GRC MAGAZINE FOR LEADING RISK MANAGEMENT, AUDIT, INTERNAL CONTROL, COMPLIANCE AND INFORMATION SECURITY PROFESSIONALS
OF COMPLIANCE, AUDIT AND RISK THIS ISSUE
THE EVOLVING ROLE OF THE LINES OF DEFENSE COMPLIANCE MANAGEMENT OPRISK AWARDS EVENTS AND WEBINARS
THE PEOPLE BEHIND THE COMPANY
BUSINESS IN CONTROL WITH BWISE
CONTENTS GRC JOURNEY MAGAZINE
MANAGING THE VELOCITY OF INFORMATION
THE THREE LINES OF DEFENSE
TAILOR MADE
GARTNER SECURITY & RISK MANAGEMENT SUMMIT
YOUR COMPLIANCE PROGRAM
OPERATIONAL RISK AWARDS 2016
THE PEOPLE BEHIND THE COMPANY
CUSTOMER GRC JOURNEY DESCRIPTIONS
EVENTS AND WEBINARS
FOREWORD ROB VAN STRATEN
THE VALUE OF BEING FUTURE PROOF
I AM VERY HAPPY TO PRESENT YOU WITH A NEW ISSUE OF THE GRC JOURNEY MAGAZINE. THIS TIME, WE WILL ZOOM IN ON THE EVOLUTION OF COMPLIANCE, AUDIT AND RISK.
Rob van Straten Global Head of Sales and Professional Services
When we meet with potential customers, having strong functional coverage is always important. Lately, however, we have seen that there is also growing interest in our plans for future product enhancement. In essence, business owners want to know not only that the solution they are buying will work today, but they also want to ensure that the solution is future proof. There is simply too much change in the requirements to build a solution today and expect it to be valid for a long time. Instead of building a GRC solution in-house today that risks being outdated and difficult to update tomorrow, business owners aim for GRC Platforms that can be expanded over time. There are several benefits to having a platform that can be expanded over time:
• First, there is lower cost to implement new functionality as it can be easily switched ‘on’ in an existing system.
• Second, there is lower risk for system issues or delays in the implementation phase as vendor and client have prior experience with each other.
• And finally, the cost and friction related to training business users on the new functionality is lower if they are already familiar with the system from other use cases.
I hope you will enjoy reading this issue of the GRC Journey Magazine. You will find a number of articles touching on the evolution of Compliance, Audit and Risk. Please don’t hesitate to contact me if you have any questions or reactions.
Best regards
Rob van Straten
Global Head of Sales and Professional Services
THE EVOLVING ROLE OF THE LINES OF DEFENSE
By: Ladd Muzzy, Principal at Nasdaq BWise
THE TRADITIONAL LINES-OF-DEFENSE MODEL IS BECOMING BLURRED. NO LONGER IS THERE A CLEAR DEMARCATION BETWEEN THE THREE LINES (FIGURE 1). IN FACT, ORGANIZATIONS WITH MATURE RISK MANAGEMENT PRACTICES ARE FREQUENTLY SPEAKING IN A DIFFERENT VERNACULAR; ONE THAT HIGHLIGHTS THE NEED FOR KNOWLEDGE, DATA, AND UNDERSTANDING OF THE FACETS OF RISK AND CONTROL. IT’S NOT UNCOMMON TO HEAR MATURING RISK MANAGEMENT ROLES SUCH AS “1A AND 1B” REFERRING TO HOW THE BUSINESS IS TAKING GREATER OWNERSHIP IN UNDERSTANDING THE REQUIREMENTS EXPECTED FROM THE SUPPORT FUNCTIONS. ADDITIONALLY, THE SECOND LINE IS MORPHING ITS ACTIVITIES TO BETTER ALIGN, COORDINATE, AND COLLABORATE WITH THE BUSINESS.
[Figure 1: the lines of defense (labels recovered: First Line, Third Line)]
This is particularly true in areas like compliance. The proliferation of new laws and regulations and heightened expectations of regulators are forcing organizations to beef up their compliance management activities. This requires an active role from legal to interpret the laws, for compliance to translate the laws/regulations into operational activities, and to develop and implement a process that assures that the organization is in compliance. This is driving a much closer collaboration between the first and second line than ever before.
Expectations from audit are also increasing. Audit is in a tenable position of having a strong understanding of the control environment across the organization. As the risk profile for the business becomes increasingly complex, audit is being pushed to provide insight and share its findings and recommendations with the business in a way that more closely correlates with the underlying value chain processes. This approach creates economies of scope and scale across the organization. It also helps to prioritize the control environment by evaluating necessary improvements with the organization’s defined risk profile, limited capital, and allocation of resources.
Although the exacerbation of the regulatory environment has driven a lot of the impetus for risk management programs and people, the question of value still remains. Capitalism is still driving the behavior of organizations. Remaining competitive, entering new markets, creating new products and services, and optimizing operations is what drives shareholder and stakeholder value. Risk management, while important to reduce or eliminate losses and reputation damage, is an overhead function. As a result, many functions struggle with having enough resources to execute the risk management framework in a manner that provides 100% confidence that the universe of risks has been identified, codified, evaluated, and acted upon appropriately.
This puts greater pressure, in particular on the second line, to develop a risk management process that the organization can understand, adopt, and sustain. Having a GRC (Governance Risk and Compliance) technology solution can go a long way in accomplishing this.
GRC technologies have matured at the same pace as the underlying processes they support. However, in order for the technology to do its job well, it must be configurable and nimble enough to move across the risk management processes to respond to the quickly changing risk environment. Risk management requires a dynamic approach, not one that is executed on a periodic basis (such as an annual assessment or quarterly updates). Risks, such as cyber, can occur multiple times a day, making harmful exposures a daily reality. Waiting for an assessment to be performed or an audit to occur to identify control weaknesses can result in significant exposure to the company. A GRC technology that has a friendly user interface, can be made configurable based on the user’s role, and present risk and control information in real time will provide the business, executives, the Board, and regulators the confidence that the risk management process is fluid, there is active communication, and activity to thwart concerns.
There is pressure to create a risk management environment that also creates competitive advantage. It gives confidence in being a first mover. Moreover, it allows organizations to directly address their bottom lines to take advantage of revenue opportunities because of the strong risk management culture and infrastructure as well as reducing expenditures by optimizing control spend on the most salient risks.
Realizing these advantages forces an active collaboration across the lines of defense. The rapid way in which risks materialize today requires education within the business on the risk framework, educating the risk support functions on the business, as well as having audit understand both. Only then can there be alignment in organizational activities, analysis and use of risk data, and an approach that demonstrates sustainability.
THRIVENT’S GOVERNANCE, RISK AND COMPLIANCE EVOLUTION:
HOW TO MANAGE THE VELOCITY OF INFORMATION
WITH MORE THAN 20 YEARS OF EXPERIENCE IN IT, SIX SIGMA, RISK MANAGEMENT AND STRATEGIC PLANNING IN FINANCIAL SERVICES, PETER GIANOPOULOS, DIRECTOR BUSINESS RISK MANAGEMENT, THRIVENT FINANCIAL EXPLAINS HIS VIEWS ON THE EVOLUTION OF THE THREE LINES OF DEFENSE.
“Let’s be honest, during my career there hasn’t been any real innovation in Governance, Risk Management and Compliance (GRC),” Peter begins. “The strategies and processes haven’t changed much at all. What has changed is the rapid increase in regulations and the way in which technology enables us to capture more and more data. Also people will change over time. So if you don’t have a companywide Enterprise Risk Management (ERM) framework as the stable factor, some organizations get stuck in a paradigm.”
By: Clarinda Dobbelaar Head of Portfolio Management, BWise
That is quite a statement, no innovation combined with rapid growth in data and regulations. How have you been able to manage it all?
“It is certainly a challenge. So it has always been my belief that companies should focus on developing a strong ERM framework made actionable for the entire organization by GRC technology. To develop this, that is the real evolution.”
Nasdaq: At Thrivent, you have aligned your ERM framework with Nasdaq BWise’s GRC platform. Do you consider this as a strategic solution?
“Yes, it is a strategic tool. ERM has a top down approach, while BWise GRC technology works bottom up. This enables Thrivent to aggregate and disaggregate our risk portfolio for decision making, performance management, and the allocation of capital and resources. We can paint complete pictures of our risk landscape from different angles and for multiple purposes.”
Can you elaborate on how Thrivent’s framework is being used to keep control of risks, e.g. regulatory non-compliance?
“When I say ‘the framework’, I really mean the time and effort that’s been put into making people aware of risk. When managing risk on different levels of the organization, given the volume of regulations and risk management information to consider, there is often an exhaustion point. With BWise, we can prevent this exhaustion point by cutting it in smaller bites so you can control it.”
The topic of this article is about the evolution of GRC. How did you manage before you had a framework and BWise?
“Prior to BWise, groups existed in silos; I once had 28 oversight programs identified. Each of those groups were doing things in documents and Excel. There was no central repository. Now the GRC platform is our repository for documenting regulations, frameworks like COSO, standards and policies and we can connect them to the business processes and entities. We simply couldn’t do that until we implemented both. However, developing a framework cannot be done in silo, but only in collaboration with all the lines of defense.”
So how much time did this process take Thrivent?
“We started conversations with BWise in 2010, but that was too early; we needed to align internally. In 2013 we had an initial version of the framework developed and we kicked off a project to identify the system in which we wanted to implement the framework to make it actionable for the whole organization. We looked at Gartner and Forrester, then selected about 7 vendors for an RFP, and finally selected BWise because of its ease of use and the ability to interface with the business. At Thrivent, the business owns ‘how to manage GRC’. We aim to ensure that what we do is both fit for compliance and the right thing for our customers. The business was a very important stakeholder in this process. I believe in May 2013 we signed the contract and we had BWise up and running in two months.”
Are there tips you would like to share with our readers?
“Yes. Pick one system with the aim to journey and grow along with it. For us, I now know we picked the right partner with Nasdaq BWise. The acquisition by Nasdaq resulted in an even stronger partnership. Another tip: Getting an agreement on the approach to your GRC journey is critical. Bring people along on the journey and make sure management supports it. And a last tip perhaps: Maintaining the framework and the supporting technology in the ever-changing regulatory environment is never easy. One of the key success factors has been to prioritize evaluating risks versus the opportunities together with senior management. Based on those priorities, we were able to focus on what we wanted to accomplish with BWise.”
Peter Gianopoulos, Director, Business Risk Management - Thrivent Financial
Peter Gianopoulos is the Director of Business Risk Management at Thrivent Financial. He has over 25 years of experience in the Financial Services Sector. At Thrivent, Peter provides leadership to Thrivent’s Risk Management, Internal Audit, Planning, and Lean Six Sigma operations. Peter is the business owner of Thrivent’s Governance, Risk, and Compliance (GRC) framework and systems. In 2013, Thrivent won NASDAQ’s Innovation Award for their GRC implementation. Over the years, Peter has presented and written articles on a variety of topics including risk management, merger integration, planning, and performance. Peter has spoken at past Nasdaq events, and in 2015, he was the Key Note Presenter at Nasdaq’s Global Summit where he talked about managing in a rapidly changing world.
KEYS TO A TAILOR-MADE COMPLIANCE PROGRAM
Author: Bart van der Hoeven, Sr. Director Solutions Consulting, BWise
ANY ORGANIZATION WANTING TO EMBED A SOLID SET OF COMPLIANCE PROCESSES IN THE ORGANIZATION, WHILE REDUCING THE BURDEN AND COSTS OF COMPLIANCE, MUST IMPLEMENT A SOPHISTICATED SOFTWARE PLATFORM. THE GREATEST BENEFITS ARE REALIZED WHEN ALL COMPLIANCE STEPS AND PROCESSES ARE IMPLEMENTED IN AN INTEGRATED PLATFORM THAT REUSES INFORMATION AND IS ABLE TO SEND MEANINGFUL REPORTS TO MANAGEMENT.
In this article, I describe in more detail how a compliance software solution is derived from an integrated platform and supports you in reducing the burden and costs of compliance.
The Compliance Cycle
Each process shown in the compliance cycle (figure 1) can solve various compliance requirements. The first process “Surveys & Questionnaires” can be used for several purposes and easily facilitates questionnaire creation, response monitoring and follow-up on identified gaps. It is an excellent form of awareness training for employees and stakeholders regarding policies such as the Code of Conduct or Information Security. At the same time, it is also a powerful vehicle for collecting compliance data from the organization. The key benefit of an integrated Governance, Risk, and Compliance (GRC) platform is that the collected data is captured in relation to the GRC or Enterprise Risk Control Framework, which allows it to be shared automatically with other GRC initiatives when authorized.
The Compliance Enforcement Cycle
Although there is no required order in which to implement these processes, the compliance enforcement cycle can be used as a good foundation and starting point for any tool implementation. Compliance needs to be embedded in the organization and complying is mandatory by its nature. Non-compliance can have major impact both financially and to a company’s reputation. The compliance enforcement cycle starts with documenting control objectives from external requirements, internal requirements and identified risks. External requirements come from laws and regulations, internal requirements from governance and policies. Risks are identified within the business units, processes, objectives or by the second and third lines of defense. As this is not a one-time activity, it also needs to manage changes coming from various external and internal sources. Impact assessments need to be performed to determine which business activities, locations, policies, control objectives, etc. are affected by the changes and the processes for updating, informing and training the organization.
• The first line: business management continuously tests effective operation of the implemented controls, including evidence.
• The second line: compliance monitors successful execution of the testing by the first line.
• The third line (optional): internal audit can perform their independent audits over the compliance test results.
Identified issues require a mitigating action plan or acceptance by the business. Timely follow-up of actions needs to be tracked, including notifications and alerts. Regulatory exams and inquiries could be seen as specific types of action plans ensuring timely and high-quality follow-up, meeting deadlines and taking advantage of the information of the previous activities.
Empower the Management Team to Interpret Results and Act Accordingly
Reports show compliance per control objective, compliance category, external/internal requirements, activity, location, business unit, control, and more. However, access to a dashboard is key for providing insight to management into general compliance status and issues which need particular attention.
Compliance Dashboard
• Which issues require attention?
• What is the risk if not solved in time?
• How serious are the consequences of non-compliance?
• Are there any gaps in the compliance program?
• Are controls in a certain high risk compliance area or business unit performing poorly?
• What are the causes of poor performance by people, processes or systems?
The ability to analyze compliance results in a meaningful way for the management team is what the implementation of GRC software brings to the table. It allows management to understand what actions need to be taken to further improve performance and reduce the risk of non-compliance.
A day in the Life of Jackie McLaren, CCO
COMPLIANCE & POLICY MANAGEMENT IN CONTROL WITH STATE-OF-THE-ART GOVERNANCE, RISK MANAGEMENT, AND COMPLIANCE SOFTWARE
BWise® Compliance & Policy Management WWW.BWISE.COM
For more information, watch the recorded webinar “Keys to a Tailor-Made Compliance Program” www.bwise.com/news-events/webinars Or request the brochure: www.bwise.com/compliancebrochure
Winner of the
Thousands of users across the world rely on BWise, Nasdaq’s cornerstone for governance, risk and compliance software, for controlling their financial and reputational risks. We believe winning the Operational Risk 2016 awards would not be possible without the loyalty and trust of our customers and partners. Thank you.
Damian Thomson Chief Information Security Officer
Head of Internal Audit
Gerard Parker Chief Risk Officer
Jackie McLaren Chief Compliance Officer
Corporate Group Controller
The #1 Governance, Risk Management and Compliance software solution WWW.BWISE.COM
BEHIND THE COMPANY
LADD MUZZY, PRINCIPAL AT NASDAQ BWISE
It is great to be part of Nasdaq BWise and the successful future we have in front of us. After working in both a consulting capacity and as a practitioner for over 20 years in the Governance, Risk and Compliance (GRC) space, the technology sector is one that I have a keen interest in being a part of. I can’t think of any other time in my career where technology and data have played such a significant role in helping to shape the effectiveness and efficiencies of a company’s risk management program. I am thrilled to be supporting such a great set of solutions and working with such passionate and intelligent people.
OLIVIA RICCI – PROJECT SUPPORT OFFICER, SOUTHERN EUROPE
For 1.5 years already, I have been working as a Project Support Officer at Nasdaq BWise in the Paris office. Project support is the “lubricant” of the BWise software implementation: we deal with all kinds of behind-the-scenes tasks so consultants and project managers can deliver BWise software and perform their job with professionalism. Our responsibilities go from planning to internal reporting as well as invoicing customers. We also take care of internal improvement projects, leading to operational excellence. Although I am part of the Southern Europe team, my job is a very international job, reflecting Nasdaq BWise’s global position. I have a number of colleagues in the same role in other regions, covering projects globally and it feels like we are also covering the 24-hour clock. I wake up with the Southern Europe region and finish my day connecting with Latin America, which is one of my responsibilities too. With this variety of interlocutors, we have to adapt, not only to the different cultures but also to the manifold ways of working – that is what makes it interesting and challenging every day!
VANESSA KEANY – DIRECTOR, SOLUTIONS CONSULTING US
Over the last nine years at Nasdaq BWise, I have seen a variety of customer challenges. In my current role, I translate customer requirements into useable solutions, in order to meet company objectives. One way I am able to do this is by being ahead of the game. Our software enables me to do just that in the ever evolving discipline of Governance, Risk and Compliance (GRC). New features and functionality are added on an ongoing basis to meet the demands of our growing customer base. No two customers are alike; although they might both be implementing a GRC solution, their requirements and methodology can be completely different. My team’s role is to showcase the solution in the best light to drive home the value and benefits on a case by case basis. Because I’ve been in the industry since 2007, I am able to draw on my experience and knowledge of the space to succeed in my role. Additionally, being part of the Global Solution Consulting team at Nasdaq BWise ensures that I am always up to date with the latest international GRC trends.
GARTNER SECURITY & RISK MANAGEMENT SUMMIT, JUNE 2016
“MAKE INFORMATION SECURITY MORE RESILIENT”
Annu Warikoo, Nasdaq Global Head of Group Risk Management and Luc Brandts, BWise Chief Strategy Officer presented the session “Protect | Comply | Simplify: The Nasdaq Use Case”.
BWise was one of the premier sponsors
GARTNER’S 2016 SECURITY & RISK MANAGEMENT SUMMIT, HELD THIS JUNE IN NATIONAL HARBOR, MD, IS THE LARGEST GARTNER EVENT FOR INFORMATION SECURITY IN THE WORLD— THIS YEAR’S SUMMIT WAS ATTENDED BY OVER 3,000 PROFESSIONALS.
The keynote opening by Gartner’s lead analysts Felix Gaehtgens, Peter Firstbrook, and Jeffrey Wheatman, framed the Summit within a new vision for today’s digital business environment and made the case for “more resilient” Information Security. In previous years, the Summit theme had been focused on ‘protection’ and ‘prevention’. This year, the analysts notably stressed the importance of viewing security threats in a business context. They recommended that InfoSec professionals present to the business choices on how to balance acceptable risk (risk appetite) and business performance goals. Interestingly, this point aligns near seamlessly with the key benefits that BWise Information Security solutions offer for Risk and InfoSec professionals.
Want to learn more about BWise InfoSec? Discover in Virtual Reality how Nasdaq BWise technology can help Protect against cyber threats, reduce the burden of Compliance and Simplify Information Security Management. http://www.bwise.com/vr-experience
Read the Nasdaq BWise blog about the event: http://bit.ly/2cWiC2T
NASDAQ BWISE GLOBAL LEADER IN GRC
CUSTOMERS THAT RECENTLY JOINED US ON THEIR GRC JOURNEY
Global Investment Company selects BWise software to achieve risk management best practices
Headquartered in London with investments totaling $300 Billion, this privately owned investment company operates around the globe and invests for banks, wealth funds, large corporates, insurers and financial institutions. Initially they were looking for an Operational Risk Management solution for RCSA, Key Risk Indicator Management and losses registration, including the ability to capture and record capital modelling. The company sees the strategic value of integrated Governance, Risk Management and Compliance (GRC) and therefore decided to redefine their GRC journey based on the capabilities of the BWise enterprise GRC platform. The use cases to be implemented have been expanded to now also include Regulatory Compliance, Business Continuity Management and Business Impact Assessments. The BWise software platform was selected based on proof of concepts that clearly showed that this Global Investment Company’s requirements could be implemented, purely by software configuration, guaranteeing a successful delivery on time and in budget. Furthermore the excellent usability of the BWise platform played a key role in their decision to select BWise; user groups were included in the vendor selection process and the organization appreciated the look and feel of the BWise system. In addition, the company decided to base the first phase of the implementation on the BWise Rapid Deployment Solution, pre-configured best practices that provide a jump start on any implementation project. Through continuous prototyping and agility in the project team’s way of working the implementation will be substantially shorter.
Multiple European National Treasury Institutes Invest in Risk Management Programs
Recently several National European Treasury Institutes in Europe have selected BWise to support their Risk Management programs. Although the vendor selection processes were independent from each other, the similarity was within the requirement to 1) supply the software as well as the project services in the local language, 2) base the implementation on best practices and 3) provide out of the box, configurable software to support the treasury Risk Management programs. The BWise fully configurable Risk Management software, in combination with the BWise Risk Management Rapid Deployment Solutions for best practice based delivery, led to much of the positive impression of BWise. The treasury Risk Management processes were configured in proof of concepts and perfectly matched the user expectations.
Rapid-growing International Company Seeks Improved InfoSec Management System
Growing in 10 years’ time to annual revenue streams above $100 Billion, this company is highly dependent on Information Technology for its primary processes. Headquartered in Europe and operating in more than 50 countries, the company’s culture is centered on service, quality and efficiency. To protect their reputation and reduce their operational and compliance risks, the organization decided to purchase and implement an IT Governance, Risk and Compliance (GRC) solution. The company selected BWise Information Security (InfoSec) through an RFP process and proof of concept. The completeness of BWise InfoSec, excellent connectivity to the company’s IT infrastructure and sophisticated reporting capabilities played a key role in their decision. As the urgency was high to get an Information Security solution in place, this organization trusted BWise to fully implement the solution within months of the start of the project. After the implementation of IT GRC, the company will further roll out the BWise platform to include Internal Audit and Regulatory Compliance.
Read about your peer’s experiences and get inspired
Fortune 100 Insurance Company selects BWise for enterprise Governance, Risk and Compliance (eGRC)
A New York-based Fortune 100 Insurance Company with over half a trillion dollars in assets recently signed a contract with Nasdaq for deployment of the BWise Enterprise GRC platform. This iconic American company evaluated available GRC technologies extensively through proof of concepts and sandbox environments and came to the conclusion that BWise would not only be a good fit for all their use cases, but would enable them to effectively involve consultancy firms to strengthen the governance and compliance programs and harmonize their GRC processes. The fully configurable BWise GRC platform will ensure a low Total Cost of Ownership (TCO) over time. Upgrades to new releases are a seamless and free process which substantially saves on operational costs over the expected lifetime of the GRC platform. The insurer’s GRC Journey will initially be focused on Operational Risk Management and Corporate Compliance and will include the deployment of the BWise Information Security solution and the BWise Vendor Risk Management capabilities. To drive accountability throughout the enterprise, all employees can make use of the BWise software and participate in risk management processes.
EVENTS & WEBINARS
SAVE THE DATE
GARTNER SECURITY & RISK MANAGEMENT SUMMIT
OCTOBER 31 - NOVEMBER 1, 2016
RAFFLES, SHEIKH ZAYED ROAD, DUBAI, UAE
Nasdaq BWise is Platinum sponsor at Gartner's Security and Risk Management Summit at the Raffles in Dubai, UAE.
More information about our upcoming events: www.bwise.com/news-events/events
Read the blog post about Gartner’s 2016 Security & Risk Management Summit Washington in National Harbor, Maryland: Protect | Comply | Simplify http://bit.ly/2cWiC2T
WEBINAR DATA FEED MANAGEMENT FEATURING FORRESTER RESEARCH INC.
Nasdaq BWise hosted a webcast which will demonstrate how to leverage data to manage risk and fight financial crime. Data Analytics is part of the integrated BWise GRC Platform. Request the recording of the webinar: www.bwise.com/data-feed-management
“GRC Journey Magazine” is published by Nasdaq BWise Rietbeemdenborch 14-18 5241 LG Rosmalen T: +31 73 704 2000 @: firstname.lastname@example.org www.bwise.com business.nasdaq.com
Rob van Straten – Global Head of Sales and Professional Services Anton Lissone – Chief Technology Officer, BWise Bart van der Hoeven – Senior Director Solutions Consulting, BWise Ladd Muzzy – Principal at Nasdaq BWise Clarinda Dobbelaar – Head of Portfolio Management, BWise
Design Plushommes, www.plushommes.com
GOVERNANCE IS THE CULTURE, POLICIES, PROCESSES, LAWS, AND INSTITUTIONS THAT DEFINE THE MANNER IN WHICH COMPANIES ARE DIRECTED AND MANAGED. RISK IS THE EFFECT OF UNCERTAINTY ON BUSINESS OBJECTIVES; RISK MANAGEMENT IS THE COORDINATED ACTIVITY TO DIRECT AND CONTROL AN ORGANIZATION TO REALIZE OPPORTUNITIES WHILE MANAGING NEGATIVE EVENTS. COMPLIANCE IS THE ACT OF ADHERING TO AND DEMONSTRATING ADHERENCE TO EXTERNAL LAWS AND REGULATIONS AS WELL AS TO CORPORATE POLICIES AND PROCEDURES.
DEFINITION OF GRC, SOURCE: OCEG
WWW.BWISE.COM
5241 LG ROSMALEN
T: +31 734 6464 915
GRC Journey Magazine for Leading Risk Management, Audit, Internal Control and Compliance Professionals.