GRC and performance: toward an integrated view
Governance, risk and compliance are well-established elements of business, but only relatively recently have they been consolidated under a single term, "GRC." The emergence of the acronym in the past few years reflects a new effort to coordinate and unify the implementation and measurement of those three functions in an organization.
Governance encompasses the management of organizational processes and information to support decision-making and to provide controls that ensure decisions are carried out appropriately. Risk management is a subset of governance, and entails monitoring and responding to events that could adversely affect the organization. Those may include financial, technological, information security, economic, political and regulatory risks. Compliance involves management of internal and external requirements such as policies and regulatory mandates.
Advantages of integration
When all three GRC activities are integrated, businesses benefit from elimination of redundant processes and monitoring efforts. Movement toward an integrated system is increasingly important as the regulatory environment becomes more complex and the need for agility increases. In highly regulated industries such as healthcare and financial services, for example, companies must comply with reporting regulations, privacy laws and IT requirements (see sidebar which follows—also on page 19, KMWorld June 2011), to name just a few.
A new set of software products oriented toward GRC has emerged to help organizations develop and sustain a more unified approach to those functions. While most organizations are implementing the products in a phased approach and do not yet have a fully integrated system, the GRC solutions help provide a roadmap to attain that goal. Moreover, they also provide the foundation for the next step, which is to begin linking GRC to corporate performance management (CPM).
Centene Corp. provides services for recipients of Medicaid, including Supplemental Security Income (SSI) and the State Children's Health Insurance Program (SCHIP). Contractors provide many of the specialty services such as long-term care and pharmacy benefits management. Operating in 10 states, Centene faces a complex set of both state and federal regulations. Failure to achieve compliance entails significant risks, including large fines that increase for repeat offenses. The challenge of staying in compliance is reflected by the fact that a typical Medicaid contract can be 250 pages long.
Centene selected the Compliance 360 platform, an integrated compliance management product, to monitor and ensure compliance. Compliance 360 GRC includes three major components: compliance management, enterprise risk management, and a financial and audit solution. Initially, Centene used Compliance 360 to automate its corporate code of conduct, and then expanded its use to manage compliance with state contract requirements because that was considered to be a primary compliance risk.
Knowledgebase of requirements
Compliance 360 tracks deadlines, provides visibility into performance gaps and is used to manage remediation projects for addressing compliance gaps. As a result of using Compliance 360, Centene has eliminated state sanctions for late report filings. In addition, one of its affiliates has used Compliance 360 to improve the tracking of complaints, which a state insurance regulator had noted as potentially inadequate. As a result, a subsequent audit found that a 15 percent rate of non-compliance in complaint tracking had been reduced to zero.
Compliance 360 is configured based on the needs of each client. "We partner with LexisNexis, for example, to aggregate legal and regulatory content that is applicable to each business," says Steve McGraw, president and CEO of Compliance 360. "Our customers establish knowledgebases of legal and regulatory requirements and workflow-automated processes for managing specific incidents such as data breaches, and requirements such as compliance with Sarbanes-Oxley and state-specific regulations." The processes are mapped into a framework of enterprise risk management.
The regulatory environment is becoming increasingly complex. The Dodd-Frank Wall Street Reform and Consumer Protection Act, signed into law as a result of the financial meltdown in 2008, marked a sea change in the environment, according to McGraw. "The regulations are just starting to roll out, and they will affect many aspects of the financial community, not just derivatives but also lending and banking," he says. "The FDIC and Federal Reserve have a lot more teeth now, and we think the penalties will be much more severe than in the past." Failing to maintain GRC best practices increasingly has the potential for devastating consequences.
Rapid risk mitigation
Waters Corp. produces analytical scientific tools used by laboratories for research and operations. A publicly traded company, Waters is subject to Sarbanes-Oxley, which requires effective internal controls over financial reporting. A central such control is the "segregation of duties" (SOD): no single individual may hold access to conflicting steps of a transaction or process, for example, being able to both create an invoice and pay it. Waters recognized that not having a centrally managed solution for enforcing SOD was inefficient and expensive.
As an existing user of SAP's enterprise resource planning (ERP) solution, Waters opted to deploy the SAP BusinessObjects Access Control application, which is a component of the SAP BusinessObjects GRC solution. Using the software, Waters was able to identify 80 high risks that could result from access violations. The company then went on to identify root causes of the violations, and developed a set of rules to prevent them.
Prior to installing SAP BusinessObjects Access Control, Waters could not determine how many violations were occurring. Once the product was in place, the company could obtain a baseline measure, and then used the product to make incremental improvements. Waters was able to mitigate 68 of the 80 risks quickly. Because the company had started with the most problematic violations, that improvement resulted in a 98 percent reduction in violations.
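The SOD control described above, as an added example that is not Waters' or SAP's code: a rule set of conflicting entitlement pairs, a detective scan over user-to-role assignments that yields the baseline violation count and the count per rule (so the most-violated rules are addressed first), a preventive check that tells a provisioning workflow whether a requested role would create a conflict, and one remediation pass. The rule IDs, roles, entitlements and users are constructed for illustration; a real rule set comes from the process risk analysis and the role catalog from the ERP system.

```python
"""Segregation-of-duties (SOD) conflict detection over user entitlements.

Added example; not Waters' or SAP's code. All rules, roles, entitlements
and users below are constructed for illustration.
"""
from collections import Counter

# SOD rules: each names two entitlements no single user may hold together.
SOD_RULES = {
    "AP-01": ("create_vendor_invoice", "approve_vendor_payment"),
    "AP-02": ("maintain_vendor_master", "approve_vendor_payment"),
    "GL-01": ("post_journal_entry", "approve_journal_entry"),
}

# Role -> entitlements, as an ERP role catalog would define them (constructed).
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"create_vendor_invoice", "maintain_vendor_master"},
    "AP_MANAGER": {"approve_vendor_payment"},
    "GL_ACCOUNTANT": {"post_journal_entry"},
    "GL_CONTROLLER": {"approve_journal_entry"},
    # A catch-all role is a classic root cause: it carries every entitlement.
    "SUPERUSER": {
        "create_vendor_invoice", "maintain_vendor_master",
        "approve_vendor_payment", "post_journal_entry", "approve_journal_entry",
    },
}

# User -> assigned roles (constructed baseline, before any cleanup).
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},
    "carol": {"GL_ACCOUNTANT", "GL_CONTROLLER"},
    "dave": {"SUPERUSER"},
}


def effective_entitlements(roles, role_entitlements=ROLE_ENTITLEMENTS):
    """Union of the entitlements granted by a set of roles."""
    ents = set()
    for role in roles:
        ents |= role_entitlements.get(role, set())
    return ents


def find_violations(user_roles=USER_ROLES, rules=SOD_RULES,
                    role_entitlements=ROLE_ENTITLEMENTS):
    """Detective control: (user, rule_id) for every SOD rule a user breaks."""
    hits = []
    for user, roles in sorted(user_roles.items()):
        ents = effective_entitlements(roles, role_entitlements)
        for rule_id, (a, b) in rules.items():
            if a in ents and b in ents:
                hits.append((user, rule_id))
    return hits


def violations_by_rule(violations):
    """Count hits per rule so the most-violated rules are remediated first."""
    return Counter(rule_id for _, rule_id in violations)


def conflicts_if_assigned(user, new_role, user_roles=USER_ROLES,
                          rules=SOD_RULES, role_entitlements=ROLE_ENTITLEMENTS):
    """Preventive control: rule IDs a provisioning request would violate.

    Empty means the request can be approved; anything else is rejected or
    routed for a documented mitigating control.
    """
    roles = set(user_roles.get(user, set())) | {new_role}
    ents = effective_entitlements(roles, role_entitlements)
    return sorted(r for r, (a, b) in rules.items() if a in ents and b in ents)


def remediated(user_roles=USER_ROLES):
    """One remediation pass (constructed): split the conflicting assignments.

    Returns a new user -> roles map; the baseline is left untouched so the
    before/after counts can be compared.
    """
    fixed = {u: set(r) for u, r in user_roles.items()}
    fixed["bob"].discard("AP_MANAGER")          # approval moves to another user
    fixed["carol"].discard("GL_CONTROLLER")
    fixed["dave"] = {"AP_CLERK"}                # retire the catch-all role
    fixed["erin"] = {"AP_MANAGER", "GL_CONTROLLER"}  # approver holds no create/post rights
    return fixed


if __name__ == "__main__":
    baseline = find_violations()
    print("baseline violations:", len(baseline), dict(violations_by_rule(baseline)))
    print("after remediation:", len(find_violations(remediated())))
    print("alice + AP_MANAGER would break:", conflicts_if_assigned("alice", "AP_MANAGER"))
```

The detective scan is what produces the baseline the article describes; the preventive check is the piece that stops new violations from being provisioned once the baseline is cleaned up. In practice both run against the live role catalog rather than the constructed tables above, and the per-rule counts drive which root causes (such as a catch-all role) are fixed first.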
Other components in the SAP BusinessObjects GRC solution include Enterprise GRC, which automates risk management and compliance, and Sustainability Performance Management, which helps set and manage sustainability goals. "With thousands of companies now reporting on their sustainability performance, monitoring performance in this area is becoming increasingly important," says Michael Lortz, senior director of GRC solution marketing at SAP. In addition, SAP offers a separate solution for measuring and managing an enterprise's carbon footprint.