GRC Technology Introduction

Industry Descriptions of GRC

Over the past decade, organizations have been using different technologies and approaches to automate their risk and compliance management functions. Technologies such as spreadsheets and word processor programs have been commonly used to provide organizations with the ability to list and track risks, controls and assessment processes, issues, and remediation. As organizations looked to improve upon the use of spreadsheets, different combinations of workflow, database and reporting technology solutions have been created to address risk and regulatory challenges. It is generally accepted that around 2002, a new marketplace acronym was created to encapsulate these technology solutions into a category called “governance, risk, and compliance” (GRC). Vendors were quick to latch on to the new market acronym as a way to position their solutions to include partial or full integration between workflow, database, and reporting capabilities packaged into an integrated platform.

Several recent studies have shown how much the GRC marketplace has grown. A study conducted by Markets and Markets (GRC market trends 2013–2018) shows the eGRC solutions (software) market is expected to grow from $3.21 billion in 2013 to $6.27 billion in 2018 at a compound annual growth rate (CAGR) of 14.3% during the forecast period. OCEG (formerly called the Open Compliance and Ethics Group) recently performed a technology strategy survey (results published January 2016) that shows 55% of those polled are going to be increasing their spending on GRC (and another 18% are keeping spending the same).

With a growing reliance upon GRC technology platforms, the next two chapters will examine how organizations are gaining value from leveraging an integrated platform. Realizing that there are many different technologies that can fall under the acronym for GRC, this chapter will focus on those solutions that are marketed and sold as integrated platforms for automating GRC functions. The authors will rely upon observations from actual GRC projects performed for clients across multiple industries in order to show common approaches used in order to gain benefits through the use of a GRC technology platform.

The topic of GRC technology can often be confusing and lack specific solution definitions. In 2002, a market analyst (or a Big 4 consultant depending on who you ask) is generally acknowledged as making the term GRC more mainstream by grouping together risk and compliance technology capabilities for comparison purposes. An early definition of GRC usually involved a blending of people, processes and software to assist with addressing regulatory (compliance) requirements.

There are many different technical capabilities that can qualify as supporting governance, risk, or compliance solutions. The challenge has been to leverage a technical capability that can enable integration across multiple people, processes, and requirements. The marketplace has evolved from providing solutions to address specific regulatory needs to a more broad-based support platform. Even though the GRC technology platform vendors (and clients) have had roughly a decade to mature their respective solutions, there is still some confusion as to what constitutes a GRC solution. Vendors, standards bodies, think tanks, and marketplace analysts have been working to provide a more formal definition for GRC. Here is a description that includes some of the more prominent definitions:

OCEG (Formerly the Open Compliance and Ethics Group)

OCEG is a global nonprofit organization that develops and provides standards, guidelines, tools, and other resources to address governance, risk, and compliance management (GRC) for organizations of all sizes. All OCEG guidance is publicly vetted and finalized following a public comment period and testing of the application of the guidance within one or more organizations. The guidance is further augmented by the development of online resource collections and toolkits that enable users to swiftly and efficiently customize and apply the guidance within their organizations. The guidance and all related resources are contained in a searchable database that OCEG member organizations can freely access. Membership in OCEG is free and can be obtained at www.oceg.org.

OCEG has developed several resources:

The GRC Capability Model (known as the Red Book) is a process model for the design, operation and evaluation of GRC programs. It is supported by several guides, such as:

At the core of OCEG’s work is a very good definition for GRC:

A capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity includes the governance, assurance, and management of performance, risk, and compliance. For OCEG, GRC is about taking an integrated approach for achieving principled performance.

OCEG’s GRC Technology Solutions Guide outlines 28 aspects of solutions that make up the GRC ecosystem as follows:
  • Audit & Assurance Management;

  • Board & Entity Management;

  • Brand & Reputation Management;

  • Business Continuity Management;

  • Compliance Management;

  • Contract Management;

  • Control Activity, Monitoring, and Assurance;

  • Corporate Social Responsibility;

  • eDiscovery Management;

  • Environmental Monitoring and Reporting;

  • Environmental Health & Safety;

  • Finance/Treasury Risk Management;

  • Fraud & Corruption Detection, Prevention & Management;

  • Global Trade Compliance;

  • Ethics Hotline/Helpline;

  • IT Risk & Security;

  • Insurance & Claims Management;

  • Intellectual Property Management;

  • Issues & Investigations Management;

  • Matter Management;

  • Physical Security & Loss Management;

  • Policy Management;

  • Privacy Management;

  • Quality Management and Monitoring;

  • Reporting & Disclosure;

  • Risk Management;

  • Strategy, Performance, and Business Intelligence;

  • Third Party/Vendor Risk and Compliance.

The Institute of Internal Auditors

The Institute of Internal Auditors (IIA) is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator. Generally, members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security.

Globally, The IIA has more than 180,000 members. The IIA in North America comprises 160 chapters serving more than 72,500 members in the USA, Canada, the Caribbean (Aruba, Bahamas, Barbados, Cayman Islands, Curacao, Jamaica, Puerto Rico, and Turks and Caicos), Bermuda, Guyana, and Trinidad and Tobago.

The IIA slightly changes the acronym definition for GRC to be, “governance, risk and control”. In August of 2010 the IIA adopted support for the OCEG definition for GRC and added that GRC is about how you direct and manage an organization to optimize performance, while considering risks and staying in compliance. IIA stated clearly:

  • GRC is NOT about Technology;

  • GRC is NOT a fad or a catchy phrase for software vendors and professional service providers to generate revenue.

The Institute of Risk Management

The Institute of Risk Management (IRM) lists on its website this definition for GRC:

GRC is a term used to describe an integrated approach to activities related to governance, risk management and compliance. Increased corporate failures and enhanced regulatory requirements have heightened corporate awareness about the value and importance of making sure these key activities are effectively designed, integrated and managed.

Prominent information technology analyst firms have performed an important service for clients by producing opinions on which GRC software vendor may be the best fit for specific use cases. While an argument can be made that those opinions may not be accurate or entirely objective, in many cases they are the only sources of information on leading GRC vendors that organizations use to select potential solutions (or that are available other than from the vendors themselves). Due to the influence that some of these analysts have with clients, it is worth noting how they have defined GRC for client consumption. Since many different market analysts cover the GRC marketplace, we will pick only a representative sample, Forrester and Gartner, to show examples of the types of definitions used to define GRC.

Forrester Research

Forrester Research describes itself as, “one of the most influential research and advisory firms in the world. We work with business and technology leaders to develop customer-obsessed strategies that drive growth. Forrester’s unique insights are grounded in annual surveys of more than 500,000 consumers and business leaders worldwide, rigorous and objective methodologies, and the shared wisdom of our most innovative clients. Through proprietary research, data, custom consulting, exclusive executive peer groups, and events, the Forrester experience is about a singular and powerful purpose: to challenge the thinking of our clients to help them lead change in their organizations” (www.forrester.com).

Analysts at Forrester were some of the earliest users of the abbreviation GRC. Forrester has been well-known for producing research and, more specifically, a product called the GRC Wave that clients can use to help make decisions about GRC software vendors. Forrester’s work in the GRC space is summarized on their website as follows: “Every organizational business function and process is governed in some way to meet objectives. Each of these objectives has risks, as well as controls that increase the likelihood of success (or minimize the impact of failure). These are the fundamental concepts of GRC. To maximize business performance, GRC programs are designed to help companies avoid major disasters and minimize the impact when avoidance is unlikely” (https://www.forrester.com/Governance-Risk-%26-Compliance-%28GRC%29).

According to Forrester, the Forrester Wave is a collection of information from vendor briefings, online demos, customer reference surveys and interviews, use of Forrester’s own demo environment for each vendor’s product, and, as per Forrester policy, multiple rounds of fact checking and review. Prior to the current iteration, the Forrester Wave was split into two distinct reports: one for enterprise GRC (eGRC) and the other for IT GRC. Trying to define the distinction between enterprise and IT GRC has added to some of the marketplace confusion around GRC platforms.

In addition to products like the GRC Wave, Forrester has started to build what it calls a GRC Playbook. The playbook gives Forrester a new way to package up important research and guides within the following categories:

  • Discover

  • Plan

  • Act

  • Optimize

The Forrester GRC Playbook was completed at the end of 2015.

Gartner

Here is the description of Gartner’s focus in the marketplace from its website:

Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. We deliver the technology-related insight necessary for our clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, we are the valuable partner to clients in approximately 10,000 distinct enterprises worldwide.

Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, we work with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 7,600 associates, including more than 1,600 research analysts and consultants, and clients in 90 countries. (www.gartner.com)

Prior to 2014, Gartner produced research for clients on the various GRC vendors in the form of MarketScope and Magic Quadrant reports. Similar in structure to Forrester’s Wave reports, the Gartner Magic Quadrant was a collection of vendor data measured against criteria that produced a ranking similar in format to the Forrester Wave.

In 2014 Gartner announced it was doing away with the MarketScope and Magic Quadrant reports and retooling its research on the GRC market to focus more on specific use cases. In a report released on May 13, 2015 entitled “Definition: Governance, Risk and Compliance”, Gartner provides this definition for GRC:

Governance, risk and compliance (GRC) is a set of practices and processes, supported by a risk aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.

In the same report, Gartner goes on to explain that, “there are a growing number of GRC software applications that automate various workflows in support of GRC goals. Through common functions such as an asset repository, regulatory mapping, survey capabilities, workflow functions and data import, GRC automation addresses multiple use cases defined by Gartner. The seven defined Gartner GRC use cases are as follows:

  • IT Risk Management

  • IT Vendor Risk Management

  • Operational Risk Management

  • Audit Management

  • Business Continuity Management Planning

  • Corporate Compliance and Oversight

  • Enterprise Legal Management.”

We are not trying to present an opinion on the merits of how the GRC marketplace is viewed or defined. The information presented here shows how many different firms view the marketplace for GRC technology platforms. As you will read in the following sections, integration of an organization’s governance, risk, and compliance (control) functions is absolutely key when it comes to gaining value from automation. Any definition that does not support leveraging an integrated technology approach is probably not going to gain much momentum in the marketplace.

GRC Scope of Coverage

An additional consideration when examining how GRC is defined is the scope of coverage for the capabilities offered by GRC platform vendors. In addition to the marketplace coverage provided by the analyst firms, GRC vendors have been positioning themselves in specific ways, which can also cause confusion when it comes time to evaluate technical capabilities. Basically, GRC vendor capabilities can be divided into three general categories:

Figure: GRC Vendor Domain Capabilities

This simplistic view of GRC vendor capabilities is starting to change as more organizations mature with their GRC processes and as vendors invest to build more integrated capabilities within their platforms.

As enterprise resource planning (ERP) vendors add more capabilities that have traditionally been found within GRC platforms, the differences between the two start to blur. Many organizations have both ERP and GRC platforms. The reasons for this are varied, but many of the ERP vendors were slow to adopt capabilities that IT needed in order to be nimbler, such as performing self-assessments, control harmonization, policy management, compliance testing and reporting, vendor risk management, vulnerability management, incident management, and several other functions.

There has been some confusion with GRC vendors in establishing their capabilities as being able to support eGRC (enterprise GRC) or IT GRC. Up until recently the distinction was focused around whether a platform would support enterprise risk management (ERM) capabilities, business performance management (BPM) and other enterprise functions, or was just focused on capabilities marketed to support IT functions (IT GRC). Market analysts, until recently, even supported two distinct views of vendors along these lines. We are now finding that as organizations have matured their GRC programs and level of integration, this distinction for technology support is diminishing.

The specialty GRC market still exists, but it is shrinking due to the development of integrated capabilities in the other two categories. Solutions that were once marketed to solve a specific challenge, such as contract management and case management, are now being integrated into GRC technology platform functionality.

The term GRC today can evoke strong feelings of support or apathy. Some practitioners feel that the term GRC is too general and does not represent anything new that organizations should be doing. The feeling is that there is no such thing as a GRC department, so undertaking projects that improve processes and technology specifically as “GRC” does not accurately represent the operations of most businesses. Organizations were leveraging automation to improve the governance, risk management, and compliance management functions before there was an integrated platform capability in the marketplace to leverage.

As shown above, it is very common for the GRC concept to be associated with technology solutions rather than as a business-oriented solutions approach. Despite the different interpretations of GRC being discussed and addressed, there is one common theme that stands out in these discussions: clients view the automation and enterprise integration of governance, risk, and compliance programs as critical areas for achieving efficiency gains, improved transparency, and better control.

GRC Program Overview

Governance, risk, and compliance solutions are often looked at through the lens of their individual definitions. While it is true that the “G”, “R”, and “C” all have established definitions from various standards bodies and practitioners, organizations still struggle to perform some tasks within and across each of these programs. GRC technology platforms can provide value independently within each of these disciplines. However, as we will describe in more detail later in this chapter, it is the ability to leverage integrated capabilities that can help an organization make truly impressive performance improvements. As a refresher, the formal definitions for each of the respective programs follow.

Governance

Corporate governance is the system of rules, practices, and processes by which organizations are directed and controlled. Corporate governance of IT is the system by which the current and future use of IT is directed and controlled. Corporate governance of IT involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using IT within an organization.

Definition from ISO 38500, Corporate Governance of Information Technology.

ISO 38500 also lists six principles that should be followed to provide good corporate governance of IT:

  • Responsibility;

  • Strategy;

  • Acquisition;

  • Performance;

  • Conformance;

  • Human Behavior.

Directors of organizations are encouraged to govern IT by using a model to evaluate, direct, and monitor. It is important to note that governance establishes the method for the organization’s processes to be managed (the “what”), but is not operational management (the “how”). ISO 38500 is a good resource for the responsibility of the board of directors in establishing the high-level requirements of governance of IT.

To apply these concepts as a GRC program that delivers value and protects against risk, typical governance functions can include the following:

  • Executive oversight;

  • Policy management;

  • Strategy;

  • Financial management;

  • Portfolio management;

  • Risk management.

One important element of an overall risk governance approach is the establishment of the three lines of defense model. Since the financial crash of 2008, the three lines of defense model has been receiving more attention as a means to promote clear accountability for risk taking, oversight, and assurance within organizations. The basic premise of the model is as follows:

  • First line of defense: functions that own risk;

  • Second line of defense: functions that oversee risks;

  • Third line of defense: independent review function (internal audit).

Many practitioners feel this model is not a good representation of how to effectively manage risk. The model is included here due to its prominence as part of the Basel Committee on Banking Supervision operational risk requirements for banks. For financial institutions, this model is a core part of a GRC program.

The use of GRC technology platforms to support functions related to governance can have a big impact on helping to track and improve the performance of the organization. There are many benefits to leveraging automation to support governance functions:

  • Provides more timely, accurate, and reliable information;

  • Enables more informed decision-making for allocating resources;

  • Saves costs by improving efficiency and reducing manpower hours needed for administrative tasks related to reporting, policy management lifecycle, and executive oversight tasks;

  • Assists in improving performance management by providing integrated processes, accountability, and reporting;

  • Supports a culture of process improvement.

Strictly from a technology support capability standpoint, there are many solutions that would fall under the governance category. Leveraging automation to support governance functions is an important and often underemphasized component of a fully integrated GRC program. Examples of governance functions that can take advantage of automation through a GRC technology platform include:

  • Whistleblower hotline tracking and monitoring;

  • Board of directors reporting;

  • Corporate strategy approval tracking;

  • Executive compensation linked to corporate performance;

  • Policy management;

  • Performance management;

  • Strategic objective monitoring;

  • Portfolio management;

  • “What-if” analysis for budgeting/resource allocation;

  • Executive dashboard and reporting.

Developing solutions to support governance functions has been relatively slow compared with other risk and compliance functions. However, applying automation to support the monitoring of corporate performance and the meeting of objectives should not be overlooked as part of a solution roadmap. In fact, it is common for us to see organizations continuing to improve their governance capabilities as they build and integrate other risk and compliance related solutions and information. As an example, we are seeing organizations link objectives with their corresponding risks as they mature in the use of a risk domain structure enabled in a risk register. Whether the risk register is populated in a bottom-up fashion (by capturing the results of risk assessments and other activities) or through a top-down approach (by facilitated sessions to capture core enterprise risks), it has the added benefit of providing better visibility into risks, objectives, and performance over time.

Also, organizations are gaining direct benefits for their governance functions through integration efforts that break down silo activity, fragmented approaches, disparate operations, duplicated efforts, and dysfunctional communication mechanisms, and that deliver other operational efficiencies.

Risk Management

There are a number of risk management standards that organizations can use to help define a formal program. A widely accepted definition from ISO 31000 states:

Risk Management aids decision making by taking account of uncertainty and its effect on achieving objectives and assessing the need for any actions.

The standard goes on to describe the following functions as part of the risk management process:

  • Establishing the context;

  • Identifying, analyzing, evaluating, and treating risk;

  • Monitoring and reviewing risk;

  • Recording and reporting the results;

  • Communication and consultation throughout the process.

ISO 31000 also defines the following principles of risk management:

  • create value—resources expended to mitigate risk should be less than the consequence of inaction;

  • be an integral part of organizational processes;

  • be part of decision-making process;

  • explicitly address uncertainty and assumptions;

  • be a systematic and structured process;

  • be based on the best available information;

  • be tailorable;

  • take human factors into account;

  • be transparent and inclusive;

  • be dynamic, iterative and responsive to change;

  • be capable of continual improvement and enhancement;

  • be continually or periodically reassessed.

However, organizations continue to struggle to achieve many of their risk management goals. Critical risk exposures continue to exist despite large investments to improve risk management capabilities. Even though risk management technology capabilities are typically marketed by GRC vendors as improving the ability to reduce or eliminate risk (or to improve the efficiency of managing risk), better visibility into risks also means organizations can take advantage of the positive aspects that risk mitigation enables in the decision-making process. This important aspect of risk management is often overlooked as organizations continue to automate some of the more mundane tasks related to finding, managing, and monitoring risks.

Risk management functions can be some of the most complex capabilities to automate consistently across the enterprise. Many functions related to risk management have been slow to leverage technology support, or are using automation in a limited capacity such as tracking enterprise risks using a spreadsheet. There are many benefits to leveraging automation to support risk management functions:

  • Better visibility into risk;

  • Enables better decision-making for leveraging risk for positive gain;

  • Can save costs by improving efficiency and reducing manpower hours needed for performing risk assessment, risk treatment, and risk monitoring tasks;

  • Provides the capability of correlating and analyzing many data sets to help identify and treat emerging risks more efficiently than manual processes;

  • Provides ability to establish and manage a risk appetite and overall risk posture that can support decision-making and investment “what if” scenario planning;

  • Supports a culture of risk awareness.

Of course, GRC technology platforms work in conjunction with improvements to people and processes. Even though there are short-term benefits to be gained by making tasks related to the risk management function more efficient and interconnected, the real value comes from improving risk management capabilities to support effective decision-making and breaking down silos within the risk management domain.

Compliance Management

Failing to understand regulatory requirements or to have the right controls and culture in place can cost organizations heavy fines and remediation efforts. Automating compliance processes was one of the early use cases for the acquisition of GRC technology platforms. Compliance management programs involve more than just managing a checklist of which controls are required by which regulations. However, until recently there has not been much guidance from standards bodies about the functions a good compliance management program should contain. It has been common to observe organizations that were managing risks through the compliance checklist approach. In other words, if an organization could prove through testing that all controls required by regulatory requirements were in place and operating effectively, those risks would be, generally speaking, in check.

Recent guidance has been released to help organizations understand leading practices associated with the compliance management function. For example, the FFIEC (Federal Financial Institutions Examination Council) Compliance Examination Manual listed the activities a compliance management system should perform as part of the overall risk management strategy of an organization as follows:

  • Learn about its compliance responsibilities;

  • Ensure that employees understand the responsibilities;

  • Ensure that requirements are incorporated into business processes;

  • Review operations to ensure responsibilities are carried out and requirements are met;

  • Take corrective action and update materials as necessary.

The International Standards Organization (ISO) has recently come out with a new international standard that provides guidance for compliance management systems (CMS). ISO 19600:2014 provides guidance for establishing, developing, implementing, evaluating, maintaining, and improving an effective and responsive compliance management system within an organization. Similar to the FFIEC guidance, the core tasks that fall within this model include:

  • Identify compliance obligations;

  • Evaluate compliance risks;

  • Define and implement measures;

  • Monitor controls;

  • Review the compliance management program continuously;

  • Manage noncompliance.

The introduction of ISO 19600 outlines the minimum guidelines and standards that are expected to be in place for a compliance program to be effective.

Compliance with an overwhelming amount of new laws, rules, and regulations continues to be one of the key driving (marketing) forces behind the growth of GRC technology solutions. Some of the biggest gains in efficiency and cost savings can be achieved by leveraging GRC technology platforms to address regulatory requirements and reporting. However, in order to obtain bigger gains in cost savings and efficiencies these technology platforms need to be paired with integrated processes and content libraries. There are many benefits to leveraging automation to support the above mentioned compliance functions:

  • A reduction in the number of controls required to manage risks;

  • Ability to risk-rationalize controls;

  • Cost savings by improving efficiency and reducing manpower hours needed for tasks related to control testing and reporting;

  • Improvement in quality of information related to risks and controls;

  • Ability to focus resources to areas of the business that need the help;

  • Provide better reporting;

  • Identify testing biases;

  • Identify patterns of exceptions that may not fit business objectives.

Integration

As GRC technology has matured, it has become easier to make a business case that clearly articulates the process improvements, efficiencies, and cost savings that can be achieved by leveraging GRC technology for specific use cases. However, just because technology can be utilized does not mean that benefits will be realized by it alone. Many of the efficiency gains and cost savings depend on solid processes, clear direction, organizational cooperation, and support from the right technical capabilities. We have seen many GRC projects fail, or simply not return the efficiency and cost savings gains that were planned, due to a lack of awareness about the role that integration plays.

The marketplace is starting to use the term “integrated” related to GRC in several different ways. There are some organizations that tout an “integrated GRC capability”. Others tout the integration that occurs between GRC programs, and still others mention integration benefits in relation to interconnecting disparate data and systems. What tends to get lost in the messaging is what is actually meant by “integration” and how additional benefits can be derived if the effort to integrate the various functions related to GRC programs can be realized.

In our experience, the term “integrated GRC” is redundant. Integration is not something you apply to your GRC programs per se, but rather drive through people, process, and technology improvements and innovation. As increased levels of integration are implemented, greater benefit can be achieved through all of the GRC functions. Ultimately, leveraging integration through the improvement of GRC processes will enable the connectivity between risks, strategy, and performance that can guide an organization to achieve its overall objectives.

The think tank OCEG has pulled together some very good guidance related to the topic of integration and its impact on driving principled performance, which is defined as a point of view and approach to business that helps organizations reliably achieve objectives while addressing uncertainty and acting with integrity. We believe OCEG is correct in guiding organizations to, “… achieve principled performance – the capabilities that integrate the governance, management and assurance of performance, risk and compliance activities” (www.oceg.org/about/what-is-grc/).

The focus on integration to improve GRC functions can be thought of in two primary ways. First, there is integration within the functions of a program itself, in order to improve existing capabilities and raise the maturity level of the program. Second, there is integration across multiple functions and programs, driving more benefit and ultimately improving GRC functions to better support corporate strategy. In both cases technology can be an enabler of these increased levels of integration, either through leveraging capabilities within the technology platform or through interconnecting other systems and data.

Examples where integration can be leveraged to improve GRC functions:

  • Process optimization. Activities can be examined and optimized for their capacity to add value and adjusted as necessary;

  • Aggregation and integration of data. Multiple data sets can be linked in order to provide better support for decision-making capabilities;

  • Increased effectiveness. The improvement to GRC functions enables more efficient use of resources to the activities where they are needed;

  • Visibility. Better data quality and reporting capabilities mean the right people are getting the data they need when they need it;

  • Culture of risk. Integration assists in breaking down silos, reducing duplication of effort, and freeing up resources to focus on more important activities;

  • Unified organizational structure. Disjointed organizational structures often force duplication of efforts and misrepresent risk and control results.

An example of how integration can play a key role by improving functions and then be leveraged to support other programs would be the establishment of an integrated control library. Establishing a harmonized set of controls is useful for streamlining the performance of risk assessment and control testing functions. Once a centralized repository is established, it can then be utilized for other programs such as new IT projects, vendor risk management, business continuity management, and others. Having a single harmonized source of regulatory requirements mapped to controls (and ultimately risks, assets, policies, etc.) can benefit many functions across multiple risk and compliance programs.

There are many examples that can show where integration amongst systems and data could be beneficial. For example, as organizations mature in their use of GRC platforms and processes, integration between the GRC technology platform and the ERP (enterprise resource planning) system could provide further benefits. While we have not seen a large demand for these types of projects yet, they are slowly starting to gain attention as organizations seek to integrate GRC with their finance functions (and merge various systems that house controls) and vendor risk management activities. Another use case that is gaining momentum in the marketplace is leveraging the integration of these systems to provide continuous controls monitoring as well.

Common GRC Technology Functionality

It is important to mention the core building blocks of an integrated GRC capability. Nearly all GRC technology platforms provide three core capabilities:

  • Database;

  • Workflow engine;

  • Analytics and reporting.

The value of GRC technology platforms over other technology solutions is that these core capabilities are all contained within an integrated technology platform. The degree to which each of these capabilities is integrated can be a source of competitive advantage among the GRC vendors. Plenty of technology solutions already exist that can provide certain levels of solution capabilities or partial integration, but GRC vendors have taken the level of integration among the three core capabilities and marketed that capability to span multiple programs and requirements. An organization could assemble best-of-breed tools in each core category and design risk and compliance solutions using that approach, but GRC technology platforms were designed out of the box to be simpler and more robust through the integration provided between data, workflow, and reporting capabilities. In the end this comparison becomes a trade-off between acquiring the best-of-breed tools within each category versus leveraging an integrated platform to address the GRC process challenges. As mentioned several times in this chapter, one size does not fit all, and it is not common to see a single integrated platform do everything an organization needs for GRC process automation.

It is these integration capabilities that form the heart of a GRC technology platform. We have separated out a few of the capabilities that are commonly used across multiple use cases due to the utility of their functionality. We will be covering different aspects of this common functionality, such as operational governance, system security, data architecture, and other capabilities later in this chapter. Common capabilities that support many of the core GRC use cases include the following.

Assessment Process

Within all GRC technology platforms is the ability to perform assessments. Some of the elements required to provide assessment capabilities include the following:

  • Link to business hierarchy. Being able to control which part of the organization is involved in responding to an assessment can assist in maintaining proper coverage. The business hierarchy provides the ability to define the right layers of the organization and also to ensure that approval workflows are designed appropriately.

  • Survey capability. Many assessments are done in a survey style, which requires a preset template of questions with set answers that can be tracked through workflow for completion milestones.

  • Questionnaire repository. Many assessment capabilities leverage pre-existing questionnaire repositories in order to give the end user the ability to formulate different types of assessments with standard questions for the topic required.

  • Scoring model for risk rating. A flexible scoring system is required in order to provide feedback for assessments. Assessment capabilities can provide scoring on a question-by-question basis and then give the end user the ability to aggregate the scores into a tiered scoring system. This capability usually supports a qualitative and quantitative (and hybrid) scoring model.

  • Workflow. The ability to direct assessment questionnaires to intended audiences and track responses is provided through workflow capabilities.

  • Link to content repository (risks, controls, etc.). Relying on content to establish assessment criteria is a central component of all GRC platforms. How this capability is performed can be a competitive differentiator for vendors. Instead of relying on a questionnaire repository for the focus of the assessment, linkage to direct content can be a more effective means of designing assessments.

  • Archive ability. Providing the ability to record the assessment results as a snapshot in time, along with the questions and associated answers over a long period of time is also a capability most GRC vendors support.

  • Presentation capability (reporting/dashboards/other). GRC vendors are increasingly building more support for different presentation platforms, including mobile capabilities. This is another significant area of competitive differentiation amongst the GRC vendors.

  • Calendar (date) function. The ability to provide automatic date milestones for the kickoff of surveys and assessments can be critical to maintaining regulatory reporting requirements.

Business Hierarchy

Almost all of the use cases built using GRC technology platforms will rely on the ability to leverage an organizational structure. The ability to put an organizational hierarchy into a GRC tool should be one of the first tasks an implementation undertakes. The impacts of the business hierarchy on many of the tasks that are supported through automation are critical to the success of the design of the system. For example, we have often worked with clients to understand the types of reports required at which level in the organization as one of the early planning stages of any GRC technology implementation. This “start with the end in mind” approach ensures that the organizational hierarchy can be leveraged to support the requirements of the solution being addressed. The ability to also link processes and other assets with the appropriate accountability (as driven through the business hierarchy) provides benefits for all tasks that are performed using the GRC technology platform.

There are several design challenges that need to be considered before implementation, such as the depth of levels used to configure the hierarchy, how the different layers roll up to a single parent entity and managing exceptions/duplicates in the hierarchy. Again, a good rule of thumb is to start with the end in mind, meaning design the reporting and accountability models that are needed and tie the organizational layers into that model.

Workflow

Workflow capabilities provide the ability to route data, forms, and processes and to enable collaboration among stakeholders by leveraging the organizational hierarchy and established security protocols and privileges. In short, it enables the automation of repetitive tasks. Workflow capabilities can vary widely among GRC vendor platforms. It is one of the capabilities that are constantly being improved as the products mature.

GRC technology vendors have been making improvements to this specific capability. Many of the GRC technology workflow improvements revolve around graphical capabilities and improving collaborations. The ability to drag and drop processes and requirements into a master workflow solution makes building routine tasks requiring workflow support fast and easy. A typical workflow capability should support the following:

  • rules-based notifications that can be automatically generated via parameters including dates;

  • ability to provide different routing mechanisms based on different inputs;

  • ability to route based on roles and responsibilities;

  • ability to support user reassignment;

  • ability to integrate multiple documents and data sets;

  • ability to provide multiple notifications and alerts;

  • ability to collaborate on a set of data and/or forms.

Analytics and Reporting

Analytics and reporting capabilities within GRC technology platforms can differ greatly. A small selection of vendors has taken the approach of creating their own analytics and reporting engines. Some vendors will use their own engines for basic reporting but rely on third-party reporting tools to provide more complex data analytics and presentations. And still another set of GRC vendors have built direct links to third-party analytics and reporting capabilities as the core analytics and reporting engine.

Regardless of which GRC technology vendor is used, reporting of results against business outcomes has been one of the major focal points of GRC platforms. As GRC technology platforms have matured, just as with workflow capabilities, demands for more flexibility, improved analytics, and better presentation capabilities increase each year. Risk aggregation by business hierarchy or product/service category is a must-have capability within GRC. The ability to leverage content-active reports, mobile platforms, and dashboarding has been driving a new set of requirements for reporting capabilities.

As mentioned within the business hierarchy section, it always helps if the reporting requirements can be captured before laying out some of the data architecture designs. We have seen too many occasions where the addition of a new GRC solution adversely impacts the existing data structure, forcing a work-around or an outright redesign of the architecture. Deciding whether to rely on the GRC technology system's internal reporting engine or to leverage a third-party solution also needs to be considered. It is not uncommon for enterprise GRC technology projects to leverage multiple reporting tools to obtain the necessary views.
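The harmonized control library, the tiered scoring model and the roll-up of assessment results by business hierarchy described above, as an added example that is not from the chapter or from any GRC product; the control ids, requirement ids, unit names, scores and tier thresholds are all constructed.

```python
"""Added illustration, not code from the chapter or any GRC vendor: a small
in-memory model of a harmonized control library mapped to regulatory
requirements, a hybrid (quantitative to qualitative) scoring model, and score
roll-up over the business hierarchy. All ids, units and scores are constructed."""
from dataclasses import dataclass, field

# Harmonized control library (constructed sample). One control can discharge
# requirements from several regulations, so a single assessment answer serves
# all of them instead of one survey per regulation.
CONTROL_LIBRARY = {
    "AC-01": {"title": "Access reviewed quarterly", "requirements": ["PCI-7.2", "GLBA-501b"]},
    "IR-01": {"title": "Incidents escalated in 24h", "requirements": ["HIPAA-164.308", "GLBA-501b"]},
    "BC-01": {"title": "Backup restore tested yearly", "requirements": ["HIPAA-164.308"]},
}

@dataclass
class Unit:
    """Node of the business hierarchy; answers maps control id -> score 1..5."""
    name: str
    answers: dict[str, int] = field(default_factory=dict)
    children: list["Unit"] = field(default_factory=list)

def tier(score: float) -> str:
    """Hybrid model: map the quantitative average onto a qualitative tier."""
    if score >= 4.0:
        return "Low"
    if score >= 2.5:
        return "Medium"
    return "High"

def collect_scores(unit: Unit) -> list[int]:
    """All question-level scores of a unit and its descendants."""
    scores = list(unit.answers.values())
    for child in unit.children:
        scores.extend(collect_scores(child))
    return scores

def rollup(unit: Unit) -> dict[str, tuple[float, str]]:
    """Average score and tier for every unit, keyed by name. A parent's figure
    includes its children, which is the per-layer view hierarchy reporting needs."""
    result: dict[str, tuple[float, str]] = {}
    for child in unit.children:
        result.update(rollup(child))
    scores = collect_scores(unit)
    if scores:
        avg = round(sum(scores) / len(scores), 2)
        result[unit.name] = (avg, tier(avg))
    else:
        result[unit.name] = (0.0, "Unassessed")  # no answers anywhere below
    return result

def requirement_coverage(answers: dict[str, int], threshold: int = 3) -> dict[str, list[str]]:
    """Controls scored at or above threshold that satisfy each requirement.
    An empty list flags a regulatory requirement with no effective control."""
    coverage: dict[str, list[str]] = {}
    for control_id, meta in CONTROL_LIBRARY.items():
        for req in meta["requirements"]:
            coverage.setdefault(req, [])
            if answers.get(control_id, 0) >= threshold:
                coverage[req].append(control_id)
    return coverage

# Constructed sample hierarchy with self-assessment answers per unit.
ENTERPRISE = Unit("Enterprise", children=[
    Unit("Retail Bank", {"AC-01": 4, "IR-01": 2},
         [Unit("Branch Ops", {"AC-01": 5, "BC-01": 3})]),
    Unit("IT", {"AC-01": 3, "IR-01": 4, "BC-01": 5}),
])

if __name__ == "__main__":
    for name, (avg, level) in rollup(ENTERPRISE).items():
        print(f"{name:12s} {avg:4.2f} {level}")
    print(requirement_coverage(ENTERPRISE.children[0].answers))
```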

GRC Use Cases (ERM/ORM/IT)

Developing a Business Case for GRC Automation

Historically, the main reasons for implementing a GRC technology platform can be broken down into two categories: increasing regulatory pressure, and the search for efficiencies and the drive to lower costs.

When GRC technology platforms were starting out they provided a marketing message to assist clients with addressing specific problems. In fact, tools were developed to help organizations address specific compliance problems, such as HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard), AML (Anti Money Laundering), or GLBA (Gramm-Leach-Bliley Act) compliance. These solutions would give users a database of questions, sometimes linked to respective controls, that could be formulated into an assessment vehicle to help show successful adherence to the mandate. Solutions have now matured into being much more supportive of integrated capabilities, for example reducing the drag on business units (especially IT) from having to respond to multiple surveys seeking the same information in order to comply with multiple laws and regulations.

Of course, there are multiple business drivers for the acquisition of GRC technology that revolve around gaining efficiencies, lowering costs, obtaining better visibility into risks, and all of the other noted benefits mentioned in the section above. Some examples of business drivers include:

  • provide a central repository of standards, policies, processes, assets, risks, and controls;

  • provide a consistent process for measuring and remediating risk;

  • provide more accurate reporting for compliance requirements;

  • provide an easier method for connecting end users to control and risk requirements via a simplified self-assessment process;

  • provide a more efficient means of aggregating and reporting risks;

  • provide a more efficient way of supporting risk and compliance functions within the three lines of defense;

  • provide more accurate, timely, and targeted information for decision-making and reporting;

  • ease the burden of document management;

  • remove redundancies and inefficient processes related to risk and compliance management;

  • enable integration with other sources of data and risk to improve performance measurement.

If you examine almost any marketing materials of a GRC technology vendor, one of the common reasons listed for purchasing their software is to help get a handle on all of the regulatory compliance mandates now and in the future. While it is true that early adopters of GRC technology platforms were looking for better ways of addressing compliance mandates, the development of integrated architectures and associated content libraries has helped improve the return on investment opportunities for this business driver. The maturing of these GRC processes has also reduced the need for separate solutions to address specific regulatory requirements. Another part of the regulatory pressure business case relates to which functions regulators focus their attention on each year. For example, in the financial services sector, regulators have focused on examining functions such as vendor risk management, enterprise risk assessment capabilities (related to GLBA, for example), and several other prominent GRC-related activities. This focus on specific GRC functions by regulators has proven to be an important driver for which use cases have been developed by the GRC vendors over time.

As mentioned above, we have found two distinct patterns in how business cases have been formulated to acquire GRC technology platforms. Many organizations have gone down the path of directing resources to solving a specific problem at that point in time. In fact, this is still a very common method used to defend the request for funding to acquire automated solutions. This “point-in-time” business case can be employed for a number of reasons, such as regulatory pressure, breach events, lack of attention over time, or other short-term pressure points. Regulatory pressure to address a problem, either through indirect means (looking at peers, discussions with leaders about future focus, etc.) or direct means (issuing mandates to address a shortcoming, such as an MRA (matter requiring attention)), is still one of the most common drivers for spending money on GRC technology platforms.

The other common approach for developing a business case involves showing how money can be saved by leveraging a GRC technology platform through process efficiencies, simplifying tasks, streamlining processes, consolidating systems, moving off old technology, or implementing other organizational changes. From our perspective as buyers and implementers of GRC vendor products, it is interesting to note the cycle that this business case method has supported for developing capabilities. Typically, an organization purchases a tool to address a specific problem, and then asks the vendor if they can build additional support for a new problem. The vendor then works with the client to build out the solution, markets the solution to other organizations, and continues to tweak the solution to provide more generic support for the challenge. Over time, the vendor gets enough traction to have a viable solution that many clients across different industries can utilize to address the specific problem. An example of this would be a GRC vendor that had only focused on “IT GRC” solutions and was then asked to expand the solution to assist with ERM.

The challenge with this process, from our biased perspective, is the lack of innovation and holistic approach that it supports. We would often be asked to help an organization reach out to other peers so that they could find out what they were doing with their GRC tools. This peer review process, coupled with industry analyst ratings for the vendors based on those same solutions, would then be used to decide if the level of process improvement or investment was adequate. We bring this up only to point out that many times it might make more sense to seek out more mature programs irrespective of industry to get a feel for new ways of approaching a particular challenge.

Additional Business Case Drivers

Additional drivers used for formulating a business case for acquiring GRC technology platforms could include some of the following:

  • Limitation of resources. Automated solutions typically help staff members reduce time doing repetitive tasks and refocus on tasks that add value to the business. Since most organizations do have limited staff to handle growing risk and compliance requirements, leveraging automation to reduce drains on time and resources is a common business case driver. However, implementation of tools creates its own need for dedicated staffing so this needs to be taken into consideration for the total cost of ownership and support.

  • Reduce ad hoc risk and compliance efforts. Many organizations force changes to their GRC processes and organizational structures through the acquisition of GRC technology. While not an ideal way of starting down the GRC automation path, acquiring GRC technology can help reduce the reliance on ad hoc information and processes through simplification and integration. This assumes a level of focus on process and people improvement BEFORE acquiring tools.

  • Data silos. Over time it is common to see many different facets of risk and compliance information reside in siloed tools and other repositories. GRC technology is a good way to start to encourage collaboration and break down the silos, moving toward an integrated model.

  • Integrated model for risk and compliance. GRC technology enables the organization to break down operational silos and integrate data for better insight into risk and compliance requirements, along with improving GRC processes and governance abilities. Ultimately, efforts invested in moving to an integrated approach will produce many benefits, such as reducing audit and regulatory scrutiny/findings along with improving overall risk visibility, enabling better decision-making.

  • Ability to mesh information into tools of your choosing. Reporting capabilities are always a big reason for looking at automation, but the exportation and linkage of data into other tools for consumption can provide long-term benefits. Organizations can use GRC technology as the hub to aggregate information and then port it into the tools of their choice for additional manipulation and presentation in reports and dashboards. This enables better quality data for all levels of interaction from regulators to the board of directors.

  • Enabling the tracking of positive risk results. A lot of attention in this chapter and from GRC vendors in general is being paid to risk from a negative (impact) perspective, but GRC technology can enable organizations to realize the positive benefits to managing uncertainty (risk) as well. More accurate and timely risk information can be disseminated to assist with better decision-making and can more accurately link risk, performance, and strategy processes.

One of the other important factors for developing a business case is to understand the overall goals and end game of what success looks like. Being able to develop a roadmap to support the achievement of those stated objectives is a good way to frame the GRC journey. The roadmap needs to encompass all of the objectives related to people, processes, and technology. A typical roadmap can help define timelines, investments, and stakeholder support required. Technology roadmaps are good for understanding architecture issues and how to physically create the necessary support mechanisms, but without a defined end goal many projects can become disjointed and lose their organizational value.
