The Guide to GRC Frameworks and Implementation


E-Guide: The Guide to GRC Frameworks and Implementation

As organizations put into action a plan for GRC, it's important to consider the three individual components and how they create a system of reinforced GRC frameworks. How can you create a system that aligns with corporate objectives while considering associated risks? This E-Guide breaks down the GRC layers and their hierarchical relationship, with vital solutions for minimizing enterprise risk and maintaining regulatory compliance. Learn how loopholes in your GRC systems can lead to risk and prevent you from creating an efficient system for your organization.

Sponsored By:

Table of Contents

- A cohesive GRC framework can make a compliance strategy more effective
- Avoid enterprise risk with compliance system controls
- Resources from BWise

A cohesive GRC framework can make a compliance strategy more effective

By John Weathington, Contributor

I'm sure you've heard the term GRC, and I'm quite sure you know it stands for governance, risk and compliance. What you might not realize is how important it is for all three parts to fit together well, forming one seamless system. Having a GRC framework that demonstrates the relationship among the three parts will help you build much more effective compliance systems.

In this era of heightened security around air travel, a Nigerian terrorist successfully smuggled a liquid explosive onto a flight bound for Detroit on Dec. 25, 2009, and came very close to accomplishing a devastating mission. U.S. Department of Homeland Security chief Janet Napolitano characterized the resulting government response as a success, proclaiming that the system worked. To be fair, she's correct -- but only if you have a very myopic perspective centered on compliance. If the scope of your system includes mitigating risk, this system did not work at all.

So, let's start from the ground up. In my view, governance, risk and compliance have a hierarchical relationship, with compliance at the bottom. In short, the goal of compliance is to make sure you're following the rules. When addressing systems of compliance, the assumption should be that you're following the rules, and the focus should be on building architecture that proves it.

First question for a GRC framework: Why am I following the rules?

The compliance architect should constantly ask, "How can I prove we're following this rule?" A robust compliance strategy will prove the rule from more than one angle. Napolitano's statement is obviously framed only from this level. What she claims is that all the proper procedures were followed -- and I'm sure they were -- but there's an obvious problem: The man still got on a plane with explosives.

So compliance is driven by risk. Napolitano's is only one high-profile example of a common problem I see in corporate America: Companies follow the rules, but they never take the time to really understand why they're following the rules. The reason for following the rules, or staying in compliance, is to mitigate some risk with an unappealing effect or impact. So when designing your system of risk, take into consideration how it relates to compliance.

When you profile a risk (basically an uncertainty), characterize it with a probability, an impact and a set of probable causes. Using our terrorist example, the risk is that somebody with bad intentions will try to smuggle explosives onto the plane. I'm not sure what the probability is, but I'd say given the current climate that it's fairly moderate, and the effect is an explosion with the devastating impact of lost lives. Because this risk has such a prominent impact, we've come up with rules, or controls, to mitigate it. As noted above, a good system of compliance will prove that these rules are being followed.

When you elevate your scope from compliance to risk, you have the opportunity to mitigate impacts instead of just following rules, which is much more valuable. Risk architects should constantly ask themselves, "How can I prevent this from happening?" If starting from compliance, to uncover the risk, the architect will ask, "What risk event is this rule trying to prevent?"

Governance at the top of a GRC framework

At the top of the hierarchy is governance. Governance is about management efficacy. It's the policies and controls that an organization has in place to ensure that its missions and goals are being accomplished. Governance is more similar in form to compliance than to risk. They're both about making sure things are done properly. The reasons why they're separated in the GRC framework, however, lie in their differences. Governance has more to do with the strategic objectives of the company, whereas compliance has more to do with outside concerns.

The relationship that risk has with governance is in the organization's probability of accomplishing its strategic objectives. Risks usually represent uncertain events that can derail the accomplishment of strategic objectives, thereby compromising governance. To uncover risks from governance, the architect will ask, "What can go wrong as we try to accomplish this strategic objective?" To uncover governance from risk, the architect will ask, "What strategic objective does this risk interfere with?"

In the end, the GRC architect will have a complete model from which to build the processes and data architecture into a complete GRC system. The strategic objectives of the company will spawn a governance process to make sure the objectives are met. These objectives are subject to risks, or uncertain events, that can derail them. To mitigate risk, rules are built and, subsequently, controls are put in place to make sure the rules are being followed. Your compliance subsystem will provide the evidence that everything is happening as it should.

Once framed properly and architected as a system, the three layers of a GRC framework dramatically reinforce each individual component. Overlay this framework on what you have today, and take any measures necessary to bring the three pieces together as a whole. If the plane did blow up, does it really matter that everybody was in compliance with the process?

John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco-based management consultancy.
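The linked model the article describes (objectives spawn risks, risks spawn rules, rules are enforced by controls, controls produce evidence) can be made concrete as a small graph in which each of the architect's questions is a lookup, and any item with no link to the layer below it is one of the loopholes the guide warns about. The following is an added example, not code from the article or its author; the class, method names, identifiers and the probability/impact wording are all constructed for illustration.

```python
"""Linked GRC model: objectives -> risks -> rules -> controls -> evidence.

Added illustration of the hierarchy the article describes; not code from the
article or its author. Identifiers and sample data are constructed, and the
probability/impact scales are assumed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set


class GRCModel:
    """Each layer links upward to the layer it serves, so the architect's
    questions become graph lookups and unlinked items surface as gaps."""

    def __init__(self) -> None:
        self.objectives: Dict[str, str] = {}
        self.risks: Dict[str, dict] = {}
        self.rules: Dict[str, str] = {}
        self.controls: Dict[str, str] = {}
        self.evidence: Dict[str, List[str]] = defaultdict(list)
        self.risk_threatens: Dict[str, Set[str]] = defaultdict(set)    # risk -> objectives
        self.rule_mitigates: Dict[str, Set[str]] = defaultdict(set)    # rule -> risks
        self.control_enforces: Dict[str, Set[str]] = defaultdict(set)  # control -> rules

    def add_objective(self, oid: str, desc: str) -> None:
        self.objectives[oid] = desc

    def add_risk(self, rid: str, desc: str, probability: str, impact: str,
                 causes: Iterable[str], threatens: Iterable[str]) -> None:
        # A risk is profiled by probability, impact and probable causes, and
        # must be tied to at least one objective it can derail.
        self.risks[rid] = {"desc": desc, "probability": probability,
                           "impact": impact, "causes": list(causes)}
        for oid in threatens:
            if oid not in self.objectives:
                raise KeyError(f"unknown objective {oid}")
            self.risk_threatens[rid].add(oid)

    def add_rule(self, rule_id: str, desc: str, mitigates: Iterable[str]) -> None:
        self.rules[rule_id] = desc
        for rid in mitigates:
            if rid not in self.risks:
                raise KeyError(f"unknown risk {rid}")
            self.rule_mitigates[rule_id].add(rid)

    def add_control(self, cid: str, desc: str, enforces: Iterable[str]) -> None:
        self.controls[cid] = desc
        for rule_id in enforces:
            if rule_id not in self.rules:
                raise KeyError(f"unknown rule {rule_id}")
            self.control_enforces[cid].add(rule_id)

    def add_evidence(self, cid: str, ref: str) -> None:
        if cid not in self.controls:
            raise KeyError(f"unknown control {cid}")
        self.evidence[cid].append(ref)

    # --- The questions the article's architect asks, as lookups ---
    def risk_events_prevented_by(self, rule_id: str) -> Set[str]:
        """Compliance -> risk: what risk event is this rule trying to prevent?"""
        return set(self.rule_mitigates.get(rule_id, set()))

    def objectives_interfered_with(self, rid: str) -> Set[str]:
        """Risk -> governance: what strategic objective does this risk interfere with?"""
        return set(self.risk_threatens.get(rid, set()))

    def what_can_go_wrong(self, oid: str) -> Set[str]:
        """Governance -> risk: what can go wrong as we pursue this objective?"""
        return {rid for rid, objs in self.risk_threatens.items() if oid in objs}

    def how_is_it_proven(self, rule_id: str) -> Dict[str, List[str]]:
        """Risk -> compliance: which controls enforce this rule, with what evidence."""
        return {cid: list(self.evidence.get(cid, []))
                for cid, rules in self.control_enforces.items() if rule_id in rules}

    def find_loopholes(self) -> Dict[str, List[str]]:
        """An item with nothing linked to it from the layer below is a gap."""
        threatened = set().union(*self.risk_threatens.values())
        mitigated = set().union(*self.rule_mitigates.values())
        enforced = set().union(*self.control_enforces.values())
        return {
            "objectives_without_risks": sorted(o for o in self.objectives if o not in threatened),
            "risks_without_rules": sorted(r for r in self.risks if r not in mitigated),
            "rules_without_controls": sorted(r for r in self.rules if r not in enforced),
            "controls_without_evidence": sorted(c for c in self.controls if not self.evidence.get(c)),
        }


def build_sample_model() -> GRCModel:
    # Constructed sample data loosely following the article's air-travel example.
    m = GRCModel()
    m.add_objective("O1", "Passengers reach their destination safely")
    m.add_objective("O2", "Keep average checkpoint wait under 20 minutes")
    m.add_risk("R1", "Prohibited explosive material carried aboard",
               probability="moderate", impact="catastrophic",
               causes=["screening procedure not followed", "screening equipment limitation"],
               threatens=["O1"])
    m.add_rule("RULE1", "Screen every passenger and carry-on item", mitigates=["R1"])
    m.add_rule("RULE2", "Limit liquids in carry-on baggage", mitigates=["R1"])
    m.add_control("C1", "Checkpoint screening procedure, logged per flight", enforces=["RULE1"])
    m.add_evidence("C1", "screening-log-2009-12-25")
    return m


if __name__ == "__main__":
    model = build_sample_model()
    print("RULE1 prevents:", model.risk_events_prevented_by("RULE1"))
    print("R1 interferes with:", model.objectives_interfered_with("R1"))
    print("loopholes:", model.find_loopholes())
```

In the sample, `find_loopholes()` reports that objective `O2` has had no risk assessed against it and that `RULE2` exists on paper with no control enforcing it; those are exactly the conditions under which an organization can be "in compliance" with every documented control and still fail to mitigate the risk.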

BWise named Leader in Enterprise GRC Platforms by independent research firm*

Take control. Stay ahead.

BWise offers you an industry-leading software solution to get in control of all your Governance, Risk and Compliance (GRC) challenges, such as management of your financial controls, enterprise and operational risks and corporate (IT) governance. With our unique process-based approach, BWise turns GRC into a formidable driver of compliance cost reduction and process optimization. Visit to request a complimentary copy of the Forrester independent report.

*The Forrester Wave: Enterprise Governance, Risk and Compliance Platforms, Q

Avoid enterprise risk with compliance system controls

By Dean Lane, Contributor

Corporations complying with the Sarbanes-Oxley Act have produced hundreds of thousands of documented compliance system controls during the past two years. A concerted effort by management and independent audits has led to well-formed compliance controls that are aligned with corporate objectives while considering associated risks. The results? Defined activities that minimize enterprise risks while still achieving regulatory compliance.

Lack of compliance tools for employees

During the past two years, business drivers have forced corporations to create complex systems that demand a considerable amount of maintenance. Important, everyday tasks are often overlooked as employees track more complex systems of controls. An employee must be familiar with all controls, the functions that must be performed and when they should be executed. Common issues employees face include:

- Keeping current with compliance requirements.
- Recognizing when to execute the actions necessary for achieving compliance.
- Prioritizing controls based on their importance to the organization.
- Understanding the tests for compliance, and how to record the results.

Daily workloads are filled with controls that require action from employees in order to fulfill management requirements. These controls require hours of training to perform, schedule, follow up on, review, document, archive and audit.

The result of having numerous control activities to schedule, without a supporting monitoring system that has escalation built into it, can be a lack of visibility, slippage and increased risk to the company. Remaining in a compliant state does not take into account employee workload or allow for a backlog. While training is essential to keeping new control activities current, old activities may suffer and be pushed down in the queue. Loss of visibility frequently occurs and compliance controls go unattended. Equipment may not be calibrated in a timely manner, certification reviews may be late or missed, and lagging security audits leave the organization exposed to data breaches. The control most recently receiving attention may not be the highest priority, or the greatest enterprise risk. For an organization to succeed, employees must have access to tools that can trace controls.

Lack of compliance tools for management

Managers have limited options when it comes to overseeing the status of systems that require organizing many control activities. Most systems manufacturers have developed idiosyncratic methods of managing compliance from their own perspective. With limited options and resources to bridge these differing systems, managers have become accustomed to using spreadsheets, e-mails and makeshift devices for tracking a vast number of compliance system controls. Spreadsheets provide little help in integrating the actions required for maintaining compliance, managing employees and their tasks, and assessing current risk levels. Common issues managers face include:

- Tracking the productivity of employees responsible for control activity execution.
- Identifying the status of key business process control activities at all times.
- Training employees on the business processes and systems that require compliance.
- Verifying that schedules are kept and activities are consistently performed.
- Verifying that documentation standards for completed controls are met.

Surprisingly, paper systems are the norm for following most compliance requirements. Managers often use paper systems rather than automated forms because of the vast number of one-off needs. Systems and data are kept in silos, where they are typically organized by department, making it difficult for executives to access necessary information. Internal policies are often managed reactively; only when processes fail is their effectiveness evaluated. Such ad hoc policy management allows the most important systems to be overlooked. There is little opportunity for creating systems that are predictive and preventive. This results in management losing necessary agility.

Solution requirements for compliance system controls

A number of software solution providers are responding to the need for comprehensive compliance systems, but they fall short in providing a holistic approach. The solutions may address one business process (enterprise resource planning, security, etc.) and provide excellent compliance reports and audit trails but neglect to consider other applications and regulations that organizations face. Regardless of the system, the requirements for a compliance solution should remain the same:

- Manage the standards and controls over business units and processes.
- Create and preserve an audit trail that is secure, easily accessible and verifiable.
- Deploy notifications so the enterprise is proactive and preventive in its actions.
- Feature an easily accessed portal with an executive dashboard that has drill-down capability.
- Include a single system to support compliance efforts with the greatest speed and at the lowest cost.

Dean Lane is principal of Office of the CIO. He can be reached at dlane@oocio.com.
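Two of the requirements above, a monitoring system with escalation built in (so overdue controls do not silently slip down the queue) and an audit trail that is verifiable, can be shown together in a small control-activity monitor. The following is an added example, not code from the article, its author or any vendor mentioned in this guide; the control identifiers, owners, dates, evidence references and escalation thresholds are all constructed for illustration, and the hash-chained log is one common way to make an append-only trail tamper-evident, not a description of any particular product.

```python
"""Control-activity monitor with overdue escalation and a verifiable audit trail.

Added illustration; not code from the e-guide, its authors or any vendor named
in it. Control identifiers, owners, dates and evidence references are
constructed sample data, and the escalation thresholds are assumed.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    """One compliance control activity, its owner, due date and priority."""
    control_id: str
    description: str
    owner: str
    due: date
    priority: int                       # 1 = greatest enterprise risk if missed
    completed_on: Optional[date] = None


@dataclass
class AuditTrail:
    """Append-only log in which every entry commits to the previous entry's
    digest, so a later edit or removal of an interior entry fails verification."""
    entries: List[Dict] = field(default_factory=list)

    @staticmethod
    def _digest(entry: Dict) -> str:
        # Canonical JSON (sorted keys, dates rendered as ISO strings) so the
        # same entry always produces the same digest.
        raw = json.dumps(entry, sort_keys=True, default=str).encode()
        return hashlib.sha256(raw).hexdigest()

    def record(self, event: str, **details) -> Dict:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "event": event,
                 "details": details, "prev": prev}
        entry["digest"] = self._digest(entry)   # digest covers seq, event, details, prev
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "digest"}
            if (entry["seq"] != i or entry["prev"] != prev
                    or entry["digest"] != self._digest(body)):
                return False
            prev = entry["digest"]
        return True


def complete_control(control: Control, on: date, evidence_ref: str,
                     audit: AuditTrail) -> None:
    """Mark a control done and record the evidence reference for auditors."""
    control.completed_on = on
    audit.record("completed", control_id=control.control_id,
                 owner=control.owner, on=on, evidence_ref=evidence_ref)


def escalate(controls: List[Control], today: date, audit: AuditTrail,
             warn_days: int = 3) -> List[Tuple[str, str]]:
    """Walk open controls in priority order and emit a notification level for
    each that is due soon or overdue. Overdue priority-1 controls escalate past
    the owner to management. Each notification is itself written to the trail."""
    notices: List[Tuple[str, str]] = []
    for c in sorted(controls, key=lambda c: (c.priority, c.due)):
        if c.completed_on is not None:
            continue
        days_left = (c.due - today).days
        if days_left < 0:
            level = "ESCALATE_TO_MANAGEMENT" if c.priority == 1 else "OVERDUE"
        elif days_left <= warn_days:
            level = "DUE_SOON"
        else:
            continue
        audit.record("notification", control_id=c.control_id, owner=c.owner,
                     level=level, days_to_due=days_left)
        notices.append((level, c.control_id))
    return notices


def build_sample_controls() -> List[Control]:
    # Constructed sample register; not real controls, systems or people.
    return [
        Control("SOX-ITGC-01", "Quarterly privileged-access review", "alice", date(2024, 3, 31), 1),
        Control("SEC-AUD-07", "Annual external security audit", "bob", date(2024, 4, 2), 1),
        Control("HR-CERT-03", "Staff certification renewal review", "dave", date(2024, 4, 4), 2),
        Control("OPS-CAL-12", "Lab equipment calibration", "carol", date(2024, 4, 20), 3),
    ]


def run_demo(today: date = date(2024, 4, 3)) -> Tuple[List[Tuple[str, str]], AuditTrail]:
    controls = build_sample_controls()
    audit = AuditTrail()
    complete_control(controls[0], date(2024, 3, 29), "access-review-2024Q1.pdf", audit)
    return escalate(controls, today, audit), audit


if __name__ == "__main__":
    notices, audit = run_demo()
    for level, cid in notices:
        print(f"{level:24} {cid}")
    print("audit trail intact:", audit.verify())
```

With the sample register and a "today" of 2024-04-03, the overdue security audit escalates to management while the certification review gets a due-soon notice, and the completed access review is not nagged about. The chain catches any later edit to an earlier entry (changing the evidence reference of the completion record makes `verify()` fail), but it cannot by itself detect truncation of the newest entries; a real system would anchor the latest digest somewhere the operators of the log cannot rewrite.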

Resources from BWise

- Forrester Wave report from BWise
- The Value of Process Management in GRC
- Regulatory Risk and Compliance

About BWise

BWise is the leader in Governance, Risk and Compliance software. BWise delivers solutions to help organizations get in control by increasing accountability, strengthening financial and operational efficiencies, and maximizing performance and ROI.