The Challenges of Defining and Managing Governance, Risk Management, and Compliance

As discussed in SAP Solutions for Governance, Risk, and Compliance, much of the value creation and innovation within companies takes place as a consequence of the intricate relationships between people, processes, and systems—all of which are, as a rule, patchy across different organizations, functions, and geographies. This fragmentation can hold any enterprise back in a number of ways:

  • Organizational fragmentation caused by disconnected, department-driven GRC activities customarily results in inconsistent policies, difficulty in predicting risk, a lack of enterprise transparency, and duplication of effort. As enterprises increase collaboration with trading partners, the consequences of having no central body coordinating GRC activities enterprise-wide intensify because most legislation holds them accountable for good governance and compliance within their own organization, as well as across the extended enterprise (supply chain).

  • Most businesses lack GRC information integrity because their departments use different metrics, standards, software, and methodologies for analyzing risk and compliance information. This system fragmentation makes it difficult to aggregate data; gain a complete view of enterprise-wide risks; effectively monitor these risks and compliance; and adjust business processes to meet changing requirements, market trends, and regulatory mandates.

  • Policies and risks are generally defined and measured at the local geographic level, without proper consideration for their impact on the global, multinational, national, or regional mandates with which an organization must also comply. Decision makers are often unaware of the interdependencies between mandates and the risks of noncompliance in specific regions and markets, whereby one region's risk might be another one's opportunity.

  • Internal GRC discipline fragmentation is also an issue, since at the corporate level, as well as the departmental or regional levels, there is general uncertainty around the meaning and scope of the disciplines of GRC. Most important, the management team may not recognize that these disciplines are inextricably linked and interdependent, and as a result, the disciplines function independently instead of as part of an integrated strategy.

To be successful, companies have to align their corporate strategies with more effective oversight and institutionalized policy setting, risk management, and business process control. The only way to accomplish this goal is through an overall approach to GRC that unifies the above fragmented areas. Only then can a company hope to capture new information about emerging threats and opportunities, and exploit them for competitive advantage.

According to AMR Research, approximately two-thirds of compliance cost is attributable to people. This is because fragmented GRC efforts tend to result in "people-powered GRC" (or inefficient, manual processes that are duplicated across departments). Of even greater significance might be the lost opportunities that result from a tactical, fragmented approach to managing GRC. Without a comprehensive and cohesive GRC strategy, companies are deprived of a means to effectively navigate today's highly regulated (and ever-changing) business environments, as well as of a critical driver of revenue and competitive advantage.

Therefore, a multiplicity of government regulations, growing pressure from financial markets, and increasing demands from stakeholders have renewed the focus on GRC. Some forward-thinking organizations no longer see GRC as discrete, project-based activities managed as separate functions. Rather, they are adopting an overarching GRC strategy that guides people, standardizes processes, and unifies technology to embed GRC at every organizational level. That is to say, in the face of shifting industry conditions, compliance mandates, and governance requirements, companies need to take a broader, more structured approach to managing GRC to proactively identify and forecast inefficiencies and errors, adopt a risk-based approach toward embedding controls in business processes, and continuously monitor operations to optimize and guide future policy (see SAP Solutions for Governance, Risk, and Compliance).

To manage information technology (IT) and business risks at all levels of the organization, GRC's integrated solutions must be capable of monitoring business processes and IT controls automatically. Not only should an integrated approach offer top executives an actionable dashboard showing a more complete and more accurate risk profile of the company, but it should also detect high-risk events, and prioritize risk responses and corrective or, even better, preventive action.

This is the final part of a series on how various industries address compliance issues. For more information, please see previous parts of this series: Thou Shalt Comply (and More, or Else): Looking at Sarbanes-Oxley, Important Sarbanes-Oxley Act Mandates and What They Mean for Supply Chain Management, Sarbanes-Oxley Act May Be Just the Tip of a Compliance Iceberg, Automotive Industry and Food, Safety, and Drug Regulations, "Evergreen"—Environmental Regulations for High-tech and Electronics, Chemical, and Oil and Gas Industries, and Global Trade and the Role of Governance, Risk Management, and Compliance Software.

GRC Defined, Starting with the Central Repository

Delving deeper into the individual GRC components, governance entails the oversight role, with the idea of setting strategic objectives the company wants to pursue, and then managing these. To that end, governance typically relies on a repository to centrally manage all GRC content, guide governance strategies, and improve business performance.

Such a repository should centrally document and store records to streamline and manage GRC content, including control frameworks; corporate policies and procedures; regulations; industry mandates; business process flows; risk libraries; control libraries; test plans; evidence for compliance; etc. In other words, the central repository should enable consistent, effective, and efficient coverage of regulatory content (that is, frameworks, laws, internal company policies, etc.) by providing visibility into related requirements. Companies can then cross-reference their organizational policies and procedures with regulatory requirements to ensure compliance.

The key to a central repository is in centralizing and managing GRC content from multiple sources, and in its ability to model business processes and document associated objectives, risks, and control activities. Also important is the library of configurable business rules, business process controls, and IT controls to ensure proper segregation-of-duties (SOD), business process controls, and environmental and global trade compliance.

By harnessing a well-populated GRC repository, companies should benefit from enterprise-wide visibility into all GRC activities. This visibility should allow companies to analyze risk, make more informed decisions, and take a risk-based approach to satisfying multiple company initiatives and regulatory mandates.

In addition, users should be able to link these risks and controls to multiple security and control frameworks, such as the Committee of Sponsoring Organizations (COSO), the IT Infrastructure Library (ITIL), or the Control Objectives for Information and Related Technologies (COBIT), and to US mandates like the Sarbanes-Oxley Act (SOX) and the Food and Drug Administration (FDA) regulations. The repository often also enables adherence to official product classification schemas such as the US Harmonized Tariff Schedule (HTS) and the Export Control Classification Number (ECCN), which is issued by the Bureau of Industry and Security (BIS) for shipments that require an export license.

To illustrate the transformative power of a central GRC repository, consider all the SOD requirements defined across the pertinent compliance solutions. These SOD requirements would then be enforced by access and authorization control applications that are integrated with the GRC repository application. This way, all of an organization's policies, initiatives, and regulations that require proper SODs (or, alternatively, that need appropriate definition and assignment of compensating controls) would be automatically documented within the GRC repository, complete with links to the appropriate access controls for automated monitoring. By doing so, enterprises should be able to take advantage of opportunities that they might not have noticed before to improve efficiency and transparency, optimize risk-and-return portfolios, and increase business predictability by rationalizing controls and risk responses across the enterprise.

… Which (Ideally) Manages All Conceivable Risks

Risk management applications provide frameworks for identification of risk; analysis of potential impacts and appropriate responses; and the monitoring of mitigating actions and reporting—all in a structured manner. When implemented holistically, more effective risk management practices should be able to improve decision making and create significant value throughout the enterprise.

But too often, actual risk management practices are reactive, theoretical tasks performed in departmental silos, and these practices overlook critical interactions between risks. At the same time, because risk management is often regarded as a theoretical exercise with no practical methodology, organizations are not equipped to recognize critical risks; to analyze risk-reward trade-offs; and to respond appropriately based on quantitative cost and benefit analysis metrics. The idea is thus to deploy appropriate risk management applications, and implement proactive, collaborative processes throughout the entire enterprise. Such applications will enable companies to balance new business opportunities with financial, legal, and operational risks.

A full-fledged risk management application suite should provide a best-practice framework for enterprise risk identification, collaborative risk analysis, risk-response management, and continuous risk monitoring and reporting. Such an application suite should help users to effectively anticipate and respond to changing business conditions. The applications should also ideally include executive-level, personalized dashboards, scorecards, and reports that provide users with visibility into key risk metrics and policy compliance.

The aim is for users to be able to monitor the overall risk portfolio, including cohesive, global profiles of operational and entity-level risks ("heat maps"), and then to analyze risk in terms of severity and impact on a monetary and qualitative basis. Furthermore, users should be able to balance the costs of risk avoidance against new business opportunities. They should also be able to alert management when high-impact and high-probability risks exceed company-specific thresholds, and to prioritize corrective action using role-based dashboards and alerts.

… To Ensure Compliance at the End of the Day

Last but not least, compliance entails the actual, tactical actions to mitigate risk. In other words, compliance is the execution of these objectives based on established risk tolerance for the company. Namely, as mentioned previously, some regulations are not mandatory, but recommended. For instance, the FDA regulations for drug manufacturers are not fixed targets. Thus, compliance is a key objective for any regulated drug manufacturing company, but the requirements to meet compliance are subjective based upon product, production processes, and (perhaps most important) every company's tolerance for risk. Regulatory risk is the risk of being found out of compliance, and if a company accepts very limited risk, its cost of compliance will logically be high. Conversely, with more risk allowed, compliance cost is reduced, but the potential cost of noncompliance increases.

Executive management, therefore, has the responsibility of setting the organization's risk tolerance and of allocating the required resources to satisfy that tolerance. A compliance team (for example, from the quality or legal department) needs to set the regulatory strategy for a company based on an interpretation of the regulations relative to its specific situation. At the same time, the compliance team must carefully balance the cost of compliance and the cost of noncompliance.

When reviewing compliance cost, one must think of the total cost of ownership (TCO). TCO should include the one-time cost to initiate the system (that is, implementation and training, acquisition of any equipment or software involved, and validation), plus continuing operational and maintenance costs (that is, personnel cost, cost of continuing training, cost of maintenance of any hardware or software used, etc.). Continuing cost also includes the continuing effort to keep the compliance system in sync with evolving standard operating procedures (SOPs). The IT component of the compliance system will also need to evolve with the SOPs.

The core of compliance revolves around proper access and authorization controls, since such applications aim at reducing control risk in enterprise applications by enforcing proper SODs. The applications then manage enterprise roles and the compliant provisioning of users, and grant audited emergency access for super-users. One should allow super-users privileged but controlled access so they can quickly address emergency requirements or help mitigate situations where SODs cannot be accomplished.

As indicated earlier, two critical pieces of the GRC puzzle are proper separation of tasks and access control over key information assets, which are the most effective safeguards against fraud—and prerequisites for sound corporate oversight. These are also the most arduous controls to deploy and sustain, given the thousands of users, roles, and processes that require access and authorization evaluation for violations, testing, and remediation.

The immense task of managing user and role access can only be accomplished when business-process owners (who can determine appropriate access in business terms) and IT experts (who can define the underlying technical objects that make up business functions) work together in an environment that bridges business processes, IT capabilities, and the plethora of enterprise applications used in the organization. That is to say, a company needs a bridge that links business language with IT capabilities. To achieve this link, a comprehensive set of access control applications is needed that will enable all corporate compliance stakeholders (including business managers, auditors, and IT security managers) to collaboratively manage proper SOD enforcement.
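As an added illustration (not code from the article or from any vendor's product) of the SOD enforcement and audited super-user access described in the two passages above, the following Python checker evaluates user role assignments against a small SOD rule library, treats a conflict as mitigated only when a compensating control is documented for it, and logs time-boxed emergency access with an approver. All roles, rules, users and compensating controls are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Technical roles (IT side) mapped to the business functions they grant
# (business side); constructed sample values, not a real role catalogue.
ROLE_TO_FUNCTIONS = {
    "AP_CLERK": {"VENDOR_MAINTAIN", "INVOICE_ENTER"},
    "AP_MANAGER": {"INVOICE_APPROVE", "PAYMENT_RELEASE"},
    "PURCHASER": {"PO_CREATE"},
    "GOODS_RECEIVER": {"GOODS_RECEIPT"},
}
# SOD rule library: pairs of functions no single user may hold together.
SOD_RULES = {
    "SOD-01": ("VENDOR_MAINTAIN", "PAYMENT_RELEASE"),
    "SOD-02": ("INVOICE_ENTER", "INVOICE_APPROVE"),
    "SOD-03": ("PO_CREATE", "GOODS_RECEIPT"),
}


def find_sod_conflicts(assignments, compensating_controls):
    """Evaluate every user against the rule library; returns
    {user: {rule_id: "violation" | "mitigated"}}. A conflict is mitigated only
    if a compensating control is documented for that user and rule; users with
    no conflicts do not appear in the report."""
    report = {}
    for user, roles in assignments.items():
        # Expand technical roles into the business functions they grant.
        funcs = set().union(*(ROLE_TO_FUNCTIONS.get(r, set()) for r in roles))
        for rule_id, (fn_a, fn_b) in SOD_RULES.items():
            if fn_a in funcs and fn_b in funcs:
                ok = rule_id in compensating_controls.get(user, set())
                report.setdefault(user, {})[rule_id] = "mitigated" if ok else "violation"
    return report


class EmergencyAccessLog:
    """Audited, time-boxed super-user access: each grant records requester,
    reason, approver and expiry so it can be reviewed afterwards."""

    def __init__(self):
        self.entries = []

    def grant(self, user, role, reason, approver, minutes=60, now=None):
        if approver == user:
            raise ValueError("emergency access must be approved by someone else")
        now = now or datetime.now(timezone.utc)
        entry = {"user": user, "role": role, "reason": reason, "approver": approver,
                 "granted": now, "expires": now + timedelta(minutes=minutes)}
        self.entries.append(entry)
        return entry

    def active_roles(self, user, now=None):
        """Roles still inside their emergency window; expired grants stay logged."""
        now = now or datetime.now(timezone.utc)
        return {e["role"] for e in self.entries if e["user"] == user and e["expires"] > now}


# Constructed sample assignments and documented compensating controls.
ASSIGNMENTS = {
    "alice": ["AP_CLERK", "AP_MANAGER"],     # can create a vendor and pay it
    "bob": ["PURCHASER", "GOODS_RECEIVER"],  # conflict covered by a review control
    "carol": ["AP_CLERK"],
}
COMPENSATING = {"bob": {"SOD-03"}}  # e.g. monthly PO-versus-receipt review
```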

Conclusion and Recommendations

It is apparent that companies have become increasingly aware of the need for IT solutions that support an integrated, all-encompassing GRC strategy to help them achieve greater transparency and predictability, streamline GRC processes, and ultimately improve their overall enterprise performance. To best support these strategic objectives, companies need software solutions that will enable better transparency into business performance, cultivate predictable business results, and ensure business process continuity. An integrated GRC portfolio, rather than a bundle of point solutions, stands a much better chance of solving fragmentation across management organizations, IT systems, and operating regions.

Still, each organization must chart its own course to embrace a GRC framework. Companies must weigh critical business requirements and risk tolerance with organizational GRC maturity and top-level commitment. Companies can choose to start by identifying a select few, high-priority risk areas, and then initiate a business-specific or initiative-driven, proof-of-concept deployment of GRC applications. Success with this approach should help pave the way and drive the value of a comprehensive GRC strategy. Following this, it should provide a reusable and sustainable model for controlling and addressing future GRC areas. Some potential benefits of a comprehensive GRC approach might include

  • better protected brand and reputation;
  • optimized risk-and-return portfolios (owing to transparency and insight for selecting and rejecting projects based on risk impact and probability relative to potential return);
  • reduced GRC costs and freed resources for innovation;
  • improved business performance and predictability (due to improved visibility—a systematic process for anticipating, monitoring, and controlling risks, and the tools to proactively determine proper actions and critical tasks);
  • business continuity (owing to software automation, management by exception, analytics and alerts, visibility to risk interdependencies, etc.);
  • increased business agility and competitiveness (due to the ability of decision makers to identify and assess alternative, what-if and future scenarios); and
  • smarter IT risk management.

In general, enterprise software must be tested and validated specifically for each company's compliant use. Once a company's standard operating procedures are developed and documented, system validation is largely a function of performing documented tests of its processes within the software to prove that it acts in the expected manner. It is thus important that the provider (software vendor or system integrator) offers a deep understanding of the regulations with which the company must comply. If the vendor can further bring pre-built validation tools that can be directly used or slightly modified for some of the user enterprise's validation processes, the savings in consulting cost and time can be significant.

Also crucial is the understanding of the initial setup and ongoing change management aspects of operating an enterprise system in a regulated deployment. For example, each new product version requires new testing, and specific change management processes must be followed to bring the new version into production. Bundled with this is a deep understanding of the software, including the way the database is structured and the way the source code is designed to behave. This deep understanding is required to support the testing and validation process, and to support decision-making on what transactions must be tracked at the audit level.

In short and to recap, GRC's central repositories manage conceivable risks to help ensure compliance. Yet, to successfully harness this emerging, strategic software, GRC and its effective management require a broad yet structured approach. Only then can enterprises effectively guide personnel, standardize business processes, and unify technology to embed GRC at all organizational levels.

This concludes the series Thou Shalt Comply (and More), or Else.