O p e n Te x t C o r p o r a t i o n

GRC Over view

J U N E 2 0 1 8
 What’s GRC?

GRC is a discipline that consists of three pillars (Governance, Risk and Compliance) which allows an
organization to identify risks, meet compliance initiatives, and report on findings that could negatively impact
their organization

► Key features of GRC include:

► The identification and calculation of financial, IT and operational risks

► The ability to assess risk around company assets, people, vendors and other business entities

► The ability to identify, monitor and report on risk and compliance across an organization

► The ability to produce actionable results based on preset risk thresholds

► Defined relationships between people, critical business processes, assets, vulnerabilities and other key entities for decision
support

► A process, risk and control (PRC) framework that maps to a business structure to support risk and compliance activities

► The elimination of overlap amongst various organization siloes

How Companies use GRC?

► Gives senior management visibility

into the state of risk and compliance ► Provides the ability to identify risks within an
throughout the organization organization
► Provides a mechanism for managing Governance Risk ► Allows companies to quantify and score
risk at an enterprise level risks for decision making support

GRC
► Reduces costs across the ► Provides due diligence and reporting
organization support for Senior Management
► Provides data mapping to identify ► Manages risks from identification, to
critical relationships between assessment and treatment
corporate objectives, risks and
controls ► Reports, monitors and dashboards of risk
across the environment
Compliance

► Supports compliance audits

► Provides supporting evidence to
ensure organizational compliance
► Provides management of the overall
auditing process
► Controls testing and monitoring
What are GRC systems?

► Federated systems of interoperable modules that provide management reporting and analytics
across an organization’s governance, risk, and compliance work streams

► They provide automation of the management, measurement, remediation and reporting of

controls and risks against objectives, in accordance with rules, regulations, standards, policies
and business decisions
Typical GRC Use Cases
Governance
► Asset and hierarchy
management
► Awareness training
► Data management
► Policy management
► Process risk control
framework
► Procedures and standards
► Process accountability
► Project management
► Standards
Compliance
► Compliance assessment
► Compliance monitoring
► Regulatory content
management
Other functional coverage consists of Vendor Risk Management, Business Continuity and
Disaster Recovery Management, Information Security, Privacy, etc.
Financial Risk
► Calculation of risk
► Financial risk impact
analysis
► Impact analysis
► Quantitative/qualitative risk
► Inherent risk scoring
► Risk modeling
► Scenario analysis
► Total risk calculation
Audit
► Attestation
► Audit resource
management
► Evidence capture
► Program management
► SAS 70/SOC 2
► Work paper management
Risk Management
► Internal control
management
► KRI/KPI management
► Risk analysis
► Risk assessment
► Risk identification
► Risk profiling
► Threat and vulnerability
management
► Vendor risk management
Issues Management
► Policy exceptions
► Risk acceptance
► Risk transference
► Risk treatment
Metrics and Reporting
► Ad-hoc reporting
► Audit tracking
► Dashboards
► Data integration
► Historical trending
► Notifications
► Statistical analysis
► Triggered calculations
► Organizational
transparency
Incident Management
► Event capture
► Loss capture
► Incident prioritization
► Incident handling
► Mapping incidents to
critical assets
GRC tools and vendors
►GartnerMagic Quadrant for Operational
►Forrester
Wave Governance, Risk, and
Risk Management Solutions (December
Compliance Platforms (Q1 2016)
2015)
Summary of Major GRC Vendors
Benefits
RSA Archer (EMC) ► Easy to Configure
► Comprehensive solution set
► Lots of integration already
done
► Good support and community
► Library of policies, control
standards, procedures, and
assessments mapped to
regulatory and business
standards
IBM OpenPages ► Strong financial reporting and
risk management modules
► Great integration with IBM
Cognos for reporting
► Good with large datasets and
data feeds
► Pre-configured solutions for
some business processes,
medium and small
businesses/business units
MetricStream ► Comprehensive solution set
► Strong product workflow
solutions
► Built-in reporting and
dashboard features
Concerns
► Product interface can be
confusing or lacking
► Data feed size limitations
► Reporting is limited
► Full deployment can be
expensive
► User Interface can be
confusing
► Requires more technical
skillsets for support (DBA)
► High configuration and support
costs
► Limited solution sets; mainly
focused on audit, risk and
compliance
EY perspective
► RSA Archer is often successful in multi-program
eGRC/ IT Risk Management contexts
► Global presence, established support network and
large customer base
► Consistently ranked at the top of the GRC industry
for customer service, implementation and quality of
work
► High ratings for core system (GRC/PRC library
management, user experience, security,
configurability, data analytics and issue
management)
► OpenPages is often successful in Financial Risk
Management and Enterprise Risk Management
► Most mature GRC platform in the market, with the
largest distribution amongst industries
► Industry leading business analytics through
integration with IBM’s library of data analytics
products
► High marks for configurability, security, issue
management, customer support and financial
services industry knowledge
► MetricStream is often successful handling Audit
and Incident Management
► Truly federated and integrated platform, built-in
programming, workflow, security, monitoring and
management tools
► Flexible interfacing can connect MetricStream to
virtually data source
► High marks for user interfaces, dashboards and
GRC management tools
Summary of Major GRC Vendors (cont.)
Benefits
Nasdaq (Bwise) ► Strong financial support for
eGRC use cases (Risk
Management, Internal Control,
Internal Audit, Compliance &
Policy Management, IT GRC
and Sustainability
Performance Management)
► Strong integration with
Business Objects for reporting
SAP GRC ► Allows customization of
workflows to meet business
requirements
► Connects to SAP ECC for data
feeds to allow continuous
control monitoring and
automation
► Many SAP GRC modules
integrated
► Ability to integrate with HANA
(i.e. Fraud Management)
Concerns
► Takes time to properly set up
► Security model is not robust
► Simple changes may require
professional expertise (Prof.
Services)
► Requires highly technical
skillsets for support (DBA)
► Not a strong IT GRC player
► Some SAP GRC modules
require HANA (i.e. Fraud
Management)
► Requires SAP technical skill
set for Support (i.e. SAP
Security and SAP GRC
Administrators)
EY perspective
► Bwise is often successful in eGRC Risk
Management programs
► Industry leading reporting, security, integration and
GRC/PRC library management
► One of the higher performing GRC platforms
► Strong industry focus in banking, energy,
pharmaceuticals, insurance and manufacturing
► High marks for availability of online and on premise
training
► SAP GRC is successful where SAP is the
primary enterprise software solution
GRC Transformation
Board, CEO, CFO, Internal Audit,
CRO
VP` Quality, Compliance
► Helps executive ► Helps drive towards ► Automates/
management drive transparency and standardizes process
down and better visibility for controls
operationalize the around key assessment and
tone at the top performance and risk testing
through centralized indicators to better ► Centralized
policy management manage the repository of controls
organization’s risk enables easier
posture, and take auditability and
advantage of reporting of
opportunities to avert compliance
or mitigate risk ► Provides better
events visibility to pervasive
compliance issues
and enables a
consistent approach
towards managing
compliance
► Enables integrated
management and
auditing of multiple
regulatory
requirements
CFO/VP HR, Supply CIO, CISO, CTO, VP-
Chain, Finance, Sales IT
► Enables automation ► Enables automation
and timely monitoring and timely monitoring
of controls owned of controls owned
and executed by the and executed by IT
business, which can ► Reduced
lead to business administrative costs
process efficiencies resulting from
► Facilitates standardization of
rationalization of risk technology
and control points platform(s) and
across spectrum of related risk and
regulatory controls (across
requirements regulatory
► Helps optimize the requirements)
mix of controls ► Enables better
(manual vs. insight to the
automated) within the business through a
business process common information
► Helps standardize and reporting
and embed structure
automated control
procedures within the
core business
process
Why Consider a GRC Transformation?
Risk Value
Cost
► Do we know our key risks?
► Do we have effective risk
reporting for executive
management and the Board?
► Are we accepting the right
level of risk?
► Do we know if our risks are
being properly managed?
► Do we have a comprehensive
risk framework in place?
► Does internal audit
understand the risks that our
company faces?
Risk Value
Cost
► Are we focused on the risks
that matter?
► Do we have duplicative or
overlapping risk functions?
► Are we leveraging automated
controls versus manual
controls?
► Do we have the right mix of
skills at the right cost?
► Have we optimized the use of
technology to manage risk?
► Can we use alternative
sourcing strategies to reduce
costs?
Risk Value
Cost
► Are the risks we take aligned
to our business strategies and
objectives?
► Are we getting the right return
on our risk investment?
► Are we getting process
improvement ideas?
► Are we taking the right risks to
achieve competitive
advantage?
► Is risk management slowing
us down or helping us go
faster?
Appendix A - Integration of risk management in a GRC tool

• Board reporting • Audit universe • Audit execution

• Enterprise risk assessments • Audit plan management • Issues management
• Financial risk management (credit/market risk) • Audit scoping • Reporting

• Legal and regulatory requirements • ITRM strategy

• Policy, standards, and procedures Enterprise • IT risk management process management
monitoring and management Risk Audit • Risk profiling
Policies & Management • Control/risk assessments
• Policy management metrics IT Risk
Standards
Management Management
• Supplier risk management
• Scenario analysis governance program
• Internal/external loss events • supplier profiling
• Risk and control self-assessments Operational Supplier • Due diligence/risk assessments
• Key risk indicators Risk Risk • Supplier issues management
• Operational risk quantification Management Management • Supplier performance/quality metrics
Integration of risk
processes through
a GRC solution Business • Business impact analysis/
• Configuration management IT
Continuity assessments
• Incident & problem management Operations
Management • Business continuity/disaster
• IS operations
recovery plan management
• Application security
• Crisis management
Business
Capabilities Information
Services Security • Information security program
• Enterprise capabilities definition (ECM) management
• Business services determination • IS security metrics
Information & Regulatory
• Technology aligned business • Organizational security and awareness
strategy
Asset Risk • Threat & vulnerability management/
Management Management assessments

• Information & asset inventory • Regulatory program & • Governance and

• Information & asset classification & profiling change management stakeholder management
• Information & asset monitoring • Dependency management
Appendix B - EY’s GRC solutions enablement lifecycle

Current State Assessment GRC Strategic Roadmap

• Analyze Business • Define Guiding Principles
Requirements • Develop Governance Model
• Define Target State • Enhance Operating Model
Current State Assessment*
• Stakeholder Buy-in • Define Implementation
• Observations & GRC Strategic Strategy
Recommendations Roadmap • Process Optimization

Configuration,
Configure, UAT, Deployment UAT, Business & Functional
& Post Production Support Deployment Requirements
• Configure Solution & Post • Develop Detailed Business &
• User Acceptance Testing Production Business Functional Requirements
• Enhancements and Fixes Support & • Create Use Cases for Supplier
• Production Deployment Functional Selection
• Post Production Support Requirements • Develop Technical
Specifications/Design
Technical
Requirements
Technical Requirements GRC supplier Selection
GRC supplier
• Develop Detailed Technical Selection • Develop Request for Proposal
Requirements (RFP)
• Develop Technical Design and • Perform Feasibility Study
System Implementation • Proof of Concept (PoC)
Architecture Demos

*Annual re-evaluation of current strategic plan and direction