This is a literature review project based on the study of integrated GRC systems. It aims to create a document, for the companies interested in integrated GRC systems, by collecting and providing useful information about these platforms (their features, implementation prerequisites, implementation tips, etc.). This should allow the companies to select and deepen the topics in which are more interested and at the same time to be able to identify all the elements involved in such a project. In other words this should to be considered as a preparatory work to be uses during the first approach to GRC systems, in order to provide ideas that help the reader to focus on what considers more important or appropriate to his business reality. The material consulted to create this documents is composed by articles, publication and documents written by consulting companies or experts and interviews to CEOs of companies that have successfully implemented an integrated GRC system and make a continuous and profitable use of it. The form and structure of this document have been designed to meet the needs of the readers, making an extensive use of lists in order to facilitate the reading and providing business cases or secondary data in order to support the discussion with practical examples. The overall work is divided into three main parts. The first one is about GRCs (What are they?, How do they work?, What benefits could they bring?, etc.) and the problems of “silo structures” in order to better understand why GRCs represent a valuable tool. This first part also present two useful documents: a framework created by Forrester to help CEOs in calculating the ROI of an integrated GRC system and the work "Big Picture for Governance, Risk, and Compliance Platforms", created by Politecnico di Milano, focused on the evaluation and classification systems of GRC platforms. This should provide to companies two valuable tools for addressing the phase of project evaluation and GRC vendor selection, in order to choose the solution that better meets their requirements. The second part is focused on the implementation phase: after presenting the needed prerequisites it provides a list of valuable tips for easing the installation phase and help preventing risks. Once the implementation phase has been successfully completed the company may be interested in finding some way to continue its improvement process. For this reason the last part of the document is devoted to present two management techniques particularly aligned with the philosophy and modus operandi of the integrated GRC systems. Those are: the BYOD policies (for managing the use of personal devices for business purposes) and the "Just Culture" (regarding the risk management culture and processes).
Il presente documento riguarda uno studio, di tipo literature review, riguardante i sistemi GRC integrati. Lo scopo è quello di creare un documento, diretto alle aziende interessate ai sistemi GRC integrati, che raccolga e fornisca informazioni utili circa queste piattaforme (le loro caratteristiche, i prerequisiti necessari ed alcuni suggerimenti per la loro implementazione, ecc.). Questo dovrebbe aiutare le compagnie a selezionare gli argomenti più interessanti per la loro realtà aziendale in modo da poterli approfondire successivamente; allo stesso momento dovrebbe permettere loro di riuscire ad inquadrare tutti gli elementi coinvolti in questo tipo di progetti, in modo da avere una visione completa del problema e facilitare poi le operazioni di project management. In altre parole, questo documento dovrebbe essere utilizzato nello lo studio preparatorio, durante il primo approccio tra l’azienda ed i sistemi GRC integrati. I materiale utilizzato per questo progetto riguarda pubblicazioni di società di consulenza o esperti ed interviste ai CEO di aziende che hanno implementato con successo un sistema GRC integrato e ne fanno un uso continuo e proficuo: ciò permette non solo di avere degli importanti suggerimenti per la fase d’implementazione, ma soprattutto delle testimonianze di quali vantaggi questi strumenti hanno portato alle loro imprese. La forma e la struttura di questo documento sono state pensate in funzione del pubblico per cui è creato: vi sarà un uso frequente di elenchi per cercare di facilitarne la lettura ed esempi pratici (secondary data o business case) per supportare la trattazione. Il lavoro complessivo risulta suddiviso in tre parti. La prima parte riguarda da vicino i sistemi GRC integrati (cosa sono, come agiscono, quali vantaggi possono portare, ecc.) e i problemi delle cosiddette strutture aziendali “a silos”, in modo da comprendere meglio perché i GRC vengono considerati degli strumenti preziosi. In questa prima sezione vengono anche presentati al lettore due utili documenti: un framework creato da Forrester per calcolare il ROI di una piattaforma GRC ed il lavoro “Big Picture for Governance, Risk and Compliance Platforms” focalizzato sui sistemi di valutazione e classificazione delle piattaforme GRC. Ciò dovrebbe fornire alle aziende due importanti strumenti per la fase di valutazione del progetto e di selezione dell’offerta o GRC vendor più adeguati alla propria situazione. La seconda parte riguarda la fase di implementazione: dopo aver presentato i prerequisiti necessari si passa ai consigli pratici per completare l’installazione in maniera più agevole e poter prevenire alcuni rischi. Una volta completata con successo l’implementazione, l’azienda potrebbe essere interessata ad identificare e valutare delle occasioni per completare il proprio processo di miglioramento cominciato con l’adozione del nuovo sistema GRC integrato. Per tale ragione l’ultima parte è dedicata a presentare due tecniche di gestione particolarmente allineate con la filosofia e le pratiche dei sistemi GRC. Esse rappresentano quindi un’opportunità di supportare e completare il nuovo sistema, ed al contempo sfruttare sinergie e affinità per rendere la fase di implementazione particolarmente agevole e vantaggiosa. Le due tecniche in questione sono: la BYOD policy (Bring Your Own Device: riguarda la gestione e l’utilizzo di personal devices per lo svolgimento di attività lavorative) e la cosiddetta “Just Culture” (riguardante la cultura e i processi di gestione del rischio).
Addressing a successful implementation of a governance, risk and compliance management system
ZACCARI, LUCA
2016/2017
Abstract
This is a literature review project based on the study of integrated GRC systems. It aims to create a document, for the companies interested in integrated GRC systems, by collecting and providing useful information about these platforms (their features, implementation prerequisites, implementation tips, etc.). This should allow the companies to select and deepen the topics in which are more interested and at the same time to be able to identify all the elements involved in such a project. In other words this should to be considered as a preparatory work to be uses during the first approach to GRC systems, in order to provide ideas that help the reader to focus on what considers more important or appropriate to his business reality. The material consulted to create this documents is composed by articles, publication and documents written by consulting companies or experts and interviews to CEOs of companies that have successfully implemented an integrated GRC system and make a continuous and profitable use of it. The form and structure of this document have been designed to meet the needs of the readers, making an extensive use of lists in order to facilitate the reading and providing business cases or secondary data in order to support the discussion with practical examples. The overall work is divided into three main parts. The first one is about GRCs (What are they?, How do they work?, What benefits could they bring?, etc.) and the problems of “silo structures” in order to better understand why GRCs represent a valuable tool. This first part also present two useful documents: a framework created by Forrester to help CEOs in calculating the ROI of an integrated GRC system and the work "Big Picture for Governance, Risk, and Compliance Platforms", created by Politecnico di Milano, focused on the evaluation and classification systems of GRC platforms. This should provide to companies two valuable tools for addressing the phase of project evaluation and GRC vendor selection, in order to choose the solution that better meets their requirements. The second part is focused on the implementation phase: after presenting the needed prerequisites it provides a list of valuable tips for easing the installation phase and help preventing risks. Once the implementation phase has been successfully completed the company may be interested in finding some way to continue its improvement process. For this reason the last part of the document is devoted to present two management techniques particularly aligned with the philosophy and modus operandi of the integrated GRC systems. Those are: the BYOD policies (for managing the use of personal devices for business purposes) and the "Just Culture" (regarding the risk management culture and processes).| File | Dimensione | Formato | |
|---|---|---|---|
|
Thesis Zaccari.pdf
accessibile in internet per tutti
Descrizione: Testo della tesi
Dimensione
6.67 MB
Formato
Adobe PDF
|
6.67 MB | Adobe PDF | Visualizza/Apri |
I documenti in POLITesi sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/10589/135485