Automating governance, risk and compliance: 10 key considerations

By Ted Frank, Axentis | Business

Effectively automating the full breadth of governance, risk and compliance (GRC) is a journey few organizations have completed. Most GRC efforts are executed within silos built around specific, discrete compliance requirements, whether Sarbanes-Oxley or HIPAA. Even when addressed broadly, GRC has often been treated as a "nice-to-have" add-on to other projects or programs. Exacerbating this is the fact that GRC practitioners have traditionally lacked both the political clout to secure resources and the experience in building technology business cases, all while being charged with achieving organizational compliance. The good news is that times have finally changed. With the heightened focus on risks and regulations, GRC is now being transformed into a formal category of automation.

Following are ten key considerations that should help IT and GRC practitioners kick off the debate, along with some simple steps for the early implementation of a successful GRC program.

1. A Starting Point

First, complete a comprehensive inventory. What GRC programs exist? Who is accountable for each of them? What tools are being used? What processes are already in place? Who is mandating and evaluating them? How is GRC baked into compensation practices?

It is remarkable how broadly risk can impact an organization once financial, legal, operational and regulatory risks are all included in the definition. Even more remarkable is how difficult it is to quickly secure solid answers to these questions. Compiling an inventory of the answers is the first step in understanding the organization's GRC ecosystem and getting a feel for its overall health and effectiveness. Gather this baseline information before any technology discussion: it allows the team to define impact across a broad set of issues and deliver benefit to more stakeholders.

2. Document the organization's current GRC vocabulary

One of the most basic and significant problems many organizations face is the range of definitions and perceptions surrounding common GRC terms. Each perception (or definition) is shaped by different experiences, issues or projects, which leads to countless unstated assumptions in even the simplest GRC discussions. Technology has always treated compliance as many individual, secondary considerations instead of a set of processes to be considered collectively. Correcting the situation begins with establishing who in the organization assumes what.

Compliance Management - Defined
Compliance management is the implementation of processes designed to control any type of risk and to meet voluntary or mandated expectations of performance. Prominent mandates and frameworks that fall under GRC include Enterprise Risk Management, Sarbanes-Oxley, HIPAA, Corporate Codes of Conduct, Anti-Money Laundering statutes, Operational Risk and COBIT.

3. Define the GRC vocabulary to be used going forward

Before any real dialogue can begin around GRC, a standardized baseline vocabulary must be established throughout the organization. The key terms required to carry on a productive conversation should be clear and easy to remember, with well-thought-out, simple definitions. Candidates include obvious terms like "risk," "compliance" and "governance," but also less obvious terms such as "loss" or "control." Once established, these definitions should be communicated to everyone involved and immediately put into practice. They should also be reiterated throughout training, developed through ongoing education and introduced to new personnel. A sample GRC vocabulary is available from the author's site.

4. Adopt a process standard that can be consistently applied across GRC programs

It is essential for practitioners and technologists to agree on a consistent process model that allows one solution to be deployed across a broad array of GRC processes and needs. Most people involved in GRC for the first time believe that their particular mandate is unique. This belief is one of the most common failure points in GRC and can be traced to various historical problems, ranging from inconsistent processes to the development of countless single-use, isolated technologies that ultimately fail to deliver significant value. Best-practice GRC processes are now emerging, however, presenting new opportunities to manage this far-reaching set of domains more effectively. One of the most complete standards is published by the Open Compliance and Ethics Group (OCEG), whose published examples illustrate the approach.
