Eliminating Compliance Silos
The First Step Toward Automated GRC
Governance, risk management and compliance (GRC)—is it a new acronym for existing processes? Yes and no. Individual disciplines for governance, risk and compliance have existed in the past; however, these activities have been fragmented, disparate and duplicative efforts across many aspects of an organization. In order to see business value from GRC, companies must redefine GRC for their organization and adapt their processes to fit these new definitions.
Effective governance starts with establishing business objectives, and it continues with a closed loop of measuring and comparing results and refining activities and goals. The specific role of governance is to enhance risk management processes and protect the strategic objectives of the business. And because a successful governance program is a continuous process, organizations must implement a comprehensive controls program, complete with testing, repeatability, visibility and automation.
Enterprise risk management is taking on a new dimension in publicly traded companies as they face greater regulatory responsibilities and increased public scrutiny. Companies are now devoting the same kind of attention and resources to manage regulatory, operational and reputational risks as they are to their more traditional risk management issues. In this new era of risk management, a company’s risk mitigation processes, procedures, applications and data are an essential remedy.
Compliance is not new; however, the demands of Sarbanes-Oxley and the regulations with consumer visibility have brought compliance to the forefront of activities in organizations. The "get compliant" mentality has created a very task-oriented, "checklist" attitude. Other than the checkmark, little business value was gleaned from many of these high-cost efforts. As a result, organizations are attempting to create business value through compliance efforts, reduced cost and better business decisions. To do this, organizations are turning to a more strategic, risk-based approach.
The Optimal State of GRC
So what’s the new buzz about GRC? With the expanded scope of governance, risk and compliance across the organization, a more holistic enterprise approach is needed that improves visibility of information, increases efficiency, reduces cost and implements an ongoing process to monitor investments, risks and controls across the organization. There are many ways to achieve an optimal state of governance, risk and compliance. Implementing controls is one approach where improvements in rationalization can begin to yield benefits to organizations as they mature in their quest for enterprise governance, risk and compliance.
To implement effective controls, every business must have a documented set of rules that define how data is generated, manipulated, recorded and reported. That sounds simple... but it’s not. After all, those rules must effectively support everything from the accuracy of financial statements to the protection of the business from risk. So business unit managers have many factors to consider if they’re going to ensure that their data controls fulfill all of the governance, risk and compliance objectives for which they are responsible.
So how do you monitor and maintain your controls program across the enterprise to achieve optimal value and risk mitigation?
Automation is Key
In developing controls, many organizations have focused on passing audits and achieving compliance for specific guidelines and governing bodies. While this approach addresses immediate needs, it doesn’t promote a real long-term strategy. It can also lead to duplicated efforts and failure to adequately correlate risk management with organizational control. Moreover, it defines results of a controls program based on a specific moment (the result of the assessment/test) and creates a situation where cyclical and manual maintenance are the norm.
Organizations that resort to this approach are constantly "reinventing the wheel" because there is little or no automation, and regulatory relationships aren’t well-defined. As a result, there is no mechanism by which the company can easily identify and address new and applicable risks, regulations or requirements. What’s more, testing, repeatability, visibility and remediation are costly or non-existent.