Optimizing Your GRC Technology Ecosystem

Most organizations rely on multiple technologies to manage GRC across the enterprise. Optimizing a GRC technology ecosystem aligned with a defined GRC process structure improves risk-informed business decisions and achievement of strategic business objectives. This illustration outlines ways to continuously optimize your GRC technology ecosystem for

  • greater process consistency
  • and development of actionable information.

An integrated GRC technology ecosystem built on common vocabulary, taxonomy and processes enables

  • more accurate and timely reporting,
  • increased reliability of achievement of objectives
  • and greater confidence in assurance with less burden on the business.

Here are just a few of the key benefits:

Process and Technology Alignment

  • Common methods for core tasks, uniform taxonomies, and consistent vocabulary for governance, risk management and compliance across the organization
  • Risk-based actions and controls that ensure timely responses to changed circumstances
  • Standardized GRC processes based on understanding where in the organization each defined process takes place and how data is used in managing risks and requirements
  • Connected technologies as necessary to gain a complete view of the management actions, controls and information needed by each user

Governance Systems to include:

  • Strategy / Performance
  • Board Management
  • Audit & Assurance Tools

Risk Systems to include:

  • Brand & Reputation
  • Finance / Treasury Risk
  • Information / IT Risk
  • External Risk Content
  • Third Party Risk

Compliance Systems to include:

  • Policies
  • Helpline / Hotline
  • Training
  • EHS (Environment Health and Safety)
  • Fraud / Corruption
  • Global Trade
  • Privacy
  • Regulatory Change
  • AML (Anti Money Laundering) / KYC (Know Your Customer)

Enabling Systems to include:

  • Data Visualization
  • Analytics
  • Business Intelligence
  • Predictive Tools
  • External Data Sources

Protective Systems to include:

  • Information Security
  • Data Protection
  • Assets Control

Benefits and Outcomes

  • Enhanced tracking of achievement of objectives and obstacles
  • Connected reporting for board/management/external stakeholders
  • Timely understanding of impact from operational decisions
  • Actionable view of changes needed to meet regulatory requirements
  • Clear action pathways for resolution of issues and process reviews
  • Consistent risk assessments feeding into advanced analytics
  • Improved predictive capabilities to support strategic planning
  • Control testing and audit trails for response to regulators and auditors
  • Greater confidence in assurance with less burden on the business
  • Enterprise-wide, departmental and geographic control standards

OCEG

Tips for Optimization

1. Process Framework

  • Identify tasks appropriate for standardization and schedule implementation across units
  • Assess vocabulary used throughout organization for inconsistencies and establish rules
  • Adjust process model periodically to continue alignment with business objectives and activities

2. Technology Ecosystem

  • Periodically review GRC technologies for gaps and duplication of systems
  • Assess appropriateness of connection of systems for data sharing and user access
  • Maintain a current road map for re-purposing and acquisition of technologies

3. Outcome Management

  • Apply standard processes for resolution of issues and remediation of identified process framework or technology ecosystem weaknesses
  • Enhance reporting capabilities with refined report structure and delivery methods/schedules
  • Ensure all users apply the process framework and understand how best to use the technology

Click here to access OCEG’s illustration in detail

Mastering Risk with “Data-Driven GRC”

Overview

The world is changing. The emerging risk landscape in almost every industry vertical has changed. Effective methodologies for managing risk have changed (whatever your perspective:

  • internal audit,
  • external audit/consulting,
  • compliance,
  • enterprise risk management,

or otherwise). Finally, technology itself has changed, and technology consumers expect to realize more value, from technology that is more approachable, at lower cost.

How are these factors driving change in organizations?:

Emerging Risk Landscapes

Risk has the attention of top executives. Risk shifts quickly in an economy where “speed of change” is the true currency of business, and it emerges in entirely new forms in a world where globalization and automation are forcing shifts in the core values and initiatives of global enterprises.

Evolving Governance, Risk, and Compliance Methodologies

Across risk and control oriented functions spanning a variety of audit functions, fraud, compliance, quality management, enterprise risk management, financial control, and many more, global organizations are acknowledging a need to provide more risk coverage at lower cost (measured in both time and currency), which is driving re-inventions of methodology and automation.

Empowerment Through Technology

Gartner, the leading analyst firm in the enterprise IT space, is very clear that the convergence of four forces—Cloud, Mobile, Data, and Social—is driving the empowerment of individuals as they interact with each other and their information through well-designed technology.

In most organizations, there is no coordinated effort to leverage organizational changes emerging from these three factors in order to develop an integrated approach to mastering risk management. The emerging opportunity is to leverage the change that is occurring, to develop new programs; not just for technology, of course, but also for the critical people, methodology, and process issues. The goal is to provide senior management with a comprehensive and dynamic view of the effectiveness of how an organization is managing risk and embracing change, set in the context of overall strategic and operational objectives.

Where are organizations heading?

“Data Driven GRC” represents a consolidation of methodologies, both functional and technological, that dramatically enhance the opportunity to address emerging risk landscapes and, in turn, maximizing the reliability of organizational performance.

This paper examines the key opportunities to leverage change—both from a risk and an organizational performance management perspective—to build integrated, data-driven GRC processes that optimize the value of audit and risk management activities, as well as the investments in supporting tools and techniques.

Functional Stakeholders of GRC Processes and Technology

The Institute of Internal Auditors’ (IIA) “Three Lines of Defense in Effective Risk Management and Control” model specifically addresses the “who and what” of risk management and control. It distinguishes and describes three role- and responsibility-driven functions:

  • Those that own and manage risks (management – the “first line”)
  • Those that oversee risks (risk, compliance, financial controls, IT – the “second line”)
  • Those functions that provide independent assurance over risks (internal audit – the “third line”)

The overarching context of these three lines acknowledges the broader role of organizational governance and governing bodies.

IIAA

Technology Solutions

Data-Driven GRC is not achievable without a technology platform that supports the steps illustrated above, and integrates directly with the organization’s broader technology environment to acquire the data needed to objectively assess and drive GRC activities.

From a technology perspective, there are four main components required to enable the major steps in Data-Driven GRC methodology:

1. Integrated Risk Assessment

Integrated risk assessment technology maintains the inventory of strategic risks and the assessment of how well they are managed. As the interface of the organization’s most senior professionals into GRC processes, it must be a tool relevant to and usable by executive management. This technology sets the priorities for risk mitigation efforts, thereby driving the development of project plans crafted by each of the functions in the different lines of defense.

2. Project & Controls Management

A project and controls management system (often referred to more narrowly as audit management systems or eGRC systems) enables the establishment of project plans in each risk and control function that map against the risk mitigation efforts identified as required. Projects can then be broken down into actionable sets of tactical level risks, controls that mitigate those risks, and tests that assess those controls.

This becomes the backbone of the organization’s internal control environment and related documentation and evaluation, all setting context for what data is actually required to be tested or monitored in order to meet the organization’s strategic objectives.

3. Risk & Control Analytics

If you think of Integrated Risk Assessment as the brain of the Data-Driven GRC program and the Project & Controls Management component as the backbone, then Risk & Control Analytics are the heart and lungs.

An analytic toolset is critical to reaching out into the organizational environment and acquiring all of the inputs (data) that are required to be aggregated, filtered, and processed in order to route back to the brain for objective decision making. It is important that this toolset be specifically geared toward risk and control analytics so that the filtering and processing functionality is optimized for identifying anomalies representing individual occurrences of risk, while being able to cope with huge populations of data and illustrate trends over time.

4. Knowledge Content

Supporting all of the technology components, knowledge content comes in many forms and provides the specialized knowledge of risks, controls, tests, and data required to perform and automate the methodology across a wide-range of organizational risk areas.

Knowledge content should be acquired in support of individual risk and control objectives and may include items such as:

  • Risk and control templates for addressing specific business processes, problems, or high-level risk areas
  • Integrated compliance frameworks that balance multiple compliance requirements into a single set of implemented and tested controls
  • Data extractors that access specific key corporate systems and extract data sets required for evaluation (e.g., an SAP supported organization may need an extractor that pulls a complete set of fixed asset data from their specific version of SAP that may be used to run all require tests of controls related to fixed assets)
  • Data analysis rule sets (or analytic scripts) that take a specific data set and evaluate what transactions in the data set violate the rules, indicating control failures occurred

Mapping these key technology pieces that make up an integrated risk and control technology platform against the completely integrated Data-Driven GRC methodology looks as follows:

DDGRC

When evaluating technology platforms, it is imperative that each piece of this puzzle directly integrates with the other; otherwise, manual aggregation of results will be required, which is not only laborious but also inconsistent, disorganized and (by definition) violates the Data-Driven GRC methodology.

HiPerfGRC

 

Click here to access ACL’s study