Business today requires agility and efficiency to stay competitive. Organizations must respond rapidly to changing conditions, while managing financial and human capital costs.
Compliance processes often work against business agility and efficiency. Requirements and initiatives bear down on the business, and become burdensome and inflexible. When managed manually and/or across numerous siloed business units, compliance can slow down and encumber the business.
Risk can be a burden or a tool that enhances business performance. Healthy risk-taking drives business; however, organizations must understand whether they are taking the right risk, if risk is being managed effectively, and how to monitor risk. A cavalier and uncontrolled approach to risk will result in disaster — even for companies with strong brands.
Poorly managed risk and compliance generates complexity, redundancy, and failure. In this situation the organization is not thinking about how controls and processes can be architected to meet a range of risk and compliance needs, nor does it gain an understanding of how risk management and compliance affect corporate performance. Too often organizations are reactive and lack a cohesive strategy. This isolated, periodic snapshot approach to risk and compliance causes organizations to spend excessively on internal management and external auditors.
What may seem like an insignificant risk in one part of the organization may have a different impact when other risks are factored in, whether from another business process or another risk category. Organizations are at risk when they rely on out-of-sync controls and disconnected corporate policies. Executives are becoming aware of these redundant risk-and-compliance projects, and are identifying the need for an integrated governance, risk, and compliance (GRC) strategy.
Organizations report significant issues and cost associated with manual and basic technology approaches in these areas:
- Common anomalies, malicious activity, and errors go undetected.
- Significant spend on external auditors and consultants.
- Slow, inconsistent, and unreliable reporting.
- Unmanageable amounts of paper and spreadsheets.
- Reactive after-the-issue fire fighting.
Success in today’s dynamic environment requires organizations to integrate, build, and support business processes with an enterprise view of GRC. While new risk and compliance issues constantly come to bear, organizations must take care to tackle the problem at its roots. A sustainable enterprise view of GRC means accountability is effectively managed and a complete system of record provides visibility across the key business processes and multiple applications.
Technology should empower business-process owners (who are also the control owners) to manage risk and compliance continuously. Technology can directly integrate controls within business processes, applications, and systems to prevent and/or detect unwanted behavior. IT should not be required to operate the control environment; keeping control operation with the business owners, separate from the teams that administer the underlying systems, also strengthens the integrity of the audit trail, because the people who can change the systems are not the people attesting to the controls. Audit does not need to be a quarterly event, but part of everyday activity and good business practice. This leads to cost savings and efficiency, while allowing the organization to remain agile.
A well-designed system of control is not necessarily a well-operating system of control. Many organizations pursue GRC with limited results because they have focused their efforts on GRC documentation. Documentation is a good start, but achieving efficiency in GRC requires the GRC strategy to operate effectively, not merely to be designed (documented). Operating effectiveness is where GRC value is obtained, and it is built upon design effectiveness:
- Design effectiveness: Begins with an understanding of how the GRC system of internal control is designed. To determine this, the organization starts by documenting controls and processes. An assessment is performed, and for each risk and compliance requirement, the controls and incentives that mitigate the risk are identified. Ultimately, the organization must determine whether these controls and incentives, and the system as a whole, are designed to satisfy stakeholders and regulators while managing risk and requirements.
- Operating effectiveness: An effectively operating GRC system considers how GRC is being managed within business, and its impact on the business. The organization should determine if the system operates as-designed, and if the system supports the needs of a dynamic business in a way that increases business agility while minimizing use of financial and human capital resources.
Organizations face a complex array of risk and compliance demands that impact the business. The organization must implement control-monitoring processes and technology that streamlines GRC operations, minimizes risk, meets regulatory requirements, and supports business agility and efficiency. GRC control monitoring should exist within the context of business processes and the supporting application environments, and across all potential sources of change to those controls.
Achieving efficiency and value in GRC requires a long-term GRC vision, and shorter-term wins. The more extended and distributed the business is, the more challenging risk and compliance are to manage. A solid GRC foundation provides an extensible technology platform that is adaptable and scalable. An enterprise GRC solution does not operate as a silo unto itself, but integrates with critical business processes and applications. The goal is to:
- Avoid issues and mitigate risk: Organizations must mitigate loss, fraud, error, and risk within acceptable boundaries. GRC automation allows the organization to detect potential or actual issues within key business processes and applications, to avoid negative or unintentional consequences.
- Reduce reporting time: Effective operation of GRC means creating efficiency in human and financial capital resources. It is critical to implement a GRC approach that reduces the amount of time spent by internal and external assurance personnel.
GRC is about protecting the business — staying within defined risk and requirement boundaries to minimize loss while optimizing performance. An organization approaching GRC proceeds through three levels of maturity:
- Manual and isolated: The first level is a reactive approach to risk and compliance. Different issues are managed in different parts of the organization, relying on burdensome and costly approaches to managing risk and compliance. This ad hoc approach is a manual and labor-intensive process, and results in mountains of paper and electronic documents. This produces a compliance posture that is often full of holes or outright smoke-and-mirrors.
- Documentation and workflow: The second level is documentation of GRC controls and processes. This is often maintained in document or policy-management systems that have content and workflow capabilities, but little understanding of business processes and no integration with the underlying business application environment. The focus of this level of maturity is the design effectiveness of GRC: documenting the business appropriately to satisfy regulators and stakeholders.
- Control automation and monitoring: The third level focuses on the operating effectiveness of GRC. Here, the organization achieves economies in GRC through processes and controls connected and in-sync with objectives, policies, and risks associated with business processes and applications. Value is created by ensuring that control violations are identified immediately, minimizing loss from fraud and errors, and by greater efficiency in human and financial resources.
The most economical GRC approach focuses on automation and efficiency. The goal is to connect policies and procedures to control objectives and automate monitoring and enforcement of controls. Automated controls can span business processes, applications, and information to reduce inefficiencies in current methods of internal control monitoring and validation.
The importance of automated monitoring increases as the velocity of change steps up within the organization. Change can be good or bad. As companies expand the number of users spread across geographies, there is more opportunity for mistakes, fraud, or operational errors. Growth also multiplies the layers at which changes can be made: through the application by end users, and directly in the database by database users. Changes can also come from third-party systems running batch processes, from poorly implemented application triggers, or from stored procedures that do not leave a transaction footprint in the application. Accidental changes can occur during IT system upgrades, patches, or restarts.
When control monitoring becomes a background process of everyday business activities, a continuous real-time audit trail is always available. This eliminates the need for time-consuming investigations that take place when exceptions are identified, weeks or months after the fact. The scope of monitoring can expand beyond a limited subset of key controls required for compliance activities. By empowering business process owners to monitor the integrity of their operations, operational risk from fraud and errors is greatly reduced.
For audit and compliance, this eliminates or greatly reduces sample-based audits while providing a comprehensive control baseline and change history for data and processes. The scope of review can also be significantly expanded without requiring additional resources: Audit processes that were performed once every several years can be done continuously. Once validated, auditors can rely on the existence of automated controls and continuous change-tracking as evidence of compliance.
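The monitoring described in the preceding paragraphs, as an added illustration that is not part of the original post or of the Corporate Integrity research it excerpts: a small control monitor that reconciles an application transaction log against a database change log. It assumes two feeds the application environment can export (the event shapes, field names, sample rows, user names and the conflicting-action pair are all constructed for the example). A database change that carries no transaction id, or one the application never issued, is flagged as an out-of-band change (a batch job, trigger, or stored procedure that left no transaction footprint); an update to a sensitive field on an existing row is recorded with its before and after values as audit evidence; and a user who both created a vendor and approved a payment to it is flagged as a segregation-of-duties violation.

```python
"""Continuous control monitoring over constructed sample logs.

Added example, not from the original post. Assumes two exports:
an application transaction log (who did what through the application,
tagged with a transaction id) and a database change log (row-level
before/after images, tagged with the transaction id that produced them,
or None when the change bypassed the application).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AppTxn:
    txn_id: str
    user: str
    action: str   # constructed actions: "create_vendor", "approve_payment"
    record: str   # business key the action concerns, here a vendor id


@dataclass(frozen=True)
class DbChange:
    change_id: str
    table: str
    row_key: str
    txn_id: Optional[str]   # None: no transaction footprint at all
    actor: str              # database principal that made the change
    before: Dict[str, str] = field(default_factory=dict)
    after: Dict[str, str] = field(default_factory=dict)


# Constructed sample feeds (hypothetical users, ids and values).
APP_TXNS: List[AppTxn] = [
    AppTxn("T1", "alice", "create_vendor", "V100"),
    AppTxn("T2", "bob", "approve_payment", "V100"),
    AppTxn("T3", "carol", "create_vendor", "V200"),
    AppTxn("T4", "carol", "approve_payment", "V200"),  # same user, both sides
]
DB_CHANGES: List[DbChange] = [
    DbChange("C1", "vendors", "V100", "T1", "app_svc",
             after={"name": "Acme", "bank_account": "111"}),
    DbChange("C2", "vendors", "V200", "T3", "app_svc",
             after={"name": "Globex", "bank_account": "222"}),
    # Direct change by a DBA via a stored procedure: no transaction id.
    DbChange("C3", "vendors", "V100", None, "dba_dave",
             before={"bank_account": "111"}, after={"bank_account": "999"}),
    # Batch job tagged with a transaction id the application never issued.
    DbChange("C4", "vendors", "V200", "T9", "batch_job",
             before={"name": "Globex"}, after={"name": "Globex Inc"}),
]
SENSITIVE_FIELDS: Dict[str, Set[str]] = {"vendors": {"bank_account"}}
CONFLICTING_ACTIONS: Set[Tuple[str, str]] = {("create_vendor", "approve_payment")}


def find_untraced_changes(db_changes: List[DbChange],
                          app_txns: List[AppTxn]) -> List[DbChange]:
    """Database changes with no matching application transaction."""
    known = {t.txn_id for t in app_txns}
    return [c for c in db_changes if c.txn_id is None or c.txn_id not in known]


def find_sensitive_field_changes(db_changes: List[DbChange],
                                 sensitive: Dict[str, Set[str]]) -> List[DbChange]:
    """Updates that alter a sensitive field on an existing row."""
    hits = []
    for c in db_changes:
        for f in sensitive.get(c.table, set()):
            if f in c.before and f in c.after and c.before[f] != c.after[f]:
                hits.append(c)
                break
    return hits


def find_sod_violations(app_txns: List[AppTxn]) -> List[Tuple[str, str, str, str]]:
    """Users who performed both halves of a conflicting action pair on one record."""
    actions_by_user_record = defaultdict(set)
    for t in app_txns:
        actions_by_user_record[(t.user, t.record)].add(t.action)
    violations = []
    for (user, record), actions in actions_by_user_record.items():
        for a, b in CONFLICTING_ACTIONS:
            if a in actions and b in actions:
                violations.append((user, record, a, b))
    return sorted(violations)


def run_monitor(db_changes: List[DbChange], app_txns: List[AppTxn],
                sensitive: Dict[str, Set[str]]) -> Dict[str, list]:
    """One monitoring pass; in production this runs continuously over new events."""
    return {
        "untraced_changes": find_untraced_changes(db_changes, app_txns),
        "sensitive_changes": find_sensitive_field_changes(db_changes, sensitive),
        "sod_violations": find_sod_violations(app_txns),
    }


if __name__ == "__main__":
    for kind, findings in run_monitor(DB_CHANGES, APP_TXNS, SENSITIVE_FIELDS).items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```

The reconciliation is the part that matters for the "no transaction footprint" case: the database change log alone shows C3 as a routine update by a privileged account, and the application log alone does not show it at all; only joining the two on the transaction id surfaces it as an out-of-band change, with the before and after values retained as the audit trail.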
This posting has been an excerpt of Corporate Integrity’s published research, Achieve GRC Value – Efficient Business Process & Application Monitoring.
I would love to hear your thoughts on the topic of GRC software. Please feel free to comment on this blog, or send me an e-mail.