The basic concept of GRC (governance, risk and compliance) is simple – (1) say what you need to do and make sure everyone knows about it, (2) make sure you proactively look at risks, and put controls in place to mitigate the risks, and (3) monitor the controls you put in place to make sure they are working. In other words, put objectives and policies in place to reflect your strategy and regulatory commitments; periodically review the related risks; ensure that controls are in place, and audit the controls.
Say you work for ‘The Wide World of Bananas, Inc.’ growing and shipping bananas. Now, when everyone in your company knows why they are peeling bananas, which bananas they should peel, where the fallen peels are, and then consistently walks around them (or picks them up and tosses them into the trash bin) … then you have a company that is shipping a lot of high-grade bananas without falling down too often. Better GRC means better business. Easy.
Of course, growing and shipping bananas is not really that simple. You probably have your own banana plantations, and source some other bananas from third parties. You probably have a facility where you wash and shine all those bananas. You most likely ship those bananas to other countries. There is the IT department, for any self-respecting banana shipper needs ‘Big Data’ and iPads … and let’s not forget the bean counters who really are counting bananas in this case.
In reality, any business looks somewhat like the banana business – with suppliers, suppliers’ suppliers, facilities, manufacturing, R&D, quality, IT, finance, HR … and lots of people. And let’s not forget all the regulations! Financial reporting regulations, export regulations, data privacy regulations, health and safety regulations … there’s probably a good reason behind each and every one of them. Clearly the business of doing business is not simple, and if we are to achieve any measure of success by applying GRC across the board, we need technology. Here’s how technology can enable and support GRC, as identified by Vasant Balasubramanian, MetricStream’s vice president of product management.
Bananas, bananas, and then some more bananas. No oranges or blueberries.
Consistent terminology and language in terms of business objectives, policies, risks, business processes, and controls requires a common definition and repository for all these core concepts and information. It will simply not do to have every line of business and employee maintaining his or her own private spreadsheets and post-its. Technology comes to the rescue with a common GRC repository and data model to house the large amounts of data that make up GRC within an enterprise.
The first step to ensuring that everyone’s talking about bananas, instead of bananas, oranges, strawberries, and potatoes, is to look at the organization’s diverse current and future GRC needs, and develop the corresponding GRC data model. This data model can then be implemented and stored in a GRC repository.
Automate GRC business processes.
This is the easy one. Automate GRC-related business processes such as policy development and rollouts, risk assessments, internal audits, supplier governance, ethics surveys, fraud detection, supplier evaluation and onboarding, infrastructure monitoring, business continuity and other key processes with the help of technology. In addition to saving you a great deal of time and effort, automation also reduces errors and disparities introduced by manual alternatives and unstructured documents and spreadsheets floating around the office. It frees you up from repetitive tasks such as data entry and collection to focus on higher-end activities such as risk analysis.
One platform to rule them all.
When various GRC processes are built on a centralized data model, they can be interlinked for optimal efficiency. It’s important not to create separate application silos for each process. Often, organizations use one system to manage risks, and another to manage compliance. Or they use one application for operational risk management, and another for IT risk management. This siloed approach gives rise to unnecessary complexities, costs, redundancies, and duplication of information.
A better approach would be to integrate all the different GRC applications and systems on a common platform or shared bus. This way, data can be easily and automatically shared among various systems. Take the example of threat and vulnerability scanners: threat reports generated from these applications can be seamlessly routed to another system on the same platform for investigation and remediation. Or the information in the threat reports can be correlated with data from fraud detectors or identity and access management systems. In this way, stakeholders can aggregate data from multiple systems, and transform it into meaningful risk intelligence to pre-empt further threats and attacks.
Personalizing GRC.
To be successful with GRC, GRC has to be baked into the organizational culture. Everyone within the organization as well as in the extended supply chain needs to be GRC ‘aware’ and ‘doing the right thing’ without doing anything more than they usually do. This means that GRC has to be personal, at everyone’s fingertips, and woven into their daily professional lives – it must be available in mobile devices and in email clients as well as in the day-to-day operational IT systems that every working employee uses. It must be available within ERP systems and travel and expense systems as well as supplier interaction systems. And, all this with an interface so easy to use that the average banana-picker in the plantation should have no trouble using it.
Show me. Make me smarter.
Your organization’s workings are no longer an obfuscated mess. There is now a common GRC-based vocabulary and methodology to align and provide consistency and visibility to the decision makers. With all that rationalized GRC data flowing in from across and beyond the enterprise, you can use reports, dashboards, analytics and other business intelligence tools to develop and act upon key insights.
Before we wrap up, it should be noted that technology is neither the starting point nor an end unto itself. However, technology plays a critical role in almost every aspect of a successful GRC journey, including top-down business alignment and organizational culture. So, dive in – and good luck with the bananas.