IT AND GRC: A CRUCIAL PARTNERSHIP

by Scott L. Mitchell

Companies cannot afford to rely on chance or watercooler chat when it comes to coordinating technology purchases for enabling GRC. GRC professionals need to start working together. And they need to work with the company’s chief information officer and other IT executives to develop a common infrastructure that will support the company’s current GRC efforts as well as absorb future GRC demands.

When executives think about information technology and governance, risk management and compliance, they tend to focus on IT-specific compliance such as information privacy/security. Or perhaps they think about automating controls for Sarbanes-Oxley compliance. But Sarbanes-Oxley and information privacy/security are not the only games in town. Companies face a laundry list of GRC requirements that only promises to get longer.

Sure, companies can devote time and resources to automate controls and address information privacy/security. But what about employment compliance, which is the single largest source of corporate litigation? And what about other compliance areas that companies must deal with on a regular basis? And what about risk management needs? Governance needs?

It simply doesn’t make sense to approach each major GRC requirement as a discrete IT project. In fact, it can be cripplingly expensive and time-consuming to do so. A company that takes this myopic approach becomes weighed down with the demands of many isolated projects that leave GRC efforts more disjointed than ever.

Learning at the Water Cooler
Thanks to a chance conversation at the water cooler, an IT professional from a major bank learned that three separate compliance departments within the bank had made three separate requests for IT solutions, even though most of the requirements in all three RFPs were nearly identical.

Vendor responses had price tags ranging from $75,000 to $2 million. But because this situation was uncovered before a purchase was made, the bank was able to select a single solution for just $100,000 plus an estimated $75,000 of staff time to integrate and customize the applications for all three departments.

Key Questions

Governance, risk, and compliance professionals require systems that generate a “single version of the truth” and the information necessary to succeed in this new environment. Ideally, this information should be available on a real-time or near real-time basis. Executives need to address the following key questions:

• What are the major risks to the company’s ability to achieve its objectives? Have any of these risks materialized? Have any assumptions about these risks changed?
• What are the boundaries of business conduct? Is the company operating within those boundaries? What is the company doing to ensure that it is operating within those boundaries?
• Are there any unusual patterns of business conduct that could indicate that a risk has materialized? Are filings taking longer than usual? Are some business units out of line with others? Are there any policy violations or red flags?
• What is the status of any investigations and remedial actions? Is the company making progress in resolving these issues? How can the company improve its system so problems are less likely to occur again and, if they do, are less likely to harm the organization?

A New Age
GRC activities tend to be the least automated in most companies. Even so, executives must find a way to meet GRC commitments. Today’s organizations operate in the “age of how.” Shareholders and other stakeholders demand that organizations be accountable not only for what they are accomplishing (financial and non-financial performance) but also for increased transparency. Even companies that resist this dynamic and attempt to control the flow of information often find that some “how” information is disclosed by others, such as employee blogs or the media, and not always accurately.

GRC, Meet IT
Most companies have not properly aligned their IT assets or integrated GRC into core decision-making and business processes. Even in the best-case scenario, responsibility for GRC requirements tends to sit with at least three and as many as 20 or more different senior executives. By working together, a company’s GRC professionals can identify ways to harmonize processes that can leverage the same systems. Throughout this effort, IT can suggest solutions that will provide GRC professionals with the needed information. If GRC professionals conduct IT planning without IT input, they may make erroneous assumptions about the ease or difficulty of obtaining certain information or implementing certain solutions. They may not understand what solutions are available or possible. Having IT professionals involved on the front end can help IT get a head start on planning the architecture necessary to meet GRC needs.

IT/GRC Action Plan

1. Companies need to identify and bring together their GRC professionals to form a leadership team to identify the company’s needs based on its GRC objectives and obligations. This group should identify and discuss the common processes that they execute, including risk assessment, control design, policy creation and dissemination, training, surveying, hotline/helpline intake, control monitoring, process assessment and audit and case management.

2. With this knowledge, the GRC leadership team can work with IT executives to define how IT can serve GRC objectives. Together, they can identify the GRC needs, including data and information needs. Who needs to know what and when? How should information be stored, backed up and secured?

• Process and Transaction Needs. What specific GRC processes and transactions need to be facilitated and streamlined, such as filing reports and processing complaints? How can the company get rid of inefficient, ineffective and error-prone manual processes that can increase risk?
• Control and Monitoring Needs. What preventive and detective controls should be put in place to address risks? Which of these controls should be automated? How can the company automatically monitor these controls? How can the company test these controls and document that testing was completed?
• Documentation and “System of Record” Needs. Every organization needs a system of record for data and other evidence that demonstrates that the company is doing the right thing, especially in the area of compliance.

3. Next, the company should take steps to identify how, and the degree to which, GRC needs are being met. This includes taking an inventory of the people, processes and technology currently in place, vendors that are being used and proprietary systems that are in place.

4. Using identified GRC needs and the inventory of processes and technology, the team should identify where GRC needs are not being met. Then, IT and GRC should enhance the enterprise architecture to address these needs. These changes could include using existing technology differently to turn available data into GRC-ready information, as well as building or buying new GRC-specific components, such as risk and control mapping software.

5. This vision should be realized through a series of projects that gradually phase in the total solution. These projects may be owned by IT or GRC as appropriate.
Every company already has some IT assets in place; the goal is for GRC professionals to work with the IT organization to figure out the best way to use those assets and how to fill the gaps to meet GRC needs. This effort can result in a GRC platform that is less complex, more efficient and more economical than a patchwork of individual solutions. Instead of being overwhelmed with data, GRC professionals can develop a dashboard of metrics that enables continuous monitoring and even continuous audit of GRC activity and effectiveness. It allows them to make adjustments when issues are identified, rather than waiting for a problem to occur.

From Burden to Benefit
GRC commitments and requirements will not lessen in number or importance in the foreseeable future. However, rather than being a burden, GRC efforts can be turned into a huge benefit for organizations that properly apply IT resources to improve the knowledge, efficiency and integration of GRC professionals and activities.

Of course, this process is never really finished. Instead, it is a cycle of continuous improvement with an IT infrastructure that must constantly evolve as GRC demands and requirements change. The goal is to build a resilient platform that will grow with the company.
Scott L. Mitchell is the Chairman and CEO of OCEG. www.oceg.org

This article and the IT Roadmap for GRC are part of an ongoing series: GRC Illustrated, which is jointly presented by OCEG and Compliance Week.