An integrated approach to governance, risk, and compliance will not work without an IT infrastructure to support it; after all, take the wiring out of your Maserati and see how much good its fine-tuned Italian engineering does.

Similarly, without information systems designed to move data where they're needed, when they're needed, GRC personnel cannot form a clear, three-dimensional, enterprise-wide picture of an organization's challenges and opportunities. In other words, they cannot turn data into knowledge if the data aren't where they're supposed to be—and in a format that has meaning.

Creating the kind of IT backbone that supports integrated GRC activities is not easy; it involves a number of focused, difficult tasks that must be approached in a coordinated manner. The effort is worthwhile, though, because each aspect of the underlying GRC capability—assessment, prevention, detection, resolution, and measurement—can be managed better with a better IT infrastructure behind it. And the entire GRC system benefits from a coordinated view of the organization's data as well.

A common approach to risk assessment, for example, can only be achieved with well-designed IT behind it. This will help to streamline the GRC process itself and, more importantly, make it possible to prioritize risks and allocate capital across the business. Technology can be used to help prevent adverse events from occurring by facilitating workflow, managing information, managing documents, and tracking employee participation in training. Using IT for GRC-related detection activities is also especially productive. Because adverse events are detected using a number of channels and techniques, it's important to store information about them in a common repository or in separate repositories that can be analyzed together for patterns.

And IT is critical to problem resolution, of course. It can help manage the workflow associated with investigations—including how an issue is routed, how it is escalated, and whether it is treated as legally privileged. Just imagine trying to accomplish meaningful process improvement without a coordinated approach to, and integrated view of, the problem or problems being solved. By integrating information and analysis from multiple data sources, an enterprise can zero in on high-priority target areas for process improvement that may cut across departments, functions, and business units.

But while some individual elements of crafting a GRC IT backbone are even more complicated than they sound, the task overall is far simpler (conceptually, at least) than many organizations may realize. The point is not to add layer after layer of new IT; rather, constructing a GRC backbone is about analyzing opportunities to simplify existing IT and about leveraging existing IT investments.

“Unnecessary complexity is the bane of business,” emphasizes Lee Dittmar, partner at Deloitte Consulting. “Leveraging common information, processes, and systems, when done right, is more efficient and effective.” And, he points out, doing so works best when an organization maximizes its investment in enterprise systems by incorporating enterprise information into desktop widgets, dashboards, and e-mail programs. That way, the data in the system are the same data you've been using; they're just being used better, because they're consistent and protected across all applications and access points. Future IT system upgrades become part of the solution, not another problem.

Design Principles

When applying IT to GRC, consider the following principles:

INTEGRATION. It is unlikely that a single application can enable all GRC activities. Integrate existing and new technologies to create the “GRC Backbone.” The GRC Backbone should integrate with existing business applications such as Enterprise Resource Planning (ERP), Human Capital Management (HCM), Customer Relationship Management & Sales (CRM), and other systems that run the business.

SIMPLIFICATION. Analyze opportunities to simplify the architecture and use common components to enable multiple risk areas.

REUSE. Leverage existing investments where appropriate. Buy or build new systems only when necessary.

AUTOMATION. Automate activities where there are repetitive or complex tasks. Be careful what you automate. Some GRC activities require human judgment.

INFORMATION. Sharing information about performance, risks, controls, incidents, and resolution is fundamental to GRC. The ability to analyze this information alongside business information is the essence of what GRC is about.

IT/GRC Action Plan

There are several steps companies can take to get started toward development of the GRC Backbone.

1. Leadership. Companies need to identify and bring together all of their GRC professionals to form a leadership team that can identify all of the company's needs based on its GRC objectives and obligations. Once assembled, this group should identify and discuss the common processes that they execute, including risk assessment, preventative activities, control design, policy creation and dissemination, training, surveying, detective activities, hotline/helpline intake, control monitoring, process assessment and audit, investigations, and case management.

2. Map Needs. With this information, the GRC leadership team can work with IT executives to define how IT can serve GRC objectives. Together, they should identify the needs of GRC professionals including:

Information Needs. Who needs to know what and when? How should information be stored, backed up, and secured?

Process Needs. What specific GRC processes and transactions need to be facilitated and streamlined, such as filing reports and processing complaints? How can the company get rid of inefficient, ineffective, and error-prone manual processes that can increase risk?

Control and Monitoring Needs. What preventative and detective controls should be put in place to address risks? Which of these controls should be automated? How can the company automatically monitor these controls? How can the company test these controls and document that testing was completed?

“System of Record” Needs. Every organization needs a system of record for data and other evidence that demonstrates that the company is doing the right thing, especially in the area of compliance.

3. As-Is Analysis. Next, the company should take steps to identify how, and the degree to which, GRC needs are currently being met. This includes taking an inventory of the people, processes, and technology currently in place, the vendors that are being used, and the proprietary systems that are in place.

4. To-Be Definition. Using identified GRC needs and the current inventory of processes and technology, the team should identify gaps where GRC needs are not being met. Then, IT and GRC should enhance the enterprise architecture to address these needs. These changes could include using existing technology differently to turn available data into GRC-ready information, as well as building or buying new GRC-specific components, such as risk and control mapping software.

5. Execution. This vision should be realized through a series of projects that gradually phase in the total solution. These projects may be owned by IT or GRC as appropriate.

When IT is applied to GRC in a comprehensive, integrated way, business performance can be understood in the context of risks and requirements. And, just as important, GRC can be managed in the context of real business issues and priorities.