line of business

BU Managers

Employees

Human Resources

–

Other GRC roles

Purchasing

Quality

Legal

EHS

Second line of defense

Risk Management

Sector risks

Operational risks

Process risks

Project risks

Internal control

Internal control over reporting

IT Controls

Operational Controls

Risks and IT security

Information security

Information compliance

IT Governance

–

Ethics and compliance

Ethics & Compliance

Fraud Investigators

Management of procedures

–

Third line of defense

Internal Auditing

Financial auditing

IT Audit

Operational audit

Third party audit

Once the governance is defined (Organization, People, Processes, Applications, …) we need now to evaluate, define and implement the risk management and internal control system.

To do so, we can rely on the ISO 31000/2009 RM reference framework below:

————- Governance & Organization ————

Risk Assessment

Risks Culture

Posture, register & risk treatment

Program Definition and Implementation

Risk Anthology

Risk hierarchy and segmentation

Risk methodology

Program Review and Optimization

Notification, Reporting and Incident Feedback

Crisis Management Unit/cell

————- Risk Classification & Reporting ————

Risk Assessment

Risk and Threat Mapping, Data and Systems Combination

Impact and probability assessment

Program Definition and Implementation

Strategic Risk Alignment

Awareness of regulations, standards, and other internal rules

Program Review and Optimization

Risk Mitigation / Compensation

Risk and metrics reporting

————- Associated processes ————

Risk Assessment

Evaluation of the level of Maturity
Gap Analysis (Current/desired level)
Definition of strategy and roadmap
Evaluation of the level of readability of risk management and compliance initiatives (Context/ID/Objectives/Evaluations/Treatments)

Program Definition and Implementation

Review of processes/sub-processes & mapping
KPI/KRI/KCI Association
Policy, international and internal guidelines & controls library
Harmonization of the control environment

Program Review and Optimization

Communication & Change Management
Training & Sensibilization
SWOT analysis
Forum & Community
Continuous improvement of skills, added value and ROI

————- Applicative Technology & GRC Platform ————

Risk Assessment

Business Cases
PoC
RFI/RFP Process

Program Definition and Implementation

Application and system architecture definition
Phased implementation

Program Review and Optimization

Configuration and performance review
Development & fine-tunning