Governance, risk management and compliance (GRC) is a relatively new term that encompasses a set of interrelated processes and activities designed to assess and manage risk and compliance. It supports and protects knowledge management functions such as enterprise content management (ECM) and collaboration. The ultimate goal is to maintain or improve organizational performance, while minimizing vulnerability to adverse events.
A considerable portion of GRC is IT-related because many business risks result from potential data loss, violation of privacy regulations or other IT-centric hazards. Other types of risks such as the impact of political instability on product markets exist primarily outside of the IT environment, but also require management. Software solutions for various aspects of GRC help standardize the governance processes and provide reporting capability that facilitates monitoring of performance, risk and compliance.
The city of Charlotte, N.C., uses Microsoft SharePoint to support many of the informational needs of its employees and constituents. Collaboration sites, records management and document storage are among the functions designated to the SharePoint environment. Over time, the number of SharePoint sites proliferated to more than 1,300. Each department had different requirements for security, structure and collaboration, but improved governance to bring greater order to the environment was essential.
A natural transition point for the change emerged at the time the city was upgrading to SharePoint 2007. "We carried out a full requirements process and a proof of concept for the functions we needed," says Karen Floyd, process manager for IT service management. After evaluating several products on a short list, the IT department selected ControlPoint from Axceler. Axceler's products are designed for SharePoint administration and migration, and allowed the city of Charlotte to embark on a process of managing its sites more systematically.
A few clicks away
Large areas of the city's intranet needed to be restructured and consolidated. "That is one of our primary tasks as we go forward," Floyd says. "We can now batch edit across multiple sites, which is much more efficient than making the changes to each site." In one multidomain environment, the permissions of 400 users needed to be mirrored from one site to another, which saved weeks of manual effort. "In many cases, SharePoint has the capability to do these administrative tasks," Floyd explains, "but ControlPoint makes it happen in just a few clicks, with greater visibility and much better reporting."
One example is the ability of ControlPoint to locate and modify web parts, also referred to as widgets. Web parts are small programs within the browser that allow users, for example, to add features like digital clocks and to display Tweets, blog entries or weather reports. "Some of the web parts on our sites were not compatible with SharePoint 2007," Floyd says, "and ControlPoint allowed us to search for them and automatically replace them with compatible web parts."
When Floyd first launched the initiative to revamp the SharePoint environment, the structure was flat, with no hierarchical administration. "We wanted to maintain the identity of each of the business units, but manage structure and security from the top down," she says. For example, initially everyone who set up a site was an administrator, but in fact many did not need to be. Each department's governance was standardized, and a hierarchical structure was established. "With ControlPoint, it's much easier to apply consistent governance policies," Floyd says. "We have been able to bring people toward best practices while still allowing flexibility."
Gail Shlansky, director of product management at Axceler, says, "SharePoint is so easy to use that people tended to create sites first and then start to think about governance. We had experience with administering a collaborative environment in the [Lotus] Notes world, so we had a strong base of understanding of customers in terms of what administrators need to do."
Initially, SharePoint was used for tactical activities such as workspaces or document sharing, according to Shlansky. "Now, we see many more strategic applications built in SharePoint that are critical to running the business," she adds. Managing the environment for security and consistency is a much more important issue, and governance has become more broadly relevant.
"Governance in IT can cover anything from control of how a user requests a new site to the amount of storage allowed or who has signoff authority," Shlansky explains. "But the big picture is how critical content is protected and managed."
Even though governance, risk and compliance (GRC) is a broad discipline, companies often localize management of specific risk areas within individual departments rather than approach GRC through a comprehensive plan. "IT may have concerns about privacy risk or other IT-centric risks, for example, and want to put a structure in place to manage them," says Scott Wisniewski, managing director of risk technology at Protiviti, a consulting firm that specializes in managing business risk and internal auditing. "Internal audit or enterprise risk groups may wish to pursue management of a different set of risks, but often interaction among each of the groups is limited."
Managing risks in isolation as opposed to doing so through coordination of the various GRC disciplines often results in redundant efforts, in which the same risk is being managed by multiple groups, or in gaps in risk coverage because no group is monitoring certain areas. "Through the lack of coordination," says Wisniewski, "there may be risks that no one is monitoring." That lack of coordination increases the cost of risk management while also increasing the company's risk exposure.
The drawbacks of failing to coordinate are evident in the recent mortgage meltdown. "In the case of the mortgage business," Wisniewski says, "performance was very high, but the companies were not managing risks such as the amount of exposure and the potential for default. The results were disastrous." Companies need to drive performance, but must consider risk as well, which includes strategic risk, financial risk, operational risk and compliance risk.