The popularity and proliferation of governance, risk, and compliance systems have grown over the years as regulatory requirements have become more complex. So it’s little wonder that IT, risk, and compliance professionals have sought ways to make their lives less complex.

After all, who wouldn’t want some form of automated process that delivers real-time data to senior executives and business-unit managers so they can better assess and manage your risks? As businesses have looked to cut costs and streamline processes, technology is often expected to provide efficiency for many of the previously manual functions performed by individuals. Enter the vendor of GRC software.

Not surprisingly, however, achieving the promise of GRC software has been elusive. Vendors’ products typically are compilations of templates from risk and compliance frameworks, such as the Committee of Sponsoring Organizations (COSO) or Control Objectives for Information and Technology (CoBIT). Homegrown programs are usually built in business silos, preventing scalable implementation across the whole enterprise—which is precisely the perspective that the C-suite needs.

Why have these systems failed to live up to the hype? What should you do to assure that if you do decide to implement a wide-ranging GRC system, you develop a process that truly addresses your risks?

Roadmap to the Future

When you decide to go down the path of implementing a GRC system, you must consider at least three questions:

What are the key issues to managing compliance, risk, and governance?

Should I build a proprietary system or buy a vendor-based application?

Do I have a comprehensive technology strategy for managing compliance?

Every company will answer those three questions differently, so let’s explore the main points of each one in turn.

Key Issues: First begin with a concise policy on the three pillars of oversight: governance, risk, and compliance. Governance is the main driver of the next two pillars, risk and compliance, so before you even start to implement a system, senior management must agree on who is responsible for governance and what that looks like. Be precise in that agreement. Is governance decentralized or centralized? How often will reporting occur? What are the critical issues and topics that must bubble up from work papers from compliance and risk management?

Lastly, you must decide how to prioritize the mitigation of critical risk and compliance issues. Without formal agreement and support of a governance framework, a GRC project may be viewed as a “compliance project” that competes for business resources during tight budgetary times. Just as bad, smaller projects might crop up across the firm that aren’t connected to the strategy set forth in the governance policy. You want a governance framework that allows for a strategy that can evolve with GRC, rather than one that exists as a collection of siloed approaches living in separate fiefdoms of the corporation.

Build or Buy: Once your governance mandate is in place, the decision of whether to buy a GRC system or build your own becomes a cost-benefit question based on meeting the directives set forth by governance. In some cases, the tools available in the Microsoft Office suite of applications are enough.

Indeed, Microsoft Excel, Word, and Access have been primary tools of the trade for years. They are accessible and easy to implement, since Microsoft Office is available at almost every PC in Corporate America. Sharing GRC data also becomes quite easy, since many employees use Microsoft Office every day and understand how the programs work.

Depending on the size of your corporation, however, you may well reach the limits of capability with MS applications. That doesn’t automatically mean you must look to outside vendors. Whether you use relational databases or non-relational databases (cloud computing, Web-based development, or other computer technology), you may have the framework for creating a GRC system that could be tied into online applications with real-time data.

Is all that still cheaper than using a vendor? That’s a complex decision that only your firm can weigh against the choice of buying from an outside vendor.

If you do decide to buy a suite or platform to integrate into your organization, consider whether the vendor can accommodate the requirements imposed by the IT department. Before you circulate any request for proposals from vendors, you absolutely must consult your IT department; this is critical. Many companies mistakenly believe that the implementation of a GRC system is the IT department’s responsibility. Wrong! A GRC system should be chosen to solve the challenges set forth in the governance policy and must be owned by those responsible for implementing the governance strategy. The IT department is critical in the process, yes—but should be used to enable the strategy, not to drive it.

GRC Technology Strategy: Strategy is defined as a plan of action intended to accomplish a specific goal. This may be the hardest part of the decision tree to solve. For example, should the GRC system provide real-time feedback on business application controls? Should supervisory controls be included in GRC front-end user interfaces? Will reporting output include trends and heat mapping, or will users need to interpret data from different output sources? Will output controls be mapped into the system, or will manual input be required to test controls? The questions here can get very granular; exactly how granular will depend on your governance policy and the limits of your system’s capability.

Future State

It’s no wonder that GRC systems have failed to deliver the promise of providing “one version of the truth”; today’s business environment and needs are too complex to provide such a simple answer to the myriad questions that inevitably arise from a well-defined governance strategy. The truth changes as business needs change, and your system must be able to keep up.

What is needed is a fully integrated system of real-time internal control, built right into business applications, with controls for supervisors based on seniority or risk limits set by management. Whenever any control is violated, the feedback should be instantaneous and transparent. Senior management should have the ability to monitor compliance from their desktop computers and to send queries about anomalies as they occur!

Am I dreaming? Well, inasmuch as compliance controls and risk management are seldom built into new system development requirements, which is what realizing this dream would require, yes, I am.

Consider a system where internal controls are built into business applications to provide real-time feedback. The technology exists in cars today! Cars that use actuated braking and distance-sensing systems (they are out there, and more are coming onto the roads every day) are essentially using risk-management systems in real-time. We must challenge the IT department to be more forward-looking and to use engineering from other disciplines to anticipate where GRC can be integrated into business applications, instead of outside the business operations platform.

GRC systems are here to stay. Over time they will provide increasingly more powerful, flexible tools to help senior executives understand their risk and compliance challenges. Whether you have a vendor-based system or build your own, I suggest that you map your strategy based on a governance plan that incorporates a future state that drives efficiency and real-time monitoring, and informs you of the key issues that present real threats to the enterprise.