This month, Compliance Week and the Open Compliance and Ethics Group present the third installment of our regular series, “GRC Illustrated.” The interactive series—which features visual representations of key governance, risk, and compliance initiatives—is intended to help readers understand how to put principles into practice. In this month's entry, GRC Illustrated demonstrates how technology can be leveraged to build a GRC system efficiently and take full advantage of it. Here's how:

When executives think about information technology and governance, risk management, and compliance (GRC), they tend to focus on IT-specific compliance, such as information privacy/security. Or maybe they think about automating controls for Sarbanes-Oxley compliance. But Sarbanes-Oxley and information privacy/security are not the only games in town. Companies face a laundry list of GRC requirements that only promises to get longer as time goes on.

Part III of the GRC Illustrated series is sponsored by SAP, Deloitte, and Cisco:

Sure, companies can devote time and resources to automate controls and address information privacy/security. But what about trade compliance? Or employment compliance, which is the single largest source of corporate litigation? And what about the 30 or so other major compliance areas that companies must deal with on a regular basis? And what about risk management needs? And governance needs?

Quite simply, it doesn't make sense to approach each major GRC requirement as a discrete IT project. In fact, it can be cripplingly expensive and time consuming to do so. A company that takes this type of myopic approach becomes weighed down with the demands of many isolated projects that leave GRC efforts more disjointed than ever. Even more frustrating, such an approach often leaves fissures in the IT infrastructure and makes the company vulnerable to missteps, which we all know can devastate a business, ruin its reputation, and even risk the personal freedom of its executives.

Case In Point

Thanks to a chance conversation at the water cooler, an IT professional from a major bank found that three separate compliance departments within the bank had made three separate requests for proposal for IT solutions even though most of the requirements in all three RFPs were nearly identical. This experience drove home the communication breakdowns in his own company because none of the compliance departments had coordinated their needs and nobody in IT was involved in gathering the requirements or drafting those RFPs.

The situation also illustrated the financial cost of this type of disjointed approach to meeting IT needs. Although the requirements in all three RFPs were the same, vendor responses had price tags ranging from $75,000 to $2 million to meet substantially the same requirements. But because this situation was uncovered before any purchase was made, the bank was able to select a single solution for just $100,000 plus an estimated $75,000 of staff time to integrate and customize the applications for all three departments.

Companies cannot afford to rely on chance or water-cooler chat when it comes to the technology for enabling GRC. To prevent this scenario from playing out in their companies, GRC professionals need to start working together. And they need to work with the company's chief information officer and other IT executives with the goal of developing a common infrastructure that will support the company's GRC efforts today and can absorb the demands of unknown GRC needs in the future.

Understanding The Challenge

GRC activities tend to be the least automated at most companies. Frankly, this makes some sense because most organizations are not in the GRC business. They are in the business of making cars, delivering financial services, and so on. Understandably, companies are much more apt to fund IT investments that promise to improve the supply chain, customer-relationship management, manufacturing, logistics, and other areas that are crucial to the success of the business.

Even so, executives must find a way to effectively and efficiently meet GRC commitments. Companies are operating in a new age where laws and regulations are increasingly numerous, complex, and challenging to address. This is even more true when companies are dealing with the realities of mergers and acquisitions, expanding global markets, and the constantly changing boundaries of conduct.

More importantly, today's organizations are operating in the “age of how.” Shareholders and other stakeholders are demanding that organizations be accountable not only for what they are accomplishing (financial and non-financial performance) but also for increased transparency into how they are pursuing their objectives. Even companies that resist this dynamic and attempt to control the flow of information often find that some “how” information is being disclosed by others, such as employee blogs or the news media. When information is released that way, it may not accurately depict the reality of the company's situation.

Information Needs

Governance, risk, and compliance professionals require systems that generate a “single version of the truth” and the information necessary to succeed in this new environment. This information should allow executives to answer the following key questions:

What are the major risks to the company's ability to achieve its objectives? Have any of these risks materialized? Have any assumptions about these risks changed?

What are the boundaries of business conduct?

Is the company operating within those boundaries? What is the company doing to ensure that it is operating within those boundaries?

Are there any unusual patterns of business conduct that could indicate that a risk has materialized? Are filings taking longer than usual? Are some business units out of line with others?

Are there any policy violations or red flags?

What is the status of any investigations and remedial actions? Is the company making progress in resolving these issues?

How can the company improve its system so problems are less likely to occur again and, if they do, are less likely to harm the organization?

Ideally, this information should be available on a real-time or near real-time basis so management and the board can fulfill their obligations.

GRC, Meet IT

ACTION PLAN

There are several steps companies can take to get started on developing a comprehensive IT architecture for GRC activities:

Companies need to identify and bring together all of their GRC professionals to form a leadership team that can identify all of the company's needs based on its GRC objectives and obligations. Once assembled, this group should identify and discuss the common processes that they execute, including risk assessment, control design, policy creation and dissemination, training, surveying, hotline/helpline intake, control monitoring, process assessment and audit, and case management.

With this information, the GRC leadership team can work with IT executives to define how IT can serve the GRC objectives. Together, they should identify the needs of GRC professionals including:

Data and Information Needs. Who needs to know what and when? How should information be stored, backed up, and secured?

Process and Transaction Needs. What specific GRC processes and transactions need to be facilitated and streamlined, such as filing reports and processing complaints? How can the company get rid of inefficient, ineffective, and error-prone manual processes that can increase risk?

Control and Monitoring Needs. What preventive and detective controls should be put in place to address risks? Which of these controls should be automated? How can the company automatically monitor these controls? How can the company test these controls and document that testing was completed?

Documentation and “System of Record” Needs. Every organization needs a system of record for data and other evidence that demonstrates that the company is doing the right thing, especially in the area of compliance.

Next, the company should take steps to identify how, and the degree to which, GRC needs are currently being met. This includes taking an inventory of the people, processes, and technology currently in place, the vendors that are being used, and the proprietary systems that are in place.

Using identified GRC needs and the current inventory of processes and technology, the team should identify gaps where GRC needs are not being met. Then, IT and GRC should enhance the enterprise architecture to address these needs. These changes could include using existing technology differently to turn available data into GRC-ready information, as well as building or buying new GRC-specific components, such as risk and control-mapping software.

This vision should be realized through a series of projects that gradually phase in the total solution. These projects may be owned by IT or GRC as appropriate.

Source: Open Compliance and Ethics Group

Part of the problem is that GRC professionals often do not have access to the information they need to meet existing and future GRC commitments or to meet stakeholder expectations of transparency. Most companies have not aligned their IT assets to provide management and the board with the information they need to do their jobs. In addition, few organizations have integrated GRC into core decision-making and business processes. In most companies, GRC activities are fragmented. In this context, GRC includes board processes, risk processes, and compliance processes, such as employment/labor law compliance, environmental health and safety, financial compliance, and so on. Even in the best-case scenario, responsibility for GRC requirements tends to sit with at least three different senior executives and as many as 20 or more in some companies.

By working together, a company's GRC professionals can identify ways to harmonize processes as much as possible to make it easier for all of them to leverage the same systems. When successful, GRC can operate in a manner similar to the sales organization with multiple sales forces operating on a single sales force management system.

Throughout this effort, IT should be involved to suggest solutions that can help bring GRC professionals the information they need. If GRC professionals conduct their IT planning without input from the IT organization, they are likely to make erroneous assumptions about the ease or difficulty of obtaining certain information or implementing certain solutions. It is possible that they won't understand what solutions are available or possible. If IT professionals are involved on the front end, it can help IT get a head start on planning the architecture necessary to meet GRC needs.

Every company already has some IT assets in place; the goal is for GRC professionals to work with the IT organization to figure out the best way to use those IT assets, and how to fill the gaps, to meet GRC needs.

When approached correctly, this effort can result in a GRC platform that is less complex, more efficient, and more economical than a patchwork of individual solutions. This more streamlined architecture can help companies reduce the risk of something slipping through the cracks, such as incorrect revenue recognition that might lead to an earnings restatement down the road. Instead of being overwhelmed with data, GRC professionals can develop a dashboard of metrics that enables continuous monitoring (and even continuous audit) of GRC activity and effectiveness. It allows them to make adjustments when issues are identified, rather than waiting for a problem to occur.

Conclusion

GRC commitments and requirements will not lessen in number or importance in the foreseeable future. Indeed, the importance of GRC will continue to grow. However, rather than being a burden, GRC efforts can be turned into a huge benefit for organizations that apply IT resources properly to improve the knowledge, efficiency, and integration of GRC professionals and activities throughout the organization.

Of course, this process is never really finished. Instead, it represents a cycle of continuous improvement with an IT infrastructure that must constantly evolve as GRC demands and requirements change. The goal of this effort is to build a resilient platform that will grow with the company.

For their part, GRC professionals must constantly communicate their business needs to the IT organization, much as the vice president of sales is always working with the CIO to maintain systems that help the sales force meet customer needs. Only then will companies realize the full promise of the partnership between IT and GRC.