GRC Reference Architecture: Role/Process Specific Applications
Over the past few weeks we have looked at both the information model and the enterprise application core of Corporate Integrity’s GRC Reference Architecture. The GRC Reference Architecture provides a framework for approaching technology and classifying software offerings, and it is part of my broader GRC EcoSystem (which includes over 1300 technology, professional service, and information providers). The GRC Reference Architecture is the core of the revisions to the OCEG GRC IT Blueprint to be released by the end of this year. Your feedback is appreciated.
We now turn to the next component of the GRC Reference Architecture – the business role/function specific applications. These are the applications focused predominantly on meeting the needs of a specific business function, process, or role in the enterprise. Applications in this area may well have significant risk and compliance relevance and impact across the enterprise, but 80% or more of their use is by a specific subset of GRC user roles. The enterprise application core that we previously discussed represents applications that span GRC business users and roles across the business.
The various business roles and functions that have specific uses of GRC technologies and applications are scattered across the enterprise. In one sense, every part of the business touches on GRC as it relates to different aspects of performance, risk, compliance, values, and control.
The primary, though not all-inclusive, business function/role application categories include:
- Audit. While audit is a broader part of the enterprise application core of GRC, audit also maintains its own category of role specific applications dealing with assurance, audit management (e.g., calendaring, resource scheduling, work paper management), as well as audit analytics and automation.
- Brand & Reputation Management. This category offers targeted solutions for managing the corporation’s brand and reputation, both in the physical world and online. This includes brand surveillance management.
- Business Continuity. Disaster recovery, business continuity, and crisis management are all highly relevant to GRC and are solutions that enterprises need in order to manage and maintain continuity of operations across the business.
- Business Operations (line of business). The line of business is the front line of GRC. From global trade compliance management and procurement management to customer relationship management, many aspects of business transactions, interactions, and relationships have relevance to GRC.
- Corporate Compliance & Ethics. Within corporate compliance and ethics there are solutions aimed at communicating code of conduct, delivering compliance training, as well as whistleblower reporting through hotline/helpline systems.
- Corporate Secretary. Board and entity management software is the primary vehicle for the corporate secretary role to carry out the function of managing board papers, communications, calendars, and corporate reporting.
- Corporate Social Responsibility/Sustainability. CSR is a growing field that is becoming increasingly relevant to organizations around the world. Solutions in this category help monitor emissions and track carbon, and also support broader GRI (Global Reporting Initiative) reporting.
- Environmental, Health, & Safety. EH&S software helps the organization manage and maintain environmental controls as well as the health and safety of individual employees, partners, and clients. Offerings in this space range from environmental monitoring and reporting to MSDS (material safety data sheet) management.
- Finance & Accounting. The finance and accounting function uses software to manage risk and compliance within business financial transactions, to validate that the organization is managing finances and budgets within defined boundaries, and to monitor finance and treasury risk. This entire area is often referred to as Finance-GRC.
- Fraud. The area of fraud management utilizes software for fraud investigations, fraud prevention/management, as well as specific areas such as anti-money laundering.
- Human Resources. HR issues such as hiring practices, discrimination, harassment, wage & hour, compensation, and employee privacy often carry some of the most significant risk and compliance exposures the organization faces. While broad HRMS systems have much relevance to GRC, HR also leverages specific categories of software to communicate about and prevent risk and compliance issues, such as employee evaluations and surveys, as well as learning/training management solutions.
- Information Security, Risk, & Compliance. What is often referred to as IT-GRC represents the most expansive domain of software solutions aimed at managing technology and information risk and compliance. This includes areas of threat and vulnerability management, configuration management, identity and access management, encryption, and many other components.
- Insurance. The role focused on managing insurance and claims management has software specifically aimed to support its function in GRC.
- Investigations. Part of the broader enterprise GRC application core as well, investigations management software enables the organization to consistently and efficiently intake issues, manage investigations, and record and manage loss across the organization.
- Legal. The legal department has a variety of technology solutions aimed at supporting the legal role in areas such as matter management, contract management, discovery management, and the management and protection of intellectual property. The terms Legal-GRC and legal process management are starting to be used to identify solutions that bring these components together.
- Physical Security. Physical security is dependent on many areas of technology, including surveillance and physical access control systems, to protect the organization and, in some areas, to comply with laws and regulations.
- Privacy. A variety of solutions have come to market specifically aimed at managing privacy programs. These range from software focused on information protection and on privacy policy communication and training, to incident response and management of disclosure requirements.
- Quality Management. Quality management systems provide a backbone of managing quality within the line of business – while monitoring and resolving quality and control issues.
- Risk Management. Risk is fundamental to GRC, but it is also owned by a variety of business roles across the organization. From enterprise risk management software down to the many components of operational, geo-political, and financial and treasury risk management software, there are solutions aimed at meeting a variety of specific risk needs.
- Third-Party/Supply-Chain Management. Risk and compliance issues do not stop at the traditional corporate boundary but carry on into a complex web of business partner and supply chain relationships. Solutions in third-party management aim to communicate the code of conduct and policies while managing and monitoring risks, compliance, and controls across extended business relationships.
These roles represent a significant but not exhaustive look at the categories of risk and compliance software solutions targeted at specific areas of the business. These applications need to be able to report and feed information into broader GRC reporting systems and dashboards to maintain a 360-degree view of GRC throughout the business. All are highly relevant and part of a broad GRC strategy.
Further, the discussion and breadth of GRC business/function roles and supporting technologies underline the fact that GRC is a federated effort. No single group in the organization does GRC. While there may be a role leading the collaboration, it really extends throughout the business.
Over the next few weeks we will wrap up the initial discussions on the GRC Reference Architecture. The next posting will provide commentary on the geographic and industry specific views of GRC technology, and the final one will look at the technology components/capabilities that GRC solutions are comprised of.
Detailed training on the GRC Reference Architecture can be found in Corporate Integrity & OCEG’s GRC Strategy & Technology Bootcamps.