SearchCompliance.com E-Guide (source: viewer.media.bitpipe.com/1285699467_646/1288299983...)

The Guide to GRC Frameworks and Implementation

As organizations put a GRC plan into action, it is important to consider the three individual components and how together they form a system of mutually reinforcing GRC frameworks. How can you create a system that aligns with corporate objectives while accounting for the associated risks? This E-Guide breaks down the GRC layers and their hierarchical relationship, with practical guidance on minimizing enterprise risk and maintaining regulatory compliance. Learn how gaps in your GRC systems can create risk and prevent you from building an efficient system for your organization.

Sponsored By: BWise


Table of Contents

A cohesive GRC framework can make a compliance strategy more effective

Avoid enterprise risk with compliance system controls

Resources from BWise


A cohesive GRC framework can make a compliance strategy more effective

By John Weathington, Contributor

I'm sure you've heard the term GRC, and I'm quite sure you know it stands for governance, risk and compliance. What you might not realize is how important it is for all three parts to fit together well, forming one seamless system. Having a GRC framework that demonstrates the relationship among the three parts will help you build much more effective compliance systems.

In this era of heightened security around air travel, a Nigerian terrorist successfully smuggled a PETN explosive device onto a flight bound for Detroit on Dec. 25, 2009, and came very close to accomplishing a devastating mission. U.S. Department of Homeland Security chief Janet Napolitano characterized the resulting government response as a success, proclaiming that the system worked. To be fair, she's correct -- but only if you take a very myopic perspective centered on compliance. If the scope of your system includes mitigating risk, this system did not work at all.

So, let's start from the ground up. In my view, governance, risk and compliance have a hierarchical relationship, with compliance on the bottom. In short, the goal of compliance is to make sure you're following the rules. When addressing systems of compliance, the assumption should be that you're following the rules, and the focus should be on building architecture that proves it.

First question for a GRC framework: Why am I following the rules?

The compliance architect should constantly ask, "How can I prove we're following this rule?" A robust compliance strategy will prove the rule from more than one angle. Napolitano's statement is obviously framed only from this level. What she claims is that all the proper procedures were followed -- and I'm sure they were -- but there's an obvious problem: The man still got on a plane with explosives.


So compliance is driven by risk. Napolitano is only one high-profile example of a common problem I see in corporate America: Companies follow the rules, but they never take the time to really understand why they're following the rules. The reason for following the rules, or staying in compliance, is to mitigate some risk with an unappealing effect or impact.

So when designing your system of risk, take into consideration how it relates to compliance. When you profile a risk (basically an uncertainty), characterize it with a probability, an impact and a set of probable causes. Using our terrorist example, the risk is that somebody with bad intentions will try to smuggle explosives onto the plane. I'm not sure what the probability is, but I'd say given the current climate that it's fairly moderate, and the effect is an explosion with the devastating impact of lost lives.

Because this risk has such a prominent impact, we've come up with rules, or controls, to mitigate it. As noted above, a good system of compliance will prove that these rules are being followed. When you elevate your scope from compliance to risk, you have the opportunity to mitigate impacts instead of just following rules, which is much more valuable.

Risk architects should constantly ask themselves, "How can I prevent this from happening?" If starting from compliance, to uncover the risk, the architect will ask, "What risk event is this rule trying to prevent?"

Governance at the top of a GRC framework

At the top of the hierarchy is governance. Governance is about management efficacy. It's the policies and controls that an organization has in place to ensure that its missions and goals are being accomplished. Governance is more similar in form to compliance than to risk: they're both about making sure things are done properly. The reason they're separated in the GRC framework, however, lies in their differences. Governance has more to do with the strategic objectives of the company, whereas compliance has more to do with outside concerns.

The relationship that risk has with governance is in the organization's probability of accomplishing its strategic objectives. Risks usually represent uncertain events that can derail the accomplishment of strategic objectives, thereby compromising governance. To uncover risks from governance, the architect will ask, "What can go wrong as we try to accomplish this strategic objective?" To uncover governance from risk, the architect will ask, "What strategic objective does this risk interfere with?"

In the end, the GRC architect will have a complete model from which to build the processes and data architecture into a complete GRC system. The strategic objectives of the company will spawn a governance process to make sure the objectives are met. These objectives are subject to risks, or uncertain events, that can derail them. To mitigate risk, rules are built and, subsequently, controls are put in place to make sure the rules are being followed.

Your compliance subsystem will provide the evidence that everything is happening as it should. Once framed properly and architected as a system, the three layers of a GRC framework dramatically reinforce each individual component. Overlay this framework on what you have today, and take any measures necessary to bring the three pieces together as a whole. If the plane had blown up, would it really matter that everybody was in compliance with the process?

John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco-based management consultancy.


BWise offers you an industry-leading software solution to get in control of all your Governance, Risk and Compliance (GRC) challenges, such as management of your financial controls, enterprise and operational risks and corporate (IT) governance. With our unique process-based approach, BWise turns GRC into a formidable driver of compliance cost reduction and process optimization.

Visit www.bwise.com to request a complimentary copy of the Forrester independent report.

BWise named Leader in Enterprise GRC Platforms by independent research firm*

Take control. Stay ahead.

*The Forrester Wave™: Enterprise Governance, Risk and Compliance Platforms, Q3 2009

www.bwise.com


Avoid enterprise risk with compliance system controls

By Dean Lane, Contributor

Corporations complying with the Sarbanes-Oxley Act have produced hundreds of thousands of documented compliance system controls during the past two years. A concerted effort by management and independent auditors has led to well-formed compliance controls that are aligned with corporate objectives while considering the associated risks.

The result? Defined activities that minimize enterprise risks while still achieving regulatory compliance.

Lack of compliance tools for employees

During the past two years, business drivers have forced corporations to create complex systems that demand a considerable amount of maintenance. Important, everyday tasks are often overlooked as employees track increasingly complex systems of controls. An employee must be familiar with all controls, the functions that must be performed and when they should be executed.

Common issues employees face include:

- Keeping current with compliance requirements.
- Recognizing when to execute the actions necessary for achieving compliance.
- Prioritizing controls based on their importance to the organization.
- Understanding the tests for compliance, and how to record the results.

Daily workloads are filled with controls that require action from employees in order to fulfill management requirements. These controls require hours of training to perform, schedule, follow up, review, document, archive and audit.


The result of having numerous control activities to schedule, without a supporting monitoring system that has escalation built into it, can be a lack of visibility, slippage and increased risk to the company. Remaining in a compliant state does not take into account employee workload or make allowance for a backlog.

While training is essential to keeping new control activities current, old activities may suffer and be pushed down in the queue. Loss of visibility frequently occurs and compliance controls go unattended. Equipment may not be calibrated in a timely manner, certification reviews may be late or missed, and lagging security audits leave the organization exposed to data breaches. The most recent control receiving attention may not be the highest priority, or the greatest enterprise risk.

For an organization to succeed, employees must have access to tools that can trace controls.

Lack of compliance tools for management

Managers have limited options when it comes to overseeing the status of systems that require organizing many control activities. Most systems manufacturers have developed idiosyncratic methods of managing compliance from their own perspective. With limited options and resources to bridge these differing systems, managers have become accustomed to using spreadsheets, emails and makeshift devices for tracking a vast number of compliance system controls.

Spreadsheets provide little help in integrating the actions required for maintaining compliance, managing employees and their tasks, and assessing current risk levels.

Common issues managers face include:

- Tracking the productivity of employees responsible for control activity execution.
- Identifying the status of key business process control activities at all times.
- Training employees on the business processes and systems that require compliance.
- Verifying that schedules are kept and activities are consistently performed.
- Verifying that documentation standards for completed controls are met.


Surprisingly, paper systems are the norm for following most compliance requirements. Managers often use paper systems rather than automated forms because of the vast number of one-off needs. Systems and data are kept in silos, typically organized by department, making it difficult for executives to access necessary information.

Internal policies are often managed reactively; only when processes fail is their effectiveness evaluated. Such ad hoc policy management allows the most important systems to be overlooked. There is little opportunity for creating systems that are predictive and preventive. The result is that management loses necessary agility.

Solution requirements for compliance system controls

A number of software solution providers are responding to the need for comprehensive compliance systems, but they fall short of providing a holistic approach. A solution may address one business process (enterprise resource planning, security, etc.) and provide excellent compliance reports and audit trails, yet neglect the other applications and regulations that organizations face.

Regardless of the system, the requirements for a compliance solution should remain the same:

- Manage the standards and controls across business units and processes.
- Create and preserve an audit trail that is secure, easily accessible and verifiable.
- Deploy notifications so the enterprise is proactive and preventive in its actions.
- Feature an easily accessed portal with an executive dashboard that has drill-down capability.
- Provide a single system to support compliance efforts with the greatest speed and at the lowest cost.

Dean Lane is principal of Office of the CIO. He can be reached at [email protected]


Resources from BWise

Forrester Wave report from BWise

The Value of Process Management in GRC

Regulatory Risk and Compliance

About BWise

BWise is the leader in Governance, Risk and Compliance software. BWise delivers solutions to help organizations get in control by increasing accountability; strengthening financial and operational efficiencies; and maximizing performance and ROI.